AWS Advanced Networking Exam Flashcards

Question

Global AWS community tag (received from AWS)

Answer 1

TCP and UDP

Answer 2

Classic and Application LBs

Answer 3

Network LB. | If the target is IP address, the source IP address is not preserved.

Answer 4

- gigabytes transferred - request rates - custom SSL Certificate

Answer 5

Extension of AWS Lambda that allows you to run Node.js code at global AWS locations.

Answer 6

- Viewer request - Viewer response - Origin request - Origin response

Answer 7

To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region. After you assign an ACM certificate to a CloudFront distribution, the certificate is distributed to all edge locations

Answer 8

Instance type

Answer 9

Design an alarm whenever the ConnectionState (Boolean) metric is DOWN.

Answer 10

Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your VPC. These DNS servers will resolve names configured in your Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone.

Answer 11

public one

Answer 12

YES, they can

Answer 13

As soon as the first byte arrives from the origin.

Answer 14

Create CloudFront Origin Identity which has access via the S3 bucket policy

Answer 15

YES - public IP. Private one is persistent

Answer 16

Consist of libraries to accelerate packet processing workloads running on wide variety of CPU architectures

Answer 17

Elastic network interface (ENI) for each combination of security group and subnet in your function's VPC configuration

Answer 18

Use VPN across regions or use inter-region peering (new feature)

Answer 19

IP 50 (ESP) and UDP 500

Answer 20

- 100 prefixes for private virtual interfaces or - 1,000 prefixes for public virtual interfaces

Answer 21

No. this is not the way NAT gateway works.

Answer 22

It can be used to use your AWS Direct Connect connection with another AWS account

Answer 23

It's a physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer.

Answer 24

Lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries

Answer 25

An IP access control group acts as a virtual firewall that controls the IP addresses from which users are allowed to access their WorkSpaces.

Answer 26

Up to 100 IP access control groups per AWS account

Answer 27

Up to 25 IP access control groups with a single directory

Answer 28

Network interface that an AWS service creates in your VPC. This network interface can represent an instance for another service, such as an Amazon RDS instance, or it can enable you to access another service or resource, such as an AWS PrivateLink service, or an Amazon ECS task

Answer 29

- Choose IPv4 CIDR Range - Choose a Tenancy - Optionally Associate a IPv6 CIDR Range

Answer 30

No. NIC Teaming is not supported.

Answer 31

Interface Endpoint

Answer 32

Yes, it can be enabled.

Answer 33

NO. It has to be deleted and recreated

Answer 34

- CloudWatch - S3

Answer 35

Always internal primary IP address associated with the ENI

Answer 36

169.254.169.123 - not captured by VPC FlowLogs

Answer 37

YES (as of 2018)

Answer 38

It provides answers to queries they know about

Answer 39

Points to other servers or serves cached content from other name servers' data

Answer 40

Not set the default location.

Answer 41

The msot specific is always preferred.

Answer 42

Use edns-client-subnet extension.

Answer 43

Certificate Authority Authorization Specifies which certificate authorities (CAs) are allowed to issue certificates for a domain.

Answer 44

Maps a host to an IP address (IPv4 or IPv6)

Answer 45

Name Server records direct traffic to the DNS servers that contain the authoritative DNS records

Answer 46

Pointer Record is a reverse A record lookup. Maps an IP address to a host

Answer 47

Start of Authority

Answer 48

Certificate Authority Authorization

Answer 49

- Classic - ALB

Answer 50

/27 or larger

Answer 51

The X-Forwarded-For request header

Answer 52

WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection.

Answer 53

- Network LB - Application LB (must enable stickiness)

Answer 54

At least 8 available

Answer 55

/27 or larger

Answer 56

- Network - Application

Answer 57

Server Name Indication - Support multiple certificates per load balancer

Answer 58

web and RTMP

Answer 59

Signed cookies

Answer 60

502 - BAD GATEWAY

Answer 61

Network LB

Answer 62

NAT GW or Instance

Answer 63

HTML5 compatible browser

Answer 64

- 64512 - 7224 in most regions prior to 2018

Answer 65

It allows the local client to use both local and Client VPN endpoint route tables

Answer 66

goes into IDLE state

Answer 67

Up to 10.000

Answer 68

8500 bytes

Answer 69

1500 bytes

Answer 70

Up to 5000

Answer 71

Up to 10.000

Answer 72

It's automatically enabled to all AWS customers (at no charge)

Answer 73

Economic Denial of Sustainability

Answer 74

- normal - rate-based

Answer 75

5 rate-based rules

Answer 76

10 rules per ACL

Answer 77

Contains the latest list of IP addresses used by AWS

Answer 78

Any other publicly routable IPv4 CIDR block (non-RFC 1918), or a CIDR block from the 100.64.0.0/10 range.

Answer 79

Feature that can be used to maintain internal and external versions of the same website or application

Answer 80

Network Load Balancer (proxy feature is needed anyway)

Answer 81

55,000 This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute).

Answer 82

HTTP, HTTPS, or TCP

Answer 83

Network Load Balancer

Answer 84

VPC level (not subnet!)

Answer 85

All data transferred between the gateway and AWS storage is encrypted using SSL

Answer 86

Auto-assign DNS hostnames to Ec2 instances

Answer 87

Virtual Private Gateway (VGW)

Answer 88

Configure the client software to use an EC2 elastic IP as the VPN termination endpoint. Turn on EC2 auto-recovery on this instance.

Answer 89

Use SSL to encrypt traffic at the application layer

Answer 90

VGW Public IPs

Answer 91

You can use a public VIF to access Amazon DynamoDB. You can use Amazon DynamoDB client libraries to encrypt traffic as it is being written to the database.

Answer 92

AWS has different Data transfer Out (DTO) charges depending on the source and destination of the traffic. Typically for Site-to-Site VPN (withour Direct Connect), its a standard internet DTO which is $0.09/GB. However if you configure VPN over DirectConnect connection then you get benefit of reduced data transfer charges which is typically $0.02/GB

Answer 93

Configure an S3 interface endpoint in the VPC. Configure the S3 interface endpoint DNS name in the on-premises application

Answer 94

Configure the local BGP community tag 7224:7300 for the transit VIF connected to the first AWS Direct Connect connection. By default, AWS uses the distance from the local AWS Region to the Direct Connect location to determine the VIF or transit VIF for routing. You can modify this behavior by assigning local preference communities to VIFs. This question asks for the VIF in Direct Connect connection 1 to have a higher preference. AWS supports the 7224:7300 local preference tag for high-preference use cases.

Answer 95

If the content is already in the edge location with the lowest latency, Amazon Cloud- Front delivers it immediately. If the content is not currently in that edge location, Amazon CloudFront retrieves it from the origin server to deliver.

Answer 96

This feature removes the object from every Amazon CloudFront edge location regardless of the expiration period that you set for that object on your origin server.

Answer 97

You control which requests are served by which origin and how requests are cached using a feature called cache behaviors.

Answer 98

When you add alternate domain names, you can use the wildcard * at the beginning of a domain name instead of specifying subdomains individually.

