Amazon Amazon Certifications ANS-C00 Questions & Answers

• Question 251:

  You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?

  A. Site A: VPN 10.0.1.0/24 AS 65000 65000

  B. Site B: VPN 10.0.1.252/30 AS 65000 65000 65000

  C. Site C: DX 10.0.0.0/8 AS 65000

  D. Site D: DX 10.0.0.0/16

  Correct Answer: B

  Explanation:

  Site B, the most specific prefix always wins.

• Question 252:

  You have two placement groups in a VPC. What communication speed can be expected between the two placement groups?

  A. 5Gbps

  B. 10Gbps

  C. 20Gbps

  D. You cannot communicate between two placement groups.

  Correct Answer: A

  Explanation:

  5Gbps is the maximum speed for traffic outside of a placement group.

• Question 253:

  Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)

  A. Remove any rules allowing ::/0 inbound in the security group.

  B. Block ::/0 inbound in the NACL.

  C. Create an egress-only internet gateway.

  D. Block 0.0.0.0/0 inbound in the NACL.

  Correct Answer: AC

  Explanation: 0.0.0.0/0 will only block IPv4, blocking ::/0 in the NACL will prevent return traffic and updates to the instances. An egress-only internet gateway or blocking ::/0 inbound in the security group will allow the instances to initiate outbound connections and receive the return traffic, while still preventing outside attackers from initiating connections to the instances.

• Question 254:

  When configuring Active/Passive HA on VPN tunnels, choose the two best ways to configure this. (Choose two.)

  A. Keep both tunnels up.

  B. Configure AS_PATH prepending on one of the paths.

  C. Turn off one of the paths until you need it.

  D. Configure MED on one of the tunnels.

  Correct Answer: AB

  Explanation:

  AWS prefers AS_PATH prepending and for a tunnel to provide true failover, it must always be on.

• Question 255:

  You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

  A. You configured the rule number to be too low.

  B. A NACL can't protect against a DDoS.

  C. The DDoS isn't a TCP attack.

  D. You need to add a deny rule outbound also since NACLs are stateful.

  Correct Answer: C

  Explanation:

  The DDoS isn't a TCP attack (this time.) A DDoS can use several different protocols. NACLs are stateless.

  The lower the rule number, the higher the priority.

• Question 256:

  You need to find the MTU used by another instance, but tracepath is not working. You know the instance you are trying to tracepath has open security group and NACL rules. Which protocol do you need to allow to access your instance to remedy this?

  A. Protocol 6: TCP

  B. Protocol 47: GRE

  C. Protocol 17: UDP

  D. Protocol 1: ICMP

  Correct Answer: D

  Explanation:

  You need to allow Protocol 1, ICMP, to access your instance. tracepath specifically needs the "destination

  unreachable" feature of ICMP.

• Question 257:

  Your company needs an inexpensive solution to host their AD data in the cloud. They do not need all of the features of AD but do need to be able to use it with WorkSpaces. What is the best solution?

  A. AD Connector

  B. Hosted Microsoft AD

  C. Simple AD

  D. Deploy an AD server on an M3.large instance

  Correct Answer: C

  Explanation:

  Simple AD is the best choice here. If authentication is all you need, it is the most inexpensive option for in-

  cloud directory.

• Question 258:

  You have a static VPN connecting your data center and your VPC. You currently have 50 routes added to your route table. You want to add more; how should you do this?

  A. 50 is the most you can have for any connection.

  B. Just add them, you have a maximum of 100 static routes per route table.

  C. Set up Direct Connect. A VPN will not support more routes.

  D. Convert your VPN to a dynamic VPN and use BGP.

  Correct Answer: D

  Explanation:

  A dynamic routing table can support 100 routes. A static can only support 50 per IPv4 and 50 per IPv6.

  Direct Connect will work, but it would be more than you needed.

• Question 259:

  You have just deployed a website that utilizes CloudFront, ELB, and S3 to serve content. When users access your site, they are seeing broken image links. What is most likely the problem?

  A. There is no record in Route 53 pointing cdn.yourdomain.com to the CloudFront ALIAS.

  B. You need to create Origin Access Identity for CloudFront and add it to your bucket policy.

  C. The images in S3 are saved as .png instead of .jpg.

  D. There is no rule in your bucket policy allowing public access.

  Correct Answer: B

  Explanation:

  You must have an OAI if the bucket policy does not allow public access, which is bad practice.

• Question 260:

  You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)

  A. Create two subnets in the same AZ and create a placement group.

  B. Set the MTU of your instances to 1500.

  C. Create two subnets in different AZs and create a placement group.

  D. Ensure you choose instances that use enhanced networking.

  Correct Answer: AD

  Explanation:

  A placement group can only be deployed in the same AZ and is only useful with enhanced networking

  instances.