ANS-C01 Online Practice Questions and Answers

Questions 4

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user's IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?

A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.

B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.

C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.

D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.

Questions 5

A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.)

A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.

B. The security group is blocking traffic to the IP address range used by Amazon SQS.

C. There is no interface VPC endpoint configured for Amazon SQS.

D. The network ACL is blocking return traffic from Amazon SQS.

E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.

Questions 6

A company has two AWS accounts, one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?

A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
   2. In the Connectivity account: Accept the resource.
   3. In the Connectivity account: Create an attachment to the VPC subnets.
   4. In the Production account: Accept the attachment. Associate a route table with the attachment.

B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
   2. In the Connectivity account: Accept the resource.
   3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
   4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
   2. In the Production account: Accept the resource.
   3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
   4. In the Production account: Accept the attachment. Associate a route table with the attachment.

D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
   2. In the Production account: Accept the resource.
   3. In the Production account: Create an attachment to the VPC subnets.
   4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

Questions 7

A company's network engineer is designing a hybrid DNS solution for an AWS Cloud workload. Individual teams want to manage their own DNS hostnames for their applications in their development environment. The solution must integrate the application-specific hostnames with the centrally managed DNS hostnames from the on-premises network and must provide bidirectional name resolution. The solution also must minimize management overhead. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Use an Amazon Route 53 Resolver inbound endpoint.

B. Modify the DHCP options set by setting a custom DNS server value.

C. Use an Amazon Route 53 Resolver outbound endpoint.

D. Create DNS proxy servers.

E. Create Amazon Route 53 private hosted zones.

F. Set up a zone transfer between Amazon Route 53 and the on-premises DNS.

Questions 8

A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs. Which route table configurations on the transit gateway will meet these requirements?

A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.

C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

Questions 9

A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers. Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones. What should a network engineer do to meet these requirements?

A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.

B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.

C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.

D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.

Questions 10

A company uses an AWS Direct Connect private VIF with a link aggregation group (LAG) that consists of two 10 Gbps connections. The company's security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company's network team plans to use MACsec support for Direct Connect to meet the new requirement. Which combination of steps should the network team take to implement this functionality? (Choose three.)

A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.

B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.

C. Associate the Internet Key Exchange (IKE) with the existing LAG.

D. Configure the MACsec encryption mode on the existing LAG.

E. Configure the MACsec encryption mode on the new LAG.

F. Configure the MACsec encryption mode on each Direct Connect connection that makes up the existing LAG.

Questions 11

A company hosts its IT infrastructure in an on-premises data center. The company wants to migrate the infrastructure to the AWS Cloud in phases. A network engineer wants to set up a 10 Gbps AWS Direct Connect dedicated connection between the on-premises data center and VPCs. The company's network provider needs 3 months to provision the Direct Connect connection. In the meantime, the network engineer implements a temporary solution by deploying an AWS Site-to-Site VPN connection that terminates to a virtual private gateway. The network engineer observes that the bandwidth of the Site-to-Site VPN connection is capped at 1.25 Gbps despite a powerful customer gateway device. What should the network engineer do to improve the VPN connection bandwidth before the implementation of the Direct Connect connection?

A. Contact AWS Support to request a bandwidth quota increase for the existing Site-to-Site VPN connection.

B. Discuss the issue with the hardware vendor. Buy a bigger and more powerful customer gateway device that has faster encryption and decryption capabilities.

C. Create several additional Site-to-Site VPN connections that terminate on the same virtual gateway. Configure equal-cost multi-path (ECMP) routing to use all the VPN connections simultaneously.

D. Create a transit gateway. Attach the VPCs to the transit gateway. Create several additional Site-to-Site VPN connections that terminate on the transit gateway. Configure equal-cost multi-path (ECMP) routing to use all the VPN connections simultaneously.

Questions 12

A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment. The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS environment to the on-premises network. Which combination of steps should the network engineer take to establish VPN connectivity between the transit gateway and the on-premises network? (Choose three.)

A. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).

B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).

C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.

D. Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.

E. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device's external interface.

F. Create a customer gateway without specifying the IP address of the customer gateway device.

Questions 13

A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates. The company is using HTTPS for encryption in transit. The company needs additional field-level encryption to keep sensitive data encrypted during processing so that only certain application components can decrypt the sensitive data. Which combination of steps will meet these requirements? (Choose two.)

A. Import the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.

B. Import the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.

C. Upload the private key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.

D. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption configuration, and specify the fields that contain sensitive information. Create a field-level encryption profile, and choose the newly created configuration. Link the profile to the appropriate cache behavior that is associated with sensitive GET requests.

E. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking Specialty Exam
Last Update: May 03, 2024
Questions: 167