Amazon ANS-C00 Exam Questions Instant Access

Question 1

You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link.

How should you design routing to meet these requirements?

AConfigure a single routing table with two default routes: one to the Internet via an IGW, the other to the on-premises network via the VGW. Use this routing table across all subnets in your VPC.

BConfigure two routing tables: one that has a default route via the IGW, and another that has a default route via the VGW. Associate both routing tables with each VPC subnet.

CConfigure a single routing table with a default route via the IGW. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnet.

DConfigure a single routing table with a default route via the IGW. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.

Answer : D

0/0 to IGW and advertise specific routes or (10/8) from onprem to VGW and propogate to VPC

Question 2

Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.

Which method allows for efficient, automated integration of the IPAM with CloudFormation?

AAWS CloudFormation parameters using the ''Ref::'' intrinsic function

BAWS CloudFormation custom resource using an AWS Lambda invocation.

CCloudFormation::OpsWorks::Stack with custom Chef configuration.

DAWS CloudFormation parameters using the ''Fn::FindInMap'' intrinsic function.

Answer : B

Cloudformation chapter under exam essentials it says 'custom resources in an AWS cloudformation template allows you to configure non-aws resources not supported by AWS. You can use custom resources to make calls to an IPAM'

Question 3

A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connectors. You congure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.

What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?

AAttach the virtual private gateway to a VPC and enable route propagation.

BFilter the public IP prexes on the corporate network from the private virtual interface.

CChange the BGP advertisements from the corporate network to only be a default route.

DAttach the second virtual interface to an alternative virtual private gateway.

Answer : C

https://aws.amazon.com/es/premiumsupport/knowledge-center/virtual-interface-bgp-down/

Question 4

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).

The security team is calling this new connection a ''backdoor'', and you have been asked to clarify the risk to the company.

Which concern from the security team is valid and should be addressed?

AAWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.

BDirect Connect customers with a Public VIF in the same region could directly reach the router.

CEC2 instances in the same region with access to the Internet could directly reach the router.

DThe S3 service could reach the router through a pre-configured VPC Endpoint.

Answer : C

https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/

Question 5

An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPS with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.

What is the MOST simple and secure architecture that will achieve the organization's goal?

AUse the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.

Buse the existing VPS and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.

CCreate a new VPS without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.

DCreate a new VPS without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.

Answer : A

https://docs.aws.amazon.com/kms/latest/developerguide/kms-vpc-endpoint.html

Question 6

Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.

You must prepare the system for global expansion. The end users must access the application with lowest latency.

How should you use AWS services to meet these requirements?

ARegister the IP addresses of the service hosts as ''A'' records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.

BSet the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.

CSet Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.

DSet the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.

Answer : B

Question 7

An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual network interface (VIF) per VPC.

Which of the following designs will minimize cost while allowing the organization to expand?

AOrder 10 new Direct Connect connections, one from each of the accounts that will be provisioned. Create private VIFs in each account. Attach one private VIF per VPC.

BCreate a public VIF on the Direct Connect connection. Leverage the public VIF to create a VPN connection to each VPC.

CCreate hosted private VIFs in the existing account. Connect a private VIF to an AWS Direct Connect gateway in each account. Connect the gateway in each account to the VPCs.

DCreate a transit VPC in the existing account that consists of two routers in separate Availability Zones. Connect each VPC to the two routers in the transit VPC by using VPN.

Answer : D

https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

Amazon AWS Advanced Networking Specialty ANS-C00 Exam Questions