Answer 99

To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) Region.

Answer 100

To invalidate objects, you can specify either the path for individual objects or a path that ends with the * wildcard, which might apply to one object or many objects.

Answer 101

Origin Access Control (OAC) - special Amazon CloudFront feature that you can associate with your CloudFront Distribution and restrict access to S3 bucket only from this CloudFront Distribution

Answer 102

Data transfer from Amazon S3 to Amazon CloudFront is not charged

Answer 103

AWS Global Accelerator will provide low-latency endpoints to the global users of the game. The accelerator also will route the traffic over the AWS network backbone to the AWS Region that is hosting the game. ALB will support the use of the gRPC protocol and client IP address preservation. ALB will distribute traffic to the Amazon EC2 instances in the Auto Scaling group to support the game’s load. The association of an AWS WAF web ACL with the ALB will provide the required IP filtering.

Answer 104

With Amazon Route 53 Resolver DNS Firewall, you can monitor and control the domains that applications in your VPCs can access. DNS Firewall supports the use of allow lists or deny lists to filter the set of domains that you can use. This solution can effectively prevent the use of DNS queries to exfiltrate data.

Answer 105

Plugin for Kubernetes is the networking plugin for Pod networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to Kubernetes nodes and configuring the necessary networking for Pods on each node

Answer 106

Amazon VPC CNI plugin translates the pod's IPv4 address of the primary ENI of the node that the pod is running on

Answer 107

Enables customers to attach multiple network interfaces and apply advanced network configuration to Kubernetes-based applications.

Answer 108

- To configure an IPv6-enabled VPC attachment for the Transit Gateway, the VPC and the attachment subnets need to have associated IPv6 CIDRs. The remaining Transit Gateway configurations continue to have the same functionalities across both stacks - For dual-stack connectivity on the Site-to-Site VPN connection via a Transit Gateway, you need to create two VPN connections, one for the IPv4 and one for the IPv6 stack - For AWS Direct Connect connection, reuse your existing VIFs and enable them for dual-stack support

Answer 109

Set up a public VIF on the Direct Connect connection. Create an AWS Site-to-site VPN between customer gateway and the VGW in the VPC.

Answer 110

Set up a Cloud Watch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then configure a health check that monitors the state of the alarm.

Answer 111

- Amazon Inspector - Amazon SNS

Answer 112

Longest prefix match, Static routes, Direct-Connect routes, VPN BGP routes

Answer 113

Multicast traffic is only supported within and between VPC attachments to a Transit Gateway. Hence, peering at Transit Gateways across regions will not work in this scenario

Answer 114

Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new security group with necessary inbound rules for QuickSight in the same VPC. Sign in to QuickSight as a QuickSight admin and create a new QuickSight VPC connection. Create a new dataset from the RDS DB instance.

Answer 115

- records without a health check are always considered healthy. If no record is healthy, all records are deemed to be healthy - if you're creating failover records in a private hosted zone, you must assign a public IP address to an instance in the VPC to check the health of an endpoint within a VPC by IP address

Answer 116

- Traffic from the corporate network cannot directly access VPC B by using the AWS Direct Connect connection to VPC A - VPC B can't directly access Amazon S3 using the VPC gateway endpoint connection to VPC A

Answer 117

10.2.0.2 169.254.169.253

Answer 118

Purchase another 10 Gbps Direct Connect dedicated connection from AWS in a different Direct Connect location that terminates in the associated AWS Region. Set up a new virtual interface (VIF) to the existing VPC and use BGP for load balancing

Answer 119

Create four private VIFs, that is, one VIF each from the on-premises data center to each of the VPCs. Enable VPC peering between all VPCs

Answer 120

Configure the VPN connection in an Active/Active configuration and advertise a more specific prefix for tunnel A

Answer 121

Configure your customer gateway to advertise the same prefix with the same Border Gateway Protocol (BGP) attributes on both public virtual interfaces

Answer 122

The on-premises network would be unreachable as the local route would be preferred for all traffic destined for 172.31.1.0/24

Answer 123

Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

Answer 124

Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.

Answer 125

Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.

Answer 126

Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.

Answer 127

Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.

Answer 128

- Deploy the SaaS service endpoint behind a Network Load Balancer. - Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.

Answer 129

- Use AWS Direct Connect with MACsec support for connectivity to the cloud. - Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection. - Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Answer 130

- Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs. - Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Answer 131

Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

Answer 132

Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.

Answer 133

- Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution. - Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.

Answer 134

Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.

Answer 135

Change the router configurations to summarize the advertised routes.

Answer 136

Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.

Answer 137

- Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true. - Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets. - Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.

Answer 138

Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health checks.

Answer 139

Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.

Answer 140

Add the DependsOn attribute to the resource declaration for the route table entry. Specify the virtual private gateway resource.

Answer 141

Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB. deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.

Answer 142

- Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint. - Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint. - Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.

Answer 143

- Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint. - Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.

Answer 144

Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.

Answer 145

Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transit gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.

Answer 146

Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.

Answer 147

Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.

Answer 148

Enable the new Availability Zone on the NLB

Answer 149

During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool

Answer 150

Create a Route 53 private hosted zone for the same domain name Associate the application’s VPC with the new private hosted zone. Enable DNS hostnames for the application's VPC. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.

Answer 151

Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.

Answer 152

Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the web service. Create an interface VPC endpoint for the web service in the existing production VPC.

Answer 153

Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices

Answer 154

Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

Answer 155

Change the ALB security policy to a policy that supports forward secrecy (FS)

Answer 156

Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.

Answer 157

Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

Answer 158

Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

Answer 159

Retrieve client IP addresses by using the X-Forwarded-For header Use an Application Load Balancer.

Answer 160

Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs. Use zonal DNS names for the NLB in the services VPCs to minimize cross-AZ traffic from the ingress VPC to the services VPCs.

Answer 161

Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.

Answer 162

Enable transit gateway appliance mode on the VPC attachment in the shared VPC.

Answer 163

Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

Answer 164

Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

Answer 165

Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for on premises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-based DNS servers. Terminate the EC2 instances.

Answer 166

Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes from the failover data center to 7224:7100

Answer 167

Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.

Answer 168

Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.

Answer 169

The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS. There is no interface VPC endpoint configured for Amazon SQS

Answer 170

In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.

Answer 171

Create a staging.example.com NS record in the example.com domain. Populate the value with the name servers from the staging.example.com domain. Set the routing policy type to simple routing. Create a public hosted zone for staging.example.com in the staging account.

Answer 172

Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3

Answer 173

1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Production account: Create an attachment to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

Answer 174

Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.

Answer 175

Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.

Answer 176

Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.

Answer 177

Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.

Answer 178

Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

Answer 179

Use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are generating the suspicious traffic.

Answer 180

Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block under the allowed prefixes. Configure inter-Region transit gateway peering between TGW-A and TGW-B. Add the peering routes in the transit gateway route tables. Add both the VPC-A and the VPC-B CIDR block under the allowed prefix list in the Direct Connect gateway association.

