Amazon Amazon Certifications ANS-C00 Questions & Answers

• Question 151:

  You need to find the subnet, the security group and the VPC that your instance is associated with. You only have access to the terminal of an instance with an admin role attached.

  What is the first part of the command you would use?

  A. aws ec2 describe-network-acl

  B. aws ec2 describe-instances

  C. aws vpc describe-all

  D. aws ec2 describe-security-groups

  Correct Answer: B

  Explanation: aws ec2 describe-instances will tell a significant amount of information about the instances in your account. Apply a filter to be able to see information about your instance. Describe-security-groups and describe-network-acl would not allow you to see which group is associated with your instance and aws vpc describe-all doesn't exist.

• Question 152:

  You have a management server that needs to be able to communicate with two subnets. One of these subnets is private. This subnet must remain private and must not pass any traffic back to other subnets.

  How would you configure this?

  A. Configure a NACL to allow access from the management server to the private server.

  B. Add an ENI to the management server that resides in the subnet of the private server.

  C. You can't do this without allowing traffic back through the other subnet.

  D. Configure a security group rule to allow access from the management server to the private server.

  Correct Answer: B

  Explanation:

  Add an ENI to the management server that resides in the subnet of the private server. This will allow the

  management server to communicate with the private server without having to change security rules.

• Question 153:

  Which statement is NOT true about accessing remote AWS region in the US by your AWS Direct Connect which is located in the US?

  A. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.

  B. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.

  C. If you have a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US.

  D. Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.

  Correct Answer: D

  Explanation:

  AWS Direct Connect locations in the United States can access public resources in any US region. You can

  use a single AWS Direct Connect connection to build multi-region services. To connect to a VPC in a

  remote region, you can use a virtual private network (VPN) connection over your public virtual interface.

  To access public resources in a remote region, you must set up a public virtual interface and establish a

  border gateway protocol (BGP) session. Then your router learns the routes of the other AWS regions in

  the US. You can then also establish a VPN connection to your VPC in the remote region.

  Any data transfer out of a remote region is billed at the remote region data transfer rate.

  Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html

• Question 154:

  You have been tasked with migrating your company's proprietary massively large dataset sorting application to AWS. The application currently runs on 4 highly spec'd servers that are in a cluster arrangement and runs 24x7, with the average CPU utilisation across any 24hr period being approx 85% the migration of this cluster once up and running on AWS is expected to run similarly. The servers shuffle data internally and between themselves. Your company's financial performance is entirely dependent on the speed at which it can sort your customers datasets, that is the faster a sorted result can be returned the better your company's bottom line.

  Of the choices presented below, select the optimal network configuration that will ensure the best financial results for your company.

  A. Disable Jumbo Frames to ensure better data throughput between instances

  B. Enable Jumbo Frames to ensure better data throughput between instances

  C. Create an autoscaled group of c4.8xlarge instances - with min 1 and max 4 - this will ensure your operational costs a minimal

  D. Configure a CloudWatch Alarm to add more CPUs to the instances when average cluster CPU utilisation breaches 85%

  Correct Answer: B

  Explanation: Answer C does not meet the brief - the question states that the requirement is to run a cluster of 4 servers 24x7 - and that the average CPU utilisation across any 24hr period is 85% - therefore have an ASG with min 1 and max 4 provides no benefit, and if anything scaling down from 4 machines would impact the speed at which sorting results are returned - and therefore this would affect the company's bottom line. We know that of the Answers A and B we need to choose one - Answer B best supports our requirements - to move data faster between servers. Answer D is nonsensical - AWS doesn't support adding or removing CPUs to instances.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

• Question 155:

  Convert the following IPv4 address in presented in binary form, into dotted decimal form 10101100.01111011.00001101.10011101.

  A. 172.123.13.157

  B. 173.13.13.157

  C. 172.122.13.15

  D. 172.124.13.57

  Correct Answer: A

  Explanation:

  An IPv4 address in dotted decimal format is constructed using binary arithmetic. In binary arithmetic, each

  bit within a group represents a power of two. Specifically, the first bit in a group represents 2 to the power

  of 0, the second bit represents 2 to the power of 1, the third bit represents 2 to the power of 2, and so on.

  Binary format is simple because each successive bit in a group is exactly twice the value of the previous

  bit.

