AWS Certified Advanced Networking - Specialty
A retail company has set up an AWS Site-to-Site VPN as well as an AWS Direct Connect connection between its on-premises data center and AWS Cloud. The VPN uses dynamic routing. The networking team wants all traffic to use the Direct Connect connection and configure the VPN as a backup. What would you do to route the traffic through Direct Connect as a preferred connection? (Select two)
Advertise the same prefix for Direct Connect and the VPN Use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC
A retail company operates its IT infrastructure in a hybrid cloud configuration with the on-premises data center connected to the AWS Cloud via an AWS Site-to-Site VPN connection. The networking team has set up an AWS VPC with a CIDR range of 10.0.0.0/16 and the on-premises network has a CIDR range of 172.31.0.0/24. The VPC's route table also has a static route to an internet gateway and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. Which of the following represents a correct statement regarding the routing for traffic destined to the on-premises network?
All traffic destined for 172.31.0.0/24 is routed via the internet gateway
The networking team at an e-commerce company has created a VPC with CIDR 21.5.0.0/16 with only a private subnet and VPN connection to the on-premises data center using the AWS VPC wizard. The team wants to connect to the instance in a private subnet over SSH. How would you define the security rule for SSH?
Allow Inbound traffic on port 22 from the on-premises network
A company has deployed thin client devices in a remote office and will use Amazon Workspaces to host virtual desktops. A network engineer has configured the Amazon Workspaces security groups according to AWS best practices. Which of the following steps should the network engineer complete to configure the remote office firewalls to support streaming of the Workspace desktop?
Allow outbound access on ports 4172 and 4195 (UDP and TCP) and open inbound ephemeral ports to allow return communication.
A retail website will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The website must be accessible on example.com and www.example.com. A network engineer has created a public hosted zone in Amazon Route 53. Which records should be created to meet the requirements?
An ALIAS record for example.com pointing to the ALB and an ALIAS record for www.example.com pointing to the ALB.
A company facilitates best-in-class sports broadcasting via its flagship application. Users access the content from different platforms including mobile, tablet, and desktop. Each platform is customized to provide a different user experience based on various viewing modes. Path-based headers are used to serve the content for different platforms, hosted on different Amazon EC2 instances. An Auto Scaling group (ASG) has also been configured for the EC2 instances to ensure that the solution is highly scalable. Which of the following combination of services can help minimize the cost while maximizing the performance? (Select two)
Application Load Balancer Amazon CloudFront with Lambda@Edge
A CloudFront distribution has been configured to serve multiple CNAMEs (alternate domain names) through a single distribution. The company has rolled out new security policies that mandate the use of Secure Sockets Layer (SSL) for all the associated CNAMEs. How should this requirement be configured to achieve the security level proposed by the company?
Assign a certificate from ACM that includes all the required domains and attach it to the CloudFront distribution
A social media company is planning to release the major upgrade of its flagship application in a week. The development team is testing the alpha release of the application running on 10 EC2 instances managed by an Auto Scaling group in subnet 172.10.0.0/24 within VPC A having CIDR block 172.10.0.0/16. The team has noticed connection timeout errors in the application logs while connecting to a MySQL database running on an EC2 instance in the same region in subnet 172.40.0.0/24 within VPC B having CIDR block 172.40.0.0/16. The IP of the database instance is hard-coded in the application instances. As a Networking Specialist, which of the following solutions would you suggest to the development team to solve the problem securely with minimal maintenance and overhead? (Select two)
1) Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC B that points to the IP address range of 172.10.0.0/16, 2) Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC A that points to the IP address range of 172.40.0.0/16
An organization has a newly installed 1-Gbps AWS Direct Connect connection. The organization has opted to use cross-connect from the Direct Connect location provider to a port on the router in the same facility. To enable the use of the virtual interface, the router must be configured appropriately. What are the minimum requirements for your router?
1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5
An Amazon VPC has been created with the 172.31.0.0/16 CIDR block. Within this VPC, which of the following addresses are provided by Amazon for DNS resolution using the Route 53 Resolver? (Select TWO.)
172.31.0.2 169.254.169.253
A network engineer has created an Amazon VPC with the CIDR block 172.16.0.0/16. The engineer must create several subnets and each subnet must support up to 1000 assignable IP addresses. Which subnet mask will make MOST efficient use of the VPC CIDR block?
