Your business has implemented a highly available Direct Connect system that makes use of two datacenters. Each data center is equipped with one LAG with two connections and one ordinary DX connection.
How many LOAs will be completed in total if your organization successfully completes an order for the addition of a new connection to each of the LAGs?
A. 1
B. 11
C. 2
D. 6
An IT company wants to securely perform a one-off migration of its on-premises VMs to the AWS Cloud by using AWS Server Migration Service (AWS SMS). For the first phase of the migration, the company must migrate 50 development VMs in batches during non-peak times over the next 7 days. The VMs are between 2 GB and 5 GB in size. The company has 1 Gbps of available bandwidth over the internet.
Which network connectivity option meets these requirements MOST cost-effectively?
A. Contact an AWS partner to order a hosted VIF
B. Use the existing internet connection
C. Order an AWS Direct Connect connection. Provision a public VIF.
D. Create a VPN connection to AWS.
A company's developers wrote an AWS Lambda function to modify existing private route tables in response to a security appliance's auto scaling events. The Lambda function will be invoked on lifecycle hooks for an Auto Scaling group and is configured to run in a VPC. The developers are unsure if the following IAM policy provides sufficient permissions to be used as an execution role for this Lambda function.
The developers ask a network engineer to review the permissions. Which set of permissions should the network engineer add to the policy?
A. lambda:ListFunctions, lambda:GetPolicy, and ec2:DeleteRouteTable
B. ec2:AssociateAddress, ec2:ModifyInstanceAttribute, and ec2:AssociateRouteTable
C. ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, and ec2:ReplaceRoute
D. ec2:DescribeLifecycleHooks, ec2:DescribeScalingActivities, and ec2:DescribePolicies
A manufacturing company has a hybrid environment that includes an AWS Direct Connect gateway that is associated with an AWS Transit Gateway. The company wants to extend a third-party application that is hosted in its on-premises data center into one of its VPCs.
The application vendor has stated that it must use an overlay IP address to meet the company's requirement for high availability. The DHCP administrator has assigned a non-overlapping RFC1918 private address for use as the overlay IP address. The security team requires connectivity to remain private.
Which solution meets these requirements with the LEAST management overhead?
A. Create a layer 2 VPN across a public VIF by using a software-based VPN on a pair of Amazon EC2 instances. Use BGP to advertise the routes over the VPN.
B. Create a transit VIF with automatically propagated routes in the transit gateway route table. Create a new subnet in the VPC for the overlay IP address, and propagate the route to the VPC route table. Update the route tables on premises as needed.
C. Create an external Network Load Balancer by using Amazon Route 53 to create records that point to the target application's overlay IP address. Create static entries in the VPC route table.
D. Create a transit VIF. Then create static routes in the transit gateway route table to point to the VPC that contains the overlay IP address. Create static routes in the VPC route table that point to the transit gateway. Update the route tables on premises as needed.
A company has established an AWS Direct Connect connection between its customer gateway at its on-premises data center and a virtual private gateway in the AWS Cloud. The BGP routing protocol configuration includes the Autonomous System Number (ASN) of 7224 on the AWS end of the connection and the BGP ASN of 65004 on the company end of the connection.
The company's IT administrators report that servers that run at the on-premises data center are not able to communicate with the company's web application that runs on a fleet of Amazon EC2 instances. A network engineer performs initial troubleshooting. The network engineer finds that the private VIF is operational and that there is a fully established BGP peering session. However, the company still cannot route traffic over the private VIF.
Which of the following is a possible cause of this connectivity issue?
A. Firewall or ACL rules are blocking TCP port 179 or are blocking high-numbered ephemeral TCP ports.
B. The provider is advertising 50 prefixes for private VIFs.
C. VPC route tables are lacking prefixes that point to the virtual private gateway to which the private VIF is connected.
D. Peer IP addresses for both sides of the BGP peering session are not configured correctly.
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?
