Amazon ANS-C01 Sample Questions

Question # 81

A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway. In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0.
C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.
E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch. Associate the new security group with the endpoint network interfaces.
F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.


Question # 82

A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud. Which solution will meet these requirements with the HIGHEST availability? 

A. Set up an Amazon CloudFront distribution with origin failover. Create an origin group for each Region where the solution is deployed. 
B. Set up Route 53 latency-based routing. Add latency alias records. For the latency alias records, set the value of Evaluate Target Health to Yes. 
C. Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health checks.
D. Set up Bring Your Own IP (BYOIP) addresses. Use the same IP addresses for each Region where the solution is deployed.


Question # 83

A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs. The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection. Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones. What should a network engineer do to resolve this issue?

A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing. 
B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support. 
C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support. 
D. Modify the transit gateway by selecting multicast support.


Question # 84

A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.) 

A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS. 
B. The security group is blocking traffic to the IP address range used by Amazon SQS.
C. There is no interface VPC endpoint configured for Amazon SQS.
D. The network ACL is blocking return traffic from Amazon SQS.
E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.


Question # 85

A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone for aws.example.com to host the VPC resources. The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. The company's on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in the VPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the on-premises data center. The company has decided to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints. Which combination of steps should a network engineer take to make this replacement? (Choose three.)

A. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the outbound endpoint. 
B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
C. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.
D. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the inbound endpoint. 
E. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.
F. Configure the on-premises DNS resolver to forward aws.example.com queries to the IP addresses of the outbound endpoint.


Question # 86

A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB). The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128.0/17. A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments. Which solution will meet these requirements?

A. Create a VPC peering connection between the web service VPC and the existing production VPC. Add a routing rule to the appropriate route table to allow data to flow to 192.168.224.0/19 from the existing production environment and to flow to 192.168.128.0/17 from the web service environment. Configure the relevant security groups and ACLs to allow the systems to communicate.
B. Ask the development team of the web service to redeploy the web service into the production VPC and integrate the systems there.
C. Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the web service. Create an interface VPC endpoint for the web service in the existing production VPC.
D. Create a transit gateway in the existing production environment. Create attachments to the production VPC and the web service VPC. Configure appropriate routing rules in the transit gateway and VPC route tables for 192.168.224.0/19 and 192.168.128.0/17. Configure the relevant security groups and ACLs to allow the systems to communicate.


Question # 87

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway. The instance has a security group configured to allow as follows: Protocol: TCP, Port: 80 inbound; nothing outbound. The Network ACL for the subnet is configured to allow as follows: Protocol: TCP, Port: 80 inbound; nothing outbound. When you try to browse to the web server, you receive no response. Which additional step should you take to receive a successful response?

A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80.
B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535.
C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80.
D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535.


Question # 88

A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS. A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem. Which solution will meet these requirements?

A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps. 
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection. 
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.


Question # 89

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?

A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.
C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets. 
D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.


Question # 90

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement? 

A. Change the ALB security policy to a policy that supports the TLS 1.2 protocol only.
B. Use AWS Key Management Service (AWS KMS) to encrypt session keys.
C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS).
D. Change the ALB security policy to a policy that supports forward secrecy (FS).