255.255.252.0 (/22) To determine the usable IP addresses per subnet you can perform a simple two-step calculation. 1) Take the number 32 and subtract the number of bits assigned to the subnet mask. For example, take 32 and subtract 22, leaving 10 (32 - 22 = 10). 2) Take the value from the previous calculation and raise it to the power of 2. In our example we take 10 and raise it to the power of 2. 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 x 2 = 1024. The result (1024) is the number of IP addresses available. Remember that we must always deduct 5 addresses from this number for VPC subnets as AWS reserve the first 4 and last IP address. The actual assignable addresses are therefore 1019 (1024 - 5 = 1019) which is sufficient for this use case.
A company runs a hybrid cloud infrastructure and it has 99 routes in the dynamic BGP propagated route table. The networking team at the company wants to add 2 more routes for 10.1.0.0 and 10.3.0.0. You cannot modify or remove routes that have already been announced. Which of the following solutions will you recommend?
Combine the two routes into a default route and advertise it
A Network Engineer is designing a system on AWS that will leverage Amazon CloudFront for content caching and for protecting the underlying origin. The security team has flagged a concern of a probable attack on the origin server IP addresses, despite it being served by CloudFront. Suggest a solution that provides the strongest level of protection to the origin server?
Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header
A development team is looking at connecting their Amazon EC2 instances to the confidential data stored on Amazon S3 storage. The team has a requirement to use private IP addresses from their VPC to access Amazon S3 while also having the ability to access S3 buckets from their on-premises systems. In a few months, the S3 buckets will also be accessed from a VPC in another AWS Region. What is the right way to configure the team's requirement?
Configure Interface endpoints for Amazon S3
A network engineer is deploying an AWS Direct Connect connection. The engineer must create a public virtual interface and needs to only import routes that originated from the same Region as the Direct Connect location. Which action will achieve this?
Configure a filter on the company's router to only import routes with the 7224: 8100 BGP community tag.
A company is deploying an API using Amazon API Gateway that will be used by customers in several geographical locations. The company plans to deploy the API to multiple Regions and will use a custom DNS domain name. What actions should a network engineer take to ensure customers can access the API with the LOWEST latency?
Configure a regional API endpoint in each Region, set the same custom domain name for each deployed API, and configure latency-based DNS records in Amazon Route 53 to route client requests to the Region that has the lowest latency.
A meteorology company receives real-time weather data from sensors. The data is received in a single data source VPC and the company must then perform unique analysis on the data using applications in several data analysis VPCs. The data must be distributed simultaneously from Amazon EC2 instances in the data source VPC to the data analysis VPCs. Which set of configuration steps should the company take to meet these requirements?
Configure a transit gateway to serve as a multicast router. Attach the data source and data analysis VPCs. Add the ENIs of the EC2 instances in the data source VPC as multicast senders.
A new application has been deployed in an Amazon VPC on Amazon EC2 instances. The application must communicate with on-premises servers. Network traffic for the first few months is expected to be low volume but will increase to more than 10 Gbps within the first year. The company needs to connect the applications as quickly as possible. The network engineer has been asked to design a hybrid IT connectivity solution. What should be done to meet these requirements?
Configure an AWS Site-to-Site VPN between the VPC and the data center. Submit a connection request for an AWS Direct Connect connection later.
A two-tier application has an Elastic Load Balancing (ELB) load balancer configured in front of the application tier that is driven via RESTful interfaces. The data tier uses RDS MySQL. The company's new policies require end-to-end encryption of all data in transit. How will you configure this requirement?
Configure the ELB with a TCP listener. Configure the application instances for SSL termination. Configure RDS for SSL, and use REQUIRE SSL grants
The networking team at a company wants to set up an AWS Site-to-Site VPN connection between its on-premises data center and the AWS Cloud. The VPN connection should use static routing and the team wants to make sure that tunnel A is preferred over tunnel B when sending traffic from AWS to the on-premises network. Which solution would you recommend for this requirement?
Configure the VPN connection in an Active/Passive configuration by assigning a higher priority to tunnel A while configuring the static routes
A health care company has two web applications and wants to run them in separate, isolated VPCs. The company is looking at using Elastic Load Balancing to distribute requests between application instances. The security and compliance team at the company has imposed the following restrictions: Inbound HTTP requests to the application must be routed through a centralized VPC Application VPCs must not be exposed to any other inbound traffic Application VPCs cannot be allowed to initiate any outbound connections Internet gateways must not be attached to the application VPCs Which of the following solutions would you recommend to address these requirements?
