A company that provides a RESTful API is designing a network architecture for deployment to the AWS Cloud. The company needs a scalable design that is cost-optimized and secure. The company is conducting pre-release testing with some of its customers, but the company expects to expand to several hundred customers when the final version is released.
The data that is exchanged through the API is confidential. All data must be exchanged on private IP addresses that are not accessible through the internet. All customers who use the API operate on AWS in VPCs.
What should the company do with its architecture to meet these requirements?
A. Use a Network Load Balancer (NLB) as the front end to the API. Use a transit VPC with VPC peering to each customer's VPC.
B. Use AWS PrivateLink endpoints in customer VPCs as the front end for an AWS Fargate containers deployment with auto scaling enabled.
C. Use an Amazon API Gateway API with a regional API endpoint as the front end for all API interactions that invoke AWS Lambda functions.
D. Use an Amazon API Gateway API with an edge-optimized API endpoint as the front end for all API interactions that invoke AWS Lambda functions.
A company has 20 AWS accounts and has hundreds of VPCs within those accounts. Each account has several security groups. Most of the security groups share a common set of CIDR range rules.
The company wants to simplify the management of these CIDR ranges that the security groups use. The company's network team does not have full access to all the accounts. The common CIDR ranges are 10.10.0.0/16, 10.8.0.0/16, and 192.168.128.0/24.
Which solution should a network engineer recommend to meet these requirements?
A. Use AWS CloudFormation and AWS CloudFormation StackSets to configure all the accounts and VPCs with the same security groups.
B. Use a CLI and a shell script to configure all the accounts and VPCs with the same security groups.
C. Use AWS CloudFormation to configure a VPC prefix list, and share the prefix list with all the accounts in AWS Resource Access Manager.
D. Use a CLI and a shell script to configure all the accounts and VPCs with the same network ACLs.
A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB).
The company recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?
A. Configure the ALB to store logs in an Amazon S3 bucket. Download the files from Amazon S3, and use a spreadsheet application to analyze the logs.
B. Configure the ALB to push logs to Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics to analyze the logs.
C. Configure Amazon Kinesis Data Streams to stream data from the ALB to Amazon Elasticsearch Service (Amazon ES). Use search operations in Amazon ES to analyze the data.
D. Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.
A company has a public domain, company.com, that is hosted by a DNS provider. The company creates a public hosted zone, cloud.company.com, in Amazon Route 53. The company wants to keep all public AWS application DNS records under this hosted zone.
The company recently deployed its first public application behind an Elastic Load Balancer in its AWS environment. The domain name app1.cloud.company.com needs to access the application.
Which solution will meet these requirements?
A. On the DNS provider, create A records for cloud under company.com. Point these records to Route 53 name server IP addresses of the public hosted zone. In Route 53, create an ALIAS (A) record for app1 under cloud.company.com. Point this record to the Elastic Load Balancer.
B. On the DNS provider, create a subdomain for cloud under company.com. Create a CNAME record for app1 under cloud.company.com. Point this record to the Elastic Load Balancer public DNS name. In Route 53, create NS records for cloud.company.com. Point these records to the DNS provider name servers.
C. On the DNS provider, create NS records for cloud under company.com. Point these records to Route 53 name servers of the public hosted zone. In Route 53, create an ALIAS (A) record for app1 under cloud.company.com. Point this record to the Elastic Load Balancer.
D. On the DNS provider, create a subdomain for cloud under company.com. Create a CNAME record for app1 under cloud.company.com. Point this record to the Elastic Load Balancer public DNS name. In Route 53, create A records for cloud.company.com. Point these records to the DNS provider name servers.
A company uses multiple AWS accounts within AWS Organizations and has services deployed in a single AWS Region. The instances in a private subnet occasionally download patches from the internet through a NAT gateway. The company recently migrated from VPC peering to AWS Transit Gateway. The cumulative traffic through deployed NAT gateways is less than 1 Gbps. The NAT gateway hourly charge contributes to most of the NAT gateway costs across all linked accounts.
What should the company do to reduce NAT gateway hourly costs?
A. Deploy and use NAT gateways in the same Availability Zone as the heavy-traffic resources.
B. Move to a centralized NAT gateway architecture with NAT gateways deployed in an egress VPC. Use VPC peering to send traffic through the centralized NAT gateways.
C. Use VPC endpoints to send traffic to AWS services in the same Region.
D. Move to a centralized NAT gateway architecture with NAT gateways deployed in an egress VPC. Use AWS Transit Gateway to send traffic through the centralized NAT gateways.
