MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC.An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance For compliance purposes, data encryption is required.What should the network engineer do to meet these requirements?
Question2: Your company's policy requires that all VPCs peer with a "common services: VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common service VPC as required by policy. You launch an Amazon EC2. Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC.The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.Which step should you take to enable access to Amazon S3?
Question3: Your organization's corporate website must be available on www.acme.com and acme.com.How should you configure Amazon Route 53 to meet this requirement?
Question4: A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3 Which configuration values is the network engineer required to provide? (Select TWO.)
Question5: You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns.Which tool will enable you to look at this data?
Question6: A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2 To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses How should an engineer configure the network to meet these requirements?
Question7: Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?
Question8: A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy.Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone What is the MOST reliable way to implement DNS in this scenario?
Question9: A company is connecting to a VPC over an AWS Direct Connect using a private VIF, and a dynamic VPN connection as a backup. The company's Reliability Engineering team has been running failover and resiliency tests on the network and the existing VPC by simulating an outage situation on the Direct Connect connection.During the resiliency tests, traffic failed to switch over to the backup VPN connection.How can this failure be troubleshot?
Question10: A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC.Which of the following is the MOST reliable solution?
Question11: A legacy, on-premises web application cannot be load balances effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of the following designs will meet these requirements?
Question12: Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs.Which step should you take to meet the requirements?
Question13: A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connectors. You congure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?
Question14: Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two Direct Connect connections terminate at two different Direct Connect locations. You are using two routers, R1 and R2, at your end (one of each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routers over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC.Which two actions should you take to fix this problem? (Select two.)
Question15: Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution.The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.Which method allows for efficient, automated integration of the IPAM with CloudFormation?
Question16: A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed The interim solution has worked for several weeks However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache Error from cloudfront" Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests What is the likely cause of the error and what is the solution?
Question17: An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication.Which of the following options meets the organization's requirements?
Question18: Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.Which of the following connectivity options should you choose?
Question19: Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.You must prepare the system for global expansion. The end users must access the application with lowest latency.How should you use AWS services to meet these requirements?
Question20: An organization runs a consumer-facing website on AWS. The Amazon EC2-based web fleet is load balanced using the AWS Application Load Balancer, Amazon Route 53 is used to provide the public DNS services.The following URLs need to server content to end users:test.example.comweb.example.comexample.comBased on this information, what combination of services must be used to meet the requirement? (Select two.)
Question21: A department in your company has created a new account that is not part of the organization's consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud(EC2) instance in its new VPC, what are the associated charges?
Question22: An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.Which solution will fix the connectivity failures with the LEAST amount of effort?
Question23: An organization is migrating its on-premises applications to AWS by using a lift-and-shift approach, taking advantage of managed AWS services wherever possible. The company must be able to edit the application code during the migration phase. One application is a traditional three-tier application, consisting of a web presentation tier, an application tier, and a database tier. The external calling client applications need their sessions to remain sticky to both the web and application nodes that they initially connect to.Which load balancing solution would allow the web and application tiers to scale horizontally independent from one another other?
Question24: The Web Application Development team is worried about malicious activity from 200 random IP addresses.Which action will ensure security and scalability from this type of threat?
Question25: You need to set up a VPN between AWS VPC and your on-premises network. You create a VPN connection in the AWS Management Console, download the configuration file, and install it on your on-premises router.The tunnel is not coming up because of firewall restrictions on your router. Which two network traffic options should you allow through the firewall? (Select two.)
Question26: A company wants to use thin clients running virtual desktops to replace 500 desktop computers used by its call center employees The company is evaluating Amazon Workspaces as a solution A network engineer who is testing with a thin client is unable to conned to Amazon Workspaces After entering credentials the network engineer receives the following error:"An error occurred while launching your Workspace Please try again"What should the network engineer do to resolve this issue?
Question27: An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover.What MUST be configured for this design to work? (Select two.)
Question28: You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?
Question29: A Systems Administrator is designing a hybrid DNS solution with spilt-view. The apex-domain"example.com" should be served through name servers across multiple top-level domains (TLDs). The name server for subdomain "dev.example.com" should reside on-premises. The administrator has decided to use Amazon Route 53 to achieve this scenario.What procedurals steps must be taken to implement the solution?
