Amazon (ANS-C01) Exam Questions And Answers page 35
You need to find the subnet, the security group and the VPC that your instance is associated with. You only have access to the terminal of an instance with an admin role attached.
What is the first part of the command you would use?
aws ec2 describe-instances
aws vpc describe-all
aws ec2 describe-security-groups
Networking Fundamentals
AWS Networking Services
You need to quickly view inbound traffic to an instance to determine why it isn't reaching the instance properly. What is the best tool for this?
Wireshark
CloudWatch
CloudTrail
Flow Logs
AWS Networking Services
Network Security and Optimization
You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the lowest latency and the highest packet-per-second network performance. The application will talk to other servers in a peered VPC.
Which two of the following components should be part of the design? (Choose two.)
Select an instance with support for single root I/O virtualization.
Select an instance that has support for multiple ENAs.
Ensure that the instance supports jumbo frames and set 9001 MTU.
Select an instance with Amazon Elastic Block Store (EBS)-optimization.
Ensure that proper OS drivers are installed.
AWS Networking Services
Network Security and Optimization
You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. Neither EC2 instances in the public or private subnets are able to access the S3 bucket.
What should you do to enable Amazon S3 access from EC2 instances in the private subnet?
Add the CIDR address range of the private subnet to the S3 bucket policy.
Add the VPC-E identifier to the S3 bucket policy.
Add the VPC identifier for the production VPC to the S3 bucket policy.
Add the VPC-E identifier for the production VPC to endpoint policy.
AWS Networking Services
Network Security and Optimization
You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?
The inbound network access control list is blocking the traffic.
The outbound network access control list is blocking the traffic.
The inbound security group is blocking the traffic.
The outbound security group is blocking the traffic.
AWS Networking Services
Network Security and Optimization
Your Amazon Kinesis application receives data streams from thousands of devices. The data is then stored in an on-premises Hadoop cluster. You are concerned about historical data that shows periods of sustained traffic between 1 Gbps and 2 Gbps during peaks. You must ensure that you have secure, fault-tolerant connectivity between Amazon Kinesis and your data center.
What should you implement to address these needs?
Deploy a single 1-Gbps Direct Connect connection with a VPN backup.
Deploy three 1-Gbps Direct Connect connections.
Deploy two 1-Gbps Direct Connect connections.
Set up an IPsec VPN connection over Direct Connect with two tunnels.
AWS Networking Services
Network Security and Optimization
Your application is hosted behind an Elastic Load Balancer (ELB) within an autoscaling group. The autoscaling group is configured with a minimum of 2, a maximum of 14, and a desired value of 2. The autoscaling cooldown and the termination policies are set to the default value.
CloudWatch reports that the site typically requires just two servers, but spikes at the start and end of the business day can require eight to ten servers. You receive intermittent reports of timeouts and partially loaded web pages.
Which configuration change should you make to address this issue?
Configure connection draining on the ELB.
Configure the autoscaling cooldown to 600 seconds.
Configure the termination policy to oldest instance.
Configure a Terminating: Wait lifecycle hook on a scale in event.
AWS Networking Services
Network Security and Optimization
Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?
Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
Configure an outbound rule on the application server instance security group for the Git repository.
Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
Configure an inbound rule on the application server instance security group for the Git repository.
AWS Networking Services
Network Security and Optimization
Your AWS WorkSpaces users are unable to authenticate. What could be one reason for this?
Your AD server is running Windows Server 2016
Port 3389 is not open to your AD server.
Port 389 is not open to your AD server.
Your AD server is running Windows Server 2012 Core Edition.
AWS Networking Services
Network Security and Optimization
Your boss decides to assign an Elastic IP to a production instance. Once he does this, access to the URL for that website fails. What happened?
The original IP address was released back to AWS when the Elastic IP was assigned.
Your boss only needs to restart the Apache service.
Your boss should have turned off the server before assigning the IP address.
Your boss needs to restart the server.
AWS Networking Services
Network Security and Optimization