Configure the applications behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to route application traffic to the corresponding target group through the ALB
The networking team at a company has noticed issues with Quality of Service (QoS) in the traffic to the EC2 instances hosting a VOIP program. The team needs to inspect the network packets to determine if it is a programming error or a networking error. As an AWS Certified Networking Specialist, which of the following solutions would you recommend for the given use case?
Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis
A cybersecurity company has its flagship application running on EC2 instances in a VPC and the application must publish custom metrics with proprietary information to CloudWatch in the same AWS Region. All connectivity must be established using private IP addresses. Which of the following options will address these requirements?
Connect the application to CloudWatch using an interface endpoint
Users connect to an online gaming application using the TCP and UDP protocols. Each protocol uses different ports on the same instances. Incoming connections must be distributed to a pool of Amazon EC2 instances across multiple Availability Zones. Which actions should a network engineer perform?
Create a Network Load Balancer with TCP and UDP listeners. Create two target groups for the EC2 instances, select TCP for the protocol in one target group and UDP in the other and enter the port numbers.
A network engineer is designing a domain name resolution solution for a client. The company plans to migrate all DNS records to Amazon Route 53. The company's public website uses the domain name "example.com" and the company plans to use "internal.example.com" for private services running in an Amazon VPC. Which steps should the network engineer take to configure split-view DNS for the client?
Create a Route 53 public hosted zone for example.com and a private hosted zone for internal.example.com. Associate the Amazon VPC with the private hosted zone.
A social media company has installed an AWS Site-to-Site VPN and the networking team has noticed that the VPN tunnel is unstable or the tunnel status is frequently down on the customer gateway device. Which steps should the networking team take to address this issue? (Select two)
Create a host that sends ICMP requests to an instance in your VPC every 5 seconds Customer gateway device is configured to receive and respond to dead peer detection (DPD) messages
An e-commerce company is building a hybrid Payment Card Industry Data Security Standard (PCI-DSS) compliant application that runs in the us-east-1 Region as well as on-premises. The application sends access logs from all locations to a single S3 bucket in the us-east-1 Region. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How would you configure the network to address these requirements?
Create a private virtual interface to a Direct Connect connection in us-east-1. Set up a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access S3
A company has four Amazon VPCs within an AWS Region. The company plans to connect an AWS Site-to-Site VPN between an on-premises data center and the AWS Cloud. The company requires full transitive routing between the data center network and all four Amazon VPCs. Which solutions meets these requirements?
Create a transit gateway with three VPC attachments and one Site-to-Site VPN attachment. In each VPC route table create a route to 0.0.0.0/0 that points to the transit gateway.
A security team is responsible for monitoring a group of AWS accounts. The security team does not have direct access to all of the AWS accounts but must be able to monitor for malicious or unauthorized behavior. Which of the following solutions will enable the security team to monitor the resources across all AWS accounts with the LEAST administrative overhead?
Create an Amazon GuardDuty administrator account within an AWS account the security team has access to. Add the monitored accounts as member accounts in Amazon GuardDuty.
