AWS Certified Advanced Networking Specialty 2023
You have two Amazon EC2 instances in two different VPCs that have a peering connection. Both VPCs are in the same Availability Zone. What charge will you see on your bill for data transfer between those two instances?
$0.00 per GB in each direction
Which of the following is the charge for data transfer out from Amazon S3 to Amazon CloudFront?
$0.000 per GB
What is the maximum number of connections supported in a Link Aggregation Group (LAG) for connections less than 100G?
4
You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Virtual Private Cloud (VPC), and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet for their databases. They also require the web servers and database servers to be highly available, and there is a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?
4
Which of the following exposes the Amazon side of a Virtual Private Network (VPN) connection?
A Virtual Private Gateway (VGW)
Hosted Virtual Interfaces (VIFs) on AWS Direct Connect describe which of the following scenarios?
A customer providing a Virtual Interface (VIF) to another customer (an AWS account) on their connection.
Your security department has mandated that all traffic leaving a VPC must go through a specialized security appliance. This security appliance runs on a bespoke operating system that users cannot access. What considerations are the most important for this operating system performance on AWS? (Choose two.)
A. Driver support for the Intel Virtual Function and Elastic Network Adapter (ENA) C. Instance family and size support
Your security department has mandated that all traffic leaving a VPC must go through a specialized security appliance. This security appliance runs on a bespoke operating system that users cannot access. What considerations are the most important for this operating system performance on AWS? (Choose two.)(2)
A. Driver support for the Intel Virtual Function and Elastic Network Adapter (ENA) C. Instance family and size support
Amazon CloudFront can work with which of the following origin servers?
A. S3, ELB & On-premises servers
Amazon Virtual Private Cloud (VPC) Flow Logs reports accept and reject data based on which VPC features? (Choose two.)
A. Security groups C. Network Access Control Lists (ACLs)
You have created a centralized, shared service Virtual Private Cloud (VPC) for your organization. It uses VPC peering, and you have been asked to evaluate AWS PrivateLink to optimize connectivity. Which of the following design considerations is true?
AWS PrivateLink is only appropriate for solutions that originate requests to the services VPC. Services in the shared VPC cannot initiate connections to spoke VPCs.
When adding an alternate domain to your Amazon CloudFront distribution, the wildcard * can be used to do what?
Act in the place of specifying subdomains individually.
Which of the following is a good use case for leveraging the transit VPC architecture?
Allow on-premises resources access to AWS resources while inspecting all traffic for compliance reasons.
What are the routing mechanisms supported by a Virtual Private Gateway (VGW) from the following?
B. Border Gateway Protocol (BGP) C. Static Routes
You recently set up Amazon Route 53 for a private hosted zone for a highly-available application hosted on AWS. After adding a few A records, you notice that the instance hostnames are not resolving within the VPC. What actions should be taken? (Choose two.)
C. Set enableDnsHostnames to true on the VPC. D. Set enableDnsSupport to true on the VPC.
When setting up a client-to-site VPN using EC2 instance to access AWS resources, which of the following configuration would be preferable considering the security and management?
Configure the client software to use an EC2 elastic IP as the VPN termination endpoint. Turn on EC2 auto-recovery on this instance.
Your company has an application that it would like to share with a business partner, but the performance of the application is business-critical. The network architects are discussing using AWS Direct Connect to increase performance. Which of the following are performance advantages of AWS Direct Connect compared to a Virtual Private Network (VPN) or Internet connectivity?
Consistent and Dedicated bandwidth
Your networking group has decided to migrate all of the 192.168.0.0/16 Virtual Private Cloud (VPC) instances to 10.0.0.0/16. Which of the following is a valid option?
Create a new 10.0.0.0/16 VPC and migrate the existing workload with appropriate method, e.g. for EC2, create AMIs and launch new instances in the new VPC
Which Amazon Virtual Private Cloud (Amazon VPC) feature allows you to create a dual homed instance?
