Amazon (ANS-C01) Exam Questions And Answers page 41
Your website is under attack and a malicious party is stealing large amounts of data. You have default NACL rules. Stopping the attack is the ONLY priority in this case. Which two commands should you use? (Choose two.)
aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --egress --rule-number 100
aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100
aws ec2 create-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100 --protocol -1 --port-range From=-1,To=-1 --cidr-block 0.0.0.0/0 --rule-action deny
Network Security and Optimization
Network Automation and Optimization
Your website utilizes EC2, S3, ELB-Classic, and CloudFront. Your manager has shifted focus to security and wants you to ensure the site is as secure as possible. What two items could you recommend? (Choose two.)
An NACL that blocks all ports to your subnets.
A restricted bucket policy.
A WAF on the load balancer.
A WAF on your CloudFront distribution.
Hybrid Networking
Network Security and Optimization
You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?
Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
Modify the network access control list on the VPC to allow DNS queries from on-premises systems.
Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
Update the on-premises forwarders with the four name servers assigned to the private hosted zone.
AWS Networking Services
Network Security and Optimization
You want to ensure you have the absolute best transmission rates inside and outside your VPC. You are concerned about the MTU settings. What is the best way to configure your T2 instances to ensure the best compatibility?
Set all MTU to 1500 as that is the best way to ensure compatibility.
Leave everything as is.
Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.
Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.
Network Security and Optimization
Network Automation and Optimization
You want to send a broadcast message to your 10.0.0.0/24 subnet. Which one of these addresses should you use?
10.0.0.255
10.0.0.1
10.0.0.2
You cannot send a broadcast in an AWS VPC.
Networking Fundamentals
You wish to access all European regions using your Direct Connect connection. How should you accomplish this?
Peer VPCs in the different regions and connect DX to one of the regions to communicate with the other.
Use a DX Gateway.
Find the prefix list for the other region and add it to your route table.
One DX connection will connect you to all regions.
Networking Fundamentals
AWS Networking Services
You wish to have a sub-1G connection to AWS to save on costs. How can you achieve this?
Just set your router to the speed you want and AWS will charge you based on the actual speed of the port.
Contact AWS; they will put you in contact with a technical account manager who can help you get this set up.
You can't. The only speeds available for Direct Connect are 1G and 10G.
Contact an AWS partner; AWS does not provide sub-1G connection speeds.
AWS Networking Services
Network Security and Optimization
You wish to host a mailserver on an EC2 instance. What two steps must you take to ensure utmost reliability?
Create an EIP for the instance.
Configure the mail service to serve as an open relay.
Contact AWS to have a Reverse DNS record configured and to help keep your domain from SPAM blacklists.
Provide open security group access to your instance on ports 25, 3389 and 22.
AWS Networking Services
Network Security and Optimization
You work for a company that has several instances running with automatically assigned public IPs. You performed an upgrade that required you to restart the instances from the console and your DNS records don't work anymore. What happened?
Your network interfaces need to be reinitialized
You need to restart Route 53
Restarting too many instances at once overloads the system
The instances changed their public IP addresses on restart
Networking Fundamentals
You work for an international corporation that uses AWS. Due to regulations, you are now required to route the US and China to two different websites. You set up the records and now no other countries can access your site.
Why is this?
You forgot to set a default geolocation record.
You probably broke your DNS.
You must have a geolocation in place for every country.
Geolocation features are only available in CloudFront.
Networking Fundamentals
Network Security and Optimization