Free ANS-C00 Sample Questions — AWS Certified Advanced Networking - Specialty

Free ANS-C00 sample questions for the AWS Certified Advanced Networking - Specialty exam. No account required: study at your own pace.

Question 1

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users. What design will use the LEAST amount of IP space, while allowing for this growth?

  • A. Use two /29 subnets for an Application Load Balancer in different Availability Zones
  • B. Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth
  • C. Use two /28 subnets for a Network Load Balancer in different Availability Zones
  • D. Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth
Correct Answer:
C. Use two /28 subnets for a Network Load Balancer in different Availability Zones
Question 2

You have deployed a website that utilizes CloudFront, Elastic Load Balancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?

  • A. There is no rule in your bucket policy allowing public access
  • B. You have applied your SSL to your Elastic Load Balancer but not your CDN
  • C. Your S3 Bucket permissions are incorrect
  • D. You are using an SSL from an external CA
Correct Answer:
B. You have applied your SSL to your Elastic Load Balancer but not your CDN
Question 3

You have an application that is processing confidential data. The data is currently stored in your data center. You are moving workloads to AWS, and you need to ensure confidentiality and integrity of the data in transit to your VPC. Your company has an existing AWS Direct Connect connection. What combination of steps should you perform to set up the most cost-effective connection between your on-premises data center and AWS? (Choose three.)

  • A. Set up a VPC with a virtual private gateway
  • B. Set up a VPC with an Internet gateway
  • C. Configure a public virtual interface on your Direct Connect connection
  • D. Configure a private virtual interface to the virtual private gateway
  • E. Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC
  • F. Set up an IPsec tunnel between your customer gateway appliance and the virtual private gateway
Correct Answer:
  • A. Set up a VPC with a virtual private gateway
  • D. Configure a private virtual interface to the virtual private gateway
  • E. Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC
Question 4

A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization's security team, the VPN must meet the following requirements:

  • AES 128-bit encryption
  • SHA-1 hashing
  • User access via SSL VPN
  • PFS using DH Group 2
  • Ability to maintain/rotate keys and passwords
  • Certificate-based authentication

Which solution should you recommend so that the organization meets the requirements?

  • A. AWS hardware VPN between the virtual private gateway and customer gateway
  • B. third-party VPN solution deployed from AWS Marketplace
  • C. private MPLS solution from an international carrier
  • D. AWS hardware VPN between the virtual private gateways in each region
Correct Answer:
B. third-party VPN solution deployed from AWS Marketplace
Question 5

In AWS, which tool records API calls for a specific AWS account and also delivers the log files for that account?

  • A. CloudTrail
  • B. Redshift
  • C. Beanstalk
  • D. Cognito
Correct Answer:
A. CloudTrail
Question 6

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price. Which of the following connectivity options should you choose?

  • A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface
  • B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC
  • C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC
  • D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC
Correct Answer:
C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC
Question 7

A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3. Which configuration values is the network engineer required to provide? (Choose two.)

  • A. Connection speed
  • B. VLAN ID
  • C. IP prefixes to advertise
  • D. Direct Connect location
  • E. Virtual private gateway
Correct Answer:
  • B. VLAN ID
  • C. IP prefixes to advertise
Question 8

A company has applications running in a single AWS Region and its on-premises data center in a hybrid mode. The company has a 1 Gbps AWS Direct Connect connection from the data center to AWS that is 65% utilized. The company has an AWS Enterprise Support plan. The company is planning to deploy a new critical application on AWS that will connect with existing applications running in the data center. The application SLA requires a minimum of 99.9% network uptime between the data center and AWS. What is the MOST cost-effective way to meet this SLA requirement?

  • A. Create a second virtual interface (VIF) on the existing Direct Connect connection, and terminate this VIF in the existing VPC. Use BGP for load balancing between the VIFs in active/active mode
  • B. Purchase an additional 1 Gbps Direct Connect connection from AWS in a different cross-connect location terminated in the associated Region. Provision a new virtual interface (VIF) to the existing VPC, and use BGP for load balancing
  • C. Set up two new hosted Direct Connect connections of 500 Mbps each through an AWS Direct Connect partner. Provision two virtual interfaces (VIFs) to the existing VPC on both Direct Connect connections, and use BGP for load balancing. Terminate the existing 1 Gbps Direct Connect connection
  • D. Purchase an additional 1 Gbps Direct Connect connection from AWS in the existing cross-connect location. Ask AWS to terminate this new connection in a different router. Provision two virtual interfaces (VIFs) to the same VPC on both Direct Connect connections, and use BGP for load balancing
Correct Answer:
B. Purchase an additional 1 Gbps Direct Connect connection from AWS in a different cross-connect location terminated in the associated Region. Provision a new virtual interface (VIF) to the existing VPC, and use BGP for load balancing
Question 9

After setting up an AWS Direct Connect connection, which of the following cannot be done with an AWS Direct Connect virtual interface?

