ANS-C01 Exam - AWS Certified Advanced Networking Specialty Exam

certleader.com


Online ANS-C01 free questions and answers (new version):

NEW QUESTION 1
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?

  • A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
  • B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
  • C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
  • D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Answer: C

Explanation:
An egress-only internet gateway is the IPv6 counterpart of a NAT gateway for outbound-only access: it is stateful, lets instances in the private subnets initiate IPv6 connections, and drops connections initiated from the internet. NAT gateways and NAT instances translate IPv4 only, so A and B do not provide IPv6 egress. Security groups cannot be associated with an egress-only internet gateway, so D is not configurable. Point the ::/0 route of the private subnet route tables at the egress-only internet gateway.

NEW QUESTION 2
A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name.
A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918.
Components of the application need to be able to access other components of the application within the application's VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries.
Which combination of steps will meet these requirements? (Choose three.)

  • A. Add a geoproximity routing policy in Route 53.
  • B. Create a Route 53 private hosted zone for the same domain name. Associate the application's VPC with the new private hosted zone.
  • C. Enable DNS hostnames for the application's VPC.
  • D. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.
  • E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs when AWS CloudTrail logs a Route 53 API call to the public hosted zone. Create an AWS Lambda function as the target of the rule. Configure the function to use the event information to update the private hosted zone.
  • F. Add the private IP addresses in the existing Route 53 public hosted zone.

Answer: BDE

Explanation:
A private hosted zone with the same domain name as the public zone, associated with the application's VPC, gives split-horizon DNS: queries from inside the VPC are answered from the private zone, while everyone else still gets the public zone (B). The private zone needs a record for each public name that points to the private IP address (D); otherwise traffic between tiers would leave through the internet gateway and come back in over the Elastic IPs. Because new host names and retired entries must keep the two zones in step, the update has to be automated: CloudTrail records every ChangeResourceRecordSets call on the public zone, an EventBridge rule matches it, and a Lambda function applies the equivalent change to the private zone (E). Geoproximity routing (A) does not affect resolution inside the VPC, and adding private addresses to the public zone (F) leaks internal addressing to the internet. A VPC must have enableDnsSupport and enableDnsHostnames set to true before a private hosted zone resolves in it, so C may be a prerequisite, but on its own it meets none of the stated requirements.
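The Lambda side of option E, as an added example that is not part of the exam material or AWS's own code. It converts the changeBatch that CloudTrail logged for a public-zone ChangeResourceRecordSets call into the ChangeBatch to apply to the private zone. The EIP-to-private-IP mapping, the example.com names and the event contents are constructed assumptions; in a real function the mapping would come from EC2 DescribeAddresses and the result would be passed to route53.change_resource_record_sets() for the private hosted zone ID.

```python
"""Translate a logged public hosted zone change into the equivalent private hosted zone change.

Added example, not the exam's or AWS's code. The mapping, zone names and event shape below are
constructed assumptions.
"""

# Constructed mapping (assumption): Elastic IP of a front-end instance -> its private IP
EIP_TO_PRIVATE = {
    "203.0.113.10": "10.0.1.10",
    "203.0.113.11": "10.0.1.11",
}

MIRRORED_TYPES = {"A", "CNAME"}  # host records only; apex NS/SOA and MX stay public-only


def normalize_keys(obj):
    """CloudTrail logs request parameters with lower-camelCase keys (changeBatch, tTL, value).
    Upper-casing the first letter restores the Route 53 API shape (ChangeBatch, TTL, Value)."""
    if isinstance(obj, dict):
        return {k[0].upper() + k[1:]: normalize_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize_keys(v) for v in obj]
    return obj


def translate_rrset(rrset, eip_to_private):
    """Private-zone version of one record set: A records get private IPs, CNAMEs are copied as-is."""
    if rrset["Type"] != "A":
        return rrset
    records = []
    for rr in rrset.get("ResourceRecords", []):
        private_ip = eip_to_private.get(rr["Value"])
        if private_ip is None:
            # Refuse to mirror an address we cannot map: copying a public IP into the private zone
            # would send internal traffic out through the internet gateway.
            raise KeyError(f"no private IP known for {rr['Value']}")
        records.append({"Value": private_ip})
    return {**rrset, "ResourceRecords": records}


def to_private_change_batch(cloudtrail_change_batch, eip_to_private=EIP_TO_PRIVATE):
    """Build the ChangeBatch for the private hosted zone from the logged public-zone change.

    CREATE and UPSERT both become UPSERT, so a redelivered event is harmless; DELETE is mirrored
    so retired names disappear from the private zone as well."""
    batch = normalize_keys(cloudtrail_change_batch)
    changes = []
    for change in batch.get("Changes", []):
        rrset = change["ResourceRecordSet"]
        if rrset["Type"] not in MIRRORED_TYPES or "AliasTarget" in rrset:
            continue
        action = "DELETE" if change["Action"] == "DELETE" else "UPSERT"
        changes.append({"Action": action, "ResourceRecordSet": translate_rrset(rrset, eip_to_private)})
    return {"Comment": "mirrored from public hosted zone", "Changes": changes}


# Constructed requestParameters.changeBatch of a CloudTrail ChangeResourceRecordSets event (assumption)
SAMPLE_EVENT_CHANGE_BATCH = {
    "changes": [
        {"action": "UPSERT",
         "resourceRecordSet": {"name": "www.example.com.", "type": "A", "tTL": 60,
                               "resourceRecords": [{"value": "203.0.113.10"}]}},
        {"action": "DELETE",
         "resourceRecordSet": {"name": "old.example.com.", "type": "A", "tTL": 60,
                               "resourceRecords": [{"value": "203.0.113.11"}]}},
        {"action": "UPSERT",
         "resourceRecordSet": {"name": "example.com.", "type": "MX", "tTL": 300,
                               "resourceRecords": [{"value": "10 mail.example.com."}]}},
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_private_change_batch(SAMPLE_EVENT_CHANGE_BATCH), indent=2))
```

The function fails closed on an unmapped public address rather than copying it, and it skips alias records, which cannot be mirrored by value; both are the cases that silently break split-horizon DNS if a mirroring function is written naively.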

NEW QUESTION 3
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?

  • A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
  • B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
  • C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
  • D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

Answer: B

Explanation:
Network Firewall can send its flow and alert logs to Amazon S3, CloudWatch Logs, or a Kinesis Data Firehose delivery stream. Firehose delivers straight into an OpenSearch Service domain with no intermediate storage, no notification plumbing and no code, so it is the shortest path (B). The S3-plus-Lambda pipeline (A) works but adds batching delay and moving parts, and neither an OpenSearch domain (C) nor a Kinesis data stream (D) is a supported Network Firewall log destination.
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-usin

NEW QUESTION 4
A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed.
What should a network engineer do to meet these requirements with the LEAST amount of configuration?

  • A. Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
  • B. Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
  • C. Set up an AWS Client VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.
  • D. Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.

Answer: A

Explanation:
A Site-to-Site VPN is the quickest private connectivity to set up between the data center and AWS, and it is encrypted across the internet. A Route 53 Resolver outbound endpoint, together with a forwarding rule for the on-premises domain that points at the on-premises DNS servers, lets the EC2 instances keep using the VPC's default resolver while queries for those names are forwarded over the VPN. An inbound endpoint (B, C, D) serves the opposite direction, on-premises clients resolving names in the VPC; Direct Connect takes weeks to provision for a 3-month need; and Client VPN connects individual user devices, not a site. After the migration, the outbound endpoint and its rule are deleted with minimal configuration changes.

NEW QUESTION 5
A company operates its IT services through a multi-site hybrid infrastructure. The company deploys resources on AWS in the us-east-1 Region and in the eu-west-2 Region. The company also deploys resources in its own data centers that are located in the United States (US) and in the United Kingdom (UK). In both AWS Regions, the company uses a transit gateway to connect 15 VPCs to each other. The company has created a transit gateway peering connection between the two transit gateways. The VPC CIDR blocks do not overlap with each other or with IP addresses used within the data centers. The VPC CIDR prefixes can also be aggregated either on a Regional level or for the company's entire AWS environment.
The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through Interior BGP (iBGP) sessions. The data centers maintain connectivity to AWS through one AWS Direct Connect connection in the US and one Direct Connect connection in the UK. Each Direct Connect connection is terminated on a Direct Connect gateway and is associated with a local transit gateway through a transit VIF.
Traffic follows the shortest geographical path from source to destination. For example, packets from the UK data center that are targeted to resources in eu-west-2 travel across the local Direct Connect connection. In cases of cross-Region data transfers, such as from the UK data center to VPCs in us-east-1, the private WAN connection must be used to minimize costs on AWS. A network engineer has configured each transit gateway association on the Direct Connect gateway to advertise VPC-specific CIDR IP prefixes only from the local Region. The routes toward the other Region must be learned through BGP from the routers in the other data center in the original, non-aggregated form.
The company recently experienced a problem with cross-Region data transfers because of issues with its private WAN connection. The network engineer needs to modify the routing setup to prevent similar interruptions in the future. The solution cannot modify the original traffic routing goal when the network is operating normally.
Which modifications will meet these requirements? (Choose two.)

  • A. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add the company's entire AWS environment aggregate route to the list of subnets advertised through the local Direct Connect connection.
  • B. Add the CIDR prefixes from the other Region VPCs and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection. Configure data center routers to make routing decisions based on the BGP communities received.
  • C. Add the aggregate IP prefix for the other Region and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection.
  • D. Add the aggregate IP prefix for the company's entire AWS environment and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection.
  • E. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add both Regional aggregate IP prefixes to the list of subnets advertised through the Direct Connect connection on both sides of the network. Configure data center routers to make routing decisions based on the BGP communities received.

Answer: CD

Explanation:
The normal-operation goal relies on longest-prefix matching: each data center learns the specific VPC prefixes of its own Region over the local Direct Connect (eBGP) and the specific prefixes of the other Region over the WAN (iBGP), so the more specific route always points the right way. Adding only an aggregate for the remote side to the local Direct Connect advertisement, either the other Region's aggregate (C) or the whole-environment aggregate (D), leaves that intact: while the WAN is up the iBGP-learned specifics still win, and when the WAN fails they are withdrawn and the locally learned aggregate takes over, so cross-Region traffic falls back to the local Direct Connect and crosses the transit gateway peering connection instead of being black-holed. Withdrawing the specific prefixes (A, E) breaks the normal path: with the same aggregate learned over eBGP and iBGP, the eBGP route over the local Direct Connect is preferred and cross-Region traffic leaves the WAN even when it is healthy. Advertising the remote Region's specific prefixes locally (B) has the same effect, since they tie with the iBGP-learned ones and the eBGP path wins.
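The route selection behind that explanation, as an added example that is not part of the exam material or any AWS tooling. It models the UK data center's routing table under option C and under option A, with the WAN up and down, using only two steps of the BGP decision process: longest prefix match, then eBGP (Direct Connect) preferred over iBGP (other site). The CIDR values are constructed assumptions: eu-west-2 VPCs inside 10.20.0.0/16, us-east-1 VPCs inside 10.10.0.0/16, the whole AWS estate inside 10.0.0.0/8.

```python
"""Simplified BGP best-path selection for the hybrid design in this question.

Added example, not from the exam or AWS. All prefixes are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str     # CIDR as advertised
    next_hop: str   # "local-dx" (own Direct Connect) or "wan-ibgp" (other data center)
    source: str     # "ebgp" or "ibgp"


def best_route(dest_ip, rib):
    """Return the selected Route for dest_ip, or None if nothing covers it."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in rib if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest match wins; on a tie the eBGP route (Direct Connect) beats the iBGP one (WAN).
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.source == "ebgp"))


# Assumed addressing
EU_VPCS = ["10.20.1.0/24", "10.20.2.0/24"]
US_VPCS = ["10.10.1.0/24", "10.10.2.0/24"]
EU_AGGREGATE = "10.20.0.0/16"
US_AGGREGATE = "10.10.0.0/16"
AWS_AGGREGATE = "10.0.0.0/8"

# (prefixes advertised on the UK Direct Connect, prefixes advertised on the US Direct Connect).
# The US site readvertises what it learns from its Direct Connect to the UK site over iBGP.
OPTION_C = (EU_VPCS + [US_AGGREGATE], US_VPCS + [EU_AGGREGATE])
OPTION_A = ([AWS_AGGREGATE], [AWS_AGGREGATE])


def uk_rib(advertised_on_uk_dx, learned_over_wan):
    """RIB of the UK data center: eBGP routes from its Direct Connect plus iBGP routes from the US site."""
    rib = [Route(p, "local-dx", "ebgp") for p in advertised_on_uk_dx]
    rib += [Route(p, "wan-ibgp", "ibgp") for p in learned_over_wan]
    return rib


def path_for(dest_ip, uk_adverts, us_adverts, wan_up):
    """Next hop the UK data center uses for dest_ip under one advertisement policy."""
    learned = us_adverts if wan_up else []      # a WAN failure withdraws every iBGP route
    route = best_route(dest_ip, uk_rib(uk_adverts, learned))
    return route.next_hop if route else None


if __name__ == "__main__":
    for label, policy in (("option C", OPTION_C), ("option A", OPTION_A)):
        print(label, "to us-east-1, WAN up:", path_for("10.10.1.5", *policy, wan_up=True),
              "| WAN down:", path_for("10.10.1.5", *policy, wan_up=False))
```

Option D behaves like option C with 10.0.0.0/8 in place of 10.10.0.0/16 on each side; the aggregate only ever matters once the /24 routes from the WAN have gone away. Real routers evaluate local preference and AS-path length before the eBGP-over-iBGP step, so a deployment can use those to the same effect, but the prefix-length behaviour shown here is what keeps the normal path unchanged.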

NEW QUESTION 6
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?

  • A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
  • B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
  • C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
  • D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

Answer: D

Explanation:
Two constraints decide this. A hosted connection carries a single virtual interface, so a design that needs both a transit VIF and a private VIF on one 1 Gbps connection requires a dedicated connection, which supports multiple VIFs. And a Direct Connect gateway is associated with either virtual private gateways or transit gateways, never both, so the transit VIF (associated with the us-east-1 transit gateway) and the private VIF (associated with the virtual private gateway of the single permitted eu-west-1 VPC) each need their own Direct Connect gateway. The transit VIF then serves every VPC behind the transit gateway for the database traffic, while the private VIF reaches only the one VPC that policy allows to talk to the on-premises server, and the on-premises network keeps the two flows segmented.

NEW QUESTION 7
A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.
How can this requirement be achieved?

  • A. Use a Network Load Balancer to automatically preserve the source IP address.
  • B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
  • C. Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
  • D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

Answer: C

Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-proto
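What the on-premises target has to do with that header, as an added example that is not part of the exam material or AWS's code. With proxy_protocol_v2.enabled set on the target group, the NLB prepends a binary PROXY protocol v2 header to every TCP connection; the server reads it before the application protocol to recover the client's address. The sample header bytes are constructed by build_proxy_v2() in the same block, and the addresses and ports are made up.

```python
"""Parse the PROXY protocol v2 header an NLB prepends when proxy protocol v2 is enabled.

Added example, not the exam's or AWS's code. Sample addresses are constructed.
"""
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 fixed bytes that open every v2 header
PP2_VERSION = 0x2
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_AF_INET, PP2_AF_INET6 = 0x1, 0x2
PP2_PROTO_STREAM = 0x1


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port):
    """Construct a v2 PROXY header for TCP over IPv4 or IPv6, the way a load balancer would."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    family = PP2_AF_INET if src.version == 4 else PP2_AF_INET6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return (PP2_SIGNATURE
            + bytes([(PP2_VERSION << 4) | PP2_CMD_PROXY, (family << 4) | PP2_PROTO_STREAM])
            + struct.pack("!H", len(body))
            + body)


def parse_proxy_v2(data):
    """Return ((src_ip, src_port, dst_ip, dst_port), payload), or (None, payload) for a LOCAL command.

    Raises ValueError for anything that is not a well-formed v2 header. On a listener that only the
    NLB can reach, that is an error to log and close on, not a client without a header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY protocol v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY protocol header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == PP2_CMD_LOCAL:      # health checks from the proxy itself carry no addresses
        return None, payload
    family = fam_proto >> 4
    if family == PP2_AF_INET and length >= 12:
        src, dst, sp, dp = struct.unpack("!4s4sHH", body[:12])
    elif family == PP2_AF_INET6 and length >= 36:
        src, dst, sp, dp = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError("unsupported address family or short address block")
    # Any bytes after the addresses are TLVs (an NLB adds type 0xEA carrying a PrivateLink endpoint
    # ID when the traffic arrived through one); they are left unparsed here.
    return (str(ipaddress.ip_address(src)), sp, str(ipaddress.ip_address(dst)), dp), payload


if __name__ == "__main__":
    # Constructed sample: a client on 198.51.100.7 reaching a database target through the NLB
    sample = build_proxy_v2("198.51.100.7", 51234, "10.0.1.10", 3306) + b"<first bytes of the app protocol>"
    print(parse_proxy_v2(sample))
```

Only trust the header on connections that really come from the load balancer: anything that can open a TCP connection to the target port directly (another on-premises host, for example) can send its own PROXY header and impersonate any client address, so the target's firewall should admit that port from the NLB's private addresses only.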

NEW QUESTION 8
A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic.
Which solution will meet these requirements?

  • A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
  • B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during non-business hours.
  • C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
  • D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.

Answer: A

Explanation:
Mirrored packets are encapsulated in VXLAN and sent to the mirror target on UDP port 4789. A Network Load Balancer with a UDP listener on that port, fronting an Auto Scaling group of analysis instances across several Availability Zones, is the standard way to make the target highly available and to scale it with the volume of mirrored traffic (A). An ALB terminates HTTP/HTTPS only and is not a valid traffic mirror target (B, D), and limiting mirroring to certain hours does not solve the capacity problem. A Gateway Load Balancer endpoint is also a supported target type, but the option as written puts the load balancer itself in front of an Auto Scaling group, which is the NLB design.

NEW QUESTION 9
A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group.
The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone.
What is the MOST operationally efficient solution to resolve this issue?

  • A. Enable the new Availability Zone on the NLB
  • B. Create a new NLB for the instances in the second Availability Zone
  • C. Enable proxy protocol on the NLB
  • D. Create a new target group with the instances in both Availability Zones

Answer: A

Explanation:
When adding instances in a new Availability Zone to an existing Network Load Balancer (NLB), it is important to ensure that the new Availability Zone is enabled on the NLB. This will allow traffic to be routed to instances in both Availability Zones. This can be done by editing the settings of the NLB and selecting the new Availability Zone from the list of available zones.

NEW QUESTION 10
A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway.
Which solution will meet these requirements?

  • A. Create a new VPC for the SD-WAN hub virtual appliance. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.
  • B. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.
  • C. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.
  • D. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the VXLAN and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

Answer: B

Explanation:
Transit Gateway Connect is the attachment type built for SD-WAN appliances: it runs GRE tunnels from the appliance to the transit gateway over an underlying VPC attachment, uses BGP for dynamic routing, and each Connect peer supports up to 5 Gbps (up to four peers per Connect attachment). The transit gateway needs a CIDR block of its own from which the GRE tunnel and BGP peer addresses are allocated, which is why B starts by assigning one. VXLAN (D) is not a supported tunnel protocol for Connect, and a Site-to-Site VPN tunnel to a transit gateway is limited to 1.25 Gbps, so two IPsec tunnels (A, C) fall short of the 5 Gbps requirement.

NEW QUESTION 11
A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?

  • A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.
  • B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
  • C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.
  • D. Modify the transit gateway by selecting multicast support.

Answer: B

Explanation:
A transit gateway normally delivers a flow to the attachment's network interface in the same Availability Zone as the source, so the forward and return directions of a cross-AZ flow can land on different IDS instances, and a stateful appliance that never saw the SYN drops the rest of the connection. Enabling appliance mode support on the shared services VPC attachment (B) makes the transit gateway pin each flow to a single Availability Zone for its lifetime, so both directions reach the same EC2 instance. ECMP support (C) applies to VPN attachments, multicast support (D) is unrelated, and there is no cross-AZ load balancing setting on a VPC attachment (A).

NEW QUESTION 12
Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

  • A. Inbound; Protocol tcp; Source [Instance’s EIP]; Destination 169.254.169.254
  • B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
  • C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
  • D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443

Answer: C

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/. The instance opens an outbound TCP connection to the link-local address on port 80, so the exception is an outbound rule with that destination and port (C); the inbound rules (A, B) never match, and 443 (D) is not the metadata port. IMDSv2, which first obtains a session token with PUT /latest/api/token, uses the same destination and port, so the same rule covers it.

NEW QUESTION 13
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.
Which configuration change should a network engineer implement to resolve this issue?

  • A. Configure the NAT gateway timeout to allow connections for up to 600 seconds.
  • B. Enable enhanced networking on the client EC2 instances.
  • C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.
  • D. Close idle TCP connections through the NAT gateway.

Answer: C

Explanation:
A NAT gateway drops a TCP connection after 350 seconds of inactivity and answers the next packet on it with a RST, not a FIN. A query that produces no traffic for 7 minutes crosses that limit, so the response from the database never reaches the client. TCP keepalive probes sent at an interval below 300 seconds keep the flow active in the NAT gateway's state table for as long as the database is working (C). The NAT gateway idle timeout is not configurable (A), enhanced networking does not change how idle flows are tracked (B), and closing idle connections (D) is the failure, not the remedy.
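Setting that keepalive on the client socket, as an added example that is not part of the exam material or AWS's code. The 350-second figure is the documented NAT gateway idle timeout; the probe schedule (first probe after 240 s idle, then every 30 s, three probes) is an assumed choice that leaves a margin below that timeout.

```python
"""Enable TCP keepalive on a client socket so a NAT gateway does not drop a quiet connection.

Added example, not the exam's or AWS's code. The probe schedule is an assumed choice.
"""
import socket
import sys

NAT_GATEWAY_IDLE_TIMEOUT = 350  # seconds; AWS NAT gateway times out idle TCP connections after this


def enable_keepalive(sock, idle=240, interval=30, probes=3):
    """Turn on keepalive probes so the first one leaves before the NAT gateway idle timeout expires."""
    if idle >= NAT_GATEWAY_IDLE_TIMEOUT:
        raise ValueError(f"idle={idle}s must be below the NAT gateway timeout of {NAT_GATEWAY_IDLE_TIMEOUT}s")
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if sys.platform.startswith("linux"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    elif sys.platform == "darwin":
        # macOS exposes only the idle time (TCP_KEEPALIVE, 0x10); interval and count stay at defaults
        sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, "TCP_KEEPALIVE", 0x10), idle)
    elif sys.platform == "win32":
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))
    return sock


def keepalive_settings(sock):
    """Read back what the kernel will actually do (Linux reports all three timers)."""
    settings = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    if sys.platform.startswith("linux"):
        settings["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
        settings["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
        settings["probes"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return settings


def new_client_socket(idle=240, interval=30, probes=3):
    """Unconnected TCP socket with keepalive configured; call connect() on it for the database session."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return enable_keepalive(sock, idle, interval, probes)


if __name__ == "__main__":
    s = new_client_socket()
    print(keepalive_settings(s))   # on Linux: {'enabled': True, 'idle': 240, 'interval': 30, 'probes': 3}
    s.close()
```

Database drivers that hand you the underlying socket (or a keepalive parameter, as libpq's keepalives_idle does) can apply the same values; setting only the system-wide net.ipv4.tcp_keepalive_time is the alternative when the client code cannot be changed.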

NEW QUESTION 14
A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall.
Which change should a network engineer implement to meet these requirements?

  • A. Update the DNS Firewall VPC configuration to disable fail open for the VPC.
  • B. Update the DNS Firewall VPC configuration to enable fail open for the VPC.
  • C. Create a new DHCP options set with parameter dns_firewall_fail_open=false. Associate the new DHCP options set with the VPC.
  • D. Create a new DHCP options set with parameter dns_firewall_fail_open=true. Associate the new DHCP options set with the VPC.

Answer: B

Explanation:
Fail open is a setting of the DNS Firewall configuration for the VPC itself. By default Route 53 Resolver fails closed, so a query for which DNS Firewall returns no response is blocked; enabling fail open lets such queries resolve as if no rule applied, trading a short window of uninspected resolution for availability (B). Disabling it (A) is the current, stricter behaviour. DHCP options sets carry only domain name, DNS server, NTP and NetBIOS parameters; there is no dns_firewall_fail_open option (C, D).

NEW QUESTION 15
A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.
In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

  • A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
  • B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0.
  • C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
  • D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.
  • E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch. Associate the new security group with the endpoint network interfaces.
  • F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.

Answer: ACD

Explanation:
Without the NAT gateway the agent can reach CloudWatch only through interface VPC endpoints for the two APIs it uses: com.amazonaws.us-west-2.logs for PutLogEvents and com.amazonaws.us-west-2.monitoring for PutMetricData (D); there is no cloudwatch endpoint service name (E). The endpoint network interfaces are the destination of the traffic, so the security group attached to them needs an inbound rule for TCP 443 from the private subnet prefixes (C); an outbound rule on that group (B) does nothing for incoming connections. For the agent to keep using the regional service hostnames, the endpoints' private DNS must work, which requires enableDnsSupport and enableDnsHostnames to be true on the VPC (A). Associating an endpoint with route tables (F) applies to gateway endpoints (S3 and DynamoDB), not to interface endpoints.

NEW QUESTION 16
A company is using an AWS Site-to-Site VPN connection from the company's on-premises data center to a virtual private gateway in the AWS Cloud. Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort.
Which solution will meet these requirements?

  • A. Edit the existing Site-to-Site VPN connection by enabling acceleration. Stop and start the VPN service on the customer gateway for the new setting to take effect.
  • B. Configure a transit gateway in the same AWS Region as the existing virtual private gateway. Create a new accelerated Site-to-Site VPN connection. Connect the new connection to the transit gateway by using a VPN attachment. Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.
  • C. Create a new accelerated Site-to-Site VPN connection. Connect the new Site-to-Site VPN connection to the existing virtual private gateway. Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.
  • D. Create a new AWS Direct Connect connection with a private VIF between the on-premises data center and the AWS Cloud. Update the customer gateway device to use the new Direct Connect connection. Delete the existing Site-to-Site VPN connection.

Answer: B

Explanation:
An accelerated Site-to-Site VPN uses AWS Global Accelerator so the tunnels enter the AWS network at the nearest edge location instead of crossing the congested internet all the way to the Region. Acceleration is chosen when the VPN connection is created and cannot be switched on for an existing connection (A), and it is supported only for VPN connections attached to a transit gateway, not a virtual private gateway (C). Direct Connect (D) would take the traffic off the internet but takes weeks to provision. Creating a transit gateway, attaching a new accelerated VPN to it, repointing the customer gateway device and deleting the old connection is the quickest change with the least administration.

NEW QUESTION 17
......