Elastic network interface
You create a new instance, and you are able to connect over Secure Shell (SSH) to its private IP address from your corporate network. The instance does not have Internet access, however. Your internal policies forbid direct access to the Internet. What is required to enable access to the Internet?
Ensure that there is a default route in the subnet route table that goes to your on-premises network.
Your development team is testing the performance of a new application using enhanced networking. They have updated the kernel to the latest version that supports the Elastic Network Adapter (ENA) driver. What is the other requirement for support?
Flag the Amazon Machine Image (AMI) for enhanced networking support
You are supporting a customer that executes tightly coupled High Performance Computing (HPC) workloads. What Virtual Private Cloud (VPC) option provides high-throughput, low-latency, and high packet-per-second performance?
Placement groups
What does the Amazon CloudFront invalidation feature do?
Removes objects from the CloudFront cache.
In order to decrease the number of instances that have inbound web access, your team has recently placed a Network Address Translation (NAT) instance on Amazon Linux in the public subnet. The private subnet has a 0.0.0.0/0 route to the elastic network interface of the NAT instance. Users are complaining that web responses are slower than normal. What are practical steps to fix this issue?
Replace the NAT instance with a NAT gateway
You are using Amazon CloudFront for your website. A user requests content, which is routed to a local edge location. What happens before the requested content is available at that edge location?
The edge location sends a request to the origin server, serves the user the content, and then stores the content.
Which of the following is a security benefit of Amazon VPC endpoints?
VPC endpoints provide private access to AWS services without instances requiring outbound Internet access
You have set up a transit VPC architecture and want to connect the spoke VPCs to the hub VPC. What termination endpoint should you choose on the spokes, considering the least management overhead?
Virtual Private Gateway (VGW)
You elect to use an AWS Direct Connect public Virtual Interface (VIF) to carry an IP Security (IPsec) Virtual Private Network (VPN) from your VPC VGW to your customer gateway. What rate is charged for all of the data transfer OUT over the VPN?
$0.020 per GB
When using a Link Aggregation Group (LAG) composed of two AWS Direct Connect connections, how many IPv4 Border Gateway Protocol (BGP) sessions are required per Virtual Interface (VIF)?
1. A LAG behaves as a single Layer 2 connection. Each provisioned (VIF) spans the LAG but requires only a single BGP session.
How many prefixes can be announced from a customer to AWS over an AWS Direct Connect Private Virtual Interface (VIF) per Border Gateway Protocol (BGP) session?
1000
How many Internet Protocol Security (IPsec) tunnels are available for a single Virtual Private Network (VPN) connection?
2
What is the default expiry time for an Amazon CloudFront cache?
24 hours
What happens when you create a new Virtual Private Cloud (VPC)?
A main route table is created by default
Your organization is planning on connecting to AWS. The organization has decided to use a specific Virtual Private Network (VPN) technology for the first phase of the project. You are tasked with implementing the VPN server in a Virtual Private Cloud (VPC) and optimizing it for performance. What are important considerations for Amazon EC2 VPN performance? (Choose two.)
A. The VPN instance should support enhanced networking D. Analyze the packet per second and bandwidth limitations
Which of the following tools can be used to record the source and destination IP addresses of traffic flowing in/out of VPC or EC2 instances? (Choose two.)
A. VPC Flow logs B. Packet capture on an instance
When connecting an on-premises network to AWS APIs, which option provides the least amount of network jitter and latency?
AWS Direct Connect public VIF
One of the applications that you want to migrate to AWS has high disk performance requirements. You need to guarantee certain baseline performance with low latency. Which feature can help meet the performance requirements of this application?
Amazon EBS Provisioned Input/Output per Second (IOPS)
With the enableDnsHostname attribute set to true, Amazon will do which of the following?
Auto-assign DNS hostnames to Amazon Elastic Compute Cloud (Amazon EC2) instances.
Which routing protocol is supported by AWS Direct Connect Virtual Interfaces (VIFs)?
