Summer Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: v4s65

  1. Home
  2. Amazon Web Services
  3. AWS Certified Specialty
  4. ANS-C01 - Amazon AWS Certified Advanced Networking - Specialty

ANS-C01 Exam Dumps - Amazon AWS Certified Advanced Networking - Specialty

Go to page:
Question # 25

A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months After the 3-month migration period, the resolution of on-premises servers will no longer be needed.

What should a network engineer do to meet these requirements with the LEAST amount of configuration?

A.

Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.

B.

Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.

C.

Set up an AWS Client VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.

D.

Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.

Full Access
Question # 26

A finance company runs multiple applications on Amazon EC2 instances in two VPCs that are within a single AWS Region. The company uses one VPC for stock trading applications. The company uses the second VPC for financial applications. Both VPCs are connected to a transit gateway that is configured as a multicast router.

In the stock trading VPC, an EC2 instance that has an IP address of 10.128.10.2 sends trading data over a multicast network to the 239.10.10.10 IP address on UDP Port 5102. The company recently launched two new EC2 instances in the financial application VPC. The new EC2 instances need to receive the multicast stock trading data from the EC2 instance that is in the stock trading VPC.

Which combination of steps should the company take to meet this requirement? (Choose three.)

A.

Add the elastic network interfaces of the two new EC2 instances as members of the multicast group by using the group IP address of 239.10.10.10.

B.

Add an inbound rule to the security groups that are attached to the multicast receiver instances. Configure the rule as follows:

Protocol: IGMP Version 2. Port: 5102, and Source: 239 10.10.10/32

C.

Create associations to two EC2 instance IDs on the financial application VPC transit gateway attachment under the transit gateway multicast domain.

D.

Create an association to EC2 instance subnets on the financial application VPC transit gateway attachment under the transit gateway multicast domain.

Add an inbound rule to the security groups that are attached to the multicast receiver instances. Configure the rule as follows.

E.

Protocol: UDP, Port: 5102, and Source: 10.128.10.2/32

F.

Add an inbound rule to the security groups that are attached to the multicast receiver instances. Configure the rule as follows:

Protocol: IGMP Version 2. Port: All, and Source: 0 0.0.0/32

Full Access
Question # 27

A company has business operations in the United States and in Europe. The company's public applications are running on AWS and use three transit gateways. The transit gateways are located in the us-west-2. us-east-1. and eu-central-1 Regions. All the transit gateways are connected to each other in a full mesh configuration.

The company accidentally removes the route to the eu-central-1 VPCs from the us-west-2 transit gateway route table. The company also accidentally removes the route to the us-west-2 VPCs from the eu-central-1 transit gateway route table.

How can a network engineer identify the misconfiguration with the LEAST operational overhead?

A.

Use the Route Analyzer feature for AWS Transit Gateway Network Manager

B.

Use the AWSSupport-SetuplPMonitoringFromVPC AWS Systems Manager Automation runbook. Push network telemetry data to Amazon CloudWatch Logs for analysis.

C.

Use VPC flow togs in eu-central-1 and us-west-2 to analyze the missing routes.

D.

Use Amazon VPC Traffic Mirroring in eu-central-1 or us-west-2 to take packet captures and troubleshoot the connectivity issues.

Full Access
Question # 28

A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit.

Which solution will meet these requirements?

A.

Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to access Amazon S3. Use HTTPS for communication.

B.

Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.

C.

Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.

D.

Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to the transit gateway. Create an attachment for Amazon S3. Use HTTPS for communication.

Full Access
Question # 29

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.

The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.

Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

A.

Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.

B.

Set up AWS WAF on all network components.

C.

Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.

D.

Use AWS Direct Connect with MACsec support for connectivity to the cloud.

E.

Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.

F.

Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Full Access
Question # 30

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.

A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.

Which solution will meet these requirements?

A.

Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

B.

Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnetroute tables to point IPv6 traffic to the NAT instance.

C.

Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

D.

Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Full Access
Question # 31

A company uses the us-east-1 Region and the ap-south-1 Region for its business units (BUs). The BUs are named BU-1 and BU-2. For each BU. there are two VPCs in us-east-1 and one VPC in ap-south-1.

Because of workload isolation requirements, resources can communicate within the same BU but cannot communicate with resources in the other BU. The company plans to add more BUs and plans to expand into more Regions.

Which solution will meet these requirements with the MOST operational efficiency?

A.

Configure an AWS Cloud WAN network that operates in the required Regions Attach all BU VPCs to the AWS Cloud WAN core network. Update the AWS Cloud WAN segment actions to configure new routes to deny traffic between the different BU segments.

B.

Configure a transit gateway in each Region. Configure peering between the transit gateways. Attach the BU VPCs to the transit gateway in the corresponding Region. Configure the transit gateway and VPC route tables to isolate traffic between BU VPCs.

C.

Configure an AWS Cloud WAN network that operates in the required Regions. Attach all BU VPCs to the AWS Cloud WAN core network. Update the core network policy by setting the isolate-attachments parameter for each segment.

D.

Configure an AWS Cloud WAN network that operates in the required Regions. Create AWS Cloud WAN segments for each BU. Configure VPC attachments for each BU's VPCs to the corresponding BU segment.

Full Access
Question # 32

A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. The company's existing architecture includes a VPC that uses RFC 1918 IP address space. The VPC is connected to an on-premises data center over AWS Direct Connect Amazon Route 53 provides name resolution within the VPC. Locally managed DNS servers in the data center provide DNS services to the on-premises hosts.

The company has applications in the data center that need to download objects from an Amazon S3 bucket in us-west-2.

Which solution can the company use to access Amazon S3 without using the public IP address space?

A.

Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.

B.

Create an S3 interface endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.

C.

Create an S3 gateway endpoint in the VPC. Update the on-premises application configuration to use the hostname that is mapped to the S3 gateway endpoint.

D.

Create an S3 gateway endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.

Full Access
Go to page:

Hot Exams

ADM-201 Dumps
Platform-App-Builder Dumps
AZ-500 Dumps
350-701 Dumps
SY0-601 Dumps
NCSE-Core Dumps
PDP9 Dumps
DP-203 Dumps
AZ-700 Dumps
NSE7_EFW-7.0 Dumps
Integration-Architect Dumps
CS0-003 Dumps