Amazon ANS-C01 Exam Dumps

Question # 1

A company hosts application servers on premises and on Amazon EC2 instances in a VPC. Theapplication servers access data that is hosted in an Amazon S3 bucket through the public internet.The EC2 instances in the VPC use an AWS Site-to-Site VPN for connectivity with the on-premisesapplication servers.New company regulations state that all traffic between the application servers and the S3 bucketmust remain private and must not use public IP addresses.Which solution will meet these requirements MOST cost-effectively?

A.Configure an S3 gateway endpoint Modify the route table with the appropriate route for theendpoint. Access the S3 bucket through the gateway endpoint from the EC2 instances.
B.Configure an S3 interface endpoint. Update the on-premises servers and EC2 instances to use theinterface endpoint DNS name to access the S3 bucket.
C.Configure an S3 interface endpoint. Update the on-premises servers to use the interface endpointDNS name to access the S3 bucket. Configure an S3 gateway endpoint. Modify the route table so thatthe EC2 instances use the gateway endpoint.
D.Configure an S3 gateway endpoint. Modify the route table with the appropriate route for theendpoint. Use an S3 bucket policy to restrict access to the gateway endpoint. Configure a proxyserver fleet behind a Network Load Balancer in the VPC so that the on-premises servers can accessthe S3 bucket.

  Show Answer

Question # 2

A company uses AWS Site-to-Site VPN connections to encrypt traffic between the company's onpremiseslocation and a single VPC. The Site-to-Site VPN connections use two 1 Gbps AWS DirectConnect connections with public VIFs. The company plans to add 15 additional VPCs in the sameAWS Region.The company must maintain the same level of encryption that the Site-to-Site VPN connectionscurrently provide for each connection between the on-premises location and the new VPCs. The newconnections must not use public IP addresses. The bandwidth of the Site-to-Site VPN connections willremain less than the current provisioned speed.Which combination of steps will meet these requirements with LEAST operational overhead?(Choose three.)

A.Create a transit gateway and a Direct Connect gateway. Associate the transit gateway with theDirect Connect gateway. Attach all the new VPCs to the transit gateway.
B.For each new VPC, create a new Direct Connect private VIF to a Direct Connect gateway.Associate all VPCs with the Direct Connect gateway.
C.Assign a private IP CIDR block to the transit gateway.
D.Assign a public IP CIDR block to the transit gateway.
E.Create a transit VIF to the Direct Connect gateway. Create a Site-to-Site VPN private IP VPNconnection.Create a public VIF.
F.Create a Site-to-Site VPN public IP VPN connection.

  Show Answer

Question # 3

A company has an application VPC and a networking VPC that are connected through VPC peering.The networking VPC contains a Network Load Balancer (NLB). The application VPC contains AmazonEC2 instances that run an application. The EC2 instances are part of a target group that is associatedwith the NLB in the networking VPC.The company configures a third VPC and peers it to the networking VPC. The new VPC contains a newversion of the existing application. The new version of the application runs on new EC2 instances inan application subnet. The new version of the application runs in a different Availability Zone thanthat original version of the application.The company needs to establish connectivity between the NLB and the new version of theapplication.Which combination of steps will meet this requirement? (Choose three.)

A.Register the new application EC2 instances with the NLB by using the instance IDs.
B.Register the new application EC2 instances with the NLB by using instance IP addresses.
C.Configure the NLB in the Availability Zone where the new application EC2 instances run.
D.Configure the NLB to use zonal shift.
E.Configure the network ACL for the application subnet in the new VPC to allow outboundconnections.
F.Configure the network ACL for the application subnet in the new VPC to allow inboundconnections and outbound connections.

  Show Answer

Question # 4

A company is migrating its internet VPN connections to dedicated AWS Direct Connect connections.The company needs to set up the Direct Connect connections so that all network communicationsare encrypted in transit.Which combination of steps will meet this requirement? (Choose three.)

