EMT Practice Test

1. Question Content...


Question List

Question1: A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application
servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users
now but is expected to grow quickly to millions of users.
What design will use the LEAST amount of IP space, while allowing for this growth?

Question2: Your company operates a single AWS account. A common services VPC is deployed to provide shared
services, such as network scanning and compliance tools. Each AWS workload uses its own VPC, and
each VPC must peer with the common services VPC. You must choose the most efficient and cost
effective approach.
Which approach should be used to automate the required VPC peering?

Question3: An organization has three AWS accounts with each containing VPCs in Virginia, Canada and the Sydney
regions. The organization wants to determine whether all available Elastic IP addresses (EIPs) in these
accounts are attached to Amazon EC2 instances or in use elastic network interfaces (ENIs) in all of the
specified regions for compliance and cost-optimization purposes.
Which of the following meets the requirements with the LEAST management overhead?

Question4: An AWS CloudFormation template is being used to create a VPC peering connection between two existing
operational VPCs, each belonging to a different AWS account. All necessary components in the
'Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these
components:
AWSTemplateFormation Version: 2010-09-09
Parameters:
Originating VCId:
Type: String
RemoteVPCId:
Type: String
RemoteVPCAccountId:
Type: String
Resources:
newVPCPeeringConnection:
Type: 'AWS::EC2::VPCPeeringConnection'
Properties:
VpcdId: !Ref OriginatingVPCId
PeerVpcId: !Ref RemoteVPCId
PeerOwnerId: !Ref RemoteVPCAccountId
Which additional AWS CloudFormation components are necessary in the Originating account to create
an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

Question5: An organization will be expanding its current network design. When fully built out, there will be 99 VPCs
spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect
connection into one account with 9 VPCs, each with a virtual network interface (VIF) per VPC.
Which of the following designs will minimize cost while allowing the organization to expand?

Question6: A department in your company has created a new account that is not part of the organization's
consolidated billing family. The department has also created a VPC for its workload. Access is restricted
by network access control lists to the department's on-premises private IP allocation. An AWS Direct
Connect private virtual interface for this VPC advertises a default route to the company network. When the
department downloads data from an Amazon Elastic Compute Cloud(EC2) instance in its new VPC, what
are the associated charges?

Question7: A customer is using ABC Telecom as a network provider. The customer has 10 different offices connected
to ABC Telecom's MPLS backbone. The customer is setting up an AWS Direct Connect connection to
AWS and has provided the LOA-CFA to ABC Telecom. ABC Telecom has terminated the Direct Connect
circuit into their MPLS backbone. To uniquely identify the customer's traffic over the MPLS backbone, the
customer must encapsulate all traffic with VLAN tag 100. The customer wants to send traffic to multiple
VPCs.
Which two steps should be taken to meet the customer's requirement? (Select two.)

Question8: You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The
application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update
your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in
your VPC.
Which action is required to support a successful Amazon EMR cluster launch?

Question9: An organization is replacing a tape backup system with a storage gateway. there is currently no
connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

Question10: Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on
nginx server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the
client's IP address in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?

Question11: You run a well-architected, multi-AZ application in the eu-central-1 (Frankfurt) AWS region. The application
is hosted in a VPC and is only accessed from the corporate network. To support large volumes of data
transfer and administration of the application, you use a single 10-Gbps AWS Direct Connect connection
with multiple private virtual interfaces. As part of a review, you decide to improve the resilience of your
connection to AWS and make sure that any additional connectivity does not share the same Direct
Connect routers at AWS. You need to provide the best levels of resilience to meet the application's needs.
Which two options should you consider? (Select two.)

Question12: You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway
is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet
gateway.
The instance has a security group configured to allow as follows:
Protocol: TCP

Port: 80 inbound, nothing outbound

The Network ACL for the subnet is configured to allow as follows:
Protocol: TCP

Port: 80 inbound, nothing outbound

When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?

Question13: An organization will be extending its existing on-premises infrastructure into the cloud. The design consists
of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration
across two Availability Zones for automatic failover.
What MUST be configured for this design to work? (Select two.)

Question14: A company is about to migrate an application from its on-premises data center to AWS. As part of the
planning process, the following requirements involving DNS have been identified.
On-premises systems must be able to resolve the entries in an Amazon Route 53 private hosted zone.

Amazon EC2 instances running in the organization's VPC must be able to resolve the DNS names of

on-premises systems
The organization's VPC uses the CIDR block 172.16.0.0/16.
Assuming that there is no DNS namespace overlap, how can these requirements be met?

Question15: A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for
both content caching and for protecting the underlying origin. There is concern that an external agency
might be able to access the IP addresses for the application's origin and then attack the origin despite it
being served by CloudFront. Which of the following solutions provides the strongest level of protection to
the origin?

Question16: You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep
packet inspection, looking for atypical patterns.
Which tool will enable you to look at this data?

Question17: You are designing the network infrastructure for an application server in Amazon VPC. Users will access
all the application instances from the Internet and from an on-premises network. The on-premises network
is connected to your VPC over an AWS Direct Connect link.
How should you design routing to meet these requirements?

Question18: An organization processes consumer information submitted through its website. The organization's
security policy requires that personally identifiable information (PII) elements are specifically encrypted at
all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have
access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an
iAM role.
Which combination of services will support these requirement? (Select two.)

Question19: An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end
instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is
fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6
CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.
Customers say the service is unavailable during peak load times. The network engineer attempts to launch
an instance manually and receives the following message: "There are not enough free addresses in
subnet 'subnet-12345677' to satisfy the requested number of instances."
What action will resolve the availability problem?

