ANS-C00 Online Practice Questions and Answers

Your company's policy requires that all VPCs peer with a “common services: VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common service VPC as required by policy. You launch an Amazon EC2. Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC. The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.

Which step should you take to enable access to Amazon S3?

A. Update the S3 bucket policy with the private IP address of the instance.

B. Exclude 169.254.169.0/24 from the instance's proxy configuration.

C. Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.

D. Update the CORS configuration for Amazon S3 to allow traffic from the proxy.

You need to set up a VPN between AWS VPC and your on-premises network. You create a VPN connection in the AWS Management Console, download the configuration file, and install it on your on-premises router. The tunnel is not coming up because of firewall restrictions on your router. Which two network traffic options should you allow through the firewall? (Choose two.)

A. UDP port 500

B. IP protocol 50

C. IP protocol 5

D. TCP port 50

E. TCP port 500

Your company operates a single AWS account. A common services VPC is deployed to provide shared services, such as network scanning and compliance tools. Each AWS workload uses its own VPC, and each VPC must peer with the common services VPC. You must choose the most efficient and cost effective approach.

Which approach should be used to automate the required VPC peering?

A. AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.

B. An OpsWorks Chef recipe to execute a command-line peering request.

C. Cfn-init with AWS CloudFormation to execute a command-line peering request.

D. An AWS CloudFormation template that includes a peering request.

An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.

What connection option should the organization use to get up and running at minimal cost?

A. Use an internet connection.

B. Set up an AWS VPN connection.

C. Provision an AWS Direct Connection private virtual interface.

D. Provision a Direct Connect public virtual interface.

You can turn on the AWS Config service from the AWS CLI by running the subscribe command and passing as parameters a valid IAM role, SNS topic, and ____.

A. EBS volume

B. EC2 instance

C. S3 bucket

D. Kinesis stream

When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains a(n) ____ attribute, which is a JSON-formatted set of key/value pairs the receiving AWS Lambda function processes as part of its evaluation logic.

A. inputParameters

B. invokingEvent

C. ruleConfiguration

D. mappingTemplate

A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

A. AWS Route53

B. AWS EMR

C. AWS ELB

D. AWS RDS

Your company has placement groups in two different availability zones. There is a large project coming up and, although resilience is important, cost and speed are the most important factors. The servers in each placement group need to be able to achieve the highest speed possible.

How can this be achieved?

A. Create AMIs from all of the instances, terminate them, and deploy them all into one placement group.

B. In the CLI, run the command "aws ec2 set-placement-group 1 " for all of the instances.

C. Duplicate the VPC, peer the new VPC, create AMIs of the instances, terminate them, and redeploy them in two separate placement groups between the two VPCs.

D. Peer the two placement groups using AWS PG Peering.

Which statement is NOT true about accessing remote AWS region in the US by your AWS Direct Connect which is located in the US?

A. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.

B. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.

C. If you have a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US.

D. Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.

In Amazon CloudFront, if you need to quickly remove objects from a distribution, you can:

A. delete the objects from cache.

B. invalidate the objects.

C. remove your Amazon S3 bucket.

D. delete your distribution and recreate it.

Which service parses large Flow Logs for consumption by other programs such as Kibana?

A. S3

B. ElasticSearch

C. Elastic Beanstalk

D. Kinesis

Your company has installed an AWS Direct Connect connection in an ap-southeast-1 Direct Connect location. A public virtual interface is configured through a router to a dedicated firewall. You advertise your company's public /24 CIDR block to AWS with AS 65500. The company maintains a separate, corporate Internet firewall to map all outbound traffic to a single IP. This firewall maintains a BGP relationship with an upstream Internet provider that has delegated the public IP block your company uses. When the BGP session for the public virtual interface is up, corporate network users cannot access Amazon S3 resources in the ap-southeast-1 region.

Which step should you take to provide concurrent AWS and Internet access?

A. Configure AS-PATH prepending for the public virtual interface.

B. Advertise a host route for the corporate firewall on the public virtual interface.

C. Advertise a host route for the corporate firewall to the upstream Internet provider.

D. NAT the traffic destined for AWS from the dedicated firewall using the public virtual interface.

A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy.

Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.

What is the MOST reliable way to implement DNS in this scenario?

A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.

B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.

C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.

D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.

A company wants to use thin clients running virtual desktops to replace 500 desktop computers used by its call center employees. The company is evaluating Amazon WorkSpaces as a solution.

A network engineer who is testing with a thin client is unable to connect to Amazon WorkSpaces. After entering credentials, the network engineer receives the following error:

“An error occurred while launching your WorkSpace. Please try again.”

What should the network engineer do to resolve this issue?

A. Update the inbound rules on the network ACL on the subnets used for Amazon WorkSpaces to allow UDP on port 4172 and TCP on port 4172.

B. Update the company's corporate firewall to allow outbound access to UDP on port 4172 and TCP on port 4172. Open inbound ephemeral ports explicitly to allow return communication.

C. Update the inbound rules on the security group assigned to Amazon WorkSpaces to allow UDP on port 4172 and TCP on port 4172.

D. Update the company's corporate firewall to allow inbound access to UDP on port 4172 and TCP on port 4172. Open outbound ephemeral ports explicitly to allow return communication.

A company runs a large-scale application on a fleet of Amazon EC2 instances that are distributed across several VPCs. A Network Load Balancer (NLB) in a separate VPC routes traffic to the EC2 instances. The NLB's VPC is peered to all the application VPCs.

The application must process millions of requests each minute during times of peak utilization. Users are reporting that the connections to the application are failing during peak times. Monitoring shows an increase in port allocation errors on the NLB.

Which action will solve this issue with the LEAST change to the architecture?

A. Increase the number of EC2 instances in the target group.

B. Create an Application Load Balancer for the target group.

C. Add a new target group to the same NLB listener.

D. Change the target group type to "instance."