Amazon ANS-C01 Practice Test - Questions Answers, Page 12
Question list
List of questions
Related questions
A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic.
Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations, and network ACLs as the cause of the dropped traffic.
What is causing the traffic to drop?
The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC.
Appliance mode is not enabled on the transit gateway attachment to the shared services VPC
The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC.
Appliance mode is not enabled on the transit gateway attachment to the application VPCs.
A company is building an internet-facing application that is hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The company is using the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes for pod networking connectivity. The company needs to expose its application to the internet by using a Network Load Balancer (NLB). The pods that host the application must have visibility of the source IP address that is contained in the original packet that the NLB receives.
How should the network engineer configure the NLB and Amazon EKS settings to achieve these goals?
Specify the Ip target type for the NLB. Set the externalTrafficPolicy attribute to Local in the Kubernetes service specification.
Specify the instance target type for the NLB. Set the externalTrafficPolicy attribute to Cluster in the Kubernetes service specification
Specify the instance target type for the NLB. Set the externalTrafficPolicy attribute to Local in the Kubernetes service specification.
Specify the Ip target type for the NLB. Set the externalTrafficPolicy attribute to Cluster in the Kubernetes service specification
A company is running business applications on AWS. The company uses 50 AWS accounts, thousands of VPCs. and 3 AWS Regions across the United States and Europe.
A network engineer needs to establish network connectivity between an on-premises data center and the Regions. The network engineer also must establish connectivity between the VPCs. On-premises users and applications must be able to connect to applications that run in the VPCs.
The company has an existing AWS Direct Connect connection that the network engineer can use. The network engineer creates a transit gateway in each Region and configures the transit gateways as inter-Region peers.
Which solution will provide network connectivity from the on-premises data center to the Regions and will provide inter-VPC communications across the different Regions?
Create a private VIF with a gateway type of virtual private gateway. Configure the private VIF to use a virtual private gateway that is associated with one of the VPCs.
Create a private VIF to a new Direct Connect gateway. Associate the new Direct Connect gateway with a virtual private gateway in each VPC.
Create a transit VIF with a gateway association to a new Direct Connect gateway. Associate each transit gateway with the new Direct Connect gateway.
Create an AWS Site-to-Site VPN connection that uses a public VIF for the Direct Connect connection Attach the Site-to-Site VPN connection to the transit gateways.
A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment.
Which approach will meet these requirements with the LEAST maintenance overhead?
Set up an AWS Direct Connect connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs. Connect to the instances by using the Direct Connect connection.
Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC endpoints for Systems Manager Session Manager. Connect to the instances by using Session Manager.
Establish an AWS Site-to-Site VPN connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs. Connect to the instances by using the Site-to-Site VPN connection.
Deploy an appliance to the VPC where the instances are deployed. Assign a public IP address to the appliance. Configure security groups and ACLs. Connect to the instances by using the appliance as an intermediary.
A company has an application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-party EC2 appliance for content inspection.
Which solution will meet these requirements?
Configure VPC flow logs on each EC2 network Interface. Publish the flow logs to an Amazon S3 bucket. Create a third-party EC2 appliance to acquire flow logs from the S3 bucket. Log in to the appliance to monitor network content.
Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic for the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.
Configure a mirror session. Specify an Amazon Data Firehose delivery stream as the mirror target Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application Create a third-party EC2 appliance. Send all traffic to the appliance through the Firehose delivery stream for content inspection.
Configure VPC flow logs on each EC2 network interface. Send the logs to Amazon CloudWatch. Create a third-party EC2 appliance. Configure a CloudWatch filter to send the flow logs to Amazon Data Firehose to load the logs into the appliance.
An online retail company is running a web application in the us-west-2 Region and serves consumers in the United States. The company plans to expand across several countries in Europe and wants to provide low latency for all its users.
The application needs to identify the users' IP addresses and provide localized content based on the users' geographic location. The application uses HTTP GET and POST methods for its functionality. The company also needs to develop a failover mechanism that works for GET and POST methods and is based on health checks. The failover must occur in less than 1 minute for all clients.
Which solution will meet these requirements?
Configure a Network Load Balancer (NLB) for the application in each environment In the new AWS Regions. Create an AWS Global Accelerator accelerator that has endpoint groups that point to the NLBs in each Region.
Configure an Application Load Balancer (ALB) for the application in each environment in the new AWS Regions. Create an AWS Global Accelerator accelerator that has endpoint groups that point to the ALBs in each Region.
Configure an Application Load Balancer (ALB) for the application in each environment in the new AWS Regions. Create Amazon Route 53 public hosted zones that have failover routing policies.
Configure a Network Load Balancer (NLB) for the application in each environment in the new AWS Regions. Create an Amazon CloudFront distribution. Configure an origin group with origin failover options.
A company has a VPC that hosts Amazon EC2 instances in a private subnet. The EC2 Instances use a NAT gateway and an internet gateway for internet connectivity to retrieve data from specific internet websites. The company wants to use AWS Network Firewall to filter outbound traffic.
What should a network engineer do to meet these requirements?
1. Create a firewall in the NAT gateway subnet. 2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway. 3. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint. 4. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
1. Create a firewall in a new subnet. 2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint. 3. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway. 4. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
1. Create a firewall in the subnet of the EC2 instances. 2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint. 3. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway. 4. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
1. Create a firewall in a new subnet. 2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway. 3. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint. 4. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads.
The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs.
In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs. the development VPC. and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination.
Which combination of steps should the network engineer take next to complete this solution? (Select THREE)
Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.
Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.
Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and development VPC attachment to the new route table.
Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.
A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM)in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool.
A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account.
Which solution will meet these requirements?
Create a new AWS Config rule to find all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke an AWS Lambda function to delete these VPCs.
Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the lpv4lpamPoolld context key value is not the ID of an IPAM pool.
Create an AWS Lambda function to check for and delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke the Lambda function at regular intervals.
Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.
A network engineer needs to design the architecture for a high performance computing (HPC) workload. Amazon EC2 instances will require 10 Gbps flows and an aggregate throughput of up to 100 Gbps across many instances with low-latency communication.
Which architecture solution will optimize this workload?
Place nodes in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
Place nodes in multiple subnets in a single VPC. Configure a spread placement group Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
Place nodes in multiple VPCs. Use AWS Transit Gateway to route traffic between the VPCs. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
Place nodes in multiple subnets in multiple Availability Zones. Configure a cluster placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
Question