A company wants to migrate its production and development applications to the AWS Cloud across multiple VPCs in three AWS Regions: us-east-1 (N. Virginia), eu-west-1 (Ireland), and ap-southeast-1 (Singapore). The company needs a scalable solution that provides connectivity between all three Regions. The solution also must provide private connectivity to the company's on-premises data center in Northern Virginia.
Data that is transferred from on premises and data that is transferred between Regions must be encrypted in transit. The company requires predictable network performance and must minimize cost.
The company has initiated a solution by deploying a transit gateway with two route tables in each Region. One route table is for the production environment, and one route table is for the development environment.
What else must the company do to meet its requirements with the LOWEST latency?
A. Deploy an AWS Direct Connect connection in us-east-1 and a public VIF to the on-premises data center. On each transit gateway, create a VPN attachment over the public VIF for the production and development route tables. Create transit gateway peering connections to route traffic between Regions.
B. Deploy an AWS Direct Connect connection in us-east-1 and a transit VIF to the on-premises data center. Associate all transit gateways and the transit VIF with a different Direct Connect gateway. Create transit gateway peering connections to route traffic between Regions.
C. Deploy an AWS Direct Connect connection in us-east-1 and a public VIF to the on-premises data center. On each transit gateway, create a VPN attachment over the public VIF for the production and development route tables. Route traffic between Regions through the VPN connections.
D. Deploy an AWS Direct Connect connection in us-east-1 to the on-premises data center. Create one transit VIF for each transit gateway route table, and associate each transit VIF with a Direct Connect gateway. Associate all transit gateways with the Direct Connect gateway. Create transit gateway peering connections to route traffic between Regions.
A company has a message queue application that is based on Apache Kafka. The company runs the application across a fleet of Amazon EC2 instances in a VPC. The EC2 instances are deployed across multiple Availability Zones.
A network engineer must ensure that the application is highly available and scalable. Additionally, the load on the EC2 instances must be automatically distributed. For security compliance, application clients must be able to create an allow list of the IP addresses for the application.
Which solution meets these requirements?
A. Add an Application Load Balancer (ALB) in front of the EC2 instances. Provide the ALB IP addresses to the application clients to create an allow list.
B. Add a Network Load Balancer (NLB) in front of the EC2 instances. Provide the NLB IP addresses to the application clients to create an allow list.
C. Add an Application Load Balancer in front of the EC2 instances. Provide the CNAME to the application clients to create an allow list.
D. Add a Network Load Balancer (NLB) in front of the EC2 instances. Provide the NLB's default alias to the application clients to create an allow list.
A network engineer is using the AWS CLI to provision a VPC and Amazon EC2 instances that use IPv6 addresses. An application that runs on the instances requires access to the internet to pull updates from a software vendor. The VPC ID is vpc-3c02b675. The network engineer uses the following command to provision an egress-only internet gateway:
aws ec2 create-egress-only-internet-gateway --vpc-id vpc-3c02b675
What else must the network engineer do so that the EC2 instances can pull the updates?
A. Replace the egress-only internet gateway with a NAT gateway. Create a route with destination 0.0.0.0/0 and the NAT gateway ID as the target.
B. Replace the egress-only internet gateway with a NAT gateway. Create a route with destination ::/0 and the NAT gateway ID as the target.
C. Create a route with destination 0.0.0.0/0 and the egress-only internet gateway ID as the target.
D. Create a route with destination ::/0 and the egress-only internet gateway ID as the target.
A company offers a web-based service that uses Amazon EC2 instances behind an Application Load Balancer (ALB). One of the company's large customers reports slow bulk transfer throughput. The company's network engineer suspects that this problem is the result of the TCP window size setting in the customer's corporate laptop computers.
How can the network engineer check the value of the TCP window size?
A. Configure VPC Flow Logs on the ALB elastic network interface. Use custom flow logs to add the TCP window size parameter to the captured metadata.
