Amazon ANS-C01 Dumps Questions Answers

AWS Certified Advanced Networking - Specialty (ANS-C01)

One of the most challenging certification examinations offered by Amazon is the ANS-C01 for AWS Certified Networking Specialty. AWS and hybrid IT architectures to prevailing (better) networking liabilities The AWS Advanced Networking Specialty ANS-C01 exam tests an applicant's ability to handle the following tasks, among others:

Important skills to achieve AWS Certified Specialty certificate

• Designing, developing, and deploying cloud-based solutions
• Execute core AWS services as per the basic architectural best practices,
• AWS services - Developing and setting network architecture
• Interpretation of support tools for robotization of AWS networking tasks.

How many points must you receive to pass the test? And what kind of test questions were there?

If you wish to pass this exam, you must receive at least 750 marks; if not, you will be considered unsuccessful and will need to retake the test. According to Amazon test regulations, this exam will include multiple-choice and multiple-response questions.

AWS ANS-C00 exam outline for ANS-C01 - AWS Certified Advanced Networking Specialty Exam

1. Acknowledge the designing and implementation of hybrid IT network architectures (23%)
2. Explain the Designing and implementation of AWS networks (29%)
3. Explain the automation of AWS tasks (8%)
4. Explain the configuration of network integration with application services (15%)
5. Explain the designing and implementation for security and compliance (12%)
6. Explain the management, optimizing, and troubleshooting the network (13%)

Amazon ANS-C01 dumps pdf - The Best Resource for Passing Exam

Get the current and reliable ANS C01 test dumps that are supplied by our website if you want to ensure the accuracy of your AWS Certified Advanced Networking Specialty certification. The Amazon ANS-C01 PDF dumps are more easily understood and include useful and original study material. Utilizing the effective ANS-C01 dumps pdf and learning the essentials of the certification will make your preparation credible. You have a limitless number of doors to opportunity. If you receive excellent marks for the AWS Certified Specialty certification, you will have many options to find a rewarding career in your related sector.

Buy Amazon ANS-C01 question answers guide to pass your exam smoothly<>/h3

You must truly take the AWS Certified Advanced Networking Specialty test if you want to achieve the top outcomes, so grab our Amazon ANS C01 exam questions answers and fulfill your commitment to yourself;.;. Our qualified specialists eagerly recommend the ANS-C01 PDF questions so that you may plan with our offered help and achieve remarkable outcomes. Complete all of the criteria for the AWS Certified Advanced Networking Specialty certification using our ANS-C01 dumps pdf.

Exam formatting ANS-C01 - AWS Certified Advanced Networking Specialty Exam

Time limit:	170 min
Cost of the exam:	$300 USD
Exam deliver language:	English, Korean, and Japanese

Easily Prepare With the ANS-C01 Exam Dumps & Fulfill Your Objectives

Concentrate on the top-notch ANS C01 dumps pdf for competent and thorough preparation. The most recent study materials are included in our ANS-C01 exam questions to help you prepare for the entire exam. To ensure that your AWS Certified Advanced Networking Specialty exam preparation is up to date, the ANS-C01 exam dumps provide innovative ways of preparation.

Exam material design under expert supervision

Take advantage of this opportunity by studying with our ANS-C01 questions pdf and passing your certification because all of the preparation components have been examined by our specialists. The AWS Certified Advanced Networking Specialty test has been prepared for with the help of the ANS C01 real exam dumps, which contain the essential knowledge. Get all the advantages from this source and make your preparation worthwhile by using the AWS Certified Specialty exam questions and answers to practice real-world scenarios. With the mandatory content of the Amazon ANS C01 exam questions and additional practice using the online testing engines, you may without a doubt complete your assignment and become an AWS Qualified Advanced Networking Specialty certified.

Advantages over competitors after using our ANS-C01 genuine questions and answers guide:

• Finish early: Compared to other students, you will be able to complete your exam considerably more quickly. If you have any doubts, you will have extra time to review your responses.
• Boost in self-assurance: After passing the ANS-C01 test, you'll feel more assured in your day-to-day work life.
• Abilities Improvement: You will significantly increase your ANS-C01 test skills, which will help you on your final exam.
• Stand out from the crowd: If you pass the exam, other IT professionals will notice you. Compared to others who lack certification, your prospects of promotion are higher.

Amazon ANS-C01 Dumps

Dumps4download providing 100% reliable Exam dumps that are verified by experts panel. Our Dumps4download ANS-C01 study material are totally unique and exam questions are valid all over the world. By using our ANS-C01 dumps we assure you that you will pass your exam on first attempt. You can easily score more than 97%.

100% exam passing Guarantee on your purchased exams.

100% money back guarantee if you will not clear your exam.

Amazon ANS-C01 Practice Test Helps You Turn Dreams To Reality!

IT Professionals from every sector are looking up certifications to boost their careers. Amazon being the leader certification provider earns the most demand in the industry.

The Amazon Certification is your short-cut to an ever-growing success. In the process, Dumps4download is your strongest coordinator, providing you with the best ANS-C01 Dumps PDF as well as Online Test Engine. Let’s steer your career to a more stable future with interactive and effective ANS-C01 Practice Exam Dumps.

Many of our customers are already excelling in their careers after achieving their goals with our help. You can too be a part of that specialized bunch with a little push in the right direction. Let us help you tread the heights of success.

Apply for the ANS-C01 Exam right away so you can get certified by using our Amazon Dumps.

Bulk Exams Package

Dumps4download Leads You To A 100% Success in First Attempt!

Our ANS-C01 Dumps PDF is intended to meet the requirements of the most suitable method for exam preparation. We especially hired a team of experts to make sure you get the latest and compliant ANS-C01 Practice Test Questions Answers. These questions are been selected according to the most relevance as well as the highest possibility of appearing in the exam. So, you can be sure of your success in the first attempt.

