
Amazon ANS-C01 Practice Test - Questions Answers, Page 8

Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.

You must prepare the system for global expansion. The end users must access the application with the lowest latency.

How should you use AWS services to meet these requirements?

A. Register the IP addresses of the service hosts as "A" records with a latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
B. Set an Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
C. Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
D. Set Amazon API Gateway in front of the service, and register the API Gateway name of the main service as an ALIAS record in Route 53.
Suggested answer: B

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.

The instance has a security group configured to allow as follows:

Protocol: TCP

Port: 80 inbound, nothing outbound

The Network ACL for the subnet is configured to allow as follows:

Protocol: TCP

Port: 80 inbound, nothing outbound

When you try to browse to the web server, you receive no response.

Which additional step should you take to receive a successful response?

A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
Suggested answer: D

Explanation:

To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on and outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port. The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL. Security groups are stateful, so the response to an allowed inbound request is permitted regardless of the outbound rules, which is why changing the security group (options A and B) does not help. https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/
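The stateless network ACL behaviour the explanation describes, modelled in Python as an added example (not code from the page or from AWS): the rule sets are constructed to match the question, and the model shows why only an outbound rule covering the ephemeral range lets the reply through.

```python
# Added example (not from the page or AWS docs): a model of a stateless network ACL
# versus a stateful security group for the web-server scenario in the question.
# The rule sets below are constructed to match the question's configuration.
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # ephemeral source-port range quoted in the explanation


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    proto: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int

    def matches(self, direction, proto, dst_port):
        return (self.direction == direction
                and self.proto in ("all", proto)
                and self.port_from <= dst_port <= self.port_to)


def rule_allows(rules, direction, proto, dst_port):
    """Does any rule match this packet? No match means an implicit deny."""
    return any(r.matches(direction, proto, dst_port) for r in rules)


def connection_succeeds(sg_rules, nacl_rules, proto="tcp", service_port=80,
                        client_port=49152):
    """Client -> server request to service_port, server -> client reply to client_port."""
    # Security group is stateful: once the inbound request is allowed, the reply is
    # tracked as part of that flow and permitted even with no outbound rule at all.
    if not rule_allows(sg_rules, "inbound", proto, service_port):
        return False
    # Network ACL is stateless: the reply packet, whose destination port is the
    # client's ephemeral port, must itself match an outbound rule.
    request_ok = rule_allows(nacl_rules, "inbound", proto, service_port)
    reply_ok = rule_allows(nacl_rules, "outbound", proto, client_port)
    return request_ok and reply_ok


# Constructed rule sets reproducing the question and two of its answer options.
SG_RULES = [Rule("inbound", "tcp", 80, 80)]
NACL_AS_CONFIGURED = [Rule("inbound", "tcp", 80, 80)]
NACL_OPTION_C = NACL_AS_CONFIGURED + [Rule("outbound", "tcp", 80, 80)]
NACL_OPTION_D = NACL_AS_CONFIGURED + [Rule("outbound", "tcp", *EPHEMERAL)]

if __name__ == "__main__":
    print("as configured:", connection_succeeds(SG_RULES, NACL_AS_CONFIGURED))  # False
    print("option C:", connection_succeeds(SG_RULES, NACL_OPTION_C))            # False
    print("option D:", connection_succeeds(SG_RULES, NACL_OPTION_D))            # True
```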

An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.

Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: “There are not enough free addresses in subnet ‘subnet-12345677’ to satisfy the requested number of instances.” What action will resolve the availability problem?

A. Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
B. Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
C. Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
D. Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.
Suggested answer: B

An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.

What connection option should the organization use to get up and running at minimal cost?

A. Use an internet connection.
B. Set up an AWS VPN connection.
C. Provision an AWS Direct Connect private virtual interface.
D. Provision a Direct Connect public virtual interface.
Suggested answer: A

All IP addresses within a 10.0.0.0/16 VPC are fully utilized by application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that it is running up-to-date packages. The network is designed for the application servers to use a single NAT gateway for Internet access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

A. The NAT gateway does not support UDP traffic.
B. The authentication server is not accepting traffic.
C. The NAT gateway cannot allocate more ports.
D. The NAT gateway is launched in a private subnet.
Suggested answer: C

Explanation:

Ref: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html "A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors.

These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch."
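A simplified model of the per-destination port limit quoted above, added here as an example (not code from the page or from AWS): the allocation strategy, addresses and port numbers are constructed, and only the 55,000 limit comes from the AWS documentation. It shows why a fleet larger than the limit probing one destination sees port allocation errors while a different destination port or protocol still gets a fresh pool.

```python
# Added example (not from the page or AWS docs): a simplified model of NAT gateway
# source-port allocation built around the per-destination limit quoted in the
# explanation. The allocation strategy is constructed; only the limit comes from AWS.
from collections import defaultdict

MAX_PER_DESTINATION = 55_000  # simultaneous flows per unique (dst ip, dst port, proto)


class NatGateway:
    def __init__(self):
        self.flows = defaultdict(dict)  # dest tuple -> {translated port: private src}
        self.error_port_allocation = 0  # mirrors the ErrorPortAllocation metric

    def open_flow(self, src_ip, dst_ip, dst_port, proto):
        """Return a translated source port for a new flow, or None on exhaustion."""
        dest = (dst_ip, dst_port, proto.lower())
        pool = self.flows[dest]
        if len(pool) >= MAX_PER_DESTINATION:
            self.error_port_allocation += 1  # the packet is dropped, not queued
            return None
        # A translated port only has to be unique per destination tuple, so every
        # new destination IP, port or protocol starts from a fresh range.
        # (Constructed: sequential allocation, no flow teardown in this model.)
        nat_port = 1024 + len(pool)
        pool[nat_port] = src_ip
        return nat_port


def probe_fleet(n_servers, dst_ip="203.0.113.10", dst_port=1812, proto="udp"):
    """Every server in a 10.0.0.0/16 VPC holds one UDP probe open to one server."""
    nat = NatGateway()
    failed = sum(
        nat.open_flow(f"10.0.{i // 256}.{i % 256}", dst_ip, dst_port, proto) is None
        for i in range(n_servers))
    return failed, nat


def other_destination_still_works(nat, dst_ip="203.0.113.10", dst_port=1812):
    """After exhaustion towards (ip, port, udp), the same host over TCP gets a port."""
    same = nat.open_flow("10.0.0.1", dst_ip, dst_port, "udp")
    other = nat.open_flow("10.0.0.1", dst_ip, dst_port, "tcp")
    return same is None and other is not None


if __name__ == "__main__":
    failed, nat = probe_fleet(60_000)  # more probing servers than the per-destination limit
    print(failed, nat.error_port_allocation)   # 5000 5000
    print(other_destination_still_works(nat))  # True
```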

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

Which solution will fix the connectivity failures with the LEAST amount of effort?

A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
C. Update the application server's outbound security group to use the prefix list for Amazon S3 in the same region.
D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.
Suggested answer: C

Explanation:

https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through the on-premises version of the application to serve the small portion of customers who haven't yet upgraded.

What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

A. Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS-based version.
B. Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
C. Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
D. Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use header-based routing to route traffic based on the application version.
Suggested answer: D

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

A. Use a Network Load Balancer to automatically preserve the source IP address.
B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
C. Use a Network Load Balancer and enable the Proxy Protocol v2 attribute.
D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol

An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the ‘Remote’ (receiving) account are already in place.

The template below creates the VPC peering connection in the Originating account. It contains these components:

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  OriginatingVPCId:
    Type: String
  RemoteVPCId:
    Type: String
  RemoteVPCAccountId:
    Type: String
Resources:
  newVPCPeeringConnection:
    Type: 'AWS::EC2::VPCPeeringConnection'
    Properties:
      VpcId: !Ref OriginatingVPCId
      PeerVpcId: !Ref RemoteVPCId
      PeerOwnerId: !Ref RemoteVPCAccountId

Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

A. Resources: NewEC2SecurityGroup: Type: AWS::EC2::SecurityGroup
B. Resources: NetworkInterfaceToRemoteVPC: Type: "AWS::EC2::NetworkInterface"
C. Resources: newEC2Route: Type: AWS::EC2::Route
D. Resources: VPCGatewayToRemoteVPC: Type: "AWS::EC2::VPCGatewayAttachment"
E. Resources: newVPCPeeringConnection: Type: 'AWS::EC2::VPCPeeringConnection' PeerRoleArn: !Ref PeerRoleArn
Suggested answer: C, E

Explanation:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.

What design will use the LEAST amount of IP space, while allowing for this growth?

A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.
B. Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
C. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
D. Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
Suggested answer: C