A.Create new Direct Connect connections while requesting MACsec ports.
B.Create a MACsec Connectivity Association Key Name (CKN) and Connectivity Association Key(CAK) pair. Associate the pair with each new connection
C.Update the on-premises routers to use MACsec and the shared Connectivity Association Key Name(CKN) and Connectivity Association Key (CAK) pair
D.Create a shared key for an IPsec connection.
E.Configure a new Direct Connect gateway. Associate the shared key with the new Direct Connectgateway.
F.Set up IPsec on the on-premises router. Associate the shared key with the IPsec configuration.

  Show Answer

Question # 5

A company runs workloads in multiple VPCs. The company needs to securely access a workload inone of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up anAWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamicrouting for the connection, and communication works properly.Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner createdworkloads that use the additional CIDR range.The company's on-premises network is unable to reach the new workloads. The network engineerneeds to resolve the network connectivity issue and ensure that connectivity will not be affected ifadditional VPC CIDR ranges are added to the VPC in the future.Which solution will meet these requirements with the MOST operational efficiency?

A.Configure route propagation for VPC-A to the VPN attachment route table.
B.Manually update the VPN attachment route table to include the new CIDR range.
C.Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule tomatches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPNattachment route table.
D.Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is anupdate to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachmentroute table. Restart the VPN tunnels.

  Show Answer

Question # 6

A company runs applications in two VPCs that are in separate AWS Regions. One VPC is in the useast1 Region. The second VPC is in the us-west-1 Region. The company needs to establishconnectivity between the two VPCs. The company also needs to connect the VPCs to applicationsthat run in an on-premises data center.The current traffic requirement between the VPCs is 50 ТВ per month. The company expects trafficvolume between the VPCs to increase. The traffic requirement from the VPCs to the on-premisesdata center is 10 ТВ per month. The company expects the traffic between the VPCs and the datacenter to remain constant.Which solution will meet these requirements MOST cost-effectively?

A.Create a transit gateway in each Region. Create VPN connections from the transit gateways to theon-premises firewall. Create a peering connection between the transit gateways.
B.Create a virtual private gateway in each Region. Create VPN connections from the on-premisesfirewall to the virtual private gateways. Configure the on-premises firewall to route the trafficbetween the two VPCs.
C.Create a virtual private gateway in each Region. Create VPN connections from the on-premisesfirewall to the virtual private gateways. Create a VPC peering connection between the two VPCs.
D.Create a virtual private gateway in each Region. Create VPN connections from the on-premisesfirewall to the virtual private gateways. Create a VPN connection between the virtual privategateways.

  Show Answer

Question # 7

A US-based company is expanding its business to Europe. A network engineer needs to extend thecompany's network infrastructure by setting up a new hub and spoke architecture in the eu-west-1Region. The network engineer uses a transit gateway peering connection to connect the newresources in eu-west-1 to an existing environment in the us-east-1 Region.The hub and spoke architecture in each AWS Region includes an inspection VPC that uses AWSNetwork Firewall to centralize traffic inspection for each Region. To reduce costs, the networkengineer decides to inspect inter-Region traffic by using the inspection VPC in the Region thatoriginates the traffic. The network engineer configures the transit gateway route tables accordinglyfor each Region.When the network engineer tests the new architecture, communication within each Region works asexpected. However, the network engineer finds that inter-Region communication is not working. Thenetwork engineer must resolve the inter-Region communication issue.Which solution will meet this requirement?

A.Configure Open Shortest Path First (OSPF) routing on the transit gateway peering connection topropagate the VPC CIDR blocks from each Region to the remote peer.
B.Use AWS Resource Access Manager (AWS RAM) to share access between the transit gateways.Enable the Allow sharing with anyone setting.
C.Prevent asymmetric routing in the inspection VPCs by ensuring that both requests and responsesare inspected by the same inspection VPC
D.Enable Appliance mode on both the transit gateway attachments for the inspection VPC.

  Show Answer

Question # 8

A company needs to capture and log traffic for Nitro-based Amazon EC2 instances to comply withregulations. The company's network team has prepared a solution that enables VPC traffic mirroringand sends traffic to a second set of EC2 instances in an Auto Scaling group.The network team has added a Network Load Balancer (NLB) in front of the EC2 instances the trafficwill be sent to. However, the solution does not send any mirrored traffic to the EC2 instances that arebehind the NLB.How should the network team configure traffic mirroring to use the NLB endpoint?