Interactive & Effective ANS-C01 Dumps PDF + Online Test Engine

Aside from our Amazon ANS-C01 Dumps PDF, we invest in your best practice through Online Test Engine. They are designed to reflect the actual exam format covering each topic of your exam. Also, with our interactive interface focusing on the exam preparation is easier than ever. With an easy-to-understand, interactive and effective study material assisting you there is nothing that could go wrong. We are 100% sure that our ANS-C01 Questions Answers Practice Exam is the best choice you can make to pass the exam with top score.

How Dumps4download Creates Better Opportunities for You!

Dumps4download knows how hard it is for you to beat this tough Amazon Exam terms and concepts. That is why to ease your preparation we offer the best possible training tactics we know best. Online Test Engine provides you an exam-like environment and PDF helps you take your study guide wherever you are. Best of all, you can download ANS-C01 Dumps PDF easily or better print it. For the purpose of getting concepts across as easily as possible, we have used simple language. Adding explanations at the end of the ANS-C01 Questions and Answers Practice Test we ensure nothing slips your grasp.

The exam stimulation is 100 times better than any other test material you would encounter. Besides, if you are troubled with anything concerning Amazon AWS Certified Advanced Networking - Specialty Exam or the ANS-C01 Dumps PDF, our 24/7 active team is quick to respond. So, leave us a message and your problem will be solved in a few minutes.

Get an Absolutely Free Demo Today!

Dumps4download offers an absolutely free demo version to test the product with sample features before actually buying it. This shows our concern for your best experience. Once you are thoroughly satisfied with the demo you can get the Amazon AWS Certified Advanced Networking - Specialty Practice Test Questions instantly.

24/7 Online Support – Anytime, Anywhere

Have a question? You can contact us anytime, anywhere. Our 24/7 Online Support makes sure you have absolutely no problem accessing or using Amazon AWS Certified Advanced Networking - Specialty Practice Exam Dumps. What’s more, Dumps4download is mobile compatible so you can access the site without having to log in to your Laptop or PC.

Features to use Dumps4download ANS-C01 Dumps:

• Thousands of satisfied customers.
• Good grades are 100% guaranteed.
• 100% verified by Experts panel.
• Up to date exam data.
• Dumps4download data is 100% trustworthy.
• Passing ratio more than 99%
• 100% money back guarantee.

Amazon ANS-C01 Frequently Asked Questions

Amazon ANS-C01 Sample Questions

Question # 1

A company ran out of IP address space in one of the Availability Zones in an AWS Region that thecompany uses. The Availability Zone that is out of space is assigned the10.10.1.0 CIDR block. The company manages its networking configurations in an AWSCloudFormation stack. The company's VPC is assigned the 10.10.0.0 CIDRblock and has available capacity in the 10.10.1.0 CIDR block.How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?

A.Update the AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormationstack. Change the CidrBlock property to 10.10.1.0.
B.Update the AWS :: EC2 :: VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0.
C.Copy the CloudFormation stack. Set the AWS :: EC2 :: VPC resource CidrBlock property to10.10.0.0. Set the AWS :: EC2 :: Subnet resource CidrBlock property to 10.10.1.0 for the Availability Zone.
D.Create a new AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0.

Show Answer

---

Question # 2

A company has multiple firewalls and ISPs for its on-premises data center. The company has a singleAWS Site-to-Site VPN connection from the company's on-premises data center to a transit gateway.A single ISP services the Site-to-Site VPN connection. Multiple VPCs are attached to the transitgateway.A customer gateway that the Site-to-Site VPN connection uses fails. Connectivity is completely lost,but the company's network team does not receive a notification.The network team needs to implement redundancy within a week in case a single customer gatewayfails again. The team wants to use an Amazon CloudWatch alarm to send notifications to an AmazonSimple Notification Service (Amazon SNS) topic if any tunnel of the Site-to-Site VPN connectionfails. Which solution will meet these requirements MOST cost-effectively?

A. Replace the existing customer gateway with a new router. Create a new Site-to-Site VPNconnection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarmfor the VPN connection. Use a value of 0 for the alarm
B. Use a second customer gateway and a second ISP. Create a new Site-to-Site VPN connection to thetransit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPNconnection. Use a value of less than 1 for the alarm.
C. Add an AWS Direct Connect connection to the existing Site-to-Site VPN connection to the transitgateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection.Use a value of failed for the alarm.
D. Use a second customer gateway with the existing ISP. Create a new Site-to-Site VPN connection tothe transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPNconnection. Use a value of unavailable for the alarm.

Show Answer

---

Question # 3

A company operates in the us-east-1 Region and the us-west-1 Region. The company is designing asolution to connect an on-premises data center to the company's AWS environment in us-east-1. Thesolution uses two AWS Direct Connect connections.Traffic from us-west-1 to the data center needs to traverse the Direct Connect connections. Anetwork engineer needs to set up active-passive functionality across the two Direct Connectconnections by using a Direct Connect gateway to influence inbound traffic from VPCs that are in uswest1 to the data center.Which solution will meet these requirements?

A. At the data center, set the local preference for the primary connection to be higher than the localpreference for the secondary connection.
B. Use AS path prepending to set the AS path on the primary connection to be longer than the ASpath on the secondary connection.
C. Use local preference BGP community tags to apply the 7224:7300 local preference BGPcommunity tag to the prefixes for the primary connection. Apply the 7224:7100 local preference BGPcommunity tag to the prefixes for the secondary connection.
D. Use local preference BGP community tags to apply the 7224:9300 local preference BGPcommunity tag to the prefixes for the primary connection. Apply the 7224:9100 local preference BGPcommunity tag to the prefixes for secondary connection.

Show Answer

---

Question # 4

A company runs an application across multiple AWS Regions and multiple Availability Zones. Thecompany needs to expand to a new AWS Region. Low latency is critical to the functionality of theapplication.A network engineer needs to gather metrics for the latency between the existing. Regions and thenew Region. The network engineer must gather metrics for at least the previous 30 days.Which solution will meet these requirements?