Answer 181

Use an Amazon Route 53 Resolver inbound endpoint. Use an Amazon Route 53 Resolver outbound endpoint. Create Amazon Route 53 private hosted zones.

Answer 182

Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.

Answer 183

Connect the application to CloudWatch using an interface endpoint

Answer 184

Use Centralized VPC Endpoints for connecting with multiple VPCs, also known as shared services VPC.

Answer 185

Instance A is in the default security group. The default rules for the default security group allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. Instance B is in a new security group. The default rules for a security group that you create allow no inbound traffic

Answer 186

Create a private virtual interface to a Direct Connect connection in us-east-1. Set up a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access S3

Answer 187

Use Route 53 query logging to log information to CloudWatch Logs about the Route 53 DNS queries

Answer 188

Third-party software VPN solution deployed from the AWS Marketplace

Answer 189

Set up VPN CloudHub between branch offices and corporate headquarters which will enable branch offices to send and receive data with each other as well as with their corporate headquarters

Answer 190

Set up VPC Flow Logs for the elastic network interfaces associated with the instances and configure the VPC Flow Logs to be filtered for rejected traffic. Publish the Flow Logs to CloudWatch Logs

Answer 191

The EC2 instances are not configured to use the proxy server running in the data center for traffic on TCP port 80

Answer 192

Traffic on Protocol 50 is being blocked by the firewall

Answer 193

Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80

Answer 194

Launch a new instance in the new subnet via an AMI created from the old instance. Direct traffic to this new instance using Route 53 and then terminate the old instance

Answer 195

Configure the VPN connection in an Active/Passive configuration by assigning a higher priority to tunnel A while configuring the static routes

Answer 196

Create a host that sends ICMP requests to an instance in your VPC every 5 seconds Customer gateway device is configured to receive and respond to dead peer detection (DPD) messages

Answer 197

Virtual private gateway Virtual local area network (VLAN) ID

Answer 198

Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC A that points to the IP address range of 172.40.0.0/16 Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC B that points to the IP address range of 172.10.0.0/16

Answer 199

Only Application Load Balancer (ALB) supports Local Zones You cannot use a Lambda function as a target when using Local Zone subnets for configuring the ELB

Answer 200

Create two new subnets 192.168.2.0/28 and 192.168.2.16/28 in VPC Y. Move y-1 to subnet 192.168.2.0/28 and y-2 to subnet 192.168.2.16/28 by launching a new instance in the new subnet via an AMI created from the old instance Create two route tables in VPC Y - one with a route for destination VPC X and another with a route for destination VPC Z

Answer 201

Dynamic content, as determined at request time (cache-behavior configured to forward all headers) Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin

Answer 202

Use AWS WAF rate-based rule to block the IP addresses

Answer 203

Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header

Answer 204

Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis

Answer 205

NAT Gateway Hourly Charge NAT Gateway Data Processing Charge

Answer 206

To enable multi-account functionality in Network Manager, you first need to set up an account in AWS Organizations Create a global network in Network Manager and register the transit gateways tgw-1 and tgw-3 with your global network When you register transit gateway tgw-1 in the Network Manager, you can see information about transit gateway tgw-2 in your global network

Answer 207

Deploy the VPC infrastructure using AWS CloudFormation and leverage a custom resource to request a CIDR range from an external IP address management (IPAM) service

Answer 208

Configure connection draining on ELB

Answer 209

EC2 instances in the same AWS Region with access to the Internet could directly reach the router

Answer 210

Create an inbound endpoint on Route 53 Resolver and then DNS resolvers on the on-premises network can forward DNS queries to Route 53 Resolver via this endpoint Create an outbound endpoint on Route 53 Resolver and then Route 53 Resolver can conditionally forward queries to resolvers on the on-premises network via this endpoint

Answer 211

NAT gateways managed by AWS don't accept traffic initiated from the internet. However, if inbound internet traffic is permitted by your security group or Network ACLs then it appears as accepted

Answer 212

Provision a new connection via the AWS Management Console and lookout for an email from AWS with the relevant information

Answer 213

Use Host conditions in ALB listener to route *.shopping.com to appropriate target groups Use Host conditions in ALB listener to route shopping.com to appropriate target groups

Answer 214

The department pays AWS Direct Connect Data Out charges

Answer 215

Change the security policy on the ELB to disable vulnerable protocols and ciphers

Answer 216

Use custom routing accelerator of Global Accelerator to deterministically route one or more users to a specific instance

Answer 217

Use CloudFront signed URLs to restrict access to the application installation file Use CloudFront signed cookies to restrict access to all the files in the members' area of the website

Answer 218

Create a CloudFront signed URL using a canned policy

Answer 219

Use AWS Direct Connect along with a site-to-site VPN to establish a connection between the data center and AWS Cloud

Answer 220

Use WAF geo match statement listing the countries that you want to block Use WAF IP set statement that specifies the IP addresses that you want to allow through

Answer 221

Add 10.6.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet

Answer 222

1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5

Answer 223

Configure the ELB with a TCP listener. Configure the application instances for SSL termination. Configure RDS for SSL, and use REQUIRE SSL grants

Answer 224

Create a VPC with a virtual private gateway Set up a public virtual interface on the Direct Connect connection Create an IPsec tunnel between your customer gateway appliance and the virtual private gateway

Answer 225

Summarize the two routes to combine them into one and advertise it

Answer 226

Set up a Direct Connect to each on-premises data center from different service providers and configure routing to failover to the other on-premises data center's Direct Connect in case one connection fails. Make sure that no VPC CIDR blocks overlap one another or the on-premises network

Answer 227

Configure the applications behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to route application traffic to the corresponding target group through the ALB

Answer 228

Generate a separate certificate for each FQDN in each AWS Region using AWS Certificate Manager. Associate the certificates with the corresponding ALBs in the relevant AWS Region

Answer 229

Set up AWS Global Accelerator in front of all the AWS Regions

Answer 230

Set up the customer gateway to advertise the longer prefix on your primary connection

Answer 231

Set up an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint

Answer 232

AWS WAF, Kinesis Data Firehose, Amazon S3

Answer 233

Allow Inbound traffic on port 22 from the on-premises network

Answer 234

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

Answer 235

Amazon CloudFront with Lambda@Edge Application Load Balancer

Answer 236

BGP propagated routes from an AWS Direct Connect connection > Manually added static routes for a Site-to-Site VPN connection > BGP propagated routes from a Site-to-Site VPN connection

Answer 237

Use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC Advertise the same prefix for Direct Connect and the VPN

Answer 238

Set up a Route 53 Resolver inbound endpoint and configure it for the EFS-specific VPC. Set up a Route 53 private hosted zone and add a new CNAME record with the value of the EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone

Answer 239

Configure Interface endpoints for Amazon S3

Answer 240

Update the network ACL associated with the subnet to allow outbound traffic

Answer 241

The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server

Answer 242

Simple AD does not support Microsoft Exchange

Answer 243

All traffic destined for 172.31.0.0/24 is routed via the internet gateway

Answer 244

Update the Security Groups for the application servers to only allow incoming traffic on port 80 from the ELB

Answer 245

Configure ECMP on each VPN connection terminating on AWS Transit Gateway. Advertise different specific routes (10.20.30.0/25 & 10.20.30.128/25) on each VPN link along with summarised routes (10.20.30.0/24) over BGP peering.

