AWS-Certified-Advanced-Networking-Specialty Free Practice Test

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

1. A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listener
2. B. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
3. C. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listener
4. D. Create an AWS Global Accelerator accelerator in front of the NLUse Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
5. E. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listener
6. F. Create an AWS Global Accelerator accelerator in front of the AL
7. G. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator
8. H. Place the EC2 instances behind an Amazon CloudFront distributio
9. I. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Correct Answer: B

A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.
In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

1. A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
2. B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0
3. C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
4. D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitorin
5. E. Associate the new security group with the endpoint network interfaces.
6. F. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch.Associate the new security group with the endpoint network interfaces.
7. G. Associate the VPC endpoint or endpoints with route tables that the private subnets use.

Correct Answer: BDF

A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer.
Which architecture will meet these requirements MOST cost-effectively?

1. A. Deploy a Gateway Load Balancer with the firewall appliances as target
2. B. Configure the firewall appliances with a single network interface in a private subne
3. C. Use a NAT gateway to send the traffic to the internet after inspection.
4. D. Deploy a Gateway Load Balancer with the firewall appliances as target
5. E. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subne
6. F. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
7. G. Deploy a Network Load Balancer with the firewall appliances as target
8. H. Configure the firewall appliances with a single network interface in a private subne
9. I. Use a NAT gateway to send the traffic to the internet after inspection.
10. J. Deploy a Network Load Balancer with the firewall appliances as target
11. K. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subne
12. L. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.

Correct Answer: B

A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification update metadata in DynamoDB and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?

1. A. Place the EC2 instances in a public subne
2. B. Disable the Auto-assign Public IP option while launching the EC2 instance
3. C. Create an internet gatewa
4. D. Attach the internet gateway to the VP
5. E. In the public subnet's route table, add a default route that points to the internet gateway.
6. F. Place the EC2 instances in a private subne
7. G. Create a NAT gateway in a public subnet in the same Availability Zon
8. H. Create an internet gatewa
9. I. Attach the internet gateway to the VP
10. J. In the public subnet's route table, add a default route that points to the internet gateway
11. K. Place the EC2 instances in a private subne
12. L. Create an interface VPC endpoint for Amazon SQ
13. M. Create gateway VPC endpoints for Amazon S3 and DynamoDB.
14. N. Place the EC2 instances in a private subne
15. O. Create a gateway VPC endpoint for Amazon SQS.Create interface VPC endpoints for Amazon S3 and DynamoDB.

Correct Answer: C

A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application
Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80.
When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges.
Which solution will meet these requirements in the MOST operationally efficient manner?

1. A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be update
2. B. Update the DynamoDB table with the new IP address range when the company adds a new partne
3. C. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security group
4. D. Deploy this solution in all accounts.
5. E. Create a new prefix lis
6. F. Add all allowed IP address ranges to the prefix lis
7. G. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix lis
8. H. Deploy this solution in all accounts.
9. I. Create a new prefix lis
10. J. Add all allowed IP address ranges to the prefix lis
11. K. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address rang
12. L. Update the prefix list with the new IP address range when the company adds a new partner.
13. M. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be update
14. N. Update the S3 bucket with the new IP address range when the company adds a new partne
15. O. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security group
16. P. Deploy this solution in all accounts.

Correct Answer: C
Creating a new prefix list and adding all allowed IP address ranges to the prefix list would enable grouping of CIDR blocks that can be referenced in security group rules3. Sharing the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM)would enable central management of the partner network IP address ranges5. Updating security groups to use the prefix list instead of the partner IP address range would enable simplification of security group rules3. Updating the prefix list with the new IP address range when the company adds a new partner would enable automatic propagation of the changes to all security groups that use the prefix list3.