Amazon Web Services SAP-C02 Study & Exam Dumps 2025

AWS Certified Solutions Architect - Professional Questions and Answers

Question 1

A company has a transit gateway that connects multiple VPCs in the same AWS Region. The company needs a centralized way to inspect network traffic and allow internet access for the workload VPCs.

Which solution meets these requirements?

Options:

Create a Gateway Load Balancer (GWLB), GWLB endpoints, and a network virtual appliance in an existing workload VPC. Update the route table in the remaining workload VPCs to send traffic to the transit gateway. Configure the transit gateway route tables to forward traffic to the GWLB endpoints. Enable appliance mode on the GWLB.

Create a Gateway Load Balancer (GWLB) in an existing workload VPC. Create GWLB endpoints and network virtual appliances in a different workload VPC. Update the route tables in all workload VPCs to send traffic to the transit gateway. Configure the transit gateway route tables to forward traffic to the GWLB endpoints. Enable appliance mode on the GWLB endpoints.

Create an inspection VPC and an internet access VPC. Create a Gateway Load Balancer (GWLB) and GWLB endpoints in the inspection VPC. Create a network virtual appliance in the internet VPC. Enable flow logs in the workload VPCs to route traffic to the transit gateway. Enable appliance mode on the network virtual appliance.

Create an inspection VPC that contains a Gateway Load Balancer (GWLB), GWLB endpoints, and a network virtual appliance. Update the route tables in all workload VPCs to send traffic to the transit gateway. Configure the transit gateway route tables to forward traffic to the GWLB endpoints. Enable appliance mode on the transit gateway.

Buy Now

Answer:

Explanation:

The company needs centralized traffic inspection and centralized internet access for multiple workload VPCs connected by a transit gateway. The standard AWS hub-and-spoke pattern for centralized inspection is to use an inspection VPC that hosts network virtual appliances behind a Gateway Load Balancer, and to steer traffic from spoke VPCs through the transit gateway to the inspection VPC. Gateway Load Balancer endpoints are used to privately connect VPCs to the GWLB, allowing traffic to be transparently redirected to the appliances for inspection without changing application configurations.

To ensure symmetric routing for stateful inspection (so that return traffic traverses the same appliance path), appliance mode is enabled on the transit gateway attachment that connects to the inspection VPC. Appliance mode is specifically used with transit gateways and third-party appliances to preserve flow symmetry and avoid asymmetric routing issues.

Option D matches the centralized model: it creates a dedicated inspection VPC that contains the GWLB, endpoints, and the inspection appliance. It updates workload VPC routes to send traffic to the transit gateway and configures the transit gateway route tables to forward relevant traffic to the GWLB endpoints in the inspection VPC. Enabling appliance mode on the transit gateway is the key operational setting to maintain symmetric routing through the appliance fleet for inspected traffic.

Option A is incorrect because it places the inspection components inside an existing workload VPC rather than using a centralized inspection VPC. This increases coupling, makes the architecture harder to manage, and does not match the typical centralized inspection pattern. It also references enabling appliance mode on the GWLB, whereas appliance mode is a transit gateway attachment feature used for routing symmetry with appliances, not a setting “on the GWLB” itself.

Option B is incorrect because it splits the GWLB and endpoints/appliances across different workload VPCs, which complicates the design and is not the intended GWLB pattern. GWLB endpoints are created in VPCs that need to send traffic to the GWLB service; the appliances sit behind the GWLB in the provider/inspection VPC. The option also refers to enabling appliance mode on endpoints, but the appliance mode setting is associated with the transit gateway attachment.

Option C is incorrect because VPC flow logs are for logging and visibility; flow logs do not route traffic. Also, separating “inspection VPC” and “internet access VPC” with the appliances in the internet VPC does not align with the standard GWLB centralized inspection architecture and introduces unnecessary complexity.

Therefore, creating a dedicated inspection VPC with GWLB and endpoints and enabling appliance mode on the transit gateway attachment is the correct centralized approach.

[References:AWS documentation on AWS Transit Gateway centralized inspection architectures using an inspection VPC.AWS documentation on Gateway Load Balancer and Gateway Load Balancer endpoints for inserting third-party appliances transparently.AWS documentation on transit gateway appliance mode for preserving symmetric routing through network appliances., , ]

Question 2

A company uses a software package for surveys. During surveys, data is uploaded from a field operator's device to an Amazon S3 bucket. A custom application that runs on several Amazon EC2 instances polls the S3 bucket for new data. When new data is available, the software processes the data.

The data uploads are infrequent. The processing software can take up to 25 minutes to analyze each data upload. The company wants to optimize the application workflow to process the S3 data.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Modify the application to accept new S3 object keys as inputs. Containerize the application. Deploy the container to an Amazon ECS cluster that uses the AWS Fargate launch type. Configure S3 bucket notifications to send events to Amazon EventBridge when new objects are uploaded. Create an EventBridge rule that invokes an ECS task to run the application when a new S3 object event occurs.

Modify the application to accept new S3 object keys as inputs. Containerize the application. Deploy the container image to AWS Lambda functions. Create a new AWS Step Functions state machine to invoke the Lambda functions. Configure the state machine with a Task state that calls the Lambda functions. Set the Task state's Timeout property to 30 minutes.

Modify the application to accept new S3 object keys as inputs. Move the application from EC2 instances to Amazon ECS by using the EC2 capacity provider. Create an AWS Glue crawler to check the S3 bucket and invoke the application. Configure the application to process the data when the data is uploaded to Amazon S3.

Modify the application to use HTTP to poll new S3 object keys that reference data to process. Containerize the application. Deploy the container image to AWS Lambda functions. Configure S3 bucket notifications to send events to Amazon EventBridge when new objects are uploaded. Create an EventBridge rule that invokes the Lambda functions to post the new objects to HTTP endpoints by using fan-out.

Question 3

A company has a Windows-based desktop application that is packaged and deployed to the users' Windows machines. The company recently acquired another company that has employees who primarily use machines with a Linux operating system. The acquiring company has decided to migrate and rehost the Windows-based desktop application lo AWS.

All employees must be authenticated before they use the application. The acquiring company uses Active Directory on premises but wants a simplified way to manage access to the application on AWS (or all the employees.

Which solution will rehost the application on AWS with the LEAST development effort?

Options:

Set up and provision an Amazon Workspaces virtual desktop for every employee. Implement authentication by using Amazon Cognito identity pools. Instruct employees to run the application from their provisioned Workspaces virtual desktops.

Create an Auto Scarlet group of Windows-based Ama7on EC2 instances. Join each EC2 instance to the company's Active Directory domain. Implement authentication by using the Active Directory That is running on premises. Instruct employees to run the application by using a Windows remote desktop.

Use an Amazon AppStream 2.0 image builder to create an image that includes the application and the required configurations. Provision an AppStream 2.0 On-Demand fleet with dynamic Fleet Auto Scaling process for running the image. Implement authentication by using AppStream 2.0 user pools. Instruct the employees to access the application by starling browse'-based AppStream 2.0 streaming sessions.

Refactor and containerize the application to run as a web-based application. Run the application in Amazon Elastic Container Service (Amazon ECS) on AWS Fargate with step scaling policies Implement authentication by using Amazon Cognito user pools. Instruct the employees to run the application from their browsers.

Get Free SAP-C02 Questions and Answers

Spring Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

SAP-C02: AWS Certified Professional Exam 2025 Study Guide Pdf and Test Engine

Related Amazon Web Services Exams

AWS Certified Solutions Architect - Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce