AWS-Certified-Advanced-Networking-Specialty Free Practice Test

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company’s highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a “backdoor”, and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?

1. A. AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.
2. B. Direct Connect customers with a Public VIF in the same region could directly reach the router.
3. C. EC2 instances in the same region with access to the Internet could directly reach the router.
4. D. The S3 service could reach the router through a pre-configured VPC Endpoint.

Correct Answer: C
https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/

A company hosts several applications in the AWS Cloud across multiple VPCs that are connected to a transit gateway Redundant AWS Direct Connect connections and a Direct Connect gateway provide private network connectivity lo the company's on-premises environment
During a maintenance window, the networking team adds eight VPCs The application management team notices that there is no reachability between the newly created VPCs and the on-premises environment Connectivity between all VPCs through the transit gateway is working as expected.
Which of the following are possible causes of the connectivity issues? (Choose TWO)

1. A. The prefixes that are advertised from the Direct Connect gateway to the on-premises router are shorter than the CIDR blocks of the newly created VPCs
2. B. The route tables for the newly created
3. C. VPCs do not have the routes to the on-premises environment that point to the transit gateway attachment
4. D. The on-premises route tables do not contain the exact CIDR blocks of the newly created VPCs
5. E. The route tables (or the newly created VPCs have only summary routes for (he on-premises environment (fiat point to the transit gateway attachment.
6. F. The prefixes that are advertised from the Direct Connect gateway to the on-premises router do not contain the CIDR blocks of the newly created VPCs

Correct Answer: AD

A company has an application running on Amazon EC2 instances in a VPC The application must publish custom metrics to Amazon CloudWatch in the same AWS Region The metrics include proprietary information All connectivity must be over private IP addresses.
Which solution will meet these requirements'?

1. A. Connect to CloudWatch through a NAT gateway
2. B. Connect to CloudWatch through a gateway endpoint
3. C. Connect to CloudWatch through an internet gateway
4. D. Connect to CloudWatch through an interface endpoint

Correct Answer: D

A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another. Which approach will meet the technical and security requirements while minimizing costs?

1. A. Use the AWS IPsec VPN for the mobile, desktop, and partner VPN connection
2. B. Use network access control lists (Network ACLs) and security groups to maintain routing separation.
3. C. Use the AWS IPsec VPN for the partner VPN connection
4. D. Use an Amazon EC2 instance VPN for the mobile and desktop device
5. E. Use Network ACLs and security groups to maintain routing separation.
6. F. Create an AWS Direct Connect connection between on-premises and AWS Use a public virtual interface to connect to the AWS IPsec VPN for the mobile, desktop, and partner VPN connections.
7. G. Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connection
8. H. Use features of the VPN instance to limit routing and connectivity.

Correct Answer: D

A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC. Which of the following is the MOST reliable solution?

1. A. Create an inbound rule in the VPC's network ACL that matches the TCP por
2. B. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
3. C. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.
4. D. Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required por
5. E. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
6. F. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accesse
7. G. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

Correct Answer: A