A. Configure an AWS Network Access Analyzer Network Access Scope, and use the analysis to reviewthe latency.
B. Set up AWS Network Manager Infrastructure Performance. Publish network performance metricsto Amazon CloudWatch.
C. Use an Amazon VPC Reachability Analyzer path to review the latency.
D. Set up VPC Flow Logs. Publish log metrics to Amazon CloudWatch.

Show Answer

---

Question # 5

A company is establishing hybrid cloud connectivity from an on-premises environment to AWS in theus-east-1 Region. The company is using a 10 Gbps AWS Direct Connect dedicated connection. Thecompany has two accounts in AWS. Account A has transit gateways in four AWS Regions. Account Ð’has transit gateways in three Regions. The company does not plan to expand.To meet security requirements the company's accounts must have separate cloud infrastructure.Which solution will meet these requirements MOST cost-effectively?

A.Create one Direct Connect gateway in us-east-1. Use AWS Resource Access Manager (AWS RAM)to share the Direct Connect gateway with each account. Create a transit VIF for AccountA.Associatethe four transit gateways in Account A to the Direct Connect gateway. Create a transit VIF for AccountB.Associate the three transit gateways in Account Ð’ to the Direct Connect gateway.
B. Create one Direct Connect gateway in us-east-1 for AccountA. Create a second Direct Connectgateway in us-east-1 for Account B. Create a transit VIF for AccountA. Associate the four transitgateways in Account A to the Direct Connect gateway in AccountA. Create a transit VIF for Account B.Associate the three transit gateways in Account Ð’ to the Direct Connect gateway in Account Ð’.
C. Create one Direct Connect gateway in us-east-1. Use AWS Resource Access Manager (AWS RAM)to share the Direct Connect gateway with each account. Create a transit VIF for AccountA. Associatethe four transit gateways in Account A to the Direct Connect gateway. Order a new 10 Gbps DirectConnect dedicated connection for Account B. Create a transit VIF on the new Direct Connect connection for Account B. Associate the three transit gateways in Account Ð’ to the Direct Connectgateway.
D. Create one Direct Connect gateway in us-east-1 for AccountA. Create a second Direct Connectgateway in us-east-1 for Account B. Create a transit VIF for AccountA. Associate the four transitgateways in Account A to the Direct Connect gateway in AccountA. Order a new 10 Gbps DirectConnect dedicated connection for Account Ð’. Create a transit VIF on the new Direct Connectconnection for Account Ð’. Associate the three transit gateways in Account Ð’ to the Direct Connectgateway in Account Ð’.

Show Answer

---

Question # 6

A company has two AWS Direct Connect connections between Direct Connect locations and thecompany's on-premises environment in the US. The company uses the connections to communicatewith AWS workloads that run in the us-east-1 Region. The company has a transit gateway thatconnects several VPCs. The Direct Connect connections terminate at a Direct Connect gateway andthe transit VIFs to the transit gateway.The company recently acquired a smaller company that is based in Europe. The newly acquiredcompany has only on-premises workloads. The newly acquired company does notexpect to run workloads on AWS for the next 3 years. However, the newly acquired company requiresconnectivity to the parent company's AWS resources in us-east-1 and to theparent company's on-premises environment in the US. The parent company wants to use two newDirect Connect connections in Europe to provide the required connectivity.Which solution will meet these requirements with the LEAST operational overhead for the newlyacquired company?

A.Associate new transit VIFs to the existing Direct Connect gateway. Configure the new transit VIFsto use Direct Connect SiteLink.
B.Associate new transit VIFs to a new Direct Connect gateway and to a new transit gateway in theeu-west-1 Region. Use transit gateway peering to connect the transit gateways.
C.Associate new private VIFs to the existing Direct Connect gateway. Configure the existing transitVIFs and the new private VIFs to use Direct Connect SiteLink.
D.Associate new private VIFs to a new Direct Connect gateway and to a new VPC in us-east-1.Configure the existing transit VIFs and the new private VIFs to use Direct Connect SiteLink and AWSPrivateLink endpoints in the new VPC

Show Answer

---

Question # 7

AnyCompany deploys and manages networking resources in its AWS network account, namedAccountA.AnyCompany acquires Example Corp, which has an application that runs behind anApplication Load Balancer (ALB) in Example Corp's AWS account, named Account-B.Example Corp needs to use AWS Global Accelerator to create an accelerator to publish theapplication to users. AnyCompany's networking team will manage the accelerator.Which solution will meet these requirements with the LEAST management overhead?

A.Create an accelerator in Account-Ð’. Use a cross-account role from Account-A to grant thenetworking team access to manage the accelerator.
B.Deploy a Network Load Balancer (NLB) in Account-A to route traffic to the ALB in Account-Ð’.Create an accelerator, and set the NLB as the endpoint in Account-A.
C.Create a cross-account Global Accelerator attachment in Account-Ð’ for the Account-A principal.Create an accelerator in Account-A by using the shared attachment.
D.Create an accelerator in Account-A.Use AWS Resource Access Management (AWS RAM) to sharethe accelerator with Account-Ð’. Associate the ALB in Account-Ð’ with the accelerator in Account-A.

Show Answer

---

Question # 8

A media company is planning to host an event that the company will live stream to users. Thecompany wants to use Amazon CloudFront.A network engineer creates a primary origin and a secondary origin for CloudFront. The engineerneeds to ensure that the primary origin can fail over to the secondary origin within 15 seconds if adisruption occurs.Which solution will meet this requirement with the LEAST operational overhead?

A.Configure a Lambda@Edge function to check the health status of both origins every 10 seconds.Reroute incoming requests when the origin health status is unhealthy.
B.Create a Network Load Balancer (NLB) in front of both origins Configure the NLB as the origin inCloudFront.
C.Set the CloudFront origin connection timeout value to 5 seconds Set the origin connectionattempts value to 2.
D.Configure a Lambda@Edge function to monitor incoming requests for an origin response. Rerouteincoming requests if no response is received from the primary origin within 10 seconds.