A financial services company is migrating sensitive data from its on-premises data center to AWS Cloud via an existing AWS Direct Connect connection. The company must ensure confidentiality and integrity of the data in transit to the AWS VPC. Which of the following options should be combined to set up the most cost-effective connection between your on-premises data center and AWS? (Select three)
Create an IPsec tunnel between your customer gateway appliance and the virtual private gateway Create a VPC with a virtual private gateway Set up a public virtual interface on the Direct Connect connection
A company wants to establish an AWS Direct Connect link to connect the AWS Cloud with the internal corporate network. Using AWS Direct Connect would enable the company to deliver on its performance benchmark requirements including a three-second or less response time for sending small documents across the internal network. To facilitate this goal, the company wants to be able to resolve DNS queries for any resources in the on-premises network from the AWS VPC and also resolve any DNS queries for resources in the AWS VPC from the on-premises network. As an AWS Certified Networking Specialist, which of the following solutions would you recommend for this use case? (Select two)
Create an inbound endpoint on Route 53 Resolver and then DNS resolvers on the on-premises network can forward DNS queries to Route 53 Resolver via this endpoint Create an outbound endpoint on Route 53 Resolver and then Route 53 Resolver can conditionally forward queries to resolvers on the on-premises network via this endpoint
A company has three VPCs: X, Y, and Z. VPCs X and Z are both peered with VPC Y. The IP address ranges are as follows: VPC X: 10.1.0.0/16 VPC Y: 192.168.0.0/16 VPC Z: 10.1.0.0/16 Instance x-1 in VPC X has the IP address 10.1.0.10. Instance z-1 in VPC Z has the IP address 10.1.0.10. Instances y-1 and y-2 in VPC Y have the IP addresses 192.168.2.10 and 192.168.2.20 respectively. The instances y-1 and y-2 are in the subnet 192.168.2.0/24. The networking team at the company has mandated that y-1 must be able to communicate with x-1, and y-2 must be able to communicate with z-1. However, the team has noticed that both y-1 and y-2 are only able to communicate with x-1, instead of y-1 communicating with x-1 and y-2 communicating with z-1. Which of the following combination of steps will address this issue? (Select two)
Create two new subnets 192.168.2.0/28 and 192.168.2.16/28 in VPC Y. Move y-1 to subnet 192.168.2.0/28 and y-2 to subnet 192.168.2.16/28 by launching a new instance in the new subnet via an AMI created from the old instance Create two route tables in VPC Y - one with a route for destination VPC X and another with a route for destination VPC Z
The networking team at a company needs to automate VPC creation to enforce the company's network and security standards which mandate that each application is isolated in its own VPC. The solution must also ensure that the CIDR range used in each VPC is unique. Which of the following options would you recommend to address these requirements?
Deploy the VPC infrastructure using AWS CloudFormation and leverage a custom resource to request a unique CIDR range from an external IP address management (IPAM) service
An organization has deployed a web application in an Amazon VPC that will be used by many customers. The customers will connect to the web application from VPCs within the same Region and all connections must use private addresses and should not use the internet. What is the best way to meet these requirements?
Deploy the web application behind an internal Network Load Balancer. Connect to the service using an interface VPC endpoint.
A company uses an Amazon RDS MySQL database instance to store customer order data. The security team have requested that SSL/TLS encryption in transit must be used for encrypting connections to the database from application servers. The data in the database is currently encrypted at rest using an AWS KMS key. How can a network engineer enable encryption in transit?
Download the AWS-provided root certificates. Use the certificates when connecting to the RDS DB instance.
A company wants to use Amazon S3 to augment its on-premises data store. The company is looking at setting up a Direct Connect connection to provide high bandwidth and low latency access to S3. The company has requested AWS for an AWS-owned address to be used for configuring a Public Virtual Interface (VIF) since the company does not own a publically routable IPv4 address block. For the given scenario, which of the following represents a valid security risk to the company?
EC2 instances in the same AWS Region with access to the Internet could directly reach the router
A company has deployed redundant AWS Direct Connect connections to an Amazon VPC. The VPC is configured using BGP metrics so that one Direct Connect connection is used as the primary traffic path and the other is the failover traffic path. The company wants the primary Direct Connect connection to fail to the secondary in less than one second. What should be done to meet this requirement?
Enable Bidirectional Forwarding Detection (BFD) on the company's router with a detection minimum interval of 300 ms and a BFD liveness detection multiplier of 3. BFD is a detection protocol that provides fast forwarding path failure detection times. These fast failure detection times facilitate faster routing reconvergence times. It's a best practice to enable BFD for fast failure detection and failover when connecting to AWS services over Direct Connect connections or VPNs. Enabling BFD for your Direct Connect connection allows the Border Gateway Protocol (BGP) neighbor relationship to be quickly torn down. Otherwise, by default, BGP waits for three keep-alives to fail at a hold-down time of 90 seconds. Asynchronous BFD is automatically enabled for Direct Connect virtual interfaces on the AWS side. However, you must configure your router to enable asynchronous BFD for your connection. The default AWS BFD liveness detection minimum interval is 300 ms. The default BFD liveness detection multiplier is three.
An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). Users upload files through the application which are then stored in an Amazon S3 bucket. For large file uploads users have experienced timeout errors. A network engineer investigated the issue and determined that the backend connections are being closed for long running requests. How can the network engineer prevent timeouts from occurring and maintain connection reuse between the ALB and the backend nodes? (Select TWO.)