A.Select the NLB as a source for traffic mirroring. Use a UDP listener.
B.Select the NLB as a target for traffic mirroring. Use a TCP listener and a UDP listener.
C.Select the NLB as a target for traffic mirroring. Use a TCP listener.
D.Select the NLB as a target for traffic mirroring. Use a UDP listener.

  Show Answer

Question # 9

A company has a hybrid environment that connects an on-premises data center to the AWS Cloud.The hybrid environment uses a 10 Gbps AWS Direct Connect dedicated connection. The DirectConnect connection has multiple private VIFs that terminate in multiple VPCs.To comply with regulations, the company must encrypt all WAN traffic, regardless of the underlyingtransport. The company needs to implement an encryption solution that will not affect thecompany's bandwidth capacity.Which solution will meet these requirements?

A.Create a public VIF. Configure a new AWS Site-to-Site VPN connection to use the new public VIF.
B.Configure MAC security (MACsec) support on the port of the existing Direct Connect connection.Change the encryption mode to must_encrypt.
C.Configure a new Direct Connect connection that supports MAC security (MACSec) Associate theexisting VIFs to the new Direct Connect connection.
D.Create a public VIF. Configure a new private IP VPN that uses the Direct Connect connection.

  Show Answer

Question # 10

A company has five VPCs in the us-east-1 Region. The company hosts an internal web application inus-east-1. One of the company's VPCs. named VPC-A, needs to connect to an external partner's AWSenvironment. The partners environment is in the same AWS Region where the partner hosts a newversion of the company's web application. The partner hosts its version of the application in a VPCnamed VPC-B.The company has Amazon EC2 instances in VPC-A that need to connect to the web application inVPC-B A network engineer notices that the partner's VPC-B and the company's VPC-A use thesame IP space. The network engineer needs a solution to allow the EC2 instances to connect to theweb application. The solution must not negatively affect the exiting environment of the company orthe partner.Which combination of steps should the network engineer take meet these requirements? (Choosetwo.)

A.Establish a VPC peering connection between VPC-A to VPC-B.
B.Ensure the partner creates a VPC endpoint service that uses a Network Load Balancer in VPC-B.
D.Deploy a new routable VPC CIDR block as a secondary CIDR block to both VPC-A and VPC-B. Deploy a public NAT gateway in VPC-A.
E.Establish an AWS Site-to-Site VPN connection between VPC-A and VPC-B.

  Show Answer

Question # 11

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB).The instances are part of an Amazon EC2 Auto Scaling group.To comply with new security standards, the company must capture all application access data,including server response codes, request paths, latency, and client IP addresses. The company alsoneeds to query the captured data for performance analysis.Which solution will meet these requirements?

A.Enable VPC flow logs on the ALB subnets. Store the logs to an Amazon S3 bucket. Query the logs inthe S3 bucket by using Amazon Athena.
B.Configure Amazon VPC Traffic Mirroring on all EC2 elastic network interfaces. Deploy a third-partymonitoring appliance from AWS Marketplace in a private subnet. Use Amazon Data Firehose to sendall mirrored traffic to the monitoring appliance. Query the logs directly from the monitoringappliance.
C.Configure Amazon CloudWatch detailed monitoring on the EC2 instances Include all available logs.Use Amazon Data Firehose to send all the collected logs to an Amazon S3 bucket. Query the datadirectly from the S3 bucket.
D.Enable access logs on the ALB. Store the logs in an Amazon S3 bucket. Query the logs in the S3bucket by using Amazon Athena.

  Show Answer

Question # 12

A company is planning to migrate to AWS and use multiple VPCs in multiple AWS Regions. A networkengineer must connect the eu-west-1 and eu-central-1 Regions to the company headquarters and branch office, respectivelyThe network engineer created a production VPC, named Prod A, with a CIDR block of 10.0.0.0.Prod A runs in an account in eu-west-1. The network engineer then created another production VPC,named Prod B, with a CIDR block of 10.1.0.0. Prod Ð’ runs in a different account in eu-central-1.The network engineer performed the following steps to try to achieve the required connectivity:1.Created one transit gateway in each Region2.Shared and accepted the transit gateways with the production accounts in both Regions3.Configured the peering attachment between both transit gateways4.Attached both VPCs to the respective Region transit gateway5.Created both transit gateway route tables and associated the attachments with the route tables6.Configured a static route in both transit gateway route tables to send traffic to the remote VPC inthe other Region7.Activated route propagation on the VPC route tables in each RegionAfter the configuration, the network engineer tried to connect from Prod A to Prod B. However, theconnection was unsuccessful.What should the network engineer do to achieve the required connectivity?

