
AWS Certified Advanced Networking – Specialty ANS-C01 Exam Questions and Answers – 2

The latest AWS Certified Advanced Networking – Specialty ANS-C01 practice exam questions and answers (Q&A) are available free to help you pass the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty ANS-C01 certification.

Question 151

Exam Question

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group.

A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.

Which solution will meet these requirements?

A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.

B. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

C. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.

D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

Correct Answer

B. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
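The Lambda piece of answer B, written out as an added example (not code from the original page): EventBridge hands the handler a CloudTrail security group change, the handler runs a pre-created Reachability Analyzer path for TCP/443 to the instances, and it publishes to SNS when the path is no longer found. The path ID and topic ARN are placeholders, and the EC2/SNS clients are injected so the decision logic can be exercised offline against the constructed fakes at the bottom.

```python
# Added example for Question 151, answer B (not code from the original page).
# EventBridge invokes this Lambda on CloudTrail security group changes; it runs
# a VPC Reachability Analyzer analysis on a pre-created TCP/443 path and publishes
# to SNS when the path is no longer found. Clients are injected so the logic can
# run offline against the constructed fakes at the bottom; IDs are placeholders.
import os
import time

PATH_ID = os.environ.get("NETWORK_INSIGHTS_PATH_ID", "nip-PLACEHOLDER")  # placeholder
TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")  # placeholder

# CloudTrail event names that change what a security group permits.
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
                    "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress",
                    "ModifySecurityGroupRules"}


def run_analysis(ec2, path_id, poll_seconds=5, max_polls=24):
    """Start an analysis and poll to a terminal status; returns (status, path_found).
    A polling timeout is reported as 'failed' so the caller alerts instead of assuming success."""
    started = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    for _ in range(max_polls):
        resp = ec2.describe_network_insights_analyses(NetworkInsightsAnalysisIds=[analysis_id])
        analysis = resp["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in ("succeeded", "failed"):
            return analysis["Status"], bool(analysis.get("NetworkPathFound", False))
        time.sleep(poll_seconds)
    return "failed", False


def handle_sg_change(event, ec2, sns):
    """Decision logic; returns 'ignored', 'reachable' or 'alerted' so it can be asserted on."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in SG_CHANGE_EVENTS:
        return "ignored"  # not a security group change: nothing to verify
    group_id = detail.get("requestParameters", {}).get("groupId", "unknown")
    status, reachable = run_analysis(ec2, PATH_ID)
    if status == "succeeded" and reachable:
        return "reachable"
    sns.publish(  # analysis failed or the path is gone: notify the engineer
        TopicArn=TOPIC_ARN,
        Subject="Port 443 reachability broken after security group change",
        Message=f"{detail.get('eventName')} on {group_id}: path {PATH_ID} "
                f"status={status}, path_found={reachable}")
    return "alerted"


def lambda_handler(event, context):
    """Lambda entry point: wires in real boto3 clients (boto3 ships in the Lambda runtime)."""
    import boto3
    return handle_sg_change(event, boto3.client("ec2"), boto3.client("sns"))


class FakeEc2:
    """Constructed stand-in mimicking the two EC2 responses the handler reads."""
    def __init__(self, path_found):
        self.path_found = path_found

    def start_network_insights_analysis(self, NetworkInsightsPathId):
        return {"NetworkInsightsAnalysis": {"NetworkInsightsAnalysisId": "nia-fake"}}

    def describe_network_insights_analyses(self, NetworkInsightsAnalysisIds):
        return {"NetworkInsightsAnalyses": [{"Status": "succeeded",
                                             "NetworkPathFound": self.path_found}]}


class FakeSns:
    """Constructed stand-in that records published messages."""
    def __init__(self):
        self.messages = []

    def publish(self, **kwargs):
        self.messages.append(kwargs)


def sample_event(event_name="RevokeSecurityGroupIngress", group_id="sg-0123456789abcdef0"):
    """Constructed EventBridge event carrying the CloudTrail fields the handler reads."""
    return {"detail": {"eventName": event_name, "requestParameters": {"groupId": group_id}}}
```

The EventBridge rule that invokes `lambda_handler` should match CloudTrail `AWS API Call via CloudTrail` events for the EC2 event names in `SG_CHANGE_EVENTS`.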

Question 152

Exam Question

A company is migrating many applications from two on-premises data centers to AWS. The company’s network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2.

The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs. The Direct Connect gateway is associated with transit gateways that are deployed in each Region. All traffic to and from AWS must travel through the first data center. In the event of failure, the second data center must take over the traffic.

How should the network team configure BGP to meet these requirements?

A. Configure the local preference BGP community tag 7224:7300 for the transit VIF connected to Direct Connect connection 1.

B. Configure the local preference BGP community tag 7224:9300 for the transit VIF connected to Direct Connect connection 2.

C. Use the AS_PATH attribute to prepend the additional hop for the transit VIF connected to Direct Connect connection 2.

D. Use the AS_PATH attribute to prepend the additional hop for the transit VIF connected to Direct Connect connection 1.

Correct Answer

A. Configure the local preference BGP community tag 7224:7300 for the transit VIF connected to Direct Connect connection 1.

Explanation

The correct answer is to configure the local preference BGP community tag 7224:7300 for the transit VIF connected to the first AWS Direct Connect connection. By default, AWS uses the distance from the local AWS Region to the Direct Connect location to determine the VIF or transit VIF for routing. You can modify this behavior by assigning local preference communities to VIFs. This question asks for the VIF on Direct Connect connection 1 to have the higher preference. AWS supports the 7224:7300 local preference tag for high-preference use cases.

Option B includes the 7224:9300 community tag, which is used to control how far a customer-advertised prefix is propagated. This community tag will not help solve this routing priority problem. The remaining answer options propose the use of the AS_PATH attribute to control the traffic between Direct Connect connections in multiple Regions. This strategy would be appropriate for handling multiple VIFs in a single Region, but this strategy is not appropriate for handling multiple VIFs in this question’s multi-Region environment.

Question 153

Exam Question

A government contractor is designing a multi-account environment with multiple VPCs for a customer. A network security policy requires all traffic between any two VPCs to be transparently inspected by a third-party appliance.

The customer wants a solution that features AWS Transit Gateway. The setup must be highly available across multiple Availability Zones, and the solution needs to support automated failover. Furthermore, asymmetric routing is not supported by the inspection appliances.

Which combination of steps is part of a solution that meets these requirements? (Choose two.)

A. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.

B. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the application route table. Define a static default route in the inspection route table. Enable appliance mode on the attachment that connects the inspection VPC.

C. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Network Load Balancer (NLB), and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the NLB.

D. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint.

E. Configure one route table on the transit gateway. Associate the route table with all the VPCs. Propagate all VPC attachments into the route table. Define a static default route in the route table.

Correct Answer

A. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.

D. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint.

Question 154

Exam Question

A company hosts a public hosted zone in Amazon Route 53. The company wants to configure DNS Security Extensions (DNSSEC) signing for the public hosted zone. All the company’s business-critical applications are running in the us-west-2 Region.

The company has created a symmetric, customer managed, single-Region key in us-west-2 by using AWS Key Management Service (AWS KMS). A network engineer finds that the existing AWS KMS key cannot be used to create a key-signing key (KSK).

How can the network engineer resolve this issue?

A. Recreate a symmetric, customer managed, multi-Region key in the us-east-1 Region. Use this key to create a KSK.

B. Recreate a symmetric, customer managed, single-Region key in us-west-2. Use this key to create a KSK.

C. Recreate an asymmetric, customer managed key with an ECC_NIST_P256 key spec in the us-east-1 Region. Use this key to create a KSK.

D. Recreate an asymmetric, customer managed key with an ECC_NIST_P256 key spec in us-west-2. Use this key to create a KSK.

Correct Answer

C. Recreate an asymmetric, customer managed key with an ECC_NIST_P256 key spec in the us-east-1 Region. Use this key to create a KSK.

Explanation

When Amazon Route 53 creates a key-signing key (KSK), Route 53 requires you to provide a customer managed key. The customer managed key must be located in the us-east-1 Region. The key must be an asymmetric customer managed key with an ECC_NIST_P256 key spec.

The other answer options are incorrect for a combination of two reasons. Option A includes a symmetric key, which violates the requirement for an asymmetric key. Option D correctly includes the asymmetric key, but the key is in the wrong Region. Option B has the wrong key and the wrong Region. Only keys that meet all the requirements can be used to create the KSK and support DNSSEC signing in Route 53.

Question 155

Exam Question

A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission.

How should a network engineer configure the AWS resources to meet these requirements?

A. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

B. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

C. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

Correct Answer

B. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

Question 156

Exam Question

A company is designing infrastructure on AWS with three VPCs connected to a transit gateway. The three VPCs are an application VPC, a backend VPC, and an inspection VPC. The application VPC and the backend VPC have compute instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls are deployed in the same Availability Zones in the inspection VPC, which is a shared services VPC.

All traffic is routed through the inspection VPC through the stateful layer 7 virtual firewall appliances to comply with a security policy that mandates traffic inspection. There are no overlapping IP addresses across the three VPCs. A network engineer must ensure that traffic between the application VPC and the backend VPC can route through the inspection VPC’s stateful firewalls.

Which solution will meet these requirements?

A. Create IPsec VPN connections between the transit gateway and the virtual firewall appliances.

B. Configure Virtual Router Redundancy Protocol (VRRP) on the virtual firewall appliances.

C. Set up BGP between the transit gateway and the virtual firewall appliances.

D. Enable transit gateway appliance mode for the VPC attachment to the inspection VPC.

Correct Answer

D. Enable transit gateway appliance mode for the VPC attachment to the inspection VPC.

Explanation

The correct answer is to enable transit gateway appliance mode for the VPC attachment to the inspection VPC. The underlying issue in the question comes from cross-AZ traffic. When appliance mode is not enabled, a transit gateway attempts to keep traffic routed between VPC attachments in the originating Availability Zone until the traffic reaches its destination. This behavior causes return traffic to be routed to the virtual firewall in the firewall’s local Availability Zone rather than to the Availability Zone that initiated the traffic. This discrepancy causes the firewall to drop the traffic.

Option A will create unnecessary connections and will not provide the symmetry that is needed for the traffic to flow through the firewalls. Option B includes the use of Virtual Router Redundancy Protocol (VRRP) for instance load sharing. AWS does not directly support this protocol, which depends on multicast. Multicast is not supported within a VPC. Option C is incorrect because virtual firewall appliances cannot use BGP peering with a transit gateway.

Question 157

Exam Question

A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name.

A network engineer is working on a new version of one of the applications. All the application’s components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918.

Components of the application need to be able to access other components of the application within the application’s VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries.

Which combination of steps will meet these requirements? (Choose three.)

A. Add a geoproximity routing policy in Route 53.

B. Create a Route 53 private hosted zone for the same domain name. Associate the application’s VPC with the new private hosted zone.

C. Enable DNS hostnames for the application’s VPC.

D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs when AWS CloudTrail logs a Route 53 API call to the public hosted zone. Create an AWS Lambda function as the target of the rule. Configure the function to use the event information to update the private hosted zone.

E. Add the private IP addresses in the existing Route 53 public hosted zone.

F. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.

Correct Answer

B. Create a Route 53 private hosted zone for the same domain name. Associate the application’s VPC with the new private hosted zone.

C. Enable DNS hostnames for the application’s VPC.

F. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.

Question 158

Exam Question

A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the data privately in an S3 bucket that the company created.

The company has set up an AWS Direct Connect connection with a private VIF to connect the on-premises data center to a VPC. The network engineer plans to use this Direct Connect connection for the hybrid cloud setup. The solution must be highly available.

What should the network engineer do next to implement this architecture?

A. Configure an S3 gateway endpoint in the VPC. Update VPC route tables to route traffic to the S3 gateway endpoint. Configure the S3 gateway endpoint DNS name in the on-premises application.

B. Configure an S3 interface endpoint in the VPC. Configure the S3 interface endpoint DNS name in the on-premises application.

C. Configure an S3 gateway endpoint in the VPC. Update VPC route tables to route traffic to the S3 gateway endpoint. Configure an HTTP proxy on an Amazon EC2 instance in the VPC to route traffic to the S3 gateway endpoint. Configure the HTTP proxy DNS name in the on-premises application.

D. Configure an S3 interface endpoint in the VPC. Update VPC route tables to route traffic to the S3 interface endpoint. Configure an HTTP proxy on an Amazon EC2 instance in the VPC to route traffic to the S3 interface endpoint. Configure the HTTP proxy DNS name in the on-premises application.

Correct Answer

B. Configure an S3 interface endpoint in the VPC. Configure the S3 interface endpoint DNS name in the on-premises application.

Explanation

The question requires a solution that will provide a connection to Amazon S3 from workloads on AWS and from an on-premises data center. An S3 interface endpoint will provide the needed access from workloads on AWS and can support connections from the on-premises environment over AWS Direct Connect. The use of the S3 interface endpoint will require the on-premises client applications to use the endpoint DNS records.

Option A includes the use of a gateway endpoint. Routing to the gateway endpoint depends on the route tables of the VPC, and route tables do not support the use of DNS endpoints for the on-premises application. While option C could route the traffic, this option contains a single point of failure in the HTTP proxy server and does not offer the high availability that the question requires. Option D also contains an HTTP proxy, which is unneeded and creates a single point of failure. This option also includes the use of an interface endpoint name in a route table, which is incorrect.

Question 159

Exam Question

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

A. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

B. Use a Network Load Balancer and enable the Proxy Protocol v2 attribute.

C. Use a Network Load Balancer to automatically preserve the source IP address.

D. Use a Network Load Balancer and enable the X-Forwarded-For attribute.

Correct Answer

B. Use a Network Load Balancer and enable the Proxy Protocol v2 attribute.

Reference

AWS > Documentation > Elastic Load Balancing > Network Load Balancers > What is a Network Load Balancer?

Question 160

Exam Question

An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time.

Which solution meets these requirements?

A. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and s

B. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.

C. Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.

Correct Answer

B. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.

Explanation

Creating a private hosted zone for each application VPC and creating the requisite records would enable end-to-end domain name resolution for the resources. Creating a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC would enable bi-directional DNS resolution between AWS and the existing on-premises environments. Defining Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver would enable DNS queries from AWS resources to on-premises resources. Associating the application VPC private hosted zones with the egress VPC and sharing the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager would enable DNS queries among different VPCs and accounts. Configuring the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints would enable DNS queries from on-premises resources to AWS resources.