Amazon ANS-C01 Online Practice Questions and Exam Preparation

Amazon ANS-C01 Online Questions & Answers

• Question 81:

  A company has critical VPC workloads that connect to an on-premises data center through two redundant active-passive AWS Direct Connect connections. However, a recent outage on one Direct Connect connection revealed that it takes more than a minute for traffic to fail over to the secondary Direct Connect connection. The company wants to reduce the failover time from minutes to seconds.

  Which solution will provide the LARGEST reduction in the BGP failover time?

  A. Reduce the BGP hold-down timer that is configured on the BGP sessions on the Direct Connect connection VIFs.
  B. Configure an Amazon CloudWatch alarm for the Direct Connect connection state to invoke an AWS Lambda function to fail over thetraffic.
  C. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the AWS side.
  D. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the on-premises router.
  D. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the on-premises router.

  ---

  Asynchronous BFD is automatically turned on for all AWS Direct Connect interfaces on the AWS side. You can't configure BFD settings on the AWS side. When creating a BFD session, the BFD protocol always selects the longer and slower timer.

• Question 82:

  A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and fromthe on-premises environment must be encrypted in transit. All traffic also must be inspected in the

  cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.

  The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide

  protection against financial liability for services that scale out during a DDoS event.

  Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

  A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
  B. Set up AWS WAF on all network components.
  C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
  D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
  E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
  F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.
  D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
  E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
  F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

  ---

  D https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html E https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/introduction.html F https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary.html

• Question 83:

  A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic.

  Which solution will meet these requirements?

  A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
  B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an AutoScaling group. Use Traffic Mirroring only during non-business hours.
  C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scalinggroup. Use Traffic Mirroring as necessary.
  D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.
  A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.

  ---

  https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-targets.html

• Question 84:

  A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses

  Amazon CloudWatch metrics for monitoring.

  Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB.

  What should the network engineer do next to determine which errors the ALB is receiving?

  A. Send the logs to Amazon CloudWatch Logs. Review the ALB logs in CloudWatch Insights to determine which error messages the ALB is receiving.
  B. Configure the Amazon S3 bucket destination. Use Amazon Athena to determine which error messages the ALB is receiving.
  C. Configure the Amazon S3 bucket destination. After Amazon CloudWatch Logs pulls the ALB logs from the S3 bucket automatically,review the logs in CloudWatch Logs to determine which error messages the ALB is receiving.
  D. Send the logs to Amazon CloudWatch Logs. Use the Amazon Athena CloudWatch Connector to determine which error messages the ALB is receiving.
  B. Configure the Amazon S3 bucket destination. Use Amazon Athena to determine which error messages the ALB is receiving.

  ---

  Access logs is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logs for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logs at any time. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

• Question 85:

  A global company is establishing network connections between the company's primary and secondary data centers and a VPC. A network engineer needs to maximize resiliency and fault tolerance for the connections. The network bandwidth must be greater than 10 Gbps.

  Which solution will meet these requirements MOST cost-effectively?

  A. Set up a 100 Gbps connection at the primary data center that terminates at an AWS Direct Connect location. Set up a second 100 Gbps connection at the secondary data center that terminates at a second Direct Connect location. Ensure the connections aremanaged by separate providers.
  B. Set up a 10 Gbps connection at the primary data center that terminates at an AWS Direct Connect location. Set up a second 10 Gbps connection at the secondary data center that terminates at a second Direct Connect location. Ensure the connections are managed by separate providers.
  C. Set up two 10 Gbps connections at the primary data center that terminate at one AWS Direct Connect location. Ensure the connections are managed by separate providers. Set up two 10 Gbps connections at the secondary data center that terminate at a second Direct Connect location. Ensure the connections are managed by separate providers.
  D. Set up a 10 Gbps connection at the primary data center that terminates at an AWS Direct Connect location. Set up an AWS Site-to-Site VPN connection at the secondary data center that terminates at a virtual private gateway in the same Region as the company's VPC.
  C. Set up two 10 Gbps connections at the primary data center that terminate at one AWS Direct Connect location. Ensure the connections are managed by separate providers. Set up two 10 Gbps connections at the secondary data center that terminate at a second Direct Connect location. Ensure the connections are managed by separate providers.

