
AWS Certified Advanced Networking – Specialty ANS-C01 Exam Questions and Answers – 2

The latest AWS Certified Advanced Networking – Specialty ANS-C01 practice exam questions and answers (Q&A) are available free of charge to help you pass the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty ANS-C01 certification.

Question 121

Exam Question

You are configuring a VPN to AWS for your company. You have configured the Virtual Private Gateway (VGW) and the Customer Gateway (CGW). You have also run the necessary commands on your router for the VPN. You allowed all TCP and UDP traffic between your data center and your VPC. The tunnel still doesn’t get established.

What is the most likely cause behind this issue?

A. You are using IKEv2

B. Route propagation has not been enabled for the route table

C. You are using a private ASN for the customer gateway

D. Traffic on Protocol 50 is being blocked by the firewall

Correct Answer

D. Traffic on Protocol 50 is being blocked by the firewall

Explanation

Correct option:

Traffic on Protocol 50 is being blocked by the firewall

By default, instances that you launch into an Amazon VPC can’t communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.

What is AWS Site-to-Site VPN?

via – AWS > Documentation > AWS VPN > User Guide > What is AWS Site-to-Site VPN?

The use case states that the VPN doesn’t come up. Problems in establishing a VPN connection can happen due to the configuration of:

Phase 1 or Internet Key Exchange (IKE) phase of tunnel configuration

Phase 2 or Internet Protocol security (IPsec) phase of tunnel configuration

For a successful phase 1, UDP packets on port 500 (and port 4500, if NAT-traversal is used) must be allowed to pass between your network and the AWS VPN endpoints. You should also ensure that the intermediate internet service providers (ISPs) aren’t blocking UDP port 500 (or port 4500, if NAT-traversal is used). The use case states that all TCP and UDP traffic between your data center and the VPC is allowed, so phase 1 is not the likely cause of the issue.

The purpose of IPsec (phase 2) is to negotiate and establish a secure tunnel for the transmission of data between VPN peers. Without a successful phase 2 negotiation, you cannot send and receive traffic across the VPN tunnel. For the given use case, you need to ensure that Encapsulating Security Payload (ESP) protocol 50 is not blocked inbound or outbound.

Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?

via – Why is IPsec/Phase 2 for AWS Site-to-Site VPN failing to establish a connection?

Incorrect options:

Route propagation has not been enabled for the route table – Route tables determine where network traffic from your VPC is directed. In your VPC route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you. It is not mandatory to enable route propagation as you can configure static routes in your route table for your remote network, so this option is incorrect.

You are using IKEv2 – AWS supports both IKEv1 and IKEv2, so this option is ruled out.

You are using a private ASN for the customer gateway – To configure Border Gateway Protocol (BGP) for your VPN, you can use a private ASN in the 64512–65534 range. So this option is incorrect.
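The reasoning above can be turned into a check: given a firewall rule set, report which of the IKE (UDP/500, UDP/4500) and ESP (IP protocol 50) requirements it fails. This is an added example, not code from the page or from AWS; the rule model (first matching rule wins, unmatched traffic is denied) and the two rule sets are constructed for illustration.

```python
"""Check whether a firewall rule set permits AWS Site-to-Site VPN traffic.

Added example, not from the original page. The rule model (first matching
rule wins, anything unmatched is denied) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Optional

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50   # Encapsulating Security Payload: the IPsec phase 2 data traffic
ANY_PROTO = -1


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" or "out"
    protocol: int         # IP protocol number, or ANY_PROTO
    port: Optional[int]   # destination port for TCP/UDP; None matches any port
    action: str           # "allow" or "deny"


def first_match(rules: List[Rule], direction: str, protocol: int,
                port: Optional[int]) -> Optional[Rule]:
    """Return the first rule that matches the flow, or None if nothing matches."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.protocol not in (ANY_PROTO, protocol):
            continue
        if r.port is not None and r.port != port:
            continue
        return r
    return None


def check_ipsec_rules(rules: List[Rule], nat_traversal: bool = False) -> List[str]:
    """Return the problems that would stop the tunnel from being established.

    Phase 1 (IKE) needs UDP/500 (plus UDP/4500 when NAT-T is in use) in both
    directions; phase 2 (IPsec) needs ESP, IP protocol 50, in both directions.
    """
    required = [("IKE", PROTO_UDP, 500)]
    if nat_traversal:
        required.append(("IKE NAT-T", PROTO_UDP, 4500))
    required.append(("ESP", PROTO_ESP, None))

    problems = []
    for name, proto, port in required:
        for direction in ("in", "out"):
            hit = first_match(rules, direction, proto, port)
            if hit is None or hit.action != "allow":
                what = f"protocol {proto}" if port is None else f"UDP port {port}"
                problems.append(f"{name}: {direction}bound {what} is not allowed")
    return problems


# Constructed rule set matching the exam scenario: all TCP and all UDP are
# allowed in both directions, everything else is implicitly denied.
SCENARIO_RULES = [
    Rule("in", PROTO_TCP, None, "allow"), Rule("out", PROTO_TCP, None, "allow"),
    Rule("in", PROTO_UDP, None, "allow"), Rule("out", PROTO_UDP, None, "allow"),
]

# Corrected rule set: ESP (protocol 50) is also allowed in both directions.
FIXED_RULES = SCENARIO_RULES + [
    Rule("in", PROTO_ESP, None, "allow"), Rule("out", PROTO_ESP, None, "allow"),
]

if __name__ == "__main__":
    for label, rules in (("exam scenario", SCENARIO_RULES), ("corrected", FIXED_RULES)):
        print(label, check_ipsec_rules(rules, nat_traversal=True) or "ok")
```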


Question 122

Exam Question

A cybersecurity company has its flagship application running on EC2 instances in a VPC and the application must publish custom metrics with proprietary information to CloudWatch in the same AWS Region. All connectivity must be established using private IP addresses.

Which of the following options will address these requirements?

A. Connect the application to CloudWatch using a virtual private gateway

B. Connect the application to CloudWatch using a transit gateway

C. Connect the application to CloudWatch using an interface endpoint

D. Connect the application to CloudWatch using a gateway endpoint

Correct Answer

C. Connect the application to CloudWatch using an interface endpoint

Explanation

Correct option:

Connect the application to CloudWatch using an interface endpoint

Metrics are data about the performance of your systems. By default, many services provide free metrics for resources (such as Amazon EC2 instances, Amazon EBS volumes, and Amazon RDS DB instances). You can also enable detailed monitoring for some resources, such as your Amazon EC2 instances, or publish your own application metrics. Metric data is kept for 15 months, enabling you to view both up-to-the-minute data and historical data.

You can publish your own metrics to CloudWatch using the AWS CLI or an API. Each metric is one of the following:

Standard resolution, with data having a one-minute granularity

High resolution, with data at a granularity of one second

When you publish a custom metric, you can define it as either standard resolution or high resolution.

When you publish a high-resolution metric, CloudWatch stores it with a resolution of 1 second, and you can read and retrieve it with a period of 1 second, 5 seconds, 10 seconds, 30 seconds, or any multiple of 60 seconds.

A VPC endpoint enables connections between a virtual private cloud (VPC) and the supported services, without requiring that you use an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Therefore, your VPC is not exposed to the public internet.

VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. The following are the different types of VPC endpoints. You create the type of VPC endpoint that’s required by the supported service.

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a service that is owned by AWS or owned by an AWS customer or partner. CloudWatch supports interface endpoints. For the given use case, you can establish a private connection from the given application to CloudWatch using an interface endpoint.

Incorrect options:

Connect the application to CloudWatch using a gateway endpoint – A gateway endpoint is a gateway that is a target for a route in your route table used for traffic destined to either Amazon S3 or DynamoDB. CloudWatch does not support gateway endpoints, so this option is ruled out.

Connect the application to CloudWatch using a transit gateway – AWS Transit Gateway connects VPCs and on-premises networks through a central hub. You cannot establish a private connection from the given application to CloudWatch using a transit gateway.

Connect the application to CloudWatch using a virtual private gateway – A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection or a Direct Connect connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection or a Direct Connect connection. This option has been added as a distractor; you cannot establish a private connection from the given application to CloudWatch using a virtual private gateway.


Question 123

Exam Question

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company’s on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company’s global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances.

What should the company do next to meet these requirements?

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.

B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Correct Answer

B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

Question 124

Exam Question

You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required.

Which of the following will improve transmission quality?

A. Enable enhanced networking

B. Select G2 instance types

C. Enable jumbo frames

D. Use multiple elastic network interfaces

Correct Answer

A. Enable enhanced networking

Reference

AWS > Documentation > Amazon EC2 > User Guide for Linux Instances > Enhanced networking on Linux

Question 125

Exam Question

An Elastic Load Balancer (ELB) is configured with an Auto Scaling Group (ASG) having a minimum of 4, a maximum of 10, and a desired value of 4 instances. The ASG cooldown and the termination policies are configured to the default values. Monitoring reports indicate a general usage requirement of 4 instances, while any traffic spikes result in an additional 7-8 instances. Customers have been complaining of request timeouts and partially loaded pages.

Which configuration change will you suggest as the first line of troubleshooting to fix this issue?

A. Configure termination policies on ASG to determine which instances it terminates first during scale-in events

B. Configure connection draining on ELB

C. Add a lifecycle hook on scale-out event to your ASG, making sure that the instance is fully ready before it starts receiving traffic

D. Enable Sticky Sessions on ELB

Correct Answer

B. Configure connection draining on ELB

Explanation

Correct option:

Configure connection draining on ELB – To ensure that an ELB stops sending requests to instances that are de-registering or unhealthy while keeping the existing connections open, use connection draining. This enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy.

When you enable connection draining, you can specify a maximum time for the load balancer to keep connections alive before reporting the instance as de-registered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the de-registering instance.

When Connection Draining is enabled and configured, the process of deregistering an instance from an Elastic Load Balancer gains an additional step. For the duration of the configured timeout, the load balancer will allow existing, in-flight requests made to an instance to complete, but it will not send any new requests to the instance.

Incorrect options:

Configure termination policies on ASG to determine which instances it terminates first during scale-in events – Amazon EC2 Auto Scaling uses termination policies to determine which instances it terminates first during scale-in events. Termination policies define the termination criteria that are used by Amazon EC2 Auto Scaling when choosing which instances to terminate. However, termination policies are not relevant to the given use case.

Enable Sticky Sessions on ELB – The sticky session feature (also known as session affinity) enables the load balancer to bind a user’s session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance. The key to managing sticky sessions is to determine how long your load balancer should consistently route the user’s requests to the same instance. A sticky session is relevant for a use case that needs to maintain session functionality.

Add a lifecycle hook on scale-out event to your ASG, making sure that the instance is fully ready before it starts receiving traffic – Amazon EC2 Auto Scaling offers the ability to add lifecycle hooks to your Auto Scaling groups. These hooks enable an Auto Scaling group to be aware of events in the Auto Scaling instance lifecycle and then perform a custom action when the corresponding lifecycle event occurs. Adding a lifecycle hook on a scale-out event is not relevant for the given use case.


Question 126

Exam Question

An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company’s infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service providers. The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols for reliable transmission of the data they collect. The IoT devices have both landline and mobile internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions. The company will use Amazon Route 53 for DNS services. A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud.

Which solution will meet these requirements with the HIGHEST availability?

A. Set up an Amazon CloudFront distribution with origin failover. Create an origin group for each Region where the solution is deployed

B. Set up Route 53 latency-based routing. Add latency alias records. For the latency alias records, set the value of Evaluate Target Health to Yes.

C. Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health checks.

D. Set up Bring Your Own IP (BYOIP) addresses. Use the same PI addresses for each Region where the solution is deployed.

Correct Answer

B. Set up Route 53 latency-based routing. Add latency alias records. For the latency alias records, set the value of Evaluate Target Health to Yes.

Reference

The Internet of Things on AWS – Official Blog > Automate global device provisioning with AWS IoT Core and Amazon Route 53

Question 127

Exam Question

An organization processes consumer information submitted through its website. The organization’s security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.

Which combination of services will support these requirements? (Select two.)

A. Amazon Aurora in a private subnet

B. Amazon CloudFront using AWS Lambda@Edge

C. Customer-managed MySQL with Transparent Data Encryption

D. Application Load Balancer using HTTPS listeners and targets

E. AWS Key Management Service

Correct Answer

B. Amazon CloudFront using AWS Lambda@Edge

E. AWS Key Management Service


Question 128

Exam Question

A social media company is delivering web content from an Amazon EC2 instance in a public subnet with address 2021:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:

2 098765432112 eni-0596e500987654321 2021:db8:2:200::2 2021:db8:1:100::1 0 0 58 236 42336 1551200195 1551200434 ACCEPT OK

2 098765432112 eni-0596e500987654321 2021:db8:1:100::1 2021:db8:2:200::2 0 0 58 236 42336 1551200195 1551200434 REJECT OK

Which of the following actions will restore network reachability to the EC2 instance?

A. Update the security group associated with the eni-0596e500987654321 to allow outbound traffic

B. Update the network ACL associated with the eni-0596e500987654321 to allow outbound traffic

C. Update the security group associated with the subnet to allow outbound traffic

D. Update the network ACL associated with the subnet to allow outbound traffic

Correct Answer

D. Update the network ACL associated with the subnet to allow outbound traffic

Explanation

Correct option:

Update the network ACL associated with the subnet to allow outbound traffic

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.

Logging IP traffic using VPC Flow Logs

via – AWS > Documentation > Amazon VPC > User Guide > Logging IP traffic using VPC Flow Logs

For the given use case, the inbound traffic is accepted; however, the response traffic has been rejected. If you’re using flow logs to diagnose overly restrictive or permissive security group rules or network ACL rules, you should note that security groups are stateful: this means that responses to allowed traffic are also allowed, even if the rules in your security group do not permit it.

Conversely, network ACLs are stateless, therefore responses to allowed traffic are subject to network ACL rules.

Flow log record examples

via – AWS > Documentation > Amazon VPC > User Guide > Flow log record examples

Incorrect options:

Update the network ACL associated with the eni-0596e500987654321 to allow outbound traffic – A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. A network ACL cannot be associated with ENIs, so this option is incorrect.

Update the security group associated with the eni-0596e500987654321 to allow outbound traffic – Considering the case when a security group’s inbound rules allow traffic but the outbound rules do not allow traffic, the response traffic from the instance would still be allowed because security groups are stateful. So this option is incorrect.

Update the security group associated with the subnet to allow outbound traffic – A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Security groups are associated with network interfaces.

Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups.

Security groups cannot be associated with subnets, so this option is incorrect.
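The diagnosis above (inbound ACCEPT, reply REJECT, therefore a stateless network ACL rather than a stateful security group) can be automated over flow log records. This is an added example, not code from the page or from AWS; it parses the default (version 2) flow log layout, uses the two records quoted in the question plus one constructed NODATA record, and the flow-pairing logic is this example's own assumption.

```python
"""Find flows that were accepted one way but rejected on the way back in
VPC Flow Log records.

Added example, not from the original page. SAMPLE_LOG holds the two records
quoted in the question plus one constructed NODATA record; the field layout
is the default (version 2) flow log format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order of a default-format flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; NODATA/SKIPDATA records carry no flow and yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]),
                      int(rec["protocol"]), rec["action"])


def find_stateless_drops(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (interface, local address, peer address, protocol) for every flow
    that was ACCEPTed while its reverse flow was REJECTed.

    Security groups are stateful, so replies to allowed traffic pass even with
    no matching outbound rule; a rejected reply therefore points at the
    subnet's network ACL, which evaluates each direction on its own.
    """
    actions: Dict[tuple, str] = {}
    for line in lines:
        r = parse_record(line)
        if r is None:
            continue
        actions[(r.interface_id, r.srcaddr, r.dstaddr,
                 r.srcport, r.dstport, r.protocol)] = r.action

    findings = []
    for (eni, src, dst, sport, dport, proto), action in actions.items():
        reverse = actions.get((eni, dst, src, dport, sport, proto))
        if action == "ACCEPT" and reverse == "REJECT":
            findings.append((eni, dst, src, proto))
    return findings


SAMPLE_LOG = [
    "2 098765432112 eni-0596e500987654321 2021:db8:2:200::2 2021:db8:1:100::1 0 0 58 236 42336 1551200195 1551200434 ACCEPT OK",
    "2 098765432112 eni-0596e500987654321 2021:db8:1:100::1 2021:db8:2:200::2 0 0 58 236 42336 1551200195 1551200434 REJECT OK",
    # Constructed: an interval with no traffic, which is skipped rather than parsed.
    "2 098765432112 eni-0596e500987654321 - - - - - - - 1551200434 1551200494 - NODATA",
]

if __name__ == "__main__":
    for eni, local, peer, proto in find_stateless_drops(SAMPLE_LOG):
        print(f"{eni}: replies from {local} to {peer} (protocol {proto}) rejected; "
              "check the outbound rules of the subnet's network ACL")
```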


Question 129

Exam Question

A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.

A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.

What should the network engineer do to meet these requirements?

A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC

B. Change the router configurations to summarize the advertised routes

C. Open a support ticket to increase the quota on advertised routes to the VPC route table

D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC and connect the Direct Connect gateway to the transit gateway.

Correct Answer

D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC and connect the Direct Connect gateway to the transit gateway.

Question 130

Exam Question

A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company’s data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.

How should the network engineer set up the Direct Connect connection to meet these requirements?

A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

Correct Answer

B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

Explanation

This solution meets the requirements of the company by using a single Direct Connect connection with two VIFs, one connected to the transit gateway in us-east-1 and the other connected to the VPC in eu-west-1. Two Direct Connect gateways are used, one for each VIF, to route traffic from the Direct Connect location to the corresponding AWS Region along the path that has the lowest latency. This setup ensures that traffic between the VPCs in us-east-1 and on-premises databases is routed through the transit gateway, while traffic between the VPC in eu-west-1 and the on-premises server is routed directly through the private VIF.