Amazon ANS-C00 Exam Questions Instant Access

Question 1

You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any URL.

Which of the following solutions should you deploy? (Select two.)

AInclude s3.amazonaws.com in the whitelist.

BCreate a VPC endpoint for S3.

CRun Squid proxy on a NAT instance.

DDeploy a NAT gateway into your VPC.

EUtilize a security group to restrict access.

Answer : B, C

https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/

Question 2

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

AUse an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.

BConfigure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.

CConfigure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.

DAttach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.

Answer : B

Question 3

Refer to the image.

You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows:

VPC A: 10.0.0.0/16

VPC B: 192.168.0.0/16

VPC C: 10.0.0.0/16

Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10. Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively, i-3 and i-4 are in the subnet 192.168.1.0/24.

i-3 must be able to communicate with i-1

i-4 must be able to communicate with i-2

i-3 and i-4 are able to communicate with i-1, but not with i-2.

Which two steps will fix this problem? (Select two.)

ACreate subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.

BCreate subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.

CChange the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.

DCreate a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.

ECreate two route tables: one with a route for destination VPC A, and another for destination VPC C.

Answer : A, E

https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html#one-to-two-vpcs-simple-hub

Question 4

You have to set up an AWS Direct Connect connection to connect your on-premises to an AWS VPC. Due to budget requirements, you can only provision a single Direct Connect port. You have two border gateway routers at your on-premises data center that can peer with the Direct Connect routers for redundancy.

Which two design methodologies, in combination, will achieve this connectivity? (Select two.)

ATerminate the Direct Connect circuit on a L2 border switch, which in turn has trunk connections to the two routers.

BCreate two Direct Connect private VIFs for the same VPC, each with a different peer IP.

CTerminate the Direct Connect circuit on any of the one routers, which in turn will have an IBGP session with the other router.

DCreate one Direct Connect private VIF for the VPC with two customer peer IPs.

EProvision two VGWs for the VPC and create one Direct Connect private VIF per VGW.

Answer : A, D

https://docs.aws.amazon.com/directconnect/latest/UserGuide/add-peer-to-vif.html (Adding a BGP Peer)

Question 5

Your company needs to leverage Amazon Simple Storage Solution (S3) for backup and archiving. According to company policy, data should not flow on the public Internet even if data is encrypted. You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.

Which design should you set up?

AAn AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.

BAn AWS Direct Connect connection to us-east-1.

CAn AWS Direct Connect connection to us-west-2.

DAn AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.

Answer : C

DC is in West Coast, it doesn't make sense to create direct connect connection to us-east-1 other than DC location, so A & B are out of picture. You can therefore use a single AWS Direct Connect connection to build multi-Region services. All networking traffic remains on the AWS global network backbone, regardless of whether you access public AWS services or a VPC in another Region. To access public resources in a remote Region, you must set up a public virtual interface and establish a Border Gateway Protocol (BGP) session. S3 is one of AWS public resources, be aware that BGP is needed instead of VPN. https://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html

Question 6

Your company uses an NTP server to synchronize time across systems. The company runs multiple versions of Linux and Windows systems. You discover that the NTP server has failed, and you need to add an alternate NTP server to your instances.

Where should you apply the NTP server update to propagate information without rebooting your running instances?

ADHCP Options Set

Binstance user-data

Ccfn-init scripts

Dinstance meta-data

Answer : A

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-dhcp-options.html

Question 7

A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connectors. You congure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.

What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?

AAttach the virtual private gateway to a VPC and enable route propagation.

BFilter the public IP prexes on the corporate network from the private virtual interface.

CChange the BGP advertisements from the corporate network to only be a default route.

DAttach the second virtual interface to an alternative virtual private gateway.

Answer : C

https://aws.amazon.com/es/premiumsupport/knowledge-center/virtual-interface-bgp-down/

Amazon AWS Advanced Networking Specialty ANS-C00 Exam Questions