Exam Details

  • Exam Code: ANS-C01
  • Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 240 Q&As
  • Last Updated: Apr 24, 2025

Amazon Amazon Certifications ANS-C01 Questions & Answers

  • Question 181:

    A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway. Which solution will meet these requirements?

    A. Create a new VPC for the SD-WAN hub virtual appliance. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.

    B. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

    C. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.

    D. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the VXLAN and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

  • Question 182:

    A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission. How should a network engineer configure the AWS resources to meet these requirements?

    A. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

    B. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

    C. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

    D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

  • Question 183:

    A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public websites. The application requires the customer's source IP addresses. A network engineer must implement a load balancing strategy that meets these requirements. Which combination of actions should the network engineer take to accomplish this goal? (Choose two.)

    A. Use a Network Load Balancer

    B. Retrieve client IP addresses by using the X-Forwarded-For header

    C. Use AWS App Mesh load balancing

    D. Retrieve client IP addresses by using the X-IP-Source header

    E. Use an Application Load Balancer.

  • Question 184:

    A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The company's current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company's on-premises devices have been updated to support the new IPv6 requirements. The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets. When updating the hybrid network to support IPv6, the network engineer must avoid making any changes to the current infrastructure. The network engineer also must block direct access to the instances' new IPv6 addresses from the internet. However, the network engineer must allow outbound internet access from the instances. What is the MOST operationally efficient solution that meets these requirements?

    A. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

    B. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Update the existing VPN connection to support IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

    C. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

    D. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add a NAT gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

  • Question 185:

    A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?

    A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only

    B. Use AWS Key Management Service (AWS KMS) to encrypt session keys

    C. Associate an AWS WAF web ACL with the ALBs and create a security rule to enforce forward secrecy (FS)

    D. Change the ALB security policy to a policy that supports forward secrecy (FS)

  • Question 186:

    A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB). The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128.0/17. A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments. Which solution will meet these requirements?

    A. Create a VPC peering connection between the web service VPC and the existing production VPC. Add a routing rule to the appropriate route table to allow data to flow to 192.168.224.0/19 from the existing production environment and to flow to 192.168.128.0/17 from the web service environment. Configure the relevant security groups and ACLs to allow the systems to communicate.

    B. Ask the development team of the web service to redeploy the web service into the production VPC and integrate the systems there.

    C. Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the web service. Create an interface VPC endpoint for the web service in the existing production VPC.

    D. Create a transit gateway in the existing production environment. Create attachments to the production VPC and the web service VPC. Configure appropriate routing rules in the transit gateway and VPC route tables for 192.168.224.0/19 and 192.168.128.0/17. Configure the relevant security groups and ACLs to allow the systems to communicate.

  • Question 187:

    A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application. Which solution will meet these requirements?

    A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS accounts. Update the route tables so that the AWS accounts can reach the GLB.

    B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint service for the ALB. Share the VPC endpoint service with other AWS accounts.

    C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB.

    D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.

  • Question 188:

    A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group. In addition to the primary network interface, the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface. How can the network engineer implement the required architecture?

    A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.

    B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.

    C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.

    D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

  • Question 189:

    A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name. A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918. Components of the application need to be able to access other components of the application within the application's VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries. Which combination of steps will meet these requirements? (Choose three.)

    A. Add a geoproximity routing policy in Route 53.

    B. Create a Route 53 private hosted zone for the same domain name. Associate the application's VPC with the new private hosted zone.

    C. Enable DNS hostnames for the application's VPC.

    D. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.

    E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs when AWS CloudTrail logs a Route 53 API call to the public hosted zone. Create an AWS Lambda function as the target of the rule. Configure the function to use the event information to update the private hosted zone.

    F. Add the private IP addresses in the existing Route 53 public hosted zone.

  • Question 190:

    A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group. The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone. What is the MOST operationally efficient solution to resolve this issue?

    A. Enable the new Availability Zone on the NLB

    B. Create a new NLB for the instances in the second Availability Zone

    C. Enable proxy protocol on the NLB

    D. Create a new target group with the instances in both Availability Zones
