AWS-Certified-Advanced-Networking-Specialty Free Practice Test

A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC. Which of the following is the MOST reliable solution?

1. A. Create an inbound rule in the VPC's network ACL that matches the TCP por
2. B. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
3. C. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.
4. D. Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required por
5. E. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
6. F. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accesse
7. G. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

Correct Answer: A

A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers The company does not want to implement an access management solution that requires additional costs or effort.
Which solution meets these requirements?

1. A. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target networ
2. B. Add a rule to authorize client access to the target VP
3. C. and add a rule to authorize client access to the peered VP
4. D. Update resource security groups in both VPCs to allow traffic from the security group for the subnet associatio
5. E. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.
6. F. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target networ
7. G. Add a rule to authorize client access to each target VP
8. H. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet association
9. I. Securely send the users the configuration options, and instruct the users to install Client VPN endpoints at the same time to gain access to the resources.
10. J. Deploy a Network Load Balancer in front of the company resource
11. K. Set up security groups that contain the IP addresses of each of the user laptop
12. L. Instruct the users to connect to the application securely over TCP.
13. M. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target networ
14. N. Add a rule to authorize client access to the target VP
15. O. and add a rule to authorize client access to the peered VP
16. P. Update resource security groups in both VPCs to allow traffic from the security group for the subnet associatio
17. Q. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptop
18. R. Instruct the users to connect to the Client VPN endpoint to gain access to the resources.

Correct Answer: B

You manage a web service that is used by client applications deployed in 300 offices worldwide. The web service architecture is an Elastic Load balancer (ELB) distributing traffic across four application servers deployed in an autoscaling group across two availability zones.
The ELB is configured to use round robin, and sticky sessions are disabled. You have configured the NACLs and Security Groups to allow port 22 from your bastion host, and port 80 from 0.0.0.0/0. The client configuration is managed by each regional IT team.
Upon inspection you find that a large amount of requests from incorrectly configured sites are causing a single application server to degrade. The remainder of the requests are equally distributed across all servers with no negative effects.
What should you do to remedy the situation and prevent future occurrences?

1. A. Mark the affected instance as degraded in the ELB and raise it with the client application team.
2. B. Update the NACL to only allow port 80 to the application servers from the ELB servers.
3. C. Update the Security Groups to only allow port 80 to the application servers from the ELB.
4. D. Terminate the affected instance and allow Auto Scaling to create a new instance.

Correct Answer: C

A company has a hybrid IT architecture with two AWS Direct Connect connections to provide high availability. The services hosted on-premises are accessible using public IPs, and are also on the 172.16.0.0/16 range. The AWS resources are on the 192.168.0.0/18 range. The company wants to use Amazon Elastic Load Balancing for SSL offloading, health checks, and sticky sessions.
What should be done to meet these requirements?

1. A. Create a Network Load Balancer pointing to the on-premises server's private IP address.
2. B. Create an Amazon CloudFront distribution for the on-premises service and use the public IPs of the on-premises servers as the origin.
3. C. Create a Network Load Balancer pointing to the on-premises server's public IP address.
4. D. Create an Application Load Balancer pointing to the on-premises server's private IP address.

Correct Answer: D

Changes made to a security group attached to an Application Load Balancer resulted in connectivity issues for a company's production web application. The Network Engineer needs to lock down permissions for the company's AWS account, automate auditing for any changes, and set up notifications.
What actions should accomplish this?

1. A. Configure IAM user policies to lock down permissions for specific user
2. B. Enable AWS CloudTrail to identify API calls from user
3. C. Use AWS Config to audit any changes, and configure Amazon SNS to send notifications.
4. D. Configure IAM user policies to lock down permissions for specific user
5. E. Enable AWS CloudTrail to identify the API calls from user
6. F. Configure AWS CodeCommit to audit any changes in configurations, and configure Amazon SNS to send notifications.
7. G. Configure IAM user policies to lock down permissions for specific user
8. H. Enable AWS CloudTrail to identify the API calls from user
9. I. Configure Amazon Macie to use machine learning to identify any configuration changes, and configure Amazon SNS to send notifications.
10. J. Configure IAM role policies to lock down permissions for specific user
11. K. Configure Amazon GuardDuty to audit and monitor configuration changes, and configure Amazon SNS to send notifications.

Correct Answer: A