Test_2_Certified_Advanced_Networking_Specialty
You must construct a 14-host subnet in a VPC. You must be as precise as possible, since you operate a very big business. Which CIDR format should you use?
/27
Convert the following IPv4 address from binary to dotted decimal.10101100.01111011.00001101.10011101.
172.123.13.157
Your organization's Amazon Elastic Compute Cloud (EC2) and Virtual Private Cloud (VPC) systems demand rigorous adherence to a change control procedure. The company controls and implements changes using AWS CloudFormation as the AWS service. Which of the following three services alerts you to modifications performed outside of AWS CloudFormation? (Select three.)
A. AWS Config B. AWS Simple Notification Service C. AWS CloudFormation
What are three services that aid in DDoS mitigation? (Select two.)
A. AWS Shield B. CloudFront
An organization creates dynamic, high-resolution online content. Internet users access material through a range of devices, including smartphones, tablets, and desktop computers.Each platform gets a unique experience that takes into consideration the various viewing modes. Each platform utilizes a dedicated, auto-scaling fleet of Amazon EC2 instances to deliver content based on path-based headers.Which service combination will MINIMIZE costs while MAXIMIZING performance? (Select two.)
A. Amazon CloudFront with {email protected} B. Application Load Balancer
What CloudWatch properties are utilized to generate the statistics?
All the options are used. 1. Dimension 2. data point unit 2. NameSpace
To deploy security modifications in your company, you must first establish a baseline of regular traffic flow.Which two things are the most appropriate? (Select two.)
A. An IDS B. CloudWatch
You are configuring numerous Direct Connect lines for your business and need them to be in a high-availability Active/Passive configuration with exceptional sensitivity to failures in order to promote extremely short failover times. Additionally, you must be able to control which connection is active.What are the two configuration adjustments that you should make? (Select two.)
A. BFD B. AS_PATH Prepending
An organization's current on-premises infrastructure will be extended into the cloud. The concept incorporates a transit VPC with stateful firewalls that will be deployed in a highly available manner across two Availability Zones for automated failover.What MUST be set in order for this design to function properly? (Select two.)
A. Border Gateway Protocol {BGP} routing B. Autonomous System {AS} path prepending
You've just connected two VPCs and need to optimize performance for the instances you're about to deploy. What are the two actions you'd take to accomplish this?(Select two.)
A. Create two subnets in the same AZ & create a placement group. D. Ensure you choose instances that use enhanced networking.
You've constructed your own VPC. What are the two steps necessary to SSH straight into your instance? (Select two.)
A. Enable Public IP addresses B. Attach an Internet Gateway
On AWS, a company hosts a consumer-facing website. The AWS Application Load Balancer is used to load balance the Amazon EC2-based web fleet; Amazon Route 53 is utilized to offer public DNS services.To provide content to end users, the following URLs must be used:test.example.comweb.example.comexample.comWhich mix of services must be employed to satisfy the need based on this information? (Select two.)
A. Host condition in ALB listener to route *.example.com to appropriate target groups. B. Host condition in ALB listener to route example,com to appropriate target groups.
Your organization is preparing to migrate from IPv4 to IPv6, but is worried about the security implications of assigning public IPv6 addresses to instances on a public network. They now utilize a NAT to permit outbound traffic. Updates need outbound traffic. What are two possible solutions to your business's concerns? (Select two.)
A. Remove any rules allowing ::/0 inbound in the security group. C. Create an egress-only internet gateway
A business has placed an order for a new AWS Direct Connect connection. According to the AWS Management Console, the connection is accessible and the BGP status is active. However, using ping on the organization's private IP address, the networking team is unable to access instances in the VPC.What may be causing this connection problem? (Select two.)
A. The instance security group does not allow ICMP traffic. B. The on-premises router is not advertising the correct CIDR range to AWS.
A business configures a virtual interface for access to Amazon S3 using a freshly provisioned 1-Gbps AWS Direct Connect connection.Which configuration settings are needed of the network engineer? (Select two.)
A. VLAN ID B. IP prefixes to advertise.
Your firm manages IP address distribution via the use of an IP Address Management (IPAM) tool. The IPAM makes an API available. CloudFormation is used by development teams to provide authorized reference architectures. IP addresses must be assigned to the VPC during deployment. When a virtual private cloud is destroyed, the IPAM must recover the virtual private cloud's IP allocation.Which approach enables the IPAM to be integrated with CloudFormation in an effective and automated manner?
AWS CloudFormation custom resource using an AWS Lambda invocation.
A user is attempting to comprehend the intricacies of the CloudWatch monitoring concept.Which of the following services does not provide comprehensive monitoring through CloudWatch?
