AWS Advanced Networking Exam Flashcards
Max number of Inbound or outbound rules per security group
60
Max number of Security groups per network interface
5
What is egress-only Internet gateway?
It allows outbound communication over IPv6 from instances in your VPC to the Internet
Can you have many NAT GW inside VPC?
YES
To what speed does NAT GW scale?
Up to 45Gbps
Is NAT GW VPC specific or AZ specific?
AZ specific
What’s the limit of NAT GW concurrent connections to the same destination?
55K
Two types of Endpoints
- Interface (powered by PrivateLink)
- Gateway
How many Interface VPC Endpoints can you have per AZ (or subnet)
Only ONE
Can you access Interface VPC endpoint from AWS VPN?
Yes. As of 2018.
Can you access Interface VPC endpoint from AWS Direct Connect?
YES
Which services are supported on gateway endpoint?
- S3
- DynamoDB
Can you apply policy to VPC Endpoint?
YES (to control what’s allowed, etc.)
What’s the advantage of EBS optimized EC2 instance?
EBS-optimized instances deliver dedicated throughput between Amazon EC2 and Amazon EBS
Can a placement group span peered VPCs?
YES
Can you launch multiple instance types into a placement group?
YES
Standard MTU frame size inside AWS?
1522
Can a default ENI be moved to another EC2 isntance?
NO
Is VGW highly available
YES, built-in multiple AZ high availability
How many VGW can you have per VPC
only ONE
Can you re-attach VGW to another VPC
YES, same account and AWS Region
Single tunnel VPN performance
Up to 1.25Gbps
Local AWS Region community tag (received from AWS)
7224:8100
Local Continent AWS community tag (received from AWS)
7224:8200
Global AWS community tag (received from AWS)
No tag
Local AWS Region community tag (advertised to AWS)
7224:9100
Local Continent AWS community tag (advertised to AWS)
7224:9200
Global AWS community tag (advertised to AWS)
7224:9300
Maximum number of links in AWS LAG?
4
Which Layer 4 protocol does Network Load Balancer operate?
TCP and UDP
Can you assign EIP to Network Load Balancer?
Yes
On which Load Balancers Source IP is not preserved (replaced to LB IP address)?
Classic and Application LBs
On which load balancer source IP address is preserved?
Network LB.
If the target is IP address, the source IP address is not preserved.
Pricing components of Cloud Front
- gigabytes transferred
- request rates
- custom SSL Certificate
What is Lambda@Edge?
Extension of AWS Lambda that allows you to run Node.js code at global AWS locations.
Four Lambda@Edge triggers
- Viewer request
- Viewer response
- Origin request
- Origin response
Can you have more than one VPC peering connection between the same two VPCs at the same time?
NO
How to use AWS Certificate Manager with CloudFront?
To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region.
After you assign an ACM certificate to a CloudFront distribution, the certificate is distributed to all edge locations
On which factor does NAT instance bandwidth depend on?
Instance type
Do all connections in the LAG must terminate at the same AWS Direct Connect Endpoint?
YES
How to monitor state of the DX connection?
Design an alarm whenever the ConnectionState (Boolean) metric is DOWN.
Which auto-negotation state is supported by AWS on DX?
DISABLED
How Simple AD work?
Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your VPC. These DNS servers will resolve names configured in your Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone.
In which subnet place NAT Gateway to work?
public one
When creating VPC peering, can VPCs be in different regions and different accounts?
YES, they can
When CloudFront start forwarding packets to the user?
As soon as the first byte arrives from the origin.
How to ensure S3 objects can be accessed only via CloudFront distribution?
Create CloudFront Origin Identity which has access via the S3 bucket policy
Does EC2 receive new IP address when it’s stopped or restarted?
YES - public IP. Private one is persistent
What is Data Plane Development Kit (DPDK)?
Consist of libraries to accelerate packet processing workloads running on wide variety of CPU architectures
How Lambda function is executed inside VPC?
Elastic network interface (ENI) for each combination of security group and subnet in your function’s VPC configuration
How to ensure nodes in different regions communicate in a secure way?
Use VPN across regions or use inter-region peering (new feature)
Which protocol have to be enabled on the firewall to allow VPN traffic
IP 50 (ESP) and UDP 500
What is the hard limit of prefixes advertised via DX to AWS?
- 100 prefixes for private virtual interfaces or
- 1,000 prefixes for public virtual interfaces
Can you ping IP address of the NAT Gateway?
No. this is not the way NAT gateway works.
What is AWS hosted virtual interface?
It can be used to use your AWS Direct Connect connection with another AWS account
What is AWS hosted connection?
It’s a physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer.
What is Multivalue answer routing in Route 53?
Lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries
BGP Low Preference community
7224:7100
BGP Medium Preference community
7224:7200
BGP High Preference community
7224:7300
What is IP access control group?
An IP access control group acts as a virtual firewall that controls the IP addresses from which users are allowed to access their WorkSpaces.
How many IP access control groups can be associated with single AWS account?
Up to 100 IP access control groups per AWS account
How many IP access control groups can be associated with a single directory?
Up to 25 IP access control groups with a single directory
What is requester-managed network interface?
Network interface that an AWS service creates in your VPC. This network interface can represent an instance for another service, such as an Amazon RDS instance, or it can enable you to access another service or resource, such as an AWS PrivateLink service, or an Amazon ECS task
Default max number of VPCs per Region
5
3 Steps to Create VPC
- Choose IPv4 CIDR Range
- Choose a Tenancy
- Optionally Associate a IPv6 CIDR Range
Can more NICs be added to EC2 to improve bandwidth to or from the instance?
No. NIC Teaming is not supported.
Can Dynamic external IP address be disassociated from EC2 after launch?
NO
Can Security Group be associated with NAT Gateway?
NO
Which VPC Endpoint is powered by PrivateLink?
Interface Endpoint
Is VPC Endpoint Regional or Global servic
Regional
Is DNS resolution supported over VPC peering?
Yes, it can be enabled.
Can the existing flow log setting be modified?
NO. It has to be deleted and recreated
Where the VPC Flow Logs can be stored
- CloudWatch
- S3
What is the source/destination IP address in the VPC FlowLogs?
Always internal primary IP address associated with the ENI
What’s the IP address of AWS Time Sync Service?
169.254.169.123 - not captured by VPC FlowLogs
Is communication between VPC and DHCP servers captured by FlowLogs?
NO
Is traffic between ENI and Network Load Balancer Interface captured by FlowLogs?
NO
Are Jumbo Frames supported over DX?
YES (as of 2018)
What is authoritative DNS Name Server
It provides answers to queries they know about
What is non-authoritative DNS Name Server
Points to other servers or serves cached content from other name servers’ data
How to lock users in DNS to specific location?
Not set the default location.
What’s the preference of DNS geo-location?
The msot specific is always preferred.
How to improve the accuracy of geolocation routing?
Use edns-client-subnet extension.
What’s the max number of responses in a multi-value Response Routing Policy?
8
What is CAA Record in DNS
Certificate Authority Authorization
Specifies which certificate authorities (CAs) are allowed to issue certificates for a domain.
What is A and AAAA record in DNS?
Maps a host to an IP address (IPv4 or IPv6)
What is NS Record in DNS?
Name Server records direct traffic to the DNS servers that contain the authoritative DNS records
What is PTR Record in DNS?
Pointer Record is a reverse A record lookup. Maps an IP address to a host
What is SOA Record in DNS?
Start of Authority
What is CAA Record in DNS
Certificate Authority Authorization
Which ELBs support sticky sessions?
- Classic
- ALB
Does Network Load Balancer support sticky sessions?
NO
Min Subnet size for ELB?
/27 or larger
Feature which identify the IP address of a client when you use an HTTP or HTTPS load balancer
The X-Forwarded-For request header
Describe WebSockets
WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection.
Load Balancers supporting WebSockets
- Network LB
- Application LB (must enable stickiness)
How many IP addresses are required for ELB?
At least 8 available
Min Subnet size for ELB?
/27 or larger
Can Lambda function be a target in ELB?
YES
Which ELBs support SNI?
- Network
- Application
What is SNI
Server Name Indication - Support multiple certificates per load balancer
On which Origin can RTMP content live?
S3 only
How many geo-restrictions can one CDN distribution have?
Only ONE
Which distribution is supported by singed URL?
web and RTMP
Which distribution is supported by Signed cookies only?
WEB
Distribution method when access to large number of files is requried?
Signed cookies
Which origin type is supported by OAI (Origin Access Identities)
S3 only
Error returned by the CloudFront when self signed certificate or expired certificate is used
502 - BAD GATEWAY
Which ELB is used with AWS PrivateLink?
Network LB
What is required to enable lambda Internet Access
NAT GW or Instance
Can lambda receive public IP?
NO
What is required to run AppStream 2.0 locally?
HTML5 compatible browser
How many subnets are required to run AppStream 2.0?
1
Which port has to be enabled for IPsec over NAT
UDP 4500
Default ASN VGW number
- 64512
- 7224 in most regions prior to 2018
How many VPCs can be attached to VGW?
Only ONE
What is VPN split tunnel?
It allows the local client to use both local and Client VPN endpoint route tables
What happens to BGP when more prefixes are advertised than allowed?
goes into IDLE state
How many ENIs are supported by the Route53 Resolver Endpoint?
2-8
How many queries per second are supported by Route53 Resolver Endpoint ENI?
Up to 10.000
Can Outbound Route53 Endpoint be associated with another VPC in the same Region?
YES
MTU of DX Transit VIF
8500 bytes
MTU of VPC Peering
1500 bytes
How many route tables are supported by a single TGW
Up to 20
How many attachments are supported by a single TGW?
Up to 5000
How many DX GWs can be attached to s single TGW?
Up to 20
How many TGWs can be peered?
Up to 50
How many static routes are supported by a TGW?
Up to 10.000
How to enable AWS Standard Shield?
It’s automatically enabled to all AWS customers (at no charge)
What is EDoS
Economic Denial of Sustainability
Two types of rules in WAF
- normal
- rate-based
How many WAF ACL can you have (per account, per region)?
50 ACLs
How many WAF rules can you have (per account, per region)?
100 rules
How many WAF rate-based rules can you have (per account, per region)?
5 rate-based rules
How many WAF regex expressions can you have (per account, per region)?
10
How many WAF conditions can you have (per rule)?
10
How many WAF rules can you have per ACL?
10 rules per ACL
What’s the purpose of ip-ranges.json file
Contains the latest list of IP addresses used by AWS
If IP address range in which your primary VPC CIDR block is ublicly proutable CIDR block or 100.64.0.0/10 range. Which bloc is permitted for VPC extension?
Any other publicly routable IPv4 CIDR block (non-RFC 1918), or a CIDR block from the 100.64.0.0/10 range.
What is split-view DNS?
Feature that can be used to maintain internal and external versions of the same website or application
Which Load Balancer support source IP preservation?
Network Load Balancer (proxy feature is needed anyway)
Max number of simultaneous connections to each unique destination in NAT Gateway
55,000
This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute).
Does Autonomous System (AS) prepending work if you use a private ASN for a public virtual interface?
NO
Are Route53 health checks supported on UDP ports?
NO
Route53 health check supported protocols?
HTTP, HTTPS, or TCP
Which ELB support millions of session and the preservation of the source IP natively
Network Load Balancer
What’s the scope of DHCP option set?
VPC level (not subnet!)
What sort of encryption does Tape Gateway use?
All data transferred between the gateway and AWS storage is encrypted using SSL
With the enableDnsHostname attribute set to true, what will Amazon will do?
Auto-assign DNS hostnames to Ec2 instances
What exposes the Amazon side of a Virtual Private Network (VPN) connection?
Virtual Private Gateway (VGW)
How many Internet Protocol Security (IPsec) tunnels are available for a single Virtual Private Network (VPN) connection?
2
When setting up a client-to-site VPN using EC2 instance to access AWS resources, what configuration would be preferable considering the security and management?
Configure the client software to use an EC2 elastic IP as the VPN termination endpoint. Turn on EC2 auto-recovery on this instance.
You are deploying an application on multiple EC2 instances. The application must be U.S. Health Insurance Portability and Accountability Act (HIPAA) compliant and requires end-to-end encryption in motion. The application runs on Transmission Control Protocol (TCP) port 7128. What is the most effective way to deploy the application?
Use SSL to encrypt traffic at the application layer
Which parameter is automatically generated by AWS and you can not change it when you create a Virtual Private Network (VPN) connection to a Virtual Private Gateway (VGW)?
VGW Public IPs
Can you access VPC Gateway Endpoint via Private VIF?
NO
Can you access VPC Interface Endpoint via Private VIF?
YES
You have a hybrid IT application that requires access to Amazon DynamoDB. You have set up AWS Direct Connect between your data center and AWS. All data written to Amazon DynamoDB should be encrypted as it is written to the database. How will you enable connectivity from the on-premises application to Amazon DynamoDB in most simple and cost effective way?
You can use a public VIF to access Amazon DynamoDB. You can use Amazon DynamoDB client libraries to encrypt traffic as it is being written to the database.
You elect to use an AWS Direct Connect public Virtual Interface (VIF) to carry an IP Security (IPsec) Virtual Private Network (VPN) from your VPC VGW to your customer gateway. What rate is charged for all of the data transfer OUT over the VPN?
AWS has different Data transfer Out (DTO) charges depending on the source and destination of the traffic. Typically for Site-to-Site VPN (withour Direct Connect), its a standard internet DTO which is $0.09/GB. However if you configure VPN over DirectConnect connection then you get benefit of reduced data transfer charges which is typically $0.02/GB
A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the data privately in an S3 bucket that the company created. The company has set up an AWS Direct Connect connection with a private VIF to connect the on-premises data center to a VPC. The network engineer plans to use this Direct Connect connection for the hybrid cloud setup. The solution must be highly available. What should the network engineer do next to implement this architecture?
Configure an S3 interface endpoint in the VPC. Configure the S3 interface endpoint DNS name in the on-premises application
A company is migrating many applications from two on-premises data centers to AWS. The company’s network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2. The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs. The Direct Connect gateway is associated with transit gateways that are deployed in each Region. All traffic to and from AWS must travel through the first data center. In the event of failure, the second data center must take over the traffic. How should the network team configure BGP to meet these requirements?
Configure the local BGP community tag 7224:7300 for the transit VIF connected to the first AWS Direct Connect connection. By default, AWS uses the distance from the local AWS Region to the Direct Connect location to determine the VIF or transit VIF for routing. You can modify this behavior by assigning local preference communities to VIFs. This question asks for the VIF in Direct Connect connection 1 to have a higher preference. AWS supports the 7224:7300 local preference tag for high-preference use cases.
You are using Amazon CloudFront for your website. A user requests content, which is routed to a local edge location. What happens before the requested content is available at that edge location?
If the content is already in the edge location with the lowest latency, Amazon Cloud- Front delivers it immediately. If the content is not currently in that edge location, Amazon CloudFront retrieves it from the origin server to deliver.
What is the default expiry time for an Amazon CloudFront cache?
24H
What does the Amazon CloudFront invalidation feature do?
This feature removes the object from every Amazon CloudFront edge location regardless of the expiration period that you set for that object on your origin server.
What does an Amazon CloudFront cache behavior do?
You control which requests are served by which origin and how requests are cached using a feature called cache behaviors.
When adding an alternate domain to your Amazon CloudFront distribution, the wildcard * can be used to do what?
When you add alternate domain names, you can use the wildcard * at the beginning of a domain name instead of specifying subdomains individually.
When using AWS Certification Manager (ACM) and Amazon CloudFront, you configured your certificate within ACM. When you try to enable Amazon CloudFront, however, you do not see the certificate available for use. What could be the problem?
To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) Region.
How can you use the wildcard * when invalidating objects with Amazon CloudFront?
To invalidate objects, you can specify either the path for individual objects or a path that ends with the * wildcard, which might apply to one object or many objects.
Which feature allows you to restrict access to your Amazon Simple Storage Service (Amazon S3) bucket to Amazon CloudFront distributions that you control?
Origin Access Control (OAC) - special Amazon CloudFront feature that you can associate with your CloudFront Distribution and restrict access to S3 bucket only from this CloudFront Distribution
What is the charge for data transfer out from Amazon S3 to Amazon CloudFront?
Data transfer from Amazon S3 to Amazon CloudFront is not charged
A gaming company is planning to launch a globally available game that is hosted in one AWS Region. The game backend is hosted on Amazon EC2 instances that are part of an Auto Scaling group. The game uses the gRPC protocol for bidirectional streaming between game clients and the backend. The company needs to filter incoming traffic based on the source IP address to protect the game. Which solution will meet these requirements?
AWS Global Accelerator will provide low-latency endpoints to the global users of the game. The accelerator also will route the traffic over the AWS network backbone to the AWS Region that is hosting the game. ALB will support the use of the gRPC protocol and client IP address preservation. ALB will distribute traffic to the Amazon EC2 instances in the Auto Scaling group to support the game’s load. The association of an AWS WAF web ACL with the ALB will provide the required IP filtering.
A company hosts its ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances are in a private subnet with the default DHCP options set. Internet connectivity is through a NAT gateway that is configured in the public subnet. A third-party audit of the security infrastructure identifies a DNS exfiltration vulnerability. The company must implement a highly available solution that protects against this vulnerability. Which solution will meet these requirements MOST cost-effectively?
With Amazon Route 53 Resolver DNS Firewall, you can monitor and control the domains that applications in your VPCs can access. DNS Firewall supports the use of allow lists or deny lists to filter the set of domains that you can use. This solution can effectively prevent the use of DNS queries to exfiltrate data.
What is Amazon VPC CNI?
Plugin for Kubernetes is the networking plugin for Pod networking in Amazon EKS clusters. The plugin is responsible for allocating VPC IP addresses to Kubernetes nodes and configuring the necessary networking for Pods on each node
Which address is used when POD (EKS) communicates to outside of it’s own VPC?
Amazon VPC CNI plugin translates the pod’s IPv4 address of the primary ENI of the node that the pod is running on
What EKS Multus CNI is used for?
Enables customers to attach multiple network interfaces and apply advanced network configuration to Kubernetes-based applications.
A company has decided to adopt IPv6 for its network. As an intermediary step in the path to fully adopting IPv6, the company is looking for dual-stack IPv4/IPv6 designs. To kickstart the change, the company has picked a straightforward hybrid network that consists of an on-premises connection to AWS over a Site-to-Site VPN connection via a Transit Gateway and an AWS Direct Connect connection between AWS and the on-premises data center.
As a Network Engineer, which measures would you suggest to meet the given requirements?
- To configure an IPv6-enabled VPC attachment for the Transit Gateway, the VPC and the attachment subnets need to have associated IPv6 CIDRs. The remaining Transit Gateway configurations continue to have the same functionalities across both stacks
- For dual-stack connectivity on the Site-to-Site VPN connection via a Transit Gateway, you need to create two VPN connections, one for the IPv4 and one for the IPv6 stack
- For AWS Direct Connect connection, reuse your existing VIFs and enable them for dual-stack support
A company has a Direct Connect connection between its on-premises data center and its VPC on the AWS Cloud. An application running on an EC2 instance in the VPC needs to access customer data stored in the on-premises data center with consistent performance. To meet the compliance guidelines, the data should remain encrypted during this operation.
As an AWS Certified Networking Specialist, which solutions would you recommend to address these requirements?
Set up a public VIF on the Direct Connect connection. Create an AWS Site-to-site VPN between customer gateway and the VGW in the VPC.
A developer has configured a private hosted zone using Route 53. The developer needs to configure health checks for record sets within the private hosted zone that are associated with EC2 instances.
How can the developer build a solution to address the given use-case?
Set up a Cloud Watch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then configure a health check that monitors the state of the alarm.
A company has a three-tier web application with separate subnets for Web, Application and Database tiers. The CTO at the company wants to monitor any malicious activity targeting the web application running on EC2 instances. As a network engineer, you have been tasked with developing a solution to notify the network security team in case the network exposure of EC2 instances on specific ports violates the security policies of the company.
Which AWS Services would you use to build such an automated notification system that requires the least development effort?
- Amazon Inspector
- Amazon SNS
A retail company has set up an AWS Direct Connect connection which includes a private Virtual Interface (VIF) and a VPN connection to the on-premises data center. On the AWS side, the application environment is contained in a VPC and includes a virtual private gateway.
For traffic originating in the VPC, what is the order of BGP path selection from the MOST preferred to the LEAST preferred?
