Amazon AWS Certified Advanced Networking - Specialty ANS-C01 Exam Practice Questions (P. 2)
Question #6
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
- A. Deploy the SaaS service endpoint behind a Network Load Balancer. (Most Voted)
- B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service. (Most Voted)
- C. Deploy the SaaS service endpoint behind an Application Load Balancer.
- D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
- E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.
Correct Answer: CD

Deploying the SaaS solution behind an Application Load Balancer (ALB) integrates well with AWS PrivateLink, which allows secure, private connections that can seamlessly manage traffic and distribute it efficiently across multiple targets such as EC2 instances. When traffic must be routed while avoiding IP address conflicts, configuring VPC peering and using NAT gateways becomes an ideal choice. This setup bypasses address overlap because it routes customer traffic to the SaaS provider through NAT, thereby separating the internal address spaces and improving network efficiency without revealing either party's internal IP layout.
Question #7
A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)
- A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
- B. Set up AWS WAF on all network components.
- C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
- D. Use AWS Direct Connect with MACsec support for connectivity to the cloud. (Most Voted)
- E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection. (Most Voted)
- F. Configure AWS Shield Advanced and ensure that it is configured on all public assets. (Most Voted)
Correct Answer: BDF

Excellent choice on selecting options B, D, and F. AWS WAF is key for protecting exposed network components from threats and common vulnerabilities effectively. Meanwhile, AWS Direct Connect with MACsec is exactly what you need for securely encrypting data in transit to and from the cloud. Lastly, configuring AWS Shield Advanced on all public assets accomplishes two critical goals: mitigating DDoS attacks and safeguarding against financial impacts during scaling from such attacks. These services combine flawlessly to meet the necessary security and compliance requirements for the healthcare company’s cloud architecture.
Question #8
A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)
- A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs. (Most Voted)
- B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
- C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
- D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs. (Most Voted)
- E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
Correct Answer: CD

To identify sources of increased traffic through a NAT gateway effectively, enabling VPC flow logs on the NAT gateway's elastic network interface is vital. After enabling, publishing these logs to CloudWatch Logs or Amazon S3 gives the flexibility to analyze the data using Amazon services such as CloudWatch Logs Insights or Athena. This approach offers a comprehensive and scalable method to scrutinize traffic patterns without needing packet-level inspection, which might be unnecessary for just understanding traffic flow and associated costs. This strategy caters well to high-level analysis and operational efficiency for a network engineer.
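The investigation described above comes down to aggregating the flow log records captured on the NAT gateway's elastic network interface by the originating private IP. The following script is an added example, not code from the page or from AWS; it parses default-format (version 2) VPC flow log lines and ranks internal sources by bytes sent out through the NAT gateway. The VPC CIDR, the NAT gateway's private IP, the ENI ID and the log lines are all constructed for the example. One detail worth knowing: on the NAT gateway's own ENI, each outbound flow is recorded twice, once with the instance's private IP as source and once with the NAT gateway's private IP as source on the leg toward the internet, so the second record has to be dropped or every source would be double-counted.

```python
"""
Rank internal sources of traffic leaving through a NAT gateway, using
VPC flow log records from the NAT gateway's elastic network interface.

Assumed layout (constructed for this example, not from the page):
  VPC CIDR 10.0.0.0/16, NAT gateway ENI eni-0abc12345 with private IP 10.0.1.250.
Field order is the default (version 2) VPC flow log format.
"""
import ipaddress
from collections import defaultdict

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")            # assumption
NAT_GW_PRIVATE_IP = ipaddress.ip_address("10.0.1.250")    # assumption

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records as they would appear on the NAT gateway's ENI.
# Outbound traffic shows up twice: with the instance's private IP as source,
# and again with the NAT gateway's private IP as source toward the internet.
SAMPLE_LOG = """\
2 123456789012 eni-0abc12345 10.0.2.15 203.0.113.10 49152 443 6 120 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.250 203.0.113.10 1024 443 6 120 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.2.15 198.51.100.7 49153 443 6 3000 4500000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.250 198.51.100.7 1025 443 6 3000 4500000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.3.40 203.0.113.10 49154 443 6 10 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.250 203.0.113.10 1026 443 6 10 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 203.0.113.10 10.0.1.250 443 1024 6 100 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.2.15 192.0.2.9 49155 22 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Split one default-format flow log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry "-" instead of a byte count.
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"].isdigit() else 0
    return rec


def _nat_egress_records(log_text):
    """Yield only the records that represent instance -> internet traffic via NAT."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        # Keep the leg that still carries the originating private IP; drop the
        # duplicate leg sourced from the NAT gateway itself and any return traffic.
        if src not in VPC_CIDR or src == NAT_GW_PRIVATE_IP:
            continue
        if dst in VPC_CIDR:          # intra-VPC flow, not NAT gateway egress
            continue
        yield rec


def egress_bytes_by_source(log_text):
    """Total bytes sent through the NAT gateway, keyed by internal source IP."""
    totals = defaultdict(int)
    for rec in _nat_egress_records(log_text):
        totals[rec["srcaddr"]] += rec["bytes"]
    return dict(totals)


def egress_bytes_by_destination(log_text):
    """Total bytes sent through the NAT gateway, keyed by external destination IP."""
    totals = defaultdict(int)
    for rec in _nat_egress_records(log_text):
        totals[rec["dstaddr"]] += rec["bytes"]
    return dict(totals)


def top_talkers(log_text, n=5):
    """Internal sources ranked by bytes sent, highest first."""
    by_src = egress_bytes_by_source(log_text)
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for ip, nbytes in top_talkers(SAMPLE_LOG):
        print(f"{ip:<16} {nbytes:>12} bytes")
    print("by destination:", egress_bytes_by_destination(SAMPLE_LOG))
```

The same aggregation in CloudWatch Logs Insights against a flow log group is `stats sum(bytes) as bytesSent by srcAddr | sort bytesSent desc`, with a filter on `interfaceId` for the NAT gateway's ENI; in Athena it is a `GROUP BY srcaddr` over the table created for the S3 prefix. Whichever tool is used, the NAT gateway's own private IP must be excluded from the source column for the per-instance totals to be correct.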
Question #9
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
- A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
- B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
- C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway. (Most Voted)
- D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
Correct Answer: B

Option C is indeed the correct choice due to the specific requirements of the scenario. For setups requiring IPv6 where inbound traffic needs to be blocked while allowing outbound, the egress-only Internet gateway is the optimal solution. It is designed specifically for outbound-only internet traffic with IPv6 in AWS environments, effectively blocking all inbound IPv6 connections but still allowing the servers to communicate outward as required. This satisfies the company's need for initiating all IPv6 connections without exposure to inbound communications from the IPv6 public internet.
Question #10
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
- A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
- B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs. (Most Voted)
- C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
- D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.
Correct Answer: B

When considering the optimal way to transfer AWS Network Firewall flow logs to an Amazon OpenSearch Service cluster expediently, utilizing an Amazon Kinesis Data Firehose delivery stream is especially suitable. This method directly integrates with OpenSearch Service, facilitating near-real-time data streaming. This ensures that logs are delivered swiftly and efficiently, meeting the requirement for the shortest delivery time.