PDF Only

Dumpspool PDF book

$49.00 Free Updates Upto 90 Days

  • ANS-C01 Dumps PDF
  • 290 Questions
  • Updated On December 12, 2025

PDF + Test Engine

Dumpspool PDF and Test Engine book

$69.00 Free Updates Upto 90 Days

  • ANS-C01 Question Answers
  • 290 Questions
  • Updated On December 12, 2025

Test Engine

Dumpspool Test Engine book

$59.00 Free Updates Upto 90 Days

  • ANS-C01 Practice Questions
  • 290 Questions
  • Updated On December 12, 2025

Check Our Free Amazon ANS-C01 Online Test Engine Demo.

How to pass Amazon ANS-C01 exam with the help of dumps?

DumpsPool provides you with the finest quality resources you’ve been looking for to no avail. So, it's high time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Amazon ANS-C01 Dumps to satisfy your need for training. Plus, they come in two different formats: Dumps PDF and Online Test Engine.

How Do I Know Amazon ANS-C01 Dumps are Worth it?

Did we mention our latest ANS-C01 Dumps PDF is also available as an Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payment, let us explore all the other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three months of free updates.

You can easily scroll through our large catalog of certification exams and pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Amazon Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus is that you understand the real exam format, so you can pass the exam in an easier way!

IT Students Are Using our Amazon AWS Certified Advanced Networking - Specialty Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Amazon AWS Certified Advanced Networking - Specialty Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through what you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim a refund if you do not pass the exam.

How to Get ANS-C01 Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the ANS-C01 exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and up to date as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making them the top authentic resource available on the internet. Our experts have made sure the Online Test Engine is free from outdated and fake content, repeated questions, and false or vague information. We make every penny count, and you leave our platform fully satisfied!

Amazon ANS-C01 Sample Question Answers

Question # 1

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group. In addition to the primary network interface, the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface. How can the network engineer implement the required architecture?

A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.
B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Question # 2

A company is planning to migrate an internal application to the AWS Cloud. The application will run on Amazon EC2 instances in one VPC. Users will access the application from the company's on-premises data center through AWS VPN or AWS Direct Connect. Users will use private domain names for the application endpoint from a domain name that is reserved explicitly for use in the AWS Cloud. Each EC2 instance must have automatic failover to another EC2 instance in the same AWS account and the same VPC. A network engineer must design a DNS solution that will not expose the application to the internet. Which solution will meet these requirements?

A. Assign public IP addresses to the EC2 instances. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the VPC. Create a Route 53 Resolver outbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the outbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the public IP addresses of the EC2 instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.
B. Place the EC2 instances in private subnets. Create an Amazon Route 53 public hosted zone for the AWS reserved domain name. Associate the public hosted zone with the VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the inbound endpoint IP address for Route 53 Resolver. In the public hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.
C. Place the EC2 instances in private subnets. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the inbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.
D. Place the EC2 instances in private subnets. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the inbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Set up Route 53 health checks on the private IP addresses of the EC2 instances.

Question # 3

A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application. Which solution will meet these requirements in the MOST operationally efficient way?

A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.
B. Add an inbound rule to the network ACLs that are associated with the ALB's subnets. Use the AWS managed prefix list for CloudFront as the source in the rule.
C. Configure CloudFront to add a custom HTTP header to the requests that CloudFront sends to the ALB.
D. Associate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allow traffic from the CloudFront IP set. Automatically update the CloudFront IP set by using an AWS Lambda function.

Question # 4

A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers. Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones. What should a network engineer do to meet these requirements?

A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.
C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.

Question # 5

A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides an internal RESTful API service that can be reached by URL (https://api.example.internal). Two on-premises Windows DNS servers provide internal DNS resolution. The application on the EC2 instance needs to call the internal API service that is deployed in the on-premises environment. When the application on the EC2 instance attempts to call the internal API service by referring to the hostname that is assigned to the service, the call fails. When a network engineer tests the API service call from the same EC2 instance by using the API service's IP address, the call is successful. What should the network engineer do to resolve this issue and prevent the same problem from affecting other resources in the VPC?