Longest prefix match, Static routes, Direct-Connect routes, VPN BGP routes
A company has set up a network having two Transit Gateways configured as follows: Transit Gateway 1 is in AWS region 1 and has two VPC attachments connecting to VPC A and VPC B respectively. Transit Gateway 2 is in AWS region 2 and has one Site-to-Site VPN attachment to the corporate network and an AWS Direct Connect connection to the corporate data center. A service discovery application has been proposed that will be added to Transit Gateway 1 and it needs to connect to Transit Gateway 2. To support service discovery multicast traffic will be routed across the network.
As a Network Engineer, what would you identify as the correct option for the given use case?
Multicast traffic is only supported within and between VPC attachments to a Transit Gateway. Hence, peering at Transit Gateways across regions will not work in this scenario
An analytics company uses Amazon QuickSight (Enterprise Edition) to easily create and publish interactive BI dashboards that can be accessed from any device. For a specific requirement, the company needs to create a private connection from Amazon QuickSight to an Amazon RDS DB instance that’s in a private subnet to fetch data for analysis.
What represents an optimal solution for configuring a private connection between QuickSight and Amazon RDS DB instance?
Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new security group with necessary inbound rules for QuickSight in the same VPC. Sign in to QuickSight as a QuickSight admin and create a new QuickSight VPC connection. Create a new dataset from the RDS DB instance.
A Network Engineer is setting up DNS failover configuration for Route 53. The engineer needs to use multiple routing policies (such as latency-based and weighted) to configure a more complex DNS failover.
What are the key points to consider while configuring a failover configuration on Route 53?
- records without a health check are always considered healthy. If no record is healthy, all records are deemed to be healthy
- if you’re creating failover records in a private hosted zone, you must assign a public IP address to an instance in the VPC to check the health of an endpoint within a VPC by IP address
A VPC peering connection exists between VPC A and VPC B. The network team has added the following additional configurations to the existing peering connection:
VPC A has an AWS Direct Connect connection to a corporate network
VPC A has a VPC gateway endpoint that connects it to Amazon S3
What will be the outcome?
- Traffic from the corporate network cannot directly access VPC B by using the AWS Direct Connect connection to VPC A
- VPC B can’t directly access Amazon S3 using the VPC gateway endpoint connection to VPC A
A VPC is deployed with a 10.2.0.0/16 CIDR block. The networking team is reviewing DHCP options, and there is disagreement about the valid DNS addresses available for the VPC.
Which addresses are valid IP addresses provided by Amazon for this scenario?
10.2.0.2
169.254.169.253
An e-commerce company has its technology infrastructure deployed in hybrid mode with applications running in a single AWS Region as well as its on-premises data center. The company has a 10 Gbps AWS Direct Connect connection from the data center to AWS that is 70% utilized. The company wants to deploy a new flagship application on AWS that will connect with existing applications running on-premises. The application SLA requires a minimum of 99.9% network uptime between the on-premises data center and the AWS Cloud. The company has an AWS Enterprise Support plan.
Which options would you recommend as the MOST cost-effective solution to address this requirement?
Purchase another 10 Gbps Direct Connect dedicated connection from AWS in a different Direct Connect location that terminates in the associated AWS Region. Set up a new virtual interface (VIF) to the existing VPC and use BGP for load balancing
The networking team at a global company has set up separate VPCs for applications managed by the Finance, Marketing, Audit and HR departments. You need to set up AWS Direct Connect to enable data flow from the on-premises data center to each of these VPCs. The company has monitoring software running in the Audit department’s VPC that needs to collect metrics from the instances in all the other VPCs.
Due to budget constraints, the data transfer charges should be kept to a minimum. Which solutions would you recommend for the given requirement?
Create four private VIFs, that is, one VIF each from the on-premises data center to each of the VPCs. Enable VPC peering between all VPCs
The networking team at a company wants to set up an AWS Site-to-Site VPN connection between its on-premises data center and the AWS Cloud. The VPN connection should use dynamic routing and the team wants to make sure that tunnel A is preferred over tunnel B when sending traffic from AWS to the on-premises network.
Which solution would you recommend for this requirement?
Configure the VPN connection in an Active/Active configuration and advertise a more specific prefix for tunnel A
The networking team at a company wants to set up two AWS Direct Connect connections between its on-premises data center and the AWS Cloud. The Direct Connect connections need to be set up in an Active/Active configuration from a public virtual interface using a public ASN.
As an AWS Certified Networking Specialist, which solution would you recommend for this requirement?
Configure your customer gateway to advertise the same prefix with the same Border Gateway Protocol (BGP) attributes on both public virtual interfaces
A retail company operates its IT infrastructure in a hybrid cloud configuration with the on-premises data center connected to the AWS Cloud via an AWS Site-to-Site VPN connection. The networking team has set up an AWS VPC with a CIDR range of 172.31.0.0/16 and the on-premises network has a CIDR range of 172.31.1.0/24. The VPC’s route table also has a propagated route to a virtual private gateway with a destination of 172.31.1.0/24.
Which options represents a correct statement regarding the routing for traffic destined to the on-premises network?
The on-premises network would be unreachable as the local route would be preferred for all traffic destined for 172.31.1.0/24
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?
Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?
Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.
Which solution will meet these requirements?
Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit’s applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider’s customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider’s AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider’s SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements?
- Deploy the SaaS service endpoint behind a Network Load Balancer.
- Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
A network engineer is designing the architecture for a healthcare company’s workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload?
- Use AWS Direct Connect with MACsec support for connectivity to the cloud.
- Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
- Configure AWS Shield Advanced and ensure that it is configured on all public assets.
A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway?
- Enable VPC flow logs on the NAT gateway’s elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
- Enable VPC flow logs on the NAT gateway’s elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider’s API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company’s servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers.
Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems.
Which combination of steps will meet these requirements?
- Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution.
- Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.
An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?
Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB’s target group.
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?
Change the router configurations to summarize the advertised routes.
A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?
Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.
In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements?
- Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
- Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
- Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.
An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company’s infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through Its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service providers.
The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols for reliable transmission of the data they collect. The IoT devices have both landline and mobile internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions. The company will use Amazon Route 53 for DNS services.
A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud.
Which solution will meet these requirements with the HIGHEST availability?
Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health checks.
A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.
Which solution will meet these requirements while providing the HIGHEST throughput?
Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.
A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back.
What should the network engineer do to resolve the error?
Add the DependsOn attribute to the resource declaration for the route table entry. Specify the virtual private gateway resource.
A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic.
Which solution will meet these requirements?
Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB. deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone for aws.example.com to host the VPC resources.
The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. The company’s on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in the VPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the on-premises data center. The company has deckled to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints.
Which combination of steps should a network engineer take to make this replacement?
- Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
- Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.
- Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.
A government contractor is designing a multi-account environment with multiple VPCs for a customer. A network security policy requires all traffic between any two VPCs to be transparently inspected by a third-party appliance.
The customer wants a solution that features AWS Transit Gateway. The setup must be highly available across multiple Availability Zones, and the solution needs to support automated failover. Furthermore, asymmetric routing is not supported by the inspection appliances.
Which combination of steps is part of a solution that meets these requirements?
- Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group. Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s transit gateway subnet toward the Gateway Load Balancer endpoint.
- Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.
A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company’s on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.
The on-premises data center’s customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.
Which solution will meet these requirements with the LEAST amount of operational overhead?
Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps.
The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architecture and allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers. This traffic will increase over time.
Which solution will meet these requirements?
Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transit gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.
A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?
Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company’s customers access the website by using service example.com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement?
Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group.
The company’s operations team notices that traffic is being routed only to the instances in the first Availability Zone.
What is the MOST operationally efficient solution to resolve this issue?
Enable the new Availability Zone on the NLB
A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?
During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool
A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name.
A network engineer is working on a new version of one of the applications. All the application’s components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918.
Components of the application need to be able to access other components of the application within the application’s VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries.
Which combination of steps will meet these requirements?
Create a Route 53 private hosted zone for the same domain name Associate the application’s VPC with the new private hosted zone.
Enable DNS hostnames for the application’s VPC.
Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.
A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application.
Which solution will meet these requirements?
Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.
A company’s development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB).
The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128 0/17.
A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments.
Which solution will meet these requirements?
Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the web service. Create an interface VPC endpoint for the web service in the existing production VPC.
A network engineer needs to update a company’s hybrid network to support IPv6 for the upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The company’s current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company’s on-premises devices have been updated to support the new IPv6 requirements.
The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets.
When updating the hybrid network to support IPv6 the network engineer must avoid making any changes to the current infrastructure. The network engineer also must block direct access to the instances’ new IPv6 addresses from the internet. However, the network engineer must allow outbound internet access from the instances.
What is the MOST operationally efficient solution that meets these requirements?
Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices
What is Perfect Forward Secrecy?
Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.
A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?
Change the ALB security policy to a policy that supports forward secrecy (FS)
A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?
Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway.
Which solution will meet these requirements?
Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.
A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission.
How should a network engineer configure the AWS resources to meet these requirements?
Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public websites. The application requires the customer’s source IP addresses.
A network engineer must implement a load balancing strategy that meets these requirements.
Which combination of actions should the network engineer take to accomplish this goal?
Retrieve client IP addresses by using the X-Forwarded-For header
Use an Application Load Balancer.
A company is migrating its containerized application to AWS. For the architecture the company will have an ingress VPC with a Network Load Balancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the application will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include an NLB that distributes traffic to the services pods in an EKS cluster.
The company is concerned about overall cost. User traffic will be responsible for more than 10 TB of data transfer from the ingress VPC to services VPCs every month. A network engineer needs to recommend how to design the communication between the VPCs.
Which solution will meet these requirements at the LOWEST cost?
Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs. Use zonal DNS names for the NLB in the services VPCs to minimize cross-AZ traffic from the ingress VPC to the services VPCs.
A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east west (VPC-to-VPC) traffic.
Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations and network ACLs as the cause of the dropped traffic.
What is causing the traffic to drop?
Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.
A company has hundreds of Amazon EC2 instances that are running in two production VPCs across all Availability Zones in the us-east-1 Region. The production VPCs are named
VPC A and VPC B.
A new security regulation requires all traffic between production VPCs to be inspected before the traffic is routed to its final destination. The company deploys a new shared VPC that contains a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCs to route traffic between VPC A and VPC B through the firewall appliance for inspection. During testing, the company notices that the transit gateway is dropping the traffic whenever the traffic is between two Availability Zones.
What should a network engineer do to fix this issue with the LEAST management overhead?
Enable transit gateway appliance mode on the VPC attachment in the shared VPC.
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?
Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
A security team is performing an audit of a company’s AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured.
The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?
Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven times during the company’s peak event at the end of the year.
The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries to the default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domain names. The company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDS and S3 bucket endpoints.
Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?
Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for on premises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-based DNS servers. Terminate the EC2 instances.
A company’s network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway.
The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failover data center only in the case of an outage.
Which solution will meet these requirements?
Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes from the failover data center to 7224:7100
A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification update metadata in DynamoDB and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?
Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.
A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1.
The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency.
How should the network engineer design the network architecture to meet these requirements?
Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which are possible causes of this problem?
The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.
There is no interface VPC endpoint configured for Amazon SQS
A network engineer needs to standardize a company’s approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company’s network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet.
What should the network engineer do to meet these requirements?
In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
A development team is building a new web application in the AWS Cloud. The main company domain, example.com, is currently hosted in an Amazon Route 53 public hosted zone in one of the company’s production AWS accounts.
The developers want to test the web application in the company’s staging AWS account by using publicly resolvable subdomains under the example.com domain with the ability to create and delete DNS records as needed. Developers have full access to Route 53 hosted zones within the staging account, but they are prohibited from accessing resources in any of the production AWS accounts.
Which combination of steps should a network engineer take to allow the developers to create records under the example com domain?
Create a staging.example.com NS record in the example.com domain. Populate the value with the name servers from the staging.example.com domain. Set the routing policy type to simple routing.
Create a public hosted zone for staging.example.com in the staging account.
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route.
The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost.
Which solution will meet these requirements?
Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3
A company has two AWS accounts one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
- In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID Enable the feature to allow external accounts.
- In the Production account: Accept the resource.
- In the Production account: Create an attachment to the VPC subnets.
- In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware.
Which solution will meet this requirement with the LEAST operational effort?
Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB.
The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process.
What should a network engineer do to resolve this issue?
Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.
Which configuration change should a network engineer implement to resolve this issue?
Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?
Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company’s data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?
Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead.
Which solution will meet these requirements?
Use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are generating the suspicious traffic.
A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2.
A network engineer must implement connectivity between VPC-B and the on-premises data center in Dublin.
Which solutions will meet these requirements?
Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block under the allowed prefixes.
Configure inter-Region transit gateway peering between TGW-A and TGW-B. Add the peering routes in the transit gateway route tables. Add both the VPC-A and the VPC-B CIDR block under the allowed prefix list in the Direct Connect gateway association.
A company’s network engineer is designing a hybrid DNS solution for an AWS Cloud workload. Individual teams want to manage their own DNS hostnames for their applications in their development environment. The solution must integrate the application-specific hostnames with the centrally managed DNS hostnames from the on-premises network and must provide bidirectional name resolution. The solution also must minimize management overhead.
Which combination of steps should the network engineer take to meet these requirements?
Use an Amazon Route 53 Resolver inbound endpoint.
Use an Amazon Route 53 Resolver outbound endpoint.
Create Amazon Route 53 private hosted zones.
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?
Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
A cybersecurity company has its flagship application running on EC2 instances in a VPC and the application must publish custom metrics with proprietary information to CloudWatch in the same AWS Region. All connectivity must be established using private IP addresses.
Which option will address these requirements?
Connect the application to CloudWatch using an interface endpoint
An e-commerce company has built a hub-and-spoke network using AWS Transit Gateway. VPCs have been provisioned into multiple AWS accounts to facilitate network isolation and to enable delegated network administration. The organization is looking at a cost-effective, quick and secure way of maintaining this distributed architecture so that it provides access to services required by workloads in each of the VPCs.
As an AWS Certified Networking Specialist, which solution would you suggest for the given use case?
Use Centralized VPC Endpoints for connecting with multiple VPCs, also known as shared services VPC.
The networking team at a company has provisioned a new EC2 instance A by choosing the default security group of the default VPC. The team can ping instance A from other instances in the VPC. These other instances were also created using the default security group. The next day, the team launches another instance B by creating a new security group and attaching it to instance B. All other configuration options for instance B are chosen as default. However, the team is not able to ping instance B from other instances in the VPC.
As an AWS Certified Networking Specialist, which option you identify as the root cause of the issue?
Instance A is in the default security group. The default rules for the default security group allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group. Instance B is in a new security group. The default rules for a security group that you create allow no inbound traffic
An e-commerce company is building a hybrid Payment Card Industry Data Security Standard (PCI-DSS) compliant application that runs in the us-east-1 Region as well as on-premises. The application sends access logs from all locations to a single S3 bucket in the us-east-1 Region. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How would you configure the network to address these requirements?
Create a private virtual interface to a Direct Connect connection in us-east-1. Set up a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access S3
A network engineer at a social media company needs to monitor and analyze the DNS traffic. The company uses Route 53 as the DNS service for its public-hosted zone. All DNS queries must be captured for future analysis.
As an AWS Certified Networking Specialist, what would you suggest for the given requirement?
Use Route 53 query logging to log information to CloudWatch Logs about the Route 53 DNS queries
A retail company has applications deployed in two different AWS Regions. These applications must securely communicate with each other by VPN. According to the organization’s security team, the VPN must meet the following requirements:
AES 128-bit encryption
SHA-1 hashing
User access via SSL VPN
PFS using DH Group 2
Ability to maintain/rotate keys and passwords
Certificate-based authentication
Which solution would you recommend to address these requirements?
Third-party software VPN solution deployed from the AWS Marketplace
aA retail company has its corporate headquarters in New York with an on-premises data center using an AWS Direct Connect connection to the AWS VPC. The branch offices in San Francisco and Miami use Site-to-Site VPN connections to connect to the AWS VPC. The company is looking for a solution to have the branch offices send and receive data with each other as well as with their corporate headquarters.
As an AWS Certified Networking Specialist, what option would you suggest to address the given requirements?
Set up VPN CloudHub between branch offices and corporate headquarters which will enable branch offices to send and receive data with each other as well as with their corporate headquarters
A company is deploying a critical application on multiple EC2 instances in a VPC. Per the company policy, any failed client connections to the EC2 instances must be logged.
Which option would you recommend as the MOST cost-effective solution to address these requirements?
Set up VPC Flow Logs for the elastic network interfaces associated with the instances and configure the VPC Flow Logs to be filtered for rejected traffic. Publish the Flow Logs to CloudWatch Logs
A company operates a hybrid cloud infrastructure between its on-premises data center and AWS VPC using Direct Connect. The company wants to automate the provisioning of infrastructure for its flagship application. The security policy mandates that all traffic from AWS be routed through on-premises data center firewalls and also prohibits using a VPC internet gateway for internet access. The company enforces the use of a forward proxy server for all outbound network traffic. The networking team has validated that all resources inside the VPC are able to reach the on-premises servers. However, all package updates over the internet for EC2 Linux instances are failing and sending errors.
Which option represent the root cause behind these errors?
The EC2 instances are not configured to use the proxy server running in the data center for traffic on TCP port 80
You are configuring a VPN to AWS for your company. You have configured the Virtual Private Gateway (VGW) and the Customer Gateway (CGW). You have also run the necessary commands on your router for the VPN. You allowed all TCP and UDP traffic between your data center and your VPC. The tunnel still doesn’t get established.
What is the most likely cause behind this issue?
Traffic on Protocol 50 is being blocked by the firewall
For the safety of critical applications, the networking team at a company has implemented a host-based firewall on all of the Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. A new requirement needs the instance metadata.
Which firewall rule should be added to the instances to allow instance metadata access?
Outbound; Protocol TCP; Destination 169.254.169.254; Destination port 80
A business has a web application (store.mybusiness.com) running on an EC2 instance with a single elastic network interface in a subnet in a VPC. As part of the network re-architecture, the CTO at the company wants the web application to be moved to a different subnet in the same Availability Zone.
Which solution would you suggest to meet these requirements?
Launch a new instance in the new subnet via an AMI created from the old instance. Direct traffic to this new instance using Route 53 and then terminate the old instance
The networking team at a company wants to set up an AWS Site-to-Site VPN connection between its on-premises data center and the AWS Cloud. The VPN connection should use static routing and the team wants to make sure that tunnel A is preferred over tunnel B when sending traffic from AWS to the on-premises network.
Which solution would you recommend for this requirement?
Configure the VPN connection in an Active/Passive configuration by assigning a higher priority to tunnel A while configuring the static routes
A social media company has installed an AWS Site-to-Site VPN and the networking team has noticed that the VPN tunnel is unstable or the tunnel status is frequently down on the customer gateway device.
Which steps should the networking team take to address this issue?
Create a host that sends ICMP requests to an instance in your VPC every 5 seconds
Customer gateway device is configured to receive and respond to dead peer detection (DPD) messages
The networking team at a retail company is configuring a virtual interface for accessing your VPC on a newly provisioned 10-Gbps AWS Direct Connect connection.
Which configuration values do you need to provide?
Virtual private gateway
Virtual local area network (VLAN) ID
A social media company is planning to release the major upgrade of its flagship application in a week. The development team is testing the alpha release of the application running on 10 EC2 instances managed by an Auto Scaling group in subnet 172.10.0.0/24 within VPC A having CIDR block 172.10.0.0/16. The team has noticed connection timeout errors in the application logs while connecting to a MySQL database running on an EC2 instance in the same region in subnet 172.40.0.0/24 within VPC B having CIDR block 172.40.0.0/16. The IP of the database instance is hard-coded in the application instances.
As a Networking Specialist, which solution would you suggest to the development team to solve the problem securely with minimal maintenance and overhead?
Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC A that points to the IP address range of 172.40.0.0/16
Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC B that points to the IP address range of 172.10.0.0/16
A company is using AWS Local Zones to bring cloud resources closer to the end-users to ensure very low latency access to the required resources. The company is looking at adding Elastic Load Balancing for enhanced security and performance.
Which statements are relevant for configuring the ELB correctly?
Only Application Load Balancer (ALB) supports Local Zones
You cannot use a Lambda function as a target when using Local Zone subnets for configuring the ELB
A company has three VPCs: X, Y, and Z. VPCs X and Z are both peered with VPC Y. The IP address ranges are as follows:
VPC X: 10.1.0.0/16
VPC Y: 192.168.0.0/16
VPC Z: 10.1.0.0/16
Instance x-1 in VPC X has the IP address 10.1.0.10. Instance z-1 in VPC Z has the IP address 10.1.0.10. Instances y-1 and y-2 in VPC Y have the IP addresses 192.168.2.10 and 192.168.2.20 respectively. The instances y-1 and y-2 are in the subnet 192.168.2.0/24.
