Amazon ANS-C00 Exam Dumps

A gaming company is running an online multiplayer game in multiple AWS Regions The company needs traffic from its end users to be routed to the Region that is closest to the end users geographically When maintenance occurs in a Region, traffic must be routed to the next closest Region with no changes to the IP addresses being used as connections by the end users Which solution will meet these requirements?

A. Create an Amazon CloudFront distribution in front of all the Regions  
B. Use an Amazon Route 53 geoproximity routing policy to navigate traffic to the closest Region
C. Use an Amazon Route 53 geolocation routing policy to navigate traffic to the closest Region 
D. Configure AWS Global Accelerator in front of all the Regions  

Answer: A

A company is deploying a critical application on two Amazon EC2 instances in a VPC Failed client connections to the EC2 instances must be logged according to company policy. What is the MOST cost-effective solution to meet these requirements'?

A. Move the EC2 instances to a dedicated VPC Enable VPC Flow Logs with a filter on the deny action Publish the flow logs to Amazon CloudWatch Logs 
B. Move the EC2 instances to a dedicated VPC subnet Enable VPC Flow Logs for the subnet with a filter on the reject action Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket
C. Enable VPC Flow Logs, filtered for rejected traffic for the elastic network interfaces associated with the instances Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket 
D. Enable VPC Flow Logs, filtered for rejected traffic for the elastic network interfaces associated with the instances Publish the flow logs to Amazon CloudWatch Logs 

Answer: D

A company has a hybrid environment across its on-premises network and the AWS Cloud The company wants to use Amazon Elastic File System (Amazon EFS) to store and share data between on-premises services that are required to resolve DNS queries through onpremises DNS servers The company wants to use a custom domain name to connect to Amazon EFS The company also wants to avoid using the Amazon EFS target IP address. What should a network engineer do to meet these requirements?

A. Create an Amazon Route 53 Resolver outbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 public hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 public hosted zone
B. Create an Amazon Route 53 Resolver inbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver
C. Create an Amazon Route 53 Resolver outbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver
D. Create an Amazon Route 53 Resolver inbound endpoint and configure it for the VPC where Amazon EFS resides Create a Route 53 private hosted zone, and add a new PTR record with the value of the Amazon EFS DNS name Configure forwarding rules on the onpremises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone 

Answer: A

A company has a VPC in the us-west-1 Region and another VPC in the ap-southeast-2 Region Network engineers set up an AWS Direct Connect connection from their data center to the us-east-1 Region They create a private virtual interface (VIF) that references a Direct Connect gateway, which is then connected to virtual private gateways in both VPCs When the setup is complete, the engineers cannot access resources in us-west-1 from ap-southeast-2 What should the network engineers do to resolve this issued

A. Add the subnet range for the VPCs in us-west-1 and ap-southeast-2 to the route tables for both VPCs Add the Direct Connect gateway as a target 
B. Configure the Direct Connect gateway to route traffic between the VPCs in apsoutheast-2 and us-west-2 
C. Establish a VPC peering connection between the VPCs in ap-southeast-2 and us-west-2 Add the subnet ranges to the routing tables
D. Create static routes in each VPC that point to the destination VPC with the virtual private gateway as the route target 

Answer: A

A company's network engineer needs to evaluate and monitor DNS traffic The companyuses Amazon Route 53 as the DNS service for its public hosted zone All DNS queries mustbe captured for future analysisWhat should the network engineer do to meet these requirements?

A. Use AWS WAF to log information to Amazon CloudWatch Logs about the queries that Route 53 receives
B. Use VPC Flow Logs to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives 
C. Use Route 53 query logging to log information to Amazon CloudWatch Logs about the queries that Route 53 receives
D. Use AWS CloudTrail to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives 

Answer: A

A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers The company does not want to implement an access management solution that requires additional costs or effort. Which solution meets these requirements?

A. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC. and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.
B. Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VPC. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN endpoints at the same time to gain access to the resources.
C. Deploy a Network Load Balancer in front of the company resources. Set up security groups that contain the IP addresses of each of the user laptops. Instruct the users to connect to the application securely over TCP. 
D. Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC. and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to the Client VPN endpoint to gain access to the resources

Answer: B

An organization processes consumer information submitted through its website. The organization’s security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an iAM role. Which combination of services will support these requirement? (Select two.) 

A. Amazon Aurora in a private subnet
B. Amazon CloudFront using AWS Lambda@Edge
C. Customer-managed MySQL with Transparent Data Encryption
D. Application Load Balancer using HTTPS listeners and targets
E. AWS Key Management Services

Answer: B,E

A company wants to migrate its workloads to the AWS Cloud. The company has two web applications and wants to run them in separate, isolated VPCs. The company needs to use Elastic Load Balancing to distribute requests between application instances. For security reasons, internet gateways must not be attached to the application VPCs. Inbound HTTP requests to the application must be routed through a centralized VPC. and the application VPCs must not be exposed to any other inbound traffic The application VPCs cannot be allowed to initiate any outbound connections What should a network engineer do to meet these requirements?

A. Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private DNS names of the ALBs Configure host-based routing to route application traffic to the corresponding target group through the NLB. 
B. Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private IP addresses of the ALBs Configure host-based routing to route application traffic to the corresponding target group through the NLB. 
C. Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Create VPC peering connections between the application VPCs and the centralized VPC. Create a public Application Load Balancer (ALB) in the centralized VPC. Create target groups for the private DNS names of the NLBs. Configure host-based routing to route application traffic between individual applications though the ALB
D. Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Configure each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC Create target groups that include the private IP addresses of each endpoint. Create a public Application Load Balancer (ALB) in the centralized VPC. Configure host-based routing to route application traffic to the corresponding target group through the ALB.

Answer: D

A company uses an AWS Site-to-Site VPN to connect its corporate network The company recently added an AWS Direct Connect connection A network engineer wants all traffic to use the Direct Connect connection and for the VPN to be used as backup However after the Direct Connect connection was added traffic continued to pass through the VPN connection What should the network engineer do to route the traffic through the Direct Connect connection'?

A. Add routes to the VPC route tables that specify the Direct Connect connection  
B. Set local preference BGP community tags on the on-premises router  
C. Advertise the same network routes over the Direct Connect connection and VPN connection 
D. Ensure the Direct Connect connection AS_PATH is longer than the VPN connection AS_PATH 

Answer: C

A company has deployed a production environment in the AWS Cloud The environment is contained in a VPC and includes a virtual private gateway The company has established an AWS Direct Connect connection which includes a private virtual interface (VIF) and a VPN connection to the on-premises data center For traffic originating in the VPC what is the order of BGP path selection from MOST preferred to LEAST preferred?

A. Direct Connect BGP routes static routes longest prefix match, VPN BGP routes
B. Static routes longest prefix match Direct Connect BGP routes. VPN BGP routes
C. Longest prefix match static routes Direct Connect BGP routes VPN BGP routes
D. Longest prefix match VPN BGP routes, static routes. Direct Connect BGP routes

Answer: B

A company's application runs in a VPC and stores sensitive data in Amazon S3 The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3 The S3 bucket is located in the same AWS Region as the EC2 instances The company wants to ensure that this bucket can be accessed only from the VPC where the application resides Which changes should a network engineer make to the architecture to meet these requirements?

A. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet Configure the S3 security group to allow only the application instances to access the bucket
B. Deploy an S3 VPC endpoint in the VPC where the application resides Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint
C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket Allow access only from the VPC CIDR range, and deny all other IP address ranges
D. Create a new 1AM role for the EC2 instances that provides access to the S3 bucket and assign the role to the application instances Configure an S3 bucket policy to allow access only from the role

Answer: B