Enable HTTP keep-alive in the EC2 instance's web server settings. Increase the length of the idle timeout period on the ALB.
A company manages more than 500 public web applications on AWS Cloud which are deployed in a single AWS Region. The fully qualified domain names (FQDNs) of all of the applications are configured to use HTTPS and are served via Application Load Balancers (ALBs). These ALBs are configured to use public SSL/TLS certificates. The company has hired you to migrate the web applications to a multi-Region architecture. You must ensure that all HTTPS services continue to work without interruption. Which of the following solutions would you suggest to address these requirements?
Generate a separate certificate for each FQDN in each AWS Region using AWS Certificate Manager. Associate the certificates with the corresponding ALBs in the relevant AWS Region
A network engineer is configuring a customer router to establish an AWS Site-to-Site VPN connection. A firewall must also be updated to allow the traffic required for the connection. Which types of network traffic must be allowed? (Select TWO.)
IP Protocol 50, UDP port 500
An application runs on a fleet of Amazon EC2 instances behind an Auto Scaling group. The application publishes custom metrics to Amazon CloudWatch in the same AWS Region. The metric data includes sensitive information that must remain private. All connectivity must use private IP addresses and cannot use the AWS public endpoints. How can the network engineer configure the solution to meet the security requirements?
If you use Amazon Virtual Private Cloud (VPC) to host your AWS resources, you can establish a private connection between your VPC and CloudWatch Logs. You can use this connection to send logs to CloudWatch Logs without sending them through the internet. This meets the security requirements as the connection between the EC2 instances and Amazon CloudWatch will use private IP addresses and will not use the AWS public endpoints. CORRECT: "Use an interface VPC endpoint to connect to CloudWatch" is the correct answer (as explained above.)
The networking team at a company has provisioned a new EC2 instance A by choosing the default security group of the default VPC. The team can ping instance A from other instances in the VPC. These other instances were also created using the default security group. The next day, the team launches another instance B by creating a new security group and attaching it to instance B. All other configuration options for instance B are chosen as default. However, the team is not able to ping instance B from other instances in the VPC. As an AWS Certified Networking Specialist, which of the following would you identify as the root cause of the issue?
Instance A is in the default security group. The default rules for the default security group allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. Instance B is in a new security group. The default rules for a security group that you create allow no inbound traffic
A business has a web application (store.mybusiness.com) running on an EC2 instance with a single elastic network interface in a subnet in a VPC. As part of the network re-architecture, the CTO at the company wants the web application to be moved to a different subnet in the same Availability Zone. Which of the following solutions would you suggest to meet these requirements?
Launch a new instance in the new subnet via an AMI created from the old instance. Direct traffic to this new instance using Route 53 and then terminate the old instance
A company runs a production environment in an Amazon VPC configured with the CIDR block 175.10.0.0/16. The company runs large batch computing workloads within the VPC and has nearly depleted the IP address space. The company must extend the VPC by allocating an additional block of addresses. Which CIDR blocks meet the company's requirements? (Select TWO.)
Longest prefix match, static routes, Direct Connect BGP routes, VPN BGP routes.
A company has an EC2 instance in a private subnet that has access to the internet via a NAT gateway in another public subnet. This EC2 instance behind the NAT gateway sends a 1 GB file to one of your Amazon Simple Storage Service (Amazon S3) buckets. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS Region (us-east-1) and the NAT gateway as well as the EC2 instance are in the same Availability Zone. Which of the following will contribute to the NAT Gateway cost? (Select two)
NAT Gateway Data Processing Charge; NAT Gateway Hourly Charge
A networking team working in a test environment has noticed inbound traffic in the VPC Flow Logs for a NAT Gateway. The team has connected with you to understand why the NAT gateway is accepting inbound traffic from the internet? How will you troubleshoot/fix this issue?
NAT gateways managed by AWS don't accept traffic initiated from the internet. However, if inbound internet traffic is permitted by your security group or Network ACLs then it appears as accepted
A company runs a critical application in an Amazon VPC which will be accessed by application servers running in an on-premises data center via a Direct Connect connection. An SLA of 99.9% uptime is required for the Direct Connect connection. The company has an AWS Enterprise Support plan. What is the MOST cost-effective way to meet this SLA requirement?