The networking team at the company has mandated that y-1 must be able to communicate with x-1, and y-2 must be able to communicate with z-1. However, the team has noticed that both y-1 and y-2 are only able to communicate with x-1, instead of y-1 communicating with x-1 and y-2 communicating with z-1.
Which combination of steps will address this issue?
Create two new subnets 192.168.2.0/28 and 192.168.2.16/28 in VPC Y. Move y-1 to subnet 192.168.2.0/28 and y-2 to subnet 192.168.2.16/28 by launching a new instance in the new subnet via an AMI created from the old instance
Create two route tables in VPC Y - one with a route for destination VPC X and another with a route for destination VPC Z
A mobile-app based social media company is using Amazon CloudFront to deliver media-rich content to its audience across the world. The Content Delivery Network (CDN) offers a multi-tier cache by default, with regional edge caches that improve latency and lower the load on the origin servers when the object is not already cached at the edge. However, there are certain content types that bypass the regional edge cache and go directly to the origin.
Which content types skip the regional edge cache?
Dynamic content, as determined at request time (cache-behavior configured to forward all headers)
Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin
The security team in its report has flagged malicious activity from 100 random IP addresses for malicious activity. As a network security engineer, you have to ensure the safety and accessibility of the AWS resources.
What action would you suggest to ensure safety from such types of threats?
Use AWS WAF rate-based rule to block the IP addresses
A Network Engineer is designing a system on AWS that will leverage Amazon CloudFront for content caching and for protecting the underlying origin. The security team has flagged a concern of a probable attack on the origin server IP addresses, despite it being served by CloudFront.
Suggest a solution that provides the strongest level of protection to the origin server?
Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header
The networking team at a company has noticed issues with Quality of Service (QoS) in the traffic to the EC2 instances hosting a VOIP program. The team needs to inspect the network packets to determine if it is a programming error or a networking error.
As an AWS Certified Networking Specialist, what solution would you recommend for the given use case?
Configure traffic mirroring on the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance and stream the logs to an S3 bucket for further analysis
A company has an EC2 instance in a private subnet that has access to the internet via a NAT gateway in another public subnet. This EC2 instance behind the NAT gateway sends a 1 GB file to one of your Amazon Simple Storage Service (Amazon S3) buckets. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS Region (us-east-1) and the NAT gateway as well as the EC2 instance are in the same Availability Zone.
Which factors will contribute to the NAT Gateway cost?
NAT Gateway Hourly Charge
NAT Gateway Data Processing Charge
A company has set up an AWS network consisting of three transit gateways (tgw-1, tgw-2, and tgw-3) each present in different AWS accounts and different AWS Regions. The development team owns transit gateways tgw-1 and tgw-3. Transit gateway tgw-1 has a peering attachment with transit gateway tgw-2 owned by another team. The entire network is within AWS and does not consist of on-premises resources. The company has decided to use Transit Gateway Network Manager for managing the network topology.
What would you identify as the key points of consideration while implementing this requirement?
To enable multi-account functionality in Network Manager, you first need to set up an account in AWS Organizations
Create a global network in Network Manager and register the transit gateways tgw-1 and tgw-3 with your global network
When you register transit gateway tgw-1 in the Network Manager, you can see information about transit gateway tgw-2 in your global network
The networking team at a company needs to automate VPC creation to enforce the company’s network and security standards which mandate that each application is isolated in its own VPC. The solution must also ensure that the CIDR range used in each VPC is unique.
Which options would you recommend to address these requirements?
Deploy the VPC infrastructure using AWS CloudFormation and leverage a custom resource to request a CIDR range from an external IP address management (IPAM) service
An Elastic Load Balancer (ELB) is configured with an Auto Scaling Group (ASG) having a minimum of 4, a maximum of 10, and a desired value of 4 instances. The ASG cooldown and the termination policies are configured to the default values. Monitoring reports indicate a general usage requirement of 4 instances, while any traffic spikes result in an additional 7-8 instances. Customers have been complaining of request timeouts and partially loaded pages.
Which configuration change will you suggest as the first line of troubleshooting to fix this issue?
Configure connection draining on ELB
A company wants to use Amazon S3 to augment its on-premises data store. The company is looking at setting up a Direct Connect connection to provide high bandwidth and low latency access to S3. The company has requested AWS for an AWS-owned address to be used for configuring a Public Virtual Interface (VIF) since the company does not own a publicly routable IPv4 address block.
For the given scenario, what represents a valid security risk to the company?
EC2 instances in the same AWS Region with access to the Internet could directly reach the router
A company wants to establish an AWS Direct Connect link to connect the AWS Cloud with the internal corporate network. Using AWS Direct Connect would enable the company to deliver on its performance benchmark requirements including a three-second or less response time for sending small documents across the internal network. To facilitate this goal, the company wants to be able to resolve DNS queries for any resources in the on-premises network from the AWS VPC and also resolve any DNS queries for resources in the AWS VPC from the on-premises network.
As an AWS Certified Networking Specialist, what solution would you recommend for this use case?
Create an inbound endpoint on Route 53 Resolver and then DNS resolvers on the on-premises network can forward DNS queries to Route 53 Resolver via this endpoint
Create an outbound endpoint on Route 53 Resolver and then Route 53 Resolver can conditionally forward queries to resolvers on the on-premises network via this endpoint
A networking team working in a test environment has noticed inbound traffic in the VPC Flow Logs for a NAT Gateway. The team has connected with you to understand why the NAT gateway is accepting inbound traffic from the internet?
How will you troubleshoot/fix this issue?
NAT gateways managed by AWS don’t accept traffic initiated from the internet. However, if inbound internet traffic is permitted by your security group or Network ACLs then it appears as accepted
A company uses a VPN to connect to its AWS VPC. The CTO at the company wants to provision a 10 Gbps AWS Direct Connect connection for stability and performance. The telecom provider has provisioned the circuit from the company’s data center to an AWS Direct Connect facility and needs information on how to cross-connect (that is, which rack/port to connect).
What is the process mandated by AWS for providing this information?
Provision a new connection via the AWS Management Console and lookout for an email from AWS with the relevant information
An online retail organization runs its e-commerce website on AWS. The Amazon EC2 instances running the application are fronted by an Application Load Balancer (ALB). Amazon Route 53 provides public DNS services. Different URLs (mobile.shopping.com, web.shopping.com, api.shopping.com) will serve the required content to the end-users.
Which combination of services must be used to serve the content correctly to the end-users?
Use Host conditions in ALB listener to route *.shopping.com to appropriate target groups
Use Host conditions in ALB listener to route shopping.com to appropriate target groups
A department in a company has created a new AWS account that is not part of the organization’s consolidated billing family. The department has created a VPC for their workloads. Access is restricted by Network Access Control Lists (NACLs) to the department’s on-premises private IP allocation. An AWS Direct Connect private virtual interface for the VPC advertises a default route to the company’s network.
When the department downloads data from an Amazon Elastic Compute Cloud (EC2) instance hosted in its new VPC, what are the associated charges?
The department pays AWS Direct Connect Data Out charges
A financial services application runs on a fleet of Amazon EC2 instances that are configured with an Auto Scaling Group (ASG). The instances are fronted by an Elastic Load Balancer (ELB). The security team has flagged an exploitable vulnerability in the encryption protocol and cipher that the application uses. The listener of the ELB is configured on an HTTPS protocol.
Which step will you take to secure the application from the newly detected vulnerability?
Change the security policy on the ELB to disable vulnerable protocols and ciphers
A multi-player gaming application that runs on UDP protocol needs to add functionality where you can assign multiple players to a single session on a game server based on factors such as geographic location, player skill, and few more configurable parameters. The application is accessed by players spread out across different regions of the world.
What is the right way to configure this requirement?
Use custom routing accelerator of Global Accelerator to deterministically route one or more users to a specific instance
A media company wants to use AWS Cloudfront to manage its content. Firstly, it would like to allow only those new users who have paid the annual subscription fee the ability to download the application installation file. Secondly, only the subscribers should be able to view the files in the members’ area.
As a Networking Specialist, what would you recommend as the MOST optimal solutions to deliver restricted content to the bona fide end users?
Use CloudFront signed URLs to restrict access to the application installation file
Use CloudFront signed cookies to restrict access to all the files in the members’ area of the website
The development team at a company is deploying a web application in a VPC that requires SSL mutual authentication with a client-side certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application.
Which load balancer protocol should you select for this application?
TCP
An online training application uses CloudFront distribution to share their content stored on Amazon S3 buckets. The team has a requirement to privately share hundreds of documents with some of their customers who will have access to these documents for a pre-defined time. The duration for which the document is shared is not the same for all clients or all documents.
What is the optimal way to configure this requirement with the least effort?
Create a CloudFront signed URL using a canned policy
A financial services company wants to modernize its applications and minimize its data center infrastructure. The company wants to explore a hybrid cloud environment with AWS so that it can start leveraging AWS services for some of its data analytics workflows. The engineering team at the company wants to establish a dedicated, encrypted, low latency, and high throughput connection between its data center and AWS Cloud. The engineering team has set aside sufficient time to account for the operational overhead of establishing this connection.
Which option represent the MOST optimal solution with the LEAST infrastructure set up required for provisioning the end to end connection?
Use AWS Direct Connect along with a site-to-site VPN to establish a connection between the data center and AWS Cloud
A retail company wants to block access to its application from specific countries; however, the company wants to allow its remote testing team (from one of the blocked countries) to have access to the application. The application is deployed on EC2 instances running under an Application Load Balancer (ALB) with AWS WAF.
As a Networking Specialist, what solution would you suggest as the BEST fit for the given use case?
Use WAF geo match statement listing the countries that you want to block
Use WAF IP set statement that specifies the IP addresses that you want to allow through
An IT company is running services in a VPC with a CIDR block of 10.6.0.0/23. Developers have reported that they are unable to provision new resources as some of the subnets in the VPC have run out of IP addresses.
As an AWS Networking Specialist, how would you resolve this issue?
Add 10.6.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet
An organization has a newly installed 1-Gbps AWS Direct Connect connection. The organization has opted to use cross-connect from the Direct Connect location provider to a port on the router in the same facility. To enable the use of the virtual interface, the router must be configured appropriately.
What are the minimum requirements for your router?
1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5
A retail company has a data center with a 2 connection LAG. The networking team at the company wants to add 2 more connections.
How many Letters of Authorization (LOAs) would you need to complete for the given use case?
2
A two-tier application has an Elastic Load Balancing (ELB) load balancer configured in front of the application tier that is driven via RESTful interfaces. The data tier uses RDS MySQL. The company’s new policies require end-to-end encryption of all data in transit.
How will you configure this requirement?
Configure the ELB with a TCP listener. Configure the application instances for SSL termination. Configure RDS for SSL, and use REQUIRE SSL grants
A financial services company is migrating sensitive data from its on-premises data center to AWS Cloud via an existing AWS Direct Connect connection. The company must ensure confidentiality and integrity of the data in transit to the AWS VPC.
Which options should be combined to set up the most cost-effective connection between your on-premises data center and AWS?
Create a VPC with a virtual private gateway
Set up a public virtual interface on the Direct Connect connection
Create an IPsec tunnel between your customer gateway appliance and the virtual private gateway
A company runs a hybrid cloud infrastructure and it has 99 routes in the dynamic BGP propagated route table. The networking team at the company wants to add 2 more routes for 10.1.0.0 and 10.3.0.0. You cannot modify or remove routes that have already been announced.
Which solution will you recommend?
Summarize the two routes to combine them into one and advertise it
The CTO at an e-commerce company is pursuing an IT re-engineering effort to migrate from multiple on-premises data centers to the AWS Cloud. The current on-premises data centers are in different locations and are inter-linked via a private fiber. Due to the unique constraints of the existing legacy applications, using NAT is not an option. During the migration period, many critical applications will need access to other applications deployed in both the on-premises data centers and AWS Cloud.
As an AWS Certified Networking Specialist, which option would you suggest to set up a hybrid network architecture that is highly available and supports high bandwidth for a multi-Region deployment post-migration?
Set up a Direct Connect to each on-premises data center from different service providers and configure routing to failover to the other on-premises data center’s Direct Connect in case one connection fails. Make sure that no VPC CIDR blocks overlap one another or the on-premises network
A health care company has two web applications and wants to run them in separate, isolated VPCs. The company is looking at using Elastic Load Balancing to distribute requests between application instances. The security and compliance team at the company has imposed the following restrictions:
Inbound HTTP requests to the application must be routed through a centralized VPC
Application VPCs must not be exposed to any other inbound traffic
Application VPCs cannot be allowed to initiate any outbound connections
Internet gateways must not be attached to the application VPCs
What solution would you recommend to address these requirements?
Configure the applications behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to route application traffic to the corresponding target group through the ALB
A company manages more than 500 public web applications on AWS Cloud which are deployed in a single AWS Region. The fully qualified domain names (FQDNs) of all of the applications are configured to use HTTPS and are served via Application Load Balancers (ALBs). These ALBs are configured to use public SSL/TLS certificates. The company has hired you to migrate the web applications to a multi-Region architecture. You must ensure that all HTTPS services continue to work without interruption.
Which solution would you suggest to address these requirements?
Generate a separate certificate for each FQDN in each AWS Region using AWS Certificate Manager. Associate the certificates with the corresponding ALBs in the relevant AWS Region
The networking team at a global social gaming company has been tasked to reduce the in-game latency and jitters. The team wants traffic from its end users to be routed to the AWS Region that is closest to the end users geographically. When maintenance occurs in an AWS Region, traffic must be routed to the next closest AWS Region with no changes to the IP addresses being used as connections by the end-users.
Which solution will you suggest to address these requirements?
Set up AWS Global Accelerator in front of all the AWS Regions
The networking team at a company wants to set up two AWS Direct Connect connections between its on-premises data center and the AWS Cloud. The Direct Connect connections need to be set up in an Active/Passive configuration from a public virtual interface using a private ASN.
As an AWS Certified Networking Specialist, which solution would you recommend for this requirement?
Set up the customer gateway to advertise the longer prefix on your primary connection
An application’s EC2 instances are located in a private subnet and these instances access sensitive data in S3 via a NAT gateway deployed in a public subnet. The S3 bucket is located in the same AWS Region as the EC2 instances. The development team at the company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
As an AWS Certified Networking Specialist, what solution would you suggest to meet these requirements?
Set up an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint
As Network Engineer, you have just set up AWS WAF. You now need to configure WAF for comprehensive logging to store logs in Amazon S3 buckets.
Which AWS services do you need to enable WAF comprehensive logging?
AWS WAF, Kinesis Data Firehose, Amazon S3
The networking team at an e-commerce company has created a VPC with CIDR 21.5.0.0/16 with only a private subnet and VPN connection to the on-premises data center using the AWS VPC wizard. The team wants to connect to the instance in a private subnet over SSH.
How would you define the security rule for SSH?
Allow Inbound traffic on port 22 from the on-premises network
Consider a scenario where an EC2 instance in a private subnet reaches out to the internet via a NAT gateway in a public subnet. The EC2 instance sends a 1 GB file to one of the Amazon Simple Storage Service (Amazon S3) buckets via the NAT gateway. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS region. The NAT gateway and EC2 instance are in the same Availability Zone.
Which costs should be included when the total cost of this file transfer is calculated?
NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway
A company facilitates best-in-class sports broadcasting via its flagship application. Users access the content from different platforms including mobile, tablet, and desktop. Each platform is customized to provide a different user experience based on various viewing modes. Path-based headers are used to serve the content for different platforms, hosted on different Amazon EC2 instances. An Auto Scaling group (ASG) has also been configured for the EC2 instances to ensure that the solution is highly scalable.
Which combination of services can help minimize the cost while maximizing the performance?
Amazon CloudFront with Lambda@Edge
Application Load Balancer
A retail company wants to set up a hybrid cloud infrastructure between AWS Cloud and on-premises data center using Direct Connect as well as AWS Site-to-Site VPN. The networking team is working on configuring routing for this infrastructure and needs assistance with respect to the correct priority order for propagated and static routes for Direct Connect and Site-to-Site VPN when the prefixes are the same.
As an AWS Certified Networking Specialist, what would you identify as the correct order of priority from the most preferred to the least preferred?
BGP propagated routes from an AWS Direct Connect connection > Manually added static routes for a Site-to-Site VPN connection > BGP propagated routes from a Site-to-Site VPN connection
A retail company has set up an AWS Site-to-Site VPN as well as an AWS Direct Connect connection between its on-premises data center and AWS Cloud. The VPN uses dynamic routing. The networking team wants all traffic to use the Direct Connect connection and configure the VPN as a backup.
What would you do to route the traffic through Direct Connect as a preferred connection?
Use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC
Advertise the same prefix for Direct Connect and the VPN
An ecommerce company has a hybrid environment between its on-premises data center and the AWS Cloud. The company wants to use the Elastic File System (EFS) to store and share data between the on-premises applications that need to resolve DNS queries through the on-premises DNS servers. The company wants to use a custom domain name to connect to EFS. The company also wants to avoid using the Amazon EFS target IP address.
What solution would you recommend to address these requirements?
Set up a Route 53 Resolver inbound endpoint and configure it for the EFS-specific VPC. Set up a Route 53 private hosted zone and add a new CNAME record with the value of the EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone
A development team is looking at connecting their Amazon EC2 instances to the confidential data stored on Amazon S3 storage. The team has a requirement to use private IP addresses from their VPC to access Amazon S3 while also having the ability to access S3 buckets from their on-premises systems. In a few months, the S3 buckets will also be accessed from a VPC in another AWS Region.
What is the right way to configure the team’s requirement?
Configure Interface endpoints for Amazon S3
A social media company is delivering web content from an Amazon EC2 instance in a public subnet with address 2021:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:
2 098765432112 eni-0596e500987654321 2021:db8:2:200::2 2021:db8:1:100::1 0 0 58 236 42336 1551200195 1551200434 ACCEPT OK 2 098765432112 eni-0596e500987654321 2021:db8:1:100::1 2021:db8:2:200::2 0 0 58 236 42336 1551200195 1551200434 REJECT OK
What action will restore network reachability to the EC2 instance?
Update the network ACL associated with the subnet to allow outbound traffic
An ecommerce company is migrating its legacy web application to the AWS Cloud. Since the application is complex and may take several months to refactor, the CTO at the company tasked the development team to build an ad-hoc solution of using CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed. The ad-hoc solution has worked for several weeks, however, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header “X-Cache: Error from CloudFront”. Network monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.
Which attribute as the likely cause of the error and what is the solution to address this issue?
The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server
The networking team at a company wants to do a Simple AD deployment and use it for the company’s Microsoft Exchange email server. The team is having issues finding the AD server.
What is the most probable root cause behind this issue?
Simple AD does not support Microsoft Exchange
A retail company operates its IT infrastructure in a hybrid cloud configuration with the on-premises data center connected to the AWS Cloud via an AWS Site-to-Site VPN connection. The networking team has set up an AWS VPC with a CIDR range of 10.0.0.0/16 and the on-premises network has a CIDR range of 172.31.0.0/24. The VPC’s route table also has a static route to an internet gateway and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24.
What represent a correct statement regarding the routing for traffic destined to the on-premises network?
All traffic destined for 172.31.0.0/24 is routed via the internet gateway
A multi-national retail company runs a web service that is used by client applications deployed in multiple offices worldwide. The application architecture consists of an Elastic Load Balancer (ELB) distributing traffic across ten application servers deployed in an Auto Scaling group across two Availability Zones. The ELB uses round-robin configuration with no sticky sessions. The networking team has configured the NACLs and security groups to allow port 22 from a NAT instance being used as a jump host, and also allow port 80 from 0.0.0.0/0. The client configuration is managed by each regional IT team. The networking team has noticed that a significant number of requests from incorrectly configured client sites are causing a single application server to degrade. The remainder of the requests are equally distributed across all servers with no negative effects.
As an AWS Certified Networking Specialist, what would you suggest to remedy the situation and prevent future occurrences?
Update the Security Groups for the application servers to only allow incoming traffic on port 80 from the ELB
pharma company is building hybrid connectivity between an on-premises location and the AWS cloud. This connectivity will be used by a critical application to access data from Amazon EC2 instances in multiple VPCs. The project team has configured a dual Site-to-Site VPN terminating on an AWS Transit Gateway with VPN dead peer detection for resiliency. After the deployment, the application team raises concerns about the application performance on Site-to-Site VPN links. On-premises location is using IPCIDR block of 10.20.30.0/24. As a consultant, you are required to provide suggestions for maximizing performance efficiency on dual Site-to-Site VPN links along with resiliency.
