Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Pass the Amazon Web Services AWS Certified Specialty ANS-C01 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam ANS-C01 Premium Access

View all detail and faqs for the ANS-C01 exam

Go to Exam

857 Students Passed

87% Average Score

92% Same Questions

Viewing page 4 out of 9 pages

Viewing questions 31-40 out of questions

Questions # 31:

A company securely connects resources that are in its VPC to a software as a service (SaaS) solution from a SaaS provider. The SaaS solution is hosted in the AWS Cloud and is powered by AWS PrivateLink. The company uses a PrivateLink endpoint to access the SaaS solution behind the SaaS provider's Network Load Balancer (NLB).

The company recently added a new Availability Zone and new subnets to its VPC. A network engineer is unable to deploy a new interface VPC endpoint for the SaaS solution in the new Availability Zone.

What is the cause of this problem?

Options:

The CIDR block of the new subnets conflicts with the SaaS provider's CIDR block.

The enableDnsHostnames attribute and enableDnsSupport attribute were not configured on the new subnets in the new Availability Zone.

The SaaS provider does not offer the solution in the new Availability Zone and has not configured cross-zone load balancing for the NLB.

The new subnets are missing a route to the VPC internet gateway.

Questions # 32:

A company has an AWS Site-to-Site VPN connection between AWS and its branch office. A network engineer is troubleshooting connectivity issues that the connection is experiencing. The VPN connection terminates at a transit gateway and is statically routed. In the transit gateway route table, there are several static route entries that target specific subnets at the branch office.

The network engineer determines that the root cause of the issues was the expansion of underlying subnet ranges in the branch office during routine maintenance.

Which solution will solve this problem with the LEAST administrative overhead for future expansion efforts?

Options:

Determine a supernet for the branch office. In the transit gateway route table, add an aggregate route that targets the VPN attachment. Replace the specific subnet routes in the transit gateway route table with the new supernet route.

Create an AWS Direct Connect gateway and a transit VIF. Associate the Direct Connect gateway with the transit gateway. Create a propagation for the Direct Connect attachment to the transit gateway route table.

Create a dynamically routed VPN connection on the transit gateway. Connect the dynamically routed VPN connection to the branch office. Create a propagation for the VPN attachment to the transit gateway route table. Remove the existing static VPN connection.

Create a prefix list that contains the new subnets and the old subnets for the branch office. Remove the specific subnet routes in the transit gateway route table. Create a prefix list reference in the transit gateway route table.

Questions # 33:

A company is using a shared services VPC with two domain controllers. The domain controllers are deployed in the company's private subnets. The company is deploying a new application into a new VPC in the account. The application will be deployed onto an Amazon EC2 for Windows Server instance in the new VPC. The instance must join the existing Windows domain that is supported by the domain controllers in the shared services VPC.

A transit gateway is attached to both the shared services VPC and the new VPC. The company has updated the route tables for the transit gateway, the shared services VPC, and the new VPC. The security groups for the domain controllers and the instance are updated and allow traffic only on the ports that are necessary for domain operations. The instance is unable to join the domain that is hosted on the domain controllers.

Which combination of actions will help identify the cause of this issue with the LEAST operational overhead? (Choose two.)

Options:

Use AWS Network Manager to perform a route analysis for the transit gateway network. Specify the existing EC2 instance as the source. Specify the first domain controller as the destination. Repeat the route analysis for the second domain controller.\

Use port mirroring with the existing EC2 instance as the source and another EC2 instance as the target to obtain packet captures of the connection attempts.

Review the VPC flow logs on the shared services VPC and the new VPC.

Issue a ping command from one of the domain controllers to the existing EC2 instance.

Ensure that route propagation is turned off on the shared services VPC.

Questions # 34:

Two companies are merging. The companies have a large AWS presence with multiple VPCs and are designing connectivity between their AWS networks. Both companies are using AWS Direct Connect with a Direct Connect gateway. Each company also has a transit gateway and multiple AWS Site-to-Site VPN connections from its transit gateway to on-premises resources. The new solution must optimize network visibility, throughput, logging, and monitoring.

Which solution will meet these requirements?

Options:

Configure a Site-to-Site VPN connection between each company's transit gateway to establish reachability between the respective networks. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use VPC Reachability Analyzer to monitor connectivity.

Configure transit gateway peering between each company's transit gateway Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use VPC Reachability Analyzer to monitor connectivity.

Configure transit gateway peering between each company's transit gateway. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use AWS Transit Gateway Network Manager to monitor the transit gateways, their respective connections, and the transit gateway peering link.

Questions # 35:

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.

Which configuration change should a network engineer implement to resolve this issue?

