Amazon (ANS-C01) Exam Questions And Answers page 28
You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.
Which three factors that must be supported should you consider when choosing the customer router? (Choose three.)
Which three factors that must be supported should you consider when choosing the customer router? (Choose three.)
802.1ax or 802.3ad link aggregation
OSPF
BGP
single-mode optical fiber connectivity
1-Gbps copper connectivity
AWS Networking Services
Network Security and Optimization
You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link.
How should you design routing to meet these requirements?
How should you design routing to meet these requirements?
Configure a single routing table with two default routes: one to the Internet via an IGW, the other to the on-premises network via the VGW. Use this routing table across all subnets in your VPC.
Configure two routing tables: one that has a default route via the IGW, and another that has a default route via the VGW. Associate both routing tables with each VPC subnet.
Configure a single routing table with a default route via the IGW. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnet.
Configure a single routing table with a default route via the IGW. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
AWS Networking Services
Hybrid Networking
You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect.
You have to bring the web server down for maintenance, what two things should you do? (Choose two.)
You have to bring the web server down for maintenance, what two things should you do? (Choose two.)
Reboot the instance.
Move the ENI from one server to the other.
Associate the new ENI with the database security group.
Configure a secondary ENI on the standby instance.
AWS Networking Services
Network Security and Optimization
You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in front of the application tier. The application tier is driven through RESTful interfaces. The data tier uses relational database service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit.
What ELB configuration complies with the corporate encryption policy?
What ELB configuration complies with the corporate encryption policy?
Configure the ELB load balancer protocol as HTTP. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
Configure the ELB protocols in TCP mode. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
Configure the ELB load balancer protocol as HTTPS. Offload application instance encryption to the load balancer. Install your SSL certificate on Amazon RDS, and configure SSL.
Configure the ELB protocols in SSL mode. Offload application instance encryption to the load balancer. Install your SSL/TLS certificate on Amazon RDS, and configure SSL.
AWS Networking Services
Network Security and Optimization
You are preparing to launch Amazon WorkSpaces and need to configure the appropriate networking resources.
What must be configured to meet this requirement?
What must be configured to meet this requirement?
At least two subnets in different Availability Zones.
A dedicated VPC with Active Directory Services.
An IPsec VPN to on-premises Active Directory.
Network address translation for outbound traffic.
AWS Networking Services
You are responsible for several EC2 instances deployed from Amazon AMIs that are required to upload information to an S3 bucket. This information must not traverse the public internet. You must also be able to update the instances. Which option is your best solution?
An S3 endpoint and a NAT
An S3 endpoint
A VPN to the IP addresses specified in the AWS official S3 prefix list
A NACL with the AWS prefix list added to it and a VPN.
AWS Networking Services
Network Security and Optimization
You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 נ7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud. Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets.
Select the correct network configuration that best facilitates your company's continued growth plans.
Select the correct network configuration that best facilitates your company's continued growth plans.
Provision a Direct Connect connection - between your service provider's data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required
Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option
Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option
Provision a Direct Connect connection between your existing service provider's data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual Interface
AWS Networking Services
Network Security and Optimization
You are the network engineer at your company, and you are noticing issues with QoS in you're the traffic to your instances hosting a VOIP program. You need to inspect the network packets to determine if it is a programming error or a networking error. How should you do this?
Configure a network monitoring program on every instance and stream the logs to an S3 bucket to be parsed.
Use CloudWatch
Set up another instance with an ENI added to act as a monitoring interface. Set the port to "promiscuous mode" and sniff the traffic to analyze the packets. Then output this single stream to an S3 bucket to be parsed.
Inspect Flow Logs
Network Security and Optimization
Network Automation and Optimization
You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?
You configured the rule number to be too low.
A NACL can't protect against a DDoS.
The DDoS isn't a TCP attack.
You need to add a deny rule outbound also since NACLs are stateful.
Network Security and Optimization
You are using the CLI to assign multiple IP addresses to interfaces. The operation fails. What is the most likely reason?
You cannot assign IP addresses in the CLI.
You can only assign 5 IP addresses at a time through the CLI.
One or more of the IP addresses could not be assigned.
All of the IP addresses could not be assigned.
Networking Fundamentals
Network Security and Optimization
Comments