What configuration will provide the performance efficiency required for this application?
Configure ECMP on each VPN connection terminating on AWS Transit Gateway. Advertise different specific routes (10.20.30.0/25 & 10.20.30.128/25) on each VPN link along with summarised routes (10.20.30.0/24) over BGP peering.
A company uses hybrid connectivity from an on-premises location to AWS using AWS Direct Connect & terminates on AWS Transit Gateway. Nodes at on-premises access application deployed on Amazon EC2 instance in multiple VPCs. Amazon EC2 network instance workload shares the same subnet with that of AWS Transit gateway association. During the Security audit, it was found that Network ACLs are missing & needs to apply immediately to meet security compliance. You have been assigned to configure Network ACL on these subnets.
How can network ACLs be configured for traffic flowing from the Amazon EC2 instance to the Transit gateway?
Create outbound rules which use a destination IP address for evaluation while inbound rules use a source IP address for evaluation.
An IT firm has created VPC A & VPC B which are associated with AWS Transit Gateway. Recently they have deployed a new shared services VPC C with a third-party security appliance and associated with a transit gateway. All traffic from VPC A & VPC B must be routed to a security appliance in VPC C for security inspection before it is forwarded to the destination. VPC C has two subnets, one for the Transit gateway and the other for appliances. Routing for AWS Transit Gateway is done & IT team is looking for your suggestions for creating routing entries in VPC A, VPC B, and VPC C.
How do route tables in VPC A, VPC B, and VPC C need to be set up to meet this requirement?
Create a route table in both VPC A & VPC B having a default route pointing to the Transit gateway. For VPC C, in the transit gateway subnet, create a default route with the target as an appliance in the appliance subnet. For VPC C, in the appliance subnet, create a default route pointing to the Transit gateway. For VPC attachments in shared services VPC, enable appliance mode.
A media company uses a single Network Load Balancer (NLB) to load balance traffic per availability zone to backend applications running on Amazon ECS. Amazon ECS Containers are placed in 3 Availability Zones accessing applications deployed in the same account across these 3 Availability Zones. It has been observed that containers are accessing applications deployed in other Availability Zone leading to high latency and high cost.
Whar solution can be implemented to enable containers to access applications from the local Availability Zone?
Append the availability zone name to the NLB DNS name which will resolve to the IP address of the NLB local node.
A State University has two VPCs - “service consumer VPC” and “service provider VPC”. It has deployed e-learning educational courses on Amazon EC2 instances in a service consumer VPC. These courses are accessed by global users via the Internet Gateway attached to this VPC. To strengthen the security of these media, they have deployed a security appliance & Gateway Load Balancer in the service provider VPC.
The Gateway Load Balancer endpoint is created in the service consumer VPC. The Amazon EC2 instance is part of the application server subnet while the Gateway endpoint is part of the Gateway Load Balancer endpoint subnet. All traffic flow to and from the Internet via the Internet Gateway from the service consumer VPC should be flowing via the security appliance in the security provider VPC where the traffic will be intercepted to identify any malware or security breaches.
The IT Team from this university is looking for your suggestions for configuring routing tables at the Internet gateway, Service consumer VPC & in the Gateway Load Balancer endpoint subnet.
What is the correct route table entries that need to be configured?
1) In the Internet Gateway route table, for the destination as application servers subnet target should be the Gateway Load Balancer endpoint.
2) In the Application server subnet, the default route should be added with Target as the Gateway Load Balancer endpoint.
3) In the Gateway Load Balancer endpoint subnet, the default route should be added with Target as the Internet gateway.
n engineering firm has deployed dual AWS Direct Connect links from an on-premises location to AWS Cloud. These links terminate on AWS Transit Gateway using a transit virtual interface accessing multiple VPCs. For outgoing traffic from on-premises to AWS, they are preferring primary AWS Direct Connect link. Still, traffic from AWS to on-premises is getting load balanced across both primary & secondary links. The IT Team from this firm requires return traffic to prefer the primary link instead of getting load balance across both links.
What BGP communities can be added to meet this requirement?
Apply local preference BGP community tag as 7224:7300 to the primary virtual interface & local preference BGP community tag as 7224:7100 to the secondary virtual interface.
A company has deployed a new application in AWS Cloud. The peak requirement for this application would be 2 Gbps. The company plans to use AWS Direct Connect for this requirement To access this application from an on-premises location. Connectivity should be fully resilient with proper backup solutions in place For this critical application. Any outage in the links will lead to a huge financial impact on the company.
What solution can be implemented to provide maximum resiliency for critical applications without any performance degradation?
Create a new 2 GB AWS Direct link with links terminating at two AWS Direct Connect locations on two different routers.
A healthcare company is setting hybrid connectivity using AWS Direct Connect between on-premises locations and the AWS cloud. They are looking for securing all types of data including control plane traffic flowing over this link. The proposed solution should not impact data speed for the traffic.
What encryption solution is best suited to meet this requirement?
Use MACsec with AWS Direct Connect.
An insurance company is planning to set up hybrid connectivity between on-premises locations & AWS. To establish this connectivity, the company has procured a 500 Mbps hosted connection from the AWS Direct Connect partner. Multiple VPCs created in different regions need to be accessed from a single on-premises location.
What solution can be designed to implement this connectivity in the most simple way?
Create a transit virtual interface to Direct Connect Gateway and terminate it to multiple AWS Transit Gateways in multiple regions which have VPC attachments to their respective VPCs in different regions.
A company has deployed an AWS CloudFront distribution with AWS Application Load Balancer as the origin. AWS Application Load Balancer further distributes traffic to Amazon EC2 instances deployed in multiple availability zones. The operations team monitoring this traffic observes that some of the user sessions are directly terminating on the Application Load balancer instead of via AWS CloudFront. This leads to additional load on Application Load Balancer.
What action can be initiated to overcome this problem?
Add custom headers in Amazon CloudFront & configure ALB to forward requests containing only custom headers to the EC2 Instance.
A streaming provider uses Amazon CloudFront to distribute content to users across the globe. The marketing team is looking for users’ physical locations to get the popularity of the content region-wise. The application team has suggested performing HTTP header manipulation by adding HTTP header True-Client-IP to the viewer request. As an AWS expert, you have been assigned to create a function for this requirement & deploy it at the Amazon CloudFront.
Which functions can be configured at CloudFront to get these details?
Use CloudFront functions & execute at the edge location.
An IT firm plans to deploy a new application that works on IPv6 addresses. A VPC with IPv4 address is already created with an Amazon EC2 instance deployed. For securing Amazon EC2 instances, security group & custom network ACL are configured. As a Network design lead, you have been asked to work on existing VPC to support IPv6.
What steps can be performed to have an existing VPC with IPv4 addressing migrated to IPv6 addressing?
Associate an IPv6 CIDR block to VPC & subnets. Update Route tables & security group rules to include IPv6 addresses. Manually add IPv6 subnets in custom network ACL created for IPv4 subnets. Select instance type supporting IPv6 & assign IPv6 to the instance.
An R&D firm has built a new graphics-intensive application that requires a very low latency for better performance. Users will be accessing this application from an on-premises location. The firm has already deployed services in the AWS cloud. All services deployed in the data center will gradually be moved to AWS Cloud. This application will be using Amazon S3 for storage which should be accessible with optimum latency.
Which solution can be implemented to meet this requirement?
Extend subnets from parent AWS VPC to AWS Local Zone. Deploy the application in the AWS Local Zone. Access Amazon S3 privately over AWS Private network.
An IT firm has deployed Kubernetes clusters using Amazon Elastic Kubernetes Service (Amazon EKS). These clusters are deployed in multiple member accounts which are part of AWS Organisation. They are using Amazon GuardDuty for monitoring security in all accounts. The Security Team is looking for the suspicious activity being carried out in Amazon EKS.
What steps can be taken to check GuardDuty findings from this Elastic Kubernetes Service (Amazon EKS)?
Enable Kubernetes protection for all member accounts in an Organisation using GuardDuty delegated administrators accounts. Retrieve GuardDuty findings through Amazon CloudWatch events.
A start-up firm has deployed application servers in multiple VPCs created in the same region. There would be low bandwidth intermittent sync traffic between these servers and existing servers at on-premises data centers. You have been assigned to deploy low-cost quick solutions to establish this connectivity with the least admin work.
Which solution can be suggested to meet this requirement?
Create a single AWS Managed VPN connection terminating on AWS Transit Gateway attached to multiple VPCs.
A finance company has deployed new application servers in multiple VPCs across multiple availability zones. These servers will be used for critical financial transactions. The security team is concerned about the DNS exfiltration of data moving out of the VPC. As an AWS expert, you have to propose a data filtering solution that will help in preventing this issue.
What can be set up to filter this traffic?
Use Route 53 Resolver DNS Firewall to filter outbound traffic from the VPC.
An engineering firm has hybrid connectivity between on-premises data center & AWS using AWS Direct Connect terminating on Amazon Transit gateway. Amazon EC2 instances are deployed in VPC across multiple availability zones. Interface VPC endpoints are created to establish connectivity from the Amazon EC2 instance to Amazon Kinesis Streams. New servers are deployed at on-premises data centers that require communication with Amazon Kinesis Streams via interface VPC endpoint. As an AWS consultant, you have been assigned to design Amazon Route 53 resolver to establish this connectivity over existing Hybrid connectivity.
What design can be used to achieve this?
Disable Private DNS name for VPC endpoint. Create an Amazon Route 53 private Zone using Alias record pointing to full service VPC endpoint name. Create an inbound Route 53 resolver endpoint in the same VPC as that of the VPC endpoint. Create conditional forward in the on-premises DNS server for the service name which will point to inbound Route 53 Resolver endpoint IP addresses.
A Company has created a VPC with multiple CIDR blocks for deploying applications. The company is using Hybrid connectivity from on-premises locations using AWS Direct Connect. DNS servers are deployed at on-premises locations. Multiple domains are created on-premises which will need access from all VPCs.
What configuration can be done to meet this requirement?
Create an outbound endpoint from each VPC. Create separate rules for each domain & associate them with the VPC which will be forwarding queries to the DNS servers deployed at on-premises.
A company has recently deployed new web applications on Amazon EC2 instances in multiple availability zones with IPv6 addresses. The company is using a third-party DNS provider & needs to point their zone apex record example.com to the Amazon EC2 DNS name. Third-party DNS Providers do not support alias records. Web applications need to be securely accessed globally by a large number of users.
What design pattern can be implemented to meet this requirement in the most cost-effective way?
Create a Network Load balancer in each AZ. Create AAAA records for the zone apex pointing to this Network Load Balancer which will, in turn, point traffic to Amazon EC2 instances in each AZ.
A company has created VPC peering between VPC A in the us-east-1 region and VPC B in the us-west-1 region. A large number of Amazon EC2 instances are launched in both VPCs. For inter-VPC communication, a secondary private IPv4 address assigned to the network interface is used. Operations Head is looking for top-talker instances generating traffic within these VPCs.
What actions can be initiated to get these details in the simplest way?
Create a flow log with the pkt-dstaddr field. Create a bucket in Amazon S3. Publish flow logs to this bucket. Use Amazon Athena to point logs in Amazon S3 and query the logs to get a list of top-talker instances.
A global IT company has deployed its applications in the AWS cloud. Remote workers of this company are accessing Amazon workspaces deployed in a private subnet of the VPC. Internet access to Amazon Workspaces is provided via NAT Gateway attached to this VPC. The security head had been instructed to keep the company’s vulnerability to attack from the outside world by reducing it’s attack surface to the minimum.. The solution deployed should be scalable and highly available and there should not be any impact on users accessing remotely.
What can be configured to meet security requirements?
Configure Network Firewall.
A global pharma company uses Software-defined Wide Area Network (SD-WAN) to connect its global data center with all branch offices globally over the public internet. Recently they have deployed applications in AWS cloud at the eu-west-2 region. The company is looking for high bandwidth options to connect data centers and branch offices to the AWS cloud. This connectivity should utilize existing SD-WAN infrastructure. The proposed solution should have the least operational cost and be scalable to connect to any other AWS regions in which applications will be deployed in the future.
Set up AWS Transit Gateway with Connect attachment to SD-WAN virtual appliance. Configure BGP peering between these devices over the GRE tunnel.
A global oil company has a head office & data center in New York while branch offices are in Tokyo and Sydney. The company is looking to move some of the applications to the AWS cloud. For application traffic between data centers & AWS, they are looking for a bandwidth capacity of 10 Gbps. At branch locations, 500Mbps bandwidth will be required. Communication should be enabled between the Branch office to Data Centre, Branch Office to AWS VPC in all regions. Communication should not be established between branch offices. Traffic should preferably ride on the AWS backbone for inter-region communication. All the connectivity should be fully resilient.
What design can be recommended to meet these requirements?
Create 2x 10Gbps AWS Direct Connect Links between data center & AWS using AWS Transit Gateway. Create Accelerated Site-to-Site VPN from branch office to nearest AWS edge location in respective AWS regions. Create Transit Gateway peering between transit gateway in each region. Configure Static routes at each transit gateway in different regions for routing traffic between regions. Configure Transit Gateway route tables to deny communication between branch offices.
An IT firm has deployed three VPCs as VPC A, VPC B, & VPC C. All internet traffic should be forwarded via VPC C. Two subnets are created in VPC C, a private subnet, and a public subnet. NAT Gateway & an Internet Gateway are deployed in the public subnet of VPC C. All VPC A, B, and C are inter-connected via AWS Transit Gateway using private subnets of each VPC.
In VPC A and VPC B, add a default route pointing to Transit Gateway. In Transit Gateway, create a static default 0.0.0.0/0 pointing to VPC C Attachment.
A cloud-based company has created a service provider VPC to share applications with another customer VPC. In Service provider VPC, the application is deployed on Amazon EC2 instance with an Application Load balancer as a front end for load balancing incoming traffic. In customer VPC, a host-based firewall is configured on all Amazon EC2 instances which needs to allow a destination IP pool to complete communication with the application in service provider VPC.
How settings can be configured to ensure communication between the EC2 instance and the application?
Deploy a Network Load Balancer in service provider VPC. Use the Application Load Balancer as a target for Network Load Balancer. Use the Static IP address of the Network Load Balancer to create rules in Firewall.
A start-up firm plans to deploy Application Load Balancer to distribute incoming traffic to multiple Amazon EC2 instance hosting applications. Amazon EC2 instances are configured in a group that has an application configured that caters to specific users based upon the source location. The firm is looking for your guidance in setting up Application Load Balancer to forward traffic from users to specific Amazon EC2 instances.
What suggestion can be provided to forward traffic to EC2 targets conditionally?
Create a listener rule with a condition rule matching http-header.
A Software as a service provider (SaaS) has created a service provider VPC for sharing Amazon Kinesis Data Streams. Users from Customer VPC connect to this service using AWS PrivateLink. To access Kinesis Data Streams, sustained high throughput of 20Gbps is required from each Availability zone.
How can the AWS PrivateLink interface be designed to meet throughput requirements?
Create two interface endpoints using AWS Private link with Private DNS disabled. Create a Private hosted zone in Amazon Route 53 for Kinesis Data Streams and associate it with Consumer VPC. Create a weighted route policy with Alias A records pointing to interface endpoints to distribute traffic on both interface endpoints
A media company plans to store on-premises data to Amazon S3 for backup purposes using Amazon S3 File Gateway. A large amount of data would be transferred from on-premises regularly. Optimal Latency is required for this data transfer. IT Team is looking for scalable and fully resilient connectivity for this data transfer from an on-premises file gateway to Amazon S3.
What connectivity can be designed for this purpose?
Setup an S3 interface endpoint from VPC private subnet. Connect Amazon S3 File Gateway using this interface endpoint to Amazon S3 over AWS Direct Connect links.
A start-up company plans to connect three of its locations to AWS Cloud using AWS Site-to-Site VPN. This connectivity will be established using existing internet connections. All three locations need to communicate with the VPC having subnets in multiple AZs. Additionally, all three locations need to communicate with each other. The company is planning to set up AWS Direct Connect at one of the locations in the near future; the proposed solution should be feasible for this connectivity as well.
How can connectivity be built to meet this requirement?
Create customer gateways with unique BGP ASN at each customer location. Create a Site-to-Site VPN with dynamic routing protocol BGP to a common VGW. Configure the customer gateway devices to advertise a site-specific prefix to the VGW.
An online grocery store has deployed a new application using Amazon RDS as a database. Developers located at on-premises need to access RDS DB instances. Developers might access the database from different locations. Due to a limited budget, they will be using existing internet links for connection to the AWS cloud. Security Head is seeking your advice to develop a security solution for this remote access. Also, the solution needs to be scalable.
What is the most secure way of accessing the Amazon RDS instance from the on-premises location?
Create an AWS Client VPN. Deploy the RDS instance in a private subnet in the VPC. Associate DB instance subnet with AWS Client VPN interface endpoint.
You are working as an AWS Consultant for a global IT company. The company has deployed its application in AWS Cloud across two regions. VPC peering is already configured between VPCs in these two regions. The company has deployed AWS Managed Microsoft Active Directory (AD) in these regions with multi-region replication configured between them. All global remote users need to be authenticated by this active directory before accessing applications in VPC. The company wants to build secure connectivity having optimal latency between global remote users and the active directory. A fully fault-tolerant and scalable solution should be deployed.
What design can be proposed to meet the requirement?
Create a Client VPN endpoint in both regions. Associate AWS Managed Microsoft AD instance with client VPN endpoints in both regions. Create a Route53 public-hosted zone. Create CNAME records pointing to the DNS name of the endpoint with latency-based routing and health checks.
An IT company has created a private hosted zone for a new application launched in VPC A. This application will be accessed from a large number of VPCs across multiple regions. The quality assurance team is looking for the DNS queries made while accessing this application in real-time to troubleshoot application issues related to the DNS.
What can be configured to meet this requirement?
Configure Route 53 Resolver Query Logs. Select the destination for these logs as Amazon Kinesis Data Firehose.
An engineering company uses hybrid connectivity between on-premises locations and the AWS cloud. The IT team has created a privately hosted zone example.com and has associated with the VPC. They have also created an outbound Route53 resolver for example.com, and have related to this VPC. IT Team observes traffic routed to an on-premises network instead of routing based on records in a private hosted zone.
What could be the possible reason for such behavior?
Resolver rules will take precedence over private hosted zones.
Sports Channel is broadcasting a major sports event. For this, the IT team has set up broadcasting using a multi-CDN architecture with Amazon CloudFront and a custom CDN deployed in Europe and Japan. This event will be viewed by viewers across the globe. Origin servers are deployed on Amazon EC2 instances in the us-east-1 region. The IT Team is observing an increase in load on origin servers during this event, due to which origin servers are intermittently becoming non-responsive. For future sports events, the IT team wants proactive measures to maintain the load on origin servers to acceptable levels.
What actions can be initiated to minimize load on origin servers?
Set up CloudFront Origin Shield in the Regional edge cache location of the us-east-1 region.
A government organization uses Amazon CloudFront to distribute content stored in Amazon EC2 instances. Some of this content is private & should not be cached at the CloudFront. When there is a viewer request for this private content, Amazon CloudFront should always retrieve this content from the Origin Amazon EC2 instance. For such content, the deployment team has added a header at the Origin as “Cache-Control: no-cache, no-store”. It is observed that in some cases, when there is a request from viewers for this content and origin servers are not reachable, Amazon CloudFront is distributing cache copies.
What setting can be done at the Origin server end to avoid sharing cache copies from Amazon CloudFront?
At Origin, set headers as Cache-Control: stale-if-error=0
A financial institution has implemented hybrid connectivity using dual dedicated AWS Direct Connect links terminating at two different AWS locations. Link 1 has a bandwidth of 40 Gbps, while Link 2 has a bandwidth of 10 Gbps. The operations team is observing some of the asymmetric traffic flow, in which outbound traffic from AWS to on-premises location flows on Link 1 while incoming traffic to AWS cloud is on Link 2.
Operations Head has instructed you to make all traffic flow symmetric, making Link 1 as the primary link for communication between AWS cloud and on-premises location. Link 2 should be used as a secondary link for all communications.
How can BGP policy be set up at the customer end routers for making Link 1 as the primary link?
In Outbound BGP policy add AS_Path with 3 AS for prefixes advertised on link 2. In inbound policy set the local preference as 300 for prefixes to be preferred on Link 1.
You are working as an AWS consultant for a pharma company. For setting up a new TEST laboratory for R&D, the company plans to build a sub-1 Gig link to AWS. The new link should have a pre-defined SLA and consistent latency. Connectivity should be fully resilient and establish communication with all VPCs created within the organization in the region. Connectivity should be established in the shortest possible timeline.