Show Answer

---

Question # 9

A company wants to analyze TCP internet traffic. The traffic originates from Amazon EC2 instances inthe companys VPC. The EC2 instances initiate connections through a NAT gateway.The company wants to capture data about the traffic including source and destination IP addressesports, and the first 8 bytes of the TCP segments of the traffic. The company needs to collect, store,and analyze all the required data points.Which solution will meet these requirements?

A.Configure the EC2 instances to be VPC traffic mirror sources. Deploy software on the traffic mirrortarget to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch LogsInsights
B.Configure the NAT gateway to be a VPC traffic mirror source. Deploy software on the traffic mirrortarget to forward the data to an Amazon S3 bucket. Analyze the data by using Amazon Athena
C.Turn on VPC Flow Logs for the EC2 instances. Specify the default format and set AmazonCloudWatch Logs as the log destination. Analyze the flow log data by using CloudWatch Logs Insights.
D.Turn on VPC Flow Logs for the EC2 instances. Specify a custom format and set Amazon S3 as thelog destination. Analyze the flow log data by using Amazon Athena.

Show Answer

---

Question # 10

A company operates in multiple AWS Regions. The company has deployed transit gateways in eachRegion. The company uses AWS Organizations to operate multiple AWS accounts in one organization.The company needs to capture all VPC flow log data when a new VPC is created. The company needsto send flow logs to a specific Amazon S3 bucket.Which solution will meet these requirements with the LEAST administrative effort?

A.Update IAM permissions for each user to include a condition that ensures users can createVPCs only when VPC Flow Logs is enabled and configured correctly
B.Create a custom AWS Config rule with automatic remediation that verifies VPC Flow Logs isenabled and configured correctly. Apply the AWS Config rule to the organization.
C.Enable VPC Flow Logs on each transit gateway. Configure VPC Flow Logs to send flow logs to thespecified S3 bucket.
D.Deploy a serverless application that uses AWS CloudTrail to monitor for VPC creation events ineach account. Configure the application to apply the correct VPC Flow Logs configuration.

Show Answer

---

Question # 11

A company has an AWS environment that includes multiple VPCs that are connected by a transitgateway. The company wants to use a certificate-based AWS Site-to-Site VPN connection to establishconnectivity between an on-premises environment and the AWS environment. The company doesnot have a static public IP address for the on-premises environment.Which combination of steps should the company take to establish VPN connectivity between the transit gateway and the on-premises environment? (Choose two.)

A.Create a public certificate in AWS Certificate Manager (ACM).
B.Create a private certificate in AWS Certificate Manager (ACM).
C.Configure the Site-to-Site VPN tunnels to use the pre-shared key (PSK).
D.Create a customer gateway. Specify the current dynamic IP address of the customer gatewaydevice's external interface.
E.Create a customer gateway. Do not specify the IP address of the customer gateway device.

Show Answer

---

Question # 12

A company has two teams: Team A and Team B. Team A has VPCs that run in AccountA.The teamuses a transit gateway (TGW-A) to route traffic between workloads that run in the different VPCs.Similarly, Team Ð’ has VPCs that run in Account B. Team Ð’ uses a different transit gateway (TGW-B) to route traffic between workloads that run in the different VPCs.The company's network team manages the routing for Team A and Team Ð’. The network team wantsto retire TGW-B and use a single transit gateway to manage routing for the VPCs of both teams.Which solution will meet this requirement with the LEAST operational overhead?

A.Create a resource share for TGW-A Share TGW-A with Account B. Create VPC attachments for theVPCs in Account Ð’. Configure routing for the VPCs in TGW-A route tables. Update the route tables ofthe VPCs in Account Ð’ to forward traffic to TGWA.Delete TGW-B attachments and TGW-B
A. Share TGW-A with Account Ð’. Replicate the TGW-Bconfiguration to TGW-A to automatically start routing changes for the VPCs in Account Ð’. DeleteTGW-B when routing changes are complete.
C.Create a new transit gateway (TGW-C) in AccountA. Create a resource share for TGW-C. ShareTGW-C with Account B. Create VPC attachments for the VPCs in Account A and Account Ð’. Configurerouting for all the VPCs in TGW-C route tables. Update the route tables for the VPCs in Account A andAccount Ð’ to forward traffic to TGW-C. Delete TGW-A attachments and TGW-B attachments. DeleteTGW-A and TGW-B.
D.Create a new transit gateway (TGW-C) in a new account (Account C). Create a resource share forTGW-C. Share TGW-C with Account A and Account B. Create VPC attachments for the VPCs inAccount A and Account Ð’. Configure routing for all the VPCs in TGW-C route tables. Update the routetables for the VPCs in Account A and Account Ð’ to forward traffic to TGW-C. Delete TGW-Aattachments and TGW-B attachments. Delete TGW-A and TGW-B.

Show Answer

---

Question # 13

A company has several AWS Site-to-Site VPN connections between an on-premises customergateway and a transit gateway. The company's application uses IPv4 to communicate through theVPN connections.The company has updated the VPC to be dual stack and wants to transition to using IPv6-only for newworkloads. When the company tries to communicate through the existing VPN connections, IPv6traffic fails.Which solution will provide IPv6 support with the LEAST operational overhead?

A.Create a new Site-to-Site VPN connection that supports IPv6.
B.Create a new Site-to-Site VPN connection to a self-managed Amazon EC2 instance that runs opensource software.
C.Update the existing Site-to-Site VPN connections to support IPv6.
D.Update the on-premises customer gateway's public IP address from IPv4 to IPv6.