AWS EMR
Which of the following assertions about Amazon Web Services Elastic Beanstalk is true?
AWS Elastic Beanstalk uses CloudWatch for monitoring & alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
Which of the following services is utilized by CloudWatch to issue an alert?
AWS SNS
A business runs services in a virtual private cloud (VPC) using the CIDR block 10.5.0.0/22. End users remark that they are unable to supply additional resources due to the fact that some of the VPC's subnets have run out of IP addresses.What is the proper way for a network engineer to handle this issue?
Add 10.5.4.0/22 as second CIDR block to the VPC. Create a new subnet with a new CIDR block, & provision new resources in the new subnet.
Your organization has implemented a hybrid high-availability solution that consists of two Direct Connect connections and a backup VPN connection. For some reason, traffic seems to favor the VPN connection over the straight connection. Although you've prefixed the VPN connection with a larger AS_PATH, AWS still favors it over Direct Connect connections.What may you be able to do to resolve this situation?
Advertise a less specific prefix on the VPN.
Using the VPC wizard, a user constructed a VPC with CIDR 20.0.0.0/16 with just a private subnet and VPN connection. The user wishes to establish an SSH connection to an instance located on a private subnet.How should the user provide the SSH security rule?
Allow Inbound traffic on port 22 from the user's network.
Which statement concerning accessing a distant AWS region in the United States using your US-based AWS Direct Connect is NOT true?
Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.
You work as a network engineer for a business that just acquired a DX connection. You checked that your equipment meets all technical criteria, that everything is connected, and that all of your information is right with your AWS account manager and colocation provider. The link does not work properly for some reason.What may be the issue?
Autonegotiation is enabled.
What are the two routing strategies that Route 53 employs? (Select two.)
B. Failover C. Latency
In many AWS Regions, a gaming firm is hosting an online multiplayer game. The firm requires that traffic from its end users be routed to the Region that is geographically closest to the end users. When a Region undergoes maintenance, traffic must be routed to the next closest Region with no change to the IP addresses used by end users as connections.Which solution will satisfy these criteria?
Configure AWS Global Accelerator in front of all the regions
Your organization use an NTP server to maintain time synchronization across platforms. The organization utilizes a variety of Linux and Windows operating systems. You realize that the NTP server has failed and that you need to provide your instances with an additional NTP server.Where should the NTP server update be applied to ensure that information is propagated without restarting your operating instances?
DHCP Options Set
Complete the following sentences: One of the fundamental aspects of your VPC's security groups is that you_____.
Can specify allow rules, but not deny rules.
Which AWS utility records API calls for a single AWS account and also provides the account's log files?
CloudTrail
Which service would you utilize to determine whether any changes have occurred to your infrastructure?
Config
Various apps are operating in VPCs across multiple AWS accounts for an enterprise. The network engineer has created a central VPC and configured it with a pair of software VPN instances that operate IPSec tunnels with dynamic routing to all application VPCs' VGWs. This central VPC is linked to on-premises resources through a private VIF using a Direct Connect connection.What extra setup is necessary to allow apps inside VPCs to interact and use on-premises resources?
Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.
A business creates an AWS Direct Connect connection to provide access to Amazon EC2 resources distributed across several Amazon VPCs and data stored in private Amazon S3 buckets. The Network Engineer is responsible for configuring the on-premises router of the organization for this Direct Connect connection.Which of the following activities will have the LEAST setup overhead on the customer router?
Configure a private virtual interface to a Direct Connect gateway for the VPC resources & a public virtual interface for Amazon S3.
Your hybrid networking infrastructure comprises of two virtual private clouds for applications, a virtual private cloud for shared services, and your corporate network. The corporate network is linked to the shared services virtual private cloud (VPC) through an IPsec VPN that supports dynamic (BGP) routing.Access to a shared authentication service in the shared services VPC is required by the apps. Native network connectivity from the corporate network to both application VPCs must be enabled.Which course of action should you take to comply with the requirements?
Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.
You have a hybrid architecture and have setup an EC2 instance in your 10.1.3.0/24 subnet with your own DNS server. This subnet is located on VPC 10.1.0.0/16. Your data center must be capable of resolving Route 53 requests inside your own hosted zone. What steps must you take to achieve this?
Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2
A business connects to a VPC through AWS Direct Connect, utilizing a private VIF as the primary connection and a dynamic VPN connection as a backup. The company's Reliability Engineering team has been conducting failover and resilience testing on the network and current VPC by simulating a Direct Connect outage. During the resilience testing, traffic did not successfully transition to the backup VPN connection.How can this problem be resolved?
Confirm that the same routes are being advertised over both the VPN & Direct Connect
Your data center and VPC are connected by a static VPN. Your route table currently has 50 routes. You want to increase the number; how should you proceed?