What connectivity can be proposed to meet their requirement?
AWS Direct Connect Hosted Connection terminating on AWS Transit Gateway
A global oil company has a head office located in London and regional offices in Paris and Sydney. They established hybrid connectivity using dedicated 10 Gbps AWS direct connect connections at all three locations.
A public virtual interface is created to access public AWS services at all these locations. Head-Office requires connectivity to public AWS services across the globe, while regional offices require connectivity to public AWS services for the region in which they are part of. The Head office should accept prefixes of public AWS services from the local continent while the regional office should accept public AWS services prefixes from the local region only. You have been assigned to implement BGP configuration on public virtual interfaces.
How can BGP community tags be attached at all three locations to meet these requirements?
For regional data centers, advertise prefixes with BGP community tag as 7224:9100 and accept prefixes with BGP community tag 7224:8100. For the head office, advertise prefixes with BGP community tag as 7224:9300 and accept all prefixes with BGP community tag as 7224:8200
A global engineering company has two data centers in New York and Tokyo. The company has deployed application servers on Amazon EC2 instances in VPC created at four different AWS regions. You have been engaged in designing connectivity between these data centers and VPC. All VPCs should be able to communicate with all other VPCs as well as with both the data centers. The proposed connectivity should integrate data centers with any new AWS region in which the application will be deployed in the future.
Which design can be proposed to provide full resiliency?
Set up dual Direct Connect links terminating on two different Direct Connect Gateway from each Data Centre. Connect one Direct Connect gateway to three AWS Transit Gateways attached in three separate regions while another Direct Connect gateway to one Transit gateway attached to one region. Configure full mesh peering between four Transit Gateways created in each of the four regions.
A pharma company is building hybrid connectivity between an on-premises location and the AWS cloud. This connectivity will be used by a critical application to access data from Amazon EC2 instances in multiple VPCs. The project team has configured a dual Site-to-Site VPN terminating on an AWS Transit Gateway with VPN dead peer detection for resiliency. After the deployment, the application team raises concerns about the application performance on Site-to-Site VPN links. On-premises location is using IPCIDR block of 10.20.30.0/24. As a consultant, you are required to provide suggestions for maximizing performance efficiency on dual Site-to-Site VPN links along with resiliency.
What additional configurations will provide the performance efficiency required for this application?
Configure ECMP on each VPN connection terminating on AWS Transit Gateway. Advertise different specific routes (10.20.30.0/25 & 10.20.30.128/25) on each VPN link along with summarised routes (10.20.30.0/24) over BGP peering.
A company uses hybrid connectivity from an on-premises location to AWS using AWS Direct Connect & terminates on AWS Transit Gateway. Nodes at on-premises access application deployed on Amazon EC2 instance in multiple VPCs. Amazon EC2 network instance workload shares the same subnet with that of AWS Transit gateway association. During the Security audit, it was found that Network ACLs are missing & needs to apply immediately to meet security compliance. You have been assigned to configure Network ACL on these subnets.
How can network ACLs be configured for traffic flowing from the Amazon EC2 instance to the Transit gateway?
Create outbound rules which use a destination IP address for evaluation while inbound rules use a source IP address for evaluation.
An IT firm has created VPC A & VPC B which are associated with AWS Transit Gateway. Recently they have deployed a new shared services VPC C with a third-party security appliance and associated with a transit gateway. All traffic from VPC A & VPC B must be routed to a security appliance in VPC C for security inspection before it is forwarded to the destination. VPC C has two subnets, one for the Transit gateway and the other for appliances. Routing for AWS Transit Gateway is done & IT team is looking for your suggestions for creating routing entries in VPC A, VPC B, and VPC C.
How do route tables in VPC A, VPC B, and VPC C need to be set up to meet this requirement?
Create a route table in both VPC A & VPC B having a default route pointing to the Transit gateway. For VPC C, in the transit gateway subnet, create a default route with the target as an appliance in the appliance subnet. For VPC C, in the appliance subnet, create a default route pointing to the Transit gateway. For VPC attachments in shared services VPC, enable appliance mode.
A State University has two VPCs - “service consumer VPC” and “service provider VPC”. It has deployed e-learning educational courses on Amazon EC2 instances in a service consumer VPC. These courses are accessed by global users via the Internet Gateway attached to this VPC. To strengthen the security of these media, they have deployed a security appliance & Gateway Load Balancer in the service provider VPC.
The Gateway Load Balancer endpoint is created in the service consumer VPC. The Amazon EC2 instance is part of the application server subnet while the Gateway endpoint is part of the Gateway Load Balancer endpoint subnet. All traffic flow to and from the Internet via the Internet Gateway from the service consumer VPC should be flowing via the security appliance in the security provider VPC where the traffic will be intercepted to identify any malware or security breaches.
The IT Team from this university is looking for your suggestions for configuring routing tables at the Internet gateway, Service consumer VPC & in the Gateway Load Balancer endpoint subnet.
Which of the following are the correct route table entries that need to be configured?
1) In the Internet Gateway route table, for the destination as application servers subnet target should be the Gateway Load Balancer endpoint.
2) In the Application server subnet, the default route should be added with Target as the Gateway Load Balancer endpoint.
3) In the Gateway Load Balancer endpoint subnet, the default route should be added with Target as the Internet gateway.
An engineering firm has deployed dual AWS Direct Connect links from an on-premises location to AWS Cloud. These links terminate on AWS Transit Gateway using a transit virtual interface accessing multiple VPCs. For outgoing traffic from on-premises to AWS, they are preferring primary AWS Direct Connect link. Still, traffic from AWS to on-premises is getting load balanced across both primary & secondary links. The IT Team from this firm requires return traffic to prefer the primary link instead of getting load balance across both links.
What BGP communities can be added to meet this requirement?
Apply local preference BGP community tag as 7224:7300 to the primary virtual interface & local preference BGP community tag as 7224:7100 to the secondary virtual interface.
A large company has deployed a couple of applications in a VPC. Multiple accounts are in place within the company. Account A has created VPC A while account B has created VPC B. A new application will be deployed on an Amazon EC2 instance in VPC A which will communicate with servers in all other VPCs. This instance will be front-ended by a Network Load Balancer. During the POC of the application, all the traffic should be captured and sent to an Amazon EC2 instance launched in VPC B.
What configuration needs to be done to get these packet details?
Enable traffic mirroring from the ENI (Elastic Network Interface) and send mirrored traffic to ENI of the Amazon EC2 instance part of VPC B. Create traffic mirror filter rules to match source and destination CIDR block. Enable VPC peering between VPC A and VPC B.
A company has created multiple AWS accounts for each division, and all these accounts are part of the AWS Organization. Multiple VPCs are created in each of these accounts which host production and non-production environments. A separate VPC is created to launch the NAT gateway, and all internet traffic should flow via this VPC. The company is planning to implement VPC sharing between all these VPCs. The IT team is concerned about the subnets to be planned for the NAT Gateway, and devices to be launched in production and non-production environments in each of the VPC participants.
What is the best practice with respect to subnet sharing?
Dedicated subnets for NAT Gateway. For production environments, dedicated subnets per VPC participants. For non-production environments, shared subnets with many VPC participants.
A financial company has created two subnets A and B in a VPC. They have deployed servers in each of these subnets. The security team needs to inspect traffic flowing between these servers in subnet A and B using a third-party firewall appliance installed on the separate Amazon EC2 instance. You are assigned to configure necessary routing to ensure all traffic between subnet A and subnet B is via firewall appliance.
What changes can be implemented to get this routing done efficiently?
Configure firewall appliance in an Amazon EC2 instance in a separate subnet. Use Middlebox routing wizard to create routing tables.
The IT company has set up three-tier web servers in VPC A and VPC B. For communication between VPCs, they are using the AWS Transit gateway. They have created a Local Zone to deploy application servers closer to end-users. For this, they have created a new subnet in VPC A and extended it to the Local Zone. The project team has additional requirements to connect subnets in the Local Zone to subnets in VPC B.
What configuration can be done to establish this connectivity?
Create a Transit gateway attachment for VPC A and VPC B using parent Availability Zone subnets. In each VPC, add an entry in the routing table for the destination as another VPC CIDR with the target as the network interface id of the transit gateway attachment.
A media company is using Amazon CloudFront for distributing content to global users. Recently they have launched a new content for which the Quality Analysis team is looking for requests made to the distribution to analyze responses. The Quality Analysis team is specifically looking for the total number of bytes sent to the viewers in response to the request. These requests should be logged as soon as the requests are received from the users.
Which steps can be initiated to get the required logs?
Create a real-time log matching sc-bytes and send the logs to data streams in the Amazon Kinesis Data Streams.
An online sports network has deployed an application for sharing sports media on an Amazon EC2 instance in the eu-west-2 (London) region. Amazon CloudFront will be used to distribute this content to global users. The IT team plans to use a custom domain name for this distribution. During testing, users are getting domain-name-related certificate warnings. As an AWS SME, you have been assigned to work on the resolution of this warning.
Which additional settings can be proposed to provide resolution?
Request a public SSL/TLS certificate from AWS Certificate Manager in the US east (N. Virginia) region.
Import an SSL/TLS certificate with a key length less than 2048 bits into AWS Certificate Manager in the US east (N. Virginia) region.
n online streaming service provider has deployed a new set of origin servers behind an Amazon CloudFront. Before going to production, the IT Head is looking for a performance test to ensure end-users get better performance while viewing. Tests should ensure that no lag is observed for large scale global users concurrently accessing the content in the production environment.
What testing methodology can be used to test performance?
Clients should send requests from multiple geographical regions
Clients should make an independent DNS request
A large company is planning to deploy applications in separate VPCs. Each of these applications is accessed by global users via internet connectivity. The IT Head is looking for a solution to provide secure internet connectivity to all these applications with optimum cost and the least management. The proposed solution should allow only HTTP traffic from the internet, and all other traffic should be dropped. Few of the VPCs created have overlapping CIDR ranges. The proposed solution should be scalable with a large number of VPCs created in this account.
What solution can be designed to meet this requirement?
Create a separate VPC as “Internet VPC” with Internet gateway and Application Load Balancer. Deploy applications in all other VPCs with Network Load Balancer as the front end. Configure AWS PrivateLink interface in Internet VPC and provide internet access to applications via PrivateLink.
A Start-up firm is using an internet-facing application deployed in a VPC. The company uses a Gateway Load Balancer to forward all inbound internet traffic to a pair of firewalls for intrusion detection. It is observed that TCP flow is getting disconnected, and a new session flow is created to different firewalls. Due to this, intermittent timeouts are observed at the client end. Further analysis found that sessions are getting disconnected from Gateway Load Balancer. As an AWS consultant, you have been assigned to analyze the flow and suggest timers for the TCP flow.
What timers can be set to ensure flow is not removed from Gateway Load Balancer?
Set the firewall keep-alive timers to less than 350 seconds.
An IT company has deployed application servers on Amazon EC2 instances in multiple VPCs. A third-party firewall appliance is deployed in a separate VPC. All Traffic between source and destination Amazon EC2 instance is transparently forwarded to this appliance via Gateway Load balancer endpoint. Firewall Appliance and the Gateway Load balancer use Geneve protocol for traffic exchange. The Operations Team is concerned with the health checks between the Gateway Load Balancer and the appliance.
Which of the following settings will ensure the appliance successfully responds to the health checks from the Gateway load Balancer?
Respond to TCP/HTTP/HTTPS health checks from Gateway Load Balancer by finishing these checks within timeouts.
An IT company has set up a hybrid connectivity between AWS cloud and data center. They have set up a Route 53 private hosted zone in the AWS and have an existing DNS server in the data center. Route 53 resolver endpoint is configured to forward all queries for the domain example.com to the DNS server in the data center. Recently they have created a subdomain test.example.com in the AWS cloud. Queries for this subdomain to be resolved by the resolver and should not be forwarded to the DNS server in the data center.
What rules can be configured to get DNS resolution as per requirement?
Create a System rule and specify test.example.com
A company uses hybrid connectivity between data centers and AWS using AWS Direct Connect. The DNS server in the data center is forwarding DNS queries to VPC using an inbound Resolver endpoint. A new application will be deployed in the VPC. The operations team expects high growth in DNS queries due to deploying a new application in the VPC.
Which additional configuration can be done proactively to ensure DNS queries are successfully resolved?
Add more IP addresses to the inbound Resolver endpoint in a different Availability Zone.
A company has created a shared-services VPC for centralized DNS management. IT Team has created private hosted zones in this shared services VPC. Applications are deployed in different Spoke VPCs. Private hosted zone in shared-services VPC needs to be resolved across multiple accounts created in Spoke VPCs. The proposed solution should also be valid for forwarding DNS queries from on-premises to the shared service VPC in the near future.
What connectivity can be proposed to meet this requirement in the most cost-effective manner?
Establish network connectivity between shared services VPC and Spoke VPC using AWS Transit Gateway. Share the private hosted zone between accounts and associate with the Spoke VPC that needs resolution.
A start-up company is planning to use Amazon Route 53 as a DNS for applications in AWS Cloud Infrastructure. Applications will be deployed in multiple regions catering to local users in each region. While setting Route 53 route policies, the IT team should ensure that queries are responded based on the user’s location so that users can access applications from the nearest region. Route policy should respond to the queries in a stable and predictable way. The IT head needs you to ensure customers do not receive “no answer response” from Route 53.
What settings can be implemented to get this resolution in the desired way?
Create a Geolocation routing policy. Create a default policy for queries not mapped to any location.
A large engineering firm plans to deploy HPC applications in the AWS cloud for its R&D work. HPC applications will be deployed on Linux-based Amazon EC2 instances. All these instances will be launched in a single subnet of the VPC. Traffic between these instances should have the lowest latency without any impact on the network performance.
Which deployment option will provide optimum performance for HPC applications?
Enable enhanced networking on Amazon EC2 instance Elastic Fabric Adaptor (EFA). Place all Amazon EC2 instances in a cluster placement group.
A financial company has created hybrid connectivity using AWS Direct Connect connections. The company uses Direct Connect Gateway with a virtual private gateway to connect different VPCs created in multiple regions. For this, they have created a private virtual interface with dedicated Direct Connect connections. They are looking for VPC to VPC communication along with VPC to on-premises communication using the existing setup. This connectivity should support communication with all future VPCs created in multiple regions.
What configuration changes will be required to establish this connectivity?
Remove the association between Direct Connect gateway and virtual private gateway. Create a new transit virtual interface and associate Transit Gateway in each region with AWS Direct Connect Gateway using a unique BGP ASN for each Transit gateway.
A large company is using multiprotocol label switching (MPLS) to connect branch locations across the globe to its data center. They have created multiple VPCs in the AWS cloud and are looking to use existing MPLS connectivity to connect all branches to these VPCs. In the future, the company is planning to expand its presence in the AWS cloud by deploying applications in multiple VPCs. The company requires full control of network configuration and configuration should be less dependent on the MPLS service provider.
Which option can be implemented to establish a highly available fault-tolerant connectivity?
Deploy an MPLS device collocated at the AWS Direct Connect Location and an AWS Direct Connect link to the Direct Connect gateway connecting to multiple VPCs.
A customer is using AWS Client VPN for accessing resources in VPC A from an on-premises network. They are using a split-tunnel Client VPN. Recently, the IT team has created a new VPC B for different applications and established VPC peering between VPC A and VPC B. Users from on-premises can communicate with resources in VPC A but cannot establish connectivity with applications in VPC B.
What changes must be implemented in Client VPN to enable clients to communicate with subnets in peered VPC B?
Modify the Client VPN endpoint route table to add a route for peered VPC CIDR range. Reset the VPN connection so that new routes are sent to the client.
A start-up company has implemented hybrid connectivity between on-premises location and a single AWS VPC using Site-to-Site VPN. Due to the deployment of critical applications in the AWS cloud, they are looking to build redundancy to avoid any failure in connectivity. While implementing this connectivity, there should not be any single point of failure in the end-to-end path. Since there is a financial impact with failure in the application, there are no cost constraints for building additional connectivity.
What can be implemented to ensure end-to-end resiliency for this connectivity?
Setup a second Site-to-Site VPN on the same VGW. Deploy a new customer gateway at on-premises. Advertise on-premises prefixes from both on-premises devices.
A start-up firm is looking to establish hybrid connectivity from its datacenter to AWS Cloud. VPC A, VPC B, and VPC C are created in the AWS cloud. From the data center, communication should be established with servers deployed in all these VPCs. While setting the connectivity, redundancy and least management overhead should be considered. The proposed connectivity should be scalable and should also incur the least operational cost. In a normal scenario, end-to-end traffic should flow only on one of the redundant links.
Which solution can be designed to meet this requirement?
Setup two IPsec VPN tunnels from two customer gateway routers to the AWS Transit gateway. Create VPC attachments between all the VPCs and the Transit Gateway. Configure BGP routing to prefer one IPsec VPN tunnel over another.
A share broking firm is developing a couple of applications for trading. One application will be for share price ticker while the other application will be used for trading. Both these applications will be hosted on Amazon EC2 nitro instance and need multicast support. Recipients of these applications will be a separate ENI (Elastic Network Interface) of instances deployed in the different VPCs. The recipient should only receive multicast traffic from the group to which it has joined. These instances will be part of multiple VPCs created within a region, and inter-VPC communication will be established using AWS Transit Gateway.
What configuration changes will be required for the application deployment in the VPC and on the Transit gateway for the multicast support?
Create applications in two separate subnets of the VPC CIDR range. Associate both subnets to two different multicast domains created within a transit gateway. Create two different Multicast groups within the Transit gateway.
A global company has created VPCs in multiple regions for deploying applications. They are looking to integrate all these applications to provide scalable solutions to global users. Connectivity should use AWS-managed network infrastructure and should not traverse over the public internet. It should be scalable and support an additional large number of VPCs created in multiple regions.
Which of the following suits the company’s needs the best?
Connect multiple VPCs to AWS Transit Gateway. Use AWS Transit Gateway peering between Transit Gateway in each region.
A company has created multiple accounts as part of an AWS Organization. Each account has multiple VPCs created for deploying applications that are accessed from the Internet. Applications are deployed on an Amazon EC2 instance in a private subnet. These instances are front-ended by the Application Load balancer in the public subnet. Internet connectivity is provided by the Internet Gateway attached to each VPC. The Security Team is looking for protecting these applications from bot attacks and exploits such as SQLi/XSS attacks. Security solutions should be scalable and manage application protection for all accounts with least admin work. All the logs captured should be sent in near real-time for further analysis.
What can be deployed to meet these requirements?
Deploy AWS WAF on the Application Load Balancer. Use AWS Firewall Manager to centrally manage and configure WAF rules for all accounts in an AWS Organization. Enable logging for AWS WAF and inject logs to Amazon Kinesis Data Firehose.
Your company has set up an AWS Direct Connect connection with the help of an AWS Partner. The customer gateway is in an on-premises data center. Your operations department needs to be informed whenever the Direct Connect connection is down. How can you achieve this?
Use Cloudwatch metrics to check for the state of the connection
You are trying out an AWS VPN managed connection. You have created the VPN to your on-premises location. You earlier were also using an Internet gateway. You’ve added the VPN connection to your routing table and enabled propagation. Below is the Route table.
Traffic destined for 172.31.0.0/24 will go through the Internet gateway
Your company is planning to create a private hosted zone in AWS. They need to ensure that on-premises devices that are connected to AWS through VPN, can reach the resources defined in the private hosted zone. How can this be achieved, ensuring the least effort is put into setting this up?
Consider using Route53 Inbound Resolver endpoints for resolving DNS requests
You are designing an online shopping application for your company. This application will be running in a VPC on EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application tier must read and write data to a customer managed database cluster. There should be no access to the database from the Internet. But the cluster must be able to obtain software patches from the Internet. Which VPC design meets these requirements completely?
Public subnets for the application tier and NAT Gateway and private subnets for the database cluster
Your management plans to use AWS Cloudfront to speed up the distribution of content to users from an S3 bucket. They are worried about whether users will get the ideal response when they request for objects from Cloudfront. What would you communicate to them as to how users would get content from Cloudfront?
As soon as the first byte arrives from the origin, CloudFront begins to forward the files to the user
Your company has set up a CloudFront distribution. They are using multiple EC2 Instances as the origin. There is a requirement to ensure that cookies can be monitored in the requests. Based on the cookies, different sites can be relayed back to the users. Which of the following would help fulfill this requirement?
Consider using Lambda@Edge
A company currently hosts its architecture in the US region. They need to duplicate that architecture to the European region and extend the application hosted on the existing architecture to the new region. In order to ensure that users across the globe get the same seamless experience from either setup, what needs to be done?