A. Create a new DHCP options set that specifies the on-premises Windows DNS servers. Associate the new DHCP options set with the existing VPC. Reboot the Amazon Linux 2 EC2 instance.
B. Create an Amazon Route 53 Resolver rule. Associate the rule with the VPC. Configure the rule to forward DNS queries to the on-premises Windows DNS servers if the domain name matches example.internal.
C. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPC. Map the service domain name (api.example.internal) to the IP address of the internal API service.
D. Modify the local /etc/resolv.conf file in the Amazon Linux 2 EC2 instance in the VPC. Change the IP addresses of the name servers in the file to the IP addresses of the company's on-premises Windows DNS servers.

Question # 6

A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application. A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups. Which solution will meet these requirements?

A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

Question # 7

A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer. Which architecture will meet these requirements MOST cost-effectively?

A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.

Question # 8

A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

A. Create the interface endpoint for Amazon SQS with the option for private DNS names turned on.
B. Create the interface endpoint for Amazon SQS with the option for private DNS names turned off.
C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Add necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.
D. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.com with previously created necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.
E. Access the SQS endpoint by using the public DNS name sqs.us-east-1.amazonaws.com in VPCs and on premises.
F. Access the SQS endpoint by using the private DNS name of the interface endpoint, sqs.us-east-1.vpce.amazonaws.com, in VPCs and on premises.

Question # 9

A company has two business units (BUs). The company operates in the us-east-1 Region and the us-west-1 Region. The company plans to extend to more Regions in the future. Each BU has a VPC in each Region. Each Region has a transit gateway with the BU VPCs attached. The transit gateways in both Regions are peered. The company will create several more BUs in the future and will need to isolate some of the BUs from the other BUs. The company wants to migrate to an architecture to incorporate more Regions and BUs. Which solution will meet these requirements with the MOST operational efficiency?

A. Create a new transit gateway for each new BU in each Region. Peer the new transit gateways with the existing transit gateways. Update the route tables to control traffic between BUs.
B. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Use segment actions to control traffic between segments.
C. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Configure the segments to isolate attachments to control traffic between segments.
D. Attach new VPCs to the existing transit gateways. Update route tables to control traffic between BUs.

Question # 10

A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the application with the least amount of latency. Which change should a network engineer make in the infrastructure to meet these requirements?

A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.
B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution’s origin.
C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator endpoint.
D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to the ALB.

Question # 11

A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce this latency?

A. Create a new Site-to-Site VPN connection. Set the transit gateway as the target gateway. Enable acceleration on the new Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.
B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway. Enable acceleration on the existing Site-to-Site VPN connection.
C. Create a new transit gateway in the eu-west-2 (London) Region. Peer the new transit gateway with the existing transit gateway. Modify the existing Site-to-Site VPN connection by setting the new transit gateway as the target gateway.
D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.

Question # 12

A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets. The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zones and EC2 instances. All connections from the same client session must be connected to the same EC2 instance. The company must provide end-to-end encryption for all connections between the clients and the application by using the application SSL certificate. Which solution will meet these requirements?

A. Create a Network Load Balancer. Create a target group. Set the protocol to TCP and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TCP and the port to 443 for the listener. Deploy SSL certificates to the EC2 instances.
B. Create an Application Load Balancer. Create a target group. Set the protocol to HTTP and the port to 80 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTPS listener. Set the default action to forward to the target group. Use AWS Certificate Manager (ACM) to create a certificate for the listener.
C. Create a Network Load Balancer. Create a target group. Set the protocol to TLS and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TLS and the port to 443 for the listener. Use AWS Certificate Manager (ACM) to create a certificate for the application.
D. Create an Application Load Balancer. Create a target group. Set the protocol to HTTPS and the port to 443 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTP listener. Set the port to 443 for the listener. Set the default action to forward to the target group.