Convert your VPN to a dynamic VPN & use BGP.
Your business is constructing a new data center. Currently, you have an on-premises data center that connects through VPN to your single VPC. You must provide your new data center access to your single VPC. Due to the fact that your new data center construction is already over budget, you must keep expenses down.How should this be accomplished?
Create a new Customer Gateway & add it to your VPN using a CloudHub infrastructure model.
To serve IPv6-native mobile clients, an organization created an IPv6-only web site. Front-end instances are launched in an Amazon VPC with an assigned IPv6 CIDR. The IPv4 CIDR of the VPC is completely used. Each of the two Availability Zones has a single subnet with correctly configured IPv6 CIDR associations. Auto Scaling is set correctly, and there is no usage of Elastic Load Balancing.Customers report that the service is inaccessible at times of high demand. When the network engineer tries to manually launch an instance, he gets the following message: 'There are insufficient available addresses in subnet'subnet-12345678' to support the desired number of instances.'What step will remedy the issue of availability?
Create a new subnet using a VPC secondary IPv4 CIDR, & associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
Which of the following statements concerning placement groups is false?
If you stop an instance & restart it, it will always return to the same placement group.
A Network Engineer need automated notification when a certain TCP port on a fleet of Amazon EC2 instances operating in an Amazon VPC is visited.Which of the following solutions is the MOST RESPONSIBLE?
Create an inbound rule in the VPC's network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero,
Your business just acquired a domain from another registrar and want to utilize the same nameservers as your existing AWS-hosted domain.How is this to be accomplished?
In the API, create a Reusable Delegation Set.
A business is in the process of migrating an application from an on-premises data center to AWS. The following needs regarding DNS have been identified as part of the planning process.✑ On-premises systems must be able to resolve the entries in an Amazon Route 53 private hosted zone.✑ Amazon EC2 instances running in the organization's VPC must be able to resolve the DNS names of on-premises systemsThe organization's VPC utilizes the CIDR block 172.16.0.0/16.How can these conditions be accomplished, assuming that there is no DNS namespace overlap?
Deploy & configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, & forward all other queries to the Amazon-provided DNS server {172.16.0.2}. Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the proxies as authoritative for the Route 53 private hosted zone.
A business must enable distant users to access firm resources hosted on the AWS Cloud. The organization has two virtual private clouds (VPCs) that are linked through VPC peering. Remote users must be able to connect securely to resources in both VPCs through their laptop computers. The organization is not interested in using an access control system that would increase its expenses or effort.Which solution satisfies these criteria?
Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both CPCs to allow traffic from the security group for the subnet association. securely send the users the configuration options, & instruct the users to install ClientVPN on their laptops. Instruct the users to connect to the ClientVPN endpoint to gain access to the resources.
The application of a business is hosted in a VPC and sensitive data is stored in Amazon S3. Amazon EC2 instances for the application are situated in a private subnet, with a NAT gateway on a public network providing access to Amazon S3. S3 buckets are stored in the same AWS Region as EC2 instances. The organization want to restrict access to this bucket to the VPC in where the application lives.Which modifications to the design should a network engineer make to fulfill these requirements?
Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
A user is having data created at random in response to a certain occurrence. The user wishes to submit the corresponding data to CloudWatch. It is possible that an event will create no data for a period of time owing to randomness.Which of the following choices is the most appropriate in this case?
For the period when there is no data the use should send the value as 0.
Your business just purchased another. You have two virtual private clouds (VPCs)? The first is 172.31.0.0/16, whereas the second is 10.111.0.0/16. The purchased company's VPC is located at 10.111.0.0/16. Your VPC "A" has a cluster of 12 servers whose IP addresses range from 10.111.2.101 to 10.111.2.112. Their VPC "B" has twenty servers between 10.111.2.171 and 10.111.2.190.Both VPCs must be accessed through the 172.31.0.0/16 VPC "C".What is the most effective strategy for resolving this issue?
From VPC C, create a peering connection & add a route to VPC A's peering connection for 10.111.2.96/27 & a route to VPC B's peering connection for 10.111.2.0/24
You are the AWS cloud architect for your organization. You've established a VPC topology comprised of three VPCs. You have a centralized virtual private network (VPC-Shared) that delivers shared services to the other two departmental dedicated virtual private networks (VPCs) (VPC-Dept1 and VPC-Dept2). The centralised VPC is peering with both departmental VPCs, namely VPC-Shared and VPC-Dept1, and VPC-Shared and VPC-Dept2.Choose the appropriate item from the drop-down menu below.
Instances within VPC-Dept can communicate directly with instances in VPC-shared, as long as the appropriate routes & security groups are in place, & vice versa regardless of who initiates communication.
