A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group.
The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application.
Which combination of steps should a network engineer take to meet these requirements? (Choose two.)
A. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
B. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
C. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.
D. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.
E. Forward all requests to the web application target group. Edit the web application target group and disable stickiness.
A. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
E. Forward all requests to the web application target group. Edit the web application target group and disable stickiness.
A to forward people to management with stickiness; E to forward people to the web application without stickiness.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html
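The routing logic behind answers A and E, as an added example that is not part of the original page and not AWS code: listener rules are evaluated in priority order, every condition in a rule must match (path-pattern AND source-ip), and a request that matches no rule falls through to the default action. The rule priority, the target-group names tg-management and tg-web, the on-premises range 203.0.113.0/24 (a documentation prefix) and the sample requests are constructed for illustration.

```python
"""Added example, not from the original page or AWS's own code.

Models how the ALB listener in answer A + E routes a request: rules are
evaluated in priority order, every condition in a rule must match (here
path-pattern AND source-ip), and a request matching no rule falls through to
the default action. Rule priority, target-group names, the on-premises range
(203.0.113.0/24, a documentation prefix) and the sample requests are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    priority: int
    target_group: str
    path_patterns: list = field(default_factory=list)  # path-pattern condition values
    source_ips: list = field(default_factory=list)     # source-ip condition values (CIDRs)


def _pattern_to_regex(pattern: str):
    # ALB path patterns are case-sensitive; '*' matches zero or more characters
    # and '?' exactly one. Nothing else is special.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def path_matches(path: str, patterns: list) -> bool:
    return any(_pattern_to_regex(p).match(path) for p in patterns)


def source_ip_matches(client_ip: str, cidrs: list) -> bool:
    # The source-ip condition is evaluated on the TCP connection's source
    # address. X-Forwarded-For is never consulted, so a client cannot spoof it.
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def rule_matches(rule: Rule, client_ip: str, path: str) -> bool:
    # A condition type absent from the rule imposes no restriction;
    # every condition type present must match.
    if rule.path_patterns and not path_matches(path, rule.path_patterns):
        return False
    if rule.source_ips and not source_ip_matches(client_ip, rule.source_ips):
        return False
    return True


def route(rules: list, default_target_group: str, client_ip: str, path: str,
          headers=None) -> str:
    """Return the target group the listener forwards the request to.

    `headers` is accepted only to make the point explicit: nothing in it,
    X-Forwarded-For included, takes part in the decision.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, client_ip, path):
            return rule.target_group
    return default_target_group


# Constructed listener configuration for answer A + E.
ONPREM_CIDRS = ["203.0.113.0/24"]
MANAGEMENT_RULE = Rule(priority=10, target_group="tg-management",
                       path_patterns=["/management", "/management/*"],
                       source_ips=ONPREM_CIDRS)
LISTENER_RULES = [MANAGEMENT_RULE]
DEFAULT_TARGET_GROUP = "tg-web"  # default action from answer E


if __name__ == "__main__":
    for ip, path in [("203.0.113.7", "/management/users"),
                     ("198.51.100.9", "/management/users"),
                     ("203.0.113.7", "/index.html")]:
        print(ip, path, "->", route(LISTENER_RULES, DEFAULT_TARGET_GROUP, ip, path))
```

Two points the model makes visible. A request for /management from outside the on-premises range is not rejected; it simply fails the rule and falls through to the default action, which in answer E forwards everything to the web application target group, so the web application must not itself serve anything under /management. And a forged X-Forwarded-For header changes nothing, which is why option C's header check is the wrong condition type.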
Question 162:
A company has multiple firewalls and ISPs for its on-premises data center. The company has a single AWS Site-to-Site VPN connection from the company's on-premises data center to a transit gateway. A single ISP services the Site-to-Site VPN connection. Multiple VPCs are attached to the transit gateway.
A customer gateway that the Site-to-Site VPN connection uses fails. Connectivity is completely lost, but the company's network team does not receive a notification. The network team needs to implement redundancy within a week in case a single customer gateway fails again. The team wants to use an Amazon CloudWatch alarm to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic if any tunnel of the Site-to-Site VPN connection fails.
Which solution will meet these requirements MOST cost-effectively?
A. Replace the existing customer gateway with a new router. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of 0 for the alarm.
B. Use a second customer gateway and a second ISP. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of less than 1 for the alarm.
C. Add an AWS Direct Connect connection to the existing Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of failed for the alarm.
D. Use a second customer gateway with the existing ISP. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of unavailable for the alarm.
B. Use a second customer gateway and a second ISP. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of less than 1 for the alarm.
Question 163:
Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service.
Which firewall rule should you request to be added to your instances to allow instance metadata access?
A. Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254
B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443
C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/
The metadata service is only reachable from the instance itself and speaks plain HTTP, so the rule is outbound to the link-local address on TCP port 80. The IMDSv2 token request uses the same address and port, so the same rule covers it.
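The exchange that the outbound TCP/80 rule has to permit, as an added example that is not part of the original page and not AWS code: a client performing the IMDSv2 flow (PUT for a session token, then GET with the token header) against the metadata endpoint. Because 169.254.169.254 only exists inside an instance, ImdsStub is a constructed stand-in bound to 127.0.0.1 that issues tokens and refuses token-less requests; the token TTL, the instance ID and the directory listing it serves are made up for illustration.

```python
"""Added example, not from the original page or AWS's own code.

Client side: the IMDSv2 exchange over plain HTTP on TCP/80 (PUT for a session
token, then GET with the token header). Server side: ImdsStub, a constructed
stand-in for 169.254.169.254 bound to 127.0.0.1 so the flow runs offline. The
token TTL, instance ID and listing below are made up for illustration.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_HOST = "169.254.169.254"  # real link-local endpoint, plain HTTP on TCP/80
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


class ImdsStub(BaseHTTPRequestHandler):
    """Minimal stand-in for the metadata service (constructed for this example)."""
    issued_tokens = set()
    metadata = {  # constructed sample content
        "/latest/meta-data/": "instance-id\nlocal-ipv4\n",
        "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    }

    def do_PUT(self):
        # IMDSv2 step 1: a PUT with a TTL header yields a session token.
        if self.path != TOKEN_PATH or TTL_HEADER not in self.headers:
            self.send_error(400)
            return
        token = secrets.token_urlsafe(32)
        type(self).issued_tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        # IMDSv2 step 2: metadata is served only with a valid token header.
        if self.headers.get(TOKEN_HEADER) not in type(self).issued_tokens:
            self.send_error(401)
            return
        body = self.metadata.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self._reply(200, body)

    def _reply(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub(host="127.0.0.1", port=0):
    """Run ImdsStub on a background thread; returns (server, bound port)."""
    server = HTTPServer((host, port), ImdsStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _request(method, path, headers, host, port, timeout=2.0):
    # One outbound TCP connection to host:port per request, as the firewall sees it.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def fetch_metadata_v1(path, host=IMDS_HOST, port=80):
    """Token-less GET, i.e. an IMDSv1-style request. Returns (status, body)."""
    return _request("GET", path, {}, host, port)


def fetch_metadata_v2(path, host=IMDS_HOST, port=80, ttl=21600):
    """IMDSv2: obtain a session token, then GET the metadata path with it."""
    status, token = _request("PUT", TOKEN_PATH, {TTL_HEADER: str(ttl)}, host, port)
    if status != 200:
        raise RuntimeError(f"token request refused: HTTP {status}")
    status, body = _request("GET", path, {TOKEN_HEADER: token}, host, port)
    if status != 200:
        raise RuntimeError(f"metadata request refused: HTTP {status}")
    return body


if __name__ == "__main__":
    _, p = start_stub()
    print(fetch_metadata_v2("/latest/meta-data/instance-id", host="127.0.0.1", port=p))
```

On a real instance, call fetch_metadata_v2 with the defaults (169.254.169.254, port 80); both the PUT and the GET are ordinary outbound TCP connections to that address and port, which is exactly what the rule in answer C allows and what the port-443 rule in option D would not.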
Question 164:
A company uses Amazon Route 53 for its DNS needs. The company's security team wants to update the DNS infrastructure to provide the most recent security posture.
The security team has configured DNS Security Extensions (DNSSEC) for the domain. The security team wants a network engineer to explain who is responsible for the rotation of DNSSEC keys.
Which explanation should the network administrator provide to the security team?
A. AWS rotates the zone-signing key (ZSK). The company rotates the key-signing key (KSK).
B. The company rotates the zone-signing key (ZSK) and the key-signing key (KSK).
C. AWS rotates the AWS Key Management Service (AWS KMS) key and the key-signing key (KSK).
D. The company rotates the AWS Key Management Service (AWS KMS) key. AWS rotates the key-signing key (KSK).
A. AWS rotates the zone-signing key (ZSK). The company rotates the key-signing key (KSK).
Question 165:
A company is building a new workload on AWS that uses an Application Load Balancer (ALB). The company has configured a new ALB target group that uses slow start mode. A team begins registering Amazon EC2 instances as targets in the new target group. During testing, the team observes that the targets did not enter slow start mode.
What caused the targets to not enter slow start mode?
A. The ALB configuration uses the round robin routing algorithm for traffic.
B. The target group did not contain at least one healthy target configured in slow start mode.
C. The target group must contain EC2 instances that are all the same instance type.
D. The ALB configuration uses the 5-tuple criteria for traffic.
B. The target group did not contain at least one healthy target configured in slow start mode.
Question 166:
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A.
  1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
  2. In the Connectivity account: Accept the resource.
  3. In the Connectivity account: Create an attachment to the VPC subnets.
  4. In the Production account: Accept the attachment. Associate a route table with the attachment.
B.
  1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
  2. In the Connectivity account: Accept the resource.
  3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
C.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
  4. In the Production account: Accept the attachment. Associate a route table with the attachment.
D.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Production account: Create an attachment to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
D.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Production account: Create an attachment to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
D is correct: the first step is to share the TGW from the Connectivity account to the Production account, making all the other options incorrect.
Question 167:
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?
A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
D. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.
A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
ALB does support HTTP/2 and gRPC workloads. However, the question states that the company needs to use mutual TLS for mutual authentication between the client and the backend. This means that traffic cannot be decrypted between the client and the service backend. Since the ALB will terminate the TLS connection and decrypt the traffic, it does not meet the requirements in the question. In contrast, NLB can forward TCP traffic without decrypting it, so it is more suitable for meeting the needs described in the question.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-mutual-tls-authentication-for-applications-running-on-amazon-eks.html
Question 168:
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection. https://docs.aws.amazon.com/directconnect/latest/UserGuide/dedicated_connection.html "You cannot change the port speed after you create the connection request. To change the port speed, you must create and configure a new connection."
Question 169:
A company has two AWS Direct Connect links. One Direct Connect link terminates in the us-east-1 Region, and the other Direct Connect link terminates in the af-south-1 Region. The company is using BGP to exchange routes with AWS.
How should a network engineer configure BGP to ensure that af-south-1 is used as a secondary link to AWS?
A.
  - On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7100
  - On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7300
  - On the Direct Connect BGP peer to us-east-1, set the local preference value to 200
  - On the Direct Connect BGP peer to af-south-1, set the local preference value to 50
B.
  - On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300
  - On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100
  - On the Direct Connect BGP peer to us-east-1, set the local preference value to 200
  - On the Direct Connect BGP peer to af-south-1, set the local preference value to 50
C.
  - On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7100
  - On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7300
  - On the Direct Connect BGP peer to us-east-1, set the local preference value to 50
  - On the Direct Connect BGP peer to af-south-1, set the local preference value to 200
D.
  - On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300
  - On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100
  - On the Direct Connect BGP peer to us-east-1, set the local preference value to 50
  - On the Direct Connect BGP peer to af-south-1, set the local preference value to 200
B.
  - On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300
  - On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100
  - On the Direct Connect BGP peer to us-east-1, set the local preference value to 200
  - On the Direct Connect BGP peer to af-south-1, set the local preference value to 50
The higher the LOCAL_PREF value, the more preferred the route is, so the local preference on the on-premises side makes us-east-1 the preferred path for traffic toward AWS. The community tags do the same job in the other direction: 7224:7300 tells AWS to treat the advertised prefixes on that link as high preference and 7224:7100 as low preference, so traffic from AWS also prefers us-east-1 and only falls back to af-south-1 when the primary link is down.
Question 170:
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?
A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.
B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.
C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.
C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions.html
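A Lambda@Edge viewer-request handler of the kind answer C describes, as an added example that is not part of the original page and not AWS code. It pulls the customer token from a GET (Authorization header) or a POST (form body), verifies it, and either rejects the request at the edge or forwards it with a trusted marker header for the web application. The token format (customer ID plus an HMAC-SHA256 tag), SECRET_KEY, the header name X-Auth-Customer and the sample event built by make_event are assumptions for illustration; reading the body requires the CloudFront trigger to be configured with includeBody, and the marker header is only trustworthy if the ALB accepts traffic solely from CloudFront, otherwise anyone reaching the ALB directly could set it themselves.

```python
"""Added example, not from the original page or AWS's own code.

A Python Lambda@Edge viewer-request handler: verify the customer token carried
in the request, then either return a 401 from the edge or forward the request
to the origin with a marker header the web application can trust. The token
format, SECRET_KEY, the header name and make_event's sample event are
assumptions constructed for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET_KEY = b"example-only-not-a-real-secret"  # assumption: loaded from a secrets store in practice
MARKER_HEADER = "x-auth-customer"                 # assumption: header name the web app trusts


def issue_token(customer_id: str) -> str:
    """Constructed token format: '<customer_id>.<hex HMAC-SHA256(secret, customer_id)>'."""
    mac = hmac.new(SECRET_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return f"{customer_id}.{mac}"


def verify_token(token: str):
    """Return the customer ID when the token's MAC checks out, else None."""
    customer_id, sep, mac = token.rpartition(".")
    if not sep or not customer_id:
        return None
    expected = hmac.new(SECRET_KEY, customer_id.encode(), hashlib.sha256).hexdigest()
    return customer_id if hmac.compare_digest(mac, expected) else None


def _extract_token(request: dict):
    # GET: bearer token in the Authorization header (CloudFront lower-cases header names).
    auth = request.get("headers", {}).get("authorization", [])
    if auth and auth[0].get("value", "").lower().startswith("bearer "):
        return auth[0]["value"][7:].strip()
    # POST: 'token' form field in the base64-encoded body CloudFront passes with includeBody.
    body = request.get("body", {})
    if body.get("data") and body.get("encoding") == "base64":
        fields = parse_qs(base64.b64decode(body["data"]).decode())
        return fields.get("token", [None])[0]
    return None


def lambda_handler(event, context=None):
    """Viewer-request trigger: forward authenticated requests, reject the rest at the edge."""
    request = event["Records"][0]["cf"]["request"]
    headers = request.setdefault("headers", {})
    headers.pop(MARKER_HEADER, None)  # never trust a client-supplied copy of the marker

    token = _extract_token(request)
    customer_id = verify_token(token) if token else None
    if customer_id is None:
        # Returning a response object generates it at the edge; the origin is never contacted.
        return {"status": "401", "statusDescription": "Unauthorized",
                "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
                "body": "authentication required"}

    headers[MARKER_HEADER] = [{"key": "X-Auth-Customer", "value": customer_id}]
    return request  # returning the request forwards it to the origin


def make_event(method, authorization=None, body_fields=None, extra_headers=None):
    """Build a constructed CloudFront viewer-request event for local testing."""
    headers = {k: [{"key": k, "value": v}] for k, v in (extra_headers or {}).items()}
    if authorization:
        headers["authorization"] = [{"key": "Authorization", "value": authorization}]
    request = {"method": method, "uri": "/", "headers": headers}
    if body_fields is not None:
        raw = urlencode(body_fields).encode()
        request["body"] = {"inputTruncated": False, "action": "read-only",
                           "encoding": "base64", "data": base64.b64encode(raw).decode()}
    return {"Records": [{"cf": {"request": request}}]}


if __name__ == "__main__":
    good = make_event("GET", authorization="Bearer " + issue_token("cust-42"))
    print(lambda_handler(good)["headers"][MARKER_HEADER])
    print(lambda_handler(make_event("GET"))["status"])
```

Stripping any incoming X-Auth-Customer before deciding is the step that makes the header meaningful to the origin; without it a client could skip authentication by sending the header itself.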
Source: Vcedump.com, Amazon ANS-C01 exam questions, answers and explanations.