Question20: An organization with a growing e-commerce presence uses the AWS CloudHSM to offload the SSL/TLS
processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to
handle the growth. What architectural approach is optimal to scale the encryption operation?

Question21: You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs
record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027
1 432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027
1 432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094
1 432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?

Question22: You operate a production VPC with both a public and a private subnet. Your organization maintains a
restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the
private subnet should access the bucket. You implement VPC endpoints(VPC-E) for Amazon S3 and
remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is
applied. Neither EC2 instances in the public or private subnets are able to access the S3 bucket.
What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

Question23: The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data
must use strong cryptography. These merchants must also use security protocols to protect sensitive data
during transmission over public networks.
You are migrating your PCI DSS application from on-premises SSL appliance and Apache to a VPC
behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?

Question24: Refer to the image.

You have three VPCs: A, B, and C.
VPCs A and C are both peered with VPC B.
The IP address ranges
are as follows:
VPC A: 10.0.0.0/16

VPC B: 192.168.0.0/16

VPC C: 10.0.0.0/16

Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10.
Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively, i-3 and
i-4 are in the subnet 192.168.1.0/24.
i-3 must be able to communicate with i-1

i-4 must be able to communicate with i-2

i-3 and i-4 are able to communicate with i-1, but not with i-2.

Which two steps will fix this problem? (Select two.)

Question25: A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS
Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software
running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to
budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?

Question26: You have a three-tier web application with separate subnets for Web, Applications, and Database tiers.
Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying
the security team in the event your application is port scanned by external systems.
Which two AWS Services cloud you leverage to build an automated notification system? (Select two.)

Question27: You deploy your Internet-facing application is the us-west-2(Oregon) region. To manage this application
and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with
a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use
approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the
corporate network.
You need to deploy another identical instance of the application is us-east-1(N Virginia) as soon as
possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution
regarding cost, performance, and time to deploy.
Which design should you choose?

Question28: All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability
Zones. The application servers need to send frequent UDP probes to a single central authentication server
on the Internet to confirm that is running up-to-date packages. The network is designed for application
servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are
unable to communicate with the authentication server.

Question29: Your company's policy requires that all VPCs peer with a "common services: VPC. This VPC contains a
fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway.
You configure a new VPC and peer with the common service VPC as required by policy. You launch an
Amazon EC2. Windows instance configured to forward all traffic to the layer 7 proxies in the common
services VPC. The application on this server should successfully interact with Amazon S3 using its
properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning
403 errors to the application.
Which step should you take to enable access to Amazon S3?

Question30: A multinational organization has applications deployed in three different AWS regions. These applications
must securely communicate with each other by VPN. According to the organization's security team, the
VPN must meet the following requirements:
AES 128-bit encryption

SHA-1 hashing

User access via SSL VPN

PFS using DH Group 2

Ability to maintain/rotate keys and passwords

Certificate-based authentication

Which solution should you recommend so that the organization meets the requirements?

Question31: DNS name resolution must be provided for services in the following four zones:
company.private.
emea.company.private.
apac.company.private.
amer.company.private.
The contents of these zones is not considered sensitive, however, the zones only need to be used by
services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all
zones.
How can you use Amazon route 53 to meet these requirements?

Question32: Your organization uses a VPN to connect to your VPC but must upgrade to a 1-G AWS Direct Connect
connection for stability and performance. Your telecommunications provider has provisioned the circuit
from your data center to an AWS Direct Connect facility and needs information on how to cross-connect
(e.g., which rack/port to connect).
What is the AWS-recommended procedure for providing this information?

Question33: Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the
company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to
provide high bandwidth, low latency access to S3. Since the company does not own a publically routable
IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface
(VIF).
The security team is calling this new connection a "backdoor", and you have been asked to clarify the risk
to the company.
Which concern from the security team is valid and should be addressed?

Question34: An organization delivers high-resolution, dynamic web content. Internet users access the content from a
variety of platforms, including mobile, tablet and desktop. Each platform receives a customized experience
to account for the differences in viewing modes. A dedicated, automatic-scaling fleet of Amazon EC2
instances is used for each platform to server content based on path-based headers.
Which combination of services will MINIMIZE cost and MAXIMIZE performance? (Select two.)

Question35: Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two
Direct Connect connections terminate at two different Direct Connect locations. You are using two routers,
R1 and R2, at your end (one of each Direct Connect connection). R1 and R2 do NOT have connectivity
between them. Both routers advertise the same routers over BGP to the VGW. You have a stateful firewall
on each router. The routers drop some of the traffic coming from the VPC.
Which two actions should you take to fix this problem? (Select two.)

Question36: You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the
lowest latency and the highest packet-per-second network performance. The application will talk to other
servers in a peered VPC.
Which two of the following components should be part of the design? (Select two.)

Question37: The Web Application Development team is worried about malicious activity from 200 random IP
addresses. Which action will ensure security and scalability from this type of threat?

Question38: Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your
corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with
dynamic (BGP) routing enabled.
The applications require access to a common authentication service in the shared services VPC. You
need to enable native network access from the corporate network to both application VPCs.
Which step should you take to meet the requirements?

Question39: You are building an application that provides real-time audio and video services to customers on the
Internet. The application requires high throughput. To ensure proper audio and video transmission,
minimal latency is required.
Which of the following will improve transmission quality?

Question40: You have to set up an AWS Direct Connect connection to connect your on-premises to an AWS VPC. Due
to budget requirements, you can only provision a single Direct Connect port. You have two border gateway
routers at your on-premises data center that can peer with the Direct Connect routers for redundancy.
Which two design methodologies, in combination, will achieve this connectivity? (Select two.)