Free practice exam questions and answers (Q&A), with explanations and references, for the AWS Certified Advanced Networking – Specialty (ANS-C01) exam, to help you prepare for the ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty certification.
Table of Contents
- Question 131
  - Exam Question
  - Correct Answer
  - Explanation
  - Reference
- Question 132
  - Exam Question
  - Correct Answer
  - Explanation
  - References
- Question 133
  - Exam Question
  - Correct Answer
- Question 134
  - Exam Question
  - Correct Answer
- Question 135
  - Exam Question
  - Correct Answer
  - Reference
- Question 136
  - Exam Question
  - Correct Answer
- Question 137
  - Exam Question
  - Correct Answer
  - Explanation
  - References
- Question 138
  - Exam Question
  - Correct Answer
  - Explanation
  - References
- Question 139
  - Exam Question
  - Correct Answer
  - Explanation
  - References
- Question 140
  - Exam Question
  - Correct Answer
Question 131
Exam Question
Your organization needs to resolve DNS entries stored in an Amazon Route 53 private zone "awscloud.internal" from the corporate network. An AWS Direct Connect connection with a private virtual interface is configured to provide access to a VPC with the CIDR block 192.168.0.0/16. A DNS Resolver (BIND) is configured on an Amazon Elastic Compute Cloud (EC2) instance with the IP address 192.168.10.5 within the VPC. The DNS Resolver has standard root server hints configured and conditional forwarding for "awscloud.internal" to the IP address 192.168.0.2.
How should you enable successful queries for "server.awscloud.internal"?
A. Attach an internet gateway to the VPC and create a default route.
B. Configure the VPC settings for enableDnsHostnames and enableDnsSupport as True
C. Relocate the BIND DNS Resolver to the corporate network.
D. Update the security group for the EC2 instance at 192.168.10.5 to allow UDP Port 53 outbound.
Correct Answer
B. Configure the VPC settings for enableDnsHostnames and enableDnsSupport as True
Explanation
The AmazonProvidedDNS resolver is reserved by every VPC at the base of the VPC CIDR plus two (192.168.0.2 here), which is where the BIND resolver forwards queries for the zone. Because the private hosted zone (PHZ) is hosted in Route 53, the VPC must have both enableDnsSupport and enableDnsHostnames set to True for that resolver to answer queries for the private zone.
Reference
AWS > Documentation > Amazon Route 53 > Developer Guide > Creating a private hosted zone
Question 132
Exam Question
The networking team at a company wants to do a Simple AD deployment and use it for the company’s Microsoft Exchange email server. The team is having issues finding the AD server.
What is the most probable root cause behind this issue?
A. You need to contact AWS to receive an MX record for the Microsoft Exchange email server
B. Simple AD does not support Microsoft Exchange
C. The Network Access Control List is blocking the traffic to the email server
D. TLS is not implemented
Correct Answer
B. Simple AD does not support Microsoft Exchange
Explanation
Correct option:
Simple AD does not support Microsoft Exchange
Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes.
Small – Supports up to 500 users (approximately 2,000 objects including users, groups, and computers).
Large – Supports up to 5,000 users (approximately 20,000 objects including users, groups, and computers).
When you create a directory with Simple AD, AWS Directory Service creates two domain controllers and DNS servers on your behalf. The domain controllers are created in different subnets in a VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs.
However, note that Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group-managed service accounts, and schema extensions for POSIX and Microsoft applications.
Microsoft Exchange Server needs Microsoft Active Directory domain controllers and Windows Server-based instances as Exchange nodes. Neither Simple AD nor AWS Managed Microsoft AD supports Microsoft Exchange Server.
Incorrect options:
You need to contact AWS to receive an MX record for the Microsoft Exchange email server
The Network Access Control List is blocking the traffic to the email server
TLS is not implemented
These three options have been added as distractors. The root cause has been identified in the explanation above.
References
- AWS > Documentation > AWS Directory Service > Administration Guide > Simple Active Directory
- Exchange Server on AWS
- Microsoft Workloads on AWS > How to run Microsoft Exchange Server on AWS using Amazon EC2
- Products > Security, Identity & Compliance > AWS Directory Service > AWS Directory Service FAQs
Question 133
Exam Question
A security team is performing an audit of a company’s AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.
B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
Correct Answer
D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
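The answer relies on two things: a custom format that adds the packet-level pkt-srcaddr and pkt-dstaddr fields (which carry the pod address when it differs from the address of the node's network interface), and a filter to the node ENIs so that only the two clusters' traffic is examined. The Python below is an added example, not code from the exam dump or from AWS: it declares such a custom format, parses records written in it, restricts them to a set of EKS node ENIs and maps each pod source to the destinations it reached. The ENI ids, addresses and log lines are constructed sample data, and the function names are assumed here.

```python
from __future__ import annotations

from collections import defaultdict

# Custom log format declared when the flow log is created; the same string is
# used here to name the columns of each record. The field names are the
# documented VPC Flow Logs custom-format field names.
LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} "
              "${pkt-srcaddr} ${pkt-dstaddr} ${dstport} ${protocol} ${action}")

# ENIs of the worker nodes in the two EKS clusters (constructed ids).
EKS_NODE_ENIS = {"eni-0a1b2c3d4e5f60001", "eni-0a1b2c3d4e5f60002"}

# Constructed sample records in the format above.
SAMPLE_LINES = [
    # pod 10.0.1.200 on node 10.0.1.10 reaching a database on 10.0.3.50
    "5 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.3.50 10.0.1.200 10.0.3.50 5432 6 ACCEPT",
    # second pod on the same node, blocked by a security group or NACL
    "5 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.3.50 10.0.1.201 10.0.3.50 5432 6 REJECT",
    # pod in the other cluster reaching an internal HTTPS service
    "5 eni-0a1b2c3d4e5f60002 10.0.2.10 10.0.3.80 10.0.2.150 10.0.3.80 443 6 ACCEPT",
    # traffic from the node itself: no separate packet-level address recorded
    "5 eni-0a1b2c3d4e5f60002 10.0.2.10 10.0.3.80 - - 22 6 ACCEPT",
    # unrelated instance in the VPC; excluded by the ENI filter
    "5 eni-0fedcba9876543210 10.0.9.9 10.0.3.50 10.0.9.9 10.0.3.50 5432 6 ACCEPT",
]

_PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}


def parse_format(fmt: str) -> list[str]:
    """Turn '${a} ${b}' into ['a', 'b']."""
    names = []
    for token in fmt.split():
        if not (token.startswith("${") and token.endswith("}")):
            raise ValueError(f"bad format token: {token}")
        names.append(token[2:-1])
    return names


def parse_record(names: list[str], line: str) -> dict[str, str | None]:
    """Split one record into a dict; '-' (field not applicable) becomes None."""
    values = line.split()
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}: {line!r}")
    return {n: (None if v == "-" else v) for n, v in zip(names, values)}


def pod_flows(lines: list[str], fmt: str, node_enis: set[str]) -> dict[str, list[str]]:
    """Map each original (packet-level) source address seen on the node ENIs to
    the sorted destinations it reached, as 'ip:port/proto ACTION'.

    pkt-srcaddr is the pod address when it differs from the ENI address;
    when it is absent the record is the node's own traffic and srcaddr is used.
    """
    names = parse_format(fmt)
    flows: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_record(names, line)
        if rec["interface-id"] not in node_enis:
            continue  # the filter: only the two clusters' nodes
        src = rec["pkt-srcaddr"] or rec["srcaddr"]
        dst = rec["pkt-dstaddr"] or rec["dstaddr"]
        proto = _PROTO.get(rec["protocol"], rec["protocol"])
        flows[src].add(f"{dst}:{rec['dstport']}/{proto} {rec['action']}")
    return {src: sorted(dsts) for src, dsts in flows.items()}


if __name__ == "__main__":
    for src, dsts in sorted(pod_flows(SAMPLE_LINES, LOG_FORMAT, EKS_NODE_ENIS).items()):
        print(src, "->", ", ".join(dsts))
```

Records from the unrelated ENI never reach the report, and the node-level record (no packet-level addresses) is attributed to the node's own address, so REJECTed pod flows stand out as the lines the audit is after.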
Question 134
Exam Question
A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization’s security team, the VPN must meet the following requirements:
- AES 128-bit encryption
- SHA-1 hashing
- User access via SSL VPN
- PFS using DH Group 2
- Ability to maintain/rotate keys and passwords
- Certificate-based authentication
Which solution should you recommend so that the organization meets the requirements?
A. AWS hardware VPN between the virtual private gateway and customer gateway
B. A third-party VPN solution deployed from AWS Marketplace
C. A private MPLS solution from an international carrier
D. AWS hardware VPN between the virtual private gateways in each region
Correct Answer
B. A third-party VPN solution deployed from AWS Marketplace
Question 135
Exam Question
You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any URL.
Which of the following solutions should you deploy? (Select two.)
A. Include s3.amazonaws.com in the whitelist.
B. Create a VPC endpoint for S3.
C. Run Squid proxy on a NAT instance.
D. Deploy a NAT gateway into your VPC.
E. Utilize a security group to restrict access.
Correct Answer
B. Create a VPC endpoint for S3.
C. Run Squid proxy on a NAT instance.
Reference
AWS Security Blog > How to set up an outbound VPC proxy with domain whitelisting and content filtering
Question 136
Exam Question
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service.example.com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name. The company's security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)
A. Create a self-signed certificate for service.example.com. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
B. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
C. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
D. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
E. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
F. Create a self-signed certificate for service-alb.example.com. Import the certificate into AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
Correct Answer
B. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
D. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
E. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
Question 137
Exam Question
The networking team at a company has noticed issues with Quality of Service (QoS) in the traffic to the EC2 instances hosting a VOIP program. The team needs to inspect the network packets to determine if it is a programming error or a networking error.
As an AWS Certified Networking Specialist, which of the following solutions would you recommend for the given use case?
A. Provision another EC2 instance with an ENI added to act as a monitoring interface. Configure the port to promiscuous mode and sniff the traffic to analyze the packets. Direct the output of this single stream to an S3 bucket for further analysis
B. Use CloudWatch to inspect the network packets
C. Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis
D. Use VPC Flow Logs to inspect the network packets
Correct Answer
C. Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis
Explanation
Correct option:
Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis
Quality of Service (QoS) is a set of technologies that enable a network to dependably run high-priority applications and traffic under limited network capacity. QoS technologies accomplish this by providing differentiated handling and capacity allocation to specific flows in network traffic. Bandwidth (throughput), latency (delay), jitter (variance in latency), and error rate are the metrics relevant to QoS. This implies that QoS is of particular importance to high-bandwidth, real-time traffic such as voice over IP (VoIP), video conferencing, and video-on-demand that have a high sensitivity to latency and jitter.
Generally, promiscuous mode makes a network interface pass every frame it receives up to the host instead of only frames addressed to it. On AWS, however, even if you put your NIC into promiscuous mode, the hypervisor will never deliver traffic intended for another virtual machine to your EC2 instance. You need to use Traffic Mirroring, which copies the traffic passing through an elastic network interface (ENI) and sends it to another instance for further investigation. For the given use case, you set up traffic mirroring on the source EC2 instances hosting the VOIP program and then install a network monitoring program (such as Wireshark) on the traffic mirroring target EC2 instance. Finally, you can stream the logs from the target EC2 instance to an S3 bucket for further analysis.
Incorrect options:
Use CloudWatch to inspect the network packets – Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms. CloudWatch cannot be used to inspect the network packets.
Use VPC Flow Logs to inspect the network packets – VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored. VPC Flow Logs cannot be used to inspect the network packets.
Provision another EC2 instance with an ENI added to act as a monitoring interface. Configure the port to promiscuous mode and sniff the traffic to analyze the packets. Direct the output of this single stream to an S3 bucket for further analysis – Amazon EC2 instances running with an Amazon VPC have built-in protection against packet sniffing. It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. So this option is incorrect.
References
- Overview of AWS Security – Network Security
- Cyberpedia > Network Security > What is Quality of Service?
Question 138
Exam Question
The networking team at a company needs to automate VPC creation to enforce the company’s network and security standards which mandate that each application is isolated in its own VPC. The solution must also ensure that the CIDR range used in each VPC is unique.
Which of the following options would you recommend to address these requirements?
A. Deploy the VPC infrastructure using AWS CloudFormation and use the intrinsic function Fn::Cidr to request a unique CIDR range
B. Set up the VPCs using AWS CLI and use the dry-run flag to validate if the requested CIDR range is in use
C. Deploy the VPC infrastructure using AWS OpsWorks and leverage a custom resource to request a unique CIDR range from an external IP address management (IPAM) service
D. Deploy the VPC infrastructure using AWS CloudFormation and leverage a custom resource to request a unique CIDR range from an external IP address management (IPAM) service
Correct Answer
D. Deploy the VPC infrastructure using AWS CloudFormation and leverage a custom resource to request a unique CIDR range from an external IP address management (IPAM) service
Explanation
Correct option:
Deploy the VPC infrastructure using AWS CloudFormation and leverage a custom resource to request a CIDR range from an external IP address management (IPAM) service
AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you. Whenever you create a stack, CloudFormation provisions the resources that are described in your template.
via – AWS > Documentation > AWS CloudFormation > User Guide > How does AWS CloudFormation work?
IP address management (IPAM) is a core part of planning and managing the assignment and use of IP address space of a network. In order to request available CIDR blocks from IPAM for VPCs, you can use AWS CloudFormation Custom Resources. Custom resources enable you to write custom provisioning logic in templates that AWS CloudFormation runs anytime you create, update (if you changed the custom resource), or delete stacks. For custom resources, you can specify AWS::CloudFormation::CustomResource as the resource type, or you can specify your own resource type name. For example, instead of using AWS::CloudFormation::CustomResource, you can use Custom::MyCustomResourceTypeName.
via – Achieve Networking at Scale with a Self-Service Network Solution
Incorrect options:
Deploy the VPC infrastructure using AWS OpsWorks and leverage a custom resource to request a unique CIDR range from an external IP address management (IPAM) service – AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. You cannot deploy the VPC infrastructure using AWS OpsWorks.
Set up the VPCs using AWS CLI and use the dry-run flag to validate if the requested CIDR range is in use – The dry-run flag checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation. The dry-run flag cannot be used to validate if the requested CIDR range is in use.
Deploy the VPC infrastructure using AWS CloudFormation and use the intrinsic function Fn::Cidr to request a unique CIDR range – The intrinsic function Fn::Cidr returns an array of CIDR address blocks. The number of CIDR blocks returned is dependent on the count parameter. The syntax is like so – !Cidr [ ipBlock, count, cidrBits ]. For example, the YAML code !Cidr [ "192.168.0.0/24", 6, 5 ] creates 6 CIDRs with a subnet mask "/27" inside a CIDR with a mask of "/24". Fn::Cidr only subdivides the block it is given, so it cannot be used to request a unique CIDR range.
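The distinction between the two CloudFormation options comes down to where the parent range comes from. As an added example (not from the exam dump, and not AWS code), the Python below reimplements the documented arithmetic of !Cidr [ ipBlock, count, cidrBits ] and sets it beside a toy allocator standing in for the external IPAM that a custom resource would call; fn_cidr, SimpleIpam, any_overlap and demo are names assumed here, and the 10.0.0.0/8 pool is constructed.

```python
from __future__ import annotations

import ipaddress


def fn_cidr(ip_block: str, count: int, cidr_bits: int) -> list[str]:
    """Reimplement the documented Fn::Cidr semantics: return `count` blocks, each
    leaving `cidr_bits` host bits, carved in order from `ip_block`.
    Raises ValueError when the parent block cannot hold them."""
    parent = ipaddress.ip_network(ip_block, strict=True)
    new_prefix = parent.max_prefixlen - cidr_bits  # e.g. 32 - 5 = /27
    if new_prefix < parent.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than the parent {ip_block}")
    if count > 2 ** (new_prefix - parent.prefixlen):
        raise ValueError(f"{ip_block} holds fewer than {count} /{new_prefix} blocks")
    subnets = parent.subnets(new_prefix=new_prefix)
    return [str(net) for _, net in zip(range(count), subnets)]


class SimpleIpam:
    """Constructed stand-in for the external IPAM service a custom resource calls
    (not an AWS API). Hands out non-overlapping VPC CIDRs from one supernet and
    remembers them by VPC name, so a retried Create returns the same block."""

    def __init__(self, supernet: str, vpc_prefix: int):
        self._free = list(ipaddress.ip_network(supernet).subnets(new_prefix=vpc_prefix))
        self.allocated: dict[str, str] = {}

    def allocate(self, vpc_name: str) -> str:
        """Create/Update handler: return this VPC's block, allocating if new."""
        if vpc_name in self.allocated:
            return self.allocated[vpc_name]
        if not self._free:
            raise RuntimeError("IPAM pool exhausted")
        cidr = str(self._free.pop(0))
        self.allocated[vpc_name] = cidr
        return cidr

    def release(self, vpc_name: str) -> None:
        """Delete handler: return the block to the pool."""
        cidr = self.allocated.pop(vpc_name, None)
        if cidr is not None:
            self._free.append(ipaddress.ip_network(cidr))


def any_overlap(cidrs: list[str]) -> bool:
    """True if any two of the given CIDR blocks overlap."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def demo() -> tuple[bool, bool]:
    """Contrast the two approaches on two application stacks."""
    # Two stacks that each call Fn::Cidr on the same parent get identical ranges:
    # the function only splits what it is handed.
    stack_a = fn_cidr("10.0.0.0/16", 3, 8)
    stack_b = fn_cidr("10.0.0.0/16", 3, 8)
    # Two stacks whose custom resource asks the IPAM get disjoint VPC ranges.
    ipam = SimpleIpam("10.0.0.0/8", 16)
    vpc_a = ipam.allocate("app-a")
    vpc_b = ipam.allocate("app-b")
    return any_overlap(stack_a + stack_b), any_overlap([vpc_a, vpc_b])


if __name__ == "__main__":
    print(fn_cidr("192.168.0.0/24", 6, 5))
    print("Fn::Cidr twice overlaps:", demo()[0], "| IPAM overlaps:", demo()[1])
```

The IPAM side is the part a real custom resource would implement behind a Lambda-backed handler: idempotent Create, and a Delete that returns the block so the pool does not leak.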
References
- AWS > Documentation > AWS CloudFormation > User Guide > What is AWS CloudFormation?
- AWS > Documentation > AWS CloudFormation > User Guide > How does AWS CloudFormation work?
- Achieve Networking at Scale with a Self-Service Network Solution
Question 139
Exam Question
A developer has configured a private hosted zone using Route 53. The developer needs to configure health checks for record sets within the private hosted zone that are associated with EC2 instances.
How can the developer build a solution to address the given use-case?
A. Set up a Route 53 health check that monitors an SNS topic which in turn notifies a CloudWatch alarm when the EC2 StatusCheckFailed metric fails
B. Set up a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric and then configure a health check that monitors the status of the metric
C. Set up a Route 53 health check to a private IP associated with the instances inside the VPC to be checked
D. Set up a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then configure a health check that monitors the state of the alarm
Correct Answer
D. Set up a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then configure a health check that monitors the state of the alarm
Explanation
Correct option:
Set up a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then configure a health check that monitors the state of the alarm
A private hosted zone is a container that holds information about how you want Amazon Route 53 to respond to DNS queries for a domain and its subdomains within one or more VPCs that you create with the Amazon VPC service.
via AWS > Documentation > Amazon Route 53 > Developer Guide > Working with private hosted zones
Amazon Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources. Each health check that you create can monitor one of the following:
- The health of a specified resource, such as a web server.
- The status of other health checks.
- The status of an Amazon CloudWatch alarm.
Additionally, with Amazon Route 53 Application Recovery Controller, you can set up routing control health checks with DNS failover records to manage traffic failover for your application.
For the given use-case, you need to create a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the data stream for the alarm. To improve resiliency and availability, Route 53 doesn’t wait for the CloudWatch alarm to go into the ALARM state. The status of a health check changes from healthy to unhealthy based on the data stream and the criteria in the CloudWatch alarm.
via AWS > Documentation > Amazon Route 53 > Developer Guide > Types of Amazon Route 53 health checks
Incorrect options:
Set up a Route 53 health check that monitors an SNS topic which in turn notifies a CloudWatch alarm when the EC2 StatusCheckFailed metric fails – As mentioned above, the Route 53 health checks cannot monitor an SNS topic, so this option is incorrect.
Set up a Route 53 health check to a private IP associated with the instances inside the VPC to be checked – Route 53 health checkers are outside the VPC. To check the health of an endpoint within a VPC by IP address, you must assign a public IP address to the instance in the VPC. Therefore, you cannot set up a Route 53 health check to a private IP associated with an instance.
Set up a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric and then configure a health check that monitors the status of the metric – Route 53 health checks can monitor CloudWatch alarms. The Route 53 health checks cannot directly monitor the CloudWatch metrics, so this option is incorrect.
References
- AWS > Documentation > Amazon Route 53 > Developer Guide > Creating Amazon Route 53 health checks and configuring DNS failover
- AWS > Documentation > Amazon Route 53 > Developer Guide > Working with private hosted zones
- AWS > Documentation > Amazon Route 53 > Developer Guide > Configuring failover in a private hosted zone
- AWS > Documentation > Amazon Route 53 > Developer Guide > Types of Amazon Route 53 health checks
Question 140
Exam Question
A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable — ‘app.example.com’.
Instances within the VPC should always connect to the private IP to minimize data transfer costs.
How should the engineer configure DNS to support these requirements?
A. Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.
B. Create two A record entries for ‘app’ in the DNS zone ‘example.com’ — one for the public IP and one for the private IP.
C. Use Route 53 to create an ALIAS record to the public DNS name for the instance.
D. Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.
Correct Answer
D. Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.