AWS-Certified-Advanced-Networking-Specialty Exam - Amazon AWS Certified Advanced Networking - Specialty

certleader.com

Your success in Amazon AWS-Certified-Advanced-Networking-Specialty is our sole target and we develop all our AWS-Certified-Advanced-Networking-Specialty braindumps in a way that facilitates the attainment of this target. Not only is our AWS-Certified-Advanced-Networking-Specialty study material the best you can find, it is also the most detailed and the most updated. AWS-Certified-Advanced-Networking-Specialty Practice Exams for Amazon AWS-Certified-Advanced-Networking-Specialty are written to the highest standards of technical accuracy.

Check AWS-Certified-Advanced-Networking-Specialty free dumps before getting the full version:

NEW QUESTION 1
A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall.
Which change should a network engineer implement to meet these requirements?

  • A. Update the DNS Firewall VPC configuration to disable fail open for the VPC.
  • B. Update the DNS Firewall VPC configuration to enable fail open for the VPC.
  • C. Create a new DHCP options set with parameter dns_firewall_fail_open=false. Associate the new DHCP options set with the VPC.
  • D. Create a new DHCP options set with parameter dns_firewall_fail_open=true. Associate the new DHCP options set with the VPC.

Answer: B

NEW QUESTION 2
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route.
The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost.
Which solution will meet these requirements?

  • A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
  • B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT gateway. Connect to Amazon S3 by using the NAT gateway.
  • C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3.
  • D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.

Answer: C

Explanation:
Option C is the optimal solution as it involves deploying the EC2 instances in the private subnets, which provides additional security benefits. Additionally, creating an S3 gateway endpoint in the VPC will enable the EC2 instances to communicate with Amazon S3 directly, without incurring data transfer costs. This is because the S3 gateway endpoint uses Amazon's private network to transfer data between the VPC and S3, which is not charged for data transfer. Furthermore, specifying the route table of the private subnets during endpoint creation will create routes to Amazon S3, which is required for the EC2 instances to communicate with S3.

NEW QUESTION 3
A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.
How can this requirement be achieved?

  • A. Use a Network Load Balancer to automatically preserve the source IP address.
  • B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
  • C. Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
  • D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

Answer: C

Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-proto

NEW QUESTION 4
A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

  • A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
  • B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
  • C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
  • D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
  • E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Answer: AD

Explanation:
To investigate the increased usage of a NAT gateway in a VPC architecture with ALBs and backend EC2 instances, a network engineer can use the following options:
  • Enable VPC flow logs on the NAT gateway's elastic network interface and publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs. (Option A)
  • Enable VPC flow logs on the NAT gateway's elastic network interface and publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure and use Athena to query and analyze the logs. (Option D)
These options allow for detailed analysis of traffic through the NAT gateway to identify the source of increased usage.

NEW QUESTION 5
A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs.
Which route table configurations on the transit gateway will meet these requirements?

  • A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
  • B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.
  • C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
  • D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

Answer: A

NEW QUESTION 6
An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

  • A. Use an internet connection.
  • B. Set up an AWS VPN connection.
  • C. Provision an AWS Direct Connect private virtual interface.
  • D. Provision a Direct Connect public virtual interface.

Answer: A

NEW QUESTION 7
An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

  • A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
  • B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
  • C. Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.
  • D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

Answer: C

Explanation:
https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

NEW QUESTION 8
A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office.
The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget.
What should the network engineer do to meet these requirements MOST cost-effectively?

  • A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).
  • B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.
  • C. Deploy Amazon WorkSpaces into the application VPC. Instruct the remote employees to connect to WorkSpaces.
  • D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.

Answer: A

Explanation:
Setting up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application would provide more bandwidth and lower latency than a VPN connection over the public internet. Creating a link aggregation group (LAG) with the existing and new Direct Connect connections would provide resiliency and redundancy for the AWS connectivity.

NEW QUESTION 9
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?

  • A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
  • B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
  • C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
  • D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

Answer: B

Explanation:
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-usin

NEW QUESTION 10
A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps.
The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architecture and allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers. This traffic will increase over time.
Which solution will meet these requirements?

  • A. Set up an AWS Direct Connect connection from each data center to AWS in each Region. Create and attach private VIFs to a single Direct Connect gateway. Attach the Direct Connect gateway to all the VPCs. Remove the existing VPN connections that are attached directly to the virtual private gateways.
  • B. Create a single transit gateway with VPN connections from each data center. Share the transit gateway with each account by using AWS Resource Access Manager (AWS RAM). Attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.
  • C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transit gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.
  • D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC. Create new VPN connections from each data center to the transit VPC. Terminate the original VPN connections that are attached to all the original VPCs. Retain the new VPN connection to the new transit VPC in each Region.

Answer: C

NEW QUESTION 11
A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware.
Which solution will meet this requirement with the LEAST operational effort?

  • A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
  • B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
  • C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
  • D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.

Answer: A

Explanation:
This solution involves using Amazon GuardDuty to monitor network traffic and analyze DNS requests and VPC flow logs for suspicious activity. This will allow the company to identify when an application is spreading malware by monitoring the network traffic patterns associated with the instance. GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts and workloads. It requires minimal setup and configuration and can be integrated with other AWS services for automated remediation. This solution requires the least operational effort compared to the other options.

NEW QUESTION 12
A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?

  • A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only
  • B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
  • C. Associate an AWS WAF web ACL with the ALB, and create a security rule to enforce forward secrecy (FS)
  • D. Change the ALB security policy to a policy that supports forward secrecy (FS)

Answer: D

NEW QUESTION 13
A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed.
What should a network engineer do to meet these requirements with the LEAST amount of configuration?

  • A. Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
  • B. Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
  • C. Set up an AWS Client VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.
  • D. Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.

Answer: A

Explanation:
Setting up an AWS Site-to-Site VPN connection between on premises and AWS would enable a secure and encrypted connection over the public internet. Deploying an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC would enable forwarding of DNS queries for on-premises servers to the on-premises DNS servers. This would allow EC2 instances in the VPC to resolve names of on-premises servers during the migration period. After the migration period, the Route 53 Resolver outbound endpoint can be deleted with minimal configuration changes.

NEW QUESTION 14
A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80.
When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges.
Which solution will meet these requirements in the MOST operationally efficient manner?

  • A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.
  • B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.
  • C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address ranges. Update the prefix list with the new IP address range when the company adds a new partner.
  • D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.

Answer: C

Explanation:
Creating a new prefix list and adding all allowed IP address ranges to the prefix list would enable grouping of CIDR blocks that can be referenced in security group rules. Sharing the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM) would enable central management of the partner network IP address ranges. Updating security groups to use the prefix list instead of the partner IP address ranges would enable simplification of security group rules. Updating the prefix list with the new IP address range when the company adds a new partner would enable automatic propagation of the changes to all security groups that use the prefix list.

NEW QUESTION 15
A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven times during the company’s peak event at the end of the year.
The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries to the default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domain names. The company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDS and S3 bucket endpoints.
Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?

  • A. Scale out the DNS service by adding two additional EC2 instances in the VPC. Reconfigure half of the HPC cluster nodes to use these new DNS servers. Plan to scale out by adding additional EC2 instance-based DNS servers in the future as the HPC cluster size grows.
  • B. Scale up the existing EC2 instances that the company is using as DNS servers. Change the instance size to the largest possible instance size to accommodate the current DNS load and the anticipated load in the future.
  • C. Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for on-premises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-based DNS servers. Terminate the EC2 instances.
  • D. Create Route 53 Resolver inbound endpoints. Create rules on the on-premises DNS servers to forward queries to the default VPC resolver. Reconfigure the HPC cluster nodes to forward all DNS queries to the on-premises DNS servers. Terminate the EC2 instances.

Answer: C

NEW QUESTION 16
......

P.S. Easily pass AWS-Certified-Advanced-Networking-Specialty Exam with 154 Q&As Certleader Dumps & pdf Version, Welcome to Download the Newest Certleader AWS-Certified-Advanced-Networking-Specialty Dumps: https://www.certleader.com/AWS-Certified-Advanced-Networking-Specialty-dumps.html (154 New Questions)