
Updated Dec-2023 Premium AWS-Advanced-Networking-Specialty Exam Engine pdf - Download Free Updated 156 Questions
Authentic AWS-Advanced-Networking-Specialty Dumps With 100% Passing Rate Practice Tests Dumps
The AWS-Advanced-Networking-Specialty certification exam covers a wide range of topics that are essential for advanced networking professionals. These topics include designing and implementing hybrid IT network architectures, AWS Direct Connect and VPN connections, network segmentation using VPCs, network security, and network performance optimization. The AWS Certified Advanced Networking Specialty (ANS-C00) certification exam is designed to test the knowledge and skills of candidates in these areas.
Holding an AWS-Advanced-Networking-Specialty certification can be beneficial for networking professionals who want to advance their careers and demonstrate their expertise in designing and implementing complex networking solutions on the AWS platform. The AWS Certified Advanced Networking Specialty (ANS-C00) certification can also be useful for organizations that want to ensure that their networking professionals have the skills and knowledge required to design and manage advanced AWS networking environments.
NEW QUESTION # 22
A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?
- A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
- B. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
- C. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.
- D. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
Answer: C
Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
NEW QUESTION # 23
You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?
- A. The inbound security group is blocking the traffic.
- B. The outbound network access control list is blocking the traffic.
- C. The inbound network access control list is blocking the traffic.
- D. The outbound security group is blocking the traffic.
Answer: D
NEW QUESTION # 24
Imagine you are using AWS Direct Connect with just one connection from your router to the AWS Direct Connect router. If your connection becomes unavailable, the communication with AWS cloud is lost. What is the best method to prevent this from happening?
- A. AWS Direct Connect recommends having the same configuration set up across multiple Availability Zones to prevent such a loss of connectivity.
- B. AWS Direct Connect provides neither BGP nor failover.
- C. AWS Direct Connect does not have a provision to prevent this situation, but when you design the system it is recommended to request a backup instance to which the traffic can be re-routed.
- D. AWS Direct Connect recommends that you request and configure two dedicated connections to AWS either using BGP Multipath (Active/Active) connection or the failover (Active/Passive) connection.
Answer: D
Explanation:
When configuring redundant connections with AWS Direct Connect, and to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS.
There are different configuration choices available when you provision two dedicated connections. You can use either an Active/Active (BGP multipath) configuration or an Active/Passive (failover) configuration for the two dedicated connections.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantConnections
NEW QUESTION # 25
A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor. A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed.
The interim solution has worked for several weeks. However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from cloudfront." Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.
What is the likely cause of the error, and what is the solution?
- A. The SSL certificate on the legacy web application server has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server.
- B. The SSL certificate on the CloudFront distribution has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to replace the SSL certificate in the CloudFront distribution with a new certificate.
- C. The SSL certificate on the legacy web application server has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to create a new SSL certificate. Export the public and private keys, and install the certificate on the legacy web application.
- D. The origin access identity is not correct. Edit the CloudFront distribution and update the identity in the origins settings.
Answer: A
Explanation:
https://forums.aws.amazon.com/thread.jspa?threadID=156568
NEW QUESTION # 26
You are deploying a web application in a VPC that requires SSL mutual authentication with a client-side, smartcard-stored certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application.
Which load balancer protocol should you select for this application?
- A. TCP
- B. HTTP
- C. HTTPS
- D. SSL
Answer: A
Explanation:
An ELB Classic Load Balancer cannot validate a client-side certificate, so the connection must be passed through as plain TCP on port 443 so that the EC2 instance handles the validation.
NEW QUESTION # 27
The Web Application Development team is worried about malicious activity from 200 random IP addresses.
Which action will ensure security and scalability from this type of threat?
- A. Use inbound network ACL rules to block the IP addresses.
- B. Write iptables rules on the instance to block the IP addresses.
- C. Use AWS WAF to block the IP addresses.
- D. Use inbound security group rules to block the IP addresses.
Answer: C
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
NEW QUESTION # 28
A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connections. You configure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.
What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?
- A. Attach the virtual private gateway to a VPC and enable route propagation.
- B. Change the BGP advertisements from the corporate network to only be a default route.
- C. Filter the public IP prefixes on the corporate network from the private virtual interface.
- D. Attach the second virtual interface to an alternative virtual private gateway.