Question # 13

A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue. What should the network engineer do to meet this requirement?

A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.

Question # 14

A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment. Which approach will meet these requirements with the LEAST maintenance overhead?

A. Set up an AWS Direct Connect connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs. Connect to the instances by using the Direct Connect connection.
B. Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC endpoints for Systems Manager Session Manager. Connect to the instances by using Session Manager.
C. Establish an AWS Site-to-Site VPN connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs. Connect to the instances by using the Site-to-Site VPN connection.
D. Deploy an appliance to the VPC where the instances are deployed. Assign a public IP address to the appliance. Configure security groups and ACLs. Connect to the instances by using the appliance as an intermediary.

Question # 15

A company has workloads that run in a VPC. The workloads access Amazon S3 by using an S3 gateway endpoint. The company also has on-premises workloads that need to access Amazon S3 privately over a VPN connection. The company has established the VPN connection to the VPC. Which solution will provide connectivity to Amazon S3 from the VPC workloads and the on-premises workloads in the MOST operationally efficient way?

A. Deploy a proxy fleet of Amazon EC2 instances in the VPC behind an Application Load Balancer (ALB). Configure the on-premises workloads to use the ALB as the proxy server to connect to Amazon S3. Configure the proxy fleet to use the S3 gateway endpoint to connect to Amazon S3.
B. Delete the S3 gateway endpoint. Create an S3 interface endpoint. Deploy a proxy fleet of Amazon EC2 instances in the VPC behind an Application Load Balancer (ALB). Configure the on-premises workloads to use the ALB as the proxy server to connect to Amazon S3. Configure the proxy fleet and the VPC workloads to use the S3 interface endpoint to connect to Amazon S3.
C. Create an S3 interface endpoint. Configure an on-premises DNS resolver to resolve the S3 DNS names to the private IP addresses of the S3 interface endpoint. Use the S3 interface endpoint to access Amazon S3. Continue to use the S3 gateway endpoint for the VPC workloads to access Amazon S3.
D. Set up an AWS Direct Connect connection. Create a public VIF. Configure on-premises routing to route the S3 traffic over the public VIF. Make no changes to the on-premises workloads. Continue to use the S3 gateway endpoint for the VPC workloads to access Amazon S3.

Question # 16

A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company’s on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:

  • Application VPCs must be isolated from each other.
  • Bidirectional communication must be allowed between the application VPCs and the on-premises network.
  • Bidirectional communication must be allowed between the application VPCs and the shared services VPC.

The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC. The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables. Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)

A. Configure a separate transit gateway route table for on premises. Associate the VPN attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
B. Configure a separate transit gateway route table for each application VPC. Associate each application VPC attachment with its respective transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
C. Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
D. Configure a separate transit gateway route table for the shared services VPC. Associate the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
E. Configure a separate transit gateway route table for on premises and the shared services VPC. Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

Question # 17

A company's VPC has Amazon EC2 instances that are communicating with AWS services over the public internet. The company needs to change the connectivity so that the communication does not occur over the public internet. The company deploys AWS PrivateLink endpoints in the VPC. After the deployment of the PrivateLink endpoints, the EC2 instances can no longer communicate at all with the required AWS services. Which combination of steps should a network engineer take to restore communication with the AWS services? (Select TWO.)

A. In the VPC route table, add a route that has the PrivateLink endpoints as the destination.
B. Ensure that the enableDnsSupport attribute is set to True for the VPC. Ensure that each VPC endpoint has DNS support enabled.
C. Ensure that the VPC endpoint policy allows communication.
D. Create an Amazon Route 53 public hosted zone for all services.
E. Create an Amazon Route 53 private hosted zone that includes a custom name for each service.

Question # 18

An insurance company is planning the migration of workloads from its on-premises datacenter to the AWS Cloud. The company requires end-to-end domain name resolution. BidirectionalDNS resolution between AWS and the existing on-premises environments mustbe established. The workloads will be migrated into multiple VPCs. The workloads alsohave dependencies on each other, and not all the workloads will be migrated at the sametime.Which solution meets these requirements?

A. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
B. Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
C. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and s

Question # 19

A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?

A. Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
B. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
D. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.

Question # 20

A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office. The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget. What should the network engineer do to meet these requirements MOST cost-effectively?

A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).
B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.
C. Deploy Amazon Workspaces into the application VPC. Instruct the remote employees to connect to Workspaces.
D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.

Question # 21

A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic. Which solution will meet these requirements?

A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during non-business hours.
C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.

Question # 22

A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway. The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center. In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet. Which set of steps should a network engineer take to meet these requirements?

A. 1. Create public subnets in the Tokyo VPC to migrate the workloads into. 2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC. 3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads. 4. Create peering connections between the Tokyo VPC and the Paris VPCs. 5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.
B. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
D. 1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway. 2. Create an association between the Paris transit gateway and the Tokyo VPC. 3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPCs.

Question # 23

A company has been using an outdated application layer protocol for communication among applications. The company decides not to use this protocol anymore and must migrate all applications to support a new protocol. The old protocol and the new protocol are TCP-based, but the protocols use different port numbers. After several months of work, the company has migrated dozens of applications that run on Amazon EC2 instances and in containers. The company believes that all the applications have been migrated, but the company wants to verify this belief. A network engineer needs to verify that no application is still using the old protocol. Which solution will meet these requirements without causing any downtime?

A. Use Amazon Inspector and its Network Reachability rules package. Wait until the analysis has finished running to find out which EC2 instances are still listening to the old port.
B. Enable Amazon GuardDuty. Use the graphical visualizations to filter for traffic that uses the port of the old protocol. Exclude all internet traffic to filter out occasions when the same port is used as an ephemeral port.
C. Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use Amazon Athena to query the data and to filter for the port number that is used by the old protocol.
D. Inspect all security groups that are assigned to the EC2 instances that host the applications. Remove the port of the old protocol if that port is in the list of allowed ports. Verify that the applications are operating properly after the port is removed from the security groups.

Question # 24

A company is developing an application in which IoT devices will report measurements to the AWS Cloud. The application will have millions of end users. The company observes that the IoT devices cannot support DNS resolution. The company needs to implement an Amazon EC2 Auto Scaling solution so that the IoT devices can connect to an application endpoint without using DNS. Which solution will meet these requirements MOST cost-effectively?

A. Use an Application Load Balancer (ALB)-type target group for a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set up the IoT devices to connect to the IP addresses of the NLB.
B. Use an AWS Global Accelerator accelerator with an Application Load Balancer (ALB) endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set up the IoT devices to connect to the IP addresses of the accelerator.
C. Use a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the NLB.
D. Use an AWS Global Accelerator accelerator with a Network Load Balancer (NLB) endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the accelerator.

Question # 25

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP addresses (10.1.0.0/24). A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of 10.1.0.0/24. What should the network engineer do next to meet the requirements?

A. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a public NAT gateway in each of the new subnets. Update the route tables that are associated with other subnets to route application traffic to the public NAT gateway in the corresponding Availability Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to send traffic destined for the application to the transit gateway.
B. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a private NAT gateway in each of the new subnets. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway in the corresponding Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT gateways to send traffic destined for the application to the transit gateway.
C. In the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the new subnet. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway. Add a route to the route table that is associated with the subnet of the private NAT gateway to send traffic destined for the application to the transit gateway.
D. In the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the new subnet. Update the route tables that are associated with other subnets to route application traffic to the public NAT gateway. Add a route to the route table that is associated with the subnet of the public NAT gateway to send traffic destined for the application to the transit gateway.

Question # 26

A company’s network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources. Which solution will meet these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.
D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.

