  • ANS-C01 Dumps PDF
  • 110 Questions
  • Updated On March 16, 2024

PDF + Test Engine

$60.00 Free Updates Upto 90 Days

  • ANS-C01 Question Answers
  • 110 Questions
  • Updated On March 16, 2024

Test Engine

$50.00 Free Updates Upto 90 Days

  • ANS-C01 Practice Questions
  • 110 Questions
  • Updated On March 16, 2024
Check Our Free Amazon ANS-C01 Online Test Engine Demo.

How to pass Amazon ANS-C01 exam with the help of dumps?

DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest Amazon ANS-C01 Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.

How Do I Know Amazon ANS-C01 Dumps are Worth it?

Did we mention our latest ANS-C01 Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments, let us explore all the other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.

You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just Amazon Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!

IT Students Are Using our Amazon AWS Certified Advanced Networking - Specialty Dumps Worldwide!

It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using Amazon AWS Certified Advanced Networking - Specialty Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through what you are about to face and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.

How to Get ANS-C01 Real Exam Dumps?

Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the ANS-C01 exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals, making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!

Amazon ANS-C01 Sample Question Answers

Question # 1

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group. In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface. How can the network engineer implement the required architecture?

A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.
B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Question # 2

A company is planning to migrate an internal application to the AWS Cloud. The application will run on Amazon EC2 instances in one VPC. Users will access the application from the company's on-premises data center through AWS VPN or AWS Direct Connect. Users will use private domain names for the application endpoint from a domain name that is reserved explicitly for use in the AWS Cloud. Each EC2 instance must have automatic failover to another EC2 instance in the same AWS account and the same VPC. A network engineer must design a DNS solution that will not expose the application to the internet. Which solution will meet these requirements?

A. Assign public IP addresses to the EC2 instances. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the VPC. Create a Route 53 Resolver outbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the outbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the public IP addresses of the EC2 instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.
B. Place the EC2 instances in private subnets. Create an Amazon Route 53 public hosted zone for the AWS reserved domain name. Associate the public hosted zone with the VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the inbound endpoint IP address for Route 53 Resolver. In the public hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.
C. Place the EC2 instances in private subnets. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the inbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.
D. Place the EC2 instances in private subnets. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the inbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Set up Route 53 health checks on the private IP addresses of the EC2 instances.

Question # 3

A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application. Which solution will meet these requirements in the MOST operationally efficient way?

A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.
B. Add an inbound rule to the network ACLs that are associated with the ALB's subnets. Use the AWS managed prefix list for CloudFront as the source in the rule.
C. Configure CloudFront to add a custom HTTP header to the requests that CloudFront sends to the ALB.
D. Associate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allow traffic from the CloudFront IP set. Automatically update the CloudFront IP set by using an AWS Lambda function.

Question # 4

A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers. Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones. What should a network engineer do to meet these requirements?

A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.
C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.

Question # 5

A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides internal RESTful API service that can be reached by URL (https://api.example.internal). Two on-premises Windows DNS servers provide internal DNS resolution. The application on the EC2 instance needs to call the internal API service that is deployed in the on-premises environment. When the application on the EC2 instance attempts to call the internal API service by referring to the hostname that is assigned to the service, the call fails. When a network engineer tests the API service call from the same EC2 instance by using the API service's IP address, the call is successful. What should the network engineer do to resolve this issue and prevent the same problem from affecting other resources in the VPC?

A. Create a new DHCP options set that specifies the on-premises Windows DNS servers. Associate the new DHCP options set with the existing VPC. Reboot the Amazon Linux 2 EC2 instance.
B. Create an Amazon Route 53 Resolver rule. Associate the rule with the VPC. Configure the rule to forward DNS queries to the on-premises Windows DNS servers if the domain name matches example.internal.
C. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPC. Map the service domain name (api.example.internal) to the IP address of the internal API service.
D. Modify the local /etc/resolv.conf file in the Amazon Linux 2 EC2 instance in the VPC. Change the IP addresses of the name servers in the file to the IP addresses of the company's on-premises Windows DNS servers.