Border Gateway Protocol (BGP)
[From AWS Sample Exam Questions] A gaming company is planning to launch a globally available game that is hosted in one AWS Region. The game backend is hosted on Amazon EC2 instances that are part of an Auto Scaling group. The game uses the gRPC protocol for bidirectional streaming between game clients and the backend. The company needs to filter incoming traffic based on the source IP address to protect the game. Which solution will meet these requirements?
Configure an AWS Global Accelerator accelerator with an Application Load Balancer (ALB) endpoint. Attach the ALB to the Auto Scaling group. Configure an AWS WAF web ACL for the ALB to filter traffic based on the source IP address.
[From AWS Sample Exam Questions] A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the data privately in an S3 bucket that the company created. The company has set up an AWS Direct Connect connection with a private VIF to connect the on-premises data center to a VPC. The network engineer plans to use this Direct Connect connection for the hybrid cloud setup. The solution must be highly available. What should the network engineer do next to implement this architecture?
Configure an S3 interface endpoint in the VPC. Configure the S3 interface endpoint DNS name in the on-premises application.
[From AWS Sample Exam Questions] A company is migrating many applications from two on-premises data centers to AWS. The company's network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2. The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs.
Configure the local preference BGP community tag 7224:7300 for the transit VIF connected to Direct Connect connection 1.
What does an Amazon CloudFront cache behavior do?
Controls how requests are served from the origin and how requests are cached.
What is the advantage of the Data Plane Development Kit (DPDK) over enhanced networking?
DPDK decreases operating system overhead for networking
What is the advantage of the Data Plane Development Kit (DPDK) over enhanced networking? (2)
DPDK decreases operating system overhead for networking
You have an existing Virtual Private Cloud (VPC). You try to add a Classless Inter-Domain Routing (CIDR) range, but the additional CIDR range is not being applied. Which of the following could solve this issue?
Delete unused routes if you are at the maximum allowed routes & Define a valid CIDR range based on the original VPC CIDR
Some people in your company have created a very complicated and management-intensive workflow for automating development builds and testing. They have requested those involved in creating it not to repeat this workflow more than once. The security organization, however, wants every developer to have their own account to reduce the blast radius of development issues. What is the best design for providing access to the development system?
Deploy the development system in a central VPC. Allow developers to access the system through AWS PrivateLink.
Which of the following steps is necessary to ensure proper routing when terminating a Virtual Private Network (VPN) on an Amazon Elastic Compute Cloud (Amazon EC2) instance?
Disable source destination check on the Amazon EC2 instance
What would you recommend to scale up the network performance for very high throughput data transfers?
Distribute the flows across many instances
Voice calls to international numbers from inside your company must go through an opensource Session Border Controller (SBC) installed on a custom Linux Amazon Machine Image (AMI) in your Virtual Private Cloud (VPC) public subnet. The SBC handles the real-time media and voice signaling. International calls often have garbled voice, and it is difficult to understand what people are saying. What may increase the quality of international voice calls?
Enable enhanced networking on the device
You created a new endpoint for your VPC that does not have Internet connectivity. Your instance cannot connect to Amazon S3. What could be the problem?
For VPC gateway endpoint you need to add the route entry in the subnet route table, also the IAM policy for the endpoint and bucket policy for S3 should allow the access from the VPC. VPC endpoint works for the AWS services in the same AWS region
In order to ensure the high availability of the NAT gateway, you should
Have one NAT gateway per AZ and route outbound traffic from that AZ via corresponding NAT gateway
You are tasked with setting up a VPN connection to a VPC from your on-premises data center. You have to purchase a new VPN termination device to be used as customer gateway. You are leveraging a Virtual Private Gateway at the AWS end. Which of the following must be supported by the hardware you choose to deploy on-premises for setting up the VPN connection?
IPsec protocol
A previous network administrator implemented a transit VPC architecture using Amazon EC2 instances with 5 Gbps networking to facilitate communication between multiple AWS VPCs in various regions and on-premises resources. Over time, the transit VPC Amazon EC2 instance network bandwidth has become saturated with on-premises traffic, causing application requests to fail. What design recommendations can you make to reduce application failures?
