Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Amazon Web Services ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty

Amazon Web Services ANS-C01 Premium Access     Download Demo    
Page: 8 / 8
Total 288 questions

A company has developed a web service for language translation. The web service's application runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) and are deployed in a private subnet. The web service can process requests that contain hundreds of megabytes of data.

The company needs to give some customers the ability to access the web service. Each customer has its own AWS account. The company must make the web service accessible to approved customers without making the web service accessible to all customers.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)

A.

Create VPC peering connections with the approved customers only.

B.

Create an AWS PrivateLink endpoint service. Configure the endpoint service to require acceptance that will be granted to approved customers only.

C.

Configure an authentication action for the endpoint service's load balancer to allow customers to log in by using their AWS credentials. Provide only approved customers with the URL.

D.

Configure a Network Load Balancer (NLB) and a listener with the ALB as a target. Associate the NLB with the endpoint service.

E.

Associate the ALB with the endpoint service.

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.

A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.

Which solution will meet these requirements?

A.

Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

B.

Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnetroute tables to point IPv6 traffic to the NAT instance.

C.

Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

D.

Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

A network engineer is using AWS Direct Connect connections and MACsec to encrypt data from a corporate data center to the Direct Connect location. The network engineer learns that the MACsec secret key might have been compromised. The network engineer needs to update the connection with an uncompromised secure key.

Which solution will meet this requirement?

A.

Create a new MACsec secret key that uses an AWS Key Management Service (AWS KMS) AWS managed key. Associate the new pre-shared key, Connection Key Name (CKN). and Connectivity Association Key (CAK) with the connection.

B.

Create a new MACsec secret key that uses an AWS Key Management Service (AWS KMS) customer managed key. Associate the new pre-shared key, Connection Key Name (CKN). and Connectivity Association Key (CAK) with the connection.

C.

Modify the existing MACsec secret key. Re-associate the existing pre-shared key. Connection Key Name (CKN), and Connectivity Association Key (CAK) with the connection.

D.

Modify the existing MACsec secret key. Associate the new pre-shared key. ConnectionKey Name (CKN). and Connectivity Association Key (CAK) with the connection.

A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public websites. The application requires the customer’s source IP addresses.

A network engineer must implement a load balancing strategy that meets these requirements.

Which combination of actions should the network engineer take to accomplish this goal? (Choose two.)

A.

Use a Network Load Balancer

B.

Retrieve client IP addresses by using the X-Forwarded-For header

C.

Use AWS App Mesh load balancing

D.

Retrieve client IP addresses by using the X-IP-Source header

E.

Use an Application Load Balancer.

A company has two teams: Team A and Team B. Team A has VPCs that run in Account A. The team uses a transit gateway (TGW-A) to route traffic between workloads that run in the different VPCs. Similarly, Team Ð’ has VPCs that run in Account B. Team Ð’ uses a different transit gateway (TGW-B) to route traffic between workloads that run in the different VPCs.

The company's network team manages the routing for Team A and Team Ð’. The network team wants to retire TGW-B and use a single transit gateway to manage routing for the VPCs of both teams.

Which solution will meet this requirement with the LEAST operational overhead?

A.

Create a resource share for TGW-A Share TGW-A with Account B. Create VPC attachments for the VPCs in Account Ð’. Configure routing for the VPCs in TGW-A route tables. Update the route tables of the VPCs in Account Ð’ to forward traffic to TGW-A. Delete TGW-B attachments and TGW-B.

B.

Create a resource share for TGW-A. Share TGW-A with Account Ð’. Replicate the TGW-B configuration to TGW-A to automatically start routing changes for the VPCs in Account Ð’. Delete TGW-B when routing changes are complete.

C.

Create a new transit gateway (TGW-C) in Account A. Create a resource share for TGW-C. Share TGW-C with Account B. Create VPC attachments for the VPCs in Account A and Account Ð’. Configure routing for all the VPCs in TGW-C route tables. Update the routetables for the VPCs in Account A and Account Ð’ to forward traffic to TGW-C. Delete TGW-A attachments and TGW-B attachments. Delete TGW-A and TGW-B.

D.

Create a new transit gateway (TGW-C) in a new account (Account C). Create a resource share for TGW-C. Share TGW-C with Account A and Account B. Create VPC attachments for the VPCs in Account A and Account Ð’. Configure routing for all the VPCs in TGW-C route tables. Update the route tables for the VPCs in Account A and Account Ð’ to forward traffic to TGW-C. Delete TGW-A attachments and TGW-B attachments. Delete TGW-A and TGW-B.

A logistics company has multiple VPCs in an AWS Region. The company uses a transit gateway to connect the VPCs. The company has several on-premises offices that connect to the transit gateway by using AWS Site-to-Site VPN connections over the internet. The company has configured one transit gateway VPN attachment for each office.

Route propagation is enabled on all route tables. Each Site-to-Site VPN connection uses two tunnels in an active-passive configuration. The company configured each office with appropriate static routes on both the Site-to-Site VPN connection and the office’s customer gateway.

The company wants to use both IPsec tunnels of every office to maximize the overall VPN connection bandwidth.

Which design changes are necessary to meet these requirements?

A.

Create an AWS Transit Gateway Connect attachment for each office Use the existing VPN attachments as the transport for the new Connect attachments. Set up a Generic Routing

Encapsulation (GRE) tunnel on each customer gateway that terminates on the Connect attachment for each office. Move the static routes from the transit gateway VPN attachment to the customer gateway for the transit gateway Connect attachment.

B.

Enable equal-cost multi-path (ECMP) routing on the transit gateway. Ensure ECMP is supported by and enabled on the customer gateways. Enable ECMP on the Site-to-Site VPN connection. Ensure static routes on the customer gateways have equal metrics and administrative distance.

C.

Enable equal-cost multi-path (ECMP) routing on the transit gateway. (Ensure ECMP is supported by and enabled on the customer gateways. Change the routing configuration between the transit gateway and the customer gateways from static routing to BGP. Remove related static routes from the customer gateways.

D.

Enable equal-cost multi-path (ECMP) routing on the transit gateway. Ensure ECMP is supported by and enabled on the customer gateways. Change the routing configuration between the transit gateway and the customer gateways from static routing to BGP. Ensure the customer gateway applies the correct community strings to give the transit gateway the ability to perform ECMP forwarding.

AnyCompany deploys and manages networking resources in its AWS network account, named Account-A. AnyCompany acquires Example Corp, which has an application that runs behind an Application Load Balancer (ALB) in Example Corp's AWS account, named Account-B.

Example Corp needs to use AWS Global Accelerator to create an accelerator to publish the application to users. AnyCompany's networking team will manage the accelerator.

Which solution will meet these requirements with the LEAST management overhead?

A.

Create an accelerator in Account-Ð’. Use a cross-account role from Account-A to grant the networking team access to manage the accelerator.

B.

Deploy a Network Load Balancer (NLB) in Account-A to route traffic to the ALB in Account-Ð’. Create an accelerator, and set the NLB as the endpoint in Account-A.

C.

Create a cross-account Global Accelerator attachment in Account-Ð’ for the Account-A principal. Create an accelerator in Account-A by using the shared attachment.

D.

Create an accelerator in Account-A. Use AWS Resource Access Management (AWS RAM) to share the accelerator with Account-Ð’. Associate the ALB in Account-Ð’ with the accelerator in Account-A.

A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.

Which solution will meet these requirements while providing the HIGHEST throughput?

A.

Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.

B.

Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.

C.

Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.

D.

Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.