Question # 27

A company has a total of 30 VPCs. Three AWS Regions each contain 10 VPCs. The company has attached the VPCs in each Region to a transit gateway in that Region. The company also has set up inter-Region peering connections between the transit gateways. The company wants to use AWS Direct Connect to provide access from its on-premises location for only four VPCs across the three Regions. The company has provisioned four Direct Connect connections at two Direct Connect locations. Which combination of steps will meet these requirements MOST cost-effectively? (Select THREE.)

A. Create four virtual private gateways. Attach the virtual private gateways to the four VPCs.
B. Create a Direct Connect gateway. Associate the four virtual private gateways with the Direct Connect gateway.
C. Create four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the Direct Connect gateway.
D. Create four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the four virtual private gateways.
E. Create four private VIFs on each Direct Connect connection to the Direct Connect gateway.
F. Create an association between the Direct Connect gateway and the transit gateways.

Question # 28

A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80. When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges. Which solution will meet these requirements in the MOST operationally efficient manner?

A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.
B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.
C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address range. Update the prefix list with the new IP address range when the company adds a new partner.
D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.

Question # 29

A company ran out of IP address space in one of the Availability Zones in an AWS Region that the company uses. The Availability Zone that is out of space is assigned the 10.10.1.0/24 CIDR block. The company manages its networking configurations in an AWS CloudFormation stack. The company's VPC is assigned the 10.10.0.0/16 CIDR block and has available capacity in the 10.10.1.0/22 CIDR block. How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?

A. Update the AWS::EC2::Subnet resource for the Availability Zone in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
B. Update the AWS::EC2::VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
C. Copy the CloudFormation stack. Set the AWS::EC2::VPC resource CidrBlock property to 10.10.0.0/16. Set the AWS::EC2::Subnet resource CidrBlock property to 10.10.1.0/22 for the Availability Zone.
D. Create a new AWS::EC2::Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0/24.

Question # 30

A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS Organizations through AWS Resource Access Manager (AWS RAM). A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization. The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

A. Deploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts to provision the necessary network infrastructure.
B. Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
C. Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
D. Deploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.
E. Create an AWSControlTowerBlueprintAccess role in the shared services account.
F. Create an AWSControlTowerBlueprintAccess role in each member account.

Question # 31

A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed. What should a network engineer do to meet these requirements with the LEAST amount of configuration?

A. Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
B. Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
C. Set up an AWS Client VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.
D. Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.

Question # 32

A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud. Which solution will meet these requirements while providing the HIGHEST throughput? 

A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.  
B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software. 
C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway. 
D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.

Question # 33

A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs. Which route table configurations on the transit gateway will meet these requirements? 

A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs. 
B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC. 
C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs. 

Question # 34

An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US). The company is targeting the western US for the expansion. The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for centralized security features such as proxies, firewalls, and logging. The company plans to duplicate the infrastructure from ap-southeast-2 to the us-west-1 Region. A network engineer must establish connectivity between the various applications in the two Regions. The solution must maximize bandwidth, minimize latency, and minimize operational overhead. Which solution will meet these requirements?

A. Create VPN attachments between the two transit gateways. Configure the VPN attachments to use BGP routing between the two transit gateways. 
B. Peer the transit gateways in each Region. Configure routing between the two transit gateways for each Region's IP addresses. 
C. Create a VPN server in a VPC in each Region. Update the routing to point to the VPN servers for the IP addresses in alternate Regions. 
D. Attach the VPCs in us-west-1 to the transit gateway in ap-southeast-2. 

Question # 35

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet. The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event. Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances. 
B. Set up AWS WAF on all network components. 
C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses. 
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud. 
E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection. 
F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Question # 36

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response. Which configuration change should a network engineer implement to resolve this issue?

A. Configure the NAT gateway timeout to allow connections for up to 600 seconds.  
B. Enable enhanced networking on the client EC2 instances.  
C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds. 
D. Close idle TCP connections through the NAT gateway.  

Question # 37

A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps. The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architecture and allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers. This traffic will increase over time. Which solution will meet these requirements?

