A company wants to migrate its DNS registrar and DNS hosting to Amazon Route 53. The company website receives tens of thousands of visits each day, and the company's current DNS provider cannot keep up. The company wants to migrate as quickly as possible but cannot tolerate any downtime. Which solution will meet these requirements?
A. Transfer the domain name to Route 53. Create a Route 53 private hosted zone, and copy all the existing DNS records. Update the name servers on the domain to use the name servers that are specified in the newly created private hosted zone.
B. Copy all DNS records from the existing DNS servers to a Route 53 private hosted zone. Update the name servers with the existing registrar to use the private hosted zone name servers. Transfer the domain name to Route 53. Ensure that all the changes have propagated.
C. Transfer the domain name to Route 53. Create a Route 53 public hosted zone, and copy all the existing DNS records. Set the TTL value on each record to 1 second. Update the name servers on the domain to use the name servers that are specified in the newly created public hosted zone.
D. Copy all DNS records from the existing DNS servers to a Route 53 public hosted zone. Update the name servers with the existing registrar to use the Route 53 name servers for the hosted zone. When the changes have propagated, perform a domain name transfer to Route 53.
A company is establishing connectivity between its on-premises site and an existing VPC on AWS to meet a new security requirement. According to the new requirement, all public DNS queries must use an on-premises DNS security solution. The company's security team has allowed an exception for the AWS service endpoints because the company is using VPC endpoints to access AWS services. Which combination of steps should a network engineer take to configure the architecture to meet these requirements? (Choose three.)
A. Create a system rule for the domain name "." (dot) with a target IP address of the on-premises DNS security solution.
B. Create a new DHCP options set that provides the IP address of the on-premises DNS security solution. Update the VPC to use this new DHCP options set.
C. Create an Amazon Route 53 Resolver inbound endpoint. Associate this endpoint with the VPC.
D. Create an Amazon Route 53 Resolver outbound endpoint. Associate this endpoint with the VPC.
E. Create a system rule for the domain name amazonaws.com.
F. Create a forwarding rule for the domain name "." (dot) with a target IP address of the on-premises DNS security solution.
A network engineer is designing the DNS architecture for a new AWS environment. The environment must be able to resolve DNS names of endpoints on premises, and the on-premises systems must be able to resolve the names of AWS endpoints. The DNS architecture must give individual accounts the ability to manage subdomains. The network engineer needs to create a single set of rules that will work across multiple accounts to control this behavior. In addition, the network engineer must use AWS native services whenever possible. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
A. Create an Amazon Route 53 private hosted zone for the overall cloud domain. Plan to create subdomains that align to other AWS accounts that are associated with the central Route 53 private hosted zone.
B. Create AWS Directory Service for Microsoft Active Directory server endpoints in the central AWS account that hosts the private hosted zone for the overall cloud domain. Create a conditional forwarding rule in Microsoft Active Directory DNS to forward traffic to a DNS resolver endpoint on premises. Create another rule to forward traffic between subdomains to the VPC resolver.
C. Create Amazon Route 53 Resolver inbound and outbound endpoints in the central AWS account that hosts the private hosted zone for the overall cloud domain. Create a forwarding rule to forward traffic to a DNS resolver endpoint on premises. Create another rule to forward traffic between subdomains to the Resolver inbound endpoint.
D. Ensure that networking exists between the other accounts and the central account so that traffic can reach the AWS Directory Service for Microsoft Active Directory DNS endpoints.
E. Ensure that networking exists between the other accounts and the central account so that traffic can reach the Amazon Route 53 Resolver endpoints.
F. Share the Amazon Route 53 Resolver rules between accounts by using AWS Resource Access Manager (AWS RAM). Ensure that networking exists between the other accounts and the central account so that traffic can reach the Route 53 Resolver endpoints.
A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads. The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs. In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs, the development VPC, and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination. Which combination of steps should the network engineer take next to complete this solution? (Choose three.)
A. Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
B. Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.
C. Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
D. Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.
E. Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and development VPC attachment to the new route table.
F. Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.
A company uses Amazon Route 53 to host a public hosted zone for example.com. A network engineer recently reduced the TTL on several records to 60 seconds. The network engineer wants to assess whether the change has increased the number of queries to Route 53 beyond the expected levels that the company identified before the change. The network engineer must obtain the number of queries that have been made to the example.com public hosted zone. Which solution will provide this information?
A. Create a new trail in AWS CloudTrail to include Route 53 data events. Send logs to Amazon CloudWatch Logs. Set up a CloudWatch metric filter to count the number of queries and create graphs.
B. Use Amazon CloudWatch to access the AWS/Route 53 namespace and to check the DNSQueries metric for the public hosted zone.
