AWS-Certified-Advanced-Networking-Specialty Free Practice Test

A company’s web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further request for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.
Which action should be taken to block more IP addresses, without compromising the existing security requirements?

1. A. Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.
2. B. Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.
3. C. Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.
4. D. Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.

Correct Answer: C

A company’s Network Engineering team is solely responsible for deploying VPC infrastructure using AWS CloudFormation. The company wants to give its Developers the ability to launch applications using CloudFormation templates so that subnets can be created using available CIDR ranges.
What should be done to meet these requirements?

1. A. Create a CloudFormation templates with Amazon EC2 resources that rely on cfn-init and cfn-signals to inform the stack of available CIDR ranges.
2. B. Create a CloudFormation template with a custom resource that analyzes traffic activity in VPC Flow Logs and reports on available CIDR ranges.
3. C. Create a CloudFormation template that references the Fn::Cidr intrinsic function within a subnet resource to select an available CIDR range.
4. D. Create a CloudFormation template with a custom resource that uses AWS Lambda and Amazon DynamoDB to manage available CIDR ranges.

Correct Answer: D

An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization's private IP address
What could cause this connectivity issue? (Choose two.)

1. A. The VGW is not advertising the correct CIDR range back on-premises.
2. B. The instance security group does not allow ICMP traffic.
3. C. A public virtual interface must be configured for Amazon EC2 connectivity.
4. D. The on-premises router is not advertising the correct CIDR range to AWS.
5. E. There is a misconfiguration of the bi-directional forwarding detection.

Correct Answer: BD

An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual network interface (VIF) per VPC.
Which of the following designs will minimize cost while allowing the organization to expand?

1. A. Order 10 new Direct Connect connections, one from each of the accounts that will be provisioned.Create private VIFs in each accoun
2. B. Attach one private VIF per VPC.
3. C. Create a public VIF on the Direct Connect connectio
4. D. Leverage the public VIF to create a VPN connection to each VPC.
5. E. Create hosted private VIFs in the existing accoun
6. F. Connect a private VIF to an AWS Direct Connect gateway in each accoun
7. G. Connect the gateway in each account to the VPCs.
8. H. Create a transit VPC in the existing account that consists of two routers in separate Availability Zones.Connect each VPC to the two routers in the transit VPC by using VPN.

Correct Answer: D
https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

A logistics company has deployed a hybrid environment that has multiple VPCs in both the us-east-1 Region and the af-south-1 Region The on-premises data center is connected to us-east-1 through an AWS Direct Connect connection The Direct Connect connection is connected to a Direct Connect gateway that is associated with a transit gateway The transit gateway is attached to all the VPCs in us-east-1
An application that is deployed in af-south-1 requires access to a database in the data center The application also requires access to file storage in a VPC in us-east-1
Which solution will meet these requirements with the LOWEST latency?

1. A. Create a transit gateway in af-south-1, and attach the VPCs Create a transit gateway peering connection between the transit gateways
2. B. Create a Direct Connect connection in af-south-1, and attach the VPCs with a Direct Connect gateway and a transit gateway Create an AWS Site-to-Site VPN connection over the internet between the Direct Connect connections.
3. C. Create a transit gateway in af-south-1 and attach the VPCs Associate the transit gateway in af-south-1 with the Direct Connect gateway tn us-east-1
4. D. Create inter-Region VPC peering connections between the VPCs in each Region Use the transit gateway attachments in us-east-1 to access the database in the data center

Correct Answer: A