EMT Practice Test

1. Question Content...


Question List

Question1: A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?

Question2: You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns.
Which tool will enable you to look at this data?

Question3: Considering your knowledge of both the OSI and TCP/IP models - select the following statement which you consider to NOT be true.

Question4: In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS.
These connections can terminate on one or two routers in your network. You can do this while
__________________ with AWS Direct Connect step.

Question5: Which is not a valid Route 53 record?
Choose the correct answer:

Question6: The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

Question7: What is the DNS server address for a VPC (10.111.0.0/16) with a subnet of 10.111.4.0/24?
Choose the correct answer:

Question8: Which one of the following options is not true about WorkSpaces? Choose the correct answer:

Question9: Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately.
What are the minimum requirements for your router?

Question10: What two items are required for all AWS VPNs?
Choose the 2 correct answers:

Question11: An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution Bidirectional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time.
Which solution meets these requirements?

Question12: What is the minimum number of subnets for an RDS subnet group? Choose the correct answer:

Question13: An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the `Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:
AWSTemplateFormation Version: 2010-09-09
Parameters:
Originating VCId:
Type: String
RemoteVPCId:
Type: String
RemoteVPCAccountId:
Type: String
Resources:
newVPCPeeringConnection:
Type: `AWS::EC2::VPCPeeringConnection'
Properties:
VpcdId: !Ref OriginatingVPCId
PeerVpcId: !Ref RemoteVPCId
PeerOwnerId: !Ref RemoteVPCAccountId
Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

Question14: Your company has installed an AWS Direct Connect connection in an ap-southeast-1 Direct Connect location. A public virtual interface is configured through a router to a dedicated firewall.
You advertise your company's public /24 CIDR block to AWS with AS 65500. The company maintains a separate, corporate Internet firewall to map all outbound traffic to a single IP. This firewall maintains a BGP relationship with an upstream Internet provider that has delegated the public IP block your company uses. When the BGP session for the public virtual interface is up, corporate network users cannot access Amazon S3 resources in the ap-southeast-1 region.
Which step should you take to provide concurrent AWS and Internet access?

Question15: What does the term "statistics" mean with respect to CloudWatch metrics?

Question16: An unfortunate situation has just come to your attention. A business critical application with sensitive data running on-prem will run out of storage disk space in 24hrs. This business critical application is dependent a very large set of routes - required for integration with other system.
You make a quick but well informed decision to migrate this application quickly to AWS. You are able to quickly launch a new VPC and within it equivalent infrastructure to re-home the application. In order to complete the replication of application data and ensure the application remains operational beyond the next 24hrs, select the best implementation.

Question17: An AWS account owner has setup multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has setup an alarm action which stops EC2 instances when their CPU utilization is below the threshold limit. When an EC2 instance's CPU Utilization rate drops below the threshold John has set, what will happen and why?

Question18: Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

Question19: You currently use a single security group assigned to all nodes in a clustered NoSQL database.
Only your cluster members in one region must be able to connect to each other. This security group uses a self- referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions.
How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

Question20: A company has a hybrid environment across its on-premises network and the AWS Cloud. The company wants to use Amazon Elastic File System (Amazon EFS) to store and share data between on-premises services that are required to resolve DNS queries through on-premises DNS servers. The company wants to use a custom domain name to connect to Amazon EFS.
The company also wants to avoid using the Amazon EFS target IP address.
What should a network engineer do to meet these requirements?

Question21: You are preparing to launch Amazon WorkSpaces and need to configure the appropriate networking resources. What must be configured to meet this requirement?

Question22: A company wants to use thin clients running virtual desktops to replace 500 desktop computers used by its call center employees. The company is evaluating Amazon WorkSpaces as a solution.
A network engineer who is testing with a thin client is unable to connect to Amazon WorkSpaces.
After entering credentials, the network engineer receives the following error:
"An error occurred while launching your WorkSpace. Please try again."
What should the network engineer do to resolve this issue?

