Summer Sale Coupon - 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: c4sbfdisc

Note! ANS-C00 has been withdrawn. The new exam code is ANS-C01

ANS-C00 Practice Exam Questions with Answers AWS Certified Advanced Networking-Specialty Certification

Question # 6

A VPC is deployed with a 10 0 0.0/16 CIDR block. The engineering team is reviewing DHCP options and there is disagreement about the valid DNS addresses available for the VPC Which addresses are valid IP addresses provided by Amazon for this subnet' (Select TWO.)

A.

8.8.8.8

B.

10.00.2

C.

10.1.0.2

D.

169.254.169.253

E.

169.254.169.254

Full Access
Question # 7

You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

A.

CloudWatch Logs at the VPC level

B.

Packet sniffing at the instance level

C.

VPC flow logs at the subnet level

D.

Packet sniffing at the VPC level

Full Access
Question # 8

You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:

2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027

1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027

1432917082 ACCEPT OK

2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094

1432917142 REJECT OK

Why are ICMP responses not received by the on-premises system?

A.

The inbound network access control list is blocking the traffic

B.

The outbound network access control list is blocking the traffic

C.

The inbound security group is blocking the traffic.

D.

The outbound security group is blocking the traffic.

Full Access
Question # 9

An IT company wants to securely perform an on-off migration of its on-premises VMs to the AWS Cloud by using AWS Server Migration Service {AWS SMS) For the first phase of the migration, the company must migrate 50 development VMs m batches during non-peak times over the next 7 days The VMs are between 2 GB and 5 GB in size The company has 1 Gbps of available bandwidth over the internet

Which network connectivity option meets these requirements MOST cost-effectively?

A.

Contact an AWS partner to order a hosted VIF

B.

Use the existing internet connection

C.

Order an AWS Direct Connect connection Provision a public VIF

D.

Create a VPN connection to AWS.

Full Access
Question # 10

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

Which solution will fix the connectivity failures with the LEAST amount of effort?

A.

Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.

B.

Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.

C.

Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.

D.

Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

Full Access
Question # 11

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Select two.)

A.

Public AS number

B.

VLAN ID

C.

IP prefixes to advertise

D.

Direct Connect location

E.

Virtual private gateway

Full Access
Question # 12

A company's application runs in a VPC and stores sensitive data in Amazon S3 The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3 The S3 bucket is located in the same AWS Region as the EC2 instances The company wants to ensure that this bucket can be accessed only from the VPC where the application resides

Which changes should a network engineer make to the architecture to meet these requirements?

A.

Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet Configure the S3 security group to allow only the application instances to access the bucket

B.

Deploy an S3 VPC endpoint in the VPC where the application resides Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint

C.

Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket Allow access only from the VPC CIDR range, and deny all other IP address ranges

D.

Create a new 1AM role for the EC2 instances that provides access to the S3 bucket and assign the role to the application instances Configure an S3 bucket policy to allow access only from the role

Full Access
Question # 13

An architecture is being designed to support an Amazon WorkSpaces deployment of 1,000 desktops.

Which architecture will support this deployment while allowing for future expansion?

A.

A VPC with a /16 CIDR and one /21 subnet

B.

A VPC with a /20 CIDR and two /21 subnets

C.

A VPC with a /16 CIDR and one /22 subnet

D.

A VPC with a /20 CIDR and two /23 subnets

Full Access
Question # 14

Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.

The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs.

Which step should you take to meet the requirements?

A.

Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.

B.

Configure an IPsec VPN between the virtual private gateway in each application VPC to the virtual private gateway in the shared services VPC.

C.

Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.

D.

Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.

Full Access
Question # 15

You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.

Which three factors that must be supported should you consider when choosing the customer router? (Select three.)

A.

802.1q trunking

B.

802.1ax or 802.3ad link aggregation

C.

OSPF

D.

BGP

E.

single-mode optical fiber connectivity

F.

1-Gbps copper connectivity

Full Access
Question # 16

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.

Which of the following connectivity options should you choose?

A.

Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.

B.

Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.

C.

Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.

D.

Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.

Full Access
Question # 17

A company has a hybrid environment across its on-premises network and the AWS Cloud The company wants to use Amazon Elastic File System (Amazon EFS) to store and share data between on-premises services that are required to resolve DNS queries through on-premises DNS servers The company wants to use a custom domain name to connect to Amazon EFS The company also wants to avoid using the Amazon EFS target IP address.

What should a network engineer do to meet these requirements?

A.

Create an Amazon Route 53 Resolver outbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 public hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 public hosted zone

B.

Create an Amazon Route 53 Resolver inbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver

C.

Create an Amazon Route 53 Resolver outbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 private hosted zone,

and add a new CNAME record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver

D.

Create an Amazon Route 53 Resolver inbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 private hosted zone, and add a new PTR record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone

Full Access
Question # 18

Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately.

What are the minimum requirements for your router?

A.

1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.

B.

1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.

C.

IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5

D.

BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel

Full Access
Question # 19

An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover.

What MUST be configured for this design to work? (Select two.)

A.

A different Autonomous System Number (ASN) for each firewall.

B.

Border Gateway Protocol (BGP) routing

C.

Autonomous system (AS) path prepending

D.

Static routing

E.

Equal-cost multi-path routing (ECMP)

Full Access
Question # 20

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

A.

Use a Network Load Balancer to automatically preserve the source IP address.

B.

Use a Network Load Balancer and enable the X-Forwarded-For attribute.

C.

Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.

D.

Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

Full Access
Question # 21

You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group’s group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

A.

Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other’s security group-id in each region.

B.

Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.

C.

Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.

D.

Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other’s security group-id in each region.

Full Access
Question # 22

A company is using AWS to host all of its applications. Each application is isolated in its own Amazon VPC. Different environments such as Development, Test, and Production are also isolated in their own VPCs. The Network Engineer needs to automate VPC creation to enforce the company’s network and security standards. Additionally, the CIDR range used in each VPC needs to be unique.

Which solution meets all of these requirements?

A.

Use AWS CloudFormation to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.

B.

Use AWS OpsWorks to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.

C.

Use the VPC wizard in the AWS Management Console. Type in the CIDR blocks for the VPC and subnets.

D.

Create the VPCs using AWS CLI and use the dry-run flag to validate if the current CIDR range is in use.

Full Access