
ANS-C01 Online Practice Questions and Answers

Question 4

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?

A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.

C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Question 5

A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80. When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges. Which solution will meet these requirements in the MOST operationally efficient manner?

A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.

B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.

C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address range. Update the prefix list with the new IP address range when the company adds a new partner.

D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.

Question 6

A financial trading company is using Amazon EC2 instances to run its trading platform. Part of the company's trading platform includes a third-party pricing service that the EC2 instances communicate with over UDP on port 50000. Recently, the company has had problems with the pricing service. Some of the responses from the pricing service appear to be incorrectly formatted and are not being processed successfully. The third-party vendor requests access to the data that the pricing service is returning. The third-party vendor wants to capture request and response data for debugging by logging in to an EC2 instance that accesses the pricing service. The company prohibits direct access to production systems and requires all log analysis to be performed in a dedicated monitoring account. Which set of steps should a network engineer take to capture the data and meet these requirements?

A.
1. Configure VPC flow logs to capture the data that flows in the VPC.
2. Send the data to an Amazon S3 bucket.
3. In the monitoring account, extract the data that flows to the EC2 instance's IP address and filter the traffic for the UDP data.
4. Provide the data to the third-party vendor.

B.
1. Configure a traffic mirror filter to capture the UDP data.
2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface.
3. Configure a packet inspection package on a new EC2 instance in the production environment. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
4. Extract the data by using the packet inspection package.
5. Provide the data to the third-party vendor.

C.
1. Configure a traffic mirror filter to capture the UDP data.
2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface.
3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
4. Extract the data by using the packet inspection package.
5. Provide the data to the third-party vendor.

D.
1. Create a new Amazon Elastic Block Store (Amazon EBS) volume. Attach the EBS volume to the EC2 instance.
2. Log in to the EC2 instance in the production environment. Run the tcpdump command to capture the UDP data on the EBS volume.
3. Export the data from the EBS volume to Amazon S3.
4. Provide the data to the third-party vendor.

Question 7

A company uses an AWS Direct Connect private VIF with a link aggregation group (LAG) that consists of two 10 Gbps connections. The company's security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company's network team plans to use MACsec support for Direct Connect to meet the new requirement. Which combination of steps should the network team take to implement this functionality? (Choose three.)

A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.

B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.

C. Associate the Internet Key Exchange (IKE) with the existing LAG.

D. Configure the MACsec encryption mode on the existing LAG.

E. Configure the MACsec encryption mode on the new LAG.

F. Configure the MACsec encryption mode on each Direct Connect connection that makes up the existing LAG.

Question 8

An IoT company collects data from thousands of sensors that are deployed in the United States and South Asia. The sensors use a proprietary communication protocol that is built on UDP to send the data to a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group and run behind a Network Load Balancer (NLB). The instances, Auto Scaling group, and NLB are deployed in the us-west-2 Region. Occasionally, the data from the sensors in South Asia gets lost in transit over the internet and does not reach the EC2 instances. Which solutions will resolve this issue? (Choose two.)

A. Use AWS Global Accelerator with the existing NLB.

B. Create an Amazon CloudFront distribution. Specify the existing NLB as the origin.

C. Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 latency routing policy to resolve to the Region that provides the least latency.

D. Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 failover routing policy to resolve to an alternate Region in case packets are dropped.

E. Turn on enhanced networking on the EC2 instances by using the most recent Elastic Network Adapter (ENA) drivers.

Question 9

A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

A. Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.

B. Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.

C. Turn on VPC Flow Logs on the EC2 instances. Specify the default format and a log destination of Amazon CloudWatch Logs. Analyze the flow log data by using CloudWatch Logs Insights.

D. Turn on VPC Flow Logs on the EC2 instances. Specify a custom format and a log destination of Amazon S3. Analyze the flow log data by using Amazon Athena.

Question 10

A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM) in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool.

A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account.

Which solution will meet these requirements?

A. Create a new AWS Config rule to find all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke an AWS Lambda function to delete these VPCs.

B. Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.

C. Create an AWS Lambda function to check for and delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke the Lambda function at regular intervals.

D. Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.

Question 11

A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway.

The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center.

In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet.

Which set of steps should a network engineer take to meet these requirements?

A.
1. Create public subnets in the Tokyo VPC to migrate the workloads into.
2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC.
3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads.
4. Create peering connections between the Tokyo VPC and the Paris VPCs.
5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.

B.
1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC.
2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway.
3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway.
4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.

C.
1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC.
2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway.
3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target.
4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.

D.
1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway.
2. Create an association between the Paris transit gateway and the Tokyo VPC.
3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPC.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
Last Update: Mar 12, 2025
Questions: 240 Q&As