Question23: You have just deployed a website that utilizes CloudFront, ELB, and S3 to serve content. When users access your site, they are seeing broken image links. You know you configured CloudFront to use cdn.yourdomain.com. What is the most likely reason why your users not seeing the images?
Choose the correct answer:

Question24: You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection.
Which two configuration values do you need to provide? (Select two.)

Question25: A company's web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further request for 24 hours.
Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.
Which action should be taken to block more IP addresses, without compromising the existing security requirements?

Question26: Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS- owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a "backdoor", and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?

Question27: You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

Question28: With respect to Amazon CloudFront, which one of the following statements is correct?

Question29: What is the maximum number of CloudTrails that you can create per AWS region?

Question30: You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the lowest latency and the highest packet-per-second network performance. The application will talk to other servers in a peered VPC.
Which two of the following components should be part of the design? (Select two.)

Question31: What number does the binary number 10101000 correspond to? Choose the correct answer:

Question32: You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.
Which two AWS Services cloud you leverage to build an automated notification system? (Select two.)

Question33: A VPC is deployed with a 10.0.0.0/16 CIDR block. The engineering team is reviewing DHCP options, and there is disagreement about the valid DNS addresses available for the VPC.
Which addresses are valid IP addresses provided by Amazon for this subnet? (Choose two.)

Question34: A company installed an AWS Site-to-Site VPN and configured it to use two tunnels. The company has learned that the VPN connectivity is unstable. During a ping test from the on-premises data center to AWS, a network engineer notices that the first few ICMP replies time out but that subsequent requests are successful. The AWS Management Console shows that the status for both tunnels last changed at the same time the ping responses were successfully received.
Which steps should the network engineer take to resolve the instability? (Choose two.)

Question35: You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC.
Which action is required to support a successful Amazon EMR cluster launch?

Question36: You have a static VPN connecting your data center and your VPC. You currently have 50 routes added to your route table. You want to add more; how should you do this? Choose the correct answer:

Question37: A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another.
Which approach will meet the technical and security requirements while minimizing costs?

Question38: You need to quickly view inbound traffic to an instance to determine why it isn't reaching the instance properly. What is the best tool for this? Choose the correct answer:

Question39: An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual network interface (VIF) per VPC.
Which of the following designs will minimize cost while allowing the organization to expand?

Question40: A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on- premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?

Question41: To allow all traffic to access an instance in "Subnet 1" that uses "Security Group 1", what two options need to be configured?
Choose the 2 correct answers:

Question42: What is the maximum size of a response body that Amazon CloudFront will return to the viewer?

Question43: You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?
Choose the correct answer:

Question44: A company offers a web-based service that uses Amazon EC2 instances behind an Application Load Balancer (ALB). One of the company's large customers reports slow bulk transfer throughput. The company's network engineer suspects that this problem is the result of the TCP window size setting in the customer's corporate laptop computers.
How can the network engineer check the value of the TCP window size?

Question45: When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created.
This object contains a(n) ____ attribute, which is a JSON-formatted set of key/value pairs the receiving AWS Lambda function processes as part of its evaluation logic.

Question46: You have a management server that needs to be able to communicate with two subnets. One of these subnets is private. This subnet must remain private and must not pass any traffic back to other subnets. How would you configure this?
Choose the correct answer:

Question47: A company has a hybrid architecture with dual AWS Direct Connect connections and applications running in the AWS Cloud and on premises. The company uses its on-premises DNS servers to provide name resolution for is internal domain company.com. The company uses an Amazon Route 53 private hosted zone, aws.company.com, for resolution of AWS resource records.
A new application that runs on Amazon EC2 in the company's VPC needs to resolve records in the company.com domain and on other AWS resources.
What should the company do to meet these requirements?

Question48: Your company's policy requires that all VPCs peer with a "common services: VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common service VPC as required by policy. You launch an Amazon EC2. Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC. The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.
Which step should you take to enable access to Amazon S3?