A.Modify the IP address of the peering attachment to a wider range.
B.Delete the static routes that were in the transit gateway route table to send traffic to the remoteVPC and enable route propagation instead.
C.Create a new route destined to 10.0.0.0 in both production VPC route tables with the Regiontransit gateway as the target.
D.Modify the transit gateway route tables from the production accounts to propagateroutes dynamically between the production VPCs.

  Show Answer

Question # 13

A company is planning to use an AWS Transit Gateway hub and spoke architecture to migrate to AWS.The current on-premises multi-protocol label switching (MPLS) network has strict controls thatenforce network segmentation by using MPLS VPNs. The company has provisioned two 10 Gbps AWSDirect Connect connections to provide resilient, high-speed, low-latency connectivity to AWS.A security engineer needs to apply the concept of network segmentation to the AWS environment toensure that virtual routing and forwarding (VRF) is logically separated for each of the company'ssoftware development environments. The number of MPLS VPNs will increase in the future. OnpremisesMPLS VPNs will have overlapping address space. The company's AWS network design mustsupport overlapping address space for the VPNs.Which solution will meet these requirements with the LEAST operational overhead?

A.Deploy a software-defined WAN (SD-WAN) head-end virtual appliance and an SD-WAN controllerinto a Transit Gateway Connect VPC. Configure the company's edge routers to be managed by thenew SD-WAN controller and to use SD-WAN to segment the traffic into the defined segments foreach of the company's development environments.
B.Configure IPsec VPNs on the company edge routers for each MPLS VPN for each of thecompany's development environments. Attach each IPsec VPN tunnel to a discrete MPLS VPN.Configure AWS Site-to-Site VPN connections that terminate at a transit gateway for each MPLSVPN. Configure a transit gateway route table that matches the MPLS VPN for each Transit GatewayVPN attachment.
C.Create a transit VPC that terminates at the AWS Site-to-Site VRF-aware IPsec VPN. Configure IPsecVPN connections to each VPC for each of the company's development environment VRFs
D.Configure a Transit Gateway Connect attachment for each MPLS VPN between the company's edgerouters and Transit Gateway. Configure a transit gateway route table that matches the MPLS VPN foreach of the company's development environments.

  Show Answer

Question # 14

A company is planning to host a secure web application across multiple Amazon EC2 instances. Theapplication will have an associated DNS domain in an Amazon Route 53 hosted zone.The company wants to protect the domain from DNS poisoning attacks. The company also wants toallow web browsers to authenticate into the application by using a trusted third party.Which combination of actions will meet these requirements?

A.Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install self-signedX.509 certificates on the EC2 instances.
B.Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install X 509certificates that are signed by a public certificate authority on the EC2 instances.
C.Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install X.509certificates that are signed by a public certificate authority on the EC2 instances.
D.Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install selfsignedX.509 certificates on the EC2 instances.

  Show Answer

Question # 15

A companys data center is connected to a single AWS Region by an AWS Direct Connect dedicatedconnection. The company has a single VPC in the Region. The company stores logs for all itsapplications locally in the data center.The company must keep all application logs for 7 years. The company decides to copy all applicationlogs to an Amazon S3 bucket.Which solution will meet these requirements?

A.Create a public VIF on the Direct Connect connection. Create an Amazon S3 gateway endpoint inthe VPC.
B.Create a private VIF on the Direct Connect connection. Create an Amazon S3 gateway endpoint inthe VPC.
C.Create a private VIF on the Direct Connect connection. Create an Amazon S3 interface endpoint inthe VPC.
D.Create a public VIF on the Direct Connect connection. Create an Amazon S3 interface endpointin the VPC.

  Show Answer