AWS-Certified-Advanced-Networking-Specialty Free Practice Test

A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application.
A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups.
Which solution will meet these requirements?

1. A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuratio
2. B. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
3. C. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuratio
4. D. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
5. E. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuratio
6. F. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
7. G. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuratio
8. H. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

Correct Answer: D
Configuring an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration would enable evaluation of the compliance status of the security groups based on predefined or custom rules3. Creating an AWS Systems Manager Automation runbook to remediate noncompliant security groups would enable automation of the remediation process2. Additionally, configuring AWS Config to trigger the runbook when a noncompliant change is detected would enable timely and consistent remediation of security group changes.

An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

1. A. Use an internet connection.
2. B. Set up an AWS VPN connection.
3. C. Provision an AWS Direct Connection private virtual interface.
4. D. Provision a Direct Connect public virtual interface.

Correct Answer: A

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?

1. A. Deploy an Application Load Balancer with an HTTPS listene
2. B. Use path-based routing rules to forward the traffic to the correct target grou
3. C. Include the X-Forwarded-For request header with traffic to the targets.
4. D. Deploy an Application Load Balancer with an HTTPS listener for each domai
5. E. Use host-based routing rules to forward the traffic to the correct target group for each domai
6. F. Include the X-Forwarded-For request header with traffic to the targets.
7. G. Deploy a Network Load Balancer with a TLS listene
8. H. Use path-based routing rules to forward the traffic to the correct target grou
9. I. Configure client IP address preservation for traffic to the targets.
10. J. Deploy a Network Load Balancer with a TLS listener for each domai
11. K. Use host-based routing rules to forward the traffic to the correct target group for each domai
12. L. Configure client IP address preservation for traffic to the targets.

Correct Answer: A
An Application Load Balancer (ALB) can be used to route traffic to multiple target groups based on the URL in the request. The ALB can be configured with an HTTPS listener to ensure all traffic uses HTTPS. TLS processing can be offloaded to the ALB, which reduces the load on the web server. Path-based routing rules can be used to route traffic to the correct target group based on the URL in the request. The X-Forwarded-For request header can be included with traffic to the targets, which will allow the web server to know the user's IP address and keep accurate logs for security purposes.

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

1. A. The NAT gateway does not support UDP traffic.
2. B. The authentication server is not accepting traffic.
3. C. The NAT gateway cannot allocate more ports.
4. D. The NAT gateway is launched in a private subnet.

Correct Answer: C
Ref:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
"A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch."

A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the
authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name.
A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918.
Components of the application need to be able to access other components of the application within the application's VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries.
Which combination of steps will meet these requirements? (Choose three.)

1. A. Add a geoproximity routing policy in Route 53.
2. B. Create a Route 53 private hosted zone for the same domain name Associate the application’s VPC with the new private hosted zone.
3. C. Enable DNS hostnames for the application's VPC.
4. D. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.
5. E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs when AWS CloudTrail logs a Route 53 API call to the public hosted zon
6. F. Create an AWS Lambda function as the target of the rul
7. G. Configure the function to use the event information to update the privatehosted zone.
8. H. Add the private IP addresses in the existing Route 53 public hosted zone.

Correct Answer: BCD