A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content deliverynetwork. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an AutoScaling group. The company's customers access the website by using service example com as the CloudFront custom domain name. TheCloudFront origin points to an ALB that uses service-alb.example.com as the domain name.The company's security policy requires the traffic to be encrypted in transit at all times between the users and the backend.Which combination of changes must the company make to meet this security requirement? (Choose three.)
A. Create a self-signed certificate for service.example.com. Import the certificate into AWS Certificate Manager (ACM). ConfigureCloudFront to use this imported SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
B. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this customSSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
C. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instances. Configure the backend touse this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPSprotocol for its targets. Attach the existing Auto Scaling group to this new target group.
D. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend touse this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPSprotocol for its targets. Attach the existing Auto Scaling group to this new target group.
E. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener thatuses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only.Delete the HTTP listener on the ALB.
F. Create a self-signed certificate for service-alb.example.com. Import the certificate into AWS Certificate Manager (ACM). On the ALB adda new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificate. Modify the CloudFrontorigin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud The application requiresconnectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWSand its on-premises network to accommodate the growing demand for the application.The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWSand the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.What should a network engineer do to meet these requirements with the LEAST operational overhead?
A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.
B. Create a virtual private gateway Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway Reroutetraffic from the Direct Connect private VIF to the new VPNs.
C. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the newDirect Connect connections. Decommission the original Direct Connect connections
D. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections.Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site connections. Decommission the original Direct Connect connections.
A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced anetwork security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port,and user agent of each user that accesses the application.What is the MOST operationally efficient solution that meets these requirements?
A. Configure the ALB to store logs in an Amazon S3 bucket. Download the files from Amazon S3, and use a spreadsheet application toanalyze the logs.
B. Configure the ALB to push logs to Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics to analyze the logs.
C. Configure Amazon Kinesis Data Streams to stream data from the ALB to Amazon OpenSearch Service (Amazon Elasticsearch Service).Use search operations in Amazon OpenSearch Service (Amazon Elasticsearch Service) to analyze the data.
D. Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.
A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to atransit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundantDirect Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from onpremises over Direct Connect.What should a network engineer do to meet these requirements?
A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes. Configure a CloudWatch alarm to send notificationswhen routes change.
B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use Amazon EventBridge (Amazon CloudWatchEvents) to send notifications when routes change.
C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications whenroutes change.
D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes. Create a metric filter Set an alarm on the filter to sendnotifications when routes change.
A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. Thewebsite has static content such as images. The company is using Amazon S3 to store the content.The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scalinggroup behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render thewebpages. The company is using AWS Direct Connect with a public VIF for on-premises connectivity to the S3 bucket.A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing through a NAT gateway. As traffic increases, thecompany's costs are increasing. The network engineer needs to change the connectivity to reduce the NAT gateway costs that result from thetraffic between the EC2 instances and Amazon S3.Which solution will meet these requirements?
A. Create a Direct Connect private VIF. Migrate the traffic from the public VIF to the private VIF.
B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF.
C. Implement interface VPC endpoints for Amazon S3. Update the VPC route table.
D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table.
A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The companyhosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs ineach Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. Thecompany has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500Mbps.The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architectureand allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers.This traffic will increase over time.Which solution will meet these requirements?
A. Set up an AWS Direct Connect connection from each data center to AWS in each Region. Create and attach private VIFs to a singleDirect Connect gateway. Attach the Direct Connect gateway to all the VPCs. Remove the existing VPN connections that are attacheddirectly to the virtual private gateways.
B. Create a single transit gateway with VPN connections from each data center. Share the transit gateway with each account by using AWSResource Access Manager (AWS RAM). Attach the transit gateway to each VPC. Remove the existing VPN connections that are attacheddirectly to the virtual private gateways.
C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transitgateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to eachVPRemove the existing VPN connections that are attached directly to the virtual private gateways.
D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC. Create new VPNconnections from each data center to the transit VPCs. Terminate the original VPN connections that are attached to all the original VPCs.Retain the new VPN connection to the new transit VPC in each Region.
A government contractor is designing a multi-account environment with multiple VPCs for a customer. A network security policy requires alltraffic between any two VPCs to be transparently inspected by a third-party appliance.The customer wants a solution that features AWS Transit Gateway. The setup must be highly available across multiple Availability Zones, andthe solution needs to support automated failover. Furthermore, asymmetric routing is not supported by the inspection appliances.Which combination of steps is part of a solution that meets these requirements? (Choose two.)
A. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect theinspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the targetgroup. Create a Network Load Balancer (NLB), and set it up to forward to the newly created target group. Configure a default route in theinspection VPCs transit gateway subnet toward the NLB.
B. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect theinspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the targetgroup. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in theinspection VPC's transit gateway subnet toward the Gateway Load Balancer endpoint.
C. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs.Associate the other route table with the inspection VPC's attachment. Propagate all VPC attachments into the inspection route table.Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.
D. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs.Associate the other route table with the inspection VPCs attachment. Propagate all VPC attachments into the application route table.Define a static default route in the inspection route table. Enable appliance mode on the attachment that connects the inspection VPC.
E. Configure one route table on the transit gateway. Associate the route table with all the VPCs. Propagate all VPC attachments into theroute table. Define a static default route in the route table.
A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC,including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can beallowed to open communications directly to the EC2 instances.The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests toand from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instancesto its data center from a single IP address.Which solution will meet these requirements with the LEAST amount of operational overhead?
A. Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic fromon premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
B. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connectionif the EC2 instances in the VPC initiate the traffic.
C. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private.Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
D. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall toallow connections from the IP address that is assigned to the NAT instance.
A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The companyhas production applications that run in the on-premises data center. The company also has production applications that run in a VPC. Theapplications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is usingcorp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone foraws.example.com to host the VPC resources.The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. Thecompany's on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in theVPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the on-premises data center. The company has deckled to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints.Which combination of steps should a network engineer take to make this replacement? (Choose three.)
A. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the outbound endpoint.
B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
C. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.
D. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
E. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.
F. Configure the on-premises DNS resolver to forward aws.example.com queries to the IP addresses of the outbound endpoint.
A company's network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer hasconfigured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2instance hosts tools that the company's security team uses to analyze the traffic. The network engineer needs to design a highly availablesolution that can scale to meet the demand of the mirrored traffic.Which solution will meet these requirements?
A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB. deploy a fleet of EC2 instances in an Auto Scalinggroup. Use Traffic Mirroring as necessary.
B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an AutoScaling group. Use Traffic Mirroring only during non-business hours.
C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB. deploy a fleet of EC2 instances in an Auto Scalinggroup. Use Traffic Mirroring as necessary.
D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB. deploy a fleet of EC2instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your ANS-C01 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.