Amazon ANS-C01 Exam Practice Test Instant Access

Question 1

A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is

no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment.

Which approach will meet these requirements with the LEAST maintenance overhead?

ASet up an AWS Direct Connect connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs.
Connect to the instances by using the Direct Connect connection.

BDeploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC endpoints for Systems Manager Session Manager. Connect to the instances by
using Session Manager.

CEstablish an AWS Site-to-Site VPN connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and
ACLs. Connect to the instances by using the Site-to-Site VPN connection.

DDeploy an appliance to the VPC where the instances are deployed. Assign a public IP address to the appliance. Configure security groups and ACLs. Connect to the instances by
using the appliance as an intermediary.

Answer : B

The correct approach is to use AWS Systems Manager Session Manager, which allows you to manage your EC2 instances through a secure and browser-based interface. By deploying and configuring SSM Agent on each instance, you can enable Session Manager to communicate with the instances. By deploying VPC endpoints for Session Manager, you can enable the instances to connect to the AWS service without requiring an internet gateway, NAT device, or VPN connection. You can also use IAM policies and SSM documents to implement role-based access control for managing the instances. This approach has the least maintenance overhead, as it does not require any additional infrastructure or configuration.

Question 2

A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway.

The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center.

In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet.

Which set of steps should a network engineer take to meet these requirements?

A1. Create public subnets in the Tokyo VPC to migrate the workloads into.
2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC.
3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads.
4. Create peering connections between the Tokyo VPC and the Paris VPCs.
5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.

B1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC.
2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway.
3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway.
4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.

C1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC.
2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway.
3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target.
4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.

D1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway.
2. Create an association between the Paris transit gateway and the Tokyo VPC.
3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPCs.

Answer : C

Option C is the best solution because it allows the company to use transit gateways to connect the VPCs in different regions and the on-premises sites. Transit gateways support inter-region peering and VPN attachments, which enable secure and scalable connectivity. Option A is not valid because public subnets are not suitable for workloads that cannot be directly accessible from the internet. Option B is not valid because Direct Connect connections take longer than 5 days to provision.

Question 3

A company has two business units (BUs). The company operates in the us-east-1 Region and the us-west-1 Region. The company plans to extend to more Regions in the future. Each BU has

a VPC in each Region. Each Region has a transit gateway with the BU VPCs attached. The transit gateways in both Regions are peered.

The company will create several more BUs in the future and will need to isolate some of the BUs from the other BUs. The company wants to migrate to an architecture to incorporate more

Regions and BUs.

Which solution will meet these requirements with the MOST operational efficiency?

ACreate a new transit gateway for each new BU in each Region. Peer the new transit gateways with the existing transit gateways. Update the route tables to control traffic between BUs.

BCreate an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Use segment actions to control traffic between segments.

CCreate an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Configure the segments to isolate attachments to control traffic between segments.

DAttach new VPCs to the existing transit gateways. Update route tables to control traffic between BUs.

Answer : C

The correct solution is to use AWS Cloud WAN, which is a new service that simplifies the management of global networks. AWS Cloud WAN allows you to create a core network that connects your AWS Regions and on-premises locations. You can then create segments for each BU and attach their VPCs to the segments. By configuring the segments to isolate attachments, you can prevent traffic from flowing between different BUs. This way, you can achieve network isolation and scalability without creating multiple transit gateways and peering connections. You can also use segment actions to apply routing and security policies to the traffic within and across segments.

Question 4

A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires

all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application.

Which solution will meet these requirements in the MOST operationally efficient way?

AAdd an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.

BAdd an inbound rule to the network ACLs that are associated with the ALB's subnets. Use the AWS managed prefix list for CloudFront as the source in the rule.

CConfigure CloudFront to add a custom HTTP header to the requests that CloudFront sends to the ALB.

DAssociate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allow traffic from the CloudFront IP set. Automatically update the CloudFront IP set by using an AWS Lambda function.