Answer: B
Explanation:
https://aws.amazon.com/es/premiumsupport/knowledge-center/virtual-interface-bgp-down/
NEW QUESTION # 29
An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the 'Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  OriginatingVPCId:
    Type: String
  RemoteVPCId:
    Type: String
  RemoteVPCAccountId:
    Type: String
Resources:
  newVPCPeeringConnection:
    Type: 'AWS::EC2::VPCPeeringConnection'
    Properties:
      VpcId: !Ref OriginatingVPCId
      PeerVpcId: !Ref RemoteVPCId
      PeerOwnerId: !Ref RemoteVPCAccountId
Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)
- A. Resources:
    newEC2Route:
      Type: AWS::EC2::Route
- B. Resources:
    NetworkInterfaceToRemoteVPC:
      Type: "AWS::EC2::NetworkInterface"
- C. Resources:
    newVPCPeeringConnection:
      Type: 'AWS::EC2::VPCPeeringConnection'
      PeerRoleArn: !Ref PeerRoleArn
- D. Resources:
    NewEC2SecurityGroup:
      Type: AWS::EC2::SecurityGroup
- E. Resources:
    VPCGatewayToRemoteVPC:
      Type: "AWS::EC2::VPCGatewayAttachment"
Answer: C,E
NEW QUESTION # 30
You deploy your Internet-facing application in the us-west-2 (Oregon) Region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.
You need to deploy another identical instance of the application in us-east-1 (N. Virginia) as soon as possible.
You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.
Which design should you choose?
- A. Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.
- B. Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
- C. Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
- D. Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
Answer: C
Explanation:
https://aws.amazon.com/blogs/aws/aws-direct-connect-access-to-multiple-us-regions/
NEW QUESTION # 31
An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?
- A. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.
- B. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.
- C. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
- D. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
Answer: B
NEW QUESTION # 32
A company has recently established an AWS Direct Connect connection from its on-premises data center to AWS. A Network Engineer has blocked all traffic destined for Amazon S3 over the company's gateway to the internet from its on-premises firewall. S3 traffic should only traverse the Direct Connect connection.
Currently, no one in the on-premises data center can access Amazon S3.
Which solution will resolve this connectivity issue?
- A. Configure a public virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
- B. Establish an S3 VPC endpoint for the company's Amazon VPC. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop.
- C. Configure a public virtual interface on the Direct Connect connection. Establish an AWS managed VPN over the connection. Update the on-premises routing tables to choose the VPN connection as the preferred next hop.
- D. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
Answer: D
NEW QUESTION # 33
You work for an international corporation that uses AWS. Due to regulations, you are now required to route the US and China to two different websites. You set up the records and now no other countries can access your site. Why is this? Choose the correct answer:
- A. You forgot to set a default geolocation record.
- B. You probably broke your DNS.
- C. Geolocation features are only available in CloudFront.
- D. You must have a geolocation in place for every country.
Answer: A
Explanation:
A default record is required so that traffic that does not match any geolocation criterion has a record to follow.
NEW QUESTION # 34
Your company's policy requires that all VPCs peer with a "common services" VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common services VPC as required by policy. You launch an Amazon EC2 Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC.
The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.
Which step should you take to enable access to Amazon S3?
- A. Exclude 169.254.169.0/24 from the instance's proxy configuration.
- B. Update the CORS configuration for Amazon S3 to allow traffic from the proxy.
- C. Update the S3 bucket policy with the private IP address of the instance.
- D. Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.
Answer: D
NEW QUESTION # 35
You are auditing an AWS infrastructure after you noticed some abnormal charges on the bill. You use AWS Config to monitor your changes. What else is required to find out who made the change? Choose the correct answer:
- A. Use the eventId of the change and reference it with CloudTrail to find the culprit.
- B. Use the eventID of the change and reference it with your Flow Logs.
- C. Use the eventID of the change and reference it with CloudWatch to find the culprit.
- D. There is no information to find this. You will need to sign up for Config Premium.
Answer: A
Explanation:
CloudTrail is for finding "who" performed an action.
NEW QUESTION # 36
You need to find the public IP address of an instance that you're logged in to. What command would you use?
Choose the correct answer:
- A. curl http://169.254.169.254/latest/meta-data/public-ipv4
- B. curl ftp://169.254.169.254/latest/meta-data/public-ipv4
- C. curl http://127.0.0.1/latest/meta-data/public-ipv4
- D. scp localhost/latest/meta-data/public-ipv4
Answer: A
Explanation:
curl http://169.254.169.254/latest/meta-data/public-ipv4
NEW QUESTION # 37
Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution.
The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.
Which method allows for efficient, automated integration of the IPAM with CloudFormation?
- A. CloudFormation::OpsWorks::Stack with custom Chef configuration.
- B. AWS CloudFormation parameters using the "Ref::" intrinsic function
- C. AWS CloudFormation parameters using the "Fn::FindInMap" intrinsic function.
- D. AWS CloudFormation custom resource using an AWS Lambda invocation.