Implement AWS Direct Connect and migrate to a AWS Direct Connect gateway
[From AWS Sample Exam Questions] An ecommerce company has a business-critical application that runs on Amazon EC2 instances in a VPC. The company's development team has been testing a new version of the application on test EC2 instances. The development team wants to test the new application version against production traffic to address any problems that might occur before the company releases the new version across all servers. Which of the following simple, reliable & cost effective solution will meet this requirement with no impact on the end user's experience?
Implement Traffic Mirroring to replay the production requests to the test instances. Configure the source as the production increases. Configure the target as the test increases.
You launch multiple Amazon Elastic Compute Cloud (Amazon EC2) instances into a private subnet. These instances need to access the Internet to download patches. You decide to create a Network Address Translation (NAT) gateway. Where in the VPC should the NAT gateway reside?
In the Public Subnet
Your application is having a slower than expected transfer rate between application tiers. What is the best option for increasing throughput?
Increase the Maximum Transmission Unit (MTU)
Your application is having a slower than expected transfer rate between application tiers. What is the best option for increasing throughput? (2)
Increase the Maximum Transmission Unit (MTU)
Which statement about Maximum Transmission Units (MTUs) on AWS is true?
Increasing the MTU is most beneficial for applications limited by packets per second
You have created three Virtual Private Clouds (VPCs) named A, B, and C. VPC A is peered with VPC B. VPC B is peered with VPC C. Which statement is true about this peering arrangement?
Instances in VPC A can reach instances in VPC C if they use a proxy instance in VPC B
Which of the following services can you access over AWS Direct Connect?
Interface Virtual Private Cloud (VPC) endpoints to connect to Amazon service endpoints
Your application developers are facing a challenge relating to network performance. Their application creates a buffer to accept network data so that it can be analyzed and displayed in real time. It seems that packets have delays of between 2 milliseconds and 120 milliseconds, however. Which network characteristic do you need to improve?
Jitter
Your application developers are facing a challenge relating to network performance. Their application creates a buffer to accept network data so that it can be analyzed and displayed in real time. It seems that packets have delays of between 2 milliseconds and 120 milliseconds, however. Which network characteristic do you need to improve?(2)
Jitter
A previous network administrator implemented a transit VPC architecture to facilitate communication between multiple AWS networks and on-premises resources. Over time, the transit VPC Amazon EC2 instance network bandwidth has become saturated with cross-region traffic. What highly available design change should you recommend for this network?
Leverage VPC peering connections between VPCs across regions
Which of the following is the responsibility of AWS when you terminate a Virtual Private Network (VPN) on an Amazon Elastic Compute Cloud (Amazon EC2) instance?
Manage the underlying Amazon EC2 host health.
What is not required for Internet connectivity from a public subnet?
NAT gateway
You are responsible for your company's AWS resources. You notice a significant amount of traffic from an IP address range in a foreign country where your company does not have customers. Further investigation of the traffic indicates that the source of the traffic is scanning for open ports on your Amazon EC2 instances. Which one of the following resources can prevent the IP address from reaching the instances?
Network ACL (NACL) rules - can be ALLOW or DENY
Your team has created a Multi-AZ Amazon RDS instance. The front-end application tier connects to the database through a Database DNS endpoint. What change needs to be made to ensure the application connectivity to the database in the event of a database failover?
No action required as the same DNS will point to the secondary database in the event of failover
The new architecture for your application involves replicating your stateful application data from your Virtual Private Cloud (VPC) in US East (Ohio) to Asia Pacific (Tokyo). The replication instances are in public subnets in each region and communicate with public addresses over Transport Layer Security (TLS). Your team is seeing much lower replication throughput than they see within a single VPC. Which steps can you take to improve throughput?
None of the above
What is the optimal performance configuration to enable high-performance networking for an Amazon EC2 instance operating as a firewall?
None of the above
Which of the following allows you to restrict access to your Amazon Simple Storage Service (Amazon S3) bucket to Amazon CloudFront distributions that you control?