C. Use Amazon CloudWatch to access the AWS/Route 53 Resolver namespace and to check the InboundQueryVolume metric for a specific endpoint.
D. Configure logging to Amazon CloudWatch for the public hosted zone. Set up a CloudWatch metric filter to count the number of queries and create graphs.
A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support. The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides. What should the network engineer do to troubleshoot and correct the issue?
A. Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
C. Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
D. Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
A company is growing rapidly. Data transfers between the company's on-premises systems and Amazon EC2 instances that run in VPCs are limited by the throughput of a single AWS Site-to-Site VPN connection between the company's on-premises data center firewall and an AWS Transit Gateway. A network engineer must resolve the throttling by designing a solution that is highly available and secure. The solution also must scale the VPN throughput from on premises to the VPC resources to support the increase in traffic. Which solution will meet these requirements?
A. Configure multiple dynamic BGP-based Site-to-Site VPN connections to the transit gateway. Configure equal-cost multi-path routing (ECMP).
B. Configure multiple static routing-based Site-to-Site VPN connections to the transit gateway. Configure equal-cost multi-path routing (ECMP).
C. Configure a new Site-to-Site VPN connection to the transit gateway. Enable acceleration for the Site-to-Site VPN connection.
D. Configure a software appliance-based VPN connection over the internet from the on-premises firewall to an EC2 instance that has a large instance size and networking capabilities.
A company is running an online game on AWS. The game is played globally and is gaining popularity. Users are reporting problems with the game's responsiveness. Replay rates are dropping, and the company is losing subscribers. Game servers are located in the us-west-2 Region and use an Elastic Load Balancer to distribute client traffic. The company has decided to deploy game servers to 11 additional AWS Regions to reduce the round-trip times of network traffic to game clients. A network engineer must design a DNS solution that uses Amazon Route 53 to ensure that user traffic is delivered to game servers with an optimal response time. What should the network engineer do to meet these requirements?
A. Create Route 53 records for the Elastic Load Balancers in each Region. Specify a weighted routing policy. Calculate the weight by using the number of clients in each Region.
B. Create Route 53 records for the Elastic Load Balancers in each Region. Specify a latency routing policy. Set the Region to the Region where the Elastic Load Balancer is deployed.
C. Create Route 53 records for the Elastic Load Balancers in each Region. Specify a multivalue answer routing policy. Test latency from the game client, and connect to the server with the best response.
D. Create Route 53 records for the Elastic Load Balancers in each Region. Specify a geolocation routing policy. Set the location to the Region where the Elastic Load Balancer is deployed.
A company recently implemented a security policy that prohibits developers from launching VPC network infrastructure. The policy states that any time a NAT gateway is launched in a VPC, the company's network security team must immediately receive an alert to terminate the NAT gateway. The network security team needs to implement a solution that can be deployed across AWS accounts with the least possible administrative overhead. The solution also must provide the network security team with a simple way to view compliance history. Which solution will meet these requirements?
A. Develop a script that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the script on an Amazon EC2 instance in each account. Use a cron job to run the script every 5 minutes. Log the results of the checks to an Amazon RDS for MySQL database.
B. Create an AWS Lambda function that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the Lambda function to each account by using AWS Serverless Application Model (AWS SAM) templates. Store the results of the checks on an Amazon OpenSearch Service cluster in each account.
C. Enable Amazon GuardDuty. Create an Amazon EventBridge rule for the Behavior:EC2/NATGatewayCreation GuardDuty finding type. Configure the rule to invoke an AWS Step Functions state machine to send an email alert and terminate a NAT gateway if a NAT gateway is detected. Store the runtime log as a text file in an Amazon S3 bucket.
D. Create a custom AWS Config rule that checks for NAT gateways in an AWS account. Configure the AWS Config rule to perform an AWS Systems Manager Automation remediation action to send an email alert and terminate the NAT gateway if a NAT gateway is detected. Deploy the AWS Config rule and the Systems Manager runbooks to each account by using AWS CloudFormation StackSets.
A company uses an AWS Direct Connect private VIF with a link aggregation group (LAG) that consists of two 10 Gbps connections. The company's security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company's network team plans to use MACsec support for Direct Connect to meet the new requirement. Which combination of steps should the network team take to implement this functionality? (Choose three.)
A. Create a new Direct Connect LAG with new circuits and ports that support MACsec.
B. Associate the MACsec Connectivity Association Key (CAK) and the Connection Key Name (CKN) with the new LAG.
C. Associate the Internet Key Exchange (IKE) with the existing LAG.
D. Configure the MACsec encryption mode on the existing LAG.
E. Configure the MACsec encryption mode on the new LAG.
F. Configure the MACsec encryption mode on each Direct Connect connection that makes up the existing LAG.