A network engineer is designing a hybrid networking environment that will connect a company's corporate network to the company's AWS environment. The AWS environment consists of 30 VPCs in 3 AWS Regions. The network engineer needs to implement a solution to centrally filter traffic by using a firewall that the company's security team has approved. The solution must give all the VPCs the ability to connect to each other. Connectivity between AWS and the corporate network must meet a minimum bandwidth requirement of 2 Gbps. Which solution will meet these requirements?
A. Deploy an IPsec VPN connection between the corporate network and a new transit gateway. Connect all VPCs to the transit gateway. Associate the approved firewall with the transit gateway.
B. Deploy a single 10 Gbps AWS Direct Connect connection between the corporate network and the virtual private gateway of each VPC. Connect the virtual private gateways to a Direct Connect gateway. Build an IPsec tunnel to a new transit VPC. Deploy the approved firewall to the transit VPC.
C. Deploy two 1 Gbps AWS Direct Connect connections in different Direct Connect locations to connect to the corporate network. Build a transit VIF on each connection to a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway for each Region. Configure the VIFs to use equal-cost multipath (ECMP) routing. Connect all the VPCs in the three Regions to the transit gateway. Configure the transit gateway route table to route traffic to an inspection VPC. Deploy the approved firewall to the inspection VPC.
D. Deploy four 1 Gbps AWS Direct Connect connections in different Direct Connect locations to connect to the corporate network. Build a transit VIF on each connection to a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway for each Region. Connect the transit gateways by using a transit gateway peering attachment. Configure the VIFs to use equal-cost multipath (ECMP) routing. Configure transit gateway route tables to route traffic to an inspection VPC. Deploy the approved firewall to the inspection VPC.
A company has an AWS Site-to-Site VPN connection between its office and its VPC. Users report occasional failure of the connection to the application that is hosted inside the VPC. A network engineer discovers in the customer gateway logs that the Internet Key Exchange (IKE) session ends when the connection to the application fails. What should the network engineer do to bring up the IKE session if the IKE session goes down?
A. Set the dead peer detection (DPD) timeout action to Clear. Initiate traffic from the VPC to on premises.
B. Set the dead peer detection (DPD) timeout action to Restart. Initiate traffic from on premises to the VPC.
C. Set the dead peer detection (DPD) timeout action to None. Initiate traffic from the VPC to on premises.
D. Set the dead peer detection (DPD) timeout action to Cancel. Initiate traffic from on premises to the VPC.
A software-as-a-service (SaaS) company is migrating its private SaaS application to AWS. The company has hundreds of customers that connect to multiple data centers by using VPN tunnels. As the number of customers has grown, the company has experienced more difficulty in its effort to manage routing and segmentation of customers with complex NAT rules. After the migration to AWS is complete, the company's AWS customers must be able to access the SaaS application directly from their VPCs. Meanwhile, the company's on-premises customers still must be able to connect through IPsec encrypted tunnels. Which solution will meet these requirements?
A. Connect the AWS customer VPCs to a shared transit gateway. Use AWS Site-to-Site VPN connections to the transit gateway for the on-premises customers.
B. Use AWS PrivateLink to connect the AWS customers. Use a third-party routing appliance in the SaaS application VPC to terminate on-premises Site-to-Site VPN connections.
C. Peer each AWS customer's VPCs to the VPC that hosts the SaaS application. Create AWS Site-to-Site VPN connections on the SaaS VPC virtual private gateway.
D. Use Site-to-Site VPN tunnels to connect each AWS customer's VPCs to the VPC that hosts the SaaS application. Use AWS Site-to-Site VPN to connect the on-premises customers.
A company's existing AWS environment contains public application servers that run on Amazon EC2 instances. The application servers run in a VPC subnet. Each server is associated with an Elastic IP address. The company has a new requirement for firewall inspection of all traffic from the internet before the traffic reaches any EC2 instances. A security engineer has deployed and configured a Gateway Load Balancer (GLB) in a standalone VPC with a fleet of third-party firewalls. How should a network engineer update the environment to ensure that the traffic travels across the fleet of firewalls?
A. Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.
B. Update the application subnet route table to have a default route to the GLB. On the standalone VPC that contains the firewall fleet, add a route in the route table for the application VPC's CIDR block with the GLB endpoint as the destination. Update the EC2 instances' security group to allow traffic from the GLB.
C. Provision a GLB endpoint in the application VPC in a new subnet. Create a gateway route table with a route that specifies the application subnet CIDR block as the destination and the GLB endpoint as the target. Associate the gateway route table with the internet gateway in the application VPC. Update the application subnet route table's default route destination to be the GLB endpoint.
D. Instruct the security engineer to move the GLB into the application VPC. Create a gateway route table. Associate the gateway route table with the application subnet. Add a default route to the gateway route table with the GLB as its destination. Update the route table on the GLB to direct traffic from the internet gateway to the application servers. Ensure that the EC2 instances' security group allows traffic from the GLB.
A company runs an application on Amazon EC2 instances. A network engineer implements a NAT gateway in the application's VPC to replace self-managed NAT instances. After the network engineer shifts traffic from the self-managed NAT instances to the NAT gateway, users begin to report issues. During troubleshooting, the network engineer discovers that the connection to the application is closing after approximately 6 minutes of inactivity. What should the network engineer do to resolve this issue?
A. Check for increases in the IdleTimeoutCount Amazon CloudWatch metric for the NAT gateway. Configure TCP keepalive on the application EC2 instances.
B. Check for increases in the ErrorPortAllocation Amazon CloudWatch metric for the NAT gateway. Configure an HTTP timeout value on the application EC2 instances.
C. Check for increases in the PacketsDropCount Amazon CloudWatch metric for the NAT gateway. Configure an HTTPS timeout value on the application EC2 instances.
D. Check for decreases in the ActiveConnectionCount Amazon CloudWatch metric for the NAT gateway. Configure UDP keepalive on the application EC2 instances.
A company's network engineer is configuring an AWS Site-to-Site VPN connection between a transit gateway and the company's on-premises network. The Site-to-Site VPN connection is configured to use BGP over two tunnels in active/active mode with equal-cost multi-path (ECMP) routing activated on the transit gateway. When the network engineer attempts to send traffic from the on-premises network to an Amazon EC2 instance, traffic is sent over the first tunnel. However, return traffic is received over the second tunnel and is dropped at the customer gateway. The network engineer must resolve this issue without reducing the overall VPN bandwidth. Which solution will meet these requirements?
A. Configure the customer gateway to use AS PATH prepending and local preference to prefer one tunnel over the other.
B. Configure the Site-to-Site VPN options to set the first tunnel as the primary tunnel to eliminate asymmetric routing.
C. Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.
D. Configure the Site-to-Site VPN to use static routing in active/active mode to ensure that traffic flows over a preferred path.
A company's security guidelines state that all outbound traffic from a VPC to the company's on-premises data center must pass through a security appliance. The security appliance runs on an Amazon EC2 instance. A network engineer needs to improve the network performance between the on-premises data center and the security appliance. Which actions should the network engineer take to meet these requirements? (Choose two.)
A. Use an EC2 instance that supports enhanced networking.
B. Send outbound traffic through a transit gateway.
C. Increase the EC2 instance size.
D. Place the EC2 instance in a placement group within the VPC.
E. Attach multiple elastic network interfaces to the EC2 instance.
A company's application team is unable to launch new resources into its VPC. A network engineer discovers that the VPC has run out of usable IP addresses. The VPC CIDR block is 172.16.0.0/16. Which additional CIDR block can the network engineer attach to the VPC?
A. 172.17.0.0/29
B. 10.0.0.0/16
C. 172.17.0.0/16
D. 192.168.0.0/16
A financial trading company is using Amazon EC2 instances to run its trading platform. Part of the company's trading platform includes a third-party pricing service that the EC2 instances communicate with over UDP on port 50000. Recently, the company has had problems with the pricing service. Some of the responses from the pricing service appear to be incorrectly formatted and are not being processed successfully. The third-party vendor requests access to the data that the pricing service is returning. The third-party vendor wants to capture request and response data for debugging by logging in to an EC2 instance that accesses the pricing service. The company prohibits direct access to production systems and requires all log analysis to be performed in a dedicated monitoring account. Which set of steps should a network engineer take to capture the data and meet these requirements?
A. 1. Configure VPC flow logs to capture the data that flows in the VPC. 2. Send the data to an Amazon S3 bucket. 3. In the monitoring account, extract the data that flows to the EC2 instance's IP address and filter the traffic for the UDP data. 4. Provide the data to the third-party vendor.
B. 1. Configure a traffic mirror filter to capture the UDP data. 2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface. 3. Configure a packet inspection package on a new EC2 instance in the production environment. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror. 4. Extract the data by using the packet inspection package. 5. Provide the data to the third-party vendor.
C. 1. Configure a traffic mirror filter to capture the UDP data. 2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface. 3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror. 4. Extract the data by using the packet inspection package. 5. Provide the data to the third-party vendor.
D. 1. Create a new Amazon Elastic Block Store (Amazon EBS) volume. Attach the EBS volume to the EC2 instance. 2. Log in to the EC2 instance in the production environment. Run the tcpdump command to capture the UDP data on the EBS volume. 3. Export the data from the EBS volume to Amazon S3. 4. Provide the data to the third-party vendor.
A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue. What should the network engineer do to meet this requirement?
A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.