Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.
The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs.
Which step should you take to meet the requirements?
A. Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.
B. Configure an IPsec VPN between the virtual private gateway in each application VPC and the virtual private gateway in the shared services VPC.
C. Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.
D. Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.
An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?
A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.
D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon S3.
A Network Engineer is troubleshooting a network connectivity issue for an instance within a public subnet that cannot connect to the internet. As a first step, the Engineer connects to the instance over SSH via a local bastion within the VPC and runs an ifconfig command to inspect the IP addresses configured on the instance. The output is as follows:
The Engineer notices that the command output does not contain a public IP address. In the AWS Management Console, the public subnet has a route to the internet gateway. The instance also has a public IP address associated with it.
What should the Engineer do next to troubleshoot this situation?
A. Configure the public IP on the interface.
B. Disable source/destination checking for the instance.
C. Associate an Elastic IP address to the interface.
D. Evaluate the security groups and the network access control list.
Your network utilizes jumbo frames on its servers and your router. You are trying to access your AWS resources, and you are having issues with packet loss. What is the best solution?
A. Remove the "Do not Fragment" flag on the packets.
B. Lower the MTU for your network.
C. Call AWS support.
D. You will have to upgrade to Direct Connect.
You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)
A. Create two subnets in the same AZ and create a placement group.
B. Set the MTU of your instances to 1500.
C. Create two subnets in different AZs and create a placement group.
D. Ensure you choose instances that use enhanced networking.
You are using the CLI to assign multiple IP addresses to interfaces. The operation fails. What is the most likely reason?
A. You cannot assign IP addresses in the CLI.
B. You can only assign 5 IP addresses at a time through the CLI.
C. One or more of the IP addresses could not be assigned.
D. All of the IP addresses could not be assigned.
What number does the binary number 10101000 correspond to?
A. 168
B. 128
C. 192
D. 160
What two items are required for all AWS VPNs? (Choose two.)
A. Virtual Private Gateway
B. ASN
C. A hardware router
D. Customer Gateway
You are your company's AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 dedicated departmental VPCs (VPC-Dept1 and VPC-Dept2). The centralised VPC is peered with both of the departmental VPCs; that is, a VPC peering connection exists between VPC-Shared and VPC-Dept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2.
Select the correct option from the list below.
A. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been disabled.
B. Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa, regardless of who initiates communication.
C. All network communication remains blocked between all VPCs until the respective peering bidirectional communication flags are set to the appropriate setting that allows traffic to flow.
D. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been enabled.
In the context of CloudFront RTMP Distribution, the Adobe Flash Media Server _________ file specifies which domains can access media files in a particular domain.
A. accessdomain.JSON
B. crossdomain.xml
C. accessdomain.xml
D. crossdomain.JSON
You have a web application (app.mycompany.com) running on an EC2 instance with a single elastic network interface in a subnet in a VPC. Because of a network redesign, you need to move the web application to a different subnet in the same Availability Zone.
Which of the following migration strategies meets the requirements?
A. Create an elastic network interface in the new subnet. Attach this interface to the instance, and detach the old interface.
B. Launch a new instance in the subnet via an AMI created from the instance, and redirect new connections to this new instance using DNS. Decommission the old instance.
C. Make an API call to change the subnet association of the elastic network interface.
D. Change the IP addresses manually to another subnet within the server operating system.
A user has data that is generated randomly based on a certain event. The user wants to upload that data to CloudWatch. Because of the randomness, the event may not generate any data for some periods.
Which of the following options is recommended in this case?
A. For the period when there is no data, the user should not send the data at all
B. The user must upload the data to CloudWatch as having no data for some period will cause an error at CloudWatch monitoring
C. For the period when there is no data the user should send the value as 0
D. For the period when there is no data the user should send a blank value
You wish to host a mail server on an EC2 instance. What two steps must you take to ensure utmost reliability?
A. Create an EIP for the instance.
B. Configure the mail service to serve as an open relay.
C. Contact AWS to have a Reverse DNS record configured and to help keep your domain from SPAM blacklists.
D. Provide open security group access to your instance on ports 25, 3389 and 22.
A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy.
Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?
A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.
C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
An IT company wants to securely perform a one-off migration of its on-premises VMs to the AWS Cloud by using AWS Server Migration Service (AWS SMS). For the first phase of the migration, the company must migrate 50 development VMs in batches during non-peak times over the next 7 days. The VMs are between 2 GB and 5 GB in size. The company has 1 Gbps of available bandwidth over the internet.
Which network connectivity option meets these requirements MOST cost-effectively?
A. Contact an AWS partner to order a hosted VIF.
B. Use the existing internet connection.
C. Order an AWS Direct Connect connection. Provision a public VIF.
D. Create a VPN connection to AWS.