Test_6_Certified_Advanced_Networking_Specialty
You must construct a 1000-host subnet in a VPC. You must be as precise as possible, since you operate a very big business. Which CIDR format should you use?
/22
Which route will be favored if you have one VPC peering with two VPCs that have overlapping CIDRs?
10.1.1.5/32
How many subnets and hosts per subnet are feasible given the network 192.168.130.130/28? (for the sake of this inquiry, disregard the fact that AWS reserves five IP addresses)
16 subnets & 14 hosts per subnet
You have a data center equipped with a LAG of two connections. You desire to add two more connections; how many LOAs do you need to complete?
2
How large may an Amazon CloudFront response body be before it is returned to the viewer?
30 GB
Which of the following characters is not permitted when defining a CloudWatch metric's namespace?
@
You must verify that only authorized users have access to the files supplied by your CloudFront distribution. You want to serve a large number of users. What are the two steps you should take? (Select two.)
A. Configure signed cookies. B. Configure a bucket policy restricting the bucket to only CloudFront OAI.
Your organization has chosen AWS WorkSpaces as the host for their hosted desktop solution. Your organization currently has an Active Directory with around 57,000 members and you want to decrease authentication traffic between AWS and your datacenter. Your organization has frequent employee changes, and it is critical that these changes be accurately reported.What are the two steps you should take? (Select two.)
A. Deploy Hosted AS in AWS. B. Create a DX connection between the datacenter & AWS.
The security team of an organization requires that all data leaving the firm's on-premises data center be encrypted at the network layer and transported over dedicated connection. Additionally, all traffic flowing via Amazon VPC environments must be centralized logged. This design will be implemented via an AWS Direct Connect connection.What efforts should be done to guarantee that connection to Amazon Web Services complies with these security requirements? (Make a selection of at least two.)
A. Provision a public virtual interface on AWS Direct Connect & set up a VPN to each VPC. B. Enable VPC Flow Logs for each VPC.
You've created an S3 endpoint and want to prevent certain instances from accessing it. Due to the fact that all of these instances are on the same subnet, you cannot simply delete the prefix list from the route table.Which of the following two options do you have for resolving this? (Select two.)
A. Remove any access to the PL in the security group attached to the instances. B. Modify the endpoint policy.
You have two public apps running on distinct domains, each of which utilizes two front-end servers and two back-end servers. You want both apps to be highly available. What are the two choices that you should configure? (Select two.)
A. Route 53:2 public zones & 2 private zones. B. 4 load balancers: 2 public & 2 internal.
ABC Telecom is the network provider for a client. The client operates ten separate offices that are all linked to ABC Telecom's MPLS backbone. The client is configuring an AWS Direct Connect connection and has given ABC Telecom with the LOA-CFA. ABC Telecom has completed the termination of the Direct Connect connection to its MPLS backbone. To ensure that the client's traffic is uniquely identifiable throughout the MPLS backbone, the customer must encapsulate all traffic in VLAN tag 100. The client wishes to route traffic to numerous virtual private clouds (VPCs).Which two measures should be made to satisfy the customer? (Select two.)
A. The customer performs Q-in-Q tunneling, with the AWS-required VLAN tag in the inside & VLAN 100 as the outside tag. B. ABC telecom removes the outer tag before sending the packet to AWS.
You administer a webserver on AWS infrastructure that delivers a website. This site makes use of an Application Load Balancer, CloudFront, S3, and a few other AWS services. You are solely accountable for the server and have no access to the AWS panel or API.You need to determine which IP addresses are visiting your website. What is the most effective method for doing this?
Add "X-Forwarded For" to the access logs & view the access logs.
You're developing an AWS application that makes use of Amazon Elastic MapReduce (Amazon EMR). The application must resolve hostnames in your on-premises Active Directory domain on an internal basis. You modify the VPC's DHCP Options Set to refer to a pair of Active Directory integrated DNS servers that are operating inside the VPC.Which actions are necessary to ensure the effective deployment of an Amazon EMR cluster?
Add a conditional forwarder to the Amazon-provided DNS server.
