ExamGecko
Login
Home / Amazon / ANS-C01 / List of questions
Ask Question

Amazon ANS-C01 Practice Test - Questions Answers, Page 8

List of questions

Question 71

Report
Export
Collapse

Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.

You must prepare the system for global expansion. The end users must access the application with lowest latency.

How should you use AWS services to meet these requirements?

Register the IP addresses of the service hosts as “A” records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
Register the IP addresses of the service hosts as “A” records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.
Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.
Suggested answer: B
asked 16/09/2024
Robert Pila
39 questions

Question 72

Report
Export
Collapse

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.

The instance has a security group configured to allow as follows:

Protocol: TCP

Port: 80 inbound, nothing outbound

The Network ACL for the subnet is configured to allow as follows:

Protocol: TCP

Port: 80 inbound, nothing outbound

When you try to browse to the web server, you receive no response.

Which additional step should you take to receive a successful response?

Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
Suggested answer: D

Explanation:

To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port. The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL. https://aws.amazon.com/premiumsupport/knowledgecenter/ resolve-connection-sg-acl-inbound/

asked 16/09/2024
Freddie Lewis
33 questions

Question 73

Report
Export
Collapse

An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.

Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: “There are not enough free addresses in subnet ‘subnet-12345677’ to satisfy the requested number of instances.” What action will resolve the availability problem?

Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.
Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.
Suggested answer: B
asked 16/09/2024
Ivan Rodrigo Velasco Capote
34 questions

Question 74

Report
Export
Collapse

An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.

What connection option should the organization use to get up and running at minimal cost?

Use an internet connection.
Use an internet connection.
Set up an AWS VPN connection.
Set up an AWS VPN connection.
Provision an AWS Direct Connection private virtual interface.
Provision an AWS Direct Connection private virtual interface.
Provision a Direct Connect public virtual interface.
Provision a Direct Connect public virtual interface.
Suggested answer: A
asked 16/09/2024
Danilo Omaljev
34 questions

Question 75

Report
Export
Collapse

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

The NAT gateway does not support UDP traffic.
The NAT gateway does not support UDP traffic.
The authentication server is not accepting traffic.
The authentication server is not accepting traffic.
The NAT gateway cannot allocate more ports.
The NAT gateway cannot allocate more ports.
The NAT gateway is launched in a private subnet.
The NAT gateway is launched in a private subnet.
Suggested answer: C

Explanation:

Ref: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html"A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. Thislimit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors.

These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch."

asked 16/09/2024
Nika Longley
38 questions

Question 76

Report
Export
Collapse

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

Which solution will fix the connectivity failures with the LEAST amount of effort?

Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.
Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.
Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.
Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.
Suggested answer: C

Explanation:

https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

asked 16/09/2024
vladimir nezgoda
34 questions

Question 77

Report
Export
Collapse

A bank built a new version of its banking application in AWS using containers that content to an onpremises database over VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven’t yet upgraded.

What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the onpremises application version and the rest of the traffic to the new AWS based version.
Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the onpremises application version and the rest of the traffic to the new AWS based version.
Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use header-based routing to route traffic based on the application version.
Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use header-based routing to route traffic based on the application version.
Suggested answer: D
asked 16/09/2024
Muhammad Waheed
41 questions

Question 78

Report
Export
Collapse

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

Use a Network Load Balancer to automatically preserve the source IP address.
Use a Network Load Balancer to automatically preserve the source IP address.
Use a Network Load Balancer and enable the X-Forwarded-For attribute.
Use a Network Load Balancer and enable the X-Forwarded-For attribute.
Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
Use an Application Load Balancer to automatically preserve the source IP address in the XForwarded- For header.
Use an Application Load Balancer to automatically preserve the source IP address in the XForwarded- For header.
Suggested answer: C

Explanation:

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-targetgroups.html#proxy-protocol

asked 16/09/2024
fritz villanueva
48 questions

Question 79

Report
Export
Collapse

An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the ‘Remote’ (receiving) account are already in place.

The template below creates the VPC peering connection in the Originating account. It contains these components:

AWSTemplateFormation Version: 2010-09-09

Parameters:

Originating VCId:

Type: String

RemoteVPCId:

Type: String

RemoteVPCAccountId:

Type: String

Resources: newVPCPeeringConnection:

Type: ‘AWS::EC2::VPCPeeringConnection’

Properties:

VpcdId: !Ref OriginatingVPCId

PeerVpcId: !Ref RemoteVPCId

PeerOwnerId: !Ref RemoteVPCAccountId

Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

Resources:NewEC2SecurityGroup:Type: AWS::EC2::SecurityGroup
Resources:NewEC2SecurityGroup:Type: AWS::EC2::SecurityGroup
Resources:NetworkInterfaceToRemoteVPC:Type: “AWS::EC2NetworkInterface”
Resources:NetworkInterfaceToRemoteVPC:Type: “AWS::EC2NetworkInterface”
Resources:newEC2Route:Type: AWS::EC2::Route
Resources:newEC2Route:Type: AWS::EC2::Route
Resources:VPCGatewayToRemoteVPC:Type: “AWS::EC2::VPCGatewayAttachment”
Resources:VPCGatewayToRemoteVPC:Type: “AWS::EC2::VPCGatewayAttachment”
Resources:newVPCPeeringConnection:Type: ‘AWS::EC2VPCPeeringConnection’PeerRoleArn: !Ref PeerRoleArn
Resources:newVPCPeeringConnection:Type: ‘AWS::EC2VPCPeeringConnection’PeerRoleArn: !Ref PeerRoleArn
Suggested answer: C, E

Explanation:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html

asked 16/09/2024
Sharon Sandhu
43 questions

Question 80

Report
Export
Collapse

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.

What design will use the LEAST amount of IP space, while allowing for this growth?

Use two /29 subnets for an Application Load Balancer in different Availability Zones.
Use two /29 subnets for an Application Load Balancer in different Availability Zones.
Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
Use two /28 subnets for a Network Load Balancer in different Availability Zones.
Use two /28 subnets for a Network Load Balancer in different Availability Zones.
Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
Suggested answer: C

Explanation:

asked 16/09/2024
Myratgeldi Bekdurdyyev
46 questions
Total 153 questions
Go to page: of 16
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.)
A bank built a new version of its banking application in AWS using containers that content to an onpremises database over VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven’t yet upgraded. What design will allow the company to serve both newer and earlier clients in the MOST efficient way?
A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides internal RESTful API service that can be reached by URL ( https://api.example.internal ). Two on-premises Windows DNS servers provide internal DNS resolution. The application on the EC2 instance needs to call the internal API service that is deployed in the onpremises environment. When the application on the EC2 instance attempts to call the internal API service by referring to the hostname that is assigned to the service, the call fails. When a network engineer tests the API service call from the same EC2 instance by using the API service's IP address, the call is successful. What should the network engineer do to resolve this issue and prevent the same problem from affecting other resources in the VPC?
A company has two AWS accounts one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. Which solution will meet these requirements?
A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application. Which solution will meet these requirements in the MOST operationally efficient way?
A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS Organizations through AWS Resource Access Manager (AWS RAM). A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization. The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)
A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB). The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128 0/17. A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments. Which solution will meet these requirements?
An ecommerce company needs to Implement additional security controls on all its domain names that are hosted in Amazon Route 53. The company's new policy requires data authentication and data integrity verification for all queries to the company's domain names. The current Route 53 architecture has four public hosted zones. A network engineer needs to implement DNS Security Extensions (DNSSEC) signing and validation on the hosted zones. The solution must include an alert capability. Which combination of steps will meet these requirements? {Select THREE)