Answer: B
NEW QUESTION # 38
Your company just purchased a domain using another registrar and wants to use the same nameservers as your current domain hosted with AWS. How would this be achieved? Choose the correct answer:
- A. Import the domain to your account and it will automatically set the same nameservers.
- B. Every domain must have different nameservers.
- C. In the API, create a Reusable Delegation Set.
- D. In the console, create a Reusable Delegation Set.
Answer: C
Explanation:
You can't create a reusable delegation set in the console. AWS does not provide the same nameservers to new domains, but a reusable delegation set can be used with as many domains as you like.
NEW QUESTION # 39
Your company uses an NTP server to synchronize time across systems. The company runs multiple versions of Linux and Windows systems. You discover that the NTP server has failed, and you need to add an alternate NTP server to your instances.
Where should you apply the NTP server update to propagate information without rebooting your running instances?
- A. DHCP Options Set
- B. instance meta-data
- C. cfn-init scripts
- D. instance user-data
Answer: A
Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-dhcp-options.html
NEW QUESTION # 41
A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.
How can this requirement be achieved?
- A. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
- B. Use a Network Load Balancer and enable the ProxyProtocolv2 attribute.
- C. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.
- D. Use a Network Load Balancer to automatically preserve the source IP address.
Answer: C
NEW QUESTION # 42
An organization is migrating its on-premises applications to AWS by using a lift-and-shift approach, taking advantage of managed AWS services wherever possible. The company must be able to edit the application code during the migration phase. One application is a traditional three-tier application, consisting of a web presentation tier, an application tier, and a database tier. The external calling client applications need their sessions to remain sticky to both the web and application nodes that they initially connect to.
Which load balancing solution would allow the web and application tiers to scale horizontally independently of one another?
- A. Use an Application Load Balancer at the web tier and a Classic Load Balancer at the application tier. Set session stickiness on both, but update the application code to create an application-controlled cookie on the Classic Load Balancer.
- B. Use a Network Load Balancer at the web tier, and an Application Load Balancer at the application tier. Enable session stickiness on the Application Load Balancer, but take advantage of the native WebSockets protocols available to the Network Load Balancer.
- C. Use an Application Load Balancer at both the web and application tiers, setting session stickiness at the target group level for both tiers.
- D. Deploy a web node and an application node as separate containers on the same host, using task linking to create a relationship between the pair. Add an Application Load Balancer with session stickiness in front of all web node containers.
Answer: C
NEW QUESTION # 43
A company with several VPCs in the us-east-1 Region wants to reduce the cost of its workloads.
A network engineer has identified that all traffic bound to Amazon services is flowing through a NAT gateway. Additionally, all the VPCs are peered to a hub VPC for access to common services.
What should the network engineer do to reduce data transfer costs to Amazon Simple Queue Service (Amazon SQS)?
- A. Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
- B. Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
- C. Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
- D. Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
Answer: B
Explanation:
You can use Amazon Virtual Private Cloud only with HTTPS Amazon SQS endpoints.
When you configure Amazon SQS to send messages from Amazon VPC, you must enable private DNS and specify endpoints in the format sqs.us-east-2.amazonaws.com.
Private DNS doesn't support legacy endpoints such as queue.amazonaws.com or us-east-2.queue.amazonaws.com.
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html
NEW QUESTION # 44
You need to ensure the files served by your CloudFront distribution are only accessible to authorized users. You hope to serve thousands of users. What two steps should you take?
Choose the 2 correct answers:
- A. Configure a WAF.
- B. Configure signed cookies.
- C. Configure an SSL on the distribution.
- D. Configure a bucket policy restricting the bucket to only CloudFront OAI.
Answer: B,D
Explanation:
A WAF can block users from accessing the site and CloudFront, but that is not the best option when you have so many users. SSL will encrypt the traffic, but will not prevent a user from viewing the content.
NEW QUESTION # 45
An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization's private IP address. What could cause this connectivity issue? (Choose two.)
- A. A public virtual interface must be configured for Amazon EC2 connectivity.
- B. The on-premises router is not advertising the correct CIDR range to AWS.
- C. There is a misconfiguration of the bi-directional forwarding detection.
- D. The instance security group does not allow ICMP traffic.
- E. The VGW is not advertising the correct CIDR range back on-premises.
Answer: B,D
NEW QUESTION # 46
A company's web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further request for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.
Which action should be taken to block more IP addresses, without compromising the existing security requirements?
- A. Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.
- B. Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.
- C. Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.
- D. Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.
Answer: D
NEW QUESTION # 47
......
Verified Pass AWS-Advanced-Networking-Specialty Exam in First Attempt Guaranteed: https://freedumps.actual4exams.com/AWS-Advanced-Networking-Specialty-real-braindumps.html