Answer 246

Create outbound rules which use a destination IP address for evaluation while inbound rules use a source IP address for evaluation.

Answer 247

Create a route table in both VPC A & VPC B having a default route pointing to the Transit gateway. For VPC C, in the transit gateway subnet, create a default route with the target as an appliance in the appliance subnet. For VPC C, in the appliance subnet, create a default route pointing to the Transit gateway. For VPC attachments in shared services VPC, enable appliance mode.

Answer 248

Append the availability zone name to the NLB DNS name which will resolve to the IP address of the NLB local node.

Answer 249

1) In the Internet Gateway route table, for the destination as application servers subnet target should be the Gateway Load Balancer endpoint. 2) In the Application server subnet, the default route should be added with Target as the Gateway Load Balancer endpoint. 3) In the Gateway Load Balancer endpoint subnet, the default route should be added with Target as the Internet gateway.

Answer 250

Apply local preference BGP community tag as 7224:7300 to the primary virtual interface & local preference BGP community tag as 7224:7100 to the secondary virtual interface.

Answer 251

Create a new 2 GB AWS Direct link with links terminating at two AWS Direct Connect locations on two different routers.

Answer 252

Use MACsec with AWS Direct Connect.

Answer 253

Create a transit virtual interface to Direct Connect Gateway and terminate it to multiple AWS Transit Gateways in multiple regions which have VPC attachments to their respective VPCs in different regions.

Answer 254

Add custom headers in Amazon CloudFront & configure ALB to forward requests containing only custom headers to the EC2 Instance.

Answer 255

Use CloudFront functions & execute at the edge location.

Answer 256

Associate an IPv6 CIDR block to VPC & subnets. Update Route tables & security group rules to include IPv6 addresses. Manually add IPv6 subnets in custom network ACL created for IPv4 subnets. Select instance type supporting IPv6 & assign IPv6 to the instance.

Answer 257

Extend subnets from parent AWS VPC to AWS Local Zone. Deploy the application in the AWS Local Zone. Access Amazon S3 privately over AWS Private network.

Answer 258

Enable Kubernetes protection for all member accounts in an Organisation using GuardDuty delegated administrators accounts. Retrieve GuardDuty findings through Amazon CloudWatch events.

Answer 259

Create a single AWS Managed VPN connection terminating on AWS Transit Gateway attached to multiple VPCs.

Answer 260

Use Route 53 Resolver DNS Firewall to filter outbound traffic from the VPC.

Answer 261

Disable Private DNS name for VPC endpoint. Create an Amazon Route 53 private Zone using Alias record pointing to full service VPC endpoint name. Create an inbound Route 53 resolver endpoint in the same VPC as that of the VPC endpoint. Create conditional forward in the on-premises DNS server for the service name which will point to inbound Route 53 Resolver endpoint IP addresses.

Answer 262

Create an outbound endpoint from each VPC. Create separate rules for each domain & associate them with the VPC which will be forwarding queries to the DNS servers deployed at on-premises.

Answer 263

Create a Network Load balancer in each AZ. Create AAAA records for the zone apex pointing to this Network Load Balancer which will, in turn, point traffic to Amazon EC2 instances in each AZ.

Answer 264

Create a flow log with the pkt-dstaddr field. Create a bucket in Amazon S3. Publish flow logs to this bucket. Use Amazon Athena to point logs in Amazon S3 and query the logs to get a list of top-talker instances.

Answer 265

Configure Network Firewall.

Answer 266

Set up AWS Transit Gateway with Connect attachment to SD-WAN virtual appliance. Configure BGP peering between these devices over the GRE tunnel.

Answer 267

Create 2x 10Gbps AWS Direct Connect Links between data center & AWS using AWS Transit Gateway. Create Accelerated Site-to-Site VPN from branch office to nearest AWS edge location in respective AWS regions. Create Transit Gateway peering between transit gateway in each region. Configure Static routes at each transit gateway in different regions for routing traffic between regions. Configure Transit Gateway route tables to deny communication between branch offices.

Answer 268

In VPC A and VPC B, add a default route pointing to Transit Gateway. In Transit Gateway, create a static default 0.0.0.0/0 pointing to VPC C Attachment.

Answer 269

Deploy a Network Load Balancer in service provider VPC. Use the Application Load Balancer as a target for Network Load Balancer. Use the Static IP address of the Network Load Balancer to create rules in Firewall.

Answer 270

Create a listener rule with a condition rule matching http-header.

Answer 271

Create two interface endpoints using AWS Private link with Private DNS disabled. Create a Private hosted zone in Amazon Route 53 for Kinesis Data Streams and associate it with Consumer VPC. Create a weighted route policy with Alias A records pointing to interface endpoints to distribute traffic on both interface endpoints

Answer 272

Setup an S3 interface endpoint from VPC private subnet. Connect Amazon S3 File Gateway using this interface endpoint to Amazon S3 over AWS Direct Connect links.

Answer 273

Create customer gateways with unique BGP ASN at each customer location. Create a Site-to-Site VPN with dynamic routing protocol BGP to a common VGW. Configure the customer gateway devices to advertise a site-specific prefix to the VGW.

Answer 274

Create an AWS Client VPN. Deploy the RDS instance in a private subnet in the VPC. Associate DB instance subnet with AWS Client VPN interface endpoint.

Answer 275

Create a Client VPN endpoint in both regions. Associate AWS Managed Microsoft AD instance with client VPN endpoints in both regions. Create a Route53 public-hosted zone. Create CNAME records pointing to the DNS name of the endpoint with latency-based routing and health checks.

Answer 276

Configure Route 53 Resolver Query Logs. Select the destination for these logs as Amazon Kinesis Data Firehose.

Answer 277

Resolver rules will take precedence over private hosted zones.

Answer 278

Set up CloudFront Origin Shield in the Regional edge cache location of the us-east-1 region.

Answer 279

At Origin, set headers as Cache-Control: stale-if-error=0

Answer 280

In Outbound BGP policy add AS_Path with 3 AS for prefixes advertised on link 2. In inbound policy set the local preference as 300 for prefixes to be preferred on Link 1.

Answer 281

AWS Direct Connect Hosted Connection terminating on AWS Transit Gateway

Answer 282

For regional data centers, advertise prefixes with BGP community tag as 7224:9100 and accept prefixes with BGP community tag 7224:8100. For the head office, advertise prefixes with BGP community tag as 7224:9300 and accept all prefixes with BGP community tag as 7224:8200

Answer 283

Set up dual Direct Connect links terminating on two different Direct Connect Gateway from each Data Centre. Connect one Direct Connect gateway to three AWS Transit Gateways attached in three separate regions while another Direct Connect gateway to one Transit gateway attached to one region. Configure full mesh peering between four Transit Gateways created in each of the four regions.