Question49: A Network Engineer has enabled VPC Flow Logs to troubleshoot an ICMP reachability issue for an echo reply from an Amazon EC2 instance. The flow logs reveal an ACCEPT record for the request from the client to the EC2 instance, and a REJECT record for the response from the EC2 instance to the client.
What is the MOST likely reason for there to be a REJECT record?

Question50: What is the IPv6 subnet CIDR used by a VPC?
Choose the correct answer:

Question51: A company runs a large-scale application on a fleet of Amazon EC2 instances that are distributed across several VPCs. A Network Load Balancer (NLB) in a separate VPC routes traffic to the EC2 instances. The NLB's VPC is peered to all the application VPCs.
The application must process millions of requests each minute during times of peak utilization.
Users are reporting that the connections to the application are failing during peak times.
Monitoring shows an increase in port allocation errors on the NLB.
Which action will solve this issue with the LEAST change to the architecture?

Question52: A company hosts its application, example.com, behind Application Load Balancers in the us-east-
1 and eu-west-1 Regions. Users should be routed to the resources geographically nearest to them. Users must not be routed to the application when it is considered unhealthy.
How should a network engineer configure Amazon Route 53 to route clients to example.com?

Question53: A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company's on-premises router for this Direct Connect connection.
Which of the following actions will require the LEAST amount of configuration overhead on the customer router?

Question54: A network engineer is using the AWS CLI to provision a VPC and Amazon EC2 instances that use IPv6 addresses. An application that runs on the instances requires access to the internet to pull updates from a software vendor. The VPC ID is vpc-3c02b675. The network engineer uses the following command to provision an egress-only internet gateway:
aws ac2 create-egress-only-internet-gateway --vpc-id vpc-3c02b675
What else must the network engineer do so that the EC2 instances can pull the updates?

Question55: In Amazon CloudFront, which of the following is true of Smooth Streaming?

Question56: A company is deploying a new web application that uses a three-tier model with a public-facing Network Load Balancer and web servers in an Amazon VPC. The application servers are hosted in the company's data center. There is an AWS Direct Connect connection between the VPC and the company's data center. Load testing results indicate that up to 100 servers, equally distributed across multiple Availability Zones, are required to handle peak loads.
The Network Engineer needs to design a VPC that has a /24 CIDR assigned to it.
How should the Engineer allocate subnets across three Availability Zones for each tier?

Question57: You have a DX connection and a VPN connection as backup for your 10.0.0.0/16 network. You just received a letter indicating that the colocation provider hosting the DX connection will be undergoing maintenance soon. It is critical that you do not experience any downtime or latency during this period. What is the best course of action? Choose the correct answer:

Question58: You have just configured an Elastic Load Balancer. Assuming all settings are configured properly, about how long will it take an instance to become healthy with a 6 second HealthCheck Interval, an unhealthy threshold of 5 and a healthy threshold of 10? Choose the correct answer:

Question59: Your company has a DX connection and you just added a new VPC and Private VIF to which you have connected to your DX link. You copied the settings from the other VPC to ensure it's the same. Once you connected the new VIF, you began seeing problems with connectivity to both VPCs. You checked to make sure you didn't use the same CIDR with each VPC, so what could be the problem?
Choose the correct answer:

Question60: An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

Question61: An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

Question62: Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you
______ .

Question63: Due to security requirements, all traffic must be encrypted between your VPC and your on- premises data center. You also want to maintain reliability.
What two options will allow you to achieve this?
Choose the 2 correct answers:

Question64: What are two reasons that could cause an HTTP health check to fail? Choose the 2 correct answers:

Question65: You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any URL.
Which of the following solutions should you deploy? (Select two.)

Question66: A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.
Which of the following actions meet the requirements? (Select two.)

Question67: A financial services company that has on-premises infrastructure has acquired a startup company that has an API that is deployed in the AWS Cloud. As part of the acquisition, the financial services company has deployed an AWS Direct Connect private VIF to establish IP connectivity between the on-premises data center and the AWS environment.
Initial IP connectivity testing and bidirectional DNS resolution testing are successful. However, when business users attempt to connect to the API. a network administrator discovers IP subnet overlap between the financial services company's existing network and the startup company's AWS deployment.
A network architect receives the following diagram that summarizes the situation:

What is the MOST operationally efficient solution to enable the connectivity?

