
ANS-C01 Online Practice Questions and Answers

Questions 4

A retail company is running its service on AWS. The company's architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway. The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage. Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.

B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.

C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.

D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Questions 5

A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application. The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth. What should a network engineer do to meet these requirements with the LEAST operational overhead?

A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.

B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute traffic from the Direct Connect private VIF to the new VPNs.

C. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the new Direct Connect connections. Decommission the original Direct Connect connections.

D. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections. Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site connections. Decommission the original Direct Connect connections.

Questions 6

A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway. Which solution will meet these requirements?

A. Create a new VPC for the SD-WAN hub virtual appliance. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.

B. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

C. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.

D. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the VXLAN and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

Questions 7

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. Which solution will meet these requirements?

A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.

B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.

C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

Questions 8

A company is developing an application in which IoT devices will report measurements to the AWS Cloud. The application will have millions of end users. The company observes that the IoT devices cannot support DNS resolution. The company needs to implement an Amazon EC2 Auto Scaling solution so that the IoT devices can connect to an application endpoint without using DNS. Which solution will meet these requirements MOST cost-effectively?

A. Use an Application Load Balancer (ALB)-type target group for a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set up the IoT devices to connect to the IP addresses of the NLB.

B. Use an AWS Global Accelerator accelerator with an Application Load Balancer (ALB) endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set up the IoT devices to connect to the IP addresses of the accelerator.

C. Use a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the NLB.

D. Use an AWS Global Accelerator accelerator with a Network Load Balancer (NLB) endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the accelerator.

Questions 9

A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the application with the least amount of latency. Which change should a network engineer make in the infrastructure to meet these requirements?

A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.

B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution's origin.

C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator endpoint.

D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to the ALB.

Questions 10

A company has a hybrid cloud environment. The company's data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

A. Create the interface endpoint for Amazon SQS with the option for private DNS names turned on.

B. Create the interface endpoint for Amazon SQS with the option for private DNS names turned off.

C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Add necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.

D. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.com with previously created necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.

E. Access the SQS endpoint by using the public DNS name sqs.us-east-1.amazonaws.com in VPCs and on premises.

F. Access the SQS endpoint by using the private DNS name of the interface endpoint .sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises.

Questions 11

A network engineer needs to provide dual-stack connectivity between a company's office location and an AWS account. The company's on-premises router supports dual-stack connectivity, and the VPC has been configured with dual-stack support. The company has set up two AWS Direct Connect connections to the office location. This connectivity must be highly available and must be reliable for latency-sensitive traffic. Which solutions will meet these requirements? (Choose two.)

A. Configure a single private VIF on each Direct Connect connection. Add both IPv4 and IPv6 peering to each private VIF. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

B. Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

C. Configure a single private VIF and IPv4 peering on each Direct Connect connection. Configure the on-premises equipment with this peering to advertise the IPv6 routes in the same BGP neighbor configuration. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

D. Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise all IPv4 routes and IPv6 routes on all peering sessions. Keep the Bidirectional Forwarding Detection (BFD) configuration unchanged.

E. Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Reduce the BGP hello timer to 5 seconds on both the on-premises equipment and the Direct Connect configuration.

Questions 12

Two companies are merging. The companies have a large AWS presence with multiple VPCs and are designing connectivity between their AWS networks. Both companies are using AWS Direct Connect with a Direct Connect gateway. Each company also has a transit gateway and multiple AWS Site-to-Site VPN connections from its transit gateway to on-premises resources. The new solution must optimize network visibility, throughput, logging, and monitoring. Which solution will meet these requirements?

A. Configure a Site-to-Site VPN connection between each company's transit gateway to establish reachability between the respective networks. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use VPC Reachability Analyzer to monitor connectivity.

B. Configure a Site-to-Site VPN connection between each company's transit gateway to establish reachability between the respective networks. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use AWS Transit Gateway Network Manager to monitor the transit gateways and their respective connections.

C. Configure transit gateway peering between each company's transit gateway. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use VPC Reachability Analyzer to monitor connectivity.

D. Configure transit gateway peering between each company's transit gateway. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use AWS Transit Gateway Network Manager to monitor the transit gateways, their respective connections, and the transit gateway peering link.

Questions 13

A team of infrastructure engineers wants to automate the deployment of Application Load Balancer (ALB) components by using the AWS Cloud Development Kit (AWS CDK). The CDK application must deploy an infrastructure stack that is reusable and consistent across multiple environments, AWS Regions, and AWS accounts. The lead network architect on the project has already bootstrapped the target accounts. The lead network architect also has deployed core network components such as VPCs and Amazon Route 53 private hosted zones across the multiple environments and Regions. The infrastructure engineers must design the ALB components in the CDK application to use the existing core network components. Which combination of steps will meet this requirement with the LEAST manual effort between environment deployments? (Choose two.)

A. Design the CDK application to read AWS CloudFormation parameters for the values that vary across environments and Regions. Reference these variables in the CDK stack for resources that require the variables.

B. Design the CDK application to read environment variables that contain account and Region details at runtime. Use these variables as properties of the CDK stack. Use context methods in the CDK stack to retrieve variable values.

C. Create a dedicated account for shared application services in the multi-account environment. Deploy a CDK pipeline to the dedicated account. Create stages in the pipeline that deploy the CDK application across different environments and Regions.

D. Write a script that automates the deployment of the CDK application across multiple environments and Regions. Distribute the script to engineers who are working on the project.

E. Use the CDK toolkit locally to deploy stacks to each environment and Region. Use the --context flag to pass in variables that the CDK application can reference at runtime.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking Specialty Exam
Last Update: Oct 19, 2024
Questions: 220