Answer 284

Configure ECMP on each VPN connection terminating on AWS Transit Gateway. Advertise different specific routes (10.20.30.0/25 & 10.20.30.128/25) on each VPN link along with summarised routes (10.20.30.0/24) over BGP peering.

Answer 285

Create outbound rules which use a destination IP address for evaluation while inbound rules use a source IP address for evaluation.

Answer 286

Create a route table in both VPC A & VPC B having a default route pointing to the Transit gateway. For VPC C, in the transit gateway subnet, create a default route with the target as an appliance in the appliance subnet. For VPC C, in the appliance subnet, create a default route pointing to the Transit gateway. For VPC attachments in shared services VPC, enable appliance mode.

Answer 287

1) In the Internet Gateway route table, for the destination as application servers subnet target should be the Gateway Load Balancer endpoint. 2) In the Application server subnet, the default route should be added with Target as the Gateway Load Balancer endpoint. 3) In the Gateway Load Balancer endpoint subnet, the default route should be added with Target as the Internet gateway.

Answer 288

Apply local preference BGP community tag as 7224:7300 to the primary virtual interface & local preference BGP community tag as 7224:7100 to the secondary virtual interface.

Answer 289

Enable traffic mirroring from the ENI (Elastic Network Interface) and send mirrored traffic to ENI of the Amazon EC2 instance part of VPC B. Create traffic mirror filter rules to match source and destination CIDR block. Enable VPC peering between VPC A and VPC B.

Answer 290

Dedicated subnets for NAT Gateway. For production environments, dedicated subnets per VPC participants. For non-production environments, shared subnets with many VPC participants.

Answer 291

Configure firewall appliance in an Amazon EC2 instance in a separate subnet. Use Middlebox routing wizard to create routing tables.

Answer 292

Create a Transit gateway attachment for VPC A and VPC B using parent Availability Zone subnets. In each VPC, add an entry in the routing table for the destination as another VPC CIDR with the target as the network interface id of the transit gateway attachment.

Answer 293

Create a real-time log matching sc-bytes and send the logs to data streams in the Amazon Kinesis Data Streams.

Answer 294

Request a public SSL/TLS certificate from AWS Certificate Manager in the US east (N. Virginia) region. Import an SSL/TLS certificate with a key length less than 2048 bits into AWS Certificate Manager in the US east (N. Virginia) region.

Answer 295

Clients should send requests from multiple geographical regions Clients should make an independent DNS request

Answer 296

Create a separate VPC as “Internet VPC” with Internet gateway and Application Load Balancer. Deploy applications in all other VPCs with Network Load Balancer as the front end. Configure AWS PrivateLink interface in Internet VPC and provide internet access to applications via PrivateLink.

Answer 297

Set the firewall keep-alive timers to less than 350 seconds.

Answer 298

Respond to TCP/HTTP/HTTPS health checks from Gateway Load Balancer by finishing these checks within timeouts.

Answer 299

Create a System rule and specify test.example.com

Answer 300

Add more IP addresses to the inbound Resolver endpoint in a different Availability Zone.

Answer 301

Establish network connectivity between shared services VPC and Spoke VPC using AWS Transit Gateway. Share the private hosted zone between accounts and associate with the Spoke VPC that needs resolution.

Answer 302

Create a Geolocation routing policy. Create a default policy for queries not mapped to any location.

Answer 303

Enable enhanced networking on Amazon EC2 instance Elastic Fabric Adaptor (EFA). Place all Amazon EC2 instances in a cluster placement group.

Answer 304

Remove the association between Direct Connect gateway and virtual private gateway. Create a new transit virtual interface and associate Transit Gateway in each region with AWS Direct Connect Gateway using a unique BGP ASN for each Transit gateway.

Answer 305

Deploy an MPLS device collocated at the AWS Direct Connect Location and an AWS Direct Connect link to the Direct Connect gateway connecting to multiple VPCs.

Answer 306

Modify the Client VPN endpoint route table to add a route for peered VPC CIDR range. Reset the VPN connection so that new routes are sent to the client.

Answer 307

Setup a second Site-to-Site VPN on the same VGW. Deploy a new customer gateway at on-premises. Advertise on-premises prefixes from both on-premises devices.

Answer 308

Setup two IPsec VPN tunnels from two customer gateway routers to the AWS Transit gateway. Create VPC attachments between all the VPCs and the Transit Gateway. Configure BGP routing to prefer one IPsec VPN tunnel over another.

Answer 309

Create applications in two separate subnets of the VPC CIDR range. Associate both subnets to two different multicast domains created within a transit gateway. Create two different Multicast groups within the Transit gateway.

Answer 310

Connect multiple VPCs to AWS Transit Gateway. Use AWS Transit Gateway peering between Transit Gateway in each region.

Answer 311

Deploy AWS WAF on the Application Load Balancer. Use AWS Firewall Manager to centrally manage and configure WAF rules for all accounts in an AWS Organization. Enable logging for AWS WAF and inject logs to Amazon Kinesis Data Firehose.

Answer 312

Use Cloudwatch metrics to check for the state of the connection

Answer 313

Traffic destined for 172.31.0.0/24 will go through the Internet gateway

Answer 314

Consider using Route53 Inbound Resolver endpoints for resolving DNS requests

Answer 315

Public subnets for the application tier and NAT Gateway and private subnets for the database cluster

Answer 316

As soon as the first byte arrives from the origin, CloudFront begins to forward the files to the user

Answer 317

Consider using Lambda@Edge

Answer 318

Create a Geolocation Route53 policy to route the traffic based on the location

Answer 319

Change the MTU setting on the network interface for each instance

Answer 320

The public IP addresses have changed after the instance was stopped and started

Answer 321

Use VPC Flow logs to diagnose the traffic

Answer 322

Enable Enhanced networking on the instance

Answer 323

Use AWS Direct Connect and route packets between the on-premises network and AWS VPC using Jumbo Frames

Answer 324

The route tables in VPC B have not been configured

Answer 325

Instances launched in VPC A can reach instances in VPC C via a proxy instance in VPC B

Answer 326

Place the instances in a cluster placement group

Answer 327

Advertise a less specific prefix on the VPN connection

Answer 328

Change the resource record weight of the old deployment to 0

Answer 329

The "enableDnsHostnames" attribute might not have been set to 'True'

Answer 330

You have not uploaded or created the certificate in the right region

Answer 331

Ensure the route table has a "Depends On" attribute with a value of VGW

Answer 332

Replace instances of the same type. Stop and restart the instances in the Placement Group and then try the launch again

Answer 333

Use a network monitoring tool provided by an AWS partner

Answer 334

Configure ELB with TCP listeners on TCP/443. And place the Web servers behind it Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers

Answer 335

The organization should create 2 network interfaces, one for the internet traffic and the other for the backend traffic

Answer 336

Create separate templates based on functionality, create nested stacks with CloudFormation

Answer 337

Replace the NAT instance with a NAT gateway Upgrade the NAT instance to a larger instance type

Answer 338

Subscribe to AWS Shield Advanced service to use it in front of the Application Load balancer

