Exam Details

  • Exam Code: ANS-C01
  • Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 240 Q&As
  • Last Updated: Apr 24, 2025

Amazon Amazon Certifications ANS-C01 Questions & Answers

  • Question 71:

    A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:

      • A transit gateway with all VPCs attached to it
      • Several hundred application VPCs
      • A centralized egress internet VPC with a NAT gateway and an internet gateway
      • A centralized ingress internet VPC that hosts public Application Load Balancers
      • On-premises connectivity through an AWS Direct Connect gateway attachment

    The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table's default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata compatible rules.

    The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment.

    Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

    A. Deploy Network Firewall in all Availability Zones in each application VPC.

    B. Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.

    C. Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.

    D. Update the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.

    E. Configure a single transit gateway route table. Associate all application VPCs and the centralized inspection VPC with this route table.

    F. Configure two transit gateway route tables. Associate all application VPCs with one transit gateway route table. Associate the centralized inspection VPC with the other transit gateway route table.

  • Question 72:

    A company has three VPCs in a single AWS Region. Each VPC contains 15 Amazon EC2 instances, and no connectivity exists between the VPCs. The company is deploying a new application across all three VPCs. The application requires high bandwidth between the nodes. A network engineer must implement connectivity between the VPCs. Which solution will meet these requirements with the HIGHEST throughput?

    A. Configure a transit gateway. Attach each VPC to the transit gateway. Configure static routing in each VPC to route traffic to the transit gateway.

    B. Configure VPC peering between the three VPCs. Configure static routing to route traffic between the three VPCs.

    C. Configure a transit VPC. Configure a VPN gateway in each VPC. Create an AWS Site-to-Site VPN tunnel from each VPC to the transit VPC. Use BGP routing to route traffic between the VPCs and the transit VPC.

    D. Configure AWS Site-to-Site VPN connections between each VPC. Enable route propagation for each Site-to-Site VPN connection to route traffic between the VPCs.

  • Question 73:

    A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

    A. Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.

    B. Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.

    C. Turn on VPC Flow Logs on the EC2 instances. Specify the default format and a log destination of Amazon CloudWatch Logs. Analyze the flow log data by using CloudWatch Logs Insights.

    D. Turn on VPC Flow Logs on the EC2 instances. Specify a custom format and a log destination of Amazon S3. Analyze the flow log data by using Amazon Athena.

  • Question 74:

    A company has critical VPC workloads that connect to an on-premises data center through two redundant active-passive AWS Direct Connect connections. However, a recent outage on one Direct Connect connection revealed that it takes more than a minute for traffic to fail over to the secondary Direct Connect connection. The company wants to reduce the failover time from minutes to seconds. Which solution will provide the LARGEST reduction in the BGP failover time?

    A. Reduce the BGP hold-down timer that is configured on the BGP sessions on the Direct Connect connection VIFs.

    B. Configure an Amazon CloudWatch alarm for the Direct Connect connection state to invoke an AWS Lambda function to fail over the traffic.

    C. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the AWS side.

    D. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the on-premises router.

  • Question 75:

    A European car manufacturer wants to migrate its customer-facing services and its analytics platform from two on-premises data centers to the AWS Cloud. The company has a 50-mile (80.4 km) separation between its on-premises data centers and must maintain that separation between its two locations in the cloud. The company also needs failover capabilities between the two locations in the cloud.

    The company's infrastructure team creates several accounts to separate workloads and responsibilities. The company provisions resources in the eu-west-3 Region and in the eu-central-1 Region. The company selects an AWS Direct Connect Partner in each Region and requests two resilient 1 Gbps fiber connections from each provider.

    The company's network engineer must establish a connection between all VPCs in the accounts and between the on-premises network and the AWS Cloud. The solution must provide access to all services in both Regions in case of network issues.

    Which solution will meet these requirements?

    A. Create a Direct Connect gateway. Create a private VIF on each of the Direct Connect connections. Attach the private VIFs to the Direct Connect gateway. Use equal-cost multi-path (ECMP) routing to aggregate the four connections across the two Regions. Attach the Direct Connect gateway directly to each VPC's virtual private gateway.

    B. Create a Direct Connect gateway. Create a transit gateway. Attach the transit gateway to the Direct Connect gateway. Create a transit VIF on each of the Direct Connect connections. Attach the transit VIFs to the Direct Connect gateway. Use a link aggregation group (LAG) to aggregate the four connections across the two Regions. Attach the transit gateway directly to each VPC.

    C. Create a Direct Connect gateway. Create a transit gateway in each Region. Attach the transit gateways to the Direct Connect gateway. Create a transit VIF on each of the Direct Connect connections. Attach the transit VIFs to the Direct Connect gateway. Peer the transit gateways. Attach the transit gateways in each Region to the VPCs in the same Region.

    D. Create a Direct Connect gateway. Create a private VIF on each of the Direct Connect connections. Attach the private VIFs to the Direct Connect gateway. Use a link aggregation group (LAG) to aggregate the four connections across the two Regions. Create a transit gateway. Attach the transit gateway to the Direct Connect gateway. Attach the transit gateway directly to each VPC.