Answer : A

The most operationally efficient way to restrict inbound traffic to the ALB to come from CloudFront is to use the AWS managed prefix list for CloudFront. A prefix list is a collection of CIDR blocks that can be used to configure security groups and network ACLs. AWS provides a managed prefix list for CloudFront that is automatically updated when CloudFront IP ranges change. By adding an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront, the network engineer can ensure that only CloudFront can access the ALB at the network layer. This solution does not require any additional configuration or maintenance. Option B is less efficient because network ACLs are stateless and require rules for both inbound and outbound traffic. Option C is not a network layer solution, but an application layer solution that requires the ALB to inspect the HTTP headers and reject requests that do not have the custom header. Option D is also not a network layer solution, but a web layer solution that requires AWS WAF to filter the traffic based on the CloudFront IP set. This solution also requires an AWS Lambda function to update the CloudFront IP set, which adds complexity and cost

Question 5

A company is planning to migrate an internal application to the AWS Cloud. The application will run on Amazon EC2 instances in one VPC. Users will access the application from the

company's on-premises data center through AWS VPN or AWS Direct Connect. Users will use private domain names for the application endpoint from a domain name that is reserved

explicitly for use in the AWS Cloud.

Each EC2 instance must have automatic failover to another EC2 instance in the same AWS account and the same VPC. A network engineer must design a DNS solution that will not expose

the application to the internet.

Which solution will meet these requirements?

AAssign public IP addresses to the EC2 instances. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with
the VPC. Create a Route 53 Resolver outbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to
the outbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the public IP addresses of the EC2
instances. Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.

BPlace the EC2 instances in private subnets. Create an Amazon Route 53 public hosted zone for the AWS reserved domain name. Associate the public hosted zone with the
VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the
inbound endpoint IP address for Route 53 Resolver. In the public hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances.
Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.

CPlace the EC2 instances in private subnets. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the
VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the
inbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances.
Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set up a health check on the alarm for the primary application endpoint.

DPlace the EC2 instances in private subnets. Create an Amazon Route 53 private hosted zone for the AWS reserved domain name. Associate the private hosted zone with the
VPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding in the on-premises DNS resolvers to forward all DNS queries for the AWS domain to the
inbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configure primary and failover records that point to the IP addresses of the EC2 instances. Set
up Route 53 health checks on the private IP addresses of the EC2 instances.

Answer : C

The correct solution is to use a Route 53 private hosted zone and a Route 53 Resolver inbound endpoint. A private hosted zone allows you to use private domain names for your internal AWS resources without exposing them to the internet. A Route 53 Resolver inbound endpoint enables DNS queries from your on-premises network to be forwarded to your VPC. By configuring conditional forwarding on your on-premises DNS resolvers, you can ensure that only the queries for the AWS reserved domain name are sent to the inbound endpoint. In the private hosted zone, you can create primary and failover records that point to the IP addresses of the EC2 instances. These records will automatically switch to the failover instance if the primary instance becomes unhealthy. You can use CloudWatch metrics and alarms to monitor the application's health and trigger the health check for the primary endpoint.

The other options are not correct because they either expose the application to the internet or use a public hosted zone, which is not suitable for internal applications. Option A assigns public IP addresses to the EC2 instances, which makes them accessible from the internet. Option B uses a public hosted zone, which requires the EC2 instances to have public IP addresses or elastic IP addresses. Option D does not set up a health check on the alarm for the primary endpoint, which is required for the failover mechanism to work.

Question 6

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

Which solution will fix the connectivity failures with the LEAST amount of effort?

ACreate a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.

BUpdate the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.

CUpdate the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.

DCreate an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

Answer : C

https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

Question 7

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

AThe NAT gateway does not support UDP traffic.

BThe authentication server is not accepting traffic.

CThe NAT gateway cannot allocate more ports.

DThe NAT gateway is launched in a private subnet.

Answer : C

Ref: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

'A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch.'

Amazon ANS-C01 AWS Certified Advanced Networking - Specialty Exam Practice Test