Question # 6

A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application. A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups. Which solution will meet these requirements?

A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

Question # 7

A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer. Which architecture will meet these requirements MOST cost-effectively?

A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.

Question # 8

A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

A. Create the interface endpoint for Amazon SQS with the option for private DNS names turned on.
B. Create the interface endpoint for Amazon SQS with the option for private DNS names turned off.
C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Add necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.
D. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.com with previously created necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.
E. Access the SQS endpoint by using the public DNS name sqs.us-east-1.amazonaws.com in VPCs and on premises.
F. Access the SQS endpoint by using the private DNS name of the interface endpoint.sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises.

Question # 9

A company has two business units (BUs). The company operates in the us-east-1 Region and the us-west-1 Region. The company plans to extend to more Regions in the future. Each BU has a VPC in each Region. Each Region has a transit gateway with the BU VPCs attached. The transit gateways in both Regions are peered. The company will create several more BUs in the future and will need to isolate some of the BUs from the other BUs. The company wants to migrate to an architecture to incorporate more Regions and BUs. Which solution will meet these requirements with the MOST operational efficiency?

A. Create a new transit gateway for each new BU in each Region. Peer the new transit gateways with the existing transit gateways. Update the route tables to control traffic between BUs.
B. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Use segment actions to control traffic between segments.
C. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Configure the segments to isolate attachments to control traffic between segments.
D. Attach new VPCs to the existing transit gateways. Update route tables to control traffic between BUs.

Question # 10

A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the application with the least amount of latency. Which change should a network engineer make in the infrastructure to meet these requirements?

A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.
B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution’s origin.
C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator endpoint.
D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to the ALB.

Question # 11

A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce this latency?

A. Create a new Site-to-Site VPN connection. Set the transit gateway as the target gateway. Enable acceleration on the new Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.
B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway. Enable acceleration on the existing Site-to-Site VPN connection.
C. Create a new transit gateway in the eu-west-2 (London) Region. Peer the new transit gateway with the existing transit gateway. Modify the existing Site-to-Site VPN connection by setting the new transit gateway as the target gateway.
D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.

Question # 12

A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets. The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zones and EC2 instances. All connections from the same client session must be connected to the same EC2 instance. The company must provide end-to-end encryption for all connections between the clients and the application by using the application SSL certificate. Which solution will meet these requirements?

A. Create a Network Load Balancer. Create a target group. Set the protocol to TCP and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TCP and the port to 443 for the listener. Deploy SSL certificates to the EC2 instances.
B. Create an Application Load Balancer. Create a target group. Set the protocol to HTTP and the port to 80 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTPS listener. Set the default action to forward to the target group. Use AWS Certificate Manager (ACM) to create a certificate for the listener.
C. Create a Network Load Balancer. Create a target group. Set the protocol to TLS and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TLS and the port to 443 for the listener. Use AWS Certificate Manager (ACM) to create a certificate for the application.
D. Create an Application Load Balancer. Create a target group. Set the protocol to HTTPS and the port to 443 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTP listener. Set the port to 443 for the listener. Set the default action to forward to the target group.

Question # 13

A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue. What should the network engineer do to meet this requirement?

A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.

Question # 14

A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment. Which approach will meet these requirements with the LEAST maintenance overhead?

A. Set up an AWS Direct Connect connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs. Connect to the instances by using the Direct Connect connection.
B. Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC endpoints for Systems Manager Session Manager. Connect to the instances by using Session Manager.
C. Establish an AWS Site-to-Site VPN connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs. Connect to the instances by using the Site-to-Site VPN connection.
D. Deploy an appliance to the VPC where the instances are deployed. Assign a public IP address to the appliance. Configure security groups and ACLs. Connect to the instances by using the appliance as an intermediary.

Question # 15

A company has workloads that run in a VPC. The workloads access Amazon S3 by using an S3 gateway endpoint. The company also has on-premises workloads that need to access Amazon S3 privately over a VPN connection. The company has established the VPN connection to the VPC. Which solution will provide connectivity to Amazon S3 from the VPC workloads and the on-premises workloads in the MOST operationally efficient way?

