A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server. How should the network engineer set up the Direct Connect connection to meet these requirements?
A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response. Which configuration change should a network engineer implement to resolve this issue?
A. Configure the NAT gateway timeout to allow connections for up to 600 seconds.
B. Enable enhanced networking on the client EC2 instances.
C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.
D. Close idle TCP connections through the NAT gateway.
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection. What is the MOST scalable way to add VPCs with on-premises connectivity?
A. Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs.
B. Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network.
C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network.
D. Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.
A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB. The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process. What should a network engineer do to resolve this issue?
A. Modify the ALB listener configuration. Edit the rule that forwards traffic to the target group. Change the rule to enable group-level stickiness. Set the duration to the maximum application session length.
B. Replace the ALB with a Network Load Balancer. Create a TLS listener. Create a new target group with the protocol type set to TLS. Register the EC2 instances. Modify the target group configuration by enabling the stickiness attribute.
C. Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.
D. Remove the ALB. Create an Amazon Route 53 rule with a failover routing policy for the application name. Configure ACM to issue certificates for each EC2 instance.
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A.
  1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
  2. In the Connectivity account: Accept the resource.
  3. In the Connectivity account: Create an attachment to the VPC subnets.
  4. In the Production account: Accept the attachment. Associate a route table with the attachment.
B.
  1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
  2. In the Connectivity account: Accept the resource.
  3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
C.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
  4. In the Production account: Accept the attachment. Associate a route table with the attachment.
D.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Production account: Create an attachment to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application. The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware. Which solution will meet this requirement with the LEAST operational effort?
A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route. The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost. Which solution will meet these requirements?
A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT gateway. Connect to Amazon S3 by using the NAT gateway.
C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3.
D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
A development team is building a new web application in the AWS Cloud. The main company domain, example.com, is currently hosted in an Amazon Route 53 public hosted zone in one of the company's production AWS accounts. The developers want to test the web application in the company's staging AWS account by using publicly resolvable subdomains under the example.com domain with the ability to create and delete DNS records as needed. Developers have full access to Route 53 hosted zones within the staging account, but they are prohibited from accessing resources in any of the production AWS accounts. Which combination of steps should a network engineer take to allow the developers to create records under the example.com domain? (Choose two.)
A. Create a public hosted zone for example.com in the staging account.
B. Create a staging.example.com NS record in the example.com domain. Populate the value with the name servers from the staging.example.com domain. Set the routing policy type to simple routing.
C. Create a private hosted zone for staging.example.com in the staging account.
D. Create an example.com NS record in the staging.example.com domain. Populate the value with the name servers from the example.com domain. Set the routing policy type to simple routing.
E. Create a public hosted zone for staging.example.com in the staging account.
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.)
A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.
B. The security group is blocking traffic to the IP address range used by Amazon SQS.
C. There is no interface VPC endpoint configured for Amazon SQS.
D. The network ACL is blocking return traffic from Amazon SQS.
E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.
A network engineer needs to standardize a company's approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company's network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet. What should the network engineer do to meet these requirements?
A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account.
C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account.
D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.