Origin Access Control (OAC)
You discover that the default VPC has been deleted from region us-east-1 by a coworker in the morning. You will be deploying a lot of new services such as EC2, EKS, RDS in the afternoon. What should you do?
Perform an Application Programming Interface (API) call or go through the AWS Management Console to create a new default VPC
Which networking feature will provide the most benefits to support a clustered computing application that requires very low latency and high network throughput?
Placement groups
Which of the following entity of VPC has an effect of the stateful traffic?
Security groups
You have a transit VPC set up with the hub VPC in us-east-1 and the spoke VPCs spread across multiple AWS Regions. Servers in the VPCs in Mumbai and Singapore are suffering huge latencies when connecting with each other. How do you rearchitect your VPCs to maintain the transit VPC architecture and reduce the latencies in the overall architecture?
Set up a local transit hub in the Singapore region. Connect the VPCs in Mumbai and Singapore. Set up a Generic Routing Encapsulation (GRE) VPN over cross-region VPC peering between the two hubs.
You have a hybrid IT application that requires access to Amazon DynamoDB. You have set up AWS Direct Connect between your data center and AWS. All data written to Amazon DynamoDB should be encrypted as it is written to the database. How will you enable connectivity from the on-premises application to Amazon DynamoDB in most simple and cost effective way?
Set up a public Virtual Interface (VIF) and use DynamoDB client to enable application layer encryption.
You have an application in a VPC that requires access to on-premises Active Directory servers for joining the company domain. How will you enable this setup, considering low latency for domain join requests?
Set up an AWS Direct Connect private VIF.
You have an on-premises application that requires access to Amazon S3 storage. How do you enable this connectivity while designing for high-bandwidth access with low jitter, high availability, low cost and high scalability?
Set up an AWS Direct Connect public Virtual Interface (VIF).
Your big data team is trying to determine why their proof of concept is running slowly. For the demo, they are trying to ingest 1 TB of data from Amazon Simple Storage Service (Amazon S3) on their c4.8xl instance. They have already enabled enhanced networking. What should they do to increase Amazon S3 ingest rates?
Split the data ingest on more than one instance, such as two c4.4xl instances
You are tasked with setting up IPSec VPN connectivity between your on-premises data center and AWS. You have an application on-premises that will exchange sensitive control information to an EC2 instance in the VPC. This traffic should take priority in the VPN tunnel over all other traffic. How will you design this solution, considering the least management overhead?
Terminate a VPN connection on an Amazon EC2 instance loaded with a software supporting Quality of Service (QoS) and use Differentiated Services Code Point (DSCP) markings to give priority to the application traffic as it sent and received over the VPN tunnel.
When using a public Virtual Interface (VIF) on AWS Direct Connect, you access an Amazon Simple Storage Service (Amazon S3) bucket owned by someone who is not part of your organization. Who pays for data transfer from that bucket?
The Amazon S3 bucket owner
All billing for AWS Direct Connect stops when which of the following occurs?
The Direct Connect connection is deleted.
You have configured private subnets so that applications can download security updates from public website. You have a Network Address Translation (NAT) instance in each Availability Zone as the default gateway to the Internet for each private subnet. You find that you cannot reach port 8080 of a server on the Internet from any of your private subnets. Which of the following most likely to cause the problem?
The NAT instances are blocking traffic to port 8080
You have configured an AWS PrivateLink connection between your Virtual Private Cloud (VPC) and the VPC of a business partner's hospital. The hospital has specialized applications that staff developed in-house; some were developed more than 10 years ago. The hospital is trying to enable access to your private service but is having problems connecting to your service. Which of the following is a possible solution?
The hospital is sending traffic over User Datagram Protocol (UDP). They must find a way to send traffic over Transmission Control Protocol (TCP).
You have configured a consumer Virtual Private Cloud (VPC) endpoint for a remote authentication service hosted by a business partner using AWS PrivateLink. The endpoints have been whitelisted and configured on the consumer and provider. Some instances are not able to access the private authentication service. Which of the following could cause this issue?
