| PDF + Test Engine |
|
||
| Test Engine |
|
||
|
|
Here are Amazon ANS-C01 PDF available features:
| 290 questions with answers | Updation Date : 16 Jul, 2026 |
| 1 day study required to pass exam | 100% Passing Assurance |
| 100% Money Back Guarantee | Free 3 Months Updates |
A company is replatforming a legacy data processing solution to AWS. The company deploys the solution on Amazon EC2 Instances in private subnets that are in one VPC. The solution uses Amazon S3 for abject storage. Both the data that the solution processes and the data the solution produces are stored in Amazon S3. The solution uses Amazon DynamoDB to save its own state. The company collects flow logs for the VPC. The solution uses one NAT gateway to register its license through the internet. A software vendor provides a specific hostname so the solution can register its license. The company notices that the AWS bill exceeds the projected budget for the solution. A network engineer uses AWS Cost Explorer to investigate the bill. The network engineer notices that the USE2- NatGateway-Bytes($) usage type is the root cause of the higher than expected bill. What should the network engineer do to resolve the issue? (Choose two.)
A.Set up Amazon VPC Traffic Mirroring. Analyze the traffic to identify the traffic that the NAT gatewayprocesses.
B.Examine the VPC flow logs to identity the traffic that traverses the NAT gateway.
C.Set up an AWS Cost and Usage Report in the AWS Billing and Cost Management console. Examinethe report to find more details about the NAT gateway charges.
D.Verify that the security groups attached to the EC2 instances allow outgoing traffic only to the IPaddresses that the hostname resolves to, the VPC CIDR block, and the AWS IP address ranges forAmazon S3 and DynamoDB
E.Verify that the gateway VPC endpoints for Amazon S3 and DynamoDB are both set up andassociated with the route tables of the private subnets.
A company has VPCs across 50 AWS accounts and is using AWS Organizations. The company wants to implement web filtering. The requirements for how the traffic must be filtered are the same for all the VPCs. A network engineer plans to use AWS Network Firewall. The network engineer needs to implement a solution that minimizes the number of firewall policies and rule groups that are necessary for this web filtering. Which combination of steps will meet these requirements? (Choose three.)
A.Create a firewall policy or rule group in each account.
B.Use SCPs to share the firewall policy or rule group.
C.Create a firewall policy or rule group in the management account
D.Use AWS Resource Access Manager (AWS RAM) to share the firewall policy or rule group.
E.Enable sharing within Organizations.
F.Create OUs to share the firewall policy or rule group.
A company has two on-premises data centers. The first data center is in the us-east-1 Region. The Second data canter is in the us-east-2 Region. Each data center connects to the closest AWS Direct
Connect facility. The company uses Direct Connect connections, transit VIFs, and a single Direct Connect gateway to establish connectivity to VPCs in us-east-1 and us-east-2 from the companys data centers. The company also has private connectivity from a telecommunications provider that connects the first data center to the second data center. Recently, there have been multiple connection disruptions to the private connectivity between the data centers. The company needs a solution to improve the reliability of the connection between the two data centers. Which solution will meet these requirements?
A.Create a new Direct Connect gateway. Enable the Direct Connect SiteLink feature on the transitVIF. Share the CIDR blocks from the first data center and the second data center with each other.
B.Create a new public VIF to both Regions. Enable the Direct Connect SiteLink feature on the newpublic VIF.
C.Enable the Direct Connect SiteLink feature on the existing Direct Connect connections.
D.Enable the Direct Connect SiteLink feature on the existing transit VIFS that are attached to theexisting Direct Connect gateway.
A company needs to protect against potential botnet command and control traffic from any Amazon EC2 instances that is in in the companys AWS Environment. Which solution will meet these requirements?
A.Use AWS Shield Advanced. Activate Shield Advanced protections on the EC2 instances to filter andblock botnet traffic.
B.Use Amazon Route 53 Resolver DNS Firewall. Add a rule to a rule group to use theAWSManagedDomainsBotnetCommandandControl managed domain list with an action to blockbotnet traffic
C.Use AWS WAF Bot Control. Configure a managed rule group that uses an AWS managed rule set toblock botnet traffic.
C.Use AWS WAF Bot Control. Configure a managed rule group that uses an AWS managed rule set toblock botnet traffic.