Question68: Your company just deployed a WAF to protect its resources. You need to create a baseline before you start blocking traffic. How will you achieve this? Choose the correct answer:

Question69: Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account. Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.
Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Select two.)

Question70: A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?

Question71: With AWS CloudTrail, creating multiple trails in one region allows ____ to focus on one aspect of AWS operation.

Question72: A company uses multiple AWS accounts within AWS Organizations and has services deployed in a single AWS Region. The instances in a private subnet occasionally download patches from the internet through a NAT gateway. The company recently migrated from VPC peering to AWS Transit Gateway. The cumulative traffic through deployed NAT gateways Is less than 1Gbps. The NAT gateway hourly charge contributes to most of the NAT gateway costs across all linked accounts. What should the company do to reduce NAT gateway hourly costs?

Question73: A company has a service that runs on TCP port 443 in VPC A within AWS account A.
The company wants to expose the service to Amazon EC2 instances in VPC B within AWS account B.
The service must not be made public, and all other services in VPC A must not be accessible from VPC B.
A network engineer is using AWS PrivateLink for the configuration.
Which set of procedures should the network engineer follow to meet these requirements?

Question74: A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy.
What is the MOST cost-effective solution to meet these requirements?

Question75: To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use ____.

Question76: Your company is expanding its cloud infrastructure and moving many of its flat files and static assets to S3. You currently use a VPN to access your compute infrastructure, but you require more reliability for your static files as you are offloading all of your important data to AWS. What is your best course of action while keeping costs low? Choose the correct answer:

Question77: A department in your company has created a new account that is not part of the organization's consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation.
An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud(EC2) instance in its new VPC, what are the associated charges?

Question78: A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?

Question79: You are architecting your e-business application for PCI compliance. To meet the compliance requirements, you need to monitor web application logs to identify any malicious activity. You also need to monitor for remote attempts to change the network interface of web instances.
Which two AWS services will be helpful to achieve this goal?

Question80: A global film production company uses the AWS Cloud to encode and store its video content before distribution. The company's three global offices are connected to the us-east-1 Region through AWS Site-to-Site VPN links that terminate on a transit gateway with BGP routing activated.
The company recently started to produce content at a higher resolution to support 8K streaming.
The size of the content files has increased to three times the size of the content files from the previous format. Uploads of files to Amazon EC2 instances are taking 10 times longer than they did with the previous format.
Which actions should a network engineer recommend to reduce the upload times? (Choose two.)

Question81: Which of the following does not configure Amazon CloudFront cache behaviors to forward cookies to an origin for web distributions?

Question82: A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable -'app.example.com'.
Instances within the VPC should always connect to the private IP to minimize data transfer costs.
How should the engineer configure DNS to support these requirements?

Question83: In Amazon CloudFront, if you need to quickly remove objects from a distribution, you can:

Question84: You would like to automate the monitoring of changes in the configurations of your AWS resources and respond programmatically to configurations of only a certain type. To do this, you could use Amazon ____ as the endpoint for the Amazon SNS topics that generate messages from AWS Config.

Question85: You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027
1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027
1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094
1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?

Question86: You are a holdings company that buys many businesses and must integrate their VPCs into your network. You are constantly encountering networks with similar or overlapping subnets. What is the best way to manage this.
Choose the correct answer:

Question87: Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location.
Which solution will meet this requirement, while minimizing downtime and costs?

Question88: An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirement? (Select two.)

Question89: A company deployed its production Amazon VPC using CIDR block 33.16.0.0/16. The company has nearly depleted its addresses and now needs to extend the VPC network.
Which CIDR blocks meet the company's requirement to extend the VPC network with a secondary CIDR? (Choose two.)