A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
B. Change the router configurations to summarize the advertised routes.
C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC and connect the Direct Connect gateway to the transit gateway.
A financial services company receives real-time stock quotes in its ingestion VPC. The company plans to perform customer-specific data analysis on the stock quotes in various VPCs. The stock quotes must be distributed simultaneously from Amazon EC2 instances in the ingestion VPC to EC2 instances in the data analysis VPCs.
Which set of configuration steps should the company take to meet these requirements?
A. Configure EC2 instances in the ingestion VPC as IP unicast senders. Configure a transit gateway to serve as a unicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
B. Configure VPC peering between the ingestion VPC and the data analysis VPCs. Configure an Application Load Balancer to distribute Virtual Extensible LAN (VXLAN)-encapsulated traffic from the sender EC2 instances to the receiver EC2 instances.
C. Configure EC2 instances in the ingestion VPC as IP multicast senders. Configure a transit gateway to serve as a multicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
D. Configure Amazon Kinesis Data Firehose to capture streaming data from the ingestion VPC and load the data into Amazon S3. Configure the instances in the data analysis VPCs to download the data from Amazon S3 for processing.
A company is deploying a network security product that is based on virtual appliances that run on Amazon EC2 instances. The appliances are stateful and inspect request traffic and return traffic. The appliances require visibility to a network flow's bidirectional transaction.
The central appliance VPC is connected to a transit gateway.
A network administrator notices that connections to the appliances are dropped when the traffic crosses Availability Zones. The appliances run behind a Gateway Load Balancer. The appliances are deployed across multiple Availability Zones in a central VPC.
What is MOST likely causing the connections to drop?
A. The transit gateway VPC attachment of the central appliance VPC is configured only for a subnet in a single Availability Zone
B. The transit gateway VPC attachment of the appliance is not configured for appliance mode
C. The route table that is attached to the subnet in one of the Availability Zones is missing a return route to the originating VPC
D. The security group that is attached to one of the appliance instances is blocking traffic to port 6081
A company runs a web application on an Amazon EC2 instance. The application experiences performance issues for a short period at the same time every day. To diagnose the issue, the application vendor needs a packet capture of the web application network interface. The company's network administrator does not have SSH access to the instance.
Which solution will meet these requirements?
A. Use Traffic Mirroring. Create a new EC2 instance, and use its network interface as the traffic mirror target. Add a rule to the new instance's security group to allow UDP port 4789 inbound traffic.
B. Use Traffic Mirroring. Enable enhanced networking support on the elastic network interface. Stream the packet capture to an Amazon Kinesis data stream.
C. Use VPC Flow Logs. Enable enhanced networking support on the elastic network interface. Stream packets to Amazon CloudWatch Logs.
D. Use VPC Flow Logs. Disable source/destination checks on the instance. Stream packets to Amazon CloudWatch Logs.
A logistics company has deployed a hybrid environment that has multiple VPCs in both the us-east-1 Region and the af-south-1 Region. The on-premises data center is connected to us-east-1 through an AWS Direct Connect connection. The Direct Connect connection is connected to a Direct Connect gateway that is associated with a transit gateway. The transit gateway is attached to all the VPCs in us-east-1.
An application that is deployed in af-south-1 requires access to a database in the data center. The application also requires access to file storage in a VPC in us-east-1.
Which solution will meet these requirements with the LOWEST latency?
A. Create a transit gateway in af-south-1, and attach the VPCs. Create a transit gateway peering connection between the transit gateways.
B. Create a Direct Connect connection in af-south-1, and attach the VPCs with a Direct Connect gateway and a transit gateway. Create an AWS Site-to-Site VPN connection over the internet between the Direct Connect connections.
C. Create a transit gateway in af-south-1, and attach the VPCs. Associate the transit gateway in af-south-1 with the Direct Connect gateway in us-east-1.
D. Create inter-Region VPC peering connections between the VPCs in each Region. Use the transit gateway attachments in us-east-1 to access the database in the data center.