Show Answer

---

Question # 14

A company uses transit gateways to route traffic between the company's VPCs. Each transit gatewayhas a single route table. Each route table contains attachments and routes for the VPCs that are inthe same AWS Region as the transit gateway. The route tables in each VPC also contain routes to allthe other VPC CIDR ranges that are available through the transit gateways. Some VPCs route to localNAT gateways.The company plans to add many new VPCs soon. A network engineer needs a solution to add newVPC CIDR ranges to the route tables in each VPC.Which solution will meet these requirements in the MOST operationally efficient way?

A.Create a new customer-managed prefix list. Add all VPC CIDR ranges to the new prefix list. Updatethe route tables in each VPC to use the new prefix list ID as the destination and the appropriatetransit gateway ID as the target.
B.Turn on default route table propagation for the transit gateway route tables. Turn onroute propagation for each route table in each VPC.
C.Update the route tables in each VPC to use 0.0.0.010 as the destination and the appropriate transitgateway ID as the target.
D.Turn on default route table association for the transit gateway route tables. Turn on routepropagation for each route table in each VPC.

Show Answer

---

Question # 15

A company runs a workload in a single VPC on AWS. The companys architecture contains severalinterface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS KeyManagement Service (AWS KMS). The endpoints are configured to use a shared security group. Thesecurity group is not used for any other workloads or resources.After a security review of the environment, the company determined that the shared security groupis more permissive than necessary. The company wants to make the rules associated with thesecurity group more restrictive. The changes to the security group rules must not prevent theresources in the VPC from using AWS services through interface VPC endpoints. The changesmust prevent unnecessary access.The security group currently uses the following rules:Inbound - Rule 1Protocol: TCPPort: 443Source: 0.0.0.0/0Inbound - Rule 2Protocol: TCPPort: 443Source: VPC CIDROutbound - Rule 1Protocol: AllPort: AllDestination: 0.0.0.0/0Which rule or rules should the company remove to meet with these requirements?

A.Outbound - Rule 2
B.Inbound - Rule 1 and Outbound - Rule 1
C.Inbound - Rule 2 and Outbound - Rule 1
D.Outbound - Rule 1

Show Answer

---

Question # 16

A company deployed an application in two AWS Regions in one AWS account. The company has oneVPC in each Region. The VPCs use non-overlapping private CIDR ranges.The company needs to connect both VPCs to a single on-premises data center to test the application.The application requires up to 800 Mbps of throughput. A network engineer needs to establishconnectivity between the VPCs and the on-premises data center.Which solution will meet this requirement with the LEAST operational overhead?

A.Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gatewayin each VPC. Create a private VIF for each virtual private gateway, and associate the virtual privategateways with the Direct Connect connection. Configure static routes in the VPC route tables and inthe data center router
B.Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gatewayin each VPC. Create a private VIF for each virtual private gateway, and associate the virtual privategateways with the Direct Connect connection. Configure Open Shortest Path First (OSPF) routingbetween the private VIF and the data center
C.Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWS SitetoSite VPN connection between the data center and each VPC. Configure static routes in each VPCroute table to point to the subnets in the data center.
D.Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWSSiteto- Site VPN connection between the data center and each VPC. Configure BGP routing betweentheVPCs and the data center.

Show Answer

---

Question # 17

A company has multiple VPCs with subnets that use IPv4. Traffic from the VPCs to the internet uses aNAT gateway. The company wants to transition to IPv6.A network engineer creates multiple IPv6-only subnets in an existing testing VPC. The networkengineer deploys a new Amazon EC2 instance that has an IPv6 address into one of the subnets.During testing, the network engineer discovers that the new EC2 instance is not able tocommunicate with an IPv4-only service through the internet. The network engineer needs to enablethe IPv6 EC2 instance to communicate with the IPv4-only service.Which solution will meet this requirement?

A.Enable DNS64 for the IPv6-only subnets. Update the route tables for the IPv6-only subnets to sendtraffic through the NAT gateway.
B.Enable NAT64 for the testing VPC. Reconfigure the existing NAT gateway to support IPv6.
C.Enable DNS64 for the new EC2 instance. Create a new egress-only internet gateway that supportsIPv6.
D.Enable NAT64 for each route table. Create a new NAT gateway that supports both IPv4 and IPv6.

Show Answer

---

Question # 18

A company has a transit gateway in a single AWS account. The company sends flow logs for thetransit gateway to an Amazon CloudWatch Logs log group.The company created an AWS Lambda function to analyze the logs. The Lambda function sends anotification to an Amazon Simple Notification Service (Amazon SNS) topic when a VPC generatestraffic that is dropped by the transit gateway. Each notification contains the account ID. VPC ID, andtotal amount of dropped packets.The company wants to subscribe a new Lambda function to the SNS topic. The new Lambda functionmust automatically prevent the traffic that is identified in each notification from leaving a VPC byapplying a network ACL to the transit gateway attachment subnets in the VPC that generates thetraffic.Which solution will meet these requirements?

A.Configure the existing Lambda function to add the destination IP addresses of the dropped trafficto each SNS notification. Configure the new Lambda function to create an outbound rule by using thedestination IP addresses in the network ACL.
B.Configure the existing Lambda function to add the source IP addresses of the dropped traffic toeach SNS notification. Configure the new Lambda function to create an inbound rule by using thesource IP addresses in the network ACL.
C.Configure the existing Lambda function to add the source IP addresses of the dropped traffic toeach SNS notification. Configure the new Lambda function to create an outbound rule by using the source IP addresses in the network ACL.
D.Configure the existing Lambda function to add the destination IP addresses of the dropped trafficto each SNS notification. Configure the new Lambda function to create an inbound rule by using thedestination IP addresses in the network ACL.

Show Answer

---

Question # 19

A company has multiple AWS Site-to-Site VPN connections between an on-premises environmentand multiple VPCs. The Site-to-Site VPN connections use virtual private gateways and are configuredwith IPv4 addresses. The company hosts several internal applications in the VPCs.Application users have reported that the applications are performing slowly. A network engineernotices excessive latency in the network path that the VPN connections use. The network engineerneeds to resolve the excessive latency.Which solution will meet this requirement?

