Amazon ANS-C00 Exam Practice Test Instant Access

Question 1

A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance For compliance purposes, data encryption is required.

What should the network engineer do to meet these requirements?

AConfigure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

BConfigure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

CConfigure an internet gateway in the VPC Set up a software VPN between the customer gateway and an EC2 instance in the VPC.

DConfigure an internet gateway in the VPC Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

Answer : A

Traffic is not encrypted on a DX connection. In order to use AWS VPN you must use a Public VIF.

Question 2

Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on nginx server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client's IP address in your application to generate dynamic content.

How should you utilize AWS services in a scalable fashion to perform this task?

AModify the nginx log configuration to record value in X-Forwarded-For and use CloudFront to apply the Geographic Restriction.

BEnable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.

CUse X-Forwarded-For with security groups to apply the Geographic Restriction.

DModify the application code to use value of X-Forwarded-For and CloudFront to apply the Geographic Restriction.

Answer : D

https://aws.amazon.com/premiumsupport/knowledge-center/elb-capture-client-ip-addresses/

Question 3

An organization with a growing e-commerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

AUse multiple CloudHSM instances, and load balance them using a Network Load Balancer.

BUse multiple CloudHSM instances to the cluster;request to it will automatically load balance.

CEnable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.

DUse multiple CloudHSM instances, and load balance them using an Application Load Balancer.

Answer : B

https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html#cluster-high-availability-load-balancing

Question 4

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).

The security team is calling this new connection a ''backdoor'', and you have been asked to clarify the risk to the company.

Which concern from the security team is valid and should be addressed?

AAWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.

BDirect Connect customers with a Public VIF in the same region could directly reach the router.

CEC2 instances in the same region with access to the Internet could directly reach the router.

DThe S3 service could reach the router through a pre-configured VPC Endpoint.

Answer : C

https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/

Question 5

A Systems Administrator is designing a hybrid DNS solution with spilt-view. The apex-domain ''example.com'' should be served through name servers across multiple top-level domains (TLDs). The name server for subdomain ''dev.example.com'' should reside on-premises. The administrator has decided to use Amazon Route 53 to achieve this scenario.

What procedurals steps must be taken to implement the solution?

AUse a Route 53 public hosted zone for example.com and a private hosted zone for dev.example.com

BUse a Route 53 public and private hosted zone for example.com and perform subdomain delegation for dev.example.com

CUse a Route 53 public hosted zone for example.com and perform subdomain delegation for dev.example.com

DUse a Route 53 private hosted zone for example.com and perform subdomain delegation for dev.example.com

Answer : A

aws.amazon.com/premiumsupport/knowledge-center/internal-version-website/

Question 6

You run a well-architected, multi-AZ application in the eu-central-1 (Frankfurt) AWS region. The application is hosted in a VPC and is only accessed from the corporate network. To support large volumes of data transfer and administration of the application, you use a single 10-Gbps AWS Direct Connect connection with multiple private virtual interfaces. As part of a review, you decide to improve the resilience of your connection to AWS and make sure that any additional connectivity does not share the same Direct Connect routers at AWS. You need to provide the best levels of resilience to meet the application's needs.

Which two options should you consider? (Select two.)

AInstall a second 10-Gbps Direct Connect connection to the same Direct Connection location.

BDeploy an IPsec VPN over a public virtual interface on a new 10-Gbps Direct Connect connection.

CInstall a second 10-Gbps Direct Connect connection to a Direct Connect location in eu-west-1.

DDeploy an IPsec VPN over the Internet to the eu-west-1 region for diversity.

EInstall a second 10-Gbps Direct Connect connection to a second Direct Connect location for eu-central-1.

Answer : A, E

https://aws.amazon.com/directconnect/resiliency-recommendation/

Question 7

You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC.

Which action is required to support a successful Amazon EMR cluster launch?

AAdd a conditional forwarder to the Amazon-provided DNS server.

BEnable seamless domain join for the Amazon EMR cluster.

CLaunch an AD connector for the internal domain.

DConfigure an Amazon Route 53 private zone for the EMR cluster.

Answer : A

https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-microsoft-active-directory/

Amazon AWS Advanced Networking Specialty ANS-C00 Exam Practice Test