ANS-C01 Free Practice Test

A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the
on-premises DNS servers.
Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones.
What should a network engineer do to meet these requirements?

1. A. Create a new Route 53 Resolver inbound endpoint in the shared services VP
2. B. Create forwarding rules for the on-premises hosted domain
3. C. Associate the rules with the new Resolver endpoint and each application VP
4. D. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
5. E. Create a new Route 53 Resolver outbound endpoint in the shared services VP
6. F. Create forwarding rules for the on-premises hosted domain
7. G. Associate the rules with the new Resolver endpoint and each application VPC.
8. H. Create a new Route 53 Resolver outbound endpoint in the shared services VPCreate forwarding rules for the on-premises hosted domain
9. I. Associate the rules with the new Resolver endpoint and each application VPUpdate each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
10. J. Create a new Route 53 Resolver inbound endpoint in the shared services VP
11. K. Create forwarding rules for the on-premises hosted domain
12. L. Associate the rules with the new Resolver endpoint and each application VPC.

Correct Answer: B
Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1. Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2. Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2. This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.

A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic.
Which solution will meet these requirements?

1. A. Deploy a Network Load Balancer (NLB) as the traffic mirror targe
2. B. Behind the NL
3. C. deploy a fleet of EC2 instances in an Auto Scaling grou
4. D. Use Traffic Mirroring as necessary.
5. E. Deploy an Application Load Balancer (ALB) as the traffic mirror targe
6. F. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling grou
7. G. Use Traffic Mirroring only during non-business hours.
8. H. Deploy a Gateway Load Balancer (GLB) as the traffic mirror targe
9. I. Behind the GL
10. J. deploy a fleet of EC2 instances in an Auto Scaling grou
11. K. Use Traffic Mirroring as necessary.
12. L. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror targe
13. M. Behind the AL
14. N. deploy a fleet of EC2 instances in an Auto Scaling grou
15. O. Use Traffic Mirroring only during active events or business hours.

Correct Answer: A

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

1. A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
2. B. Set up AWS WAF on all network components.
3. C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
4. D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
5. E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
6. F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct Answer: DEF
To meet the requirements for the healthcare company’s workload that is moving to the AWS Cloud, the network engineer should take the following steps:
Use AWS Direct Connect with MACsec support for connectivity to the cloud to ensure that all data to and from the on-premises environment is encrypted in transit (Option D).
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection to inspect all traffic in the cloud before it is allowed to leave (Option E).
Configure AWS Shield Advanced and ensure that it is configured on all public assets to secure components exposed to the internet against DDoS attacks and provide protection against financial liability for services that scale out during a DDoS event (Option F).
These steps will help ensure that all data is encrypted in transit, all traffic is inspected before leaving the cloud, and components exposed to the internet are secured against DDoS attacks.

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.
What design will use the LEAST amount of IP space, while allowing for this growth?

1. A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.
2. B. Use one /29 subnet for the Network Load Balance
3. C. Add another VPC CIDR to the VPC to allow for future growth.
4. D. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
5. E. Use one /28 subnet for an Application Load Balance
6. F. Add another VPC CIDR to the VPC to allow for future growth.

Correct Answer: C

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?

1. A. Configure the two network interfaces in the launch templat
2. B. Define the primary network interface to be created in one of the private subnet
3. C. For the second network interface, select one of the public subnet
4. D. Choose the BYOIP pool ID as the source of public IP addresses.
5. E. Configure the primary network interface in a private subnet in the launch templat
6. F. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
7. G. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launchin
8. H. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
9. I. During creation of the Auto Scaling group, select subnets for the primary network interfac
10. J. Use the user data option to run a cloud-init script to allocate a second network interface and to associate anElastic IP address from the BYOIP pool.

Correct Answer: D
During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.
This solution meets all of the requirements stated in the question. The primary network interface can be configured in a private subnet during creation of the Auto Scaling group. The user data option can be used to run a cloud-init script that will allocate a second network interface and associate an Elastic IP address from the BYOIP pool with it.