Answer 339

Allow Outgoing Traffic on the NACL for ephemeral ports

Answer 340

Ensure that the NACL allows outbound ICMP response

Answer 341

Configure the Viewer protocol policy as Redirect HTTP to HTTPS and Change the Origin Protocol Policy to Match Viewer

Answer 342

Put a WAF in front of the Application Load Balancer

Answer 343

Create an Alias record, for example.com and point it to the ALB as the target. Create a CNAME record for www.example.com and point it to example.com

Answer 344

Add the VPC Endpoint to the S3 bucket policy

Answer 345

Use the IP addresses in the X-Forwarded-For HTTP header and then restrict content via Cloudfront geo-restrictions

Answer 346

Create a DHCP Options set and provide the NTP server name

Answer 347

Configure a DNS forwarder on-premises, which will forward DNS requests to a Route53 Resolver Inbound Endpoint

Answer 348

Set up one route table. Add one route of 0.0.0.0/0 to the Internet and one specific prefix route for the Virtual Private gateway. Attach the Route table to the subnet in the VPC

Answer 349

Use the public IP address of the NAT device Ensure the on-premises firewall has UDP port 4500 unblocked

Answer 350

Use AWS Client VPN Use a custom VPN server to accept connections from mobile and remote computers

Answer 351

Configure Amazon Route 53 logging

Answer 352

The service endpoint only works on the TCP protocol

Answer 353

Enable sticky sessions at the target group level

Answer 354

This is not possible, since this is how the NAT gateway works

Answer 355

Create an AWS Direct Connect link & VPN link. Route traffic with VPC CIDR range over AWS Direct Connect for all other traffic & specific route of Credit Card servers over VPN for credit card transaction traffic

Answer 356

Use Web ACLs to block the IP addresses

Answer 357

Enable Enhanced Networking for the underlying Instances Create the Instances in the same Availability Zones and put them in a cluster placement group

Answer 358

Choose Simple AD to use along with AWS Workspaces

Answer 359

Attach a secondary ENI to the Instance

Answer 360

Use VRF technology for routing

Answer 361

The NAT gateway has been created in the private subnet

Answer 362

The NACLs are blocking outgoing on port 53 for UDP

Answer 363

Use Signed URLs

Answer 364

Create an Instance from an Instance type that supports Enhanced Networking Enable Enhanced Networking if not already done

Answer 365

Make use of the Direct Connect gateway Create a private VIF using the current connection

Answer 366

Create a VPC Interface Endpoint that connects to the company's endpoint service

Answer 367

Add a VPC endpoint

Answer 368

Set up a VPC with an address range of 10.25.253.0/24 Establish a VPN connection using your customer gateway. Ensure a route is present in your on-premises router to route traffic via the customer gateway

Answer 369

It’s because it is a requester managed interface

Answer 370

Create a web based distribution in Cloudfront Create a resource record in a hosted zone and create an ALIAS record

Answer 371

Use Reachability Analyzer by specifying the path for the traffic from source as internet gateway and destination as Amazon EC2 instance. The protocol should be TCP and port 22

Answer 372

Place Network Firewall in a separate VPC called a Security VPC with two subnets in each availability zone. One subnet will be used for Transit Gateway attachment while the other subnet will be used for firewall endpoints. In Transit Gateway, create a separate routing table for each VPC with the default route pointing to Security VPC

Answer 373

Configure query logging for the hosted zone in Amazon Route 53 and use Amazon CloudWatch to access query logs

Answer 374

Create a private hosted zone in each of the VPCs with a unique subdomain of ‘example.private’ Share the forwarding rules with all the accounts using AWS RAM (Resource Access Manager) and associate it with VPC in each of the accounts

Answer 375

Amazon Route 53 Application Recovery Controller (ARC) can help to provide insights whether the application and resources are prepared for recovery and quickly mitigate impairments for multi-AZ or multi-region applications. It provides three capabilities.

Answer 376

Start a zonal shift for the Network Load balancer and turn OFF cross-zone load balancing

Answer 377

Specify Least outstanding requests routing algorithm for the ALB

Answer 378

Configure IPv4 BGP peering session with MP-BGP over GRE tunnel

Answer 379

For Site office, create a connect attachment over the Direct Connect attachment. Create multiple Connect peers on this attachment. Create BGP peers over these peers and advertise prefixes across all the Connect peers

Answer 380

Set the operational connection value for the LAG on the primary connection to three

Answer 381

Accept the connection created by the APN partner from the AWS Direct Connect console. Once Letter of Authorization and Connecting Facility Assignment (LOA-CFA) is available from AWS, download and share it with an APN partner to order cross-connect at the AWS Direct Connect location For hosted private virtual interfaces, use the VLAN allocated by the AWS Direct Connect Partner

Answer 382

Configure Route 53 Resolver with an outbound endpoint in VPC A & forwarding rules shared with VPC B.

Answer 383

Create a system rule for the new subdomain.

Answer 384

Create a Service Link Path. Use internet Link to communicate with AWS IP ranges.

Answer 385

Create a Transit Gateway with all VPC attached to it & create a single VPN connection from the regional office to Transit Gateway.

Answer 386

Enable Local Zone in us-west-1 region. Create a new subnet from an existing VPC in the parent region. Assign this subnet to AWS Local Zones. Assign an IP address for an EC2 instance in AWS Local Zones from this subnet.

Answer 387

Create Two Routing tables in Transit Gateway. Associate VPC R&D, VPC Production attachments to the route table having routes propagated from VPC IT. Associate VPC IT attachments with route tables having propagated routes from VPC R&D & VPC Production.

Answer 388

Create an AWS Wavelength zone within the telecom provider facility & launch Amazon EC2 instance within this zone. Deploy Database servers in the parent region connecting to this AWS Wavelength.

Answer 389

Remove the existing association between AWS Direct Connect Gateway & VGW. Connect all VPCs to the Transit Gateway. Create a new association between Transit Gateway & Direct Connect gateway over transit virtual interface.

Answer 390

Create Private VIF over AWS Direct Connect Gateway to Media VPC. Create Transit VIF over another AWS Direct Connect Gateway to connect to Transit Gateway which will have an association with specific subnets from all three VPC. Create a VPC peering between Marketing VPC & Media VPC.

Answer 391

Create an internal ALB in a VPC with an internet gateway attached & without any Public IP address assigned to it. Associate ALB as an endpoint in AWS Global Accelerator. ## Footnote When ALB is used as an endpoint for AWS Global Accelerator, all traffic towards this endpoint flows over AWS Global Accelerator. For this, a public IP address is not required to be assigned to ALB, but an internet gateway is required to be attached to VPC to indicate internet traffic is accepted in this VPC. With Internet traffic flowing only via a single-entry point of AWS Global Accelerator, it will help reduce DDoS attacks.