A company has deployed an application in which the front end of the application communicates with the backend instances through a Network Load Balancer (NLB) in the same VPC. The application is highly available across two Availability Zones. The company wants to limit the amount of traffic that travels across the Availability Zones. Traffic from the front end of the application must stay in the same Availability Zone unless there is no healthy target in that Availability Zone behind the NLB. If there is no healthy target in the same Availability Zone, traffic must be sent to the other Availability Zone. Which solution will meet these requirements
A.Create a private hosted zone with weighted routing for each Availability Zone. Point the primaryrecord to the local Availability Zone NLB DNS record. Point the secondary record to the Regional NLBDNS record. Configure the front end of the application to perform DNS lookups on the local privatehosted zone records.
B.Turn off cross-zone load balancing on the NLB. Configure the front end of the application toperform DNS lookups on the local Availability Zone NLB DNS record.
C.Create a private hosted zone. Create a failover record for each Availability Zone. For eachfailover record, point the primary record to the local Availability Zone NLB DNS record and pointthe secondary record to the Regional NLB DNS record. Configure the front end of the application toperform DNS lookups on the local private hosted zone records.
D.Enable sticky sessions (session affinity) so that the NLB can bind a users session to targets in thesame Availability Zone.
A company has a highly available application that is hosted in multiple VPCs and in two on-premises data centers. All the VPCs reside in the same AWS Region. All the VPCs require access to each other and to the on-premises data centers for the transfer of files that are multiple gigabytes in size. A network engineer is designing an AWS Direct Connect solution to connect the on-premises data centers to each VPC.
Which architecture will meet the company's requirements with the LEAST operational overhead?
A.Configure a virtual private gateway and a private VIF in each VPC in the Region. Configure a DirectConnect gateway. Associate the VIF of every VPC with the Direct Connect gateway. Create a newprivate VIF that connects the Direct Connect gateway to each on-premises data center. Configure thenew private VIF to exchange BGP routes with the on-premises data centers and to have an MTU of9001. Use VPC peering between each VPC. Configure static routing in each VPC to provide inter-VPCrouting.
B.Configure a virtual private gateway and a private VIF in each VPC in the Region. Configure a DirectConnect gateway. Associate the VIF of every VPC with the Direct Connect gateway. Create a newprivate VIF that connects the Direct Connect gateway to each on-premises data center. Configure thenew private VIF to exchange BGP routes with the on-premises data centers and to have an MTU of8500. Use VPC peering between each VPC. Configure static routing in each VPC to provide inter-VPCrouting.
C.Configure a transit gateway in the same Region of each VPC. Attach each VPC to the transitgateway. Configure a Direct Connect gateway. Associate the Direct Connect gateway with the transitgateway. Associate a new transit VIF with each Direct Connect connection. Configure the new transitVIF to exchange BGP routes and to have an MTU of 9001. Configure route propagation betweeneach VPC and the transit gateway.
D.Configure a transit gateway in the same Region of each VPC. Attach each VPC to the transitgateway. Configure a Direct Connect gateway. Associate the Direct Connect gateway with the transitgateway. Associate a new transit VIF with each Direct Connect connection. Configure the new transitVIF to exchange BGP routes and to have an MTU of 8500. Configure route propagation between eachVPC and the transit gateway.
A company is migrating an application to the AWS Cloud. The company has successfully provisioned and tested connectivity between AWS Direct Connect and the company's on-premises data center. The application runs on Amazon EC2 instances across multiple Availability Zones. The instances are in an Auto Scaling group. The application communicates through HTTPS to a third-party vendor's data service that is hosted at the companys data center. The data service implements a static ACL through explicit allow listing of client IP addresses. A network engineer must design a network solution so that the migrated application can continue to access the vendors data service as the application scales. Which solution will meet these requirements with the LEAST amount of ongoing change to the vendor's allow list?
A.Configure a private NAT gateway in the subnets for each Availability Zone that the application runsin. Configure the application to target the NAT gateways instead of the data service directly. Updatethe data service's allow list to include the IP addresses of the NAT gateways.
B.Configure an elastic network interface in the subnets for each Availability Zone that the applicationruns in. Associate the elastic network interfaces with the Auto Scaling group for the application.Update the data service's allow list to include the IP addresses of the elastic network interfaces.