Create a Geolocation Route53 policy to route the traffic based on the location
You’ve set up a set of EC2 Linux-based instances in a placement group. You’ve chosen instances with Enhanced Networking enabled. You want to ensure that maximum amount of the data is sent in the packets that are sent across the network interfaces. How could you achieve this?
Change the MTU setting on the network interface for each instance
You currently manage a set of web servers hosted on EC2 Servers with public IP addresses. These IP addresses are mapped to domain names. There was an urgent maintenance activity that had to be carried out on the servers and the servers had to be stopped and started again. Now the web application hosted on these EC2 Instances is not accessible via the domain names configured earlier. Which of the following could be a reason for this?
The public IP addresses have changed after the instance was stopped and started
You have just recently set up a web and database tier in a VPC and hosted the application. When testing the application, you are not able to reach the home page of the app. You have verified the security groups. What can help you diagnose the issue?
Use VPC Flow logs to diagnose the traffic
Your company is planning to use an EC2 instance for handling voice-related traffic. A custom application will be installed on a Linux-based instance. Which of the following implementation will help to achieve higher bandwidth for the application?
Enable Enhanced networking on the instance
Your team is using applications that are hosted in 2 different regions in AWS. There is also an on-premises network that needs to connect to AWS resources in these regions. It is noticed on the connection that the current MTU is 1500, and you want to increase the payload size per packet. How can you increase this limit?
Use AWS Direct Connect and route packets between the on-premises network and AWS VPC using Jumbo Frames
You have 2 VPCs, VPC A and VPC B. Both the VPCs have been peered. You have configured the route tables in VPC A so that traffic can flow from VPC A to VPC B. You try to ping an instance in VPC B from VPC A, but are unable to do so. You have confirmed that the NACLs and Security Groups have been configured properly. What could be the reason for this issue?
The route tables in VPC B have not been configured
You have created 3 VPCs, VPC A, VPC B and VPC C. There is a VPC peering connection between VPC A and VPC B and a separate peering connection between VPC B and VPC C. What is true with regards to this VPC peering arrangement?
Instances launched in VPC A can reach instances in VPC C via a proxy instance in VPC B
Your company is planning to deploy an application to AWS. There is a requirement for low latency between the underlying instances that support the application. What you should consider in your design?
Place the instances in a cluster placement group
You work for an organization that has a Direct Connect Connection and a backup VPN connection. This has been set up just recently. After setting it up, the traffic flow still prefers the VPN connection instead of the Direct connection. You have prepended a longer AS_PATH on the VPN connection, but this connection is being preferred even then.
What can be used to ensure the Direct Connect connection is used?
Advertise a less specific prefix on the VPN connection
Your company is currently planning to use Route53 for managing Blue-Green deployments. They have already set up an 80%-20% for a new deployment. How can you ensure to stop sending traffic to the older setup once all testing is complete?
Change the resource record weight of the old deployment to 0
You have a set of instances set up in an AWS VPC. You need to ensure that instances in the VPC receive hostnames from the AWS DNS. You have the ‘enableDnsSupport’ attribute set to true for your VPC. But the instances are still not receiving the hostnames when they are being launched. What could be the underlying issue?
The “enableDnsHostnames” attribute might not have been set to ‘True’
You have set up a Cloudfront distribution in AWS. You want to use the AWS Certificate Manager along with Cloudfront. You are setting up Cloudfront. But you cannot see the ACM certificate that you created at an earlier stage to associate with the distribution. What could be the underlying issue?
You have not uploaded or created the certificate in the right region
Your team has created a cloudformation template. The template consists of a creation of a Virtual private gateway , Customer gateway and a VPN connection based on the created artefacts. The templates sometimes give errors since the routes are not being added because of the missing Virtual private gateway resource. How can you resolve this?
Ensure the route table has a “Depends On” attribute with a value of VGW
You currently have 9 EC2 instances running in a Placement Group. All these 9 instances were initially launched at the same time and seem to be performing as expected. You decide that you need to add 2 new instances of different instance types to the group. However, when you attempt to do this, you receive a ‘capacity error’. Which action will most likely fix this problem?
Replace instances of the same type. Stop and restart the instances in the Placement Group and then try the launch again
Your company hosts an application on AWS EC2 Instance. Currently, the application is experiencing several issues and you need to inspect the network packets to find out the error. What can help to address this issue?
Use a network monitoring tool provided by an AWS partner
You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be resilient. Which options would you consider for configuring the web server infrastructure?
Configure ELB with TCP listeners on TCP/443. And place the Web servers behind it
Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers
An organization is planning to set up a management network on the AWS VPC. The organization is trying to secure the web server on a single EC2 instance of VPC such that it allows internet traffic and back-end management traffic. The organization wants to make it so that the back-end management network interface can only receive SSH traffic from a selected IP range. At the same time, the internet-facing web server will have an IP address that can receive traffic from all the internet IPs.
How can the organization achieve this by running a web server on a single instance?
The organization should create 2 network interfaces, one for the internet traffic and the other for the backend traffic
You have been requested to use CloudFormation to maintain version control and achieve automation for the applications in your organization. The environment will consist of several networking components and application services. What is the best way to design the template?
Create separate templates based on functionality, create nested stacks with CloudFormation
Your team is using a NAT instance on a Linux EC2 Instance. The private subnet has a route added for 0.0.0.0/0 for the NAT instance. This NAT instance is being used to download updates from the Internet for instances in the private subnet. But the IT administrators who are in charge of applying the updates complain of slow response times. What can be done to rectify this issue?
Replace the NAT instance with a NAT gateway
Upgrade the NAT instance to a larger instance type
Your current web application is hosted on a set of EC2 Instances placed behind an Application Load Balancer. All the Security groups and NACLs have been put into place for tight security. What extra measures can be taken to ensure the blocking of DDoS attacks?
Subscribe to AWS Shield Advanced service to use it in front of the Application Load balancer
You have set up an EC2 Instance that hosts a web application. You have set the following rules.
Security Group Rules
Allow Inbound Traffic on port 80 from 0.0.0.0/0
NACL Rules
Allow Inbound Traffic on port 80 from 0.0.0.0/0
Users are complaining that they cannot access the web server. How can you ensure that the issue gets resolved?
Allow Outgoing Traffic on the NACL for ephemeral ports
You’ve set up an EC2 Instance in a VPC. You are trying to ping the instance but are not able to do so. You have verified the following.
a. Internet gateway attached to the VPC
b. Route tables added for the Internet gateway
c. Public IP address assigned to the Instance
You have enabled VPC flow logs and can see a rejection request for the outgoing traffic.
2 123456789111 eni-3456b8ca 54.0.113.12 172.31.16.140 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789111 eni-3456b8ca 172.31.16.140 54.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What can be done to ensure that the ping request will work?
Ensure that the NACL allows outbound ICMP response
You have an EC2 Instance that will act as a custom origin for Cloudfront web distribution. You need to ensure that traffic is encrypted completely in transit. Which of the following step is part of the process to achieve this?
Configure the Viewer protocol policy as Redirect HTTP to HTTPS and Change the Origin Protocol Policy to Match Viewer
A company has set up a set of EC2 Instances behind an Application Load Balancer. There seems to be a barrage of requests from a series of URLs. You need to have these URLs blacklisted. How can you achieve this in an ongoing manner?
Put a WAF in front of the Application Load Balancer
You have created an Application Load Balancer. You need to point your domain names of www.example.com and example.com to the Application Load Balancer. Your Hosted zone is example.com. How can you achieve this?
Create an Alias record, for example.com and point it to the ALB as the target. Create a CNAME record for www.example.com and point it to example.com
You have created a VPC Endpoint for your private subnet to S3. The default endpoint policy is in place. You are trying to access a bucket, but you’re getting an access denied error. What must be done?
Add the VPC Endpoint to the S3 bucket policy
Your company currently has its application contents stored in S3 and hosts an application using AWS Cloudfront, which consists of NGINX web server hosted behind a load balancer. You need to ensure that you restrict access to certain locations for the content hosted on the Web server. How can you accomplish this?
Use the IP addresses in the X-Forwarded-For HTTP header and then restrict content via Cloudfront geo-restrictions
You are planning to set up a VPC with Subnets. The EC2 Instances hosted in the VPC need to get the time from a custom NTP server. How can you accomplish this?
Create a DHCP Options set and provide the NTP server name
You’ve set up a private hosted zone in Route 53. You’ve set up a VPN connection between the AWS VPC and your on-premises network. You need to ensure that you can resolve DNS names from on-premises to the resources records defined in the Private hosted zone. How can you accomplish this?
Configure a DNS forwarder on-premises, which will forward DNS requests to a Route53 Resolver Inbound Endpoint
You have established a VPN connection between your on-premises and an AWS VPC that has one subnet. You also need to ensure that instances in the VPC can reach the Internet. So you have also attached an Internet gateway. How would you set up the route table to ensure that traffic can flow via the VPN and the Internet?
Set up one route table. Add one route of 0.0.0.0/0 to the Internet and one specific prefix route for the Virtual Private gateway. Attach the Route table to the subnet in the VPC
You are planning to set up an AWS VPN managed connection. You have a customer gateway that is behind a NAT device. In such a case, what steps should be taken to ensure proper connectivity?
Use the public IP address of the NAT device
Ensure the on-premises firewall has UDP port 4500 unblocked
Your company needs VPN connectivity to an AWS VPC. There are around 100 mobile devices, 40 remote computers and a site office that needs to connect. How would you achieve this connectivity?
Use AWS Client VPN
Use a custom VPN server to accept connections from mobile and remote computers
You have configured a hosted zone in Route 53. You need to have the ability to see the types of records being requested to the zone. How can you configure this?
Configure Amazon Route 53 logging
You are planning to create a VPC endpoint for your SaaS product hosted in AWS. You will provide this link to a customer who will access the link from their application. The application works on the UDP protocol. You plan to provide the DNS name for the link to them. But the customer is not able to use the link from within their application. What could be the issue?
The service endpoint only works on the TCP protocol
You have created a load balancer in AWS with EC2 Instances behind them. The ELB is serving web traffic to users on the Internet. The Web servers behind the ELB are stateful. Users begin to report intermittent connectivity issues when accessing the website. What can be done to ensure that the issue is resolved?
Enable sticky sessions at the target group level
You have Instances in a private subnet in a VPC. You have provisioned a NAT gateway in a public subnet to allow for instances in the private subnet to communicate with the Internet. You are trying to ping the Elastic IP of the NAT gateway from your workstation, but cannot do so. What can be done to resolve this issue?
This is not possible, since this is how the NAT gateway works
A Global bank has a hybrid network architecture for its banking applications. The client gets authenticated with servers deployed in Bank Data Centre & once authenticated, access banking application servers based in AWS VPC. As per security norms, Client Credit Card transaction traffic should be over an encrypted link. All other traffic between servers in Data Centre & AWS need to have high bandwidth for quick response to client queries. In AWS VPC, a single server processes the minimal Credit card transaction traffic & multiple application servers handling a huge amount of client transactions. There is a separate CIDR range configured for both these servers. As a Solution Architect which of the following solution can be deployed to meet this requirement in the most cost-effective way?
Create an AWS Direct Connect link & VPN link. Route traffic with VPC CIDR range over AWS Direct Connect for all other traffic & specific route of Credit Card servers over VPN for credit card transaction traffic
Your company, with already a WAF configured in place has the following setup in AWS.
a. A set of EC2 Instances hosting a web application
b. An application load balancer placed in front of the EC2 Instances
There seem to be some malicious requests coming from a set of IP addresses. What can be used to protect against these requests?
Use Web ACLs to block the IP addresses
Your team is planning to create a set of instances in a VPC. They need to ensure high network performance for the underlying instances and enhanced communication between the instances. Which of the following steps would you take?
Enable Enhanced Networking for the underlying Instances
Create the Instances in the same Availability Zones and put them in a cluster placement group
Your company is planning to try out AWS Workspaces for 100 users. They want to have a standalone managed directory service along with AWS workspaces. Which of the following would be the ideal option that will have the least administrative overhead and also be cost-effective?
Choose Simple AD to use along with AWS Workspaces
You need to set up EC2 instances inside a VPC. The requirement is also to create a standby interface if any of the EC2 instances do not respond to traffic. How can you achieve this?
Attach a secondary ENI to the Instance
You’re planning to create a VPN connection to 2 VPCs in AWS. You are going to be using the same customer gateway in both cases. These VPCs have overlapping CIDR blocks. What can be done to ensure the routing is done right on the customer side?
Use VRF technology for routing
You have created a NAT gateway to ensure that instances in your private subnet can download updates from the internet. But the instances are still not able to reach the internet even after the gateway has been created. What could be the underlying issues?
The NAT gateway has been created in the private subnet
Your company has set EC2 Instances in a VPC. These Instances have been configured to query an on-premises Data center DNS server. But the Instances are not able to reach the on-premises server. Which of the following could be a reason for this?
The NACLs are blocking outgoing on port 53 for UDP
Your company is planning to use Cloudfront along with S3 as the origin. There is a requirement to serve private content from S3. There is a requirement to ensure that access is restricted for certain individual files. How would you deliver the private content?
Use Signed URLs
You need to have instances created in a VPC which can support network speeds of upto 20 Gbps. Which of the following would be part of your implementation steps?
Create an Instance from an Instance type that supports Enhanced Networking
Enable Enhanced Networking if not already done
Your company currently has VPCs located in us-west and us-east. The company has an AWS Direct Connect connection in the US East region. They want to have the ability to extend the connection to the us-west. They also need to minimize time and effort to have this in place. What two things you need here to satisfy the above requirement?
Make use of the Direct Connect gateway
Create a private VIF using the current connection
You have a RESTful service that your company develops. You want to provide secure access to this service to multiple clients within the same region in AWS. The service is hosted in a private subnet in one of your VPCs. How can you accomplish this?
Create a VPC Interface Endpoint that connects to the company’s endpoint service
You’re working as a consultant for a company that has a three-tier application. The application layer of this architecture sends over 20Gbps of data during peak hours to and from Amazon S3. Currently, you’re running two NAT gateways in two subnets to transfer the data from your private application layer to Amazon S3. You will also need to ensure that the instances receive software patches from a third-party repository without leaving the AWS network. What architecture changes should be made, if any?
Add a VPC endpoint
Your on-premises network has an IP address range of 10.55.0.0/16. You have been allocated an address range of 10.25.253.0/24 for the AWS Cloud. You need to design the VPC and ensure communication between the VPC and your on-premises network. You need to ensure a proper setup is configured at the customer end. How would you accomplish this?
Set up a VPC with an address range of 10.25.253.0/24
Establish a VPN connection using your customer gateway. Ensure a route is present in your on-premises router to route traffic via the customer gateway
You’re trying to do some housekeeping and delete some unwanted interfaces. You try to delete an interface manually that has the following information.
{
“Status”: “in-use”,
…
“Description”: “VPC Endpoint Interface vpce-08233123488812123”,
“NetworkInterfaceId”: “eni-c8fbc27e”,
“VpcId”: “vpc-1a2b3c4d”,
“PrivateIpAddresses”: [
{
“PrivateDnsName”: “ip-20-0-2-227.ec2.internal”,
“Primary”: true,
“PrivateIpAddress”: “20.0.2.227”
}
],
“RequesterManaged”: true,
…
}
But you are not able to delete the interface. What is the reason that you cannot delete the interface?
It’s because it is a requester managed interface
You have a collection of assets stored in an S3 bucket. You want to enable users across the world to access these assets with the least latency. The users must also access the distribution via your company domain name. How can you achieve this?
Create a web based distribution in Cloudfront
Create a resource record in a hosted zone and create an ALIAS record
The project team is deploying resources in AWS Cloud for a new application. For this application, they are deploying Internet gateway and Amazon EC2 instances across multiple Availability zones in a VPC. During the testing phase, the team will deploy different Amazon EC2 instance types. For each instance type, the project team needs to automate the verification of the SSH connectivity from Internet Gateway and need to capture hop-by-hop paths for compliance purposes.
What solution can meet this requirement?
Use Reachability Analyzer by specifying the path for the traffic from source as internet gateway and destination as Amazon EC2 instance. The protocol should be TCP and port 22
A financial institute has deployed applications using Amazon EC2 instances created in multiple VPC’s. For VPC-to-VPC communication, a Transit gateway is deployed. To meet security compliance all the traffic between these applications should be inspected and appropriate filter policies should be applied using the AWS Network firewall.
Which solution will meet these requirements?
Place Network Firewall in a separate VPC called a Security VPC with two subnets in each availability zone. One subnet will be used for Transit Gateway attachment while the other subnet will be used for firewall endpoints. In Transit Gateway, create a separate routing table for each VPC with the default route pointing to Security VPC
An e-commerce company is using Amazon Route 53 for its DNS service. Recently there are recurring complaints with respect to failed resolution and domain not reachable. To perform further analysis of this issue, the Operations team is looking for the logs for this domain.
What can a network engineer do to get these required details?
Configure query logging for the hosted zone in Amazon Route 53 and use Amazon CloudWatch to access query logs
A company has implemented hybrid connectivity between on-premises and AWS. They have set up a DNS server in DNS VPC which has a domain name ‘example.private’ and a DNS Server at on-premises name as ‘onpremexample.private’. Route 53 has forwarding rules to forward DNS queries to on-premises DNS servers using Amazon Route 53 resolver outbound endpoint. Recently the company has created new accounts and configured VPC in these accounts. Resources in the new VPC need to forward queries for ‘onpremexample.private’ to DNS servers at the on-premises location.
Create a private hosted zone in each of the VPCs with a unique subdomain of ‘example.private’
Share the forwarding rules with all the accounts using AWS RAM (Resource Access Manager) and associate it with VPC in each of the accounts
What is AWS Route53 ARC?
Amazon Route 53 Application Recovery Controller (ARC) can help to provide insights whether the application and resources are prepared for recovery and quickly mitigate impairments for multi-AZ or multi-region applications. It provides three capabilities.
A company has deployed an application having high-volume TCP requests in multiple Availability Zones A and Availability Zones B. Network Load Balancer is used to load balance traffic across multiple targets in these Availability Zones. Amazon Route 53 is used to create DNS routing policies to route traffic from Internet users to this application. Recently there was an outage in an Availability Zone due to wrong coding done by the deployment team. To mitigate such issues, Management is looking for a solution to quickly shift traffic to another Availability Zone. The solution should prefer automated settings instead of any additional configuration changes.
Which solution will meet this requirement?
Start a zonal shift for the Network Load balancer and turn OFF cross-zone load balancing
A large company has deployed a critical application on Amazon EC2 instances front-ended by Application Load balancer. All the Amazon EC2 instances are of varying instance types with different processing capabilities. Customers accessing this application are complaining of delayed response time intermittently. Further analysis shows that TargetResponseTime metrics in the CloudWatch are showing high average values. The company is looking at the resolution of the issue.
Which solution will help to resolve this issue?
Specify Least outstanding requests routing algorithm for the ALB
A company has established connectivity between third-party SD-WAN appliance and Transit Gateway using Connect Attachment over GRE tunnels. Using this connectivity, servers at on-premises can access applications deployed in multiple VPCs. Recently the application was upgraded to support IPv6 traffic. Project Team is looking for changes in the Connect Attachments which will be required to support IPv6 traffic from SD-WAN appliance to the Transit Gateway.
Which solution can a network engineer implement to meet this requirement?
Configure IPv4 BGP peering session with MP-BGP over GRE tunnel
A company has recently deployed a SD-WAN appliance at on-premises Site office. Team needs to have connectivity from this appliance to resources deployed in VPC A and VPC B in AWS Cloud. There is an existing Direct Connect connection from on-premises and VPC to VPC communication is established using Transit Gateway. SD-WAN appliance only supports GRE (Generic Routing Encapsulation). High amount of traffic is expected from this appliance towards VPC, and maximum throughput is required.
Which solution will meet these requirements?
For Site office, create a connect attachment over the Direct Connect attachment. Create multiple Connect peers on this attachment. Create BGP peers over these peers and advertise prefixes across all the Connect peers
An e-commerce company is migrating its on-premises application to AWS. The project team has set up dual AWS Direct Connect connections with 4x 10 Gig links in a LAG towards two Direct Connect locations. Both these connections are configured in an active passive state. Operations Team is observing congestion whenever multiple links in a primary connection are down in a LAG. This is impacting application performance and should be resolved in the most cost-effective way.
How can a network engineer resolve this issue?