Question30: A customer is using ABC Telecom as a network provider. The customer has 10 different offices connected to ABC Telecom's MPLS backbone. The customer is setting up an AWS Direct Connect connection to AWS and has provided the LOA-CFA to ABC Telecom. ABC Telecom has terminated the Direct Connect circuit into their MPLS backbone. To uniquely identify the customer's traffic over the MPLS backbone, the customer must encapsulate all traffic with VLAN tag 100. The customer wants to send traffic to multiple VPCs.Which two steps should be taken to meet the customer's requirement? (Select two.)
Question31: You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC.Which action is required to support a successful Amazon EMR cluster launch?
Question32: A company is deploying a critical application on two Amazon EC2 instances in a VPC Failed client connections to the EC2 instances must be logged according to company policy.What is the MOST cost-effective solution to meet these requirements'?
Question33: You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 14329170271432917142 ACCEPT OK2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 14329170271432917082 ACCEPT OK2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 14329170941432917142 REJECT OKWhy are ICMP responses not received by the on-premises system?
Question34: A company has an application running on Amazon EC2 instances in a VPC The application must publish custom metrics to Amazon CloudWatch in the same AWS Region The metrics include proprietary information All connectivity must be over private IP addresses.Which solution will meet these requirements'?
Question35: An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the 'Remote' (receiving) account are already in place.The template below creates the VPC peering connection in the Originating account. It contains these components:AWSTemplateFormation Version: 2010-09-09Parameters:Originating VCId:Type: StringRemoteVPCId:Type: StringRemoteVPCAccountId:Type: StringResources:newVPCPeeringConnection:Type: 'AWS::EC2::VPCPeeringConnection'Properties:VpcdId: !Ref OriginatingVPCIdPeerVpcId: !Ref RemoteVPCIdPeerOwnerId: !Ref RemoteVPCAccountIdWhich additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)
Question36: A company uses an AWS Site-to-Site VPN to connect its corporate network The company recently added an AWS Direct Connect connection A network engineer wants all traffic to use the Direct Connect connection and for the VPN to be used as backup However after the Direct Connect connection was added traffic continued to pass through the VPN connection What should the network engineer do to route the traffic through the Direct Connect connection'?
Question37: An organization delivers high-resolution, dynamic web content. Internet users access the content from a variety of platforms, including mobile, tablet and desktop. Each platform receives a customized experience to account for the differences in viewing modes. A dedicated, automatic-scaling fleet of Amazon EC2 instances is used for each platform to server content based on path-based headers.Which combination of services will MINIMIZE cost and MAXIMIZE performance? (Select two.)
Question38: An organization with a growing e-commerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?
Question39: You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.Which two AWS Services cloud you leverage to build an automated notification system? (Select two.)
Question40: You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.What should you do to provide on-premises users with access to the private hosted zone?
Question41: You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the lowest latency and the highest packet-per-second network performance. The application will talk to other servers in a peered VPC.Which two of the following components should be part of the design? (Select two.)
Question42: You have to set up an AWS Direct Connect connection to connect your on-premises to an AWS VPC. Due to budget requirements, you can only provision a single Direct Connect port. You have two border gateway routers at your on-premises data center that can peer with the Direct Connect routers for redundancy.Which two design methodologies, in combination, will achieve this connectivity? (Select two.)
Question43: You deploy your Internet-facing application is the us-west-2(Oregon) region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.You need to deploy another identical instance of the application is us-east-1(N Virginia) as soon as possible.You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.Which design should you choose?
Question44: A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company's on-premises router for this Direct Connect connection.Which of the following actions will require the LEAST amount of configuration overhead on the customer router?
Question45: A company has an application running on Amazon EC2 instances in a private subnet that connects to a third-party service provider's public HTTP endpoint through a NAT gateway. As request rates increase, new connections are starting to fail. At the same time, the ErrorPortAllocation Amazon CloudWatch metric count for the NAT gateway is increasing.Which of the following actions should improve the connectivity issues? (Choose two.)
Question46: You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in front of the application tier. The application tier is driven through RESTful interfaces. The data tier uses relational database service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit. in front What ELB configuration complies with the corporate encryption policy?
Question47: A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.Which of the following actions meet the requirements? (Select two.)