Question90: Which service would you use to see if your infrastructure has changed? Choose the correct answer:

Question91: Each custom AWS Config rule you create must be associated with a(n) AWS ____, which contains the logic that evaluates whether your AWS resources comply with the rule.

Question92: Your application is hosted behind an Elastic Load Balancer (ELB) within an autoscaling group.
The autoscaling group is configured with a minimum of 2, a maximum of 14, and a desired value of 2. The autoscaling cooldown and the termination policies are set to the default value.
CloudWatch reports that the site typically requires just two servers, but spikes at the start and end of the business day can require eight to ten servers. You receive intermittent reports of timeouts and partially loaded web pages.
Which configuration change should you make to address this issue?

Question93: From the following options, select the answer that correctly describes the implementation of the HTTP protocol

Question94: Which two statements about placement groups are correct? Choose the 2 correct answers:

Question95: Your website is under attack and a malicious party is stealing large amounts of data.
You have default NACL rules. Stopping the attack is the ONLY priority in this case.
Which two commands should you use?
Choose the 2 correct answers:

Question96: You have a DX connection and a VPN connection as backup for your 10.0.0.0/16 network. You just received a letter indicating that the colocation provider hosting the DX connection will be undergoing maintenance soon. It is critical that you do not experience any downtime or latency during this period. What is the best course of action? Choose the correct answer:

Question97: You have 4 Direct Connect connections from your datacenter. Site A advertises 172.16.0.0/16 AS
65000, Site B advertises 172.16.0.128/25 AS 65000 65000 65000, Site C advertises 172.0.0.0/8 AS 65000 and Site D advertises 172.16.0.0/24 AS 65000. Which site will AWS choose to reach your network?
Choose the correct answer:

Question98: Your boss decides to assign an Elastic IP to a production instance. Once he does this, access to the URL for that website fails. What happened?
Choose the correct answer:

Question99: You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX
10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?
Choose the correct answer:

Question100: A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected.
What is causing this issue?

Question101: Accompany has a public domain, company.com, that is hosted by a DNS provider. The company creates a public hosted zone, cloud.company.com, in Amazon Route 53. The company wants to keep all public AWS application DNS records under this hosted zone.
The company recently deployed its first public application behind an Elastic Load Balancer in its AWS environment. The domain name app1.cloud.company.comneeds to access the application.
Which solution will meet these requirements?

Question102: A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

Question103: You wish to host a mailserver on an EC2 instance. What two steps must you take to ensure utmost reliability?
Choose the correct answer:

Question104: You can use the ____ command of the AWS Config service CLI to see the compliance state of each of your rules.

Question105: Which element of AWS Config can be used to help maintain internal and external compliance controls?

Question106: You have a web application (app.mycompany.com) running on an EC2 instance with a single elastic network interface in a subnet in a VPC. Because of a network redesign, you need to move the web application to a different subnet in the same Availability Zone.
Which of the following migration strategies meets the requirements?

Question107: Use ___________ to get more visibility into the health of your AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance degradation.

Question108: You need to find the MTU used by another instance, but tracepath is not working. You know the instance you are trying to tracepath has open security group and NACL rules. Which protocol do you need to allow to access your instance to remedy this? Choose the correct answer:

Question109: A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which sot of stops should the network engineer follow in each AWS account to meet those requirements?

Question110: A company wants to migrate its production and development applications to the AWS Cloud across multiple VPCs in three AWS Regions: us-east-1 (N. Virginia), eu-west-1 (Ireland), and ap- southeast-1 (Singapore). The company needs a scalable solution that provides connectivity between all three Regions. The solution also must provide private connectivity to the company's on-premises data center in Northern Virginia.
Data that is transferred from on premises and data that is transferred between Regions must be encrypted in transit. The company requires predictable network performance and must minimize cost.
The company has initiated a solution by deploying a transit gateway with two route tables in each Region. One route table is for the production environment, and one route table is for the development environment.
What else must the company do to meet its requirements with the LOWEST latency?