C.Configure an elastic network interface in the subnets for each Availability Zone that the applicationruns in. Launch an EC2 instance into each subnet. Attach the respective elastic network interfaces tothe new EC2 instances. In the application subnet route tables, configure the new EC2 instances as thenext destination for the data service. Update the data services allow list to include the IP addressesof the elastic network interfaces.
D.Configure an Application Load Balancer (ALB) in the subnets for each Availability Zone that theapplication runs in. Configure an ALB-associated target group that contains a target that uses the IPaddress for the data service. Configure the application to target the ALB instead of the data servicedirectly. Update the data service's allow list to include the IP addresses of the ALBs.
A company has developed a web service for language translation. The web service's application runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) and are deployed in a private subnet. The web service can process requests that contain hundreds of megabytes of data. The company needs to give some customers the ability to access the web service. Each customer has its own AWS account. The company must make the web service accessible to approved customers without making the web service accessible to all customers. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)
A.Create VPC peering connections with the approved customers only.
B.Create an AWS PrivateLink endpoint service. Configure the endpoint service to require acceptancethat will be granted to approved customers only.
C.Configure an authentication action for the endpoint service's load balancer to allow customers tolog in by using their AWS credentials. Provide only approved customers with the URL.
D.Configure a Network Load Balancer (NLB) and a listener with the ALB as a target. Associate theNLB with the endpoint service.
E.Associate the ALB with the endpoint service.
Company A recently acquired Company B. Company A has a hybrid AWS and on-premises environment that uses a hosted AWS Direct Connect connection, a Direct Connect gateway, and a transit gateway. Company A has a transit VIF to access the resources in its production environment in the us-east-1 Region. Company B has applications that run across multiple VPCs in the us-west-2 Region in a single AWS account. A transit gateway connects all Company B's application VPCs. The CIDR blocks for both companies do not overlap. Company A needs to use the existing Direct Connect connection to access Company Bs applications from the on-premises environment. Which solution will meet these requirements?
A.Create a new Direct Connect gateway in the Company B account. Associate the Company B transitgateway with the new Direct Connect gateway. Create a transit VIF on the existing hosted connectionfor Company B.
B.Create an association proposal from the Company B account to associate the Company B transitgateway with the Company A Direct Connect gateway. Accept the transit gateway associationproposal by logging into the Company A account
C.Create multiple virtual private gateways. Attach the virtual private gateways to each of CompanyB's application VPCs. Create a hosted private VIF for each virtual private gateway.
D.Create a new Direct Connect gateway in the Company B account. Associate the Company B transitgateway with the new Direct Connect gateway. Create a hosted private VIF for Company B.
An international company wants to implement a multi-site hybrid infrastructure. The company wants to deploy its cloud computing resources on AWS in the us-east-1 Region and in the eu-west-2 Region, and in on-premises data centers in the United States (US) and in the United Kingdom (UK). The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through BGP. The company wants to have two AWS Direct Connect connections, one each in the US and the UK. The company expects to have 15 VPCs in each Region with CIDR blocks that do not overlap with each other or with CIDR blocks of the on-premises environment. The VPC CIDR blocks are planned so that the prefix aggregation can be performed both on a Regional level and across the entire AWS environment. The company will deploy a transit gateway in each Region to connect the VPCs. A network engineer plans to use a Direct Connect gateway in each Region. A transit VIF will attach the Direct Connect gateway in each Region to the transit gateway in that Region. The transit gateways will be peered with each other. The network engineer wants to ensure that traffic follows the shortest geographical path from source to destination. Traffic between the on-premises data centers and AWS must travel across a local Direct Connect connection. Traffic between the US data center and eu-west-2 and traffic between the UK data center and us-east-1 must use the private WAN connection to reach the Direct Connect connection to the appropriate Region when the Direct Connect connection is available. The network must be resilient to failures in either the private WAN connection or with the Direct Connect connections. The network also must reroute traffic automatically in the event of any failure. How should the network engineer configure the transit VIF associations on the Direct Connect gateways to meet these requirements?
A.Advertise only the aggregate route for the company's entire AWS environment.
B.Advertise VPC-specific CIDR prefixes from only the local Region. Additionally, advertise theaggregate route for the companys entire AWS environment.
C.Advertise all the specific VPC CIDR blocks from both Regions.
D.Advertise both Regional aggregate prefixes. Configure custom BGP communities on the routesadvertised toward the data center.