
ANS-C01 Online Practice Questions and Answers

Questions 4

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6.

A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.

Which solution will meet these requirements?

A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.

C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Questions 5

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.

The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.

What is the MOST operationally efficient solution that meets these requirements?

A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.

B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.

C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.

D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.

Questions 6

A company is growing rapidly. Data transfers between the company's on-premises systems and Amazon EC2 instances that run in VPCs are limited by the throughput of a single AWS Site-to-Site VPN connection between the company's on-premises data center firewall and an AWS Transit Gateway.

A network engineer must resolve the throttling by designing a solution that is highly available and secure. The solution also must scale the VPN throughput from on premises to the VPC resources to support the increase in traffic.

Which solution will meet these requirements?

A. Configure multiple dynamic BGP-based Site-to-Site VPN connections to the transit gateway. Configure equal-cost multi-path routing (ECMP).

B. Configure multiple static routing-based Site-to-Site VPN connections to the transit gateway. Configure equal-cost multi-path routing (ECMP).

C. Configure a new Site-to-Site VPN connection to the transit gateway. Enable acceleration for the Site-to-Site VPN connection.

D. Configure a software appliance-based VPN connection over the internet from the on-premises firewall to an EC2 instance that has a large instance size and networking capabilities.

Questions 7

A company is establishing connectivity between its on-premises site and an existing VPC on AWS to meet a new security requirement. According to the new requirement, all public DNS queries must use an on-premises DNS security solution. The company's security team has allowed an exception for the AWS service endpoints because the company is using VPC endpoints to access AWS services.

Which combination of steps should a network engineer take to configure the architecture to meet these requirements? (Choose three.)

A. Create a system rule for the domain name "." (dot) with a target IP address of the on-premises DNS security solution.

B. Create a new DHCP options set that provides the IP address of the on-premises DNS security solution. Update the VPC to use this new DHCP options set.

C. Create an Amazon Route 53 Resolver inbound endpoint. Associate this endpoint with the VPC.

D. Create an Amazon Route 53 Resolver outbound endpoint. Associate this endpoint with the VPC.

E. Create a system rule for the domain name amazonaws.com.

F. Create a forwarding rule for the domain name "." (dot) with a target IP address of the on-premises DNS security solution.

Questions 8

A company wants to migrate its DNS registrar and DNS hosting to Amazon Route 53. The company website receives tens of thousands of visits each day, and the company's current DNS provider cannot keep up. The company wants to migrate as quickly as possible but cannot tolerate any downtime.

Which solution will meet these requirements?

A. Transfer the domain name to Route 53. Create a Route 53 private hosted zone, and copy all the existing DNS records. Update the name servers on the domain to use the name servers that are specified in the newly created private hosted zone.

B. Copy all DNS records from the existing DNS servers to a Route 53 private hosted zone. Update the name servers with the existing registrar to use the private hosted zone name servers. Transfer the domain name to Route 53. Ensure that all the changes have propagated.

C. Transfer the domain name to Route 53. Create a Route 53 public hosted zone, and copy all the existing DNS records. Set the TTL value on each record to 1 second. Update the name servers on the domain to use the name servers that are specified in the newly created public hosted zone.

D. Copy all DNS records from the existing DNS servers to a Route 53 public hosted zone. Update the name servers with the existing registrar to use the Route 53 name servers for the hosted zone. When the changes have propagated, perform a domain name transfer to Route 53.

Questions 9

A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment.

The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS environment to the on-premises network.

Which combination of steps should the network engineer take to establish VPN connectivity between the transit gateway and the on-premises network? (Choose three.)

A. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).

B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).

C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.

D. Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.

E. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device's external interface.

F. Create a customer gateway without specifying the IP address of the customer gateway device.

Questions 10

A company has a 2 Gbps AWS Direct Connect hosted connection from the company's office to a VPC in the ap-southeast-2 Region. A network engineer adds a 5 Gbps Direct Connect hosted connection from a different Direct Connect location in the same Region. The hosted connections are connected to different routers from the office with an iBGP session running in between the routers.

