AWS Certified Advanced Networking - Specialty v1.0

Page:    1 / 8   
Exam contains 110 questions

Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two Direct Connect connections terminate at two different Direct Connect locations. You are using two routers, R1 and R2, at your end (one for each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routes over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC.
Which two actions should you take to fix this problem? (Choose two.)

  • A. Use BGP AS prepend attribute to prepend additional AS numbers while advertising routes from R1 to VGW.
  • B. Use BGP local preference attribute to assign R1 to a lower local preference number than R2.
  • C. Use BGP local preference attribute to assign R1 a higher local preference number than R2.
  • D. Use BGP MED attribute to assign a higher MED value to the routes advertised from R1 to VGW.
  • E. Use BGP MED attribute to assign a higher MED value to the routes advertised from R2 to VGW.


Answer : AC

An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual interface (VIF) per VPC.
Which of the following designs will minimize cost while allowing the organization to expand?

  • A. Order 10 new Direct Connect connections, one from each of the accounts that will be provisioned. Create private VIFs in each account. Attach one private VIF per VPC.
  • B. Create a public VIF on the Direct Connect connection. Leverage the public VIF to create a VPN connection to each VPC.
  • C. Create hosted private VIFs in the existing account. Connect a private VIF to an AWS Direct Connect gateway in each account. Connect the gateway in each account to the VPCs.
  • D. Create a transit VPC in the existing account that consists of two routers in separate Availability Zones. Connect each VPC to the two routers in the transit VPC by using VPN.


Answer : D

An organization with a growing e-commerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

  • A. Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.
  • B. Add multiple CloudHSM instances to the cluster; requests to it will automatically load balance.
  • C. Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.
  • D. Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.


Answer : A

A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another.
Which approach will meet the technical and security requirements while minimizing costs?

  • A. Use the AWS IPsec VPN for the mobile, desktop, and partner VPN connections. Use network access control lists (Network ACLs) and security groups to maintain routing separation.
  • B. Use the AWS IPsec VPN for the partner VPN connections. Use an Amazon EC2 instance VPN for the mobile and desktop devices. Use Network ACLs and security groups to maintain routing separation.
  • C. Create an AWS Direct Connect connection between on-premises and AWS. Use a public virtual interface to connect to the AWS IPsec VPN for the mobile, desktop, and partner VPN connections.
  • D. Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing and connectivity.


Answer : B

Your company needs to leverage Amazon Simple Storage Service (S3) for backup and archiving. According to company policy, data should not flow on the public Internet even if the data is encrypted. You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.
Which design should you set up?

  • A. An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.
  • B. An AWS Direct Connect connection to us-east-1.
  • C. An AWS Direct Connect connection to us-west-2.
  • D. An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.


Answer : A

Your organization runs a popular e-commerce application deployed on AWS that uses Auto Scaling in conjunction with an Elastic Load Balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses.
Which step should you take to fix this problem?

  • A. Generate new SSL certificates for all web servers and replace current certificates.
  • B. Change the security policy on the ELB to disable vulnerable protocols and ciphers.
  • C. Generate new SSL certificates and use ELB to front-end the encrypted traffic for all web servers.
  • D. Leverage your current configuration management system to update SSL policy on all web servers.


Answer : D

Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.
Which method allows for efficient, automated integration of the IPAM with CloudFormation?

  • A. AWS CloudFormation parameters using the "Ref::" intrinsic function
  • B. AWS CloudFormation custom resource using an AWS Lambda invocation.
  • C. CloudFormation::OpsWorks::Stack with custom Chef configuration.
  • D. AWS CloudFormation parameters using the "Fn::FindInMap" intrinsic function.


Answer : A

You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the lowest latency and the highest packet-per-second network performance. The application will talk to other servers in a peered VPC.
Which two of the following components should be part of the design? (Choose two.)

  • A. Select an instance with support for single root I/O virtualization.
  • B. Select an instance that has support for multiple ENIs.
  • C. Ensure that the instance supports jumbo frames and set 9001 MTU.
  • D. Select an instance with Amazon Elastic Block Store (EBS)-optimization.
  • E. Ensure that proper OS drivers are installed.


Answer : AB

References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Choose two.)

  • A. Public AS number
  • B. VLAN ID
  • C. IP prefixes to advertise
  • D. Direct Connect location
  • E. Virtual private gateway


Answer : AE

References:
https://aws.amazon.com/directconnect/faqs/

A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connections. You configure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.
What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?

  • A. Attach the virtual private gateway to a VPC and enable route propagation.
  • B. Filter the public IP prefixes on the corporate network from the private virtual interface.
  • C. Change the BGP advertisements from the corporate network to only be a default route.
  • D. Attach the second virtual interface to an alternative virtual private gateway.


Answer : D

Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account. Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.
Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Choose two.)

  • A. Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.
  • B. Update the Route 53 private hosted zone's VPC associations to include the new VPC.
  • C. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.
  • D. Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.
  • E. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.


Answer : AB

A department in your company has created a new account that is not part of the organization's consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud (EC2) instance in its new VPC, what are the associated charges?

  • A. The company pays Internet Data Out charges.
  • B. The company pays AWS Direct Connect Data Out charges.
  • C. The department pays Internet Data Out charges.
  • D. The department pays AWS Direct Connect Data Out charges.


Answer : D

An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover.
What MUST be configured for this design to work? (Choose two.)

  • A. A different Autonomous System Number (ASN) for each firewall.
  • B. Border Gateway Protocol (BGP) routing
  • C. Autonomous system (AS) path prepending
  • D. Static routing
  • E. Equal-cost multi-path routing (ECMP)


Answer : BE

A company is about to migrate an application from its on-premises data center to AWS. As part of the planning process, the following requirements involving DNS have been identified.
-> On-premises systems must be able to resolve the entries in an Amazon Route 53 private hosted zone.
-> Amazon EC2 instances running in the organization's VPC must be able to resolve the DNS names of on-premises systems.

The organization's VPC uses the CIDR block 172.16.0.0/16.
Assuming that there is no DNS namespace overlap, how can these requirements be met?

  • A. Change the DHCP options set for the VPC to use both the Amazon-provided DNS server and the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
  • B. Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to 172.16.0.2. Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
  • C. Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to the Amazon-provided DNS server (172.16.0.2). Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the proxies as authoritative for the Route 53 private hosted zone.
  • D. Change the DHCP options set for the VPC to use both the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the Route 53 private hosted zone's name servers as authoritative for the Route 53 private hosted zone.


Answer : C

The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

  • A. Use inbound security group rules to block the IP addresses.
  • B. Use inbound network ACL rules to block the IP addresses.
  • C. Use AWS WAF to block the IP addresses.
  • D. Write iptables rules on the instance to block the IP addresses.


Answer : B