  The first octet is 128 + 32 + 8 + 4 = 172

  The second octet 64 + 32 + 16 + 8 + 2 + 1 = 123

  The third octet 8 + 4 + 1 = 13

  The fourth octet is 128 + 16 + 8 + 4 + 1 = 157

  Reference: https://en.wikipedia.org/wiki/IPv4

• Question 156:

  An unfortunate situation has just come to your attention. A business critical application with sensitive data running on-prem will run out of storage disk space in 24hrs. This business critical application is dependent a very large set of routes - required for integration with other system. You make a quick but well informed decision to migrate this application quickly to AWS. You are able to quickly launch a new VPC and within it equivalent infrastructure to re-home the application. In order to complete the replication of application data and ensure the application remains operational beyond the next 24hrs, select the best implementation.

  A. Within the new VPC - establish a Direct Connect connection with max 10Gbps port speed for data replication. Establish a 802.1Q VLAN and configure a Virtual Private Gateway and Private Virtual Interface, and ensure Jumbo Frames is enabled.

  B. Within the new VPC - deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with BGP dynamic routing

  C. Within the new VPC - deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with static routing, and ensure Jumbo Frames is enabled.

  D. Within the new VPC - deploy a software based virtual router (for example a Cisco CSR). Configure with dual ENIs (external and internal), create and attach an EIP to the external ENI, Configure and setup IPsec VPN tunnels, and ensure Jumbo Frames is enabled.

  Correct Answer: B

  Explanation: Answer A - Let's start by stating that all possible options are actually workable solutions. The key criteria of the question is to complete the data migration aspects as *quickly* as possible. With this in mind we can immediately rule out Answer A - due to the time it takes to provision and activate a fully functional Direct Connect connection, 72+ hrs. Answer C is the same as Answer D but lacks BGP - therefore we would need to setup the routes manually - more time and effort. Additionally Answer D uses Jumbo Frames - but AWS does not support Jumbo frames over the Virtual Private Gateway - therefore Answer D's use of Jumbo Frames is negated. Overall Answer B is considered the quickest option.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html

• Question 157:

  Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

  A. 8 subnets and 30 hosts per subnet

  B. 16 subnets and 14 hosts per subnet

  C. 32 subnets and 30 hosts per subnet

  D. 8 subnets and 14 hosts per subnet

  Correct Answer: B

  Explanation:

  16 subnets and 14 hosts per subnet are possible in the CIDR.

  Reference: https://en.wikipedia.org/wiki/IPv4_subnetting_reference

• Question 158:

  Within the TCP/IP model what is the name of the Packet Data Unit (PDU) used between Transport Layers for communication between sender and receiver

  A. Frames

  B. Packets

  C. Data

  D. Segments

  Correct Answer: D

  Explanation:

  Segments is the PDU used between transport layers.

  Reference: https://en.wikipedia.org/wiki/Transmission_Control_Protocol

• Question 159:

  Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?

  A. For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible

  B. Jumbo Frames are not supported for traffic that exits the Virtual Private Gateway

  C. Jumbo Frames are not supported for traffic that exits the Internet Gateway

  D. T2.micro instances do not support Jumbo Frames

  Correct Answer: D

  Explanation:

  All answers except for Answer D are correct. Answer D is incorrect in that AWS does indeed support

  Jumbo Frames on all instance types within the T2 family class - including the T2.micro instance type.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

• Question 160:

  The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity.

  Select the correct statement below regarding the correct configuration options for ensure IPsec confidentiality:

  A. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, MD5

  B. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, AES

  C. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

  D. The following protocols may be used to configure IPsec confidentiality, PSK, MD5

  E. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

  Correct Answer: B

  Explanation:

  Answer A is incorrect - as MD5 is a hashing protocol (data integrity) Answer C is incorrect - as PSK is

  short for Pre-Shared Keys (key exchange) - and again MD5 is a hashing protocol (data integrity)

  Answer D is incorrect - as both MD5 and SHA are hashing protocols (data integrity) Answer E is incorrect as both PSK and RSA are used for key exchanges This leaves Answer B is the only correct IPsec

  configuration covering confidentiality. DES, 3DES, and AES are all encryption protocols.

  Reference: https://en.wikipedia.org/wiki/IPsec