
ANS-C00 Questions and Answers

Note: the ANS-C00 exam is retired. Its replacement is ANS-C01; select that exam for certification.


Question # 6

An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPC with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.

What is the MOST simple and secure architecture that will achieve the organization’s goal?

A.

Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.

B.

Use the existing VPC and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.

C.

Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.

D.

Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.

Question # 7

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Select two.)

A.

Public AS number

B.

VLAN ID

C.

IP prefixes to advertise

D.

Direct Connect location

E.

Virtual private gateway

Question # 8

You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC.

Which action is required to support a successful Amazon EMR cluster launch?

A.

Add a conditional forwarder to the Amazon-provided DNS server.

B.

Enable seamless domain join for the Amazon EMR cluster.

C.

Launch an AD connector for the internal domain.

D.

Configure an Amazon Route 53 private zone for the EMR cluster.

Question # 9

You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.

What should you do to provide on-premises users with access to the private hosted zone?

A.

Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.

B.

Modify the network access control list on the VPC to allow DNS queries from on-premises systems.

C.

Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.

D.

Update the on-premises forwarders with the four name servers assigned to the private hosted zone.

Question # 10

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes, but the client EC2 instances never received the response.

Which configuration change should a network engineer implement to resolve this issue?

A.

Configure the NAT gateway timeout to allow connections for up to 600 seconds

B.

Enable enhanced networking on the client EC2 instances

C.

Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds

D.

Close idle TCP connections through the NAT gateway.
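
The failure mode in this question is a NAT translation that expires while the connection is silent. A NAT gateway drops the state for a TCP connection that has been idle for 350 seconds (the documented timeout), so a 7-minute query with no packets in either direction loses its mapping and the eventual response has nowhere to go. TCP keepalive probes are ordinary packets from the NAT gateway's point of view, so a probe interval below the timeout keeps the mapping alive. The following is an added example, not code from the original page: it enables per-socket keepalive on Linux/macOS and checks a proposed setting against the NAT timeout. The 240 s / 60 s / 5 probe values are a hypothetical budget chosen for the example.

```python
import socket

NAT_GATEWAY_IDLE_TIMEOUT = 350    # seconds; documented NAT gateway idle timeout

# Hypothetical keepalive budget for this example: every gap between packets
# stays under the 300 s the question names, and well under the NAT timeout.
KEEPALIVE_IDLE_SECONDS = 240      # first probe after 240 s without traffic
KEEPALIVE_INTERVAL_SECONDS = 60   # then one probe every 60 s
KEEPALIVE_PROBES = 5              # declare the peer dead after 5 unanswered probes

# Linux kernel defaults (net.ipv4.tcp_keepalive_time / _intvl), for comparison.
LINUX_DEFAULT_IDLE = 7200
LINUX_DEFAULT_INTERVAL = 75


def longest_silence(idle, interval):
    """Longest gap between packets on an idle keepalive-enabled connection:
    the idle period before the first probe, or the probe interval after it."""
    return max(idle, interval)


def keeps_mapping_alive(idle, interval, nat_idle_timeout=NAT_GATEWAY_IDLE_TIMEOUT):
    """True if a probe always arrives before the NAT translation expires."""
    return longest_silence(idle, interval) < nat_idle_timeout


def read_keepalive(sock):
    """Read back the effective settings (None where the platform lacks the option)."""
    def get(name):
        opt = getattr(socket, name, None)
        return None if opt is None else sock.getsockopt(socket.IPPROTO_TCP, opt)

    idle = get("TCP_KEEPIDLE")
    if idle is None:              # macOS spells the idle timer TCP_KEEPALIVE
        idle = get("TCP_KEEPALIVE")
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        "idle": idle,
        "interval": get("TCP_KEEPINTVL"),
        "probes": get("TCP_KEEPCNT"),
    }


def enable_tcp_keepalive(sock, idle=KEEPALIVE_IDLE_SECONDS,
                         interval=KEEPALIVE_INTERVAL_SECONDS,
                         probes=KEEPALIVE_PROBES):
    """Enable per-socket TCP keepalive and return the settings read back.
    Per-socket options override the kernel-wide sysctl defaults for this socket only."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return read_keepalive(sock)


def demo_socket_settings(idle=KEEPALIVE_IDLE_SECONDS,
                         interval=KEEPALIVE_INTERVAL_SECONDS,
                         probes=KEEPALIVE_PROBES):
    """Apply the settings to a fresh, unconnected TCP socket (no network needed)
    and return what the kernel reports back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return enable_tcp_keepalive(s, idle, interval, probes)


if __name__ == "__main__":
    print("per-socket settings:", demo_socket_settings())
    print("kernel defaults keep NAT mapping alive:",
          keeps_mapping_alive(LINUX_DEFAULT_IDLE, LINUX_DEFAULT_INTERVAL))
    print("example budget keeps NAT mapping alive:",
          keeps_mapping_alive(KEEPALIVE_IDLE_SECONDS, KEEPALIVE_INTERVAL_SECONDS))
```

The comparison against the Linux defaults is the practical point: SO_KEEPALIVE alone is not enough, because the default first probe goes out after two hours, long after the 350 s mapping has gone. Either set the per-socket options as above in the client, or lower `net.ipv4.tcp_keepalive_time` system-wide on the instances, and confirm the client library actually enables keepalive on its database connections.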

Question # 11

Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.

The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs.

Which step should you take to meet the requirements?

A.

Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.

B.

Configure an IPsec VPN between the virtual private gateway in each application VPC to the virtual private gateway in the shared services VPC.

C.

Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.

D.

Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.

Question # 12

An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.

What connection option should the organization use to get up and running at minimal cost?

A.

Use an internet connection.

B.

Set up an AWS VPN connection.

C.

Provision an AWS Direct Connect private virtual interface.

D.

Provision a Direct Connect public virtual interface.

Question # 13

An organization runs a consumer-facing website on AWS. The Amazon EC2-based web fleet is load balanced using an AWS Application Load Balancer, and Amazon Route 53 provides the public DNS service.

The following URLs need to serve content to end users:

test.example.com

web.example.com

example.com

Based on this information, what combination of services must be used to meet the requirement? (Select two.)

A.

Path condition in ALB listener to route example.com to appropriate target groups.

B.

Host condition in ALB listener to route *.example.com to appropriate target groups.

C.

Host condition in ALB listener to route example.com to appropriate target groups.

D.

Path condition in ALB listener to route *.example.com to appropriate target groups.

E.

Host condition in ALB listener to route $$$$.example.com to appropriate target groups.
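
The detail this question turns on is how an ALB host-header condition treats wildcards: `*` matches zero or more characters and `?` exactly one, matching is case-insensitive, and a pattern of `*.example.com` therefore does not match the bare apex `example.com` (the literal dot must be present). The following is an added example, not part of the original page, that reproduces that matching over a constructed set of listener rules so the behaviour can be checked offline. The rule priorities, target group names and the decision to strip a `:port` suffix before matching are assumptions of the example, not statements about the ALB implementation.

```python
import re

# Constructed listener rules for this example, evaluated in priority order.
# Target group names are hypothetical.
RULES = [
    {"priority": 10, "host_header": "*.example.com", "target_group": "tg-subdomains"},
    {"priority": 20, "host_header": "example.com",   "target_group": "tg-apex"},
]
DEFAULT_TARGET_GROUP = "tg-default"   # the listener's default action


def host_pattern_to_regex(pattern):
    """Translate an ALB-style host condition into an anchored regex:
    '*' -> zero or more characters, '?' -> exactly one, everything else literal,
    case-insensitive. Note that '*' here also spans dots, so '*.example.com'
    matches 'a.b.example.com' as well as 'web.example.com'."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def host_matches(pattern, host):
    # Assumption of this example: a trailing ':port' in the Host header is
    # ignored before comparison.
    host = re.sub(r":\d+$", "", host)
    return host_pattern_to_regex(pattern).match(host) is not None


def route(rules, host, default=DEFAULT_TARGET_GROUP):
    """Lowest priority number first; the first matching rule wins,
    otherwise the default action applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if host_matches(rule["host_header"], host):
            return rule["target_group"]
    return default


if __name__ == "__main__":
    for h in ("test.example.com", "web.example.com", "example.com",
              "EXAMPLE.COM:443", "example.com.attacker.test"):
        print(f"{h:30} -> {route(RULES, h)}")
    # With only the wildcard rule the apex falls through to the default action:
    print("apex with wildcard rule only ->", route(RULES[:1], "example.com"))
```

The last line is the one to remember: a deployment that configures only `*.example.com` sends `example.com` to the default action, which is frequently a catch-all or a fixed response, so the apex needs its own host condition. The opposite caveat is also visible in the code: because `*` spans dots, anything an attacker can get resolved under `example.com` (for example a dangling subdomain) is routed by the wildcard rule too.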

Question # 14

A company has an application running on Amazon EC2 instances in a private subnet that connects to a third-party service provider's public HTTP endpoint through a NAT gateway. As request rates increase, new connections are starting to fail. At the same time, the ErrorPortAllocation Amazon CloudWatch metric count for the NAT gateway is increasing.

Which of the following actions should improve the connectivity issues? (Choose two.)

A.

Allocate additional elastic IP addresses to the NAT gateway.

B.

Request that the third-party service provider implement HTTP keepalive.

C.

Implement TCP keepalive on the client instances.

D.

Create additional NAT gateways and update the private subnet route table to introduce the new NAT gateways.

E.

Create additional NAT gateways in the public subnet and split client instances into multiple private subnets, each with a route to a different NAT gateway.

Question # 15

A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC.

Which of the following is the MOST reliable solution?

A.

Create an inbound rule in the VPC's network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

B.

Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.

C.

Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required port. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

D.

Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accessed. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
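
VPC Flow Logs are the option that needs no agent on the instances and survives a compromised or rebuilt host, which is why it is worth being precise about what the metric filter actually selects. The following is an added example, not code from the original page: it shows the CloudWatch Logs filter pattern for a given destination port (in the default space-delimited flow log format) and runs the equivalent selection over a constructed set of flow log records, so the counting logic behind the alarm can be checked offline. The account ID, ENI and addresses in the sample are placeholders, and the alarm threshold is the "greater than zero" from the question.

```python
from collections import Counter

# Constructed sample records in the default VPC flow log format (version 2);
# not captured traffic. Fields: version account-id interface-id srcaddr dstaddr
# srcport dstport protocol packets bytes start end action log-status.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51201 22 6 8 520 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.5 22 51201 6 7 1100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.20 44110 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.31 10.0.1.20 60040 443 6 12 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.77 10.0.1.20 53022 22 17 1 64 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


def metric_filter_pattern(port, protocol=6, action="ACCEPT"):
    """The CloudWatch Logs space-delimited filter pattern that selects the same
    records as count_port_hits(); this is what a metric filter on the flow log
    group would be created with."""
    return ("[version, account_id, interface_id, srcaddr, dstaddr, srcport, "
            f'dstport="{port}", protocol="{protocol}", packets, bytes, start, end, '
            f'action="{action}", log_status]')


def parse_record(line):
    """Split one default-format record into a dict; None if it is malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def count_port_hits(lines, port, protocol=6, action="ACCEPT"):
    """Count records whose destination port and protocol match (and action,
    unless action is None) and tally them by source address. NODATA/SKIPDATA
    records carry '-' in the port fields and never match; the reverse
    direction of a flow has the port as srcport, so it is not double-counted."""
    total = 0
    sources = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["dstport"] != str(port) or rec["protocol"] != str(protocol):
            continue
        if action is not None and rec["action"] != action:
            continue
        total += 1
        sources[rec["srcaddr"]] += 1
    return total, sources


def alarm_should_fire(lines, port, threshold=0, **kw):
    """Equivalent of a CloudWatch alarm with GreaterThanThreshold on the metric
    the filter emits, summed over one evaluation period."""
    total, _ = count_port_hits(lines, port, **kw)
    return total > threshold


if __name__ == "__main__":
    lines = SAMPLE_FLOW_LOGS.splitlines()
    print(metric_filter_pattern(22))
    print("accepted TCP/22:", count_port_hits(lines, 22))
    print("any TCP/22 (incl. REJECT):", count_port_hits(lines, 22, action=None))
    print("alarm:", alarm_should_fire(lines, 22))
```

Two caveats apply when this backs a notification. Flow log records are aggregated over a capture window (one or ten minutes) and then published, so the alarm fires minutes after the access, which is "reliable" in the sense of the question but not real-time. And the pattern above only counts accepted connections; filtering on `action="REJECT"` (or dropping the action field, as `action=None` does here) is what you want when the goal is to see who is probing the port rather than who reached it.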

Question # 16

Your organization’s corporate website must be available on www.acme.com and acme.com.

How should you configure Amazon Route 53 to meet this requirement?

A.

Configure acme.com with an ALIAS record targeting the ELB. www.acme.com with an ALIAS record targeting the ELB.

B.

Configure acme.com with an A record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.

C.

Configure acme.com with a CNAME record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.

D.

Configure acme.com using a second ALIAS record with the ELB target. www.acme.com using a PTR record with the acme.com record target.

Question # 17

A logistics company has deployed a hybrid environment that has multiple VPCs in both the us-east-1 Region and the af-south-1 Region. The on-premises data center is connected to us-east-1 through an AWS Direct Connect connection. The Direct Connect connection is connected to a Direct Connect gateway that is associated with a transit gateway. The transit gateway is attached to all the VPCs in us-east-1.

An application that is deployed in af-south-1 requires access to a database in the data center. The application also requires access to file storage in a VPC in us-east-1.

Which solution will meet these requirements with the LOWEST latency?

A.

Create a transit gateway in af-south-1, and attach the VPCs. Create a transit gateway peering connection between the transit gateways.

B.

Create a Direct Connect connection in af-south-1, and attach the VPCs with a Direct Connect gateway and a transit gateway. Create an AWS Site-to-Site VPN connection over the internet between the Direct Connect connections.

C.

Create a transit gateway in af-south-1, and attach the VPCs. Associate the transit gateway in af-south-1 with the Direct Connect gateway in us-east-1.

D.

Create inter-Region VPC peering connections between the VPCs in each Region. Use the transit gateway attachments in us-east-1 to access the database in the data center.

Question # 18

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company’s highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high-bandwidth, low-latency access to S3. Since the company does not own a publicly routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).

The security team is calling this new connection a “backdoor”, and you have been asked to clarify the risk to the company.

Which concern from the security team is valid and should be addressed?

A.

AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.

B.

Direct Connect customers with a Public VIF in the same region could directly reach the router.

C.

EC2 instances in the same region with access to the Internet could directly reach the router.

D.

The S3 service could reach the router through a pre-configured VPC Endpoint.

Question # 19

A company wants to conduct a proof of concept for an SAP HANA application with a key objective of automating the provisioning of the infrastructure and the application. The company operates a hybrid cloud infrastructure with AWS Direct Connect between its data center and VPC. Security policy dictates that all traffic from AWS be routed through on-premises data center firewalls. Security policy also prohibits the use of a VPC internet gateway for internet access. The company enforces use of a forward proxy server for all outbound network traffic. All resources inside the VPC are able to reach on-premises servers.

All Amazon EC2 Linux instances require package updates over the internet. However, the updates are failing and sending errors.

What would cause these errors?

A.

Inbound security groups are configured incorrectly on the EC2 instances running in the VPC.

B.

The VPC route table does not have entries for the proxy server in the data center.

C.

The EC2 instances are not configured to use the proxy running in the data center for traffic on TCP port 80.

D.

The data center firewall is blocking all traffic sent from the VPC CIDR range destined for 0.0.0.0/0.

Question # 20

A company's network engineer needs to evaluate and monitor DNS traffic. The company uses Amazon Route 53 as the DNS service for its public hosted zone. All DNS queries must be captured for future analysis.

What should the network engineer do to meet these requirements?

A.

Use AWS WAF to log information to Amazon CloudWatch Logs about the queries that Route 53 receives.

B.

Use VPC Flow Logs to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives.

C.

Use Route 53 query logging to log information to Amazon CloudWatch Logs about the queries that Route 53 receives.

D.

Use AWS CloudTrail to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives.
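
Route 53 query logging for a public hosted zone writes one space-delimited line per query that reaches Route 53 (queries answered from a resolver's cache never appear), with the fields log format version, timestamp, hosted zone ID, query name, query type, response code, transport protocol, Route 53 edge location, resolver IP and EDNS client subnet. The following is an added example, not code from the original page, that parses constructed lines in that format and pulls out the two things a practitioner usually looks for first: the breakdown by type and response code, and resolvers producing bursts of NXDOMAIN, which is the usual signature of subdomain enumeration against the zone. The hosted zone ID, addresses and threshold are placeholders.

```python
from collections import Counter

# Constructed sample lines in the Route 53 public hosted zone query log
# format; zone ID, resolver addresses and client subnet are placeholders.
SAMPLE_QUERY_LOGS = """\
1.0 2023-11-14T08:16:02.130Z Z1234567890ABC example.com A NOERROR UDP IAD12 192.0.2.44 -
1.0 2023-11-14T08:16:02.310Z Z1234567890ABC www.example.com AAAA NOERROR UDP FRA6 198.51.100.7 198.51.100.0/24
1.0 2023-11-14T08:16:03.001Z Z1234567890ABC nonexistent.example.com A NXDOMAIN TCP IAD12 192.0.2.44 -
1.0 2023-11-14T08:16:03.450Z Z1234567890ABC example.com TXT NOERROR UDP SIN2 203.0.113.9 -
1.0 2023-11-14T08:16:04.002Z Z1234567890ABC db-backup.example.com A NXDOMAIN UDP IAD12 192.0.2.44 -
"""

FIELDS = ("version", "timestamp", "hosted_zone_id", "query_name", "query_type",
          "response_code", "protocol", "edge_location", "resolver_ip",
          "edns_client_subnet")


def parse_query_log(line):
    """Split one query log line into a dict; None if the field count is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize(lines):
    """Counts by query type, response code and resolver, plus the names that
    produced NXDOMAIN (in log order, deduplicated)."""
    by_type, by_rcode, by_resolver = Counter(), Counter(), Counter()
    nxdomain_names = []
    for line in lines:
        rec = parse_query_log(line)
        if rec is None:
            continue
        by_type[rec["query_type"]] += 1
        by_rcode[rec["response_code"]] += 1
        by_resolver[rec["resolver_ip"]] += 1
        if rec["response_code"] == "NXDOMAIN" and rec["query_name"] not in nxdomain_names:
            nxdomain_names.append(rec["query_name"])
    return {"by_type": by_type, "by_rcode": by_rcode,
            "by_resolver": by_resolver, "nxdomain_names": nxdomain_names}


def noisy_resolvers(lines, rcode="NXDOMAIN", min_count=2):
    """Resolver IPs that produced at least min_count responses with the given
    code, most active first. The threshold is a placeholder; tune it to the
    zone's normal NXDOMAIN rate."""
    per_resolver = Counter()
    for line in lines:
        rec = parse_query_log(line)
        if rec is not None and rec["response_code"] == rcode:
            per_resolver[rec["resolver_ip"]] += 1
    return [ip for ip, n in per_resolver.most_common() if n >= min_count]


if __name__ == "__main__":
    lines = SAMPLE_QUERY_LOGS.splitlines()
    for key, value in summarize(lines).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    print("noisy resolvers:", noisy_resolvers(lines))
```

Two operational notes when turning this on: the CloudWatch Logs log group that receives public hosted zone query logs must be in us-east-1 regardless of where the rest of the workload lives, and the resolver IP in the log is the recursive resolver that asked Route 53 (a public resolver or an ISP), not the end client; the EDNS client subnet field is the only client-side hint and is often `-`. Query logging for resolution inside a VPC (private hosted zones, on-premises forwarders) is a separate feature, Route 53 Resolver query logging, and is not what this question asks about.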

Question # 21

An organization's Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.

What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

A.

Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.

B.

Provision a private virtual interface for each VPC connection.

C.

Enable VPC Flow Logs for each VPC.

D.

Use AWS KMS to encrypt traffic between on-premises and AWS.

E.

Provision a VPN connection to each VPC over the internet.

Question # 22

Your company’s policy requires that all VPCs peer with a “common services” VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common services VPC as required by policy. You launch an Amazon EC2 Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC. The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.

Which step should you take to enable access to Amazon S3?

A.

Update the S3 bucket policy with the private IP address of the instance.

B.

Exclude 169.254.169.0/24 from the instance’s proxy configuration.

C.

Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.

D.

Update the CORS configuration for Amazon S3 to allow traffic from the proxy.
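
The mechanism behind this question is where the SDK gets the role's credentials: it fetches them from the instance metadata service at the link-local address 169.254.169.254, which is reachable only from the instance itself. If the proxy configuration sends every HTTP request to the layer 7 proxies in the peered VPC, the credential fetch goes there too and cannot succeed, so the SDK ends up signing nothing and S3 answers 403. A no-proxy exclusion is what keeps that one request local. The following is an added example, not code from the original page: it implements a NO_PROXY-style bypass decision with CIDR, exact-host and suffix entries and shows which requests go direct under a few configurations. The proxy address and bucket name are hypothetical, and the matching semantics are this example's own; tools and SDKs differ in the details (not all accept CIDR entries), so check the one you deploy.

```python
import ipaddress
from urllib.parse import urlsplit

IMDS_HOST = "169.254.169.254"     # EC2 instance metadata service (link-local)
IMDS_CREDENTIALS_URL = f"http://{IMDS_HOST}/latest/meta-data/iam/security-credentials/"

# Hypothetical proxy in the common services VPC and a hypothetical bucket.
PROXY = "http://proxy.common-services.internal:3128"
S3_URL = "https://example-bucket.s3.amazonaws.com/object"


def parse_no_proxy(value):
    """Split a comma-separated NO_PROXY list into (networks, host_suffixes,
    wildcard). Entries that parse as an IP or CIDR become networks; anything
    else is treated as a hostname or domain suffix; '*' bypasses everything."""
    networks, suffixes, wildcard = [], [], False
    for raw in value.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry == "*":
            wildcard = True
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            suffixes.append(entry.lstrip("."))
    return networks, suffixes, wildcard


def bypasses_proxy(url, no_proxy):
    """True if a request for url should go direct rather than via the proxy."""
    host = (urlsplit(url).hostname or "").lower()
    networks, suffixes, wildcard = parse_no_proxy(no_proxy)
    if wildcard:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:                      # literal IP: CIDR entries only
        return any(addr in net for net in networks)
    return any(host == s or host.endswith("." + s) for s in suffixes)


def route_for(url, proxy=PROXY, no_proxy=""):
    """Where the request is sent: 'direct' or the proxy URL."""
    return "direct" if bypasses_proxy(url, no_proxy) else proxy


if __name__ == "__main__":
    for no_proxy in ("", "localhost,127.0.0.1", "localhost,127.0.0.1,169.254.169.0/24"):
        print(f"NO_PROXY={no_proxy!r}")
        print("  IMDS credential fetch ->", route_for(IMDS_CREDENTIALS_URL, no_proxy=no_proxy))
        print("  S3 request            ->", route_for(S3_URL, no_proxy=no_proxy))
```

The output makes the failure mode concrete: with `NO_PROXY=localhost,127.0.0.1`, which is what many base images ship, the S3 call is proxied as intended but so is the credential fetch; adding the metadata address (or its /24) sends only that request direct while S3 traffic still goes through the policy-mandated proxies. The same exclusion matters for IMDSv2, whose token request goes to the same address.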