The outbound security group of the instances does not allow the authentication port.
Your database instance running on an r4.large instance seems to be dropping Transmission Control Protocol (TCP) packets based on a packet capture from a host with which it was communicating. During initial performance baseline tests, the instance was able to handle peak load twice as high as its current load. What could be the issue?
The r4.large instance may have accumulated network credits before load testing, which would allow higher peak values
You have configured a new Amazon S3 endpoint in your VPC. You have created a public Amazon S3 bucket so that you can test connectivity. You can download objects from your laptop but not from instances in the VPC. Which of the following could NOT be a problem?
There are not enough free IP addresses in your subnet, so you must chose a larger subnet or remove unused interfaces and IP addresses
What do Amazon CloudFront access logs do?
They contain detailed information about every user request that Amazon CloudFront receives.
You have defined your original Virtual Private Cloud (VPC) Classless Inter-Domain Routing (CIDR) as 192.168.20.0/24. Your on-premises infrastructure is defined as 192.168.128.0/17. You have configured a route to on-premises as 192.168.0.0/16 in your VPC route table. You have added a new CIDR range of 192.168.100.0/24 to your VPC. Which of the following is true?
This is a valid configuration, the more specific route takes precedence and hence VPC traffic will be routed internally and on-premises traffic will be routed as per VPC route table configuration
How can you use the wildcard * when invalidating objects with Amazon CloudFront?
To specify a path that applies to many objects
You are in charge of creating a network architecture for a development group that is interested in running a real-time exchange on AWS. The participants (businesses like banks) of the exchange expect very low latency but do not operate on AWS. Which description most accurately describes the networking and security tradeoffs for potential network designs?
Use AWS Direct Connect to connect to the exchange application. This allows for more control of the latency, but it requires organizing connectivity to each of the participants. The traffic can be encrypted at Layer2 for select Direct Connect locations and port speed.
You run a hosted service on AWS. Each copy of your hosted service is in a separate Virtual Private Cloud (VPC) and is dedicated to a single customer. Your hosted service has thousands of customers. The services in the dedicated VPCs require access to central provisioning and update services. Which connectivity methods can enable this architecture?
Use AWS PrivateLink to access central services from the dedicated VPCs or make the central services public. Access the central services over the Internet using strong encryption and authentication.
You are deploying an application on multiple EC2 instances. The application must be U.S. Health Insurance Portability and Accountability Act (HIPAA) compliant and requires end-to-end encryption in motion. The application runs on Transmission Control Protocol (TCP) port 7128. What is the most effective way to deploy the application?
Use Secure Sockets Layer (SSL) to encrypt traffic at the application layer
Your research and development organization has created a mission-critical application that requires low latency and high bandwidth. The application needs to support AWS best practices for high availability. Which of the following is not a best practice for this application?
Use a placement group for the application to guarantee the lowest latency possible
Your research and development organization has created a mission-critical application that requires low latency and high bandwidth. The application needs to support AWS best practices for high availability. Which of the following is not a best practice for this application? (2)
Use a placement group to guarantee the lowest latency possible.
Which of the following parameters are automatically generated by AWS and you can not change it when you create a Virtual Private Network (VPN) connection to a Virtual Private Gateway (VGW)?
VGW Public IPs
A private Virtual Interface (VIF) on AWS Direct Connect attaches to your Virtual Private Cloud (VPC) using which of the following?
Virtual Private Gateway (VPC)
After creating an AWS Direct Connect connection, what is the earliest point in time that you start receiving port-hour charges?
When the connection becomes available for the first time if it's less than 90 days.
When using AWS Certification Manager (ACM) and Amazon CloudFront, you configured your certificate within ACM. When you try to enable Amazon CloudFront, however, you do not see the certificate available for use. What could be the problem?
You might not have created the ACM certificate in the right region.
You have the enableDnsHostname attribute set to true for your VPC. Your Amazon Elastic Compute Cloud (Amazon EC2) instances are not receiving DNS hostnames, however. What could be the potential cause?
enableDnsSupport is not set to true