AWS-Certified-Advanced-Networking-Specialty Free Practice Test

A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets.
The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zones and EC2 instances. All connections from the same client session must be connected to the same EC2 instance. The company must provide
end-to-end encryption for all connections between the clients and the application by using the application SSL certificate.
Which solution will meet these requirements?

1. A. Create a Network Load Balance
2. B. Create a target grou
3. C. Set the protocol to TCP and the port to 443 for the target grou
4. D. Turn on session affinity (sticky sessions). Register the EC2 instances as target
5. E. Create a listene
6. F. Set the protocol to TCP and the port to 443 for the listene
7. G. Deploy SSL certificates to the EC2 instances.
8. H. Create an Application Load Balance
9. I. Create a target grou
10. J. Set the protocol to HTTP and the port to 80 for the target grou
11. K. Turn on session affinity (sticky sessions) with an application-based cookie polic
12. L. Register the EC2 instances as target
13. M. Create an HTTPS listene
14. N. Set the default action to forward to the target grou
15. O. Use AWS Certificate Manager (ACM) to create a certificatefor the listener.
16. P. Create a Network Load Balance
17. Q. Create a target grou
18. R. Set the protocol to TLS and the port to 443 for the target grou
19. S. Turn on session affinity (sticky sessions). Register the EC2 instances as target
20. T. Create a listene
21. . Set the protocol to TLS and the port to 443 for the listene
22. . Use AWS Certificate Manager (ACM) to create a certificate for the application.
23. . Create an Application Load Balance
24. . Create a target grou
25. . Set the protocol to HTTPS and the port to 443 for the target grou
26. . Turn on session affinity (sticky sessions) with an application-based cookie polic
27. . Register the EC2 instances as target
28. . Create an HTTP listene
29. . Set the port to 443 for the listene
30. . Set the default action to forward to the target group.

Correct Answer: A

A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware.
Which solution will meet this requirement with the LEAST operational effort?

1. A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
2. B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
3. C. Set up a Gateway Load Balance
4. D. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
5. E. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.

Correct Answer: A
This solution involves using Amazon GuardDuty to monitor network traffic and analyze DNS requests and VPC flow logs for suspicious activity. This will allow the company to identify when an application is spreading malware by monitoring the network traffic patterns associated with the instance. GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts and workloads. It requires minimal setup and configuration and can be integrated with other AWS services for automated remediation. This solution requires the least operational effort compared to the other options

A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Create a central egress VPC that has private NAT gateway
2. B. Connect all the VPCs to the central egress VPC by using AWS Transit Gatewa
3. C. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
4. D. Create a central shared services VP
5. E. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to acces
6. F. Ensure that private DNS is turned of
7. G. Connect all the VPCs to the central shared services VPC by using AWS Transit Gatewa
8. H. Create an Amazon Route 53 forwarding rule for each interface VPC endpoin
9. I. Associate the forwarding rules with all the VPC
10. J. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
11. K. Create a central shared services VPIn the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to acces
12. L. Ensure that private DNS is turned of
13. M. Connect all the VPCs to the central shared services VPC by using AWS Transit Gatewa
14. N. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manage
15. O. Associate the private hosted zones with all the VPC
16. P. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
17. Q. Create a central shared services VP
18. R. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to acces
19. S. Connect all the VPCs to the central shared services VPC by using AWS Transit Gatewa
20. T. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.

Correct Answer: B
Interface VPC endpoints enable private connectivity between VPCs and supported AWS serviceswithout requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection2. Interface VPC endpoints are powered by AWS PrivateLink, a technology that enables private access to AWS services2. Amazon S3 and AWS Systems Manager support interface VPC endpoin2ts. By turning off private DNS, the interface VPC endpoints can be accessed by using their private IP addresses2. By using Amazon Route 53 forwarding rules, DNS queries can be resolved to the interface VPC endpoints in the shared services VPC3.

A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring.
Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB.
What should the network engineer do next to determine which errors the ALB is receiving?

1. A. Send the logs to Amazon CloudWatch Log
2. B. Review the ALB logs in CloudWatch Insights to determine which error messages the ALB is receiving.
3. C. Configure the Amazon S3 bucket destinatio
4. D. Use Amazon Athena to determine which error messages the ALB is receiving.
5. E. Configure the Amazon S3 bucket destinatio
6. F. After Amazon CloudWatch Logs pulls the ALB logs from the S3 bucket automatically, review the logs in CloudWatch Logs to determine which error messages the ALB is receiving.
7. G. Send the logs to Amazon CloudWatch Log
8. H. Use the Amazon Athena CloudWatch Connector todetermine which error messages the ALB is receiving.

Correct Answer: B
Access logs is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logs for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logs at any time.https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

1. A. Use an internet connection.
2. B. Set up an AWS VPN connection.
3. C. Provision an AWS Direct Connection private virtual interface.
4. D. Provision a Direct Connect public virtual interface.

Correct Answer: A