A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. Theapplication will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store correspondingmetadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (AmazonSQS) queue.A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve newobjects, perform proprietary image and video recognition and classification update metadata in DynamoDB and replace the objects with newwatermarked objects. The company does not want public IP addresses on the EC2 instances.Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?
A. Place the EC2 instances in a public subnet. Disable the Auto-assign Public IP option while launching the EC2 instances. Create aninternet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internetgateway.
B. Place the EC2 instances in a private subnet. Create a NAT gateway in a public subnet in the same Availability Zone. Create an internetgateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway
C. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints forAmazon S3 and DynamoDB.
D. Place the EC2 instances in a private subnet. Create a gateway VPC endpoint for Amazon SQS. Create interface VPC endpoints forAmazon S3 and DynamoDB.
A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1.The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect thenew data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US datacenter and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centersand Regions with the lowest possible latency.How should the network engineer design the network architecture to meet these requirements?
A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Associate the transitgateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.
B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a DirectConnect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLinkfor both transit VIFs. Peer the two transit gateways.
C. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a DirectConnect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the newDirect Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Create a new DirectConnect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for the transit VIF andthe private VIF.
A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set upAWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF thatconnects to a Direct Connect gateway that is associated with a transit gateway.The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should berouted to the failover data center only in the case of an outage.Which solution will meet these requirements?
A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100. Set the BGP community tag for all prefixes fromthe failover data center to 7224:7300
B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes fromthe failover data center to 7224:7100
C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300. Set the BGP community tag for all prefixes fromthe failover data center to 7224:9100
D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100. Set the BGP community tag for all prefixes fromthe failover data center to 7224:9300
A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might beaccessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon ElasticKubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clustersare in separate subnets within the same VPC and have a Cluster Autoscaler configured.The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security teamwants to limit the number of flow logs and wants to examine the traffic from only the two applications.Which solution will meet these requirements with the LEAST operational overhead?
A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and thedstaddr field in the flow logs.
B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource Include the pkt-srcaddr field and the pkt-dstaddr field in theflow logs.
C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddrfield in the flow logs.
D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field andthe pkt-dstaddr field in the flow logs.
A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and ishosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolveand connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. TheHPC cluster can increase in size by five to seven times during the company's peak event at the end of the year.The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries tothe default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domainnames. The company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDSand S3 bucket endpoints.Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?
A. Scale out the DNS service by adding two additional EC2 instances in the VPC. Reconfigure half of the HPC cluster nodes to use thesenew DNS servers. Plan to scale out by adding additional EC2 instance-based DNS servers in the future as the HPC cluster size grows.
B. Scale up the existing EC2 instances that the company is using as DNS servers. Change the instance size to the largest possibleinstance size to accommodate the current DNS load and the anticipated load in the future.
C. Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for onpremises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-basedDNS servers. Terminate the EC2 instances.
D. Create Route 53 Resolver inbound endpoints. Create rules on the on-premises DNS servers to forward queries to the default VPCresolver. Reconfigure the HPC cluster nodes to forward all DNS queries to the on-premises DNS servers. Terminate the EC2 instances.
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application mustalways be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change tothe EC2 security group.A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever achange is made to the security group. The solution also must notify the network engineer when the change affects the connection.Which solution will meet these requirements?
A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow logrecords to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create analarm to notify the network engineer.
B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow logrecords to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarmto notify the network engineer
C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as thedestination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to thesecurity group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNStopic in case the analyses fail Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when achange to the security group occurs.
D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instancesas the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change tothe security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to theSNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function whena change to the security group occurs.
A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWSenvironment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs haveworkloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspectall east west (VPC-to-VPC) traffic.Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet ControlMessage Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer hasruled out security groups, stateful device configurations and network ACLs as the cause of the dropped traffic.What is causing the traffic to drop?
A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC.
B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.
C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC.
D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs.
A company has hundreds of Amazon EC2 instances that are running in two production VPCs across all Availability Zones in the us-east-1Region. The production VPCs are namedVPC A and VPC B.A new security regulation requires all traffic between production VPCs to be inspected before the traffic is routed to its final destination. Thecompany deploys a new shared VPC that contains a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCsto route traffic between VPC A and VPC B through the firewall appliance for inspection. During testing, the company notices that the transitgateway is dropping the traffic whenever the traffic is between two Availability Zones.What should a network engineer do to fix this issue with the LEAST management overhead?
A. In the shared VPC, replace the VPC attachment with a VPN attachment. Create a VPN tunnel between the transit gateway and thefirewall appliance. Configure BGP.
B. Enable transit gateway appliance mode on the VPC attachment in VPC A and VPC B.
C. Enable transit gateway appliance mode on the VPC attachment in the shared VPC.
D. In the shared VPC, configure one VPC peering connection to VPC A and another VPC peering connection to VPC B.
A company is migrating its containerized application to AWS. For the architecture the company will have an ingress VPC with a Network LoadBalancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of theapplication will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include anNLB that distributes traffic to the services pods in an EKS cluster.The company is concerned about overall cost. User traffic will be responsible for more than 10 TB of data transfer from the ingress VPC toservices VPCs every month. A network engineer needs to recommend how to design the communication between the VPCs.Which solution will meet these requirements at the LOWEST cost?
A. Create a transit gateway. Peer each VPC to the transit gateway. Use zonal DNS names for the NLB in the services VPCs to minimizecross-AZ traffic from the ingress VPC to the services VPCs.
B. Create an AWS PrivateLink endpoint in every Availability Zone in the ingress VPC. Each PrivateLink endpoint will point to the zonal DNSentry of the NLB in the services VPCs.
C. Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs. Use zonal DNS names for the NLB in theservices VPCs to minimize cross-AZ traffic from the ingress VPC to the services VPCs.
D. Create a transit gateway. Peer each VPC to the transit gateway. Turn off cross-AZ load balancing on the transit gateway. Use RegionalDNS names for the NLB in the services VPCs.
A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads toAWS and needs to extend its SD-WAN solution to support connectivity to these workloads.A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. Accordingto company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.How should the network engineer configure routing to meet these requirements?
A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that aremore specific to point to the primary SD-WAN virtual appliance.
B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your ANS-C01 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.