Choose the answer(s) that accurately describe how Jumbo Frames function.
Jumbo Frames can assist with application performance.
Each unique AWS Config rule you write must be accompanied by a(n) AWS____ containing the logic for determining if your AWS resources conform with the rule.
Lambda function
Your organization operates an HTTPS application in several Availability Zones utilizing an Elastic Load Balancing (ELB) load balancer/PHP on a nginx server/RDS. To produce dynamic content, you must apply Geographic Restriction and specify the client's IP address in your application.How should you scale this work by using AWS services?
Modify the application code to use value of X-Forwarded-For & CloudFront to apply the Geographic Restriction.
Multiple IAM users have been created by the owner of an AWS account. One of these IAM users, John, has access to CloudWatch but not to EC2 services. John has configured an alert action that terminates EC2 instances when their CPU usage falls below a predefined threshold. What happens if the CPU Utilization rate of an EC2 instance falls below the threshold John has specified?
Nothing will happen. John can setup the action, but it will not be executed because he does not have EC2 access through IAM policies.
Which of the following statements concerning elastic IP addresses is false?
Once an EIP is associated with an instance, you must manually change the hostname if you want it to match.
The users of your AWS WorkSpaces are unable to authenticate. What may be one possible explanation for this?
Port 389 is not open to your AD server.
By default, which service is utilized to store CloudTrail log files?
Simple Storage Service {S3}
Your virtual private network (VPC) has a DX connection that advertises 99 routes. You need to add two more prefixes: 10.223.1.0/24 and 10.223.2.0/24. Because you have several locations, you must be as precise as possible with your routing.How would you go about doing this?
Summarize the routes into a 10.223.0.0/22 & advertise that route instead.
An business with a growing ecommerce presence utilizes AWS CloudHSM to offload its web server fleet's SSL/TLS processing. To manage expansion, the organization uses Amazon EC2 Auto Scaling for web servers. What is the ideal architectural technique for scaling the encryption operation?
Use multiple CloudHSM instances to the cluster; request to it will automatically load balance.
You are responsible for the administration of a web service that is utilized by client applications deployed in 300 locations globally. The web service architecture is comprised of an Elastic Load Balancer (ELB) that distributes traffic across four application servers distributed across two Availability Zones in an Auto Scaling group.Round robin is enabled on the ELB, and sticky sessions are deactivated. You've setup your NACLs and security groups to permit access to port 22 from your bastion server and to port 80 from 0.0.0.0/0. Each regional IT team is responsible for client configuration.You discover that a high volume of requests from improperly configured websites is causing a single application server to deteriorate. The rest of the requests are dispersed evenly across all servers without causing any adverse impact.What steps should you take to rectify the issue and avoid recurrences?
Update the Security Groups to only allow port 80 to the application servers from the ELB.
The network engineer of a business must examine and monitor DNS traffic. The organization utilizes Amazon Route 53 to manage its public hosted zone's DNS. All DNS requests must be recorded and analyzed in the future.What actions should the network engineer take to ensure compliance with these requirements?
Use Route 53 query logging to log information to Amazon CloudWatch Logs about the queries that Route 53 receives
Your organization is connecting one data center to numerous VPCs through a single router and requires transitive access to them. What are your options?
Use a transit VPC with a VPN running on one or more EC2 instances to route traffic between the VPCs
A business requires access to an AWS VPC for 225 mobile and desktop devices, as well as 300 partner VPNs. VPN users should be unable to communicate with one another.Which strategy satisfies technical and security needs while being cost effective?
Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing & connectivity.
A traditional on-premises web application cannot be adequately load balanced. Both planned and unforeseen events may result in increases in use for millions of concurrent users. The present infrastructure is incapable of handling the surges in consumption. The CIO has instructed that the application be relocated to the cloud to minimize future interruptions, with the added stipulation that source IP addresses remain unchanged to fulfill network traffic monitoring requirements. Which of the following designs satisfies these specifications?
Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.
Your company has suspended a project and terminated 30 public EC2 instances. These instances make use of instance store volumes and do not include bespoke AMIs. You continue to be charged on a monthly basis.What is the likely purpose of the charge?
You have Elastic IPs associated with those instances.
AWS CloudTrail may be set to_____ log data from various accounts and regions into a single bucket.
aggregate
You must identify the subnet, security group, and VPC with which your instance is linked. You have access to the instance's terminal only if you have the admin role associated.Which component of the command would you use first?
aws ec2 describe-instances
To change the name of the AWS Config____, you must stop the configuration recorder, remove the existing one, and establish a new one with the new name, since each AWS account can only have one of these.
delivery channel