  • A. You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection
  • B. You can change the region of your virtual interface
  • C. You can create a hosted virtual interface
  • D. You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface
Correct Answer:
B. You can change the region of your virtual interface
Question 10

You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?

  • A. Site A: VPN 10.0.1.0/24 AS 65000 65000
  • B. Site B: VPN 10.0.1.252/30 AS 65000 65000 65000
  • C. Site C: DX 10.0.0.0/8 AS 65000
  • D. Site D: DX 10.0.0.0/16
Correct Answer:
B. Site B: VPN 10.0.1.252/30 AS 65000 65000 65000
Question 11

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC. Which solution will fix the connectivity failures with the LEAST amount of effort?

  • A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications
  • B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs
  • C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region
  • D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon S3
Correct Answer:
C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region
Question 12

To allow all traffic to access an instance in "Subnet 1" that uses "Security Group 1", what two options need to be configured? (Choose two.)

  • A. NACL rule allowing 0.0.0.0/0 to access "Subnet 1"
  • B. Security Group rule in "Security Group 1" that allows 0.0.0.0/0 inbound
  • C. Security Group rule in "Security Group 1" that allows outbound traffic to 0.0.0.0/0
  • D. NACL rule allowing 0.0.0.0/0 to access "Security Group 1"
Correct Answer:
  • A. NACL rule allowing 0.0.0.0/0 to access "Subnet 1"
  • B. Security Group rule in "Security Group 1" that allows 0.0.0.0/0 inbound
Question 13

Your Amazon Kinesis application receives data streams from thousands of devices. The data is then stored in an on-premises Hadoop cluster. You are concerned about historical data that shows periods of sustained traffic between 1 Gbps and 2 Gbps during peaks. You must ensure that you have secure, fault-tolerant connectivity between Amazon Kinesis and your data center. What should you implement to address these needs?

  • A. Deploy a single 1-Gbps Direct Connect connection with a VPN backup
  • B. Deploy three 1-Gbps Direct Connect connections
  • C. Deploy two 1-Gbps Direct Connect connections
  • D. Set up an IPsec VPN connection over Direct Connect with two tunnels
Correct Answer:
D. Set up an IPsec VPN connection over Direct Connect with two tunnels
Question 14

A network architect is designing a website. It has web, application, and database tiers that will run in AWS. The website uses Amazon DynamoDB. Which architecture will minimize public exposure of the backend instances?

  • A. VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB
  • B. VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint
  • C. VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB
  • D. VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint
Correct Answer:
B. VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint
Question 15

You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC. Which action is required to support a successful Amazon EMR cluster launch?

  • A. Add a conditional forwarder to the Amazon-provided DNS server
  • B. Enable seamless domain join for the Amazon EMR cluster
  • C. Launch an AD connector for the internal domain
  • D. Configure an Amazon Route 53 private zone for the EMR cluster
Correct Answer:
A. Add a conditional forwarder to the Amazon-provided DNS server
Question 16

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum. Which design should be recommended?

  • A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link
  • B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs
  • C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC
  • D. Create a total of four private VIFs, and enable VPC peering between all VPCs
Correct Answer:
D. Create a total of four private VIFs, and enable VPC peering between all VPCs
Question 18

Your website is under attack and a malicious party is stealing large amounts of data. You have default NACL rules. Stopping the attack is the ONLY priority in this case. Which two commands should you use? (Choose two.)

  • A. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 32768
  • B. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --egress --rule-number 100
  • C. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100
  • D. aws ec2 create-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100 --protocol -1 --port-range From=-1,To=-1 --cidr-block 0.0.0.0/0 --rule-action deny
Correct Answer:
  • B. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --egress --rule-number 100
  • C. aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100
Question 19

A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company's on-premises router for this Direct Connect connection. Which of the following actions will require the LEAST amount of configuration overhead on the customer router?

  • A. Configure private virtual interfaces for the VPC resources and for Amazon S3
  • B. Configure private virtual interfaces for the VPC resources and a public virtual interface for Amazon S3
  • C. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and for Amazon S3
  • D. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and a public virtual interface for Amazon S3
Correct Answer:
D. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and a public virtual interface for Amazon S3
Question 20

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

  • A. Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254
  • B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
  • C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
  • D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443
Correct Answer:
C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