Set the operational connection value for the LAG on the primary connection to three
A start-up firm is planning to set up a hybrid connectivity to migrate applications to AWS Cloud. They will deploy a 500 Mb AWS Direct Connect hosted connection for this requirement. On this new connectivity, a private virtual interface will be configured to access resources in VPC from on-premises. The project team is looking for your support to initiate this request and allocate VLAN for the private virtual interface.
How should a network engineer raise a request for these requirements?
Accept the connection created by the APN partner from the AWS Direct Connect console. Once Letter of Authorization and Connecting Facility Assignment (LOA-CFA) is available from AWS, download and share it with an APN partner to order cross-connect at the AWS Direct Connect location
For hosted private virtual interfaces, use the VLAN allocated by the AWS Direct Connect Partner
A global airline company uses hybrid connectivity for application servers deployed in high availability mode in both on-premises & VPC. They have created VPC A & VPC B spread across three Availability Zones for deploying multiple servers. The airline IT team is planning to set up a new DNS server at on-premises locations. Servers in both VPC A & VPC B will need to forward queries to new DNS servers. IT Head is looking to implement the least complex solution which can be implemented with ease. As AWS consultants, they are looking for your guidance to implement this solution with the least management overhead & low cost.
Which of the following solutions can be deployed to meet this requirement?
Configure Route 53 Resolver with an outbound endpoint in VPC A & forwarding rules shared with VPC B.
An online educational institute is using Hybrid architecture for its application servers. They use existing DNS servers deployed at on-premises data centers to resolve queries from servers hosted in VPC. Outbound Endpoints are created for this purpose for the entire domain name resolution. A new subdomain is created for testing new training programs. Dev-ops teams do not want on-premise DNS servers to resolve queries for this subdomain, but it should be handled locally within VPC.
Which of the following rules can be configured to use a separate DNS server for a new subdomain?
Create a system rule for the new subdomain.
A tractor manufacturing firm is using SCADA control systems architecture for its manufacturing plants. These systems require low latency to application servers deployed in AWS infrastructure. To meet this requirement, they plan to deploy AWS Outposts deploying application servers within their IT facility at manufacturing plants. The firm is seeking your guidance for provisioning AWS Outposts parenting to the nearest AWS region for management traffic & there should be no impact on connectivity from manufacturing plants to other servers deployed in VPC.
Which of the following suggestions will you provide to build this connectivity?
Create a Service Link Path.
Use internet Link to communicate with AWS IP ranges.
Each division within a start-up organization has a separate account & has created a separate VPC for deploying its servers. They have a regional office having existing internet links over which they are planning to access these servers for management purposes. All servers between these VPC need to have connectivity established between them. The CTO of this fastest growing startup is looking for a fully managed high available & scalable solution considering future growth in the number of VPCs.
Which design approache can be implemented to meet this requirement?
Create a Transit Gateway with all VPC attached to it & create a single VPN connection from the regional office to Transit Gateway.
A media company uses hybrid connectivity to access video editing applications deployed on EC2 instances launched in custom VPC in the us-west-1 region. Employees access these applications for uploading live production videos. Recently there are complaints of high latency while accessing these applications from employees. The company has decided to set up AWS Local Zones to mitigate the latency issue. Project Team deploying AWS Local zones is concerned about the IP address to be used for new EC2 instances in AWS Local Zones.
What is recommended for IP address assignment for EC2 instances in AWS Local Zones?
Enable Local Zone in us-west-1 region. Create a new subnet from an existing VPC in the parent region. Assign this subnet to AWS Local Zones. Assign an IP address for an EC2 instance in AWS Local Zones from this subnet.
A large electrical appliance firm is using AWS Cloud infrastructure for deploying application servers. It has created 3 VPC R&D, VPC Production & VPC IT. VPC IT has shared services servers deployed which need to have communication with servers in all three VPC. As per corporate guidelines, VPC R&D & VPC Production should be able to communicate with VPC IT, but there should not be any communication between VPC R&D & VPC Production. To support future demand in the number of VPC, the Transit gateway is deployed to have communication between these VPC.
What route table configuration on Transit Gateway will you design to meet this requirement?
Create Two Routing tables in Transit Gateway. Associate VPC R&D, VPC Production attachments to the route table having routes propagated from VPC IT. Associate VPC IT attachments with route tables having propagated routes from VPC R&D & VPC Production.
A global telecom firm is planning to launch a new application for its premium customers. This application requires ultra-low latency to EC2 application servers hosted in AWS cloud infrastructure. All application data need to be uploaded to Database servers with optimum latency. IT Head is concerned for the end-to-end connectivity from mobile users to the application servers. As an AWS Consultant, you have been instructed to work on a solution to reduce the number of hops & ensure the latency threshold is committed to end-users.
Whiat can be deployed to meet the requirement?
Create an AWS Wavelength zone within the telecom provider facility & launch Amazon EC2 instance within this zone. Deploy Database servers in the parent region connecting to this AWS Wavelength.
A finance institute has deployed its application servers in multiple VPCs created in us-east-1 & us-west-1 regions. Developer Team based at head office are accessing these servers over 10 Gig AWS Direct Connect connections in the us-east-1 region which is attached to the Direct Connect gateway associated with VGW in each VPC. They are planning to launch a new banking application for which they have deployed new servers in additional VPC’s created in us-east-1 & us-west-1 regions. The developer team requires high performance connectivity with new servers from the on-premises location in addition to connectivity to existing servers. Also, servers in all VPC need to have connectivity with each other for data synchronization.
Which of the following designs needs to be implemented to meet this requirement?
Remove the existing association between AWS Direct Connect Gateway & VGW. Connect all VPCs to the Transit Gateway. Create a new association between Transit Gateway & Direct Connect gateway over transit virtual interface.
A media firm has created Sales VPC, Marketing VPC & Media VPC. Media VPC has many servers hosting large size media content uploaded from an on-premises office. Users from on-premises offices also need to have access to Sales VPC & Marketing VPC. Servers in Marketing VPC download media content from Media VPC on a regular basis to create modified content for external clients. Sales VPC should be isolated from Media VPC & Marketing VPC with only need basis specific subnets to access these VPCs. The firm is looking for a cost-effective, scalable solution to be deployed.
As an AWS Architect, what will you suggest implementing to meet the requirement?
Create Private VIF over AWS Direct Connect Gateway to Media VPC. Create Transit VIF over another AWS Direct Connect Gateway to connect to Transit Gateway which will have an association with specific subnets from all three VPC. Create a VPC peering between Marketing VPC & Media VPC.
A multinational banking institute is using AWS infrastructure for deploying its application servers. A new application is being developed on a fleet of EC2 servers in VPC spread across multiple AZ & will be having ALB in the front-end. Global users would be accessing this banking application which needs to be highly secure & high-performance. The security team is concerned about the security of this application & needs a new solution to mitigate DDoS attacks.
Which solution will meet the requirement?
Create an internal ALB in a VPC with an internet gateway attached & without any Public IP address assigned to it. Associate ALB as an endpoint in AWS Global Accelerator.
When ALB is used as an endpoint for AWS Global Accelerator, all traffic towards this endpoint flows over AWS Global Accelerator. For this, a public IP address is not required to be assigned to ALB, but an internet gateway is required to be attached to VPC to indicate internet traffic is accepted in this VPC. With Internet traffic flowing only via a single-entry point of AWS Global Accelerator, it will help reduce DDoS attacks.
An IT company is using AWS Infrastructure in the us-west-1 region for deploying application servers across multiple VPC. Recently this company has expanded its geographical presence & acquired two startup firms in the Singapore & Sydney region. Since there is no dedicated bandwidth requirement, a secure VPN connection is established from these offices to VPC in the us-west-1 region to allow users in remote offices to access applications. Users are complaining of slow access to applications which is impacting their work &, in turn, affecting business. The CTO of this company is looking for performance improvement which should enhance remote user experience while accessing these applications.
What solution can be deployed quickly if cost is not a constraint?
Create an attachment from each VPC in the us-west-1 region to AWS Transit Gateway. Delete existing VPN connection from Singapore & Sydney office & create a new VPN Connection with attachments to transit gateway with acceleration enabled.
VPN connections with acceleration enabled use AWS Global Accelerator to improve performance of VPN tunnels. With acceleration enabled, VPN tunnels are formed with static IP address of nearest edge location & from edge location traffic is moved over AWS global backbone infrastructure to reach VPC in the destination region. A transit gateway is required to be created as Accelerated VPN connections only support termination on transit gateway & not on Virtual private gateway.
A company has deployed business critical three tier applications in a VPC having an attached internet gateway. Web tier is part of a public subnet while application and database servers are part of private subnets. To meet security compliance, all forward and reverse traffic between these subnets must pass through a network firewall endpoint deployed in a firewall subnet. Team must ensure there are no asymmetric paths for any resource traffic between private and public subnets.
How can routing be done to meet this requirement?
In the private subnets route table, modify target as Firewall endpoint instead of local for VPC CIDR. In Firewall subnet, use an implicit route table which will have a target as local for VPC CIDR. In the public subnet route table, add a default route towards Internet Gateway and add route for VPC CIDR with target as Firewall endpoint
A company is deploying a new containerised application using Amazon ECS cluster. Amazon ECS cluster will be deployed in a private subnet of the VPC. API Gateway’s HTTP API will be used as a front end for this application. Traffic from the global users should be load balanced across these clusters and multiple tasks from a single service should be allowed per instance in a cluster.
What solution can be designed to meet this requirement?
Create a VPC Link. Setup a private integration with Application Load balancer using this VPC link. Setup an Application Load balancer in front of the Amazon ECS cluster
A VPC link encapsulates traffic between API Gateway and the targeted resource within VPC. HTTP API private integration can use VPC links to allow access to resources in a private subnet. Application Load balancer supports dynamic host port mappings for Amazon ECS. This allows multiple tasks from the same service run on a single container instance. ALB also supports path-based routing enabling multiple services to use the same listener port on a single load balancer.
A financial company has deployed a static web site using Amazon S3 bucket and will be accessed by global users. Amazon CloudFront will be the front end as CDN to the users. Amazon CloudFront distribution is configured for this static web site.Team is looking to set Route 53 for this requirement in a cost-effective way.
What solution can meet this requirement?
Create an alias record in Amazon Route 53 which will point to the CloudFront distribution. In the Amazon CloudFront distribution, specify the domain name as the alternate domain name
Amazon Route 53 can be used to route traffic to an Amazon CloudFront distribution by using custom domain name. For this, an alias record needs to be created which will point to Amazon CloudFront distribution. For alias queries to the Amazon CloudFront, there are no charges involved.
A company has set up a hybrid connectivity between on-premises and AWS using AWS Direct Connect. Applications on premises are hosted in domain example.local and are using a local DNS server. In AWS cloud, applications would be part of a multi-account environment and each account will require management control of the sub-domains created for applications in each account. Company has created a separate account “A” for subdomain aws.example.local and have created resolver endpoints to forward on-premises application queries to on-premises DNS server. Applications in each account should be able to forward DNS queries to on-premises servers.
What solution can be set up with Amazon Route 53 for this requirement in a cost-effective manner?
For applications in each of the accounts, create a separate private host zone in individual accounts. Associate all these PHZs with VPC in the “A” account using cross-account association of Private hosted zone with VPC
For multi-account setup, private host zone (PHZ) can be created in a centralised account for the sub-domains where control is not required for individual accounts.
For sub-domains where individual accounts need management control, PHZs must be created in individual accounts.
For routing DNS queries from these accounts to on-premises DNS servers, PHZ in each account can be associated with VPC in account A using cross-account association of Private Hosted Zones with VPCs. With these associations, overlapping multiple PHZ will be created in account A, and route 53 will route traffic based upon most specific matches in a PHZ.
A company has hosted a website using domain name as example.com using Amazon route 53. Development team is testing a new application in a sub-domain test.example.com and prod.example.com. For these sub-domains, the team requires access rights only for specific users to perform management. Only a few users should be able to make changes in the records created for sub-domain.
What solution can meet this requirement?
Create a new hosted zone for the sub-domain and create a record in this hosted zone. Do not create additional name server (NS) records and start of authority (SOA) records in the hosted zone for the sub-domain and make no changes in NS & SOA records from the hosted zone for the domain
An Enterprise customer has set up a hybrid Active directory solution to support multiple business critical applications. At on-premises, Active Directory server is used while in AWS Cloud, AWS Managed Microsoft AD servers are used. In AWS Cloud, applications are deployed across multiple AWS accounts in separate Availability Zones. Customers are looking for a reliable and scalable DNS solution for AD-aware applications to communicate with each other. The proposed solution should incur least admin work.
What solution can meet this requirement?
Create a Route 53 resolver which will forward DNS queries to on-premises AD servers and AWS Managed Microsoft AD servers
A company needs to migrate Domain name for the website from the current DNS provider to Amazon Route 53. DNSSEC is enabled on the domain name for the current DNS provider. During this activity, the team needs to ensure that least downtime for the website is incurred if any issue arises during migration activity. Team has already created hosted zone and NS records in Amazon Route 53. Team is looking for additional changes for DNSSEC and changes which will result in reducing downtime.
What solution can meet this requirement?
Remove Delegation Signer (DS) record from the parent zone to deactivate DNSSEC
Set lower TTL for the NS record for both existing DNS providers and Route 53
An IT company is planning to deploy low-latency applications in a Local Zone. Application will be deployed on an Amazon EC2 instance having multiple IP addresses assigned. Customers will access this application from the Internet and Application load balancer in a Local Zone will distribute traffic across the multiple network interfaces of different instances. Project Team is looking for your consultation for setting ALB for this scenario.
What solution can be implemented to meet this requirement?
Specify Target Type as IP and ensure all targets are part of the same Local Zone
For Application Load balancer, when a target type is specified as Instance, it will route all incoming traffic to the primary IP address assigned to the instance.
In the above case, since traffic needs to be distributed to multiple network interfaces of the instance, the target type should be IP.
A company is planning to deploy containerized applications using Amazon EKS. Application will be using IPv6 addresses for this application. They have deployed Amazon EKS clusters across multiple Availability zones and all ingress traffic needs to be load balanced across this cluster.
What solution can meet this requirement?
Deploy AWS Load balancer controller in the EKS cluster and use annotation “alb.ingress.kubernetes.io/ip-address-type: dualstack” with traffic mode as IP
To load balance IPv6 traffic for a containerized application deployed in an Amazon EKS cluster following changes are required,
Deploy AWS Load balancer controller in an EKS cluster. It will choose subnets from the multiple Availability Zones.
AWS Load balancer controller supports two traffic modes: default mode as Instance and other as IP. To support IPv6 application traffic, traffic mode should be selected as IP.
To load balance traffic to IPv6 application traffic on the Pods, the following annotation is required,” alb.ingress.kubernetes.io/ip-address-type: dualstack”.
A large company has deployed a hybrid connectivity with head office connecting to AWS using AWS Direct Connect and branch office using AWS Site-to-Site VPN. There are multiple VPC’s created in AWS cloud for deploying multiple critical applications. These VPCs communicate with each other using AWS Transit Gateway. In the near future, there will be additional branch locations for which the company is planning to deploy a third-party SD-WAN appliance in an AWS cloud. Company is looking for seamless integration of this appliance with AWS Transit gateway with high performance and least administrative load. Third-party appliances do not support GRE tunnelling.
Which solution can be designed for this requirement?
Deploy third-party SD-WAN appliances in a separate VPC in AWS cloud. Create an AWS Transit Gateway VPC attachment between third-party SD-WAN appliances and Transit Gateway
A third-party SD-WAN appliance not supporting GRE can be integrated with AWS Transit Gateway using Transit Gateway VPC Attachments. For this appliance needs to be deployed in a separate VPC.
The application team is working on a microservices-based application using AWS Lambda functions. The application will be storing messages in multiple Amazon SQS queues which will be read, and further processed by Lambda functions. AWS Lambda functions should be able to connect to these queues seamlessly and without any complex code changes. The team is looking for an efficient way of passing SQS queues ARN to Lambda functions. What solution can meet this requirement?
Use AWS Cloud Map Service discovery to discover ARN of each SQS queue and call these queues from the Lambda functions using AWS SDK
AWS Cloud Map is a fully managed service discovery tool for the cloud resources and application components. It helps to connect to the correct endpoint of the application components seamlessly without any additional complex changes in the application code. In the above case, AWS Cloud Map can be used to discover ARN of the multiple AWS SQS queues. AWS Lambda function can connect to these ARNs using AWS SDK.
A company is planning to deploy a high-risk business-critical application across multiple accounts in an AWS Organization. This application will be accessed by global users. The Security Head instructed the team to make sure security best practices are followed and the risk surface of the application should be minimized by automatically blocking all unwanted application ports. For new deployments in any AWS account, this security practice should be followed, and any non-compliant rule should be alerted to management. This security policy should not impact other applications for which security will be handled by the individual accounts team. What solution can be implemented for this requirement?
Use AWS Firewall Manager to limit access to only required application ports
A company has established connectivity from on-premises to AWS using AWS Site-to-Site VPN. Two tunnels are set up for redundancy and the Operations team requires notification when any one of the tunnels is down. They will be using in-house monitoring tools to receive these notifications and take further actions. What solution can be used to send these notifications to in-house monitoring tools?
AWS Site-to-Site VPN will automatically send notifications to the AWS Health Dashboard. Use AWS Health API to integrate these notifications with existing in-house management tools to notify the Operations Team
A financial company has deployed an application in AWS Cloud across multiple Amazon EC2 instances. These instances are a mix of On-demand, Reserve instances, and Spot instances. Management is looking for the amount spent on On-Demand instances and savings that would have resulted from purchasing more Reserved instances. What reports can be used to fetch the required details?
Use RI coverage reports to identify costs
A company is planning to deploy a critical application on the Amazon EC2 instance behind the Application load balancer. Multiple domains will be created in Amazon EC2 instances and all end-user client traffic accessing these domains should be encrypted. Front-end connections will be terminated on the Application load balancer and then forwarded to the Amazon EC2 instance. The same ALB port should be used for multiple domains and certificates used for HTTPS traffic should be automatically renewed before expiration. What solution can meet this requirement?
Create certificates using AWS Certificate Manager. Specify the domain name on the certificate matching the custom domain name record. Add certificates to the certificate list and provide a different certificate for each domain
Amazon Certificate Manager can be used to provide a certificate for Application Load balancer enabling HTTPS traffic to terminate on it. It supports automatic certificate renewal before expiration. When a certificate is created in ACM for use with Load balancer, domain name must be specified. This domain name should match the custom domain name record. For load balancer to support multiple domains on the same port a certificate list must be created. The certificate list also allows you to have different certificates for each domain.
A company has deployed microservice applications using Amazon EKS with AWS Fargate deployment. Pods are deployed in nodes launched in multiple Availability zones. Incoming layer 4 user traffic should be load-balanced to multiple pods in a node but should not be routed to different nodes. For all the traffic, client IP should be preserved for security compliance. Which solution will meet these requirements?
Use AWS Load Balancer Controller and specify service type as LoadBalancer and target type as IP. Configure externalTrafficPolicy =Local for the load balancing service to preserve client IP
WS Load balancer Controllers support target type as IP only for Fargate deployments. When NLB is specified as a Load-balancing service, externalTrafficPolicy can be used to determine how incoming traffic can be routed to the nodes in an EKS cluster. When externalTrafficPolicy is specified as a Local, it will route traffic to multiple pods in a Node, but traffic will not be routed to other Nodes in an EKS cluster. This option preserves the client’s IP address. ExternalTrafficPolicy can also be specified as Cluster, which routes incoming traffic to multiple nodes in a cluster but does not preserve Client IP addresses.
A company has deployed multiple AWS accounts in an AWS Organization. The project Team is planning to share a VPC subnet with participants across these different AWS accounts. Management is concerned for security groups while launching the resources in a shared VPC subnet and the cost incurred. They are looking for consultation from you as an AWS expert. What solution can be suggested for this requirement?
Launch Amazon EC2 instance with a security group created in each account of the AWS Organization. Participants will pay for data transfer charges for the inter Availability zone and VPC owners will pay hourly charges for resources
A company has created a hybrid connectivity from an on-premises location to the AWS cloud using the AWS Direct Connect link. Multiple applications are deployed in a VPC which are accessed by users on-premises. The Operations Team needs to monitor all outgoing traffic from the VPC to the on-premises location and send this traffic to a monitoring appliance deployed in a VPC. The company is looking for your support to create traffic mirror filter rules which should ensure no other traffic apart from VPC to on-premises is captured. What solution will meet this requirement?
Create traffic mirror filter rules for both incoming and outgoing traffic. For incoming traffic, reject all traffic with source IP as VPC CIDR and accept all other traffic. For outgoing traffic, reject all traffic with the destination as VPC CIDR block and accept all other traffic
A large multinational company has deployed a Site-to-site VPN to Transit Gateway 1.