A. Set up an AWS Direct Connect connection from each data center to AWS in each Region. Create and attach private VIFs to a single Direct Connect gateway. Attach the Direct Connect gateway to all the VPCs. Remove the existing VPN connections that are attached directly to the virtual private gateways. 
B. Create a single transit gateway with VPN connections from each data center. Share the transit gateway with each account by using AWS Resource Access Manager (AWS RAM). Attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways. 
C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transit gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.
D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC. Create new VPN connections from each data center to the transit VPCs. Terminate the original VPN connections that are attached to all the original VPCs. Retain the new VPN connection to the new transit VPC in each Region. 

Question # 38

A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway. The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failover data center only in the case of an outage. Which solution will meet these requirements? 

A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100. Set the BGP community tag for all prefixes from the failover data center to 7224:7300 
B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes from the failover data center to 7224:7100 
C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300. Set the BGP community tag for all prefixes from the failover data center to 7224:9100 
D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100. Set the BGP community tag for all prefixes from the failover data center to 7224:9300 

Question # 39

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future. Which solution will meet these requirements in the MOST secure manner?

A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway. 
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account. 
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs. 

Question # 40

A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications. Which solution will meet these requirements with the LEAST operational overhead?

A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.
B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs. 
D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs. 

Question # 41

A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1. The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency. How should the network engineer design the network architecture to meet these requirements?

A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF. 
B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways. 
C. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways. 
D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.

Question # 42

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC. Which solution will fix the connectivity failures with the LEAST amount of effort?

A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications. 
B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs. 
C. Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region. 
D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon. 

Question # 43

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB. 
B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront. 

Question # 44

A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application. Which solution will meet these requirements? 

A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS accounts. Update the route tables so that the AWS accounts can reach the GLB.
B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint service for the ALB. Share the VPC endpoint service with other AWS accounts.
C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB. 
D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.

Question # 45

A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection. What is the MOST scalable way to add VPCs with on-premises connectivity?

A. Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs. 
B. Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network. 
C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network. 
D. Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway. 

Question # 46

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements? 

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB. 
B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront. 

Question # 47

An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed. Which solution will meet these requirements? 

A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB's target group. 
B. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certificate. Set the Auto Scaling group as the distribution's origin. 
C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group. 
D. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group. 

Question # 48

A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route. The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost. Which solution will meet these requirements?

A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname. 
B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT gateway. Connect to Amazon S3 by using the NAT gateway. 
C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3.
D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname. 

Question # 49

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access? 

A. Inbound; Protocol tcp; Source [Instance’s EIP]; Destination 169.254.169.254 
B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80 
C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80 
D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443

Question # 50

A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads. A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time. How should the network engineer configure routing to meet these requirements? 

A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway. 
C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway. 
D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.

Question # 51

A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises over Direct Connect. What should a network engineer do to meet these requirements?

A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes. Configure a CloudWatch alarm to send notifications when routes change. 
B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes change.
C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change. 
D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes. Create a metric filter. Set an alarm on the filter to send notifications when routes change.

Question # 52

A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers. Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs33444567d.efs.us-east-1.amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems. Which combination of steps will meet these requirements? (Choose two.) 

A. Configure the BIND DNS servers in the central VPC to forward queries for efs.us-east-1.amazonaws.com to the Amazon provided DNS server (169.254.169.253).
B. Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution. 
C. Create an Amazon Route 53 Resolver inbound endpoint in the central VPC. Update all the VPC DHCP options sets to use the Route 53 Resolver inbound endpoint in the central VPC for name resolution.
D. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.
E. Create an Amazon Route 53 private hosted zone for the efs.us-east-1.amazonaws.com domain. Associate the private hosted zone with the VPC where the EC2 instance is deployed. Create an A record for fs-33444567d.efs.us-east-1.amazonaws.com in the private hosted zone. Configure the A record to return the mount target of the EFS mount point.

Question # 53

A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name. A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918. Components of the application need to be able to access other components of the application within the application's VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries. Which combination of steps will meet these requirements? (Choose three.)

