AWS-Certified-Advanced-Networking-Specialty Free Practice Test

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.
What design will use the LEAST amount of IP space, while allowing for this growth?

1. A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.
2. B. Use one /29 subnet for the Network Load Balance
3. C. Add another VPC CIDR to the VPC to allow for future growth.
4. D. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
5. E. Use one /28 subnet for an Application Load Balance
6. F. Add another VPC CIDR to the VPC to allow for future growth.

Correct Answer: C

A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service example com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)

1. A. Create a self-signed certificate for service.example.co
2. B. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificat
3. C. Change the default behavior to redirect HTTP to HTTPS.
4. D. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificat
5. E. Change the default behavior to redirect HTTP to HTTPS.
6. F. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instance
7. G. Configure the backend to use this certificate for its HTTPS listene
8. H. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its target
9. I. Attach the existing Auto Scaling group to this new target group.
10. J. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instance
11. K. Configure the backend to use this certificate for its HTTPS listene
12. L. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its target
13. M. Attach the existing Auto Scaling group to this new target group.
14. N. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificat
15. O. Modify the CloudFront origin to use the HTTPS protocol onl
16. P. Delete the HTTPlistener on the ALB.
17. Q. Create a self-signed certificate for service-alb.example.co
18. R. Import the certificate into AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificat
19. S. Modify the CloudFront origin to use the HTTPS protocol onl
20. T. Delete the HTTP listener on the ALB.

Correct Answer: BDE

A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides internal RESTful API service that can be reached by URL (https://api.example.internal). Two on-premises Windows DNS servers provide internal DNS resolution.
The application on the EC2 instance needs to call the internal API service that is deployed in the on-premises environment. When the application on the EC2 instance attempts to call the internal API service by referring to the hostname that is assigned to the service, the call fails. When a network engineer tests the API service call from the same EC2 instance by using the API service's IP address, the call is successful.
What should the network engineer do to resolve this issue and prevent the same problem from affecting other resources in the VPC?

1. A. Create a new DHCP options set that specifies the on-premises Windows DNS server
2. B. Associate the new DHCP options set with the existing VP
3. C. Reboot the Amazon Linux 2 EC2 instance.
4. D. Create an Amazon Route 53 Resolver rul
5. E. Associate the rule with the VP
6. F. Configure the rule to forward DNS queries to the on-premises Windows DNS servers if the domain name matches example.internal.
7. G. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPMap the service domain name (api.example.internal) to the IP address of the internal API service.
8. H. Modify the local /etc/resolv.conf file in the Amazon Linux 2 EC2 instance in the VP
9. I. Change the IP addresses of the name servers in the file to the IP addresses of the company's on-premises Windows DNS servers.

Correct Answer: B
Creating an Amazon Route 53 Resolver rule and associating it with the VPC would enable forwarding of DNS queries for a specified domain name (example.internal) to a specified IP address (the on-premises Windows DNS servers)3. This would allow EC2 instances in the VPC to resolve the internal API service by using its hostname. Configuring the rule to forward DNS queries only if the domain name matches example.internal would also allow EC2 instances to use the Amazon Route 53 Resolver server for other DNS queries, such as those for AWS services through private VPC endpoints2.

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?

1. A. Use the ALB to inspect the authorized token inside the GET/POST request payloa
2. B. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.
3. C. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payloa
4. D. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.
5. E. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payloa
6. F. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
7. G. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payloa
8. H. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.

Correct Answer: C

A bank built a new version of its banking application in AWS using containers that content to an on-premises database over VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven’t yet upgraded.
What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

1. A. Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.
2. B. Use a Classic Load Balancer for the new applicatio
3. C. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DN
4. D. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
5. E. Use an Application Load Balancer for the new applicatio
6. F. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
7. G. Use an Application Load Balancer for the new applicatio
8. H. Register both the new and earlier application backends as separate target group
9. I. Use header-based routing to route traffic based on the application version.

Correct Answer: D