1. A company runs workloads in multiple VPCs. The company needs to securely access a workload in one of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up an AWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamic routing for the connection, and communication works properly.
Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner created workloads that use the additional CIDR range.
The company’s on-premises network is unable to reach the new workloads. The network engineer needs to resolve the network connectivity issue and ensure that connectivity will not be affected if additional VPC CIDR ranges are added to the VPC in the future.
Which solution will meet these requirements with the MOST operational efficiency?
A. Configure route propagation for VPC-A to the VPN attachment route table.
B. Manually update the VPN attachment route table to include the new CIDR range.
C. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule matches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table.
D. Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table. Restart the VPN tunnels.
Answer
A
2. A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are part of an Amazon EC2 Auto Scaling group.
To comply with new security standards, the company must capture all application access data, including server response codes, request paths, latency, and client IP addresses. The company also needs to query the captured data for performance analysis.
Which solution will meet these requirements?
A. Enable VPC flow logs on the ALB subnets. Store the logs to an Amazon S3 bucket. Query the logs in the S3 bucket by using Amazon Athena.
B. Configure Amazon VPC Traffic Mirroring on all EC2 elastic network interfaces. Deploy a third-party monitoring appliance from AWS Marketplace in a private subnet. Use Amazon Data Firehose to send all mirrored traffic to the monitoring appliance. Query the logs directly from the monitoring appliance.
C. Configure Amazon CloudWatch detailed monitoring on the EC2 instances. Include all available logs. Use Amazon Data Firehose to send all the collected logs to an Amazon S3 bucket. Query the data directly from the S3 bucket.
D. Enable access logs on the ALB. Store the logs in an Amazon S3 bucket. Query the logs in the S3 bucket by using Amazon Athena.
Answer
D
3. A company has an application VPC and a networking VPC that are connected through VPC peering. The networking VPC contains a Network Load Balancer (NLB). The application VPC contains Amazon EC2 instances that run an application. The EC2 instances are part of a target group that is associated with the NLB in the networking VPC.
The company configures a third VPC and peers it to the networking VPC. The new VPC contains a new version of the existing application. The new version of the application runs on new EC2 instances in an application subnet. The new version of the application runs in a different Availability Zone than the original version of the application.
The company needs to establish connectivity between the NLB and the new version of the application.
Which combination of steps will meet this requirement? (Choose three.)
A. Register the new application EC2 instances with the NLB by using the instance IDs.
B. Register the new application EC2 instances with the NLB by using instance IP addresses.
C. Configure the NLB in the Availability Zone where the new application EC2 instances run.
D. Configure the NLB to use zonal shift.
E. Configure the network ACL for the application subnet in the new VPC to allow outbound connections.
F. Configure the network ACL for the application subnet in the new VPC to allow inbound connections and outbound connections.
Answer
B, C, F
4. A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company’s applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups.
A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances.
Which solution will meet this requirement with the LEAST implementation and administrative effort?
A. Create a network ACL for each application. Reference the network ACL in the stateful rule group.
B. Create a prefix list for each application. Reference the prefix list in the stateful rule group.
C. Create an AWS Lambda function that queries the EC2 instance tags for each application name and then updates the stateful rule group with the IP address of each instance.
D. Create a resource group for each application name. Reference the Amazon Resource Name (ARN) for the resource groups in the stateful rule group.
Answer
D
5. A company hosts application servers on premises and on Amazon EC2 instances in a VPC. The application servers access data that is hosted in an Amazon S3 bucket through the public internet. The EC2 instances in the VPC use an AWS Site-to-Site VPN for connectivity with the on-premises application servers.
New company regulations state that all traffic between the application servers and the S3 bucket must remain private and must not use public IP addresses.
Which solution will meet these requirements MOST cost-effectively?
A. Configure an S3 gateway endpoint. Modify the route table with the appropriate route for the endpoint. Access the S3 bucket through the gateway endpoint from the EC2 instances.
B. Configure an S3 interface endpoint. Update the on-premises servers and EC2 instances to use the interface endpoint DNS name to access the S3 bucket.
C. Configure an S3 interface endpoint. Update the on-premises servers to use the interface endpoint DNS name to access the S3 bucket. Configure an S3 gateway endpoint. Modify the route table so that the EC2 instances use the gateway endpoint.
D. Configure an S3 gateway endpoint. Modify the route table with the appropriate route for the endpoint. Use an S3 bucket policy to restrict access to the gateway endpoint. Configure a proxy server fleet behind a Network Load Balancer in the VPC so that the on-premises servers can access the S3 bucket.
Answer
C
6. A company has multiple AWS Site-to-Site VPN connections between an on-premises environment and multiple VPCs. The Site-to-Site VPN connections use virtual private gateways and are configured with IPv4 addresses. The company hosts several internal applications in the VPCs.
Application users have reported that the applications are performing slowly. A network engineer notices excessive latency in the network path that the VPN connections use. The network engineer needs to resolve the excessive latency.
Which solution will meet this requirement?
A. Use AWS Global Accelerator to deploy an accelerator on the existing Site-to-Site VPN connections.
B. Deploy a transit gateway and a new accelerated Site-to-Site VPN connection.
C. Replace the existing Site-to-Site VPN connections with new Site-to-Site VPN connections that use IPv6.
D. Replace the existing Site-to-Site VPN connections with AWS PrivateLink connections.
Answer
B
7. A company is developing a new application that is deployed in multiple VPCs across multiple AWS Regions. The VPCs are connected through AWS Transit Gateway. The VPCs contain private subnets and public subnets.
All outbound internet traffic in the private subnets must be audited and logged. The company’s network engineer plans to use AWS Network Firewall and must ensure that all traffic through Network Firewall is completely logged for auditing and alerting.
How should the network engineer configure Network Firewall logging to meet these requirements?
A. Configure Network Firewall logging in Amazon CloudWatch to capture all alerts. Send the logs to a log group in Amazon CloudWatch Logs.
B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs.
C. Configure Network Firewall logging by configuring VPC Flow Logs for the firewall endpoint. Send the logs to a log group in Amazon CloudWatch Logs.
D. Configure Network Firewall logging by configuring AWS CloudTrail to capture data events.
Answer
B
8. A company has multiple VPCs with subnets that use IPv4. Traffic from the VPCs to the internet uses a NAT gateway. The company wants to transition to IPv6.
A network engineer creates multiple IPv6-only subnets in an existing testing VPC. The network engineer deploys a new Amazon EC2 instance that has an IPv6 address into one of the subnets. During testing, the network engineer discovers that the new EC2 instance is not able to communicate with an IPv4-only service through the internet. The network engineer needs to enable the IPv6 EC2 instance to communicate with the IPv4-only service.
Which solution will meet this requirement?
A. Enable DNS64 for the IPv6-only subnets. Update the route tables for the IPv6-only subnets to send traffic through the NAT gateway.
B. Enable NAT64 for the testing VPC. Reconfigure the existing NAT gateway to support IPv6.
C. Enable DNS64 for the new EC2 instance. Create a new egress-only internet gateway that supports IPv6.
D. Enable NAT64 for each route table. Create a new NAT gateway that supports both IPv4 and IPv6.
Answer
A
9. A company deployed an application in two AWS Regions in one AWS account. The company has one VPC in each Region. The VPCs use non-overlapping private CIDR ranges.
The company needs to connect both VPCs to a single on-premises data center to test the application. The application requires up to 800 Mbps of throughput. A network engineer needs to establish connectivity between the VPCs and the on-premises data center.
Which solution will meet this requirement with the LEAST operational overhead?
A. Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gateway in each VPC. Create a private VIF for each virtual private gateway, and associate the virtual private gateways with the Direct Connect connection. Configure static routes in the VPC route tables and in the data center router.
B. Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gateway in each VPC. Create a private VIF for each virtual private gateway, and associate the virtual private gateways with the Direct Connect connection. Configure Open Shortest Path First (OSPF) routing between the private VIF and the data center.
C. Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWS Site-to-Site VPN connection between the data center and each VPC. Configure static routes in each VPC route table to point to the subnets in the data center.
D. Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWS Site-to-Site VPN connection between the data center and each VPC. Configure BGP routing between the VPCs and the data center.
Answer
D
10. A company runs a workload in a single VPC on AWS. The company’s architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources.
After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access.
The security group currently uses the following rules:
• Inbound – Rule 1: Protocol: TCP; Port: 443; Source: 0.0.0.0/0
• Inbound – Rule 2: Protocol: TCP; Port: 443; Source: VPC CIDR
• Outbound – Rule 1: Protocol: All; Port: All; Destination: 0.0.0.0/0
Which rule or rules should the company remove to meet these requirements?
A. Outbound – Rule 2
B. Inbound – Rule 1 and Outbound – Rule 1
C. Inbound – Rule 2 and Outbound – Rule 1
D. Outbound – Rule 1
Answer
A