The following AWS Certified Advanced Networking – Specialty (ANS-C01) practice exam questions, answers and explanations are provided free of charge to help you prepare for the ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty certification.
Table of Contents
- Question 141
- Exam Question
- Correct Answer
- Explanation
- Reference
- Question 142
- Exam Question
- Correct Answer
- Explanation
- Question 143
- Exam Question
- Correct Answer
- Explanation
- Reference
- Question 144
- Exam Question
- Correct Answer
- Explanation
- Question 145
- Exam Question
- Correct Answer
- Explanation
- Question 146
- Exam Question
- Correct Answer
- Explanation
- Question 147
- Exam Question
- Correct Answer
- Explanation
- Question 148
- Exam Question
- Correct Answer
- Question 149
- Exam Question
- Correct Answer
- Question 150
- Exam Question
- Correct Answer
- Explanation
Question 141
Exam Question
A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor. A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed.
The interim solution has worked for several weeks. However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from cloudfront". Monitoring services show that HTTPS port 443 on the legacy web application is open and responding to requests.
What is the likely cause of the error and what is the solution?
A. The origin access identity is not correct. Edit the CloudFront distribution and update the identity in the origin settings.
B. The SSL certificate on the CloudFront distribution has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to replace the SSL certificate in the CloudFront distribution with a new certificate.
C. The SSL certificate on the legacy web application server has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to create a new SSL certificate. Export the public and private keys and install the certificate on the legacy web application.
D. The SSL certificate on the legacy web application server has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server.
Correct Answer
D. The SSL certificate on the legacy web application server has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server.
Explanation
A 502 with "X-Cache: Error from cloudfront" while port 443 on the origin is still reachable means the TLS handshake between CloudFront and the origin failed, not the TCP connection. CloudFront validates the origin certificate the way a browser does: it must be within its validity period, be issued by a CA that CloudFront trusts (CloudFront uses the Mozilla CA list, so self-signed and private-CA certificates fail), cover the origin domain name, and be served together with its intermediate chain. A certificate that worked for weeks and then suddenly stopped working is the classic expiry case, which is why option D is correct.
From the CloudFront documentation: you can use an SSL/TLS certificate from the following sources on your custom origin. If your origin is an Elastic Load Balancing load balancer, you can use a certificate provided by AWS Certificate Manager (ACM). You also can use a certificate that is signed by a trusted third-party certificate authority and imported into ACM. For origins other than Elastic Load Balancing load balancers, you must use a certificate that is signed by a trusted third-party certificate authority (CA), for example, Comodo, DigiCert, or Symantec.
Option A is wrong because an origin access identity applies only to Amazon S3 origins. Option B is wrong because the certificate on the distribution secures the viewer-to-CloudFront connection; an expired viewer certificate would produce browser TLS errors, not a CloudFront-generated 502 from the origin side.
Reference
AWS > Documentation > Amazon CloudFront > Developer Guide > Requiring HTTPS for communication between CloudFront and your custom origin
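The origin-side checks described above can be reproduced from a workstation before touching the distribution. The following is an added example and not code from AWS or from this page: origin_cert_problems() evaluates a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and check_live_origin() performs the same strict handshake (SNI, hostname check, chain validation against the local trust store) against a real origin, so a missing intermediate fails there just as it fails at CloudFront. The hostnames, the two sample certificates and SAMPLE_TIME are constructed for the example.

```python
"""Checks CloudFront applies to a custom origin's TLS certificate.

Added example, not code from AWS or from the page. origin_cert_problems()
evaluates a certificate in the dict form that ssl.SSLSocket.getpeercert()
returns; check_live_origin() performs the same strict handshake against a
real origin. The hostnames and both sample certificates are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed "current time" used when evaluating the sample certificates.
SAMPLE_TIME = datetime(2023, 6, 1, tzinfo=timezone.utc)


def _dn_to_dict(rdns):
    """Flatten the nested RDN tuples of getpeercert() into a plain dict."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def _san_matches(pattern, host):
    """Match one dNSName SAN entry; a wildcard covers only the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def _cert_time(value):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def origin_cert_problems(cert, origin_host, now=None):
    """Return the reasons CloudFront would reject this origin certificate.

    cert has the shape returned by ssl.SSLSocket.getpeercert(). An empty list
    means the validity period, subjectAltName and self-signed checks pass.
    Chain validation against a trusted CA needs a real handshake (see
    check_live_origin).
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    if now > not_after:
        problems.append(f"expired on {not_after:%Y-%m-%d}")
    if now < not_before:
        problems.append(f"not valid before {not_before:%Y-%m-%d}")
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(san, origin_host) for san in sans):
        problems.append(f"no subjectAltName covers {origin_host}")
    if _dn_to_dict(cert["subject"]) == _dn_to_dict(cert["issuer"]):
        problems.append("self-signed (issuer equals subject)")
    return problems


def check_live_origin(origin_host, port=443, timeout=5.0):
    """Handshake the way CloudFront does: SNI set, hostname verified, chain
    validated against the local trust store. A missing intermediate fails
    here exactly as it fails at CloudFront. Returns [] or a list of problems."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    try:
        with socket.create_connection((origin_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=origin_host) as tls:
                return origin_cert_problems(tls.getpeercert(), origin_host)
    except ssl.SSLCertVerificationError as exc:
        return [f"chain/hostname verification failed: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"handshake failed: {exc}"]


# Constructed: getpeercert() output for an origin whose CA-issued cert expired.
EXPIRED_ORIGIN_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "legacy.example.com"), ("DNS", "*.legacy.example.com")),
}

# Constructed: a self-signed replacement, which CloudFront also rejects.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "issuer": ((("commonName", "legacy.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "legacy.example.com"),),
}

if __name__ == "__main__":
    for cert in (EXPIRED_ORIGIN_CERT, SELF_SIGNED_CERT):
        print(origin_cert_problems(cert, "legacy.example.com") or ["ok"])
```

Run check_live_origin("your-origin.example.com") against the real origin; anything other than an empty list is a reason CloudFront will also refuse the connection, and the verify_message on a chain failure tells you whether the problem is expiry, an untrusted issuer or a missing intermediate.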
Question 142
Exam Question
A financial services company receives real-time stock quotes in its ingestion VPC. The company plans to perform customer-specific data analysis on the stock quotes in various VPCs. The stock quotes must be distributed simultaneously from Amazon EC2 instances in the ingestion VPC to EC2 instances in the data analysis VPCs.
Which set of configuration steps should the company take to meet these requirements?
A. Configure EC2 instances in the ingestion VPC as IP unicast senders. Configure a transit gateway to serve as a unicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
B. Configure VPC peering between the ingestion VPC and the data analysis VPCs. Configure an Application Load Balancer to distribute Virtual Extensible LAN (VXLAN)-encapsulated traffic from the sender EC2 instances to the receiver EC2 instances.
C. Configure EC2 instances in the ingestion VPC as IP multicast senders. Configure a transit gateway to serve as a multicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
D. Configure Amazon Kinesis Data Firehose to capture streaming data from the ingestion VPC and load the data into Amazon S3. Configure the instances in the data analysis VPCs to download the data from Amazon S3 for processing.
Correct Answer
C. Configure EC2 instances in the ingestion VPC as IP multicast senders. Configure a transit gateway to serve as a multicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
Explanation
IP multicast delivers a single stream of data to many receivers simultaneously. AWS Transit Gateway can act as the multicast router: you create a multicast domain on the transit gateway, associate subnets from the attached VPCs with the domain, and register the sender's network interface as the multicast source and the receivers' network interfaces as group members. Option A describes no real feature, option B does not exist (an Application Load Balancer does not forward VXLAN), and option D replaces simultaneous distribution with a batch pipeline through Amazon S3.
Question 143
Exam Question
Your business has implemented a highly available Direct Connect system that makes use of two datacenters. Each data center is equipped with one LAG with two connections and one ordinary DX connection.
How many LOAs will be completed in total if your organization successfully completes an order for the addition of a new connection to each of the LAGs?
A. 1
B. 11
C. 2
D. 6
Correct Answer
D. 6
Explanation
When you create a LAG, you can download the Letter of Authorization and Connecting Facility Assignment (LOA-CFA) for each new physical connection individually from the AWS Direct Connect console. Counting one LOA-CFA per physical connection in each data center gives 2 for the LAG plus 1 for the standalone connection, so 3 per data center and 6 in total. To change an LOA-CFA after it has been created (for example, to change the ports), contact AWS Support; no new LOA-CFA is generated in that case. See https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-connection.html.
Reference
AWS > Documentation > AWS Direct Connect > User Guide > Link aggregation groups
Question 144
Exam Question
An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US). The company is targeting the western US for the expansion.
The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for centralized security features such as proxies, firewalls, and logging.
The company plans to duplicate the infrastructure from ap-southeast-2 to the us-west-1 Region. A network engineer must establish connectivity between the various applications in the two Regions.
The solution must maximize bandwidth, minimize latency and minimize operational overhead.
Which solution will meet these requirements?
A. Attach the VPCs in us-west-1 to the transit gateway in ap-southeast-2.
B. Create a VPN server in a VPC in each Region. Update the routing to point to the VPN servers for the IP addresses in alternate Regions.
C. Peer the transit gateways in each Region. Configure routing between the two transit gateways for each Region’s IP addresses.
D. Create VPN attachments between the two transit gateways. Configure the VPN attachments to use BGP routing between the two transit gateways.
Correct Answer
C. Peer the transit gateways in each Region. Configure routing between the two transit gateways for each Region’s IP addresses.
Explanation
A transit gateway peering attachment connects transit gateways in different Regions over the AWS global network, so inter-Region traffic never traverses the public internet and is not capped by VPN tunnel bandwidth. This minimizes latency and maximizes bandwidth while avoiding the operational overhead of managing VPN connections. Option A is not possible: a VPC can only be attached to a transit gateway in its own Region. Options B and D add IPsec overhead and a fleet of tunnels to operate, and each Site-to-Site VPN tunnel is limited to 1.25 Gbps. Note that a peering attachment does not propagate routes: you add static routes for the other Region's CIDRs to each transit gateway route table, which is the routing configuration the answer refers to.
Question 145
Exam Question
A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company is using Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. The company achieves hybrid network connectivity by using an AWS Site-to-Site VPN connection.
A new governance policy requires logging for DNS traffic that originates in the AWS Cloud. The policy also requires the company to query DNS traffic to identify the source IP address of the resources that the query originated from, along with the DNS name that was requested.
Which solution will meet these requirements?
A. Create VPC flow logs for all VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the IP address and DNS name.
B. Configure Route 53 Resolver query logging for all VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the IP address and DNS name.
C. Configure DNS logging for the Site-to-Site VPN connection. Send the logs to an Amazon S3 bucket. Use Amazon Athena to query the IP address and DNS name.
D. Modify the existing Route 53 Resolver rules to configure logging. Send the logs to an Amazon S3 bucket. Use Amazon Athena to query the IP address and DNS name.
Correct Answer
B. Configure Route 53 Resolver query logging for all VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the IP address and DNS name.
Explanation
The correct answer is to configure Amazon Route 53 Resolver query logging for all the VPCs. Each query log record includes the source IP address (srcaddr), the source instance ID, the queried name, the query type and the response code for every query that Route 53 Resolver answers in the associated VPCs. The logs can be sent to Amazon CloudWatch Logs and analyzed with CloudWatch Logs Insights.
The other answer options will fail to capture the needed DNS queries. In option A, VPC flow logs do not capture traffic between Amazon EC2 instances and the Amazon-provided DNS resolver, and flow logs contain no DNS names in any case. In option C, AWS Site-to-Site VPN connections do not offer DNS logging. In option D, Route 53 Resolver rules have no logging setting; query logging is enabled per VPC through a query logging configuration.
Question 146
Exam Question
An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances.
The company must encrypt all traffic at all stages between the customers and the application servers.
No decryption at intermediate points is allowed.
Which solution will meet these requirements?
A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB’s target group.
B. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB’s target group.
C. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certificate. Set the Auto Scaling group as the distribution’s origin.
D. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB’s target group.
Correct Answer
D. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB’s target group.
Explanation
To distribute traffic from customers to EC2 instances in an Auto Scaling group and keep all traffic encrypted at every stage without decryption at intermediate points, the company should create a Network Load Balancer (NLB) with a TCP listener and configure the Auto Scaling group to register instances with the NLB’s target group (option D). A TCP listener passes the encrypted bytes through unchanged, so the TLS session is established directly between the customer's browser and the application server that holds the private key. An ALB HTTPS listener (option A) terminates TLS at the load balancer, a Gateway Load Balancer (option B) is for inserting inline security appliances rather than serving web traffic, and CloudFront (option C) terminates TLS at the edge. Note that an NLB TLS listener would also terminate TLS; the listener must be TCP for end-to-end encryption.
Question 147
Exam Question
A company hosts its ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances are in a private subnet with the default DHCP options set. Internet connectivity is through a NAT gateway that is configured in the public subnet.
A third-party audit of the security infrastructure identifies a DNS exfiltration vulnerability. The company must implement a highly available solution that protects against this vulnerability.
Which solution will meet these requirements MOST cost-effectively?
A. Configure a BIND server with DNS filtering. Modify the DNS servers in the DHCP options set.
B. Use Amazon Route 53 Resolver DNS Firewall. Configure a domain list with a rule group.
C. Use AWS Network Firewall with domain name filtering.
D. Configure an Amazon Route 53 Resolver outbound endpoint with rules to filter and block suspicious traffic.
Correct Answer
B. Use Amazon Route 53 Resolver DNS Firewall. Configure a domain list with a rule group.
Explanation
With Amazon Route 53 Resolver DNS Firewall, you can monitor and control the domains that applications in your VPCs can access. DNS Firewall supports allow lists and deny lists to filter the set of domains that can be resolved. Because the filtering happens inside Route 53 Resolver, which is the DNS server the instances use under the default DHCP options set, every query from the VPC is inspected with no additional infrastructure to operate and no single point of failure. This is the most cost-effective way to block DNS queries used to exfiltrate data. One caveat: DNS Firewall only sees queries sent to the Route 53 Resolver, so outbound UDP/TCP port 53 to external resolvers should also be blocked with security groups or network ACLs.
In option A, a BIND server with DNS filtering could work. However, a single BIND server would be a single point of failure, and a fleet of BIND servers behind load balancers would be more complex and expensive than the correct answer.
In option C, AWS Network Firewall filters application layer and network layer traffic that passes through its endpoints. Queries to the VPC's Route 53 Resolver never traverse those endpoints, so Network Firewall has no visibility into them. Option D configures a Route 53 Resolver outbound endpoint, which is used to forward queries for specific domains to on-premises or other external DNS servers; the endpoint itself does not filter or block traffic.
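The Resolver query logs from Question 145 are also the data you use to confirm the DNS exfiltration finding in Question 147 and to build the deny list for DNS Firewall. The following is an added example, not AWS code or code from this page: it parses query log records in the documented Resolver query-log JSON layout (srcaddr, srcids.instance, query_name, query_type, rcode), answers the governance question of which source asked for which name, and applies two simple tunnelling heuristics (oversized and high-entropy subdomain labels, many unique subdomains under one base domain from one source). The five log records, the instance IDs, addresses and domains are constructed; the Logs Insights query string is the same question expressed in CloudWatch Logs Insights syntax.

```python
"""Route 53 Resolver query logs: pull source IP + queried name, and flag
DNS-tunnelling patterns. Added example, not AWS code. The log records below
are constructed in the documented Resolver query-log JSON field layout
(srcaddr, srcids.instance, query_name, query_type, rcode); instance IDs,
addresses and domains are made up."""
import json
import math
from collections import Counter, defaultdict

# Constructed sample: two ordinary lookups from 10.0.1.25 and three queries
# from 10.0.1.77 that carry data in the subdomain labels of example.net.
SAMPLE_LOG = """\
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-03-01T12:00:00Z","query_name":"www.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"198.51.100.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcport":"53012","transport":"UDP","srcids":{"instance":"i-0a1b2c3d4e5f60001"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-03-01T12:00:01Z","query_name":"api.internal.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.0.3.8","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcport":"53013","transport":"UDP","srcids":{"instance":"i-0a1b2c3d4e5f60001"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-03-01T12:00:02Z","query_name":"abcdefghijklmnopqrstuvwxyz234567.t.example.net.","query_type":"TXT","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.77","srcport":"49877","transport":"UDP","srcids":{"instance":"i-0a1b2c3d4e5f60002"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-03-01T12:00:03Z","query_name":"0123456789abcdef0123456789abcdef0123456789abcdef.t.example.net.","query_type":"TXT","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.77","srcport":"49878","transport":"UDP","srcids":{"instance":"i-0a1b2c3d4e5f60002"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-03-01T12:00:04Z","query_name":"2b3c4d5e.t.example.net.","query_type":"TXT","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.77","srcport":"49879","transport":"UDP","srcids":{"instance":"i-0a1b2c3d4e5f60002"}}
"""

# The same "who asked for what" question as a CloudWatch Logs Insights query.
LOGS_INSIGHTS_QUERY = ("fields query_timestamp, srcaddr, srcids.instance, query_name, rcode "
                       "| filter srcaddr = '10.0.1.77' | sort query_timestamp asc")


def parse_resolver_log(text):
    """One JSON object per line -> list of the fields an analyst needs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        records.append({
            "ts": rec["query_timestamp"],
            "srcaddr": rec["srcaddr"],
            "instance": rec.get("srcids", {}).get("instance"),
            "query_name": rec["query_name"].rstrip(".").lower(),
            "query_type": rec["query_type"],
            "rcode": rec["rcode"],
        })
    return records


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def split_name(qname):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def query_flags(rec, max_label=40, max_entropy=3.8):
    """Per-query tunnelling indicators: oversized or high-entropy subdomain labels."""
    _, sub_labels = split_name(rec["query_name"])
    flags = []
    if any(len(label) > max_label for label in sub_labels):
        flags.append("long label")
    if any(shannon_entropy(label) > max_entropy for label in sub_labels):
        flags.append("high-entropy subdomain")
    return flags


def exfil_report(records, min_unique=3, min_flagged=1):
    """Group by (source IP, base domain); report sources that fan out many unique
    subdomains under one domain and trip at least one per-query indicator."""
    stats = defaultdict(lambda: {"instance": None, "subdomains": set(), "flagged": 0})
    for rec in records:
        base, sub_labels = split_name(rec["query_name"])
        entry = stats[(rec["srcaddr"], base)]
        entry["instance"] = rec["instance"]
        entry["subdomains"].add(".".join(sub_labels))
        entry["flagged"] += bool(query_flags(rec))
    return {
        key: {"instance": v["instance"], "unique_subdomains": len(v["subdomains"]), "flagged": v["flagged"]}
        for key, v in stats.items()
        if len(v["subdomains"]) >= min_unique and v["flagged"] >= min_flagged
    }


if __name__ == "__main__":
    recs = parse_resolver_log(SAMPLE_LOG)
    for rec in recs:  # the governance question: which source asked for which name
        print(rec["srcaddr"], rec["instance"], rec["query_name"], query_flags(rec))
    for (src, base), info in exfil_report(recs).items():
        print(f"possible DNS exfiltration from {src} ({info['instance']}) via {base}: {info}")
```

The base domains that exfil_report() returns are the candidates for a DNS Firewall deny-list domain list; the instance IDs in srcids tell you which hosts to isolate. The thresholds are starting points, not tuned values, and the two-label approximation of the registrable domain will misgroup names under public suffixes such as co.uk.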
Question 148
Exam Question
A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.
What design will use the LEAST amount of IP space, while allowing for this growth?
A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.
B. Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
C. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
D. Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
Correct Answer
C. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
An Application Load Balancer requires subnets in at least two Availability Zones, each with at least a /27 bitmask and 8 free IP addresses, so the /29 and single-subnet options cannot host an ALB and it consumes more addresses as it scales. A Network Load Balancer uses one network interface with a single private IP address per Availability Zone subnet and scales without consuming more, so two /28 subnets in different Availability Zones provide high availability with the least IP space.
Question 149
Exam Question
A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1.
The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency.
How should the network engineer design the network architecture to meet these requirements?
A. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
C. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.
D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.
Correct Answer
B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
Question 150
Exam Question
An ecommerce company has a business-critical application that runs on Amazon EC2 instances in a VPC. The company’s development team has been testing a new version of the application on test EC2 instances. The development team wants to test the new application version against production traffic to address any problems that might occur before the company releases the new version across all servers.
Which solution will meet this requirement with no impact on the end user’s experience?
A. Configure Amazon Route 53 weighted routing policies by configuring records that have the same name and type as each of the instances. Assign relative weights to the production instances and the test instances.
B. Create an Application Load Balancer with weighted target groups. Add more than one target group to the forward action of a listener rule. Specify a weight for each target group.
C. Implement Traffic Mirroring to replay the production requests to the test instances. Configure the source as the production instances. Configure the target as the test instances.
D. Configure an NGINX proxy in front of the production servers. Use the NGINX mirroring capability.
Correct Answer
C. Implement Traffic Mirroring to replay the production requests to the test instances. Configure the source as the production instances. Configure the target as the test instances.
Explanation
VPC Traffic Mirroring is the correct answer. Traffic Mirroring copies packets from the production instances' network interfaces and delivers the copies, VXLAN-encapsulated, to the test instances (or to a load balancer in front of them) as the mirror target. The production instances continue to serve every real request and the mirroring is one-way: nothing the test instances send back ever reaches a user, so a defect in the new version cannot affect the end user's experience. Note that mirroring operates on packets, not on application requests; the test fleet needs tooling that decapsulates the VXLAN stream and replays or reconstructs the TCP sessions, and mirrored HTTPS traffic arrives still encrypted.
The other answer options will either expose some of the users to the new version of the application (options A and B split live traffic between the production and test instances) or will add overhead and a potential failure point (option D inserts a proxy in the production path). The question requires the solution to have no impact on an end user's experience. By exposing the users to potential errors or performance problems, these options will produce a negative impact.
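What the mirror target actually receives is a VXLAN-encapsulated copy of each packet on UDP port 4789, with the mirror session's VNI in the header. The following is an added example, not AWS code or code from this page: it decapsulates one such packet down to the inner TCP flow and application bytes, and shows the caveat that mirrored HTTPS remains TLS records the test fleet cannot read. The packet is constructed by build_sample_mirror_packet() rather than captured, and the VNI, MAC and IP addresses in it are made up.

```python
"""Decapsulate a VPC Traffic Mirroring packet and recover the mirrored flow.

Traffic Mirroring delivers each mirrored packet to the target wrapped in
VXLAN (UDP port 4789) with the session's VNI in the header. Added example,
not AWS code: the packet below is constructed by build_sample_mirror_packet(),
not captured, and the MAC/IP addresses and VNI are made up."""
import ipaddress
import struct

VXLAN_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_vxlan(payload):
    """VXLAN header: flags(1) reserved(3) VNI(3) reserved(1); returns (vni, inner frame)."""
    if len(payload) < 8:
        raise ValueError("short VXLAN header")
    if not payload[0] & 0x08:  # I flag: the VNI field is valid
        raise ValueError("VXLAN I flag not set")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def parse_ethernet(frame):
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return ethertype, frame[14:]


def parse_ipv4(packet):
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    header = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
              "proto": proto, "ttl": ttl}
    # A mirror session may truncate packets; slicing past the end just yields fewer bytes.
    return header, packet[ihl:total_len]


def parse_tcp(segment):
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF}, segment[data_offset:]


def decode_mirrored_packet(udp_payload):
    """Turn the UDP payload received on the mirror target into the inner 5-tuple + data."""
    vni, frame = parse_vxlan(udp_payload)
    ethertype, packet = parse_ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip, l4 = parse_ipv4(packet)
    if ip["proto"] != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {ip['proto']}")
    tcp, data = parse_tcp(l4)
    return {"vni": vni, "src": ip["src"], "dst": ip["dst"], "sport": tcp["sport"],
            "dport": tcp["dport"], "flags": tcp["flags"], "data": data}


def looks_like_tls(data):
    """True for a TLS record header (type 0x16 handshake / 0x17 application data, version 3.x):
    mirrored HTTPS stays encrypted, so the test fleet cannot read it without the server key."""
    return len(data) >= 3 and data[0] in (0x16, 0x17) and data[1] == 0x03


def build_sample_mirror_packet(vni, src, dst, sport, dport, data):
    """Constructed input only: assemble VXLAN + Ethernet + IPv4 + TCP (PSH|ACK) around `data`."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | 0x018, 65535, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return vxlan + eth + ip + tcp


if __name__ == "__main__":
    pkt = build_sample_mirror_packet(1001, "203.0.113.9", "10.0.1.10", 50000, 443,
                                     b"\x16\x03\x01\x00\x05hello")
    info = decode_mirrored_packet(pkt)
    print(info["src"], info["sport"], "->", info["dst"], info["dport"],
          "tls" if looks_like_tls(info["data"]) else "cleartext")
```

On a real mirror target you would bind a UDP socket to port 4789 and pass each datagram's payload to decode_mirrored_packet(); the VNI lets one target serve several mirror sessions. For the exam scenario this is the point: the test instances see copies of production packets, not requests routed to them, so replaying them against the new application version is the test fleet's job and never touches the production path.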