
AWS Certified Advanced Networking – Specialty ANS-C01 Exam Questions and Answers – 2

The latest AWS Certified Advanced Networking – Specialty ANS-C01 practice exam questions and answers (Q&A) are available free of charge, to help you pass the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty ANS-C01 certification.

Question 101

Exam Question

A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides internal RESTful API service that can be reached by URL (https://api.example.internal). Two on-premises Windows DNS servers provide internal DNS resolution.

The application on the EC2 instance needs to call the internal API service that is deployed in the on-premises environment. When the application on the EC2 instance attempts to call the internal API service by referring to the hostname that is assigned to the service, the call fails. When a network engineer tests the API service call from the same EC2 instance by using the API service’s IP address, the call is successful.

What should the network engineer do to resolve this issue and prevent the same problem from affecting other resources in the VPC?

A. Create a new DHCP options set that specifies the on-premises Windows DNS servers. Associate the new DHCP options set with the existing VPC. Reboot the Amazon Linux 2 EC2 instance.

B. Create an Amazon Route 53 Resolver rule. Associate the rule with the VPC. Configure the rule to forward DNS queries to the on-premises Windows DNS servers if the domain name matches example.internal.

C. Modify the local hosts file in the Amazon Linux 2 EC2 instance in the VPC. Map the service domain name (api.example.internal) to the IP address of the internal API service.

D. Modify the local /etc/resolv.conf file in the Amazon Linux 2 EC2 instance in the VPC. Change the IP addresses of the name servers in the file to the IP addresses of the company’s on-premises Windows DNS servers.

Correct Answer

B. Create an Amazon Route 53 Resolver rule. Associate the rule with the VPC. Configure the rule to forward DNS queries to the on-premises Windows DNS servers if the domain name matches example.internal.

Explanation

Creating an Amazon Route 53 Resolver rule and associating it with the VPC enables forwarding of DNS queries for a specified domain name (example.internal) to specified IP addresses (the on-premises Windows DNS servers). This allows EC2 instances in the VPC to resolve the internal API service by its hostname. Configuring the rule to forward DNS queries only when the domain name matches example.internal also lets EC2 instances keep using the Amazon Route 53 Resolver for all other DNS queries, such as those for AWS services through private VPC endpoints.

Question 102

Exam Question

A company has multiple VPCs in the us-east-1 Region. The company has deployed a website in one of the VPCs.

The company wants to implement split-view DNS so that the website is accessible internally from the VPCs and externally over the internet with the same domain name, example.com.

Which solution will meet these requirements?

A. Change the DHCP options for each VPC to use the IP address of an on-premises DNS server. Create a private hosted zone and a public hosted zone for example.com. Map the private hosted zone to the website’s internal IP address. Map the public hosted zone to the website’s external IP address.

B. Create Amazon Route 53 private hosted zones and public hosted zones that have the same name, example.com. Associate the VPCs with the private hosted zone. Create records in each hosted zone that determine how traffic is routed.

C. Create an Amazon Route 53 Resolver inbound endpoint for resolving example.com internally. Create a Route 53 public hosted zone for routing external DNS queries.

D. Create an Amazon Route 53 Resolver outbound endpoint for resolving example.com externally. Create a Route 53 private hosted zone for routing internal DNS queries.

Correct Answer

B. Create Amazon Route 53 private hosted zones and public hosted zones that have the same name, example.com. Associate the VPCs with the private hosted zone. Create records in each hosted zone that determine how traffic is routed.

Question 103

Exam Question

A company needs to establish network connectivity between its Amazon VPCs and on-premises network using multiple AWS Site-to-Site VPN connections that are associated with a Transit Gateway. The Network Engineer has been assigned to increase the traffic bandwidth over multiple paths and get a higher VPN bandwidth beyond the default 1.25 Gbps limit.

Currently, the Site-to-Site VPN connections only support IPv4 traffic. There’s a new requirement to update these VPN connections to allow IPv6 communication between the company’s AWS resources and on-premises servers.

Which combination of steps below provides the most operationally efficient solution to satisfy the requirement? (Select TWO.)

A. Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center. Launch a multicast domain on the Transit Gateway to further improve the bandwidth.

B. Launch a new set of Site-to-Site VPN connections with IPv6 traffic enabled and replace the existing ones.

C. Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway.

D. Use Jumbo Frames by setting the MTU to 9001 and implement Q-in-Q Tunnels by adding a second 802.1Q tag to an already tagged frame.

E. Modify all the existing Site-to-Site VPN connections to enable IPv6 support. Move all the VPN connections from the Transit Gateway to a Virtual Private Gateway.

Correct Answer

A. Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center. Launch a multicast domain on the Transit Gateway to further improve the bandwidth.

C. Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway.

Explanation

AWS Site-to-Site VPN offers customizable tunnel options, including inside tunnel IP address, pre-shared key, and Border Gateway Protocol Autonomous System Number (BGP ASN). In this way, you can set up multiple secure VPN tunnels to increase the bandwidth for your applications or for resiliency in case of downtime.

Equal-cost multi-path routing (ECMP) is available with AWS Site-to-Site VPN on AWS Transit Gateway to help increase the traffic bandwidth over multiple paths. You can use ECMP to get higher VPN bandwidth than the default VPN bandwidth limit of 1.25 Gbps by aggregating multiple VPN connections.

You have to confirm that your customer gateway is configured to perform ECMP for traffic going out to AWS for all VPN tunnels. If necessary, configure your customer gateway BGP to accept the route from AWS so that the customer gateway installs all the routes with the same metric. You will also have to verify that your customer gateway is advertising the on-premises prefix to AWS with the same BGP AS PATH attribute. For AWS to choose all the available ECMP paths, the AS Path and AS Number must match.

Your Site-to-Site VPN connection on a transit gateway can support either IPv4 traffic or IPv6 traffic inside the VPN tunnels. By default, a Site-to-Site VPN connection supports IPv4 traffic inside the VPN tunnels. You can configure a new Site-to-Site VPN connection to support IPv6 traffic inside the VPN tunnels. Then, if your VPC and your on-premises network are configured for IPv6 addressing, you can send IPv6 traffic over the VPN connection.

If you enable IPv6 for the VPN tunnels for your Site-to-Site VPN connection, each tunnel has two CIDR blocks. One is a size /30 IPv4 CIDR block, and the other is a size /126 IPv6 CIDR block.

The following rules apply:

  • IPv6 addresses are only supported for the inside IP addresses of the VPN tunnels. The outside tunnel IP addresses for the AWS endpoints are IPv4 addresses, and the public IP address of your customer gateway must be an IPv4 address.
  • Site-to-Site VPN connections on a virtual private gateway do not support IPv6.
  • You cannot enable IPv6 support for an existing Site-to-Site VPN connection.
  • A Site-to-Site VPN connection cannot support both IPv4 and IPv6 traffic.

For ECMP to function properly, Dynamic VPN and VPN ECMP Support must be enabled on the transit gateway. The VPN ECMP Support option can only be enabled or disabled when you create a transit gateway.

Hence, the correct answers are:

  • Launch a new set of Site-to-Site VPN connections with IPv6 traffic enabled and replace the existing ones.
  • Set up Equal-Cost Multi-Path (ECMP) routing. Ensure that VPN ECMP Support and Dynamic VPN options are enabled in the Transit Gateway.

The option that says: Set up a private Multiprotocol Label Switching (MPLS) network in your on-premises data center. Launch a multicast domain on the Transit Gateway to further improve the bandwidth is incorrect because MPLS neither increases the traffic bandwidth of the VPN connection over multiple paths nor provides a higher VPN bandwidth beyond the default 1.25 Gbps limit. In the MPLS forwarding paradigm, once a packet is assigned to an FEC (Forwarding Equivalence Class), no further header analysis is done by subsequent routers; all forwarding is driven by the labels. This is the advantage of MPLS over conventional network-layer forwarding, but it has no effect on connection bandwidth. Moreover, launching a multicast domain on the Transit Gateway will not improve the bandwidth of your VPN connections.

The option that says: Use Jumbo Frames by setting the MTU to 9001 and implement Q-in-Q Tunnels by adding a second 802.1Q tag to an already tagged frame is incorrect because AWS Managed VPN doesn’t support jumbo frames. If the same route is advertised over DX and AWS Managed VPN, then 1500 MTU is used. A Q-in-Q Tunnel simply enables a service provider to segregate the traffic of different customers in their infrastructure while still giving the customer a full range of VLANs for their internal use.

The option that says: Modify all the existing Site-to-Site VPN connections to enable IPv6 support. Move all the VPN connections from the Transit Gateway to a Virtual Private Gateway is incorrect. Firstly, you cannot modify an existing IPv4 Site-to-Site VPN connection to support IPv6. You have to launch a new Site-to-Site VPN that supports IPv6, which also implicitly allows IPv4 communication. In addition, IPv6 is not supported on a Virtual Private Gateway.
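The ECMP condition stated in the explanation above (the transit gateway only spreads traffic across tunnels whose routes carry the same AS_PATH and AS number) is easy to get wrong when a customer gateway prepends on one tunnel but not another. The following is an added example, not AWS code or part of the original page: it models that eligibility check over a constructed set of BGP advertisements, with the tunnel names, prefixes and AS numbers all made up for illustration, and estimates the aggregate bandwidth from the 1.25 Gbps per-VPN figure quoted above.

```python
"""ECMP eligibility check for Site-to-Site VPN routes on a transit gateway.

Added example, not AWS code. It models the condition the explanation gives
for Equal-Cost Multi-Path: the transit gateway spreads traffic for a prefix
across all tunnels that advertise it with the same AS_PATH (same on-premises
AS number, no extra prepending on some tunnels only). Tunnel names, prefixes
and AS numbers below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

PER_TUNNEL_GBPS = 1.25   # per-VPN bandwidth figure quoted in the explanation


@dataclass(frozen=True)
class Advertisement:
    tunnel: str               # e.g. "vpn1-tunnel1"
    prefix: str               # on-premises prefix advertised to AWS
    as_path: Tuple[int, ...]  # AS_PATH as received by the transit gateway


def ecmp_groups(adverts: Sequence[Advertisement]) -> Dict[str, Tuple[List[str], List[Tuple[str, str]]]]:
    """For each prefix, return (tunnels in the ECMP set, [(tunnel, reason) excluded])."""
    by_prefix: Dict[str, List[Advertisement]] = defaultdict(list)
    for a in adverts:
        by_prefix[a.prefix].append(a)
    result = {}
    for prefix, ads in by_prefix.items():
        # BGP best path: the shortest AS_PATH wins; routes with the identical
        # AS_PATH tie with it and form the ECMP set.
        best = min(ads, key=lambda a: len(a.as_path))
        ecmp, excluded = [], []
        for a in ads:
            if a.as_path == best.as_path:
                ecmp.append(a.tunnel)
            else:
                excluded.append((a.tunnel, f"AS_PATH {a.as_path} != best {best.as_path}"))
        result[prefix] = (sorted(ecmp), sorted(excluded))
    return result


def aggregate_bandwidth_gbps(paths: int) -> float:
    """Approximate aggregate bandwidth: each ECMP path contributes one tunnel's limit."""
    return PER_TUNNEL_GBPS * paths


# Constructed: two VPN connections, two tunnels each, on-premises AS 65000.
SAMPLE = (
    Advertisement("vpn1-tunnel1", "10.10.0.0/16", (65000,)),
    Advertisement("vpn1-tunnel2", "10.10.0.0/16", (65000,)),
    Advertisement("vpn2-tunnel1", "10.10.0.0/16", (65000,)),
    # Misconfigured tunnel: the customer gateway prepends on this tunnel only.
    Advertisement("vpn2-tunnel2", "10.10.0.0/16", (65000, 65000, 65000)),
    # A prefix advertised on one tunnel only: no multipath possible.
    Advertisement("vpn1-tunnel1", "10.20.0.0/16", (65000,)),
)

if __name__ == "__main__":
    for prefix, (ecmp, excluded) in ecmp_groups(SAMPLE).items():
        print(f"{prefix}: ECMP over {ecmp} ~ {aggregate_bandwidth_gbps(len(ecmp))} Gbps")
        for tunnel, reason in excluded:
            print(f"  excluded {tunnel}: {reason}")
```

Running the script shows 10.10.0.0/16 load-shared over three tunnels (about 3.75 Gbps) with the prepended tunnel left out, which is exactly the symptom to look for when an ECMP deployment delivers less bandwidth than the number of tunnels suggests.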

Question 104

Exam Question

An ecommerce company has a business-critical application that runs on Amazon EC2 instances in a VPC.

The company’s development team has been testing a new version of the application on test EC2 instances.

The development team wants to test the new application version against production traffic to address any problems that might occur before the company releases the new version across all servers.

Which solution will meet this requirement with no impact on the end user’s experience?

A. Configure Amazon Route 53 weighted routing policies by configuring records that have the same name and type as each of the instances. Assign relative weights to the production instances and the test instances.

B. Create an Application Load Balancer with weighted target groups. Add more than one target group to the forward action of a listener rule. Specify a weight for each target group.

C. Implement Traffic Mirroring to replay the production requests to the test instances. Configure the source as the production instances. Configure the target as the test instances.

D. Configure an NGINX proxy in front of the production servers. Use the NGINX mirroring capability.

Correct Answer

C. Implement Traffic Mirroring to replay the production requests to the test instances. Configure the source as the production instances. Configure the target as the test instances.

Question 105

Exam Question

A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone for aws.example.com to host the VPC resources. The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. The company’s on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in the VPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the on-premises data center. The company has decided to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints.

Which combination of steps should a network engineer take to make this replacement? (Choose three.)

A. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the outbound endpoint.

B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.

C. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.

D. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.

E. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.

F. Configure the on-premises DNS resolver to forward aws.example.com queries to the IP addresses of the outbound endpoint.

Correct Answer

B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.

C. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.

E. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.

Explanation

To replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints in a hybrid architecture where on-premises applications need to communicate with applications running in a VPC, a network engineer should take the following steps:

  • Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint. (Option C)
  • Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint. (Option B)
  • Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver. (Option E)

These steps allow a seamless replacement of the open-source recursive DNS resolver with Route 53 Resolver endpoints and keep communication between on-premises and VPC applications working.
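Both Question 101 (forward example.internal to the on-premises Windows DNS servers) and Question 105 (forward corp.example.com to the on-premises resolver while aws.example.com stays in a private hosted zone) rest on the same Resolver behaviour: a forwarding rule covers its domain and every name under it, the most specific matching rule wins, and anything that matches no rule is answered by the Amazon-provided resolver. The following is an added example, not AWS code or part of the original page: it models that rule selection in plain Python. The on-premises resolver addresses are made up, and the broad example.com forward plus the aws.example.com SYSTEM rule go beyond the questions to show how a SYSTEM rule pins a private hosted zone to the Amazon resolver even under a broader forwarding rule.

```python
"""Route 53 Resolver forwarding-rule selection, modelled in plain Python.

Added example, not AWS code. It reproduces the rule semantics the page relies
on: a forwarding rule matches its own domain and everything beneath it, the
most specific matching rule wins, a SYSTEM rule hands the name back to the
Amazon-provided resolver, and names that match no rule are resolved by the
Amazon-provided resolver (private hosted zones, VPC endpoints, public names).
All IP addresses and the extra example.com / aws.example.com rules are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

AMAZON_RESOLVER = "amazon-provided-resolver"


@dataclass(frozen=True)
class ResolverRule:
    domain: str                     # rule domain, e.g. "corp.example.com"
    rule_type: str                  # "FORWARD" or "SYSTEM"
    targets: Tuple[str, ...] = ()   # target resolver IPs for FORWARD rules


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def rule_matches(rule_domain: str, qname: str) -> bool:
    """True if qname is rule_domain or a name under it (whole-label suffix match)."""
    rd, qn = _labels(rule_domain), _labels(qname)
    return len(qn) >= len(rd) and qn[-len(rd):] == rd


def select_rule(rules: Sequence[ResolverRule], qname: str) -> Optional[ResolverRule]:
    """Pick the most specific matching rule (most labels), or None if nothing matches."""
    candidates = [r for r in rules if rule_matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def resolve_path(rules: Sequence[ResolverRule], qname: str) -> str:
    """Describe where a query for qname is sent."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return AMAZON_RESOLVER
    return "forward:" + ",".join(rule.targets)


# Constructed rule set (on-premises resolver addresses are made up):
RULES = (
    # Question 101: forward example.internal to the two on-premises Windows DNS servers
    ResolverRule("example.internal", "FORWARD", ("192.168.10.10", "192.168.10.11")),
    # Question 105: forward corp.example.com to the on-premises resolver
    ResolverRule("corp.example.com", "FORWARD", ("192.168.10.10",)),
    # Beyond the questions: a broad example.com forward plus a SYSTEM rule that keeps
    # aws.example.com (a private hosted zone) on the Amazon-provided resolver
    ResolverRule("example.com", "FORWARD", ("192.168.10.10",)),
    ResolverRule("aws.example.com", "SYSTEM"),
)

QUERIES = (
    "api.example.internal",
    "db.corp.example.com",
    "web.aws.example.com",
    "secretsmanager.us-east-1.amazonaws.com",   # VPC endpoint name: no rule, stays on Amazon resolver
    "notexample.internal",                      # must NOT match example.internal
)

if __name__ == "__main__":
    for q in QUERIES:
        print(f"{q:45} -> {resolve_path(RULES, q)}")
```

The whole-label suffix match matters: a rule for example.internal must not capture notexample.internal, and a plain string `endswith` check would. The query for the Secrets Manager endpoint matching no rule is what keeps the private VPC endpoint in Question 101 working after the forwarding rule is added.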

Question 106

Exam Question

A company is designing infrastructure on AWS with three VPCs connected to a transit gateway. The three VPCs are an application VPC, a backend VPC, and an inspection VPC.

The application VPC and the backend VPC have compute instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls are deployed in the same Availability Zones in the inspection VPC, which is a shared services VPC.

All traffic is routed through the inspection VPC through the stateful layer 7 virtual firewall appliances to comply with a security policy that mandates traffic inspection. There are no overlapping IP addresses across the three VPCs.

A network engineer must ensure that traffic between the application VPC and the backend VPC can route through the inspection VPC’s stateful firewalls.

Which solution will meet these requirements?

A. Create IPsec VPN connections between the transit gateway and the virtual firewall appliances.

B. Configure Virtual Router Redundancy Protocol (VRRP) on the virtual firewall appliances.

C. Set up BGP between the transit gateway and the virtual firewall appliances.

D. Enable transit gateway appliance mode for the VPC attachment to the inspection VPC.

Correct Answer

D. Enable transit gateway appliance mode for the VPC attachment to the inspection VPC.

Question 107

Exam Question

Consider a scenario where an EC2 instance in a private subnet reaches out to the internet via a NAT gateway in a public subnet. The EC2 instance sends a 1 GB file to one of the Amazon Simple Storage Service (Amazon S3) buckets via the NAT gateway. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS region. The NAT gateway and EC2 instance are in the same Availability Zone.

Which costs should be included when the total cost of this file transfer is calculated?

A. NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

B. NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket

C. NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

D. NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

Correct Answer

C. NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

Explanation

Correct option:

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

NAT Gateway is charged on an hourly basis. Hence, NAT Gateway hourly charges should be included in the total cost. 1 GB of data was transferred via the NAT gateway, hence NAT Gateway data processing charges will apply to this transaction.

Incorrect options:

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to the S3 bucket

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to the S3 bucket + The data transfer charges for 1 GB of data between the NAT gateway and the EC2 instance

NAT Gateway Hourly Charge and NAT Gateway Data Processing Charges will apply. 1 GB of data was transferred from the EC2 instance to S3 via the NAT gateway. There is no charge for the data transfer from the EC2 instance to S3, because data transfer out from Amazon EC2 to S3 within the same Region is free.

Therefore, both these options are incorrect.

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + The data transfer charges for 1 GB of data between the NAT gateway and the EC2 instance – There is no charge for the data transfer between the NAT gateway and the EC2 instance since the traffic stays in the same Availability Zone using private IP addresses. There will be data transfer charges between your NAT gateway and EC2 instance if they are in different Availability Zones. So this option is incorrect.

NAT Gateway pricing example (figure not reproduced here).

Reference: Amazon VPC pricing (AWS: Products > Networking & Content Delivery > Amazon VPC > Amazon VPC pricing).

Question 108

Exam Question

A company is migrating many applications from two on-premises data centers to AWS. The company’s network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2.

The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs. The Direct Connect gateway is associated with transit gateways that are deployed in each Region.

All traffic to and from AWS must travel through the first data center. In the event of failure, the second data center must take over the traffic.

How should the network team configure BGP to meet these requirements?

A. Configure the local preference BGP community tag 7224:7300 for the transit VIF connected to Direct Connect connection 2.

B. Configure the local preference BGP community tag 7224:9300 for the transit VIF connected to Direct Connect connection 2.

C. Use the AS_PATH attribute to prepend the additional hop for the transit VIF connected to Direct Connect connection 2.

D. Use the AS_PATH attribute to prepend the additional hop for the transit VIF connected to Direct Connect connection 1.

Correct Answer

A. Configure the local preference BGP community tag 7224:7300 for the transit VIF connected to Direct Connect connection 2.

Question 109

Exam Question

For the safety of critical applications, the networking team at a company has implemented a host-based firewall on all of the Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. A new requirement needs the instance metadata.

Which firewall rule should be added to the instances to allow instance metadata access?

A. Inbound; Protocol TCP; Destination 169.254.169.254; Destination port 80

B. Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80

C. Inbound; Protocol UDP; Destination 169.254.169.254; Destination port 443

D. Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 443

Correct Answer

B. Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80

Explanation

Correct option:

Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80 – Because your instance metadata is available from your running instance, you do not need to use the Amazon EC2 console or the AWS CLI. This can be helpful when you’re writing scripts to run from your instance. For example, you can access the local IP address of your instance from instance metadata to manage a connection to an external application.

To view all categories of instance metadata from within a running instance, use the following: http://169.254.169.254/latest/meta-data/

Port 80 is the well-known TCP port for HTTP. Any web/HTTP client, such as a web browser, uses port 80 to send requests to and receive pages from an HTTP server.

The metadata request originates from the EC2 instance, so from the host firewall’s point of view it is outbound traffic. Hence, an outbound rule for TCP port 80 to the destination 169.254.169.254 should be allowed.

Incorrect options:

Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 443 – Port 443, a web browsing port, is primarily used for HTTPS services. Instance metadata is served on HTTP, which is port 80.

Inbound; Protocol UDP; Destination 169.254.169.254; Destination port 443 – Inbound traffic for the firewall will be the traffic coming to the EC2 instance and not the data going from the instance.

Therefore, this option is incorrect.

Inbound; Protocol TCP; Destination 169.254.169.254; Destination port 80 – Inbound traffic for the firewall will be the traffic coming to the EC2 instance and not the data going from the instance.

Therefore, this option is incorrect.
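The distinction the explanation above draws is about the direction the host firewall sees: the instance opens the connection, so the allow rule has to be an egress rule, and a rule for the right address on the wrong port or direction does nothing. The following is an added example, not AWS code or part of the original page: it parses the four candidate rules exactly as they are written in the question and evaluates them against the metadata flow under a default-deny policy. The `Flow` model and the parser are constructed for illustration.

```python
"""Evaluate host-firewall rules, written in the option format above, against the
instance-metadata flow.

Added example, not AWS code. A default-deny egress host firewall only passes a
flow that some allow rule matches, so the check here is: which of the four
candidate rules matches a TCP connection the instance opens to
169.254.169.254 on port 80? The rule text is taken from the question; the
Flow model and the parser are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence

IMDS_ADDRESS = "169.254.169.254"


@dataclass(frozen=True)
class Rule:
    direction: str                       # "inbound" or "outbound"
    protocol: str                        # "tcp" or "udp"
    destination: ipaddress.IPv4Network   # /32 for a single host
    port: int


@dataclass(frozen=True)
class Flow:
    direction: str   # as seen by the host firewall
    protocol: str
    dst_ip: str
    dst_port: int


def parse_rule(text: str) -> Rule:
    """Parse 'Direction; Protocol P; Destination A; Destination port N'."""
    fields = [f.strip() for f in text.split(";")]
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {text!r}")
    direction = fields[0].lower()
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"bad direction: {fields[0]!r}")
    protocol = fields[1].split()[-1].lower()
    destination = ipaddress.ip_network(fields[2].split()[-1], strict=False)
    port = int(fields[3].split()[-1])
    return Rule(direction, protocol, destination, port)


def is_allowed(rules: Sequence[Rule], flow: Flow) -> bool:
    """Default deny: the flow passes only if at least one rule matches every field."""
    ip = ipaddress.ip_address(flow.dst_ip)
    return any(
        r.direction == flow.direction.lower()
        and r.protocol == flow.protocol.lower()
        and ip in r.destination
        and r.port == flow.dst_port
        for r in rules
    )


# The instance itself opens the connection, so the firewall sees it as outbound.
# IMDSv2's token request (PUT /latest/api/token) uses the same address and port,
# so the same rule covers it.
IMDS_FLOW = Flow("outbound", "tcp", IMDS_ADDRESS, 80)

OPTIONS = {
    "A": "Inbound; Protocol TCP; Destination 169.254.169.254; Destination port 80",
    "B": "Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80",
    "C": "Inbound; Protocol UDP; Destination 169.254.169.254; Destination port 443",
    "D": "Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 443",
}


def options_allowing_imds() -> List[str]:
    """Return the option letters whose rule, on its own, lets the IMDS flow through."""
    return sorted(k for k, text in OPTIONS.items() if is_allowed([parse_rule(text)], IMDS_FLOW))


if __name__ == "__main__":
    print("options that permit metadata access:", options_allowing_imds())
```

Because the destination is parsed as a network, the same evaluator handles a /32 host rule and a CIDR rule alike, and the check confirms that a neighbouring link-local address is still blocked under option B. The reply packets from the metadata service are handled by the firewall's connection tracking, which is why no matching inbound rule is needed for this exception.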


Question 110

Exam Question

A company hosts its ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances are in a private subnet with the default DHCP options set. Internet connectivity is through a NAT gateway that is configured in the public subnet.

A third-party audit of the security infrastructure identifies a DNS exfiltration vulnerability. The company must implement a highly available solution that protects against this vulnerability.

Which solution will meet these requirements MOST cost-effectively?

A. Configure a BIND server with DNS filtering. Modify the DNS servers in the DHCP options set.

B. Use Amazon Route 53 Resolver DNS Firewall. Configure a domain list with a rule group.

C. Use AWS Network Firewall with domain name filtering.

D. Configure an Amazon Route 53 Resolver outbound endpoint with rules to filter and block suspicious traffic.

Correct Answer

B. Use Amazon Route 53 Resolver DNS Firewall. Configure a domain list with a rule group.