A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers. The company does not want to implement an access management solution that requires additional costs or effort.
Which solution meets these requirements?
A. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.
B. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VPC. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to both Client VPN endpoints at the same time to gain access to the resources.
C. Deploy a Network Load Balancer in front of the company resources. Set up security groups that contain the IP addresses of each of the user laptops. Instruct the users to connect to the application securely over TCP.
D. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to the Client VPN endpoint to gain access to the resources.
A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25 customers. The company creates a unique hostname for each customer to use to access the application. Hostnames use the format customer-name.example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application. When a customer visits customer-name.example.com, the ALB should route the request to the correct group of EC2 instances. The company requires a highly available solution that is easy to maintain.
Which solution meets these requirements at the LOWEST cost?
A. Create one ALB for all customers. Create a listener rule that includes an HTTP header condition to match the URL. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
B. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Configure an NGINX proxy server to manage connections to each ALB. Use Amazon Route 53 to create a CNAME record for each customer-name.example.com hostname that points to the NGINX proxy server.
C. Create one ALB for all customers. Create a listener rule that includes a Host header condition to match the hostname. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
D. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Create an Amazon CloudFront distribution. Add each ALB to the distribution as a custom origin. Use Amazon Route 53 to create an alias for each customer-name.example.com hostname that points to the CloudFront distribution.
A VPC is deployed with a 10.0.0.0/16 CIDR block. The engineering team is reviewing DHCP options, and there is disagreement about the valid DNS addresses available for the VPC.
Which addresses are valid IP addresses provided by Amazon for this subnet? (Choose two.)
A. 8.8.8.8
B. 10.0.0.2
C. 10.1.0.2
D. 169.254.169.253
E. 169.254.169.254
A company has a hybrid environment across its on-premises network and the AWS Cloud. The company wants to use Amazon Elastic File System (Amazon EFS) to store and share data between on-premises services that are required to resolve DNS queries through on-premises DNS servers. The company wants to use a custom domain name to connect to Amazon EFS. The company also wants to avoid using the Amazon EFS target IP address.
What should a network engineer do to meet these requirements?
A. Create an Amazon Route 53 Resolver outbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 public hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 public hosted zone.
B. Create an Amazon Route 53 Resolver inbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver.
C. Create an Amazon Route 53 Resolver outbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver.
D. Create an Amazon Route 53 Resolver inbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new PTR record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward
queries for the custom domain host to the Route 53 private hosted zone.
A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor. A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed.
The interim solution has worked for several weeks. However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header βX-Cache: Error from cloudfront.β Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.
What is the likely cause of the error, and what is the solution?
A. The origin access identity is not correct. Edit the CloudFront distribution and update the identity in the origins settings.
B. The SSL certificate on the CloudFront distribution has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to replace the SSL certificate in the CloudFront distribution with a new certificate.
C. The SSL certificate on the legacy web application server has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to create a new SSL certificate. Export the public and private keys, and install the certificate on the legacy web application.
D. The SSL certificate on the legacy web application server has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server.
A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3.
Which configuration values is the network engineer required to provide? (Choose two.)
A. Connection speed
B. VLAN ID
C. IP prefixes to advertise
D. Direct Connect location E. Virtual private gateway
A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
Which changes should a network engineer make to the architecture to meet these requirements?
A. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
B. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.
A company has an application running on Amazon EC2 instances in a VPC. The application must publish custom metrics to Amazon CloudWatch in the same AWS Region. The metrics include proprietary information. All connectivity must be over private IP addresses.
Which solution will meet these requirements?
A. Connect to CloudWatch through a NAT gateway.
B. Connect to CloudWatch through a gateway endpoint.
C. Connect to CloudWatch through an internet gateway.
D. Connect to CloudWatch through an interface endpoint.
A company wants to use thin clients running virtual desktops to replace 500 desktop computers used by its call center employees. The company is evaluating Amazon WorkSpaces as a solution.
A network engineer who is testing with a thin client is unable to connect to Amazon WorkSpaces. After entering credentials, the network engineer receives the following error:
βAn error occurred while launching your WorkSpace. Please try again.β
What should the network engineer do to resolve this issue?
A. Update the inbound rules on the network ACL on the subnets used for Amazon WorkSpaces to allow UDP on port 4172 and TCP on port 4172.
B. Update the company's corporate firewall to allow outbound access to UDP on port 4172 and TCP on port 4172. Open inbound ephemeral ports explicitly to allow return communication.
C. Update the inbound rules on the security group assigned to Amazon WorkSpaces to allow UDP on port 4172 and TCP on port 4172.
D. Update the company's corporate firewall to allow inbound access to UDP on port 4172 and TCP on port 4172. Open outbound ephemeral ports explicitly to allow return communication.
A company installed an AWS Site-to-Site VPN and configured it to use two tunnels. The company has learned that the VPN connectivity is unstable. During a ping test from the on-premises data center to AWS, a network engineer notices that the first few ICMP replies time out but that subsequent requests are successful. The AWS Management Console shows that the status for both tunnels last changed at the same time the ping responses were successfully received.
Which steps should the network engineer take to resolve the instability? (Choose two.)
A. Enable dead peer detection (DPD) on the customer gateway device.
B. Change the tunnel configuration to active/standby on the virtual private gateway.
C. Use AS PATH prepending on one path to cause all traffic to prefer that tunnel.
D. Send ICMP requests to an instance in the VPC every 5 seconds from the on-premises network.
E. Use a higher multi-exit discriminator (MED) value on the preferred path to prefer that tunnel.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your ANS-C00 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.