Exam Details

  • Exam Code: ANS-C01
  • Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 240 Q&As
  • Last Updated: Apr 24, 2025

Amazon Amazon Certifications ANS-C01 Questions & Answers

  • Question 51:

    A company has a hybrid IT setup that includes services that run in an on-premises data center and in the AWS Cloud. The company is using AWS Direct Connect to connect its data center to AWS. The company is using one AWS Site-to-Site VPN connection as backup and requires a backup connectivity option to always be present. The company is transitioning to IPv6 by implementing dual-stack architectures.

    Which combination of steps will transition the data center's connectivity to AWS in the LEAST amount of time? (Choose two.)

    A. Create a new Site-to-Site VPN tunnel for the IPv6 traffic.

    B. Create a new dual-stack Site-to-Site VPN connection between the data center and AWS. Provision routing. Delete the original Site-to-Site VPN connection.

    C. Associate a new dual-stack public VIF with the Direct Connect connection. Migrate the Direct Connect traffic to the new VIF.

    D. Add a new IPv6 peer in the existing VIF. Use the IPv6 address provided by Amazon on the peer router.

    E. Send IPv6 traffic between the data center and AWS in a tunnel inside the existing IPv4 tunnels.

  • Question 52:

    A company is developing a new application that is deployed in multiple VPCs across multiple AWS Regions. The VPCs are connected through AWS Transit Gateway. The VPCs contain private subnets and public subnets.

    All outbound internet traffic in the private subnets must be audited and logged. The company's network engineer plans to use AWS Network Firewall and must ensure that all traffic through Network Firewall is completely logged for auditing and alerting.

    How should the network engineer configure Network Firewall logging to meet these requirements?

    A. Configure Network Firewall logging in Amazon CloudWatch to capture all alerts. Send the logs to a log group in Amazon CloudWatch Logs.

    B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs.

    C. Configure Network Firewall logging by configuring VPC Flow Logs for the firewall endpoint. Send the logs to a log group in Amazon CloudWatch Logs.

    D. Configure Network Firewall logging by configuring AWS CloudTrail to capture data events.

  • Question 53:

    A company has set up a NAT gateway in a single Availability Zone (AZ1) in a VPC (VPC1) to access the internet from Amazon EC2 workloads in the VPC. The EC2 workloads are running in private subnets in three Availability Zones (AZ1, AZ2, AZ3). The route table for each subnet is configured to use the NAT gateway to access the internet.

    Recently during an outage, internet access stopped working for the EC2 workloads because of the NAT gateway's unavailability. A network engineer must implement a solution to remove the single point of failure from the architecture and provide built-in redundancy.

    Which solution will meet these requirements?

    A. Set up two NAT gateways. Place each NAT gateway in a different public subnet in separate Availability Zones (AZ2 and AZ3). Configure a route table for private subnets to route traffic to the virtual IP addresses of the two NAT gateways.

    B. Set up two NAT gateways. Place each NAT gateway in a different public subnet in separate Availability Zones (AZ2 and AZ3). Configure a route table to point the AZ2 private subnets to the NAT gateway in AZ2. Configure the same route table to point the AZ3 private subnets to the NAT gateway in AZ3.

    C. Create a second VPC (VPC2). Set up two NAT gateways. Place each NAT gateway in a different VPC (VPC1 and VPC2) and in the same Availability Zone (AZ2). Configure a route table in VPC1 to point the AZ2 private subnets to one NAT gateway. Configure a route table in VPC2 to point the AZ2 private subnets to the second NAT gateway.

    D. Set up two NAT gateways. Place each NAT gateway in a different public subnet in separate Availability Zones (AZ2 and AZ3). Configure a route table to point the AZ2 private subnets to the NAT gateway in AZ2. Configure a second route table to point the AZ3 private subnets to the NAT gateway in AZ3.

  • Question 54:

    A company recently experienced an IP address exhaustion event in its VPCs. The event affected service capacity. The VPCs hold two or more subnets in different Availability Zones.

    A network engineer needs to develop a solution that monitors IP address usage across resources in the VPCs. The company needs to receive notification about possible issues so that the company can act before an incident happens.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Set up Amazon VPC IP Address Manager (IPAM) with a new top-level pool. In the top-level pool, create a pool for each VPC. In each VPC pool, create a pool for each subnet in that VPC. Turn on the auto-import option for the VPC pools and the subnet pools. Configure an Amazon CloudWatch alarm to send an Amazon Simple Notification Service (Amazon SNS) notification if the availability limit threshold is reached.

    B. Set up a log group in Amazon CloudWatch Logs for each subnet. Create an AWS Lambda function that reads each subnet's IP address usage and publishes metrics to the log group. Configure an Amazon CloudWatch alarm to send an Amazon Simple Notification Service (Amazon SNS) notification if the availability limit threshold is reached.

    C. Set up a custom Amazon CloudWatch metric for IP address usage for each subnet. Create an AWS Lambda function that reads each subnet's IP address usage and publishes a CloudWatch metric dimension. Schedule the Lambda function to run every 5 minutes. Configure a CloudWatch alarm to send an Amazon Simple Notification Service (Amazon SNS) notification if the availability limit threshold is reached.

    D. Set up Amazon VPC IP Address Manager (IPAM) with a new top-level pool. In the top-level pool, create a pool for each VPC. In each VPC pool, create a pool for each subnet in that VPC. Turn on the auto-import option for the VPC pools and the subnet pools. Configure an Amazon EventBridge rule that monitors each pool availability limit threshold and sends an Amazon Simple Notification Service (Amazon SNS) notification if the limit threshold is reached.