  • Question 76:

    A company has two AWS Direct Connect links. One Direct Connect link terminates in the us-east-1 Region, and the other Direct Connect link terminates in the af-south-1 Region. The company is using BGP to exchange routes with AWS. How should a network engineer configure BGP to ensure that af-south-1 is used as a secondary link to AWS?

    A. On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7100. On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7300. On the Direct Connect BGP peer to us-east-1, set the local preference value to 200. On the Direct Connect BGP peer to af-south-1, set the local preference value to 50.

    B. On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300. On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100. On the Direct Connect BGP peer to us-east-1, set the local preference value to 200. On the Direct Connect BGP peer to af-south-1, set the local preference value to 50.

    C. On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7100. On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7300. On the Direct Connect BGP peer to us-east-1, set the local preference value to 50. On the Direct Connect BGP peer to af-south-1, set the local preference value to 200.

    D. On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300. On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100. On the Direct Connect BGP peer to us-east-1, set the local preference value to 50. On the Direct Connect BGP peer to af-south-1, set the local preference value to 200.

  • Question 77:

    A team of infrastructure engineers wants to automate the deployment of Application Load Balancer (ALB) components by using the AWS Cloud Development Kit (AWS CDK). The CDK application must deploy an infrastructure stack that is reusable and consistent across multiple environments, AWS Regions, and AWS accounts.

    The lead network architect on the project has already bootstrapped the target accounts. The lead network architect also has deployed core network components such as VPCs and Amazon Route 53 private hosted zones across the multiple environments and Regions. The infrastructure engineers must design the ALB components in the CDK application to use the existing core network components.

    Which combination of steps will meet this requirement with the LEAST manual effort between environment deployments? (Choose two.)

    A. Design the CDK application to read AWS CloudFormation parameters for the values that vary across environments and Regions. Reference these variables in the CDK stack for resources that require the variables.

    B. Design the CDK application to read environment variables that contain account and Region details at runtime. Use these variables as properties of the CDK stack. Use context methods in the CDK stack to retrieve variable values.

    C. Create a dedicated account for shared application services in the multi-account environment. Deploy a CDK pipeline to the dedicated account. Create stages in the pipeline that deploy the CDK application across different environments and Regions.

    D. Write a script that automates the deployment of the CDK application across multiple environments and Regions. Distribute the script to engineers who are working on the project.

    E. Use the CDK toolkit locally to deploy stacks to each environment and Region. Use the --context flag to pass in variables that the CDK application can reference at runtime.

  • Question 78:

    An IoT company collects data from thousands of sensors that are deployed in the United States and South Asia. The sensors use a proprietary communication protocol that is built on UDP to send the data to a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group and run behind a Network Load Balancer (NLB). The instances, Auto Scaling group, and NLB are deployed in the us-west-2 Region. Occasionally, the data from the sensors in South Asia gets lost in transit over the internet and does not reach the EC2 instances. Which solutions will resolve this issue? (Choose two.)

    A. Use AWS Global Accelerator with the existing NLB.

    B. Create an Amazon CloudFront distribution. Specify the existing NLB as the origin.

    C. Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 latency routing policy to resolve to the Region that provides the least latency.

    D. Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 failover routing policy to resolve to an alternate Region in case packets are dropped.

    E. Turn on enhanced networking on the EC2 instances by using the most recent Elastic Network Adapter (ENA) drivers.

  • Question 79:

    A company has an application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-party EC2 appliance for content inspection. Which solution will meet these requirements?

    A. Configure VPC flow logs on each EC2 network interface. Publish the flow logs to an Amazon S3 bucket. Create a third-party EC2 appliance to acquire flow logs from the S3 bucket. Log in to the appliance to monitor network content.

    B. Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.

    C. Configure a mirror session. Specify an Amazon Kinesis Data Firehose delivery stream as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application. Create a third-party EC2 appliance. Send all traffic to the appliance through the Kinesis Data Firehose delivery stream for content inspection.

    D. Configure VPC flow logs on each EC2 network interface. Send the logs to Amazon CloudWatch. Create a third-party EC2 appliance. Configure a CloudWatch filter to send the flow logs to Amazon Kinesis Data Firehose to load the logs into the appliance.

  • Question 80:

    A company uses Amazon Route 53 to register a public domain, example.com, in an AWS account. A central services group manages the account. The company wants to create a subdomain, test.example.com, in another AWS account to offer name services for Amazon EC2 instances that are hosted in the account. The company does not want to migrate the parent domain to the subdomain account. A network engineer creates a new Route 53 hosted zone for the subdomain in the second account. Which combination of steps must the network engineer take to complete the task? (Choose two.)

    A. Add records for the hosts of the new subdomain to the new Route 53 hosted zone.

    B. Update the DNS service for the parent domain by adding name server (NS) records for the subdomain.

    C. Update the DNS service for the subdomain by adding name server (NS) records for the parent domain.

    D. Create an alias record from the parent domain that points to the hosted zone for the subdomain in the second account.

    E. Add a start of authority (SOA) record in the parent domain for the subdomain.