Order an additional Direct Connect connection from AWS in a different cross-connect location terminated in the associated Region. Provision a new virtual interface (VIF) to the existing VPC and use BGP for load balancing.
For the safety of critical applications, the networking team at a company has implemented a host-based firewall on all of the Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. A new requirement needs the instance metadata. Which firewall rule should be added to the instances to allow instance metadata access?
Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80
A company is deploying a critical application on multiple EC2 instances in a VPC. Per the company policy, any failed client connections to the EC2 instances must be logged. Which of the following options would you recommend as the MOST cost-effective solution to address these requirements?
Set up VPC Flow Logs for the elastic network interfaces associated with the instances and configure the VPC Flow Logs to be filtered for rejected traffic. Publish the Flow Logs to CloudWatch Logs
The CTO at an e-commerce company is pursuing an IT re-engineering effort to migrate from multiple on-premises data centers to the AWS Cloud. The current on-premises data centers are in different locations and are inter-linked via a private fiber. Due to the unique constraints of the existing legacy applications, using NAT is not an option. During the migration period, many critical applications will need access to other applications deployed in both the on-premises data centers and AWS Cloud. As an AWS Certified Networking Specialist, which of the following options would you suggest to set up a hybrid network architecture that is highly available and supports high bandwidth for a multi-Region deployment post-migration?
Set up a Direct Connect to each on-premises data center from different service providers and configure routing to failover to the other on-premises data center's Direct Connect in case one connection fails. Make sure that no VPC CIDR blocks overlap one another or the on-premises network
An ecommerce company has a hybrid environment between its on-premises data center and the AWS Cloud. The company wants to use the Elastic File System (EFS) to store and share data between the on-premises applications that need to resolve DNS queries through the on-premises DNS servers. The company wants to use a custom domain name to connect to EFS. The company also wants to avoid using the Amazon EFS target IP address. Which of the following solutions would you recommend to address these requirements?
Set up a Route 53 Resolver inbound endpoint and configure it for the EFS specific VPC. Set up a Route 53 private hosted zone and add a new CNAME record with the value of the EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone
A company stores application logs in an Amazon S3 bucket in the us-west-1 Region. The company has established an AWS Direct Connect connection to the us-east-1 Region. How can the company access the application log bucket over the Direct Connect connection?
Set up a public virtual interface and establish a Border Gateway Protocol (BGP) session.
The networking team at a company wants to set up two AWS Direct Connect connections between its on-premises data center and the AWS Cloud. The Direct Connect connections need to be set up in an Active/Passive configuration from a public virtual interface using a private ASN. As an AWS Certified Networking Specialist, which solution would you recommend for this requirement?
Set up the customer gateway to advertise the longer prefix on your primary connection
The development team at a company is deploying a web application in a VPC that requires SSL mutual authentication with a client-side certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application. Which load balancer protocol should you select for this application?
TCP
A network engineer has enabled VPC Flow Logs to troubleshoot a connectivity issue between an EC2 application instance and an EC2 database instance in another subnet. The VPC flow logs recorded ACCEPT records for the connection from the client to the EC2 database instance and REJECT records for the response from the EC2 database instance to the EC2 application instance. What is the MOST likely reason for the failed connection response?
The EC2 database instance's network ACL is denying outbound connections.
An ecommerce company is migrating its legacy web application to the AWS Cloud. Since the application is complex and may take several months to refactor, the CTO at the company tasked the development team to build an ad-hoc solution of using CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed. The ad-hoc solution has worked for several weeks, however, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from CloudFront". Network monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests. Which of the following will you attribute as the likely cause of the error and what is the solution to address this issue?
The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server
A department in a company has created a new AWS account that is not part of the organization's consolidated billing family. The department has created a VPC for their workloads. Access is restricted by Network Access Control Lists (NACLs) to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for the VPC advertises a default route to the company's network. When the department downloads data from an Amazon Elastic Compute Cloud (EC2) instance hosted in its new VPC, what are the associated charges?
The department pays AWS Direct Connect Data Out charges
A company is planning an Amazon Workspaces deployment of up to 1000 desktops. The architecture should support a Multi-AZ AWS Directory Services construct and allow for future growth. Which architecture is suitable for this deployment?
Two private subnets with a /22 subnet mask.