A. Deploy a proxy fleet of Amazon EC2 instances in the VPC behind an Application Load Balancer (ALB). Configure the on-premises workloads to use the ALB as the proxy server to connect to Amazon S3. Configure the proxy fleet to use the S3 gateway endpoint to connect to Amazon S3.
B. Delete the S3 gateway endpoint. Create an S3 interface endpoint. Deploy a proxy fleet of Amazon EC2 instances in the VPC behind an Application Load Balancer (ALB). Configure the on-premises workloads to use the ALB as the proxy server to connect to Amazon S3. Configure the proxy fleet and the VPC workloads to use the S3 interface endpoint to connect to Amazon S3.
C. Create an S3 interface endpoint. Configure an on-premises DNS resolver to resolve the S3 DNS names to the private IP addresses of the S3 interface endpoint. Use the S3 interface endpoint to access Amazon S3. Continue to use the S3 gateway endpoint for the VPC workloads to access Amazon S3.
D. Set up an AWS Direct Connect connection. Create a public VIF. Configure on-premises routing to route the S3 traffic over the public VIF. Make no changes to the on-premises workloads. Continue to use the S3 gateway endpoint for the VPC workloads to access Amazon S3.

Question # 16

A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company’s on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:

  • Application VPCs must be isolated from each other.
  • Bidirectional communication must be allowed between the application VPCs and the on-premises network.
  • Bidirectional communication must be allowed between the application VPCs and the shared services VPC.

The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC. The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables. Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)

A. Configure a separate transit gateway route table for on premises. Associate the VPN attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
B. Configure a separate transit gateway route table for each application VPC. Associate each application VPC attachment with its respective transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
C. Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
D. Configure a separate transit gateway route table for the shared services VPC. Associate the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
E. Configure a separate transit gateway route table for on premises and the shared services VPC. Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

Question # 17

A company's VPC has Amazon EC2 instances that are communicating with AWS services over the public internet. The company needs to change the connectivity so that the communication does not occur over the public internet. The company deploys AWS PrivateLink endpoints in the VPC. After the deployment of the PrivateLink endpoints, the EC2 instances can no longer communicate at all with the required AWS services. Which combination of steps should a network engineer take to restore communication with the AWS services? (Select TWO.)

A. In the VPC route table, add a route that has the PrivateLink endpoints as the destination.
B. Ensure that the enableDnsSupport attribute is set to True for the VPC. Ensure that each VPC endpoint has DNS support enabled.
C. Ensure that the VPC endpoint policy allows communication.
D. Create an Amazon Route 53 public hosted zone for all services.
E. Create an Amazon Route 53 private hosted zone that includes a custom name for each service.

Question # 18

An insurance company is planning the migration of workloads from its on-premises datacenter to the AWS Cloud. The company requires end-to-end domain name resolution. BidirectionalDNS resolution between AWS and the existing on-premises environments mustbe established. The workloads will be migrated into multiple VPCs. The workloads alsohave dependencies on each other, and not all the workloads will be migrated at the sametime.Which solution meets these requirements?

A. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
B. Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
C. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and s

Question # 19

A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?

A. Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
B. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
D. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.

Question # 20

A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office. The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget. What should the network engineer do to meet these requirements MOST cost-effectively?

A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).
B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.
C. Deploy Amazon WorkSpaces into the application VPC. Instruct the remote employees to connect to WorkSpaces.
D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.

Question # 21

A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic. Which solution will meet these requirements?

A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during non-business hours.
C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.

Question # 22

A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway. The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center. In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet. Which set of steps should a network engineer take to meet these requirements?

A. 1. Create public subnets in the Tokyo VPC to migrate the workloads into. 2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC. 3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads. 4. Create peering connections between the Tokyo VPC and the Paris VPCs. 5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.
B. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
D. 1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway. 2. Create an association between the Paris transit gateway and the Tokyo VPC. 3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPCs.