We provide actual Amazon AWS-Certified-Advanced-Networking-Specialty questions, which are the best for clearing the AWS-Certified-Advanced-Networking-Specialty test and for getting certified by Amazon as an AWS Certified Advanced Networking - Specialty. The AWS-Certified-Advanced-Networking-Specialty Questions & Answers cover all the knowledge points of the real AWS-Certified-Advanced-Networking-Specialty exam. Crack your Amazon AWS-Certified-Advanced-Networking-Specialty Exam with the latest dumps, guaranteed!
Online Amazon AWS-Certified-Advanced-Networking-Specialty free dumps demo below:
NEW QUESTION 1
An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?
- A. Use an internet connection.
- B. Set up an AWS VPN connection.
- C. Provision an AWS Direct Connect private virtual interface.
- D. Provision a Direct Connect public virtual interface.
Answer: A
NEW QUESTION 2
An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time.
Which solution meets these requirements?
- A. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
- B. Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
- C. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC and s
Answer: A
Explanation:
Creating a private hosted zone for each application VPC and creating the requisite records would enable end-to-end domain name resolution for the resources. Creating a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC would enable bi-directional DNS resolution between AWS and the existing on-premises environments. Defining Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver would enable DNS queries from AWS resources to on-premises resources. Associating the application VPC private hosted zones with the egress VPC and sharing the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager would enable DNS queries among different VPCs and accounts. Configuring the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints would enable DNS queries from on-premises resources to AWS resources.
NEW QUESTION 3
A network engineer needs to standardize a company's approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company's network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet.
What should the network engineer do to meet these requirements?
- A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
- B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account.
- C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account.
- D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
Answer: A
NEW QUESTION 4
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route.
The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost.
Which solution will meet these requirements?
- A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
- B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT gateway. Connect to Amazon S3 by using the NAT gateway.
- C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3.
- D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
Answer: C
Explanation:
Option C is the optimal solution as it involves deploying the EC2 instances in the private subnets, which provides additional security benefits. Additionally, creating an S3 gateway endpoint in the VPC will enable the EC2 instances to communicate with Amazon S3 directly, without incurring data transfer costs. This is because the S3 gateway endpoint uses Amazon's private network to transfer data between the VPC and S3, which is not charged for data transfer. Furthermore, specifying the route table of the private subnets during endpoint creation will create routes to Amazon S3, which is required for the EC2 instances to communicate with S3.
NEW QUESTION 5
A company’s network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources.
Which solution will meet these requirements?
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
- B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
- C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.
- D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.
Answer: C
Explanation:
Recording the current state of network resources by using AWS Config would enable auditing and assessment of resource configurations and compliance. Creating rules that reflect the desired configuration settings would enable evaluation of whether the network resources comply with network security policies. Setting remediation for noncompliant resources would enable automatic correction of undesired configurations.
NEW QUESTION 6
A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.
The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.
Which solution will meet these requirements with the LEAST amount of operational overhead?
- A. Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
- B. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
- C. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
- D. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT instance.
Answer: C
NEW QUESTION 7
A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use.
Employees at the London office are experiencing latency issues when they connect to the business applications.
What should a network engineer do to reduce this latency?
- A. Create a new Site-to-Site VPN connection. Set the transit gateway as the target gateway. Enable acceleration on the new Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.
- B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway. Enable acceleration on the existing Site-to-Site VPN connection.
- C. Create a new transit gateway in the eu-west-2 (London) Region. Peer the new transit gateway with the existing transit gateway. Modify the existing Site-to-Site VPN connection by setting the new transit gateway as the target gateway.
- D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.
Answer: A
Explanation:
Enabling acceleration for a Site-to-Site VPN connection uses AWS Global Accelerator to route traffic from the on-premises network to an AWS edge location that is closest to the customer gateway device. AWS Global Accelerator optimizes the network path, using the congestion-free AWS global network to route traffic to the endpoint that provides the best application performance. Setting the transit gateway as the target gateway enables connectivity between the on-premises network and multiple VPCs that are attached to the transit gateway.
NEW QUESTION 8
A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway.
Which solution will meet these requirements?
- A. Create a new VPC for the SD-WAN hub virtual appliance. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.
- B. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.
- C. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.
- D. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the VXLAN and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.
Answer: D
NEW QUESTION 9
A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational overhead?
- A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.
- B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute traffic from the Direct Connect private VIF to the new VPNs.
- C. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the new Direct Connect connections. Decommission the original Direct Connect connections.
- D. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections. Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site connections. Decommission the original Direct Connect connections.
Answer: C
NEW QUESTION 10
A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)
- A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
- B. Set up AWS WAF on all network components.
- C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
- D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
- E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
- F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.
Answer: DEF
Explanation:
To meet the requirements for the healthcare company’s workload that is moving to the AWS Cloud, the network engineer should take the following steps:
Use AWS Direct Connect with MACsec support for connectivity to the cloud to ensure that all data to and from the on-premises environment is encrypted in transit (Option D).
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection to inspect all traffic in the cloud before it is allowed to leave (Option E).
Configure AWS Shield Advanced and ensure that it is configured on all public assets to secure components exposed to the internet against DDoS attacks and provide protection against financial liability for services that scale out during a DDoS event (Option F).
These steps will help ensure that all data is encrypted in transit, all traffic is inspected before leaving the cloud, and components exposed to the internet are secured against DDoS attacks.
NEW QUESTION 11
A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company’s on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:
• Application VPCs must be isolated from each other.
• Bidirectional communication must be allowed between the application VPCs and the on-premises network.
• Bidirectional communication must be allowed between the application VPCs and the shared services VPC.
The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC.
The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables.
Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)
- A. Configure a separate transit gateway route table for on premises. Associate the VPN attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
- B. Configure a separate transit gateway route table for each application VPC. Associate each application VPC attachment with its respective transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
- C. Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
- D. Configure a separate transit gateway route table for the shared services VPC. Associate the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
- E. Configure a separate transit gateway route table for on premises and the shared services VPC. Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
Answer: BD
NEW QUESTION 12
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer.
Which architecture will meet these requirements MOST cost-effectively?
- A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
- C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
Answer: B
NEW QUESTION 13
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
- A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts. 2. In the Connectivity account: Accept the resource. 3. In the Connectivity account: Create an attachment to the VPC subnets. 4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts. 2. In the Connectivity account: Accept the resource. 3. In the Production account: Create an attachment on the transit gateway to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
- C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets. 4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Production account: Create an attachment to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
Answer: A
Explanation:
Step 1: In the Production account, create a resource share in AWS Resource Access Manager for the transit gateway and provide the Connectivity account ID. Enabling the feature to allow external accounts is also required to share resources between accounts. Step 2: In the Connectivity account, accept the shared resource. This action will allow the Production account to use the transit gateway in the Connectivity account. Step 3: In the Connectivity account, create an attachment to the VPC subnets. This attachment will enable communication between the VPC in the Production account and the transit gateway in the Connectivity account. Step 4: In the Production account, accept the attachment and associate a route table with the attachment. This will enable the VPC to route traffic through the transit gateway to other resources in the Connectivity account.
NEW QUESTION 14
A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB.
The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process.
What should a network engineer do to resolve this issue?
- A. Modify the ALB listener configuration. Edit the rule that forwards traffic to the target group. Change the rule to enable group-level stickiness. Set the duration to the maximum application session length.
- B. Replace the ALB with a Network Load Balancer. Create a TLS listener. Create a new target group with the protocol type set to TLS. Register the EC2 instances. Modify the target group configuration by enabling the stickiness attribute.
- C. Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.
- D. Remove the ALB. Create an Amazon Route 53 rule with a failover routing policy for the application name. Configure ACM to issue certificates for each EC2 instance.
Answer: C
NEW QUESTION 15
A company operates its IT services through a multi-site hybrid infrastructure. The company deploys resources on AWS in the us-east-1 Region and in the eu-west-2 Region. The company also deploys resources in its own data centers that are located in the United States (US) and in the United Kingdom (UK). In both AWS Regions, the company uses a transit gateway to connect 15 VPCs to each other. The company has created a transit gateway peering connection between the two transit gateways. The VPC CIDR blocks do not overlap with each other or with IP addresses used within the data centers. The VPC CIDR prefixes can also be aggregated either on a Regional level or for the company's entire AWS environment.
The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through Interior BGP (iBGP) sessions. The data centers maintain connectivity to AWS through one AWS Direct Connect connection in the US and one Direct Connect connection in the UK. Each Direct Connect connection is terminated on a Direct Connect gateway and is associated with a local transit gateway through a transit VIF.
Traffic follows the shortest geographical path from source to destination. For example, packets from the UK data center that are targeted to resources in eu-west-2 travel across the local Direct Connect connection. In cases of cross-Region data transfers, such as from the UK data center to VPCs in us-east-1, the private WAN connection must be used to minimize costs on AWS. A network engineer has configured each transit gateway association on the Direct Connect gateway to advertise VPC-specific CIDR IP prefixes only from the local Region. The routes toward the other Region must be learned through BGP from the routers in the other data center in the original, non-aggregated form.
The company recently experienced a problem with cross-Region data transfers because of issues with its private WAN connection. The network engineer needs to modify the routing setup to prevent similar interruptions in the future. The solution cannot modify the original traffic routing goal when the network is operating normally.
Which modifications will meet these requirements? (Choose two.)
- A. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add the company's entire AWS environment aggregate route to the list of subnets advertised through the local Direct Connect connection.
- B. Add the CIDR prefixes from the other Region VPCs and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection. Configure data center routers to make routing decisions based on the BGP communities received.
- C. Add the aggregate IP prefix for the other Region and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection.
- D. Add the aggregate IP prefix for the company's entire AWS environment and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection.
- E. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add both Regional aggregate IP prefixes to the list of subnets advertised through the Direct Connect connection on both sides of the network. Configure data center routers to make routing decisions based on the BGP communities received.
Answer: AD
NEW QUESTION 16
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
- A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
- B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
- C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
- D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
Answer: C
Explanation:
Option C provides a secure and scalable solution using VPC endpoint services powered by AWS PrivateLink. PrivateLink gives each application VPC private, one-directional access to a specific service in the shared services VPC, without exposing the data to the public internet, without a VPN, and without making the two VPCs' CIDR blocks routable to each other (overlapping CIDRs are not a problem). Access is granular: the service owner decides which accounts may connect by accepting or rejecting endpoint connection requests, and an endpoint policy in each application VPC can further restrict what the endpoint may call. PrivateLink supports cross-account connectivity, so adding a business unit means creating one more endpoint rather than changing routing, which makes it scalable as more business units consume data from the central shared services VPC. A transit gateway, peering or a transit VPC would instead expose whole VPC CIDR ranges to each other, and the full mesh in options A and D is the opposite of granular control.
NEW QUESTION 17
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?
- A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
- B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
- C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
- D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.
Answer: B
Explanation:
MQTT is a TCP protocol, so the brokers sit behind an NLB with TCP listeners; an ALB has only HTTP/HTTPS listeners, which rules out option C. Global Accelerator terminates the sensors' TCP sessions at the nearest edge location and carries them over the AWS global network to the NLB, and it supports BYOIP, so the addresses already hardcoded into the deployed sensors keep working. Option A also preserves the addresses (an NLB can use Elastic IP addresses from a BYOIP pool), but every sensor would still cross the public internet to a single Region, which does not address the latency requirement. CloudFront does not support BYOIP.
NEW QUESTION 18
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?
- A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.
- B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.
- C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
- D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.
Answer: C
Explanation:
A Lambda@Edge function attached to the CloudFront distribution's viewer-request event runs on every request before it reaches the ALB, so a single managed function can both validate the token and add the header the web application relies on, and unauthenticated requests can be rejected at the edge without consuming origin capacity. The other options split the two steps across components or, in option D, require the company to run, scale and patch its own inspection instance in the request path.
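How a viewer-request function does both halves of this, as an added example written for this page (not an AWS sample and not the exam's own material): it verifies an HMAC-signed bearer token, rejects the request at the edge if the token is missing, forged or expired, and otherwise sets a header for the web application. The token format, the header name, the key constant and the sample event are assumptions.

```python
"""Lambda@Edge viewer-request handler: verify a signed token, then stamp a header
the origin can trust. Constructed example; token format, header name, key and the
sample event are assumptions, not AWS or exam material."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Assumption: Lambda@Edge has no environment variables, so a real function loads the
# key at cold start (for example from Secrets Manager). This constant is a placeholder.
SIGNING_KEY = b"placeholder-key-load-from-secrets-manager-at-cold-start"
TRUSTED_HEADER = "x-authenticated-customer"  # assumed header name the web application checks


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """What the custom authentication system hands to a customer: payload.tag."""
    now = int(time.time()) if now is None else now
    payload = f"{customer_id}:{now + ttl_seconds}".encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(tag)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the customer id if the token is well formed, correctly signed and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
        customer_id, expiry_text = payload.decode().rsplit(":", 1)
        expiry = int(expiry_text)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return customer_id if expiry > now else None


def extract_token(request: Dict) -> Optional[str]:
    """Bearer token from the Authorization header, else {"token": ...} in a JSON body.
    The body is present only when the trigger was created with "Include body" enabled."""
    for header in request.get("headers", {}).get("authorization", []):
        value = header.get("value", "")
        if value.lower().startswith("bearer "):
            return value[7:].strip()
    body = request.get("body") or {}
    if body.get("data"):
        try:
            raw = base64.b64decode(body["data"]) if body.get("encoding") == "base64" else body["data"]
            token = json.loads(raw).get("token")
        except (ValueError, AttributeError):
            return None
        return token if isinstance(token, str) else None
    return None


def handler(event: Dict, context=None, now: Optional[int] = None) -> Dict:
    """Viewer-request trigger: forward the request with the trusted header set, or reject it."""
    request = event["Records"][0]["cf"]["request"]
    headers = request.setdefault("headers", {})
    # Strip any client-supplied copy first, so the origin only ever sees a value we set.
    headers.pop(TRUSTED_HEADER, None)
    token = extract_token(request)
    customer_id = verify_token(token, now) if token else None
    if customer_id is None:
        return {
            "status": "401",
            "statusDescription": "Unauthorized",
            "headers": {"cache-control": [{"key": "Cache-Control", "value": "no-store"}]},
            "body": "authentication required",
        }
    headers[TRUSTED_HEADER] = [{"key": TRUSTED_HEADER, "value": customer_id}]
    return request


def sample_event(token: Optional[str] = None, extra: Optional[Dict[str, str]] = None) -> Dict:
    """Constructed event in the shape CloudFront passes to a viewer-request function."""
    headers = {"host": [{"key": "Host", "value": "www.example.com"}]}
    if token is not None:
        headers["authorization"] = [{"key": "Authorization", "value": f"Bearer {token}"}]
    for name, value in (extra or {}).items():
        headers[name] = [{"key": name, "value": value}]
    request = {"method": "POST", "uri": "/orders", "querystring": "",
               "clientIp": "203.0.113.10", "headers": headers}
    return {"Records": [{"cf": {"request": request}}]}
```

Two points to carry into a real deployment. The function removes any client-supplied copy of the trusted header before setting its own, but that only protects requests that actually pass through CloudFront; the ALB must also refuse traffic from anywhere else (a security group rule limited to the CloudFront origin-facing managed prefix list, or a secret value that CloudFront adds as a custom origin header and a listener rule checks), otherwise a client can reach the ALB directly and forge the header. And a token carried in a POST body is visible to the function only if the trigger is created with the include-body option, so plan for the Authorization header as the primary carrier.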
NEW QUESTION 19
A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations.
The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the application with the least amount of latency.
Which change should a network engineer make in the infrastructure to meet these requirements?
- A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.
- B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution's origin.
- C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator endpoint.
- D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to the ALB.
Answer: C
Explanation:
The enterprise customers' firewalls must allow-list the application's addresses, so the entry point needs a small, fixed set of IP addresses. An accelerator in AWS Global Accelerator receives two static anycast IP addresses that do not change for the life of the accelerator, routes each employee's HTTPS connection onto the AWS global network at the nearest edge location, and supports an ALB as an endpoint, which satisfies both the allow-listing and the latency requirements. CloudFront (option B) would also reduce latency, but its edge locations use addresses drawn from a large set of published ranges that changes over time, which is impractical for customers to allow-list. An NLB (option A) has static addresses but only in the one Region, so it does nothing for latency from other continents, and a Route 53 record (option D) changes neither the addresses nor the path.
NEW QUESTION 20
A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.
Which solution will meet these requirements while providing the HIGHEST throughput?
- A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.
- B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.
- C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.
- D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.
Answer: C
Explanation:
MACsec encrypts the Direct Connect link itself at Layer 2 and at line rate, so the full 10 Gbps of the dedicated connection remains usable, and a transit VIF to a Direct Connect gateway associated with the transit gateway then carries that traffic to the VPC. The VPN-based options are capped well below that: each AWS Site-to-Site VPN tunnel is limited to 1.25 Gbps, so even two connections with ECMP (option D) stay far under 10 Gbps, and a VPN terminated on an EC2 instance (option B) is bounded by that instance's throughput. MACsec is available only on dedicated connections at MACsec-capable Direct Connect locations and requires MACsec-capable customer equipment, which is worth confirming before ordering the connection.
https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-c