ANS-C01 Free Practice Test

A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational overhead?

1. A. Deploy a new public VIF with encryption on the existing Direct Connect connection
2. B. Reroute traffic through the new public VIF.
3. C. Create a virtual private gateway Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway Reroute traffic from the Direct Connect private VIF to the new VPNs.
4. D. Deploy a new pair of 10 GB Direct Connect connections with MACse
5. E. Configure MACsec on the edge router
6. F. Reroute traffic to the new Direct Connect connection
7. G. Decommission the original Direct Connect connections
8. H. Deploy a new pair of 10 GB Direct Connect connections with MACse
9. I. Deploy a new public VIF on the new Direct Connect connection
10. J. Deploy two AWS Site-to-Site VPN connections on top of the new public VI
11. K. Reroute traffic from the existing private VIF to the new Site-to-Site connection
12. L. Decommission the original Direct Connect connections.

Correct Answer: C

An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?

1. A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the AL
2. B. Configure the Auto Scaling group to register instances with the ALB's target group.
3. C. Create an Amazon CloudFront distributio
4. D. Configure the distribution with a custom SSL/TLS certificat
5. E. Set the Auto Scaling group as the distribution's origin.
6. F. Create a Network Load Balancer (NLB). Add a TCP listener to the NL
7. G. Configure the Auto Scaling group to register instances with the NLB's target group.
8. H. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.

Correct Answer: C
To distribute traffic from customers to EC2 instances in an Auto Scaling group and encrypt all traffic at all stages between the customers and the application servers without decryption at intermediate points, the company should create a Network Load Balancer (NLB) with a TCP listener and configure the Auto Scaling group to register instances with the NLB’s target group (Option C). This solution allows for end-to-end encryption of traffic without decryption at intermediate points.

A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?

1. A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
2. B. Change the router configurations to summarize the advertised routes.
3. C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
4. D. Create an AWS Transit Gatewa
5. E. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.

Correct Answer: B
"If you advertise more than 100 routes each for IPv4 and IPv6 over the BGP session, the BGP session will go into an idle state with the BGP session DOWN."https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

A bank built a new version of its banking application in AWS using containers that content to an on-premises database over VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven’t yet upgraded.
What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

1. A. Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.
2. B. Use a Classic Load Balancer for the new applicatio
3. C. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DN
4. D. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
5. E. Use an Application Load Balancer for the new applicatio
6. F. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
7. G. Use an Application Load Balancer for the new applicatio
8. H. Register both the new and earlier application backends as separate target group
9. I. Use header-based routing to route traffic based on the application version.

Correct Answer: D

A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)

1. A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.
2. B. The security group is blocking traffic to the IP address range used by Amazon SQS
3. C. There is no interface VPC endpoint configured for Amazon SQS
4. D. The network ACL is blocking return traffic from Amazon SQS
5. E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS

Correct Answer: CE