A.Use AWS Global Accelerator to deploy an accelerator on the existing Site-to-Site VPN connections.
B.Deploy a transit gateway and a new accelerated Site-to-Site VPN connection.
C.Replace the existing Site-to-Site VPN connections with new Site-to-Site VPN connections that useIPv6.
D.Replace the existing Site-to-Site VPN connections with AWS PrivateLink connections.

Show Answer

---

Question # 20

A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in thesame AWS account. Each VPC contains Amazon EC2 instances that host the company's applications.Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in AutoScaling groups.A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling grouplaunches and terminates EC2 instances.Which solution will meet this requirement with the LEAST implementation and administrative effort?

A.Create a network ACL for each application. Reference the network ACL in the stateful rule group.
B.Create a prefix list for each application. Reference the prefix list in the stateful rule group.
C.Create an AWS Lambda function that queries the EC2 instance tags for each application name andthen updates the stateful rule group with the IP address of each instance.
D.Create a resource group for each application name. Reference the Amazon Resource Name (ARN)for the resource groups in the stateful rule group.

Show Answer

---

Question # 21

A company hosts application servers on premises and on Amazon EC2 instances in a VPC. Theapplication servers access data that is hosted in an Amazon S3 bucket through the public internet.The EC2 instances in the VPC use an AWS Site-to-Site VPN for connectivity with the on-premisesapplication servers.New company regulations state that all traffic between the application servers and the S3 bucketmust remain private and must not use public IP addresses.Which solution will meet these requirements MOST cost-effectively?

A.Configure an S3 gateway endpoint Modify the route table with the appropriate route for theendpoint. Access the S3 bucket through the gateway endpoint from the EC2 instances.
B.Configure an S3 interface endpoint. Update the on-premises servers and EC2 instances to use theinterface endpoint DNS name to access the S3 bucket.
C.Configure an S3 interface endpoint. Update the on-premises servers to use the interface endpointDNS name to access the S3 bucket. Configure an S3 gateway endpoint. Modify the route table so thatthe EC2 instances use the gateway endpoint.
D.Configure an S3 gateway endpoint. Modify the route table with the appropriate route for theendpoint. Use an S3 bucket policy to restrict access to the gateway endpoint. Configure a proxyserver fleet behind a Network Load Balancer in the VPC so that the on-premises servers can accessthe S3 bucket.

Show Answer

---

Question # 22

A company uses AWS Site-to-Site VPN connections to encrypt traffic between the company's onpremiseslocation and a single VPC. The Site-to-Site VPN connections use two 1 Gbps AWS DirectConnect connections with public VIFs. The company plans to add 15 additional VPCs in the sameAWS Region.The company must maintain the same level of encryption that the Site-to-Site VPN connectionscurrently provide for each connection between the on-premises location and the new VPCs. The newconnections must not use public IP addresses. The bandwidth of the Site-to-Site VPN connections willremain less than the current provisioned speed.Which combination of steps will meet these requirements with LEAST operational overhead?(Choose three.)

A.Create a transit gateway and a Direct Connect gateway. Associate the transit gateway with theDirect Connect gateway. Attach all the new VPCs to the transit gateway.
B.For each new VPC, create a new Direct Connect private VIF to a Direct Connect gateway.Associate all VPCs with the Direct Connect gateway.
C.Assign a private IP CIDR block to the transit gateway.
D.Assign a public IP CIDR block to the transit gateway.
E.Create a transit VIF to the Direct Connect gateway. Create a Site-to-Site VPN private IP VPNconnection.Create a public VIF.
F.Create a Site-to-Site VPN public IP VPN connection.

Show Answer

---

Question # 23

A company has an application VPC and a networking VPC that are connected through VPC peering.The networking VPC contains a Network Load Balancer (NLB). The application VPC contains AmazonEC2 instances that run an application. The EC2 instances are part of a target group that is associatedwith the NLB in the networking VPC.The company configures a third VPC and peers it to the networking VPC. The new VPC contains a newversion of the existing application. The new version of the application runs on new EC2 instances inan application subnet. The new version of the application runs in a different Availability Zone thanthat original version of the application.The company needs to establish connectivity between the NLB and the new version of theapplication.Which combination of steps will meet this requirement? (Choose three.)

A.Register the new application EC2 instances with the NLB by using the instance IDs.
B.Register the new application EC2 instances with the NLB by using instance IP addresses.
C.Configure the NLB in the Availability Zone where the new application EC2 instances run.
D.Configure the NLB to use zonal shift.
E.Configure the network ACL for the application subnet in the new VPC to allow outboundconnections.
F.Configure the network ACL for the application subnet in the new VPC to allow inboundconnections and outbound connections.

Show Answer

---

Question # 24

A company is migrating its internet VPN connections to dedicated AWS Direct Connect connections.The company needs to set up the Direct Connect connections so that all network communicationsare encrypted in transit.Which combination of steps will meet this requirement? (Choose three.)

A.Create new Direct Connect connections while requesting MACsec ports.
B.Create a MACsec Connectivity Association Key Name (CKN) and Connectivity Association Key(CAK) pair. Associate the pair with each new connection
C.Update the on-premises routers to use MACsec and the shared Connectivity Association Key Name(CKN) and Connectivity Association Key (CAK) pair
D.Create a shared key for an IPsec connection.
E.Configure a new Direct Connect gateway. Associate the shared key with the new Direct Connectgateway.
F.Set up IPsec on the on-premises router. Associate the shared key with the IPsec configuration.

Show Answer

---

Question # 25

A company runs workloads in multiple VPCs. The company needs to securely access a workload inone of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up anAWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamicrouting for the connection, and communication works properly.Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner createdworkloads that use the additional CIDR range.The company's on-premises network is unable to reach the new workloads. The network engineerneeds to resolve the network connectivity issue and ensure that connectivity will not be affected ifadditional VPC CIDR ranges are added to the VPC in the future.Which solution will meet these requirements with the MOST operational efficiency?

