Free AWS Advanced Networking Specialty Exam ANS-C00 Exam Practice Test

Your company needs to leverage Amazon Simple Storage Solution (S3) for backup and archiving. According to company policy, data should not flow on the public Internet even if data is encrypted. You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.Which design should you set up?

• An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.
• An AWS Direct Connect connection to us-east-1.
• An AWS Direct Connect connection to us-west-2.
• An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.How can this requirement be achieved?

• Use a Network Load Balancer to automatically preserve the source IP address.
• Use a Network Load Balancer and enable the X-Forwarded-For attribute.
• Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
• Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol

Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.Which method allows for efficient, automated integration of the IPAM with CloudFormation?

• AWS CloudFormation parameters using the ''Ref::'' intrinsic function
• AWS CloudFormation custom resource using an AWS Lambda invocation.
• CloudFormation::OpsWorks::Stack with custom Chef configuration.
• AWS CloudFormation parameters using the ''Fn::FindInMap'' intrinsic function. Cloudformation chapter under exam essentials it says 'custom resources in an AWS cloudformation template allows you to configure non-aws resources not supported by AWS. You can use custom resources to make calls to an IPAM'

A company is deploying a critical application on two Amazon EC2 instances in a VPC Failed client connections to the EC2 instances must be logged according to company policy.What is the MOST cost-effective solution to meet these requirements'?

• Move the EC2 instances to a dedicated VPC Enable VPC Flow Logs with a filter on the deny action Publish the flow logs to Amazon CloudWatch Logs
• Move the EC2 instances to a dedicated VPC subnet Enable VPC Flow Logs for the subnet with a filter on the reject action Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket
• Enable VPC Flow Logs, filtered for rejected traffic for the elastic network interfaces associated with the instances Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket
• Enable VPC Flow Logs, filtered for rejected traffic for the elastic network interfaces associated with the instances Publish the flow logs to Amazon CloudWatch Logs

Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location.Which solution will meet this requirement, while minimizing downtime and costs?

• Deploy a third-party vendor solution to perform deep packet inspection in a transit VPC.
• Enable VPC Flow Logs on each VPC. Set up a stream of the flow logs to a central Amazon Elasticsearch cluster.
• Enable Amazon Macie on each AWS account and configure central reporting.
• Enable Amazon GuardDuty on each account as members of a central account. References: https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/

An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.What connection option should the organization use to get up and running at minimal cost?

• Use an internet connection.
• Set up an AWS VPN connection.
• Provision an AWS Direct Connection private virtual interface.
• Provision a Direct Connect public virtual interface.

An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?

• Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.
• Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.
• Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.
• Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.

A gaming company is running an online multiplayer game in multiple AWS Regions The company needs traffic from its end users to be routed to the Region that is closest to the end users geographically When maintenance occurs in a Region, traffic must be routed to the next closest Region with no changes to the IP addresses being used as connections by the end usersWhich solution will meet these requirements?

• Create an Amazon CloudFront distribution in front of all the Regions
• Use an Amazon Route 53 geoproximity routing policy to navigate traffic to the closest Region
• Use an Amazon Route 53 geolocation routing policy to navigate traffic to the closest Region
• Configure AWS Global Accelerator in front of all the Regions

A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.What steps must be taken to order the cross-connect at the Direct Connect location?

• Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.
• Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.
• Obtain the LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The Facility Operator will ensure that the cross-connect is installed.
• Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.

A company's application runs in a VPC and stores sensitive data in Amazon S3 The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3 The S3 bucket is located in the same AWS Region as the EC2 instances The company wants to ensure that this bucket can be accessed only from the VPC where the application residesWhich changes should a network engineer make to the architecture to meet these requirements?

• Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet Configure the S3 security group to allow only the application instances to access the bucket
• Deploy an S3 VPC endpoint in the VPC where the application resides Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint
• Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket Allow access only from the VPC CIDR range, and deny all other IP address ranges
• Create a new 1AM role for the EC2 instances that provides access to the S3 bucket and assign the role to the application instances Configure an S3 bucket policy to allow access only from the role