
ANS-C00 Online Practice Questions and Answers

Questions 4

You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

A. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other's security group-id in each region.

B. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.

C. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.

D. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other's security group-id in each region.

Questions 5

An organization with a growing e-commerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

A. Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.

B. Add multiple CloudHSM instances to the cluster; requests to it will automatically load balance.

C. Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.

D. Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.

Questions 6

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven't yet upgraded.

What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

A. Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS-based version.

B. Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.

C. Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.

D. Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host header-based routing to route traffic based on the application version.

Questions 7

Your company is connecting one data center with one router to several VPCs and needs to access them transitively. What should you do?

A. Create a VPN to one VPC and peer the others.

B. This is not possible.

C. Use a transit VPC with a VPN running on one or more EC2 instances to route traffic between the VPCs.

D. Just connect; VPCs are transitive in nature.

Questions 8

How many BGP advertised routes can you have per route table?

A. 50

B. 200

C. 100

D. As many as you want as long as you contact AWS first.

Questions 9

Which of these is not specified on an ENI?

A. A primary private IPv4 address

B. A source/destination check flag

C. A MAC address

D. An A record

Questions 10

In your current role as the corporate network architect, you have decided to replace your existing hardware firewall appliances with a pair of Juniper SRX-Series Services Gateways. You have chosen these because AWS lists them as supported devices for establishing IPsec connections. With this in mind, select the minimum set of options to ensure that you can establish IPsec connectivity between your on-premises private corporate network and your AWS-hosted VPC.

Select which option is NOT required.

A. Initiate network connections from somewhere within your corporate network; this is required to bring the tunnels up

B. Deploy a Customer Gateway within your corporate network

C. Deploy a Customer Gateway within your VPC

D. Deploy a Virtual Private Gateway within your VPC

Questions 11

You have several VPCs that are peered. Each VPC has several routes to different subnets. Over the years, your company has acquired many companies. You find that traffic destined for one VPC ends up going to another.

What is the best way to remedy this?

A. Move the route table entry for the proper VPC higher in the list.

B. Adjust your routes so the proper VPC has a higher CIDR.

C. Move the route table entry for the proper VPC lower in the list.

D. Adjust your routes so the proper VPC has a lower CIDR.

Questions 12

How many tunnels do you get with each VPN connection hosted by AWS?

A. 4

B. 1

C. 2

D. 8

Questions 13

A company has 20 AWS accounts and has hundreds of VPCs within those accounts. Each account has several security groups. Most of the security groups share a common set of CIDR range rules.

The company wants to simplify the management of these CIDR ranges that the security groups use. The company's network team does not have full access to all the accounts. The common CIDR ranges are 10.10.0.0/16, 10.8.0.0/16, and 192.168.128.0/24.

Which solution should a network engineer recommend to meet these requirements?

A. Use AWS CloudFormation and AWS CloudFormation StackSets to configure all the accounts and VPCs with the same security groups.

B. Use a CLI and a shell script to configure all the accounts and VPCs with the same security groups.

C. Use AWS CloudFormation to configure a VPC prefix list, and share the prefix list with all the accounts in AWS Resource Access Manager.

D. Use a CLI and a shell script to configure all the accounts and VPCs with the same network ACLs.

Exam Code: ANS-C00
Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C00)
Last Update: Oct 16, 2024
Questions: 414