A highly sensitive application runs on Amazon EC2 Linux instances in private subnets. An AWS Direct Connect (DX) connection is provisioned to the company data center and all traffic must traverse the DX connection including outbound internet traffic. The company enforces the use of a forward proxy server for all outbound traffic. The EC2 instances have established connectivity with on-premises servers but are unable to connect to web services on the internet. What should a network engineer do to resolve the internet connectivity issues for the EC2 instances?
Update the VPC route table with entries for the on-premises proxy server.
A social media company is delivering web content from an Amazon EC2 instance in a public subnet with address 2021:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries: 2 098765432112 eni-0596e500987654321 2021:db8:2:200::2 2021:db8:1:100::1 0 0 58 236 42336 1551200195 1551200434 ACCEPT OK 2 098765432112 eni-0596e500987654321 2021:db8:1:100::1 2021:db8:2:200::2 0 0 58 236 42336 1551200195 1551200434 REJECT OK Which of the following actions will restore network reachability to the EC2 instance?
Update the network ACL associated with the subnet to allow outbound traffic
A financial services application runs on a fleet of Amazon EC2 instances that are configured with an Auto Scaling Group (ASG). The instances are fronted by an Elastic Load Balancer (ELB). The security team has flagged an exploitable vulnerability in the encryption protocol and cipher that the application uses. The listener of the ELB is configured on an HTTPS protocol. Which step will you take to secure the application from the newly detected vulnerability?
Update the security policy on the ELB to disable vulnerable protocols and ciphers
A financial services company wants to modernize its applications and minimize its data center infrastructure. The company wants to explore a hybrid cloud environment with AWS so that it can start leveraging AWS services for some of its data analytics workflows. The engineering team at the company wants to establish a dedicated, encrypted, low latency, and high throughput connection between its data center and AWS Cloud. The engineering team has set aside sufficient time to account for the operational overhead of establishing this connection. Which of the following options represents the MOST optimal solution with the LEAST infrastructure set up required for provisioning the end to end connection?
Use AWS Direct Connect along with a site-to-site VPN to establish a connection between the data center and AWS Cloud
An e-commerce company has built a hub-and-spoke network using AWS Transit Gateway. VPCs have been provisioned into multiple AWS accounts to facilitate network isolation and to enable delegated network administration. The organization is looking at a cost-effective, quick and secure way of maintaining this distributed architecture so that it provides access to services required by workloads in each of the VPCs. As an AWS Certified Networking Specialist, which of the following solutions would you suggest for the given use case?
Use Centralized VPC Endpoints for connecting with multiple VPCs, also known as shared services VPC
A media company wants to use AWS Cloudfront to manage its content. Firstly, it would like to allow only those new users who have paid the annual subscription fee the ability to download the application installation file. Secondly, only the subscribers should be able to view the files in the members' area. As a Networking Specialist, which of the following would you recommend as the MOST optimal solutions to deliver restricted content to the bona fide end users? (Select two)
Use CloudFront signed cookies to restrict access to all the files in the members' area of the website Use CloudFront signed URLs to restrict access to the application installation file
An online retail organization runs its e-commerce website on AWS. The Amazon EC2 instances running the application are fronted by an Application Load Balancer (ALB). Amazon Route 53 provides public DNS services. Different URLs (mobile.shopping.com, web.shopping.com, api.shopping.com) will serve the required content to the end-users. Which combination of services must be used to serve the content correctly to the end-users? (Select two)
Use Host conditions in ALB listener to route *.shopping.com to appropriate target groups Use Host conditions in ALB listener to route shopping.com to appropriate target groups
A network engineer at a social media company needs to monitor and analyze the DNS traffic. The company uses Route 53 as the DNS service for its public-hosted zone. All DNS queries must be captured for future analysis. As an AWS Certified Networking Specialist, what would you suggest for the given requirement?
Use Route 53 query logging to log information to CloudWatch Logs about the Route 53 DNS queries
A retail company wants to block access to its application from specific countries; however, the company wants to allow its remote testing team (from one of the blocked countries) to have access to the application. The application is deployed on EC2 instances running under an Application Load Balancer (ALB) with AWS WAF. As a Networking Specialist, which of the following solutions would you suggest as the BEST fit for the given use case? (Select two)
Use WAF geo match statement listing the countries that you want to block Use WAF IP set statement that specifies the IP addresses that you want to allow through
A multi-player gaming application that runs on UDP protocol needs to add functionality where you can assign multiple players to a single session on a game server based on factors such as geographic location, player skill, and few more configurable parameters. The application is accessed by players spread out across different regions of the world. What is the right way to configure this requirement?
