
ANS-C01 Online Practice Questions and Answers

Question 4

A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud. Which solution will meet these requirements while providing the HIGHEST throughput?

A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.

B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.

C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.

D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.

Question 5

A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive a notification each time a new route is advertised to AWS from on premises over Direct Connect. What should a network engineer do to meet these requirements?

A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes. Configure a CloudWatch alarm to send notifications when routes change.

B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes change.

C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change.

D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes. Create a metric filter. Set an alarm on the filter to send notifications when routes change.

Question 6

A company has hundreds of Amazon EC2 instances that are running in two production VPCs across all Availability Zones in the us-east-1 Region. The production VPCs are named VPC A and VPC B. A new security regulation requires all traffic between production VPCs to be inspected before the traffic is routed to its final destination. The company deploys a new shared VPC that contains a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCs to route traffic between VPC A and VPC B through the firewall appliance for inspection. During testing, the company notices that the transit gateway is dropping the traffic whenever the traffic is between two Availability Zones. What should a network engineer do to fix this issue with the LEAST management overhead?

A. In the shared VPC, replace the VPC attachment with a VPN attachment. Create a VPN tunnel between the transit gateway and the firewall appliance. Configure BGP.

B. Enable transit gateway appliance mode on the VPC attachment in VPC A and VPC B.

C. Enable transit gateway appliance mode on the VPC attachment in the shared VPC.

D. In the shared VPC, configure one VPC peering connection to VPC A and another VPC peering connection to VPC B.

Question 7

A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven times during the company's peak event at the end of the year. The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries to the default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domain names. The company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDS and S3 bucket endpoints. Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?

A. Scale out the DNS service by adding two additional EC2 instances in the VPC. Reconfigure half of the HPC cluster nodes to use these new DNS servers. Plan to scale out by adding additional EC2 instance-based DNS servers in the future as the HPC cluster size grows.

B. Scale up the existing EC2 instances that the company is using as DNS servers. Change the instance size to the largest possible instance size to accommodate the current DNS load and the anticipated load in the future.

C. Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for on-premises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-based DNS servers. Terminate the EC2 instances.

D. Create Route 53 Resolver inbound endpoints. Create rules on the on-premises DNS servers to forward queries to the default VPC resolver. Reconfigure the HPC cluster nodes to forward all DNS queries to the on-premises DNS servers. Terminate the EC2 instances.

Question 8

A company has two AWS accounts, one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?

A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Connectivity account: Create an attachment to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.

B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.

D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

Question 9

A company's network engineer is designing a hybrid DNS solution for an AWS Cloud workload. Individual teams want to manage their own DNS hostnames for their applications in their development environment. The solution must integrate the application-specific hostnames with the centrally managed DNS hostnames from the on-premises network and must provide bidirectional name resolution. The solution also must minimize management overhead. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Use an Amazon Route 53 Resolver inbound endpoint.

B. Modify the DHCP options set by setting a custom DNS server value.

C. Use an Amazon Route 53 Resolver outbound endpoint.

D. Create DNS proxy servers.

E. Create Amazon Route 53 private hosted zones.

F. Set up a zone transfer between Amazon Route 53 and the on-premises DNS.
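Questions 7 and 9 both turn on Route 53 Resolver endpoints and forwarding rules. The CloudFormation template below is an added illustration of the hybrid DNS pattern they describe; it is not part of the practice page and not an AWS sample. It builds an inbound endpoint that on-premises DNS servers can forward to, an outbound endpoint with a FORWARD rule for the on-premises domain, and the rule association with the workload VPC. The VPC, subnet, domain name, CIDR and on-premises resolver addresses are placeholder values.

```yaml
# Added example (not from the practice page or from AWS): hybrid DNS with
# Route 53 Resolver endpoints. All parameter defaults are assumed values.
AWSTemplateFormatVersion: "2010-09-09"
Description: Hybrid DNS with Route 53 Resolver inbound/outbound endpoints (example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  ResolverSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Two subnets in different Availability Zones for the endpoint ENIs
  OnPremCidr:
    Type: String
    Default: 10.10.0.0/16          # assumed on-premises address range
  OnPremDnsIp1:
    Type: String
    Default: 10.10.0.53            # assumed on-premises DNS server
  OnPremDnsIp2:
    Type: String
    Default: 10.10.1.53            # assumed on-premises DNS server
  OnPremDomain:
    Type: String
    Default: corp.example.com      # assumed on-premises zone

Resources:
  # Only DNS (TCP/UDP 53) from on premises may reach the endpoint ENIs.
  # The outbound endpoint only needs egress, which the default SG egress allows.
  ResolverSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Route 53 Resolver endpoint ENIs
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref OnPremCidr
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: !Ref OnPremCidr

  # On-premises conditional forwarders for AWS-hosted names point at the
  # ENI addresses of this endpoint (on premises -> AWS direction).
  InboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: hybrid-inbound
      Direction: INBOUND
      SecurityGroupIds:
        - !Ref ResolverSecurityGroup
      IpAddresses:
        - SubnetId: !Select [0, !Ref ResolverSubnetIds]
        - SubnetId: !Select [1, !Ref ResolverSubnetIds]

  # The VPC resolver (.2) sends queries matched by a rule out through these
  # ENIs (AWS -> on premises direction).
  OutboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: hybrid-outbound
      Direction: OUTBOUND
      SecurityGroupIds:
        - !Ref ResolverSecurityGroup
      IpAddresses:
        - SubnetId: !Select [0, !Ref ResolverSubnetIds]
        - SubnetId: !Select [1, !Ref ResolverSubnetIds]

  # Forward only the on-premises domain. Everything else (RDS, S3, private
  # hosted zones) is still answered by the default VPC resolver.
  OnPremForwardRule:
    Type: AWS::Route53Resolver::ResolverRule
    Properties:
      Name: forward-corp
      RuleType: FORWARD
      DomainName: !Ref OnPremDomain
      ResolverEndpointId: !Ref OutboundEndpoint
      TargetIps:
        - Ip: !Ref OnPremDnsIp1
          Port: "53"
        - Ip: !Ref OnPremDnsIp2
          Port: "53"

  # Rules apply per VPC; repeat this association (or share the rule through
  # AWS Resource Access Manager) for every other VPC that needs it.
  OnPremForwardRuleAssociation:
    Type: AWS::Route53Resolver::ResolverRuleAssociation
    Properties:
      ResolverRuleId: !Ref OnPremForwardRule
      VPCId: !Ref VpcId

Outputs:
  InboundEndpointId:
    Value: !Ref InboundEndpoint
```

After deploying (for example with aws cloudformation deploy --template-file hybrid-dns.yaml --stack-name hybrid-dns --parameter-overrides VpcId=... ResolverSubnetIds=...), read the inbound endpoint's ENI addresses with aws route53resolver list-resolver-endpoint-ip-addresses --resolver-endpoint-id <InboundEndpointId> and configure them as the targets of the on-premises conditional forwarders for the AWS private hosted zone names. Nothing in this design depends on instance-based DNS servers: the default VPC resolver handles the RDS and S3 names that fail in Question 7, and it scales with the VPC rather than with a pair of EC2 instances. Teams keep their own hostnames in private hosted zones associated with the VPC; no zone transfer is involved because Route 53 does not support AXFR/IXFR.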

Question 10

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers. The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers. What is the MOST operationally efficient solution that meets these requirements?

A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.

B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.

C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.

D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.

Question 11

A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?

A. Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.

B. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.

C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.

D. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.
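Option C in Question 11 describes publishing a centralized interface endpoint through a private hosted zone whose name is the full service endpoint. The template below is an added example of that wiring for the ssm endpoint only; it is not from the practice page or from AWS. VPC IDs, subnet IDs and the spoke CIDR are placeholders, and a real Systems Manager deployment needs ssmmessages and ec2messages endpoints built the same way.

```yaml
# Added example (not from the practice page or from AWS): one centralized
# interface endpoint exposed to spoke VPCs via a private hosted zone.
AWSTemplateFormatVersion: "2010-09-09"
Description: Centralized SSM interface endpoint published via a private hosted zone (example)

Parameters:
  SharedServicesVpcId:
    Type: AWS::EC2::VPC::Id
  EndpointSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SpokeVpcId:
    Type: AWS::EC2::VPC::Id          # one spoke shown; add one VPCs entry per spoke
  SpokeCidr:
    Type: String
    Default: 10.20.0.0/16            # assumed spoke address range

Resources:
  # Only HTTPS from the spoke ranges (reached over the transit gateway).
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from spoke VPCs to the shared SSM endpoint
      VpcId: !Ref SharedServicesVpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref SpokeCidr

  # Private DNS stays OFF: the endpoint-managed zone would only resolve inside
  # the shared services VPC, so the name is published from our own zone instead.
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref SharedServicesVpcId
      VpcEndpointType: Interface
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm"
      SubnetIds: !Ref EndpointSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: false

  # Zone named after the full regional service endpoint, associated with the
  # shared services VPC and every spoke that should use the endpoint.
  SsmPrivateZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: !Sub "ssm.${AWS::Region}.amazonaws.com"
      VPCs:
        - VPCId: !Ref SharedServicesVpcId
          VPCRegion: !Ref AWS::Region
        - VPCId: !Ref SpokeVpcId
          VPCRegion: !Ref AWS::Region

  # Apex alias to the endpoint's regional DNS name. Each DnsEntries element is
  # "hostedZoneId:dnsName"; the first element is the regional (all-AZ) name.
  SsmAliasRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref SsmPrivateZone
      Name: !Sub "ssm.${AWS::Region}.amazonaws.com"
      Type: A
      AliasTarget:
        HostedZoneId: !Select [0, !Split [":", !Select [0, !GetAtt SsmEndpoint.DnsEntries]]]
        DNSName: !Select [1, !Split [":", !Select [0, !GetAtt SsmEndpoint.DnsEntries]]]
        EvaluateTargetHealth: false
```

Three checks before relying on this: the VPCs list of a hosted zone only accepts VPCs in the same account, so spokes in other accounts are attached with aws route53 create-vpc-association-authorization in the zone owner's account followed by aws route53 associate-vpc-with-hosted-zone from the spoke account; every spoke must have DNS resolution and DNS hostnames enabled, otherwise the private zone is ignored; and for an S3 interface endpoint the same pattern needs an additional wildcard alias (*.s3.<region>.amazonaws.com) so that bucket virtual-hosted names also land on the endpoint.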

Question 12

A company's network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources. Which solution will meet these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.

B. Create custom metrics from Amazon CloudWatch Logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.

C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.

D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.

Question 13

A company's existing AWS environment contains public application servers that run on Amazon EC2 instances. The application servers run in a VPC subnet. Each server is associated with an Elastic IP address. The company has a new requirement for firewall inspection of all traffic from the internet before the traffic reaches any EC2 instances. A security engineer has deployed and configured a Gateway Load Balancer (GLB) in a standalone VPC with a fleet of third-party firewalls. How should a network engineer update the environment to ensure that the traffic travels across the fleet of firewalls?

A. Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.

B. Update the application subnet route table to have a default route to the GLB. On the standalone VPC that contains the firewall fleet, add a route in the route table for the application VPC's CIDR block with the GLB endpoint as the destination. Update the EC2 instances' security group to allow traffic from the GLB.

C. Provision a GLB endpoint in the application VPC in a new subnet. Create a gateway route table with a route that specifies the application subnet CIDR block as the destination and the GLB endpoint as the target. Associate the gateway route table with the internet gateway in the application VPC. Update the application subnet route table's default route destination to be the GLB endpoint.

D. Instruct the security engineer to move the GLB into the application VPC. Create a gateway route table. Associate the gateway route table with the application subnet. Add a default route to the gateway route table with the GLB as its destination. Update the route table on the GLB to direct traffic from the internet gateway to the application servers. Ensure that the EC2 instances' security group allows traffic from the GLB.
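Option C in Question 13 describes VPC ingress routing: a gateway route table attached to the internet gateway that steers inbound traffic for the application subnet through a Gateway Load Balancer endpoint, plus a default route from the application subnet back through the same endpoint. The template below is an added example of that wiring; it is not from the practice page or from AWS. The internet gateway ID, subnet IDs, route table ID, subnet CIDR and the GWLB endpoint service name are placeholders.

```yaml
# Added example (not from the practice page or from AWS): ingress inspection
# via a Gateway Load Balancer endpoint and an internet-gateway route table.
AWSTemplateFormatVersion: "2010-09-09"
Description: Internet ingress inspection through a GWLB endpoint (example)

Parameters:
  AppVpcId:
    Type: AWS::EC2::VPC::Id
  InternetGatewayId:
    Type: String                       # existing IGW attached to AppVpcId
  GwlbEndpointSubnetId:
    Type: AWS::EC2::Subnet::Id         # new dedicated subnet, same AZ as the app subnet
  AppSubnetRouteTableId:
    Type: String                       # existing route table of the application subnet
  AppSubnetCidr:
    Type: String
    Default: 10.0.1.0/24               # assumed application subnet
  GwlbServiceName:
    Type: String                       # com.amazonaws.vpce.<region>.vpce-svc-... from the firewall VPC

Resources:
  # GWLB endpoints are zonal: one endpoint (and one subnet) per AZ in use.
  GwlbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref AppVpcId
      VpcEndpointType: GatewayLoadBalancer
      ServiceName: !Ref GwlbServiceName
      SubnetIds:
        - !Ref GwlbEndpointSubnetId

  # Gateway route table: packets arriving from the internet for the
  # application subnet go to the firewall fleet before the instances.
  IngressRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVpcId

  IngressRouteToFirewall:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref IngressRouteTable
      DestinationCidrBlock: !Ref AppSubnetCidr
      VpcEndpointId: !Ref GwlbEndpoint

  # Edge association: this is what makes it an ingress route table.
  IngressAssociation:
    Type: AWS::EC2::GatewayRouteTableAssociation
    Properties:
      GatewayId: !Ref InternetGatewayId
      RouteTableId: !Ref IngressRouteTable

  # Return path: replies from the instances also traverse the endpoint, so the
  # stateful firewalls see both directions of every flow.
  AppDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppSubnetRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      VpcEndpointId: !Ref GwlbEndpoint

  # The endpoint subnet itself still needs a plain default route to the IGW.
  EndpointSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref AppVpcId

  EndpointSubnetDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref EndpointSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGatewayId

  EndpointSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref GwlbEndpointSubnetId
      RouteTableId: !Ref EndpointSubnetRouteTable
```

Two things this template cannot do for you. If the application subnet already has a 0.0.0.0/0 route to the internet gateway, delete it first (aws ec2 delete-route --route-table-id <rtb> --destination-cidr-block 0.0.0.0/0), because CloudFormation will not overwrite a route it does not own. And the firewall VPC's endpoint service must either have acceptance turned off or its owner must accept the connection (aws ec2 accept-vpc-endpoint-connections --service-id <svc> --vpc-endpoint-ids <vpce>) before traffic flows. Note also that the endpoint is transparent to the workload: the firewalls receive and return the original packets inside GENEVE, so the instances' security groups still see the real client IP and need no rule for the endpoint.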

Question 14

A company uses an AWS Direct Connect private VIF with a link aggregation group (LAG) that consists of two 10 Gbps connections. The company's security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company's network team plans to use MACsec support for Direct Connect to meet the new requirement. Which combination of steps should the network team take to implement this functionality? (Choose three.)

A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.

B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.

C. Associate the Internet Key Exchange (IKE) with the existing LAG.

D. Configure the MACsec encryption mode on the existing LAG.

E. Configure the MACsec encryption mode on the new LAG.

F. Configure the MACsec encryption mode on each Direct Connect connection that makes up the existing LAG.

Question 15

A company uses Amazon Route 53 to host a public hosted zone for example.com. A network engineer recently reduced the TTL on several records to 60 seconds. The network engineer wants to assess whether the change has increased the number of queries to Route 53 beyond the expected levels that the company identified before the change. The network engineer must obtain the number of queries that have been made to the example.com public hosted zone. Which solution will provide this information?

A. Create a new trail in AWS CloudTrail to include Route 53 data events. Send logs to Amazon CloudWatch Logs. Set up a CloudWatch metric filter to count the number of queries and create graphs.

B. Use Amazon CloudWatch to access the AWS/Route53 namespace and to check the DNSQueries metric for the public hosted zone.

C. Use Amazon CloudWatch to access the AWS/Route53Resolver namespace and to check the InboundQueryVolume metric for a specific endpoint.

D. Configure logging to Amazon CloudWatch for the public hosted zone. Set up a CloudWatch metric filter to count the number of queries and create graphs.

Question 16

A global film production company uses the AWS Cloud to encode and store its video content before distribution. The company's three global offices are connected to the us-east-1 Region through AWS Site-to-Site VPN links that terminate on a transit gateway with BGP routing activated. The company recently started to produce content at a higher resolution to support 8K streaming. The size of the content files has increased to three times the size of the content files from the previous format. Uploads of files to Amazon EC2 instances are taking 10 times longer than they did with the previous format. Which actions should a network engineer recommend to reduce the upload times? (Choose two.)

A. Create a second VPN tunnel from each office location to the transit gateway. Activate equal-cost multi-path (ECMP) routing.

B. Modify the transit gateway to activate Jumbo MTU on the VPN tunnels to each office location.

C. Replace the existing VPN tunnels with new tunnels that have acceleration activated.

D. Upgrade each EC2 instance to a modern instance type. Activate Jumbo MTU in the operating system.

E. Replace the existing VPN tunnels with new tunnels that have IGMP activated.

Question 17

A company is migrating applications from a data center to AWS. Many of the applications will need to exchange data with the company's on-premises mainframe. The company needs to achieve 4 Gbps transfer speeds to meet peak traffic demands. A network engineer must design a highly available solution that maximizes resiliency. The solution must be able to withstand the loss of circuits or routers. Which solution will meet these requirements?

A. Order four 10 Gbps AWS Direct Connect connections that are evenly spread over two locations. Terminate one connection from each Direct Connect location to a router at the company location. Terminate the other connection from each Direct Connect location to a different router at the company location.

B. Order two 10 Gbps AWS Direct Connect connections that are evenly spread over two locations. Terminate the connection from each Direct Connect location to a different router at the company location.

C. Order four 1 Gbps AWS Direct Connect connections that are evenly spread over two locations. Terminate one connection from each Direct Connect location to a router at the company location. Terminate the other connection from each Direct Connect location to a different router at the company location.

D. Order two 1 Gbps AWS Direct Connect connections that are evenly spread over two locations. Terminate the connection from each Direct Connect location to a different router at the company location.

Question 18

A team of infrastructure engineers wants to automate the deployment of Application Load Balancer (ALB) components by using the AWS Cloud Development Kit (AWS CDK). The CDK application must deploy an infrastructure stack that is reusable and consistent across multiple environments, AWS Regions, and AWS accounts. The lead network architect on the project has already bootstrapped the target accounts. The lead network architect also has deployed core network components such as VPCs and Amazon Route 53 private hosted zones across the multiple environments and Regions. The infrastructure engineers must design the ALB components in the CDK application to use the existing core network components. Which combination of steps will meet this requirement with the LEAST manual effort between environment deployments? (Choose two.)

A. Design the CDK application to read AWS CloudFormation parameters for the values that vary across environments and Regions. Reference these variables in the CDK stack for resources that require the variables.

B. Design the CDK application to read environment variables that contain account and Region details at runtime. Use these variables as properties of the CDK stack. Use context methods in the CDK stack to retrieve variable values.

C. Create a dedicated account for shared application services in the multi-account environment. Deploy a CDK pipeline to the dedicated account. Create stages in the pipeline that deploy the CDK application across different environments and Regions.

D. Write a script that automates the deployment of the CDK application across multiple environments and Regions. Distribute the script to engineers who are working on the project.

E. Use the CDK toolkit locally to deploy stacks to each environment and Region. Use the --context flag to pass in variables that the CDK application can reference at runtime.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking Specialty Exam
Last Update: May 01, 2024
Questions: 167 Q&As