The network engineer wants to ensure that the VPC uses the 5 Gbps hosted connection to route traffic to the office. Failover to the 2 Gbps hosted connection must occur when the 5 Gbps hosted connection is down.

Which solution will meet these requirements?

A. Configure an outbound BGP policy from the router that is connected to the 2 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.

B. Advertise a longer prefix route from the router that is connected to the 2 Gbps connection.

C. Advertise a less specific route from the router that is connected to the 5 Gbps connection.

D. Configure an outbound BGP policy from the router that is connected to the 5 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.

Questions 11

A company has a new AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has created a new private VIF on this connection. However, the VIF status is DOWN.

A network engineer verifies that the physical connection status is UP and RUNNING based on information from the AWS Management Console. The network engineer checks the customer Direct Connect router and can see the ARP entry for the VLAN interface created for the private VIF at AWS.

What could be causing the private VIF to have a DOWN status?

A. ICMP is blocked on the customer Direct Connect router.

B. TCP port 179 is blocked on the customer Direct Connect router.

C. The IEEE 802.1Q VLAN identifier is misconfigured on the customer Direct Connect router.

D. The company has configured IEEE 802.1ad instead of 802.1Q on the customer Direct Connect router.

Questions 12

A company is replatforming a legacy data processing solution to AWS. The company deploys the solution on Amazon EC2 instances in private subnets that are in one VPC.

The solution uses Amazon S3 for object storage. Both the data that the solution processes and the data the solution produces are stored in Amazon S3. The solution uses Amazon DynamoDB to save its own state. The company collects flow logs for the VPC. The solution uses one NAT gateway to register its license through the internet. A software vendor provides a specific hostname so the solution can register its license.

The company notices that the AWS bill exceeds the projected budget for the solution. A network engineer uses AWS Cost Explorer to investigate the bill. The network engineer notices that the USE2-NatGateway-Bytes($) usage type is the root cause of the higher than expected bill.

What should the network engineer do to resolve the issue? (Choose two.)

A. Set up Amazon VPC Traffic Mirroring. Analyze the traffic to identify the traffic that the NAT gateway processes.

B. Examine the VPC flow logs to identify the traffic that traverses the NAT gateway.

C. Set up an AWS Cost and Usage Report in the AWS Billing and Cost Management console. Examine the report to find more details about the NAT gateway charges.

D. Verify that the security groups attached to the EC2 instances allow outgoing traffic only to the IP addresses that the hostname resolves to, the VPC CIDR block, and the AWS IP address ranges for Amazon S3 and DynamoDB.

E. Verify that the gateway VPC endpoints for Amazon S3 and DynamoDB are both set up and associated with the route tables of the private subnets.

Questions 13

A financial company offers investment forecasts and recommendations to authorized users through the internet. All the services are hosted in the AWS Cloud. A new compliance requirement states that all the internet service traffic from any host must be logged and retained for 2 years. In its development AWS accounts, the company has designed, tested, and verified a solution that uses Amazon VPC Traffic Mirroring with a Network Load Balancer (NLB) as the traffic mirror target. While the solution runs in one AWS account, the solution mirrors the traffic to another AWS account.

A network engineer notices that not all traffic is mirrored when the solution is deployed into the production environment. The network engineer also notices that this behavior is random.

Which statements are possible explanations for why not all the traffic is mirrored? (Choose two.)

A. The security groups are misconfigured on the production AWS account that hosts the company's services.

B. The Amazon EC2 instance that is being monitored cannot handle the extra traffic that Traffic Mirroring has introduced.

C. The IAM policy that allows the creation of traffic mirror sessions is misconfigured.

D. The mirrored traffic has a lower priority than the production traffic and is being dropped when network congestion occurs.

E. The NLB is experiencing warm-up delay because of sudden and significant increases in traffic.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking Specialty
Last Update: Dec 15, 2024
Questions: 240