Amazon ANS-C00 Practice Test - Questions Answers, Page 8

Question 71

Which statement about VPC endpoints is incorrect?

A. Endpoints are transitive for Direct Connect connections.
B. Endpoints cannot be extended out of a VPC.
C. Endpoints cannot be tagged.
D. An S3 endpoint allows Amazon AMIs to install some software.
Suggested answer: A

Explanation:

Endpoints are not transitive for Direct Connect connections or any other connections. To access S3 resources through an endpoint from outside of a VPC, an EC2 proxy must be used.

asked 16/09/2024
Ramzi Smair
36 questions

Question 72

A company requires connectivity between two workloads that are located in separate VPCs: VPC A and VPC B. The VPCs are located in the same AWS Region. A network engineer has configured a VPC peering relationship between the VPCs. The network engineer is testing for connectivity by using the ping command from an Amazon EC2 instance in VPC A with address 10.1.1.1 to another EC2 instance in VPC B with address 10.2.2.2. The pings are timing out. Which combination of steps should the network engineer take to troubleshoot the problem? (Choose three.)

A. Ensure that the security group rules allow ICMP traffic from the source EC2 instance to the target EC2 instance.
B. Ensure that the security group rules allow the flow of UDP traffic from the source EC2 instance to the target EC2 instance.
C. Ensure that the network ACL rules allow ICMP traffic between the source EC2 instance and the target EC2 instance.
D. Ensure that the security group rules allow the flow of TCP traffic from the source EC2 instance to the target EC2 instance.
E. Verify that routes have been added to the respective VPC route tables to forward traffic that is destined for the other VPC through the peering connection.
F. Configure the VPC peering settings to activate bidirectional traffic support.
Suggested answer: B, D, F

Explanation:

EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.

Configuring bidirectional VPC peering.

Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html

https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/gcp-administration-guide/741384/configuring-bidirectionalvpc-peering

asked 16/09/2024
Tim Wersinger
42 questions

Question 73

Which one of these healthcheck reason codes is not a valid reason code?

A. Elb.InitialHealthChecking
B. Target.UnHealthy
C. Target.NotInUse
D. Target.InvalidState
Suggested answer: B

Explanation:

Target.UnHealthy does not exist.

asked 16/09/2024
Kellen Winters
40 questions

Question 74

What service is used to store the log files generated by CloudTrail?

A. EC2
B. EBS
C. S3
D. VPC
Suggested answer: C

Explanation:

AWS CloudTrail uses Amazon Simple Storage Service (S3) to store log files. It also supports the use of S3 lifecycle configuration rules to reduce storage costs. Reference: https://aws.amazon.com/cloudtrail/

asked 16/09/2024
Scott Lerch
27 questions

Question 75

Which statement is NOT true about accessing a remote AWS Region in the US through your AWS Direct Connect location, which is also in the US?

A. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
B. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.
C. If you have a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US.
D. Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.
Suggested answer: D

Explanation:

AWS Direct Connect locations in the United States can access public resources in any US region. You can use a single AWS Direct Connect connection to build multi-region services. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.

To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session. Then your router learns the routes of the other AWS regions in the US. You can then also establish a VPN connection to your VPC in the remote region.

Any data transfer out of a remote region is billed at the remote region data transfer rate.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html

asked 16/09/2024
Ryan Harris
42 questions

Question 76

You need to find the MTU used by another instance, but tracepath is not working. You know the instance you are trying to tracepath has open security group and NACL rules. Which protocol do you need to allow to access your instance to remedy this?

A. Protocol 6: TCP
B. Protocol 47: GRE
C. Protocol 17: UDP
D. Protocol 1: ICMP
Suggested answer: D

Explanation:

You need to allow Protocol 1, ICMP, to access your instance. tracepath specifically needs the "destination unreachable" feature of ICMP.

asked 16/09/2024
Max Lenin Dos Santos Torres
50 questions

Question 77

You are a network engineer at a company that just purchased a DX connection. You ensured your equipment met all of the technical requirements, you have verified with your AWS account manager and your colocation provider that everything is connected, and all of your information is correct. For some reason, the link does not operate correctly. What could be the problem?

A. The CAT6 cable is frayed.
B. Autonegotiation is enabled.
C. You are using 802.1q VLANs instead of 802.1w.
D. BFD is disabled.
Suggested answer: B

Explanation:

Autonegotiation is enabled. A DX connection uses single-mode fiber, not CAT6; BFD is optional, and 802.1q is the correct standard. Autonegotiation must be disabled for DX to work properly.

asked 16/09/2024
Vigen Pillay
42 questions

Question 78

A company hosts several applications in the AWS Cloud across multiple VPCs that are connected to a transit gateway.

Redundant AWS Direct Connect connections and a Direct Connect gateway provide private network connectivity to the company's on-premises environment.

During a maintenance window, the networking team adds eight VPCs. The application management team notices that there is no reachability between the newly created VPCs and the on-premises environment. Connectivity between all VPCs through the transit gateway is working as expected.

Which of the following are possible causes of the connectivity issues? (Choose two.)

A. The prefixes that are advertised from the Direct Connect gateway to the on-premises router are shorter than the CIDR blocks of the newly created VPCs
B. The route tables for the newly created VPCs do not have the routes to the on-premises environment that point to the transit gateway attachment
C. The on-premises route tables do not contain the exact CIDR blocks of the newly created VPCs
D. The route tables for the newly created VPCs have only summary routes for the on-premises environment that point to the transit gateway attachment
E. The prefixes that are advertised from the Direct Connect gateway to the on-premises router do not contain the CIDR blocks of the newly created VPCs
Suggested answer: A, D

Explanation:

Reference: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html https://docs.aws.amazon.com/directconnect/latest/UserGuide/prefix-example.html

asked 16/09/2024
Jarlesi Bolivar
36 questions

Question 79

To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files

A. SSE-S3
B. SCE-KMS
C. SCE-S3
D. SSE-KMS
Suggested answer: D

Explanation:

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.

Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html

asked 16/09/2024
francesca parisi
25 questions

Question 80

A user is collecting 1000 records per second. The user wants to send the data to CloudWatch using a custom namespace. Which of the below mentioned options is recommended for this activity?

A. Aggregate the data with statistics, such as Min, Max, Average, Sum and Sample data and send the data to CloudWatch
B. Send all the data values to CloudWatch in a single command by separating them with a comma. CloudWatch will parse automatically
C. It is not possible to send all the data in one call. Thus, it should be sent one by one. CloudWatch will aggregate the data automatically
D. Create one csv file of all the data and send a single file to CloudWatch
Suggested answer: A

Explanation:

AWS CloudWatch supports custom metrics. The user can capture custom data and upload it to CloudWatch using the CLI or APIs. Data can be published to CloudWatch as single data points or as an aggregated set of data points, called a statistic set, using the put-metric-data command. When the user has multiple data points per minute, it is recommended to aggregate the data so as to minimize the number of calls to put-metric-data. In this case, aggregating the data means a single call to CloudWatch instead of 1000 calls.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/publishingMetrics.html

asked 16/09/2024
Roger Berger
27 questions
Total 414 questions