Options:

Configure the NAT gateway timeout to allow connections for up to 600 seconds.

Enable enhanced networking on the client EC2 instances.

Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.

Close idle TCP connections through the NAT gateway.

Questions # 36:

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

Options:

Use a Network Load Balancer to automatically preserve the source IP address.

Use a Network Load Balancer and enable the X-Forwarded-For attribute.

Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.

Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

Questions # 37:

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.

The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.

Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

Options:

Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.

Set up AWS WAF on all network components.

Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.

Use AWS Direct Connect with MACsec support for connectivity to the cloud.

Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.

Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Questions # 38:

A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment

has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS

Organizations through AWS Resource Access Manager (AWS RAM).

A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization.

The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a

VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

Options:

Deploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts

to provision the necessary network infrastructure.

Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.

Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS

Service Catalog product to the shared services account.

Deploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower

CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.

Create an AWSControlTowerBlueprintAccess role in the shared services account.

Create an AWSControlTowerBlueprintAccess role in each member account.

Answer

A, C, D

Explanation

The correct answer is A, C, and D. These steps will meet the requirements with the least operational overhead because:

•Step A will deploy an AWS Lambda function to the shared services account that can automate the network infrastructure provisioning in each member account by assuming a role with the necessary permissions.

•Step C will create an AWS CloudFormation template that describes the VPC and the transit gateway attachment for each account. This template can be uploaded as an AWS Service Catalog product to the shared services account, which can be used by the AWS Lambda function to create the network resources in each member account.

•Step D will deploy an Amazon EventBridge rule on a default event bus in the shared services account that can react to AWS Control Tower lifecycle events, such as creating a new managed account. This rule can invoke the AWS Lambda function to provision the network infrastructure in the new account.

The other steps are incorrect because:

•Step B will update the existing accounts with an Account Factory Customization (AFC), which is a feature of AWS Control Tower that allows you to customize the account creation process with AWS CloudFormation templates. However, this step will not automate the network infrastructure provisioning for the existing accounts, as it only applies to the new accounts created through the Account Factory. Moreover, this step will require additional operational overhead to maintain the AFC templates and products.

•Step E will create an AWSControlTowerBlueprintAccess role in the shared services account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the shared services account. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products directly without using this role.

•Step F will create an AWSControlTowerBlueprintAccess role in each member account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the member accounts. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products in the shared services account without using this role.

A company ran out of IP address space in one of the Availability Zones in an AWS Region that the company uses. The Availability Zone that is out of space is assigned the

10.10.1.0/24 CIDR block. The company manages its networking configurations in an AWS CloudFormation stack. The company's VPC is assigned the 10.10.0.0/16 CIDR

block and has available capacity in the 10.10.1.0/22 CIDR block.

How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?

A.Update the AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.

B.Update the AWS :: EC2 :: VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.

C.Copy the CloudFormation stack. Set the AWS :: EC2 :: VPC resource CidrBlock property to 10.10.0.0/16. Set the AWS :: EC2 :: Subnet resource CidrBlock property to 10.10.1.0/22 for the Availability Zone.

D.Create a new AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0/24.

Answer: D

Questions # 39:

A company hosts application servers on premises and on Amazon EC2 instances in a VPC. The application servers access data that is hosted in an Amazon S3 bucket through the public internet. The EC2 instances in the VPC use an AWS Site-to-Site VPN for connectivity with the on-premises application servers.

New company regulations state that all traffic between the application servers and the S3 bucket must remain private and must not use public IP addresses.

Which solution will meet these requirements MOST cost-effectively?

Options:

Configure an S3 gateway endpoint Modify the route table with the appropriate route for the endpoint. Access the S3 bucket through the gateway endpoint from the EC2 instances.

Configure an S3 interface endpoint. Update the on-premises servers and EC2 instances to use the interface endpoint DNS name to access the S3 bucket.

Configure an S3 interface endpoint. Update the on-premises servers to use the interface endpoint DNS name to access the S3 bucket. Configure an S3 gateway endpoint. Modify the route table so that the EC2 instances use the gateway endpoint.

Configure an S3 gateway endpoint. Modify the route table with the appropriate route for the endpoint. Use an S3 bucket policy to restrict access to the gateway endpoint. Configure a proxy server fleet behind a Network Load Balancer in the VPC so that the on-premises servers can access the S3 bucket.

Questions # 40:

A company is building a new workload on AWS that uses an Application Load Balancer (ALB) The company has configured a new ALB target group that uses slow start mode. A team begins registering Amazon EC2 Instances as targets in the new target group. During testing, the team observes that the targets did not enter slow start mode.

What caused the targets to not enter slow start mode?