A.Configure route propagation for VPC-A to the VPN attachment route table.
B.Manually update the VPN attachment route table to include the new CIDR range.
C.Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule tomatches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPNattachment route table.
D.Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is anupdate to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachmentroute table. Restart the VPN tunnels.

Show Answer

---

Question # 26

A company runs applications in two VPCs that are in separate AWS Regions. One VPC is in the useast1 Region. The second VPC is in the us-west-1 Region. The company needs to establishconnectivity between the two VPCs. The company also needs to connect the VPCs to applicationsthat run in an on-premises data center.The current traffic requirement between the VPCs is 50 ТВ per month. The company expects trafficvolume between the VPCs to increase. The traffic requirement from the VPCs to the on-premisesdata center is 10 ТВ per month. The company expects the traffic between the VPCs and the datacenter to remain constant.Which solution will meet these requirements MOST cost-effectively?

A.Create a transit gateway in each Region. Create VPN connections from the transit gateways to theon-premises firewall. Create a peering connection between the transit gateways.
B.Create a virtual private gateway in each Region. Create VPN connections from the on-premisesfirewall to the virtual private gateways. Configure the on-premises firewall to route the trafficbetween the two VPCs.
C.Create a virtual private gateway in each Region. Create VPN connections from the on-premisesfirewall to the virtual private gateways. Create a VPC peering connection between the two VPCs.
D.Create a virtual private gateway in each Region. Create VPN connections from the on-premisesfirewall to the virtual private gateways. Create a VPN connection between the virtual privategateways.

Show Answer

---

Question # 27

A US-based company is expanding its business to Europe. A network engineer needs to extend thecompany's network infrastructure by setting up a new hub and spoke architecture in the eu-west-1Region. The network engineer uses a transit gateway peering connection to connect the newresources in eu-west-1 to an existing environment in the us-east-1 Region.The hub and spoke architecture in each AWS Region includes an inspection VPC that uses AWSNetwork Firewall to centralize traffic inspection for each Region. To reduce costs, the networkengineer decides to inspect inter-Region traffic by using the inspection VPC in the Region thatoriginates the traffic. The network engineer configures the transit gateway route tables accordinglyfor each Region.When the network engineer tests the new architecture, communication within each Region works asexpected. However, the network engineer finds that inter-Region communication is not working. Thenetwork engineer must resolve the inter-Region communication issue.Which solution will meet this requirement?

A.Configure Open Shortest Path First (OSPF) routing on the transit gateway peering connection topropagate the VPC CIDR blocks from each Region to the remote peer.
B.Use AWS Resource Access Manager (AWS RAM) to share access between the transit gateways.Enable the Allow sharing with anyone setting.
C.Prevent asymmetric routing in the inspection VPCs by ensuring that both requests and responsesare inspected by the same inspection VPC
D.Enable Appliance mode on both the transit gateway attachments for the inspection VPC.

Show Answer

---

Question # 28

A company needs to capture and log traffic for Nitro-based Amazon EC2 instances to comply withregulations. The company's network team has prepared a solution that enables VPC traffic mirroringand sends traffic to a second set of EC2 instances in an Auto Scaling group.The network team has added a Network Load Balancer (NLB) in front of the EC2 instances the trafficwill be sent to. However, the solution does not send any mirrored traffic to the EC2 instances that arebehind the NLB.How should the network team configure traffic mirroring to use the NLB endpoint?

A.Select the NLB as a source for traffic mirroring. Use a UDP listener.
B.Select the NLB as a target for traffic mirroring. Use a TCP listener and a UDP listener.
C.Select the NLB as a target for traffic mirroring. Use a TCP listener.
D.Select the NLB as a target for traffic mirroring. Use a UDP listener.

Show Answer

---

Question # 29

A company has a hybrid environment that connects an on-premises data center to the AWS Cloud.The hybrid environment uses a 10 Gbps AWS Direct Connect dedicated connection. The DirectConnect connection has multiple private VIFs that terminate in multiple VPCs.To comply with regulations, the company must encrypt all WAN traffic, regardless of the underlyingtransport. The company needs to implement an encryption solution that will not affect thecompany's bandwidth capacity.Which solution will meet these requirements?

A.Create a public VIF. Configure a new AWS Site-to-Site VPN connection to use the new public VIF.
B.Configure MAC security (MACsec) support on the port of the existing Direct Connect connection.Change the encryption mode to must_encrypt.
C.Configure a new Direct Connect connection that supports MAC security (MACSec) Associate theexisting VIFs to the new Direct Connect connection.
D.Create a public VIF. Configure a new private IP VPN that uses the Direct Connect connection.

Show Answer

---

Question # 30

A company has five VPCs in the us-east-1 Region. The company hosts an internal web application inus-east-1. One of the company's VPCs. named VPC-A, needs to connect to an external partner's AWSenvironment. The partners environment is in the same AWS Region where the partner hosts a newversion of the company's web application. The partner hosts its version of the application in a VPCnamed VPC-B.The company has Amazon EC2 instances in VPC-A that need to connect to the web application inVPC-B A network engineer notices that the partner's VPC-B and the company's VPC-A use thesame IP space. The network engineer needs a solution to allow the EC2 instances to connect to theweb application. The solution must not negatively affect the exiting environment of the company orthe partner.Which combination of steps should the network engineer take meet these requirements? (Choosetwo.)

A.Establish a VPC peering connection between VPC-A to VPC-B.
B.Ensure the partner creates a VPC endpoint service that uses a Network Load Balancer in VPC-B.
D.Deploy a new routable VPC CIDR block as a secondary CIDR block to both VPC-A and VPC-B. Deploy a public NAT gateway in VPC-A.
E.Establish an AWS Site-to-Site VPN connection between VPC-A and VPC-B.

