Amazon (ANS-C01) Exam Questions And Answers page 6
A company that provides a RESTful API is designing a network architecture for deployment to the AWS Cloud. The company needs a scalable design that is cost-optimized and secure. The company is conducting pre-release testing with some of its customers, but the company expects to expand to several hundred customers when the final version is released.
The data that is exchanged through the API is confidential. All data must be exchanged on private IP addresses that are not accessible through the internet. All customers who use the API operate on AWS in VPCs.
What should the company do with its architecture to meet these requirements?
Use AWS PrivateLink endpoints in customer VPCs as the front end for an AWS Fargate containers deployment with auto scaling enabled.
Use an Amazon API Gateway API with a regional API endpoint as the front end for all API interactions that invoke AWS Lambda functions.
Use an Amazon API Gateway API with an edge-optimized API endpoint as the front end for all API interactions that invoke AWS Lambda functions.
AWS Networking Services
Network Security and Optimization
A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25 customers. The company creates a unique hostname for each customer to use to access the application. Hostnames use the format customer-name.example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application. When a customer visits customer-name.example.com, the ALB should route the request to the correct group of EC2 instances. The company requires a highly available solution that is easy to maintain.
Which solution meets these requirements at the LOWEST cost?
Create one ALB for all customers. Create a listener rule that includes an HTTP header condition to match the URL. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
Create one ALB for each customer. Configure the listener to route requests to the customer target group. Configure an NGINX proxy server to manage connections to each ALB. Use Amazon Route 53 to create a CNAME record for each customer-name.example.com hostname that points to the NGINX proxy server.
Create one ALB for all customers. Create a listener rule that includes a Host header condition to match the hostname. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
Create one ALB for each customer. Configure the listener to route requests to the customer target group. Create an Amazon CloudFront distribution. Add each ALB to the distribution as a custom origin. Use Amazon Route 53 to create an alias for each customer-name.example.com hostname that points to the CloudFront distribution.
Networking Fundamentals
AWS Networking Services
A company uses an AWS Site-to-Site VPN to connect its corporate network. The company recently added an AWS Direct Connect connection. A network engineer wants all traffic to use the Direct Connect connection, and for the VPN to be used as backup. However, after the Direct Connect connection was added, traffic continued to pass through the VPN connection.
What should the network engineer do to route the traffic through the Direct Connect connection?
Add routes to the VPC route tables that specify the Direct Connect connection.
Set local preference BGP community tags on the on-premises router.
Advertise the same network routes over the Direct Connect connection and VPN connection.
Ensure the Direct Connect connection AS_PATH is longer than the VPN connection AS_PATH.
AWS Networking Services
Network Security and Optimization
A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3.
Which configuration values is the network engineer required to provide? (Choose two.)
Connection speed
VLAN ID
IP prefixes to advertise
Direct Connect location
Virtual private gateway
AWS Networking Services
Network Security and Optimization
A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.
What steps must be taken to order the cross-connect at the Direct Connect location?
Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.
Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.
Obtain one LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The facility operator will ensure that the cross-connect is installed.
Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.
Networking Fundamentals
AWS Networking Services
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?
Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs.
Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network.
Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network.
Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.
AWS Networking Services
Network Security and Optimization
A company uses multiple AWS accounts within AWS Organizations and has services deployed in a single AWS Region. The instances in a private subnet occasionally download patches from the internet through a NAT gateway. The company recently migrated from VPC peering to AWS Transit Gateway. The cumulative traffic through deployed NAT gateways is less than 1 Gbps. The NAT gateway hourly charge contributes to most of the NAT gateway costs across all linked accounts.
What should the company do to reduce NAT gateway hourly costs?
Deploy and use NAT gateways in the same Availability Zone as the heavy-traffic resources.
Move to a centralized NAT gateway architecture with NAT gateways deployed in an egress VPC. Use VPC peering to send traffic through the centralized NAT gateways.
Use VPC endpoints to send traffic to AWS services in the same Region.
Move to a centralized NAT gateway architecture with NAT gateways deployed in an egress VPC. Use AWS Transit Gateway to send traffic through the centralized NAT gateways.
AWS Networking Services
Network Security and Optimization
A company wants to conduct a proof of concept for an SAP HANA application with a key objective to automate the provisioning of infrastructure and the application. The company operates a hybrid cloud infrastructure with AWS Direct Connect between its data center and VPC. Security policy dictates that all traffic from AWS be routed through on-premises data center firewalls. Security policy also prohibits the use of a VPC internet gateway for internet access. The company enforces use of a forward proxy server for all outbound network traffic. All resources inside the VPC are able to reach on-premises servers.
All Amazon EC2 Linux instances require package updates over the internet. However, the updates are failing and returning errors.
What would cause these errors?
Inbound security groups are configured incorrectly on the EC2 instances running in the VPC.
The VPC route table does not have entries for the proxy server in the data center.
The EC2 instances are not configured to use the proxy running in the data center for traffic on TCP port 80.
The data center firewall is blocking all traffic sent from the VPC CIDR range destined for 0.0.0.0/0.
Hybrid Networking
Network Security and Optimization
A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group:
The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC.
Why is the solution failing to meet the compliance requirement?
The security group cannot filter outbound traffic to the Amazon DNS servers.
The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.
The security group cannot filter outbound traffic to destinations within the same VPC.
Network Security and Optimization