A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy.
Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?
A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.
C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?
A. Configure an AWS Direct Connect private virtual interface to the company's AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
B. Configure a VPN connection to the company's AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.
C. Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over a Direct Connect connection.
D. Configure a VPN connection to the company's AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
A company wants to migrate its workloads to the AWS Cloud. The company has two web applications and wants to run them in separate, isolated VPCs. The company needs to use Elastic Load Balancing to distribute requests between application instances.
For security reasons, internet gateways must not be attached to the application VPCs. Inbound HTTP requests to the application must be routed through a centralized VPC, and the application VPCs must not be exposed to any other inbound traffic. The application VPCs cannot be allowed to initiate any outbound connections.
What should a network engineer do to meet these requirements?
A. Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private DNS names of the ALBs. Configure host-based routing to route application traffic to the corresponding target group through the NLB.
B. Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private IP addresses of the ALBs. Configure host-based routing to route application traffic to the corresponding target group through the NLB.
C. Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Create VPC peering connections between the application VPCs and the centralized VPC. Create a public Application Load Balancer (ALB) in the centralized VPC. Create target groups for the private DNS names of the NLBs. Configure host-based routing to route application traffic between individual applications though the ALB.
D. Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Configure each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Create target groups that include the private IP addresses of each endpoint. Create a public Application Load Balancer (ALB) in the centralized VPC. Configure host-based routing to route application traffic to the corresponding target group through the ALB.
A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection. which includes a private Virtual Interface (VIF), and a VPN connection to the on-premises data center.
For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?
A. Direct Connect BGP routes; static routes; longest prefix match; VPN BGP routes.
B. Static routes; longest prefix match; Direct Connect BGP routes; VPN BGP routes.
C. Longest prefix match; static routes; Direct-Connect BGP routes; VPN BGP routes.
D. Longest prefix match; VPN BGP routes; static routes; Direct Connect BGP routes.
A company is delivering web content from an Amazon EC2 instance in a public subnet with address 2001:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:
2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK 2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK
Which action will restore network reachability to the EC2 instance?
A. Update the security group associated with eni-0596e500123456789to permit inbound traffic.
B. Update the security group associated with eni-0596e500123456789to permit outbound traffic.
C. Update the network ACL associated with the subnet to permit inbound traffic.
D. Update the network ACL associated with the subnet to permit outbound traffic.
You wish to host a mailserver on an EC2 instance. What two steps must you take to ensure utmost reliability?
A. Create an EIP for the instance.
B. Configure the mail service to serve as an open relay.
C. Contact AWS to have a Reverse DNS record configured and to help keep your domain from SPAM blacklists.
D. Provide open security group access to your instance on ports 25, 3389 and 22.
What does the term "statistics" mean with respect to CloudWatch metrics?
A. Time of a metric collection
B. Data aggregation over a specific period of time
C. Status of a metric
D. Unit of a metric
An AWS CloudTrail log file provides the identity and source IP address of the API caller, and a time of the API call, request parameters, and ____.
A. response elements
B. event selectors
C. port alarms
D. destination buckets
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use ____.
A. trusted signers
B. optimistic locking
C. integrity validation
D. root credentialing
Which of the following services is used to send an alert from CloudWatch?
A. AWS SNS
B. AWS EBS
C. AWS SES
D. AWS SQS
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your ANS-C00 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.