  • Question 55:

    AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other.

    Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP addresses (10.1.0.0/24).

    A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of 10.1.0.0/24.

    What should the network engineer do next to meet the requirements?

    A. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a public NAT gateway in each of the new subnets. Update the route tables that are associated with other subnets to route application traffic to the public NAT gateway in the corresponding Availability Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to send traffic destined for the application to the transit gateway.

    B. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a private NAT gateway in each of the new subnets. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway in the corresponding Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT gateways to send traffic destined for the application to the transit gateway.

    C. In the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the new subnet. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway. Add a route to the route table that is associated with the subnet of the private NAT gateway to send traffic destined for the application to the transit gateway.

    D. In the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the new subnet. Update the route tables that are associated with other subnets to route application traffic to the public NAT gateway. Add a route to the route table that is associated with the subnet of the public NAT gateway to send traffic destined for the application to the transit gateway.

  • Question 56:

    A company has an on-premises data center in the United States. The data center is connected to AWS by an AWS Direct Connect connection. The data center has a private VIF that is connected to a Direct Connect gateway.

    Recently, the company opened a new data center in Europe and established a new Direct Connect connection between the Europe data center and AWS. A new private VIF connects to the existing Direct Connect gateway.

    The company wants to use Direct Connect SiteLink to set up a private network between the data center in the United States and the data center in Europe.

    Which solution will meet these requirements in the MOST operationally efficient manner?

    A. Create a new public VIF from each data center. Enable SiteLink on the new public VIFs.

    B. Create a new transit VIF from each data center. Enable SiteLink on the new transit VIFs.

    C. Use the existing VIF from each data center. Enable SiteLink on the existing private VIFs.

    D. Create a new AWS Site-to-Site VPN connection between the data centers. Configure the new connection to use SiteLink.

  • Question 57:

    A company has a new AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has created a new private VIF on this connection. However, the VIF status is DOWN.

    A network engineer verifies that the physical connection status is UP and RUNNING based on information from the AWS Management Console. The network engineer checks the customer Direct Connect router and can see the ARP entry for the VLAN interface created for the private VIF at AWS.

    What could be causing the private VIF to have a DOWN status?

    A. ICMP is blocked on the customer Direct Connect router.

    B. TCP port 179 is blocked on the customer Direct Connect router.

    C. The IEEE 802.1Q VLAN identifier is misconfigured on the customer Direct Connect router.

    D. The company has configured IEEE 802.1ad instead of 802.1Q on the customer Direct Connect router.

  • Question 58:

    A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. The company's existing architecture includes a VPC that uses RFC 1918 IP address space. The VPC is connected to an on-premises data center over AWS Direct Connect. Amazon Route 53 provides name resolution within the VPC. Locally managed DNS servers in the data center provide DNS services to the on-premises hosts.

    The company has applications in the data center that need to download objects from an Amazon S3 bucket in us-west-2.

    Which solution can the company use to access Amazon S3 without using the public IP address space?

    A. Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.

    B. Create an S3 interface endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.

    C. Create an S3 gateway endpoint in the VPC. Update the on-premises application configuration to use the hostname that is mapped to the S3 gateway endpoint.

    D. Create an S3 gateway endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.

  • Question 59:

    A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway. A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on the traffic must be logged in a central log account.

    Which solution will meet these requirements with the LEAST administrative overhead?

    A. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Gateway Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create an Amazon S3 bucket in the central log account. Configure the firewall appliances to capture and save the network flow logs to the S3 bucket.

    B. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Application Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create a syslog server in the central log account. Configure the firewall appliances to capture and save the network flow logs to the syslog server.

    C. Deploy network ACLs and security groups to each VPC. Attach the security groups to active network interfaces. Associate the network ACLs with VPC subnets. Create rules for the network ACLs and security groups to allow only the required traffic flows between subnets and network interfaces. Create an Amazon S3 bucket in the central log account. Configure a VPC flow log that captures and saves all traffic flows to the S3 bucket.

    D. Create a central log VPC and an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Network Load Balancer (NLB) that is backed by third-party, next-generation intrusion detection system (IDS) security appliances to the central VPC. Activate rules on the security appliances to monitor for intrusion signatures. For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC's NLB.

  • Question 60:

    An ecommerce company needs to implement additional security controls on all its domain names that are hosted in Amazon Route 53. The company's new policy requires data authentication and data integrity verification for all queries to the company's domain names. The current Route 53 architecture has four public hosted zones.

    A network engineer needs to implement DNS Security Extensions (DNSSEC) signing and validation on the hosted zones. The solution must include an alert capability.

    Which combination of steps will meet these requirements? (Choose three.)

    A. Enable DNSSEC signing for Route 53. Request that Route 53 create a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).

    B. Enable DNSSEC signing for Route 53. Request that Route 53 create a zone-signing key (ZSK) based on a customer managed key in AWS Key Management Service (AWS KMS).

    C. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record for each subdomain.

    D. Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record to the parent zone.

    E. Set up an Amazon CloudWatch alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.

    F. Set up an AWS CloudTrail alarm that provides an alert whenever a DNSSECInternalFailure error or DNSSECKeySigningKeysNeedingAction error is detected.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your ANS-C01 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions here.