ExamGecko
Amazon ANS-C00 Practice Test - Questions Answers, Page 8

Which statement about VPC endpoints is incorrect?

A. Endpoints are transitive for Direct Connect connections.
B. Endpoints cannot be extended out of a VPC.
C. Endpoints cannot be tagged.
D. An S3 endpoint allows Amazon AMIs to install some software.
Suggested answer: A

Explanation:

Endpoints are not transitive for Direct Connect connections or any other connections. To access S3 resources through an endpoint from outside of a VPC, an EC2 proxy must be used.

A company requires connectivity between two workloads that are located in separate VPCs: VPC A and VPC B. The VPCs are located in the same AWS Region. A network engineer has configured a VPC peering relationship between the VPCs. The network engineer is testing for connectivity by using the ping command from an Amazon EC2 instance in VPC A with address 10.1.1.1 to another EC2 instance in VPC B with address 10.2.2.2. The pings are timing out. Which combination of steps should the network engineer take to troubleshoot the problem? (Choose three.)

B. Ensure that the security group rules allow ICMP traffic from the source EC2 instance to the target EC2 instance.
C. Ensure that the security group rules allow the flow of UDP traffic from the source EC2 instance to the target EC2 instance.
D. Ensure that the network ACL rules allow ICMP traffic between the source EC2 instance and the target EC2 instance.
E. Ensure that the security group rules allow the flow of TCP traffic from the source EC2 instance to the target EC2 instance.
F. Verify that routes have been added to the respective VPC route tables to forward traffic that is destined for the other VPC through the peering connection.
G. Configure the VPC peering settings to activate bidirectional traffic support.
Suggested answer: B, D, F

Explanation:

EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.

Configuring bidirectional VPC peering.

Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html

https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/gcp-administration-guide/741384/configuring-bidirectionalvpc-peering

Which one of these health check reason codes is not a valid reason code?

A. Elb.InitialHealthChecking
B. Target.UnHealthy
C. Target.NotInUse
D. Target.InvalidState
Suggested answer: B

Explanation:

Target.UnHealthy does not exist.

What service is used to store the log files generated by CloudTrail?

A. EC2
B. EBS
C. S3
D. VPC
Suggested answer: C

Explanation:

AWS CloudTrail uses Amazon Simple Storage Service (S3) to store log files. It also supports S3 lifecycle configuration rules to reduce storage costs.

Reference: https://aws.amazon.com/cloudtrail/

Which statement is NOT true about accessing a remote AWS Region in the US from your AWS Direct Connect connection, which is located in the US?

A. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
B. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.
C. If you have a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US.
D. Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.
Suggested answer: D

Explanation:

AWS Direct Connect locations in the United States can access public resources in any US region. You can use a single AWS Direct Connect connection to build multi-region services. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.

To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session. Then your router learns the routes of the other AWS regions in the US. You can then also establish a VPN connection to your VPC in the remote region.

Any data transfer out of a remote region is billed at the remote region data transfer rate.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html

You need to find the MTU used by another instance, but tracepath is not working. You know that the instance you are trying to tracepath has open security group and NACL rules. Which protocol do you need to allow to reach your instance to remedy this?

A. Protocol 6: TCP
B. Protocol 47: GRE
C. Protocol 17: UDP
D. Protocol 1: ICMP
Suggested answer: D

Explanation:

You need to allow Protocol 1, ICMP, to access your instance. tracepath specifically needs the "destination unreachable" feature of ICMP.

You are a network engineer at a company that just purchased a DX connection. You ensured that your equipment met all of the technical requirements, you have verified with your AWS account manager and your colocation provider that everything is connected, and all of your information is correct. For some reason, the link does not operate correctly. What could be the problem?

A. The CAT6 cable is frayed.
B. Autonegotiation is enabled.
C. You are using 802.1q VLANs instead of 802.1w.
D. BFD is disabled.
Suggested answer: B

Explanation:

Autonegotiation is enabled. A DX connection uses single-mode fiber, not CAT6; BFD is optional, and 802.1q is the correct standard. Autonegotiation must be disabled for DX to work properly.

A company hosts several applications in the AWS Cloud across multiple VPCs that are connected to a transit gateway.

Redundant AWS Direct Connect connections and a Direct Connect gateway provide private network connectivity to the company's on-premises environment.

During a maintenance window, the networking team adds eight VPCs. The application management team notices that there is no reachability between the newly created VPCs and the on-premises environment. Connectivity between all VPCs through the transit gateway is working as expected.

Which of the following are possible causes of the connectivity issues? (Choose two.)

A. The prefixes that are advertised from the Direct Connect gateway to the on-premises router are shorter than the CIDR blocks of the newly created VPCs.
B. The route tables for the newly created VPCs do not have the routes to the on-premises environment that point to the transit gateway attachment.
C. The on-premises route tables do not contain the exact CIDR blocks of the newly created VPCs.
D. The route tables for the newly created VPCs have only summary routes for the on-premises environment that point to the transit gateway attachment.
E. The prefixes that are advertised from the Direct Connect gateway to the on-premises router do not contain the CIDR blocks of the newly created VPCs.
Suggested answer: A, D

Explanation:

Reference: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

https://docs.aws.amazon.com/directconnect/latest/UserGuide/prefix-example.html

To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files.

A. SSE-S3
B. SCE-KMS
C. SCE-S3
D. SSE-KMS
Suggested answer: D

Explanation:

By default, the log files delivered by CloudTrail to your bucket are encrypted with Amazon server-side encryption using Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.

Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

A user is collecting 1000 records per second. The user wants to send the data to CloudWatch using a custom namespace. Which of the following options is recommended for this activity?

A. Aggregate the data with statistics, such as Min, Max, Average, Sum and Sample data, and send the data to CloudWatch.
B. Send all the data values to CloudWatch in a single command by separating them with a comma. CloudWatch will parse them automatically.
C. It is not possible to send all the data in one call. Thus, it should be sent one by one. CloudWatch will aggregate the data automatically.
D. Create one CSV file of all the data and send a single file to CloudWatch.
Suggested answer: A

Explanation:

AWS CloudWatch supports custom metrics. The user can always capture custom data and upload it to CloudWatch using the CLI or APIs. The user can publish data to CloudWatch as single data points or as an aggregated set of data points, called a statistic set, using the put-metric-data command. When the user has multiple data points per minute, it is recommended to aggregate the data in order to minimize the number of calls to put-metric-data. In this case, if the data is aggregated, it will be a single call to CloudWatch instead of 1000 calls.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/publishingMetrics.html