Answer 392

Create an attachment from each VPC in the us-west-1 region to AWS Transit Gateway. Delete existing VPN connection from Singapore & Sydney office & create a new VPN Connection with attachments to transit gateway with acceleration enabled. ## Footnote VPN connections with acceleration enabled use AWS Global Accelerator to improve performance of VPN tunnels. With acceleration enabled, VPN tunnels are formed with static IP address of nearest edge location & from edge location traffic is moved over AWS global backbone infrastructure to reach VPC in the destination region. A transit gateway is required to be created as Accelerated VPN connections only support termination on transit gateway & not on Virtual private gateway.

Answer 393

In the private subnets route table, modify target as Firewall endpoint instead of local for VPC CIDR. In Firewall subnet, use an implicit route table which will have a target as local for VPC CIDR. In the public subnet route table, add a default route towards Internet Gateway and add route for VPC CIDR with target as Firewall endpoint

Answer 394

Create a VPC Link. Setup a private integration with Application Load balancer using this VPC link. Setup an Application Load balancer in front of the Amazon ECS cluster ## Footnote A VPC link encapsulates traffic between API Gateway and the targeted resource within VPC. HTTP API private integration can use VPC links to allow access to resources in a private subnet. Application Load balancer supports dynamic host port mappings for Amazon ECS. This allows multiple tasks from the same service run on a single container instance. ALB also supports path-based routing enabling multiple services to use the same listener port on a single load balancer.

Answer 395

Create an alias record in Amazon Route 53 which will point to the CloudFront distribution. In the Amazon CloudFront distribution, specify the domain name as the alternate domain name ## Footnote Amazon Route 53 can be used to route traffic to an Amazon CloudFront distribution by using custom domain name. For this, an alias record needs to be created which will point to Amazon CloudFront distribution. For alias queries to the Amazon CloudFront, there are no charges involved.

Answer 396

For applications in each of the accounts, create a separate private host zone in individual accounts. Associate all these PHZs with VPC in the “A” account using cross-account association of Private hosted zone with VPC ## Footnote For multi-account setup, private host zone (PHZ) can be created in a centralised account for the sub-domains where control is not required for individual accounts. For sub-domains where individual accounts need management control, PHZs must be created in individual accounts. For routing DNS queries from these accounts to on-premises DNS servers, PHZ in each account can be associated with VPC in account A using cross-account association of Private Hosted Zones with VPCs. With these associations, overlapping multiple PHZ will be created in account A, and route 53 will route traffic based upon most specific matches in a PHZ.

Answer 397

Create a new hosted zone for the sub-domain and create a record in this hosted zone. Do not create additional name server (NS) records and start of authority (SOA) records in the hosted zone for the sub-domain and make no changes in NS & SOA records from the hosted zone for the domain

Answer 398

Create a Route 53 resolver which will forward DNS queries to on-premises AD servers and AWS Managed Microsoft AD servers

Answer 399

Remove Delegation Signer (DS) record from the parent zone to deactivate DNSSEC Set lower TTL for the NS record for both existing DNS providers and Route 53

Answer 400

Specify Target Type as IP and ensure all targets are part of the same Local Zone ## Footnote For Application Load balancer, when a target type is specified as Instance, it will route all incoming traffic to the primary IP address assigned to the instance. In the above case, since traffic needs to be distributed to multiple network interfaces of the instance, the target type should be IP.

Answer 401

Deploy AWS Load balancer controller in the EKS cluster and use annotation “alb.ingress.kubernetes.io/ip-address-type: dualstack” with traffic mode as IP ## Footnote To load balance IPv6 traffic for a containerized application deployed in an Amazon EKS cluster following changes are required, Deploy AWS Load balancer controller in an EKS cluster. It will choose subnets from the multiple Availability Zones. AWS Load balancer controller supports two traffic modes: default mode as Instance and other as IP. To support IPv6 application traffic, traffic mode should be selected as IP. To load balance traffic to IPv6 application traffic on the Pods, the following annotation is required,” alb.ingress.kubernetes.io/ip-address-type: dualstack”.

Answer 402

Deploy third-party SD-WAN appliances in a separate VPC in AWS cloud. Create an AWS Transit Gateway VPC attachment between third-party SD-WAN appliances and Transit Gateway ## Footnote A third-party SD-WAN appliance not supporting GRE can be integrated with AWS Transit Gateway using Transit Gateway VPC Attachments. For this appliance needs to be deployed in a separate VPC.

Answer 403

Use AWS Cloud Map Service discovery to discover ARN of each SQS queue and call these queues from the Lambda functions using AWS SDK ## Footnote AWS Cloud Map is a fully managed service discovery tool for the cloud resources and application components. It helps to connect to the correct endpoint of the application components seamlessly without any additional complex changes in the application code. In the above case, AWS Cloud Map can be used to discover ARN of the multiple AWS SQS queues. AWS Lambda function can connect to these ARNs using AWS SDK.

Answer 404

Use AWS Firewall Manager to limit access to only required application ports

Answer 405

AWS Site-to-Site VPN will automatically send notifications to the AWS Health Dashboard. Use AWS Health API to integrate these notifications with existing in-house management tools to notify the Operations Team

Answer 406

Use RI coverage reports to identify costs

Answer 407

Create certificates using AWS Certificate Manager. Specify the domain name on the certificate matching the custom domain name record. Add certificates to the certificate list and provide a different certificate for each domain ## Footnote Amazon Certificate Manager can be used to provide a certificate for Application Load balancer enabling HTTPS traffic to terminate on it. It supports automatic certificate renewal before expiration. When a certificate is created in ACM for use with Load balancer, domain name must be specified. This domain name should match the custom domain name record. For load balancer to support multiple domains on the same port a certificate list must be created. The certificate list also allows you to have different certificates for each domain.

Answer 408

Use AWS Load Balancer Controller and specify service type as LoadBalancer and target type as IP. Configure externalTrafficPolicy =Local for the load balancing service to preserve client IP ## Footnote WS Load balancer Controllers support target type as IP only for Fargate deployments. When NLB is specified as a Load-balancing service, externalTrafficPolicy can be used to determine how incoming traffic can be routed to the nodes in an EKS cluster. When externalTrafficPolicy is specified as a Local, it will route traffic to multiple pods in a Node, but traffic will not be routed to other Nodes in an EKS cluster. This option preserves the client's IP address. ExternalTrafficPolicy can also be specified as Cluster, which routes incoming traffic to multiple nodes in a cluster but does not preserve Client IP addresses.