B. Configure VPC Traffic Mirroring. Set the traffic mirror source to the ALB elastic network interface. Set the traffic mirror target to Amazon S3 for analysis with Amazon Athena.
C. Configure VPC Traffic Mirroring. Set the traffic mirror source to the ALB elastic network interface. Set the traffic mirror target to an EC2 instance with packet capture software.
D. Configure VPC Flow Logs on the ALB elastic network interface. Send the flow logs to Amazon S3 in the same AWS Region for analysis by AWS Network Manager.
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection.
The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?
A. Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs.
B. Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network.
C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network.
D. Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.
A financial services company that has on-premises infrastructure has acquired a startup company that has an API that is deployed in the AWS Cloud. As part of the acquisition, the financial services company has deployed an AWS Direct Connect private VIF to establish IP connectivity between the on-premises data center and the AWS environment.
Initial IP connectivity testing and bidirectional DNS resolution testing are successful. However, when business users attempt to connect to the API, a network administrator discovers IP subnet overlap between the financial services company's existing network and the startup company's AWS deployment.
A network architect receives the following diagram that summarizes the situation:
What is the MOST operationally efficient solution to enable the connectivity?
A. Provision additional subnets with a non-overlapping IP range in the VPC. Deploy NAT gateways. Configure the virtual private gateway's next hop to be the NAT gateway. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the API servers.
B. Provision additional subnets with a non-overlapping IP range in the VPC. Deploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints in a target group that is associated with the NLB. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.
C. Provision additional subnets with a non-overlapping IP range in a new VPC. Deploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints as targets by IP address in a target group that is associated with the NLB. Peer the two VPCs together, and relocate the virtual private gateway into the new VPC. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.
D. Provision additional subnets with a non-overlapping IP range in the VPC. Deploy a Network Load Balancer (NLB) across the existing subnets. Configure the API endpoints in a target group that is associated with the NLB. Configure a VPC endpoint service that targets the newly created NLB, and deploy VPC endpoints into the new subnet. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the VPC endpoints.
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.
Which configuration change should a network engineer implement to resolve this issue?
A. Configure the NAT gateway timeout to allow connections for up to 600 seconds
B. Enable enhanced networking on the client EC2 instances
C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds
D. Close idle TCP connections through the NAT gateway
A company hosts several applications in the AWS Cloud across multiple VPCs that are connected to a transit gateway. Redundant AWS Direct Connect connections and a Direct Connect gateway provide private network connectivity to the company's on-premises environment.
During a maintenance window, the networking team adds eight VPCs. The application management team notices that there is no reachability between the newly created VPCs and the on-premises environment. Connectivity between all VPCs through the transit gateway is working as expected.
Which of the following are possible causes of the connectivity issues? (Choose two.)
A. The prefixes that are advertised from the Direct Connect gateway to the on-premises router are shorter than the CIDR blocks of the newly created VPCs
B. The route tables for the newly created VPCs do not have the routes to the on-premises environment that point to the transit gateway attachment
C. The on-premises route tables do not contain the exact CIDR blocks of the newly created VPCs
D. The route tables for the newly created VPCs have only summary routes for the on-premises environment that point to the transit gateway attachment
E. The prefixes that are advertised from the Direct Connect gateway to the on-premises router do not contain the CIDR blocks of the newly created VPCs
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Connectivity account: Create an attachment to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
A company uses an AWS Site-to-Site VPN to connect its corporate network. The company recently added an AWS Direct Connect connection. A network engineer wants all traffic to use the Direct Connect connection, and for the VPN to be used as backup. However, after the Direct Connect connection was added, traffic continued to pass through the VPN connection.
What should the network engineer do to route the traffic through the Direct Connect connection?
A. Add routes to the VPC route tables that specify the Direct Connect connection.
B. Set local preference BGP community tags on the on-premises router.
C. Advertise the same network routes over the Direct Connect connection and VPN connection.
D. Ensure the Direct Connect connection AS_PATH is longer than the VPN connection AS_PATH.