CertsTopics Logo

Weekend Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services ANS-C01 Actual Questions

Page: 9 / 21
Total 288 questions
Get ANS-C01 Full Access Download ANS-C01 PDF

Amazon AWS Certified Advanced Networking - Specialty Questions and Answers

Question 33

A company's network engineer is configuring an AWS Site-to-Site VPN connection between a transit gateway and the company's on-premises network. The Site-to-Site VPN connection is configured to use BGP over two tunnels in active/active mode with equal-cost multi-path (ECMP) routing activated on the transit gateway.

When the network engineer attempts to send traffic from the on-premises network to an Amazon EC2 instance, traffic is sent over the first tunnel. However, return traffic is received over the second tunnel and is dropped at the customer gateway. The network engineer must resolve this issue without reducing the overall VPN bandwidth.

Which solution will meet these requirements?

Options:

A.

Configure the customer gateway to use AS PATH prepending and local preference to prefer one tunnel over the other.

B.

Configure the Site-to-Site VPN options to set the first tunnel as the primary tunnel to eliminate asymmetric routing.

C.

Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.

D.

Configure the Site-to-Site VPN to use static routing in active/active mode to ensure that traffic flows over a preferred path.

Question 34

A company has critical VPC workloads that connect to an on-premises data center through two redundant active-passive AWS Direct Connect connections. However, a recent outage on one Direct Connect connection revealed that it takes more than a minute for traffic to fail over to the secondary Direct Connect connection. The company wants to reduce the failover time from minutes to seconds.

Which solution will provide the LARGEST reduction in the BGP failover time?

Options:

A.

Reduce the BGP hold-down timer that is configured on the BGP sessions on the Direct Connect connection VIFs.

B.

Configure an Amazon CloudWatch alarm for the Direct Connect connection state to invoke an AWS Lambda function to fail over the traffic.

C.

Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the AWS side.

D.

Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the on-premises router.

Question 35

A company has an AWS Site-to-Site VPN connection between AWS and its branch office. A network engineer is troubleshooting connectivity issues that the connection is experiencing. The VPN connection terminates at a transit gateway and is statically routed. In the transit gateway route table, there are several static route entries that target specific subnets at the branch office.

The network engineer determines that the root cause of the issues was the expansion of underlying subnet ranges in the branch office during routine maintenance.

Which solution will solve this problem with the LEAST administrative overhead for future expansion efforts?

Options:

A.

Determine a supernet for the branch office. In the transit gateway route table, add an aggregate route that targets the VPN attachment. Replace the specific subnet routes in the transit gateway route table with the new supernet route.

B.

Create an AWS Direct Connect gateway and a transit VIF. Associate the Direct Connect gateway with the transit gateway. Create a propagation for the Direct Connect attachment to the transit gateway route table.

C.

Create a dynamically routed VPN connection on the transit gateway. Connect the dynamically routed VPN connection to the branch office. Create a propagation for the VPN attachment to the transit gateway route table. Remove the existing static VPN connection.

D.

Create a prefix list that contains the new subnets and the old subnets for the branch office. Remove the specific subnet routes in the transit gateway route table. Create a prefix list reference in the transit gateway route table.

Question 36

A company has an internal web-based application that employees use. The company hosts the application over a VPN in the company's on-premises network. The application runs on a fleet of Amazon EC2 instances in a private subnet behind a Network Load Balancer (NLB) in the same subnet. The instances are in an Amazon EC2 Auto Scaling group.

During a recent security incident, SQL injection occurred on the application. A network engineer must implement a solution to prevent SQL injection attacks in the future.

Which combination of steps will meet these requirements? (Select THREE.)

Options:

A.

Create an AWS WAF web ACL that includes rules to block SQL injection attacks

B.

Create an Amazon CloudFront distribution. Specify the EC2 instances as the origin.

C.

Replace the NLB with an Application Load Balancer

D.

Associate the AWS WAF web ACL with the NLB.

E.

Associate the AWS WAF web ACL with the Application Load Balancer.

F.

Associate the AWS WAF web ACL with the Amazon CloudFront distribution.

Page: 9 / 21
Total 288 questions
Get ANS-C01 Full Access Download ANS-C01 PDF