Show Answer

---

Question # 31

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB).The instances are part of an Amazon EC2 Auto Scaling group.To comply with new security standards, the company must capture all application access data,including server response codes, request paths, latency, and client IP addresses. The company alsoneeds to query the captured data for performance analysis.Which solution will meet these requirements?

A.Enable VPC flow logs on the ALB subnets. Store the logs to an Amazon S3 bucket. Query the logs inthe S3 bucket by using Amazon Athena.
B.Configure Amazon VPC Traffic Mirroring on all EC2 elastic network interfaces. Deploy a third-partymonitoring appliance from AWS Marketplace in a private subnet. Use Amazon Data Firehose to sendall mirrored traffic to the monitoring appliance. Query the logs directly from the monitoringappliance.
C.Configure Amazon CloudWatch detailed monitoring on the EC2 instances Include all available logs.Use Amazon Data Firehose to send all the collected logs to an Amazon S3 bucket. Query the datadirectly from the S3 bucket.
D.Enable access logs on the ALB. Store the logs in an Amazon S3 bucket. Query the logs in the S3bucket by using Amazon Athena.

Show Answer

---

Question # 32

A company is planning to migrate to AWS and use multiple VPCs in multiple AWS Regions. A networkengineer must connect the eu-west-1 and eu-central-1 Regions to the company headquarters and branch office, respectivelyThe network engineer created a production VPC, named Prod A, with a CIDR block of 10.0.0.0.Prod A runs in an account in eu-west-1. The network engineer then created another production VPC,named Prod B, with a CIDR block of 10.1.0.0. Prod Ð’ runs in a different account in eu-central-1.The network engineer performed the following steps to try to achieve the required connectivity:1.Created one transit gateway in each Region2.Shared and accepted the transit gateways with the production accounts in both Regions3.Configured the peering attachment between both transit gateways4.Attached both VPCs to the respective Region transit gateway5.Created both transit gateway route tables and associated the attachments with the route tables6.Configured a static route in both transit gateway route tables to send traffic to the remote VPC inthe other Region7.Activated route propagation on the VPC route tables in each RegionAfter the configuration, the network engineer tried to connect from Prod A to Prod B. However, theconnection was unsuccessful.What should the network engineer do to achieve the required connectivity?

A.Modify the IP address of the peering attachment to a wider range.
B.Delete the static routes that were in the transit gateway route table to send traffic to the remoteVPC and enable route propagation instead.
C.Create a new route destined to 10.0.0.0 in both production VPC route tables with the Regiontransit gateway as the target.
D.Modify the transit gateway route tables from the production accounts to propagateroutes dynamically between the production VPCs.

Show Answer

---

Question # 33

A company is planning to use an AWS Transit Gateway hub and spoke architecture to migrate to AWS.The current on-premises multi-protocol label switching (MPLS) network has strict controls thatenforce network segmentation by using MPLS VPNs. The company has provisioned two 10 Gbps AWSDirect Connect connections to provide resilient, high-speed, low-latency connectivity to AWS.A security engineer needs to apply the concept of network segmentation to the AWS environment toensure that virtual routing and forwarding (VRF) is logically separated for each of the company'ssoftware development environments. The number of MPLS VPNs will increase in the future. OnpremisesMPLS VPNs will have overlapping address space. The company's AWS network design mustsupport overlapping address space for the VPNs.Which solution will meet these requirements with the LEAST operational overhead?

A.Deploy a software-defined WAN (SD-WAN) head-end virtual appliance and an SD-WAN controllerinto a Transit Gateway Connect VPC. Configure the company's edge routers to be managed by thenew SD-WAN controller and to use SD-WAN to segment the traffic into the defined segments foreach of the company's development environments.
B.Configure IPsec VPNs on the company edge routers for each MPLS VPN for each of thecompany's development environments. Attach each IPsec VPN tunnel to a discrete MPLS VPN.Configure AWS Site-to-Site VPN connections that terminate at a transit gateway for each MPLSVPN. Configure a transit gateway route table that matches the MPLS VPN for each Transit GatewayVPN attachment.
C.Create a transit VPC that terminates at the AWS Site-to-Site VRF-aware IPsec VPN. Configure IPsecVPN connections to each VPC for each of the company's development environment VRFs
D.Configure a Transit Gateway Connect attachment for each MPLS VPN between the company's edgerouters and Transit Gateway. Configure a transit gateway route table that matches the MPLS VPN foreach of the company's development environments.

Show Answer

---

Question # 34

A company is planning to host a secure web application across multiple Amazon EC2 instances. Theapplication will have an associated DNS domain in an Amazon Route 53 hosted zone.The company wants to protect the domain from DNS poisoning attacks. The company also wants toallow web browsers to authenticate into the application by using a trusted third party.Which combination of actions will meet these requirements?

A.Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install self-signedX.509 certificates on the EC2 instances.
B.Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install X 509certificates that are signed by a public certificate authority on the EC2 instances.
C.Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install X.509certificates that are signed by a public certificate authority on the EC2 instances.
D.Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install selfsignedX.509 certificates on the EC2 instances.

Show Answer

---

Question # 35

A companys data center is connected to a single AWS Region by an AWS Direct Connect dedicatedconnection. The company has a single VPC in the Region. The company stores logs for all itsapplications locally in the data center.The company must keep all application logs for 7 years. The company decides to copy all applicationlogs to an Amazon S3 bucket.Which solution will meet these requirements?

A.Create a public VIF on the Direct Connect connection. Create an Amazon S3 gateway endpoint inthe VPC.
B.Create a private VIF on the Direct Connect connection. Create an Amazon S3 gateway endpoint inthe VPC.
C.Create a private VIF on the Direct Connect connection. Create an Amazon S3 interface endpoint inthe VPC.
D.Create a public VIF on the Direct Connect connection. Create an Amazon S3 interface endpointin the VPC.

Show Answer

---

Testimonials