Question111: You have two public applications on different domains that use two front-end servers and two back-end servers each. You wish to achieve high availability for both applications. What two options should you configure?
Choose the 2 correct answers:

Question112: Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot.
You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?

Question113: Which service would you use to see CPU usage?
Choose the correct answer:

Question114: In Amazon CloudFront, you cannot configure CloudFront to process cookies for_________.

Question115: You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in from of the application tier. The application tier is driven through RESTful interfaces. The data tier uses relational database service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit.
What ELB configuration complies with the corporate encryption policy?

Question116: How many tunnels do you get with each VPN connection hosted by AWS? Choose the correct answer:

Question117: The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity. Select the correct statement below regarding the correct configuration options for ensure IPsec confidentiality:

Question118: An organization is migrating its on-premises applications to AWS by using a lift-and-shift approach, taking advantage of managed AWS services wherever possible. The company must be able to edit the application code during the migration phase. One application is a traditional three- tier application, consisting of a web presentation tier, an application tier, and a database tier. The external calling client applications need their sessions to remain sticky to both the web and application nodes that they initially connect to.
Which load balancing solution would allow the web and application tiers to scale horizontally independent from one another other?

Question119: A company uses multiple AWS accounts within AWS Organizations and has services deployed in a single AWS Region. The instances in a private subnet occasionally download patches from the internet through a NAT gateway. The company recently migrated from VPC peering to AWS Transit Gateway. The cumulative traffic through deployed NAT gateways is less than 1 Gbps. The NAT gateway hourly charge contributes to most of the NAT gateway costs across all inked accounts.
What should the company do to reduce NAT gateway hourly costs?

Question120: Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two Direct Connect connections terminate at two different Direct Connect locations.
You are using two routers, R1 and R2, at your end (one of each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routers over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC.
Which two actions should you take to fix this problem? (Select two.)

Question121: In the context of CloudFront RTMP Distribution, the Adobe Flash Media Server _________ file specifies which domains can access media files in a particular domain.

Question122: You manage a webserver that serves a webpage on AWS infrastructure. You utilize an Application Load Balancer, CloudFront, S3, and some other AWS services for this site. You are only responsible for the server and you don't have access to the AWS console or API. You need to find out what IPs are accessing your website. What is the best way to achieve this? Choose the correct answer:

Question123: An organization delivers high-resolution, dynamic web content. Internet users access the content from a variety of platforms, including mobile, tablet and desktop. Each platform receives a customized experience to account for the differences in viewing modes. A dedicated, automatic- scaling fleet of Amazon EC2 instances is used for each platform to server content based on path- based headers.
Which combination of services will MINIMIZE cost and MAXIMIZE performance? (Select two.)

Question124: How many BGP advertised routes can you have per route table? Choose the correct answer:

Question125: What is the name of the label applied to packets to allow routers to know where to forward in an MPLS network?
Choose the correct answer:

Question126: You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?

Question127: When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created.
This object contains another JSON string in its ____ parameter, which describes the event that triggered the rule.

Question128: You have just provisioned a new VPC a with a CIDR block of 172.16.12.0/24. The entire CIDR block is fully utilised by subdividing it into 6 subnets, we will refer to these as Subnet1 through to Subnet6. The first 2 subnets (Subnet1 and Subnet2) are the same size. The last 4 subnets (Subnet3, Subnet4, Subnet5, Subnet6) are also the same size. Subnet5 is half the size of Subnet2. The address space as occupied by the first two subnets is contiguous, as is the address space occupied by the last 4 subnets. Within Subnet3 AWS reserves the address 172.16.12.129 for the VPC router. Select the correct IP address reserved by AWS for DNS in the Subnet2.

Question129: Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.
Which method allows for efficient, automated integration of the IPAM with CloudFormation?

Question130: A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3.
Which configuration values is the network engineer required to provide? (Choose two.)

Question131: You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.