• Question 86:

  A company has VPCs across 50 AWS accounts and is using AWS Organizations. The company wants to implement web filtering. The requirements for how the traffic must be filtered are the same for all the VPCs. A network engineer plans to use AWS Network Firewall. The network engineer needs to implement a solution that minimizes the number of firewall policies and rule groups that are necessary for this web filtering.

  Which combination of steps will meet these requirements? (Choose three.)

  A. Create a firewall policy or rule group in each account.
  B. Use SCPs to share the firewall policy or rule group.
  C. Create a firewall policy or rule group in the management account
  D. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
  E. Enable sharing within Organizations.
  F. Create OUs to share the firewall policy or rule group.
  C. Create a firewall policy or rule group in the management account
  D. Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
  E. Enable sharing within Organizations.

• Question 87:

  A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment has a transit gateway that is deployed to a central network services

  account. The central network services account has been shared with an organization in AWS Organizations through AWS Resource Access Manager (AWS RAM).

  A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization.

  The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a VPC for application workloads to each new and existing member account.

  The VPCs must be connected to the transit gateway in the central network services account.

  Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)

  A. Deploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts to provision the necessary network infrastructure.
  B. Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
  C. Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
  D. Deploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.
  E. Create an AWSControlTowerBiueprintAccess role in the shared services account. Create an AWSControlTowerBiueprintAccess role in each member account.
  B. Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
  C. Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
  E. Create an AWSControlTowerBiueprintAccess role in the shared services account. Create an AWSControlTowerBiueprintAccess role in each member account.

• Question 88:

  An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the Remote (receiving) account are already in place.

  The template below creates the VPC peering connection in the Originating account. It contains these components:

  

  Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Choose two.)

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  E. Option E
  C. Option C
  E. Option E

  ---

  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html

• Question 89:

  A company has started using AWS Cloud WAN with one edge location in the us-east-1 Region. The company has a production segment and a security segment in AWS Cloud WAN. The company also has a default core network policy.

  The company has created a production VPC for the production workload. The company has created an outbound inspection VPC to inspect internet-bound traffic from the production VPC. The company has attached the production VPC to the production segment and has attached the outbound inspection VPC to the security segment. The company has also created an AWS Network Firewall firewall in the outbound inspection VPC to inspect internet-based traffic.

  The company has updated a route table for the production VPC to send all internet-bound traffic to the AWS Cloud WAN core network. The company has updated a route table for the outbound inspection VPC to ensure that Network Firewall inspects any outgoing traffic and incoming traffic.

  During testing, an Amazon EC2 instance in the production VPC cannot reach the internet. The company checks the Network Firewall rules and confirms that the rules are not blocking the traffic.

  Which combination of steps will meet these requirements? (Choose two.)

  A. Update the core network policy to configure segment sharing. Share the production segment with the security segment.
  B. Update the core network policy to create a static route for the security segment. Specify 0.0.0.0/0 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.
  C. Update the core network policy to create a static route for the production segment. Specify 0.0.0.0/0 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.
  D. Update the core network policy to create a static route for the production segment. Specify 10.2.0.0/16 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.
  E. Create an attachment to attach the outbound inspection VPC to the production segment. Update the core network policy to turn on isolated attachment for the production segment.
  A. Update the core network policy to configure segment sharing. Share the production segment with the security segment.
  C. Update the core network policy to create a static route for the production segment. Specify 0.0.0.0/0 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.

• Question 90:

  A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in

  the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.

  The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.

  Which solution will meet these requirements in the MOST secure manner?

  A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway
  B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
  C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
  D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
  C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.

  ---

  VPC endpoint services powered by AWS PrivateLink will provide the highest level of security by keeping all network traffic within the AWS network. It allows for granular security controls by allowing only authorized traffic from the application VPC to the central shared services VPC, reducing the attack surface area.