Amazon ANS-C00 Online Practice Questions and Exam Preparation

Amazon ANS-C00 Online Questions & Answers

• Question 331:

  A network engineer is managing two AWS Direct Connect connections. Each connection has a public virtual interface configured with a private ASN. The engineer wants to configure active/passive routing between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is required for the on-premises equipment? (Choose two.)

  A. Use Local Pref to control outbound traffic.
  B. Use AS Prepending to control inbound traffic.
  C. Use eBGP multi-hop between loopback interfaces.
  D. Use BGP Communities to control outbound traffic.
  E. Advertise more specific prefixes over one Direct Connect connection.
  C. Use eBGP multi-hop between loopback interfaces.
  E. Advertise more specific prefixes over one Direct Connect connection.

• Question 332:

  All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that it is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server. What is the reason for this failure?

  A. The NAT gateway does not support UDP traffic.
  B. The authentication server is not accepting traffic.
  C. The NAT gateway cannot allocate more ports.
  D. The NAT gateway is launched in a private subnet.
  C. The NAT gateway cannot allocate more ports.

• Question 333:

  Your VPC has a DX connection that is advertising 99 routes. You have two more prefixes to add: 10.223.1.0/24 and 10.223.2.0/24. You have several locations, so you need to be as exact as possible with your routing. How would you do this?

  A. Add the prefixes; AWS allows for as many BGP routes as you need but not static.
  B. Contact AWS to extend the number of prefixes you are allowed to advertise.
  C. Summarize the routes into a 10.223.0.0/22 and advertise that route instead.
  D. Summarize the routes into a 10.223.0.0/12 and advertise that route instead.
  C. Summarize the routes into a 10.223.0.0/22 and advertise that route instead.

• Question 334:

  What is the maximum size of a response body that Amazon CloudFront will return to the viewer?

  A. Unlimited
  B. 5 GB
  C. 100 MB
  D. 20 GB
  D. 20 GB

• Question 335:

  Which path will be chosen first?

  A. 192.168.0.0/16 AS 65000 over Direct Connect
  B. 192.0.0.0/8 AS 65000 over Direct Connect
  C. 192.168.1.0/24 AS 65000 65000 65000 over a Dynamic VPN
  D. 192.168.0.0/16 AS 65000 over a Static VPN
  C. 192.168.1.0/24 AS 65000 65000 65000 over a Dynamic VPN

• Question 336:

  Non-compliant resources identified through the use of AWS Config Rules are automatically removed from operational service.

  A. It depends on the Rule configuration
  B. Only if it remains non-compliant for more than 6 hours
  C. True
  D. False
  D. False

• Question 337:

  You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect.

  You have to bring the web server down for maintenance, what two things should you do? (Choose two.)

  A. Reboot the instance.
  B. Move the ENI from one server to the other.
  C. Associate the new ENI with the database security group.
  D. Configure a secondary ENI on the standby instance.
  C. Associate the new ENI with the database security group.
  D. Configure a secondary ENI on the standby instance.

• Question 338:

  A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group:

  

  The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC. Why is the solution failing to meet the compliance requirement?

  A. The security group cannot filer outbound traffic to the Amazon DNS servers.
  B. The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
  C. The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.
  D. The security group cannot filter outbound traffic to destinations within the same VPC.
  C. The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers.

• Question 339:

  In AWS, which service provides a reliable and inexpensive way to backup and archive CloudTrail log files?

  A. Amazon Archiver
  B. Amazon Glacier
  C. AWS Storage Gateway
  D. Amazon Elastic Block Store
  B. Amazon Glacier

• Question 340:

  A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers. The company does not want to implement an access management solution that requires additional costs or effort.

  Which solution meets these requirements?

  A. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.
  B. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VPC. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to both Client VPN endpoints at the same time to gain access to the resources.
  C. Deploy a Network Load Balancer in front of the company resources. Set up security groups that contain the IP addresses of each of the user laptops. Instruct the users to connect to the application securely over TCP.
  D. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to the Client VPN endpoint to gain access to the resources.
  B. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VPC. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to both Client VPN endpoints at the same time to gain access to the resources.