Use custom routing accelerator of Global Accelerator to deterministically route one or more users to a specific instance using VPC subnet endpoints
A company is migrating to the AWS Cloud and needs to migrate 100 virtual machines (VMs) using the AWS Server Migration Service (SMS). The migration must take place during non-peak hours to avoid saturating the existing internet connection. The migration must complete within 14 days. The average VM size is 10 GB, and the company has a 2 Gbps internet connection. What should the company do to ensure the migration completes on schedule?
Use the existing internet connection and schedule the transfer outside of business hours.
The networking team at a retail company is configuring a virtual interface for accessing your VPC on a newly provisioned 10-Gbps AWS Direct Connect connection. Which of the following configuration values do you need to provide? (Select two)
Virtual local area network (VLAN) ID Virtual private gateway
A company has set up an AWS network consisting of three transit gateways (tgw-1, tgw-2, and tgw-3) each present in different AWS accounts and different AWS Regions. The development team owns transit gateways tgw-1 and tgw-3. Transit gateway tgw-1 has a peering attachment with transit gateway tgw-2 owned by another team. The entire network is within AWS and does not consist of on-premises resources. The company has decided to use Transit Gateway Network Manager for managing the network topology. Which of the following would you identify as the key points of consideration while implementing this requirement? (Select three)
When you register transit gateway tgw-1 in the Network Manager, you can see information about transit gateway tgw-2 in your global network To enable multi-account functionality in Network Manager, you first need to set up an account in AWS Organizations Create a global network in Network Manager and register the transit gateways tgw-1 and tgw-3 with your global network
A consultant is creating an architecture for a web application that includes an Elastic Load Balancer. For compliance purposes the server access logs should record the source IP address of all connections to the application. With default settings, what IP address will be recorded in the EC2 instance server access logs as the source of incoming connections? (Select TWO.)
With a Network Load Balancer, the source IP of the client will be recorded if the instance is specified by instance ID. With an Application Load Balancer, the source IP address of the load balancer nodes will be recorded.
A company is using AWS Local Zones to bring cloud resources closer to the end-users to ensure very low latency access to the required resources. The company is looking at adding Elastic Load Balancing for enhanced security and performance. Which of the following statements are relevant for configuring the ELB correctly? (Select two)
You cannot use a Lambda function as a target when using Local Zone subnets for configuring the ELB Only Application Load Balancer (ALB) supports Local Zones
A retail company wants to set up a hybrid cloud infrastructure between AWS Cloud and on-premises data center using Direct Connect as well as AWS Site-to-Site VPN. The networking team is working on configuring routing for this infrastructure and needs assistance with respect to the correct priority order for propagated and static routes for Direct Connect and Site-to-Site VPN when the prefixes are the same. As an AWS Certified Networking Specialist, which of the following would you identify as the correct order of priority from the most preferred to the least preferred?
Correct option: BGP propagated routes from an AWS Direct Connect connection > Manually added static routes for a Site-to-Site VPN connection > BGP propagated routes from a Site-to-Site VPN connection When a virtual private gateway receives routing information, it uses path selection to determine how to route traffic. The longest prefix match applies. If the prefixes are the same, then the virtual private gateway prioritizes routes as follows, from the most preferred to the least preferred: BGP propagated routes from an AWS Direct Connect connection Manually added static routes for a Site-to-Site VPN connection BGP propagated routes from a Site-to-Site VPN connection For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred. When the AS PATHs are the same length and if the first AS in the AS_SEQUENCE is the same across multiple paths, multi-exit discriminators (MEDs) are compared. The path with the lowest MED value is preferred.
A network engineer is configuring an Amazon CloudFront distribution for a website running on example.com. For several countries the website uses country-specific subdomains such as us.example.com and uk.example.com. The network engineer has configured the distribution to cache based on the CloudFront-Viewer-Country header and must configure a redirect for requests to example.com to the relevant subdomain. Which actions should the network engineer take?
Create a Lambda@Edge origin request function that generates a redirect response when a viewer requests example.com.
