CertsTopics Logo

Summer Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Ace Your ANS-C01 AWS Certified Specialty Exam

Page: 16 / 21
Total 290 questions
Get ANS-C01 Full Access Download ANS-C01 PDF

Amazon AWS Certified Advanced Networking - Specialty Questions and Answers

Question 61

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group.

In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.

How can the network engineer implement the required architecture?

Options:

A.

Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.

B.

Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.

C.

Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.

D.

During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Question 62

A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads.

The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs.

In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs. the development VPC. and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination.

Which combination of steps should the network engineer take next to complete this solution? (Select THREE.)

Options:

A.

Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.

B.

Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.

C.

Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.

D.

Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.

E.

Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and developmentVPC attachment to the new route table.

F.

Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.

Question 63

A company wants to implement a distributed architecture on AWS that uses a Gateway Load Balancer (GWLB) and GWLB endpoints.

The company has chosen a hub-and-spoke model. The model includes a GWLB and virtual appliances that are deployed into a centralized appliance VPC and GWLB endpoints. The model also includes internet gateways that are configured in spoke VPCs.

Which sequence of traffic flow to the internet from the spoke VPC is correct?

Options:

A.

1. An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.

2. Traffic is delivered securely and privately to the GWLB.

3. The GWLB sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

B.

1. An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.

2. Traffic is delivered securely and privately to the GWLB endpoint.

3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

C.

1. An application in a spoke VPC sends traffic to the GWLB endpoint.

2. Traffic is delivered securely and privately to the GWLB.

3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

D.

1. An application in a spoke VPC sends traffic to the GWLB.

2. Traffic is delivered securely and privately to the GWLB endpoint.

3. The GWLB sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

Question 64

A company needs to manage Amazon EC2 instances through command line interfaces for Linux hosts and Windows hosts. The EC2 instances are deployed in an environment in which there is

no route to the internet. The company must implement role-based access control for management of the instances. The company has a standalone on-premises environment.

Which approach will meet these requirements with the LEAST maintenance overhead?

Options:

A.

Set up an AWS Direct Connect connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and ACLs.

Connect to the instances by using the Direct Connect connection.

B.

Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance. Deploy VPC endpoints for Systems Manager Session Manager. Connect to the instances by

using Session Manager.

C.

Establish an AWS Site-to-Site VPN connection between the on-premises environment and the VPC where the instances are deployed. Configure routing, security groups, and

ACLs. Connect to the instances by using the Site-to-Site VPN connection.

D.

Deploy an appliance to the VPC where the instances are deployed. Assign a public IP address to the appliance. Configure security groups and ACLs. Connect to the instances by

using the appliance as an intermediary.

Page: 16 / 21
Total 290 questions
Get ANS-C01 Full Access Download ANS-C01 PDF