Which AWS Config element may be used to assist in the maintenance of internal and external compliance controls?
Config Rules
You're constructing the network architecture for an Amazon VPC application server. All application instances will be accessible through the Internet and an on-premises network. The on-premises network is linked to the virtual private cloud using an AWS Direct Connect connection.How should routing be designed to satisfy these requirements?
Configure a single routing table with a default route via the IGW. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
Your organization has just implemented IPv6 in a VPC. All of the instances are now set with a NAT, however once configured for IPv6 exclusively, they were unable to access the instances' resources through IPv6. What is the best course of action to take?
Configure an egress-only internet gateway.
Your application server instances are located inside your VPC's private subnet. These instances must have Internet connection to a Git repository. You construct a NAT gateway in your VPC's public subnet. The NAT gateway is able to access the Git repository, however instances on the private subnet are unable to do so. You verify that the private subnet route table has a default route to the NAT gateway. All communication to the NAT gateway is permitted via the security group for your application server instances.Which configuration changes should you make to allow these instances to communicate with the patch server?
Configure an outbound rule on the application server instance security group for the Git repository.
A business has a hybrid architecture that includes two AWS Direct Connect connections and apps that operate on both AWS Cloud and on-premises infrastructure. The corporation resolves names for its internal domain company.com using its on-premises DNS servers. The corporation resolves AWS resource records using an Amazon Route 53 private hosted zone, aws.company.com.A new application running on Amazon EC2 inside the company's virtual private cloud (VPC) must resolve records in the company.com domain and on other AWS resources.What actions should the business take to comply with these requirements?
Create Route 53 Resolver outbound endpoints in each subnet in the VPC. Configure a Route 53 forwarding rule with a rule type of Forward for company.com that points to the on-premises DNS servers. Configure a Route 53 forwarding rule with a rule type of System for aws.company.com
What is NOT a CloudFront benefit?
Distributes traffic evenly to EC2 instances.
A business is implementing a mission-critical application on two Amazon EC2 instances inside a virtual private cloud (VPC). Client connections to EC2 instances that fail must be reported in accordance with business policy.Which approach is the MOST cost-effective in meeting these requirements?
Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.
You have a web application operating on an EC2 instance (app.mycompany.com) with a single elastic network interface in a VPC subnet. Due to a network redesign, the web application must be relocated to a new subnet inside the same Availability Zone.Which one of the following migration techniques satisfies the criteria?
Launch a new instance in the subnet via an AMI created from the instance, & redirect new connections to this new instance using DNS. Decommission the old instance.
You're implementing a web application in a virtual private cloud that needs SSL mutual authentication through a client-side, smartcard-stored certificate. Mutual authentication between the client and the application must be supported by the ELB Classic Load Balancer listener.Which protocol for load balancing should you use for this application?
TCP
You want to guarantee that all Amazon S3 buckets, both existing and newly generated, have logging enabled going forward. Which trigger type(s) should you use?
Only a configuration change trigger
You're attempting to determine the MTU utilized by another instance, but tracepath is failing. You are aware that the instance you are tracing has an open security group and NACL rules. Which protocol must you grant access to your instance in order to resolve this?
Protocol 17:UDP
Your business hosts an application for the US market in the AWS region us-east-1. This program runs on Amazon Elastic Compute Cloud (EC2) instances using proprietary TCP and UDP protocols. On their own PCs, end users run a real-time, front-end application. This front-end application is aware of the service's DNS hostname.You must ensure that the system is prepared for worldwide growth. End users must have the lowest possible latency while accessing the application.How should you approach these criteria while using AWS services?
Register the IP addresses of the service hosts as " " records with latency-based routing policy in Amazon Route S3, & set a Route 53 health check for these hosts.
You may enable the AWS Config service through the AWS CLI by executing the subscribe command with a valid IAM role, SNS topic, and as ________
S3 bucket
Which of the following physical layer standards is needed for access to AWS Direct Connect through a normal 1 GB or 10 GB Ethernet fiber-optic cable?
Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-LR for 10 gigabit Ethernet
From your datacenter, you have four Direct Connect connections. Site A advertises 172.16.0.0/16 AS 65000, Site B advertises 172.16.0.128/25 AS 65000 65000 65000, Site C advertises 172.0.0.0/8 AS 65000 and Site D advertises 172.16.0.0/24 AS 65000.Which AWS location will AWS use to connect to your network?
Site B: 172.16.0.128/25 AS 65000 65000 65000
Which of the following modes is not a WAF configuration mode?
Sleep
You're the victim of a DDoS assault and have added a deny all TCP rule to your NACL, yet data continues to flow. What did you do incorrectly?
The DDoS isn't a TCP attack.
Within a 10.0.0.0/16 VPC, all IP addresses are completely occupied by application servers spread over two Availability Zones. The application servers must periodically send UDP probes to a single central authentication server on the Internet to ensure that they are running the most current packages. The network is configured such that application servers may communicate with one another over a single NAT gateway. During testing, it was discovered that a small number of servers are unable to interact with the authentication server.What caused this failure?
The NAT gateway cannot allocate more ports.
A business is transferring a classic storefront online application to the Amazon Web Services (AWS) Cloud. The program is sophisticated and refactoring will take many months. Until the replacement web application is completed and deployed, a solutions architect proposed utilizing Amazon CloudFront with a custom origin connecting to the SSL endpoint URL for the old web application.For many weeks, the intermediate solution worked. However, all browser connections have lately begun to display an HTTP 502 Bad Gateway error with the header 'X-Cache: Error from cloudfront.' Monitoring services indicate that the traditional web application's HTTPS port 443 is accessible and accepting requests.What is the most probable source of the mistake, and how do you fix it?
The SSL certificate on the legacy web application sever has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority {CA}. Install the full certificate chain onto the legacy web application server.
Using your understanding of both the OSI and TCP/IP models, choose which of the following statements is NOT true.
The TCP/IP Application layer maps to 2 of the OSI Layers.
You work for a corporation that runs many instances with dynamically allocated public IP addresses. You conducted an update that required restarting the instances from the console, and now your DNS records are no longer functional. What transpired?
The instances changed their public IP addresses on restart.
A corporation wishes to replace 500 desktop PCs in its contact center with thin clients running virtual desktops. Amazon WorkSpaces is being evaluated as a possible option.A network engineer attempting to connect to Amazon WorkSpaces through a thin client is unable to do so. The network engineer gets the following message after entering credentials: 'An error occurred when launching your WorkSpace. Kindly try again.'What is the network engineer's responsibility in resolving this issue?
Update the inbound rules on the security group assigned to Amazon WorkSpaces to allow UDP on port 4172 & TCP on port 4172.
A systems administrator is developing a split-view hybrid DNS solution. The apex domain 'example.com' should be supplied by various top-level domains' name servers (TLDs). On-premises name servers should be used for the subdomain 'dev.example.com'. The administrator has chosen to implement this scenario through Amazon Route 53.Which procedures must be followed in order to apply the solution?
Use a Route 53 public & private hosted zone for example.com & perform subdomain delegation for dev.example.com
A company is installing an application in a VPC that needs SSL mutual authentication with a client-side certificate as the main way of client identification. The Network Engineer has been entrusted with creating the technique for SSL mutual authentication inside AWS.Which of the following choices fits the criteria of the organization?
Use an Application Load Balancer &b upload the client certificate private keys to it by using the native server name indication {SNI} features with smart certificate selection to handle multiple calling applications.
Choose one of the following VPC Peering statements that is NOT true.
VPC peering supports transitive peering relationships for IPv6 traffic but not IPv4.
Which of the following statements regarding WorkSpaces is incorrect?
Workspace can query on-premises domains for authentication.
You work for a multinational firm that makes extensive use of AWS. As a result of laws, you are now obligated to route traffic from the United States and China to two distinct websites. You established the records, and as a result, no other nations are able to visit your site.Why is this the case?
You forgot to set a default geolocation record.
The Adobe Flash Media Server________ file determines which domains may access media files in a given domain when used in conjunction with CloudFront RTMP Distribution.
crossdomain.xml