ANS-C00 Questions and Answers

Question # 6

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through the on-premises version of the application to serve the small portion of customers who haven’t yet upgraded.

What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

A.

Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS-based version.

B.

Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.

C.

Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.

D.

Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use header-based routing to route traffic based on the application version.

Question # 7

An organization's Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.

What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

A.

Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.

B.

Provision a private virtual interface for each VPC connection.

C.

Enable VPC Flow Logs for each VPC.

D.

Use AWS KMS to encrypt traffic between on-premises and AWS.

E.

Provision a VPN connection to each VPC over the internet.

Question # 8

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.

The instance has a security group configured to allow as follows:

  • Protocol: TCP
  • Port: 80 inbound, nothing outbound

The Network ACL for the subnet is configured to allow as follows:

  • Protocol: TCP
  • Port: 80 inbound, nothing outbound

When you try to browse to the web server, you receive no response.

Which additional step should you take to receive a successful response?

A.

Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80

B.

Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535

C.

Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80

D.

Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535

Question # 9

You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.

What should you do to provide on-premises users with access to the private hosted zone?

A.

Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.

B.

Modify the network access control list on the VPC to allow DNS queries from on-premises systems.

C.

Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.

D.

Update the on-premises forwarders with the four name servers assigned to the private hosted zone.

Question # 10

A department in your company has created a new account that is not part of the organization’s consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department’s on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud (EC2) instance in its new VPC, what are the associated charges?

A.

The company pays Internet Data Out charges.

B.

The company pays AWS Direct Connect Data Out charges.

C.

The department pays Internet Data Out charges.

D.

The department pays AWS Direct Connect Data Out charges.

Question # 11

A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization’s security team, the VPN must meet the following requirements:

  • AES 128-bit encryption
  • SHA-1 hashing
  • User access via SSL VPN
  • PFS using DH Group 2
  • Ability to maintain/rotate keys and passwords
  • Certificate-based authentication

Which solution should you recommend so that the organization meets the requirements?

A.

AWS hardware VPN between the virtual private gateway and customer gateway

B.

A third-party VPN solution deployed from AWS Marketplace

C.

A private MPLS solution from an international carrier

D.

AWS hardware VPN between the virtual private gateways in each region

Question # 12

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes. Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Select three.)

A.

AWS Config

B.

AWS Simple Notification Service

C.

AWS CloudWatch metrics

D.

AWS Lambda

E.

AWS CloudFormation

F.

AWS Identity and Access Management

Question # 13

A company is deploying a new web application that uses a three-tier model with a public-facing Network Load Balancer and web servers in an Amazon VPC. The application servers are hosted in the company's data center. There is an AWS Direct Connect connection between the VPC and the company’s data center. Load testing results indicate that up to 100 servers, equally distributed across multiple Availability Zones, are required to handle peak loads.

The Network Engineer needs to design a VPC that has a /24 CIDR assigned to it.

How should the Engineer allocate subnets across three Availability Zones for each tier?

A.

Network Load Balancer: /29 per subnet; Web: /26 per subnet

B.

Network Load Balancer: /28 per subnet; Web: /25 per subnet

C.

Network Load Balancer: /28 per subnet; Web: /27 per subnet

D.

Network Load Balancer: /28 per subnet; Web: /26 per subnet

Question # 14

DNS name resolution must be provided for services in the following four zones:

company.private.

emea.company.private.

apac.company.private.

amer.company.private.

The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones.

How can you use Amazon Route 53 to meet these requirements?

A.

Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.

B.

Create a single Route 53 Private Hosted Zone for the zone company.private and associate it with the three VPCs.

C.

Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward

D.

Create a single Route 53 Public Hosted Zone for the zone company.private and configure the VPC DNS Resolver to forward

Question # 15

Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately.

What are the minimum requirements for your router?

A.

1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.

B.

1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.

C.

IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5

D.

BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel

Question # 16

You manage a web service that is used by client applications deployed in 300 offices worldwide. The web service architecture is an Elastic Load Balancer (ELB) distributing traffic across four application servers deployed in an Auto Scaling group across two Availability Zones.

The ELB is configured to use round robin, and sticky sessions are disabled. You have configured the NACLs and Security Groups to allow port 22 from your bastion host, and port 80 from 0.0.0.0/0. The client configuration is managed by each regional IT team.

Upon inspection you find that a large amount of requests from incorrectly configured sites are causing a single application server to degrade. The remainder of the requests are equally distributed across all servers with no negative effects.

What should you do to remedy the situation and prevent future occurrences?

A.

Mark the affected instance as degraded in the ELB and raise it with the client application team.

B.

Update the NACL to only allow port 80 to the application servers from the ELB servers.

C.

Update the Security Groups to only allow port 80 to the application servers from the ELB.

D.

Terminate the affected instance and allow Auto Scaling to create a new instance.

Question # 17

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.

Which configuration change should a network engineer implement to resolve this issue?

A.

Configure the NAT gateway timeout to allow connections for up to 600 seconds

B.

Enable enhanced networking on the client EC2 instances

C.

Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds

D.

Close idle TCP connections through the NAT gateway

Question # 18

A computing team is evaluating whether to place a high performance computing (HPC) application in AWS. The team is concerned about application performance and wants to know what options are available to increase networking performance.

Which of the following changes would increase performance for this application? (Choose two.)

A.

Place the application across many smaller instances to achieve higher total throughput.

B.

Increase the MTU of the VPC to 9001.

C.

Enable an MTU of 9001 in the application's operating system.

D.

Enable enhanced networking on the instances.

E.

Deploy the application in two Availability Zones and insert them in one placement group.

Question # 19

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

A.

Inbound; Protocol tcp; Source [Instance’s EIP]; Destination 169.254.169.254

B.

Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80

C.

Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80

D.

Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443

Question # 20

Your organization needs to resolve DNS entries stored in an Amazon Route 53 private zone “awscloud.internal” from the corporate network. An AWS Direct Connect connection with a private virtual interface is configured to provide access to a VPC with the CIDR block 192.168.0.0/16. A DNS Resolver (BIND) is configured on an Amazon Elastic Compute Cloud (EC2) instance with the IP address 192.168.10.5 within the VPC. The DNS Resolver has standard root server hints configured and conditional forwarding for “awscloud.internal” to the IP address 192.168.0.2.

From your PC on the corporate network, you query the DNS server at 192.168.10.5 for www.amazon.com. The query is successful and returns the appropriate response. When you query for “server.awscloud.internal”, the query times out. You receive no response.

How should you enable successful queries for “server.awscloud.internal”?

A.

Attach an internet gateway to the VPC and create a default route.

B.

Configure the VPC settings for enableDnsHostnames and enableDnsSupport as True

C.

Relocate the BIND DNS Resolver to the corporate network.

D.

Update the security group for the EC2 instance at 192.168.10.5 to allow UDP Port 53 outbound.

Question # 21

A company is running services in a VPC with a CIDR block of 10.5.0.0/22. End users report that they can no longer provision new resources because some of the subnets in the VPC have run out of IP addresses.

How should a network engineer resolve this issue?

A.

Add 10.5.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.

B.

Add 10.5.4.0/21 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.

C.

Add 10.5.4.0/22 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.

D.

Add 10.5.4.0/22 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.

Question # 22

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement a VPC endpoint (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. EC2 instances in neither the public nor the private subnet are able to access the S3 bucket.

What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

A.

Add the CIDR address range of the private subnet to the S3 bucket policy.

B.

Add the VPC-E identifier to the S3 bucket policy.

C.

Add the VPC identifier for the production VPC to the S3 bucket policy.

D.

Add the VPC-E identifier for the production VPC to the endpoint policy.