Answer 409

Launch Amazon EC2 instance with a security group created in each account of the AWS Organization. Participants will pay for data transfer charges for the inter Availability zone and VPC owners will pay hourly charges for resources

Answer 410

Create traffic mirror filter rules for both incoming and outgoing traffic. For incoming traffic, reject all traffic with source IP as VPC CIDR and accept all other traffic. For outgoing traffic, reject all traffic with the destination as VPC CIDR block and accept all other traffic

Answer 411

Configure Source Transit Gateway 1, VPN attachment and specify IP address from on-premises IP range. Configure Destination as Transit gateway 2, VPC A attachment, and IP address from VPC A CIDR. Specify middleware location in the route analysis

Answer 412

Configure MTU as 8500 at both VPC attachments to AWS Transit Gateway

Answer 413

Add the Envoy container by setting an environmental variable to the ARN of the virtual node. Specify the Envoy admin port to be different from the listener of the virtual node

Answer 414

Create PHZ in each VPC. Associate PHZ with other VPC’s as well as with Shared services VPC. Use Shared services VPC to forward queries to on-premises DNS servers

Answer 415

Create CA hierarchy using AWS private CA and issue customized certificates for authenticating internal users. Rotate CA private key by importing a new CA certificate

Answer 416

Use a Mutual authentication method for authenticating clients In the client VPN endpoint route table, add route destination as client CIDR range and target VPC subnet ID as local. Add two separate authorization rules, one rule to grant access to VPC application subnet and other rule for client CIDR subnet

Answer 417

Create multiple Client VPN endpoints to enable a specific group of users to access specific parts of the network

Answer 418

Use Route 53 Resolver DNS Firewall with Resolver DNS firewall rule group associated with VPC in each region Share DNS firewall rule groups with other accounts using Amazon RAM

Answer 419

Set up query logging from the centralized account to store logs in the Amazon S3 bucket which is part of the central account. Use RAM to share configuration from multiple accounts to central accounts

Answer 420

Create an Organizational view report from AWS Trusted Advisor. Use Amazon Athena to query this report and generate a list of VPN connections that have one of the tunnels down

Answer 421

Create a global network. Register Transit Gateway 1 and Transit Gateway 2 with the global network. Enable Multi-account access and register Transit Gateway 3 with the same global network ## Footnote AWS Global Networks for Transit Gateway helps to centrally manage transit gateway and associated attachments. For this, the Transit Gateway needs to be registered in the global network. When transit gateways are part of different accounts, peering attachments are by default included in the global network but all other attachments for a transit Gateway part of different accounts are not included. To include these attachments, multi-account access needs to be enabled on the global network.

Answer 422

Enable propagated routes and set MTU as 9001 ## Footnote Private Virtual Interface has a default MTU as 1500. It supports jumbo frames with MTU as 9001. Jumbo frames are only supported when routes are propagated in VGW and for static routes MTU of 1500 is only supported. In the above case for jumbo frame support for the application, client will need to enable propagated routes in the VGW and then set MTU as 9001.

Answer 423

Participants in account B will be able to create ingress and egress rules for security groups but will not be able to create NACLs

Answer 424

Use Target Type as IP. Specify private routable IP address for on-premises nodes and use AWS Direct Connect connectivity for reachability to on-premises nodes

Answer 425

AWS Site-to-Site VPN attachment must be created in the account PROD which owns the Transit Gateway. Account DEV will not be able to make route table propagation changes in the Transit Gateway ## Footnote AWS Transit Gateway can be shared with other accounts using AWS RAM. While sharing transit gateway following points needs to be considered, - AWS Site-to-Site VPN attachment can be created only in the account which owns the Transit Gateway. - Account to which transit gateway is shared cannot create, modify or delete Transit Gateway roue table or the route table propagations and its associations.

Answer 426

In region 1 use a virtual transit interface and Set MTU as 8500. In region 2, use virtual private interface with MTU as 9001 ## Footnote While deploying AWS Direct Connect links, private virtual interface is required for establishing connectivity with Virtual private gateway while virtual transit interface is required for AWS Transit Gateway. Jumbo frames are supported with AWS Direct Connect links by setting MTU as follows: - Virtual Private Interface: MTU as 9001 - Virtual Transit Interface: MTU as 8500 - Virtual Public Interface: MTU as 1500

Answer 427

Colocate dedicated MPLS nodes at the AWS Direct Connect Location. Create transit virtual interfaces from these nodes to Transit Gateway for accessing AWS resources from different VPCs

Answer 428

Set up AWS Microsoft AD domain controller in AWS cloud. Create an interforest trust relationship between on-premises AD and AWS Microsoft AD domain controller

Answer 429

ECMP is misconfigured

Answer 430

Turn off automatic rules and create forwarding rules to forward reverse DNS queries for specific domain names to on-premises DNS servers. Associate rules with the VPC

Answer 431

Advertise 100 or less prefixes each for IPv4 and IPv6 over BGP session. Create a LAG with 2 x 100 G links to get maximum bandwidth ## Footnote Advertise 100 or less prefixes each for IPv4 and IPv6 over BGP session. Create a LAG with 2 x 100 G links to get maximum bandwidth

Answer 432

Create a VPC endpoint for SNS in the VPC in which the instance resides. Create a topic policy that will restrict publishing messages only from the VPC endpoint

Answer 433

Split resources in different subnets and create an AWS Network firewall endpoint in each subnet. Deploy Application resources in the different subnet as that of the firewall subnet ## Footnote AWS Network Firewall supports 100 Gbps of network traffic per firewall endpoint. To provide additional throughput, the solution is to split subnets into multiple subnets and attach network firewall endpoints to each firewall. Also, while creating additional subnets, application resources and firewalls must be placed in a separate subnet. Firewall endpoints will not be able to filter traffic when resources are in the same subnet as that of the firewall.

Answer 434

Create a Firewall subnet in each zone. In customer subnet route table 1, add route-target as firewall subnet 1 for destination 0.0.0.0. In customer subnet route table 2, add route-target as firewall subnet 2 for destination 0.0.0.0. In the Internet gateway route table for customer subnet 1, add a route target as firewall subnet 1 while for customer subnet 2 add a route target as firewall subnet 2

Answer 435

Use QOS Marking on applications & use QOS supporting Software VPN to terminate VPN on EC2 instance & prioritize traffic in EC2 OS level

Answer 436

Use BGP Community Tags 7224:9100 for the server to be accessed in each AWS region & no BGP community tags for servers to be accessed from all regions.

Answer 437

Enable BFD at Customer end Router on a virtual interface.

Answer 438

Use Public IPv4 pool owned by client for IPv4 connection while for IPv6 connection, peer IP addresses are automatically assigned by Amazon.

Answer 439

Add Local Preference BGP Community Tag 7224:7300 on the primary Link & Local Preference BGP Community Tag 7224:7100 on the secondary link.

Answer 440

Use AWS WAF Geographic Match & rate limiting match rules with Amazon CloudFront to provide the least preference to users from this list of countries while accessing the application.

Answer 441

The certificate needs to be imported in each region where ELB is deployed & ACM will not perform the renewal of certificates.

Answer 442

Create two public VIF over AWS Direct Connect Dedicated connection. Create two Site-to-Site VPN connections from on-premises routers to the AWS Transit Gateway. Each Site-to-Site VPN connection should be part of each VRF A and B created at the on-premises location. Create two VPC attachments between VPC A and VPC B with the AWS Transit Gateway. Create two separate route tables in AWS Transit Gateway for each traffic flow between VPC A-VRF A and VPC B- VRF B

Answer 443

In VPC route tables, add entries for on-premises routes with the target as a virtual private gateway that has a private virtual interface connected. Ensure that not more than 100 routes are advertised from the on-premises customer router.