Question132: You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24x7 for this particular connection, as real-time data is passed continually backwards and forwards between your on- prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud. Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets. Select the correct network configuration that best facilitates your company's continued growth plans.

Question133: When configuring Active/Passive HA on VPN tunnels, choose the two best ways to configure this.
Choose the 2 correct answers:

Question134: Over which of the following Ethernet standards does AWS Direct Connect link your internal network to an AWS Direct Connect location?

Question135: You need to find the subnet, the security group and the VPC that your instance is associated with. You only have access to the terminal of an instance with an admin role attached. What is the first part of the command you would use?
Choose the correct answer:

Question136: Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.
Which of the following connectivity options should you choose?

Question137: You have a data center with a 2 connection LAG. You wish to add 2 more connections, how many LOAs must you complete?
Choose the correct answer:

Question138: You manage a web service that is used by client applications deployed in 300 offices worldwide.
The web service architecture is an Elastic Load balancer (ELB) distributing traffic across four application servers deployed in an autoscaling group across two availability zones.
The ELB is configured to use round robin, and sticky sessions are disabled. You have configured the NACLs and Security Groups to allow port 22 from your bastion host, and port 80 from
0.0.0.0/0. The client configuration is managed by each regional IT team.
Upon inspection you find that a large amount of requests from incorrectly configured sites are causing a single application server to degrade. The remainder of the requests are equally distributed across all servers with no negative effects.
What should you do to remedy the situation and prevent future occurrences?

Question139: A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?

Question140: In order to change the name of the AWS Config ____, you must stop the configuration recorder, delete the current one, and create a new one with a new name, since there can only be one of these per AWS account.

Question141: For web distributions in Amazon CloudFront, your origin can be either an Amazon S3 bucket or
_______ .

Question142: A publishing company recently merged with an ecommerce company. Each company uses a VPC to run compute resources. The two VPCs have overlapping CIDR ranges. The publishing company needs to access an internal application that runs on Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones in the ecommerce company VPC.
Which set of actions will provide the needed interconnectivity between the VPCs?

Question143: A company hosts several applications in the AWS Cloud across multiple VPCs that are connected to a transit gateway. Redundant AWS Direct Connect connections and a Direct Connect gateway provide private network connectivity to the company's on-premises environment.
During a maintenance window, the networking team adds eight VPCs. The application management team notices that there is no reachability between the newly created VPCs and the on-premises environment. Connectivity between all VPCs through the transit gateway is working as expected.
Which of the following are possible causes of the connectivity issues? (Choose two.)

Question144: A company runs a web application on an Amazon EC2 instance. The application experiences performance issues for a short period at the same time every day. To diagnose the issue, the application vendor needs a packet capture of the web application network interface. The company's network administrator does not have SSH access to the instance.
Which solution will meet these requirements?

Question145: Which of these is not a requirement to set up a DX connection? Choose the correct answer:

Question146: When using AWS Config, which two items are stored on S3 as a part of its operation?

Question147: A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connectors. You configure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session wall maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.
What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?

Question148: A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor. A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed.
The interim solution has worked for several weeks. However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from cloudfront." Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.
What is the likely cause of the error, and what is the solution?

Question149: A company's website is hosted on an Amazon EC2 instance. The website delivers dynamic content through Amazon CloudFront to users.
After instance maintenance, users receive HTTP 502 (Bad Gateway) errors while attempting to access the website.
What is the MOST likely cause of this issue?

Question150: Which service would you use to see the DSCP value in a packet header? Choose the correct answer:

Question151: A company runs a large-scale application on a feel of Amazon EC2 instances that ate distributed across several VPCs. A Network Load Balancer (NLB) in a separate VPC routes traffic to the EC2 instances. The NLB's VPC is peered to all the application VPCs. The application must process millions of requests each minute during times of peak utilization. Users are reporting that the connections to the application are failing during peak times. Monitoring shows an increase in port allocation errors on the NLB.
Which action will solve this issue with the LEAST change to the architecture?

Question152: What is NOT a benefit of CloudFront?
Choose the correct answer: