A company needs to transfer data between its VPC and its on-premises data center. The data must travel through a connection that has dedicated bandwidth. The data also must be encrypted in transit. The company has been working with an AWS Partner Network (APN) Partner to establish the connection. Which combination of steps will meet these requirements? (Choose three.)
A. Request a hosted connection from the APN Partner.
B. Request a hosted public VIF from the APN Partner.
C. Create an AWS Site-to-Site VPN connection.
D. Create an AWS Client VPN connection.
E. Create a private VIF.
F. Create a public VIF.
A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office. The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget. What should the network engineer do to meet these requirements MOST cost-effectively?
A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).
B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.
C. Deploy Amazon WorkSpaces into the application VPC. Instruct the remote employees to connect to WorkSpaces.
D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.
A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80. When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.
B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.
C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address range. Update the prefix list with the new IP address range when the company adds a new partner.
D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.
A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company's on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:
- Application VPCs must be isolated from each other.
- Bidirectional communication must be allowed between the application VPCs and the on-premises network.
- Bidirectional communication must be allowed between the application VPCs and the shared services VPC.
The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC. The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables. Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)
A. Configure a separate transit gateway route table for on premises. Associate the VPN attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
B. Configure a separate transit gateway route table for each application VPC. Associate each application VPC attachment with its respective transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
C. Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.
D. Configure a separate transit gateway route table for the shared services VPC. Associate the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
E. Configure a separate transit gateway route table for on premises and the shared services VPC. Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.
A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides an internal RESTful API service that can be reached by URL (https://api.example.internal). Two on-premises Windows DNS servers provide internal DNS resolution. The application on the EC2 instance needs to call the internal API service that is deployed in the on-premises environment. When the application on the EC2 instance attempts to call the internal API service by referring to the hostname that is assigned to the service, the call fails. When a network engineer tests the API service call from the same EC2 instance by using the API service's IP address, the call is successful. What should the network engineer do to resolve this issue and prevent the same problem from affecting other resources in the VPC?
A. Create a new DHCP options set that specifies the on-premises Windows DNS servers. Associate the new DHCP options set with the existing VPC. Reboot the Amazon Linux 2 EC2 instance.
B. Create an Amazon Route 53 Resolver rule. Associate the rule with the VPC. Configure the rule to forward DNS queries to the on-premises Windows DNS servers if the domain name matches example.internal.
C. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPC. Map the service domain name (api.example.internal) to the IP address of the internal API service.
D. Modify the local /etc/resolv.conf file in the Amazon Linux 2 EC2 instance in the VPC. Change the IP addresses of the name servers in the file to the IP addresses of the company's on-premises Windows DNS servers.
A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers. Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones. What should a network engineer do to meet these requirements?
A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.
C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.
A company has been using an outdated application layer protocol for communication among applications. The company decides not to use this protocol anymore and must migrate all applications to support a new protocol. The old protocol and the new protocol are TCP-based, but the protocols use different port numbers. After several months of work, the company has migrated dozens of applications that run on Amazon EC2 instances and in containers. The company believes that all the applications have been migrated, but the company wants to verify this belief. A network engineer needs to verify that no application is still using the old protocol. Which solution will meet these requirements without causing any downtime?
A. Use Amazon Inspector and its Network Reachability rules package. Wait until the analysis has finished running to find out which EC2 instances are still listening to the old port.
B. Enable Amazon GuardDuty. Use the graphical visualizations to filter for traffic that uses the port of the old protocol. Exclude all internet traffic to filter out occasions when the same port is used as an ephemeral port.
C. Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use Amazon Athena to query the data and to filter for the port number that is used by the old protocol.
D. Inspect all security groups that are assigned to the EC2 instances that host the applications. Remove the port of the old protocol if that port is in the list of allowed ports. Verify that the applications are operating properly after the port is removed from the security groups.
A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application. A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups. Which solution will meet these requirements?
A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer. Which architecture will meet these requirements MOST cost-effectively?
A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
A company's network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources. Which solution will meet these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.
D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.