
ANS-C00 AWS Certified Advanced Networking Specialty Exam Questions and Answers

Question 4

A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected.

What is causing this issue?

Options:

A.

The NAT gateway does not support fragmented packets.

B.

The internet gateway only supports an MTU of 1500 bytes.

C.

An Amazon EC2 instance expects to communicate with an MTU of 9001.

D.

The security group on the instances does not allow PMTUD.

Question 5

A company has a hybrid IT architecture with two AWS Direct Connect connections to provide high availability. The services hosted on-premises are accessible using public IPs, and are also on the 172.16.0.0/16 range. The AWS resources are on the 192.168.0.0/18 range. The company wants to use Amazon Elastic Load Balancing for SSL offloading, health checks, and sticky sessions.

What should be done to meet these requirements?

Options:

A.

Create a Network Load Balancer pointing to the on-premises server's private IP address.

B.

Create an Amazon CloudFront distribution for the on-premises service and use the public IPs of the on-premises servers as the origin.

C.

Create a Network Load Balancer pointing to the on-premises server's public IP address.

D.

Create an Application Load Balancer pointing to the on-premises server's private IP address.

Question 6

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.

Which design should be recommended?

Options:

A.

Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.

B.

Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.

C.

Create a private VIF to the Management VPC, and peer this VPC to all other VPCs, enable source/destination NAT in the Management VPC.

D.

Create a total of four private VIFs, and enable VPC peering between all VPCs.

Question 7

You need to set up a VPN between AWS VPC and your on-premises network. You create a VPN connection in the AWS Management Console, download the configuration file, and install it on your on-premises router. The tunnel is not coming up because of firewall restrictions on your router. Which two network traffic options should you allow through the firewall? (Select two.)

Options:

A.

UDP port 500

B.

IP protocol 50

C.

IP protocol 5

D.

TCP port 50

E.

TCP port 500

Question 8

A company has an application running in an Amazon VPC that must be able to communicate with on-premises resources in a data center. Network traffic between AWS and the data center will initially be minimal, but will increase to more than 10 Gbps over the next few months. The company's goal is to launch the application as quickly as possible.

The Network Engineer has been asked to design a hybrid IT connectivity solution.

What should be done to meet these requirements?

Options:

A.

Submit a 1 Gbps AWS Direct Connect connection request, then increase the number of Direct Connect connections, as needed.

B.

Allocate elastic IPs to Amazon EC2 instances for temporary access to on-premises resources, then provision AWS VPN connections between an Amazon VPC and the data center.

C.

Provision an AWS VPN connection between an Amazon VPC and the data center, then submit an AWS Direct Connect connection request. Later, cut over from the VPN connection to one or more Direct Connect connections, as needed.

D.

Provision a 100 Mbps AWS Direct Connect connection between an Amazon VPC and the data center, then submit a Direct Connect connection request. Later, cut over from the hosted connection to one or more Direct Connect connections, as needed.

Question 9

The Security department has mandated that all outbound traffic from a VPC toward an on-premises datacenter must go through a security appliance that runs on an Amazon EC2 instance.

Which of the following maximizes network performance on AWS? (Choose two.)

Options:

A.

Support for the enhanced networking drivers

B.

Support for sending traffic over the Direct Connect connection

C.

The instance sizes and families supported by the security appliance

D.

Support for placement groups within the VPC

E.

Security appliance support for multiple elastic network interfaces

Question 10

You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

Options:

A.

CloudWatch Logs at the VPC level

B.

Packet sniffing at the instance level

C.

VPC flow logs at the subnet level

D.

Packet sniffing at the VPC level

Question 11

A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.

What is the MOST cost-effective solution that meets these requirements?

Options:

A.

Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the Security team.

B.

Enable Amazon GuardDuty on the account and the specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the Security team.

C.

Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the Security team.

D.

Enable Amazon GuardDuty on the account and specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.

Question 12

A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor. A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed.

The interim solution has worked for several weeks. However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from cloudfront". Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.

What is the likely cause of the error and what is the solution?

Options:

A.

The origin access identity is not correct. Edit the CloudFront distribution and update the identity in the origins settings.

B.