VPC A and VPC B have VPC attachments to Transit Gateway 2.
There is a peering attachment between Transit Gateway 1 and Transit Gateway 2.
Recently the company has deployed a middle box appliance in VPC B, through which all traffic between VPN to VPC A passes through. Post deployment of middlebox appliances, the project team needs to ensure that traffic is properly routed end to end from VPN to VPC and for this, they will be using Route Analyzer. The team is concerned with specifying the source and destination in the route analyzer which will capture correct output. How can the source and destination be specified to meet this requirement?
Configure Source Transit Gateway 1, VPN attachment and specify IP address from on-premises IP range. Configure Destination as Transit gateway 2, VPC A attachment, and IP address from VPC A CIDR. Specify middleware location in the route analysis
A company has created multiple VPCs for deploying applications in AWS Cloud. VPC peering is configured for inter-VPC traffic. Recently for VPC A and VPC B, the AWS Transit gateway was deployed. For VPC attachments to the Transit gateway, a subnet from a single Availability zone from each VPC is used. Post-migration to the transit gateway, packet drops are observed for traffic between these 2 VPCs. The company is looking for your consultation for the resolution of the packet drop issue. What solution will meet this requirement?
Configure MTU as 8500 at both VPC attachments to AWS Transit Gateway
A company has deployed containerized applications using Amazon EKS. They are planning to integrate AWS App Mesh with EKS clusters using Envoy proxy containers. Each EKS pod has separate ARNs. The project team is looking for your guidance for the initial configuration of the Envoy containers. What configuration setting can be done for this requirement?
Add the Envoy container by setting an environmental variable to the ARN of the virtual node. Specify the Envoy admin port to be different from the listener of the virtual node
A global finance organization has built an AWS cloud environment with multiple accounts. AWS Direct Connect is used to establish connectivity with on-premises locations. Each account has created a separate VPC for deploying applications. Each account should have ownership of the Private hosted zones (PHZ) created for their domains. All VPCs should be able to forward queries to on-premises DNS servers. A shared services VPC is created which will have outbound Route 53 resolvers. DNS Failure in any account should not impact DNS service for any other account and proposed solution should consider scalability for DNS queries. What solution can meet this requirement?
Create PHZ in each VPC. Associate PHZ with other VPC’s as well as with Shared services VPC. Use Shared services VPC to forward queries to on-premises DNS servers
A company has deployed containerized applications using Amazon EKS clusters. This application will require digital certificates to be provisioned for secure authentication of internal users and encryption of transactions over TLS. Customized certificates should be provisioned per application with specific private key algorithms by the CA. For audit compliance, private keys for the CA should be updated on a regular basis and this change should not impact hard-coded ARN stored for the CA. What solution can meet this requirement?
Create CA hierarchy using AWS private CA and issue customized certificates for authenticating internal users. Rotate CA private key by importing a new CA certificate
A company has deployed a three-tier application in Amazon VPC. This application will be accessed by remote clients using AWS Client VPN. All the clients should be authenticated using certificate-based authentication. Along with accessing applications in the VPC, clients should be able to communicate with each other securely. Clients should not be able to access any other network elements. The client VPN endpoint is created in the same region as that of the VPC. What solution can meet these requirements?
Use a Mutual authentication method for authenticating clients
In the client VPN endpoint route table, add route destination as client CIDR range and target VPC subnet ID as local. Add two separate authorization rules, one rule to grant access to VPC application subnet and other rule for client CIDR subnet
A company is using AWS Client VPN for accessing resources in the AWS cloud. All the clients will be authenticated with a mutual authentication method. For security purposes, clients should be granted access only to the specific network elements and should not be granted access to any other elements. Each group of users has different access requirements for accessing resources in the AWS Cloud. What solution can meet this requirement?
Create multiple Client VPN endpoints to enable a specific group of users to access specific parts of the network
A global oil company has deployed applications in separate accounts with VPCs created across multiple AWS regions. Public hosted zones for domains in each account are created using Amazon Route 53. Security team is concerned for DNS exfiltration for the DNS lookups compromising security. All the accounts should have consistent security policy across all regions. What solution can meet this requirement?
Use Route 53 Resolver DNS Firewall with Resolver DNS firewall rule group associated with VPC in each region
Share DNS firewall rule groups with other accounts using Amazon RAM
A company has set up a hybrid connectivity for deploying applications in the AWS cloud. They have created a separate central VPC which has Amazon Route 53 resolver Inbound and Outbound endpoints. Different accounts will be using this central VPC for forwarding queries to on-premises DNS servers. The operations team is looking to store all these queries for audit purposes. All these query logs should be captured from all the accounts and stored for a long period. A high volume of queries is expected, and a cost-effective solution is required. How can logs be captured for this requirement?
Set up query logging from the centralized account to store logs in the Amazon S3 bucket which is part of the central account. Use RAM to share configuration from multiple accounts to central accounts
A company is using AWS Organization for managing multiple AWS accounts. AWS Site-to-Site VPN connections are created from multiple accounts VPC to on-premises location. All these VPC connections are configured in high availability with two tunnels at two different on-premises routers. Recently an outage was observed in one of the VPN connectivity, wherein one of the tunnels was not active for a long time and another active tunnel went down. The operations team is looking for a consolidated report from all accounts indicating inactive single tunnels for all VPN connections. How can reports be generated to meet this requirement?
Create an Organizational view report from AWS Trusted Advisor. Use Amazon Athena to query this report and generate a list of VPN connections that have one of the tunnels down
A company is using a multi-account environment with accounts A and B created in AWS Cloud. They have created two separate Transit Gateway 1 and 2 in account A while Transit Gateway 3 is part of account B. The Operations Team is looking to centrally manage all these transit gateways. They should be able to monitor peering attachments between these transit gateways and VPC attachments to individual transit gateways.
What solution can be added to this requirement?
Create a global network. Register Transit Gateway 1 and Transit Gateway 2 with the global network. Enable Multi-account access and register Transit Gateway 3 with the same global network
AWS Global Networks for Transit Gateway helps to centrally manage transit gateway and associated attachments. For this, the Transit Gateway needs to be registered in the global network. When transit gateways are part of different accounts, peering attachments are by default included in the global network but all other attachments for a transit Gateway part of different accounts are not included. To include these attachments, multi-account access needs to be enabled on the global network.
A company has deployed a hybrid connectivity using AWS Direct Connect. The private virtual interface is used to establish this connectivity to VGW. Static Routes are defined in the VGW routing table to forward traffic from applications in VPC towards on-premises hosts. Recently the application team has upgraded the application and requires jumbo frame support for connectivity from on-premises.
What changes can be made to establish this connectivity?
Enable propagated routes and set MTU as 9001
Private Virtual Interface has a default MTU as 1500. It supports jumbo frames with MTU as 9001. Jumbo frames are only supported when routes are propagated in VGW and for static routes MTU of 1500 is only supported. In the above case for jumbo frame support for the application, client will need to enable propagated routes in the VGW and then set MTU as 9001.
company has created a multi-account environment in AWS cloud. Account A will be used for managing all subnets while resources in Account B will be used to initiate all outbound traffic to the Internet. Account A is the owner of public subnets and will share these subnets with Account B using AWS RAM. Operations Team is concerned about the security controls which participants in Account B will be able to perform for controlling internet traffic.
What security controls can be initiated by participants in Account B?
Participants in account B will be able to create ingress and egress rules for security groups but will not be able to create NACLs
A customer has deployed an application on Amazon EC2 instance front-ended by Application Load Balancer. They are planning to deploy this application at on-premises nodes. For incoming internet users’ traffic to this application, Application Load Balancer should be able to distribute traffic across EC2 instances and on-premises nodes.
What solution can be done for this requirement?
Use Target Type as IP. Specify private routable IP address for on-premises nodes and use AWS Direct Connect connectivity for reachability to on-premises nodes
A company has created two accounts DEV and PROD for managing resources in the AWS cloud. AWS Transit Gateway is created in account PROD and is shared with account DEV using AWS RAM. A new remote office needs to be connected to this Transit Gateway which will be connecting using AWS Site-to-Site VPN. The project team is concerned with attaching this VPN attachment to the Transit Gateway in either of these accounts. Additionally, they are looking for your advice with respect to the modifications to route table propagation in the Transit Gateway shared with the DEV account.
What actions can be initiated for these requirements?
AWS Site-to-Site VPN attachment must be created in the account PROD which owns the Transit Gateway. Account DEV will not be able to make route table propagation changes in the Transit Gateway
AWS Transit Gateway can be shared with other accounts using AWS RAM. While sharing transit gateway following points needs to be considered,
- AWS Site-to-Site VPN attachment can be created only in the account which owns the Transit Gateway.
- Account to which transit gateway is shared cannot create, modify or delete Transit Gateway roue table or the route table propagations and its associations.
A company is planning to deploy AWS Direct Connect links from on-premises to AWS Cloud. In region 1, AWS Direct Connect links will be established with AWS Transit Gateway while in region 2 links will be established with virtual private gateway. Applications deployed on Amazon EC2 instances will be accessed over high-speed links from on-premises locations. Application will require jumbo frames support for optimum usage. Project team is looking for an MTU setting which will suffice this requirement.
What solution can be used for this requirement?
In region 1 use a virtual transit interface and Set MTU as 8500. In region 2, use virtual private interface with MTU as 9001
While deploying AWS Direct Connect links, private virtual interface is required for establishing connectivity with Virtual private gateway while virtual transit interface is required for AWS Transit Gateway. Jumbo frames are supported with AWS Direct Connect links by setting MTU as follows:
- Virtual Private Interface: MTU as 9001
- Virtual Transit Interface: MTU as 8500
- Virtual Public Interface: MTU as 1500
A multinational company has offices across the globe connected using MPLS. Connectivity to all offices is managed by an internal team. Company is looking for a high bandwidth MPLS connectivity to AWS cloud for accessing resources in multiple VPCs from global offices. The scalable solution should provide full control to the company for managing and performing any configuration changes.
What solution can be designed for this requirement?
Colocate dedicated MPLS nodes at the AWS Direct Connect Location. Create transit virtual interfaces from these nodes to Transit Gateway for accessing AWS resources from different VPCs
An IT company has implemented hybrid connectivity between on-premises networks and AWS Cloud. They have deployed two Microsoft Active Directory at on-premises locations. For contract workers, the company is planning to provide virtual desktops using Amazon Workspaces. Workspaces should be integrated with the on-premises AD so that these workers can use existing credentials to access applications.
How can a solution be implemented for this requirement?
Set up AWS Microsoft AD domain controller in AWS cloud. Create an interforest trust relationship between on-premises AD and AWS Microsoft AD domain controller
A company has implemented connectivity to multiple AWS regions from remote offices. Remote offices are connecting to AWS Transit Gateway using ECMP-enabled multiple VPN connections with AWS Site-to-Site VPN. Transit Gateway and remote offices are registered in the AWS Global network and used by the Operations Team for centrally managing all connectivity. During routine checks, the Operations team found that the route analyzer has listed a single VPN attachment even though both the VPN tunnels are UP.
What could be the possible cause for this input?
ECMP is misconfigured
A company has set up a hybrid connectivity using AWS Direct Connect. DNS Servers are deployed in AWS cloud and at on-premises locations. Applications are deployed on Amazon EC2 instances launched in a VPC on which “enableDnsHostnames” and “enableDnsSupport” are enabled. When remote clients perform SSH requests to these applications, reverse DNS queries need to be forwarded to on-premises DNS servers.
What solution can meet this requirement?
Turn off automatic rules and create forwarding rules to forward reverse DNS queries for specific domain names to on-premises DNS servers. Associate rules with the VPC
A company has deployed hybrid connectivity using AWS Direct Connect 100 G dedicated connections. Currently, 50 IPv4 Prefixes are advertised via BGP session over the private virtual interface. Recently the company has deployed an application that supports IPv6 addressing and needs to advertise these additional prefixes over the BGP session. The project team is looking to upgrade the AWS Direct Connect to support maximum bandwidth for new applications. The project team is concerned about the number of prefixes that can be allowed over a BGP session.
What changes can be made to meet this requirement?
Advertise 100 or less prefixes each for IPv4 and IPv6 over BGP session. Create a LAG with 2 x 100 G links to get maximum bandwidth
Advertise 100 or less prefixes each for IPv4 and IPv6 over BGP session. Create a LAG with 2 x 100 G links to get maximum bandwidth
The development team is working on a critical application that will be deployed on Amazon EC2 instances. Amazon EC2 instances are launched in a VPC which has private and public subnets and internet connectivity is via Internet gateway. Secure communication between resources is a prime requirement for this application. Amazon EC2 instances need to publish messages to SNS topics in a secure way and only specific instances should be allowed to publish these messages in the SNS topics.
What solution can meet this requirement?
Create a VPC endpoint for SNS in the VPC in which the instance resides. Create a topic policy that will restrict publishing messages only from the VPC endpoint
A company has deployed a high-volume internet-facing application in a VPC. AWS Network Firewall endpoint is created in that VPC. The operations team is observing performance issues post 100 Gbps of the traffic traversing through this firewall endpoint. The Operations Head has instructed you to resolve these performance issues with an optimized solution.
What actions can be implemented for this requirement?
Split resources in different subnets and create an AWS Network firewall endpoint in each subnet. Deploy Application resources in the different subnet as that of the firewall subnet
AWS Network Firewall supports 100 Gbps of network traffic per firewall endpoint. To provide additional throughput, the solution is to split subnets into multiple subnets and attach network firewall endpoints to each firewall. Also, while creating additional subnets, application resources and firewalls must be placed in a separate subnet. Firewall endpoints will not be able to filter traffic when resources are in the same subnet as that of the firewall.
A company has deployed internet-facing applications in Customer Subnet 1 and Subnet 2 provisioned in Availability Zone 1 and Availability Zone 2 respectively. The security team is required to secure these applications by performing deep packet inspection for all incoming internet traffic. The project team has deployed the AWS Network Firewall and is looking for your consultation for routing traffic via this firewall.
How can a solution be deployed for this requirement?
Create a Firewall subnet in each zone. In customer subnet route table 1, add route-target as firewall subnet 1 for destination 0.0.0.0. In customer subnet route table 2, add route-target as firewall subnet 2 for destination 0.0.0.0. In the Internet gateway route table for customer subnet 1, add a route target as firewall subnet 1 while for customer subnet 2 add a route target as firewall subnet 2
An IT firm uses Hybrid Connectivity by deploying most of their servers in AWS VPC while retaining some of their IT infrastructure at the on-premises location. Users access the data from servers hosted on EC2 instance in AWS VPC. The IT team has categorized IT services into 3 different groups; critical, normal & best efforts. To enhance user performance for accessing data over the cloud, the IT Head wants you as a Network Engineer to mark this traffic end to end between on-premises to AWS servers hosted on EC2 instance. This should allocate guaranteed bandwidth to end-users accessing critical services over users accessing normal services & the least bandwidth should be allocated to best effort IT service. Which of the following can be deployed to meet this requirement?
Use QOS Marking on applications & use QOS supporting Software VPN to terminate VPN on EC2 instance & prioritize traffic in EC2 OS level
A Global IT organization has deployed Hybrid Connectivity for its intranet application. They have set up AWS Direct Connect from regional offices to AWS. Finance Servers are deployed in each region. Central HR servers are deployed in the us-west-1 region along with servers in each regional office. Finance servers need to be assessed locally while HR servers need to assess from all regions globally. IT Head wants to ensure that Finance server IP prefixes are advertised only in the region where it is deployed, while all servers globally should have connectivity to central HR servers in the us-west-1 region to upload employee attendance details. You are working as a Network engineer for this organization & have been assigned the task to complete the BGP configuration for this setup. While advertising prefixes to BGP peers which tags can be used to control these prefixes advertisements?
Use BGP Community Tags 7224:9100 for the server to be accessed in each AWS region & no BGP community tags for servers to be accessed from all regions.
A banking organization has hybrid connectivity for its 3-tier application. They have set up redundant AWS Direct Connect links from DataCenter to AWS. Last week, a connectivity issue where fiber cut at the service provider end resulted in an outage of primary link & traffic was shifted to secondary after a long delay. This resulted in the failure of many banking transactions & financial loss.
After troubleshooting, it was found that traffic sent over primary link even after fiber cut & was getting blackholed. IT head is looking for an immediate solution to this problem to avoid such instances in the future. Which of the following solution can be deployed in a quick way?
Enable BFD at Customer end Router on a virtual interface.
A startup firm uses AWS VPN to store all documents in the Amazon S3 bucket from their regional office. Due to the huge growth in the number of users accessing Amazon S3, they are facing congestion & performance issues. Client internal users have a mixed IP address assigned with some using IPv4 address & others using IPv6 address. The client needs to ensure both users can efficiently access the S3 bucket without any change in the user end configuration. They are planning to set up an AWS Direct Connect link with dual-stack Public VIF for this requirement. Which address ranges ( client’s end IP configuration ) need to be finalized before setting a Public VIF with both IPv4 & IPv6 connections?
Use Public IPv4 pool owned by client for IPv4 connection while for IPv6 connection, peer IP addresses are automatically assigned by Amazon.
Multiple AWS DX Connections from 2 different locations are commissioned by a government organization to access web applications deployed in AWS cloud infrastructure. Users are complaining of session interruption while accessing a legacy software deployed on EC2 instance in AWS VPC. Further analysis shows an asymmetric traffic flow between users in the government offices & servers over both AWS DX links. To avoid varied latency from both AWS DX links, the client wants a primary AWS DX connection as a preferred path to AWS & a secondary AWS DX connection should be a backup in case of primary link failure. Which additional configuration changes will meet this requirement?
Add Local Preference BGP Community Tag 7224:7300 on the primary Link & Local Preference BGP Community Tag 7224:7100 on the secondary link.
A hugely popular video-sharing application is deployed on multiple EC2 instances in different AZs. Amazon CloudFront is configured to provide minimum latency to global users accessing this web application. Due to recent geopolitical tension, Security Team needs to provide the least preference for users accessing web applications from a list of countries sanctioned by law enforcement bodies. There should not be any impact for users in other countries accessing this application. Which of the following can be configured to meet this requirement with the least effort?
Use AWS WAF Geographic Match & rate limiting match rules with Amazon CloudFront to provide the least preference to users from this list of countries while accessing the application.
A global IT firm is planning to host an intranet HR web application on EC2 instance behind ELB. This HR application has multiple domains & will be accessed from their regional offices spread across the globe. To reduce latency & have enhanced performance, they are planning to deploy this web application in respective AWS regions. At all these locations, ELB will be deployed to provide high availability across multiple EC2 instances. IT Team has purchased SSL/TLS certificates from a third-party vendor for existing web applications which they want to reuse while deploying applications in AWS cloud infrastructure. IT head is concerned about reusing these certificates along with managing the expiration of these certificates. What is true with regards to certificate installation for ELB in the above case?
The certificate needs to be imported in each region where ELB is deployed & ACM will not perform the renewal of certificates.
A company plans to establish hybrid connectivity using AWS Direct Connect dedicated link between on-premises location and AWS. At on-premises, the company has created two VRFs (virtual routing and forwarding) VRF A and VRF B. Servers in VRF A need to have connectivity with CIDR A part of VPC A while server in VRF B needs to have connectivity with CIDR B of VPC B. Both VPC A and VPC B are created in the same AWS region. Routers at the on-premises location do not support GRE (Generic Routing Encapsulation). Traffic from respective VRFs should be end-to-end segmented over AWS Direct Connect connection.
Which of the following can be implemented for segmenting traffic in the most cost-effective way?
Create two public VIF over AWS Direct Connect Dedicated connection. Create two Site-to-Site VPN connections from on-premises routers to the AWS Transit Gateway. Each Site-to-Site VPN connection should be part of each VRF A and B created at the on-premises location. Create two VPC attachments between VPC A and VPC B with the AWS Transit Gateway. Create two separate route tables in AWS Transit Gateway for each traffic flow between VPC A-VRF A and VPC B- VRF B
A start-up company is establishing a hybrid connectivity between an on-premises network and AWS using AWS Direct Connect. They have created a Private virtual interface to the Virtual Private gateway. While performing tests, connectivity is not established from the on-premises network to the VPC. As an AWS Consultant, you have been asked to provide suggestions to troubleshoot this connectivity.
What checks need to be performed to ensure connectivity is properly established from VPC towards on-premises networks?
In VPC route tables, add entries for on-premises routes with the target as a virtual private gateway that has a private virtual interface connected.
Ensure that not more than 100 routes are advertised from the on-premises customer router.