A. Add a geoproximity routing policy in Route 53.  
B. Create a Route 53 private hosted zone for the same domain name. Associate the application's VPC with the new private hosted zone.
C. Enable DNS hostnames for the application's VPC.  
D. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses. 
E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs when AWS CloudTrail logs a Route 53 API call to the public hosted zone. Create an AWS Lambda function as the target of the rule. Configure the function to use the event information to update the private hosted zone.
F. Add the private IP addresses in the existing Route 53 public hosted zone.  

Question # 54

An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed. What connection option should the organization use to get up and running at minimal cost?

A. Use an internet connection. 
B. Set up an AWS VPN connection. 
C. Provision an AWS Direct Connect private virtual interface.
D. Provision a Direct Connect public virtual interface. 

Question # 55

A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website has static content such as images. The company is using Amazon S3 to store the content. The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpages. The company is using AWS Direct Connect with a public VIF for on-premises connectivity to the S3 bucket. A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing through a NAT gateway. As traffic increases, the company's costs are increasing. The network engineer needs to change the connectivity to reduce the NAT gateway costs that result from the traffic between the EC2 instances and Amazon S3. Which solution will meet these requirements?

A. Create a Direct Connect private VIF. Migrate the traffic from the public VIF to the private VIF. 
B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF. 
C. Implement interface VPC endpoints for Amazon S3. Update the VPC route table. 
D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table. 

Question # 56

A company operates its IT services through a multi-site hybrid infrastructure. The company deploys resources on AWS in the us-east-1 Region and in the eu-west-2 Region. The company also deploys resources in its own data centers that are located in the United States (US) and in the United Kingdom (UK). In both AWS Regions, the company uses a transit gateway to connect 15 VPCs to each other. The company has created a transit gateway peering connection between the two transit gateways. The VPC CIDR blocks do not overlap with each other or with IP addresses used within the data centers. The VPC CIDR prefixes can also be aggregated either on a Regional level or for the company's entire AWS environment. The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through Interior BGP (iBGP) sessions. The data centers maintain connectivity to AWS through one AWS Direct Connect connection in the US and one Direct Connect connection in the UK. Each Direct Connect connection is terminated on a Direct Connect gateway and is associated with a local transit gateway through a transit VIF. Traffic follows the shortest geographical path from source to destination. For example, packets from the UK data center that are targeted to resources in eu-west-2 travel across the local Direct Connect connection. In cases of cross-Region data transfers, such as from the UK data center to VPCs in us-east-1, the private WAN connection must be used to minimize costs on AWS. A network engineer has configured each transit gateway association on the Direct Connect gateway to advertise VPC-specific CIDR IP prefixes only from the local Region. The routes toward the other Region must be learned through BGP from the routers in the other data center in the original, non-aggregated form. The company recently experienced a problem with cross-Region data transfers because of issues with its private WAN connection. The network engineer needs to modify the routing setup to prevent similar interruptions in the future. The solution cannot modify the original traffic routing goal when the network is operating normally. Which modifications will meet these requirements? (Choose two.)

A. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add the company's entire AWS environment aggregate route to the list of subnets advertised through the local Direct Connect connection.
B. Add the CIDR prefixes from the other Region VPCs and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection. Configure data center routers to make routing decisions based on the BGP communities received. 
C. Add the aggregate IP prefix for the other Region and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection. 
D. Add the aggregate IP prefix for the company's entire AWS environment and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection. 
E. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add both Regional aggregate IP prefixes to the list of subnets advertised through the Direct Connect connection on both sides of the network. Configure data center routers to make routing decisions based on the BGP communities received. 

Question # 57

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. Which solution will meet these requirements? 

A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer. 
B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.
C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs. 

Question # 58

A network engineer needs to standardize a company's approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company's network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet. What should the network engineer do to meet these requirements?

A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account. 
B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account. 
C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account. 
D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account. 