A company requires connectivity between two workloads that are located in separate VPCs: VPC A and VPC B. The VPCs are located in the same AWS Region. A network engineer has configured a VPC peering relationship between the VPCs.
The network engineer is testing for connectivity by using the ping command from an Amazon EC2 instance in VPC A with address 10.1.1.1 to another EC2 instance in VPC B with address 10.2.2.2. The pings are timing out.
Which combination of steps should the network engineer take to troubleshoot the problem? (Choose three.)
A. Ensure that the security group rules allow ICMP traffic from the source EC2 instance to the target EC2 instance.
B. Ensure that the security group rules allow the flow of UDP traffic from the source EC2 instance to the target EC2 instance.
C. Ensure that the network ACL rules allow ICMP traffic between the source EC2 instance and the target EC2 instance.
D. Ensure that the security group rules allow the flow of TCP traffic from the source EC2 instance to the target EC2 instance.
E. Verify that routes have been added to the respective VPC route tables to forward traffic that is destined for the other VPC through the peering connection.
F. Configure the VPC peering settings to activate bidirectional traffic support.
A company runs a large-scale application on a fleet of Amazon EC2 instances that are distributed across several VPCs. A Network Load Balancer (NLB) in a separate VPC routes traffic to the EC2 instances. The NLB's VPC is peered to all the application VPCs.
The application must process millions of requests each minute during times of peak utilization. Users are reporting that the connections to the application are failing during peak times. Monitoring shows an increase in port allocation errors on the NLB.
Which action will solve this issue with the LEAST change to the architecture?
A. Increase the number of EC2 instances in the target group.
B. Create an Application Load Balancer for the target group.
C. Add a new target group to the same NLB listener.
D. Change the target group type to "instance."
A company wants to migrate a proprietary application from on premises to the AWS Cloud. The application implements segregation of different types of network traffic.
The application uses services that listen to multiple ports on two different IP addresses. One IP address is used for customer-facing traffic, and the other IP address is used for management traffic. The application requires the IP addresses to belong to different subnets.
How can the company deploy the application with the LEAST management overhead?
A. Deploy the application to Amazon Elastic Container Service (Amazon ECS). Configure two elastic network interfaces in the task definition.
B. Deploy the application to Amazon Elastic Container Service (Amazon ECS). Create an AWS Lambda function to attach a second elastic network interface. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the function.
C. Deploy the application to an Amazon EC2 instance that has a secondary elastic network interface attached. Select different subnets for each network interface.
D. Deploy the application to Amazon Elastic Container Service (Amazon ECS). Create an AWS Lambda function to attach a second elastic network interface. Use an AWS Step Functions workflow to invoke the function.
A company runs its applications on Amazon EC2 instances. A network engineer must deny specific ports for all applications and must allow only approved ports for each application. All outbound traffic from the instances must be allowed.
Which solution will meet these requirements?
A. Create a network ACL for each application to allow the application's approved ports. Associate the network ACL with the appropriate instances. Create a security group that denies the required specific ports. Associate the security group with the appropriate subnets.
B. Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports. Associate the network ACL with the appropriate subnets.
C. Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports inbound and denies all ports outbound. Associate the network ACL with the appropriate subnets.
D. Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create an additional security group that denies the required specific ports. Associate the additional security group with the appropriate instances.
A global film production company uses the AWS Cloud to encode and store its video content before distribution. The company's three global offices are connected to the us-east-1 Region through AWS Site-to-Site VPN links that terminate on a transit gateway with BGP routing activated.
The company recently started to produce content at a higher resolution to support 8K streaming. The size of the content files has increased to three times the size of the content files from the previous format. Uploads of files to Amazon EC2 instances are taking 10 times longer than they did with the previous format.
Which actions should a network engineer recommend to reduce the upload times? (Choose two.)
A. Create a second VPN tunnel from each office location to the transit gateway. Activate equal-cost multi-path (ECMP) routing.
B. Modify the transit gateway to activate Jumbo MTU on the VPN tunnels to each office location.
C. Replace the existing VPN tunnels with new tunnels that have acceleration activated.
D. Upgrade each EC2 instance to a modern instance type. Activate Jumbo MTU in the operating system.
E. Replace the existing VPN tunnels with new tunnels that have IGMP activated.
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Amazon exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your ANS-C00 exam preparation and Amazon certification application, do not hesitate to visit Vcedump.com to find your solutions.