The SSL certificate on the CloudFront distribution has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to replace the SSL certificate in the CloudFront distribution with a new certificate.

C.

The SSL certificate on the legacy web application server has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to create a new SSL certificate. Export the public and private keys and install the certificate on the legacy web application.

D.

The SSL certificate on the legacy web application server has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server.

Question 13

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

Which solution will fix the connectivity failures with the LEAST amount of effort?

Options:

A.

Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.

B.

Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.

C.

Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.

D.

Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

Question 14

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

Options:

A.

Use a Network Load Balancer to automatically preserve the source IP address.

B.

Use a Network Load Balancer and enable the X-Forwarded-For attribute.

C.

Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.

D.

Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

Question 15

A company is connecting to a VPC over an AWS Direct Connect using a private VIF, and a dynamic VPN connection as a backup. The company's Reliability Engineering team has been running failover and resiliency tests on the network and the existing VPC by simulating an outage situation on the Direct Connect connection. During the resiliency tests, traffic failed to switch over to the backup VPN connection.

How can this failure be troubleshot?

Options:

A.

Ensure that Bidirectional Forwarding Detection is enabled on the Direct Connect connection

B.

Confirm that the same routes are being advertised over both the VPN and Direct Connect.

C.

Reconfigure the Direct Connect session from static routes to Border Gateway Protocol (BGP) peering.

D.

Configure a virtual private gateway for the VPN and another virtual private gateway for Direct Connect.

Question 16

A company runs a large-scale application on a fleet of Amazon EC2 instances that are distributed across several VPCs. A Network Load Balancer (NLB) in a separate VPC routes traffic to the EC2 instances. The NLB's VPC is peered to all the application VPCs.

The application must process millions of requests each minute during times of peak utilization. Users are reporting that the connections to the application are failing during peak times. Monitoring shows an increase in port allocation errors on the NLB.

Which action will solve this issue with the LEAST change to the architecture?

Options:

A.

Increase the number of EC2 instances in the target group

B.

Create an Application Load Balancer for the target group

C.

Add a new target group to the same NLB listener

D.

Change the target group type to "instance".

Question 17

An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.

What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?

Options:

A.

Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.

B.

Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.

C.

Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.

D.

Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.

Question 18

The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?

Options:

A.

Use inbound security group rules to block the IP addresses.

B.

Use inbound network ACL rules to block the IP addresses.

C.

Use AWS WAF to block the IP addresses.

D.

Write iptables rules on the instance to block the IP addresses.

Question 19

An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.

Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: “There are not enough free addresses in subnet ‘subnet-12345677’ to satisfy the requested number of instances.”

What action will resolve the availability problem?

Options:

A.

Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.

B.

Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.

C.

Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.

D.

Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.

Question 20

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.

What design will use the LEAST amount of IP space, while allowing for this growth?

Options:

A.

Use two /29 subnets for an Application Load Balancer in different Availability Zones.

B.

Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

C.

Use two /28 subnets for a Network Load Balancer in different Availability Zones.

D.

Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

Question 21

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.

Which two AWS services could you leverage to build an automated notification system? (Select two.)

Options:

A.

Internet gateway

B.

VPC Flow Logs

C.

AWS CloudTrail

D.

Lambda

E.

AWS Inspector

Question 22

A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable: 'app.example.com'.

Instances within the VPC should always connect to the private IP to minimize data transfer costs.

How should the engineer configure DNS to support these requirements?

Options:

A.

Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.

B.

Create two A record entries for ‘app’ in the DNS zone ‘example.com’ – one for the public IP and one for the private IP.

C.

Use Route 53 to create an ALIAS record to the public DNS name for the instance.

D.

Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.

Question 23

Your company uses an NTP server to synchronize time across systems. The company runs multiple versions of Linux and Windows systems. You discover that the NTP server has failed, and you need to add an alternate NTP server to your instances.

Where should you apply the NTP server update to propagate information without rebooting your running instances?

Options:

A.

DHCP Options Set

B.

instance user-data

C.

cfn-init scripts

D.

instance meta-data

Exam Code: ANS-C00
Exam Name: AWS Certified Advanced Networking Specialty Exam
Last Update: Aug 10, 2022
Questions: 154
