Amazon AWS Certified Advanced Networking - Specialty ANS-C01 Exam Practice Questions

1. A company is planning to create a service that requires encryption in transit. The traffic must not
be decrypted between the client and the backend of the service. The company will implement
the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands
of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic
Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the
Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way
authentication between the client and the backend.
Which solution will meet these requirements?
a. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure
a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP
addresses of the backend service Pods

2. A company is deploying a new application in the AWS Cloud. The company wants a highly
available web server that will sit behind an Elastic Load Balancer. The load balancer will route
requests to multiple target groups based on the URL in the request. All traffic must use HTTPS.
TLS processing must be offloaded to the load balancer. The web server must know the user’s IP
address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?
a. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing
rules to forward the traffic to the correct target group. Include the X-Forwarded-For
request header with traffic to the targets.

3. A company has developed an application on AWS that will track inventory levels of vending
machines and initiate the restocking process automatically. The company plans to integrate this
application with vending machines and deploy the vending machines in several markets around
the world. The application resides in a VPC in the us-east-1 Region. The application consists of an
Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer
(ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP
addresses of the accelerator in the vending machines for application endpoint access. The
application must be accessible only through the accelerator and not through a direct connection
over the internet to the ALB endpoint.
Which solution will meet these requirements?
a. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without
adding routes in the subnet route tables to point to the internet gateway. Configure the
accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s
security group to only allow inbound traffic from the internet on the ALB listener port.
4. A retail company is running its service on AWS. The company’s architecture includes Application
Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to
backend Amazon EC2 instances in private subnets. These backend EC2 instances can call
externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A
network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway?
(Choose two.)
a. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to
a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and
analyze the logs
b. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to
an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to
describe the log structure. Use Athena to query and analyze the logs

5. A banking company is successfully operating its public mobile banking stack on AWS. The mobile
banking stack is deployed in a VPC that includes private subnets and public subnets. The
company is using IPv4 networking and has not deployed or supported IPv6 in the environment.
The company has decided to adopt a third-party service provider's API and must integrate the
API with the existing environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in
a private subnet. The company does not want to permit IPv6 traffic from the public internet and
mandates that the company's servers must initiate all IPv6 connectivity. The network engineer
turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
a. Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route
tables to point IPv6 traffic to the egress-only internet gateway.

6. A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer
needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon
OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
a. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon
OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure
flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination
for the Network Firewall flow logs

7. A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs
are deployed across multiple AWS accounts that are part of the same organization in AWS
Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a
central VPC and are configured to forward all queries for an on-premises DNS domain to DNS
servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom
DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that
specifies the custom DNS servers to be used as domain name servers.
 Multiple development teams in the company want to use Amazon Elastic File System (Amazon
EFS). A development team has created a new EFS file system but cannot mount the file system to
one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot
resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com. The
network engineer needs to implement a solution so that development teams throughout the
organization can mount EFS file systems.
Which combination of steps will meet these requirements? (Choose two.)
a. Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all
the VPC DHCP options sets to use AmazonProvidedDNS for name resolution
b. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises
domain to the on-premises DNS servers. Share the rule with the organization by using
AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs

8. A company has multiple AWS accounts. Each account contains one or more VPCs. A new security
guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The
company also has deployed a shared services VPC with Amazon EC2 instances that include IDS
services for stateful inspection. The EC2 instances are deployed across three Availability Zones.
The company has set up VPC associations and routing on the transit gateway. The company has
migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent
connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?
a. Modify the transit gateway VPC attachment on the shared services VPC by enabling
appliance mode Support

9. A company operates its IT services through a multi-site hybrid infrastructure. The company
deploys resources on AWS in the us-east-1 Region and in the eu-west-2 Region. The company
also deploys resources in its own data centers that are located in the United States (US) and in
the United Kingdom (UK). In both AWS Regions, the company uses a transit gateway to connect
15 VPCs to each other. The company has created a transit gateway peering connection between
the two transit gateways. The VPC CIDR blocks do not overlap with each other or with IP
addresses used within the data centers. The VPC CIDR prefixes can also be aggregated either on
a Regional level or for the company's entire AWS environment.
The data centers are connected to each other by a private WAN connection. IP routing
information is exchanged dynamically through Interior BGP (iBGP) sessions. The data centers
maintain connectivity to AWS through one AWS Direct Connect connection in the US and one
Direct Connect connection in the UK. Each Direct Connect connection is terminated on a Direct
Connect gateway and is associated with a local transit gateway through a transit VIF.
Traffic follows the shortest geographical path from source to destination. For example, packets
from the UK data center that are targeted to resources in eu-west-2 travel across the local Direct
Connect connection. In cases of cross-Region data transfers, such as from the UK data center to
VPCs in us-east-1, the private WAN connection must be used to minimize costs on AWS. A
network engineer has configured each transit gateway association on the Direct Connect
 gateway to advertise VPC-specific CIDR IP prefixes only from the local Region. The routes toward
the other Region must be learned through BGP from the routers in the other data center in the
original, non-aggregated form.
The company recently experienced a problem with cross-Region data transfers because of issues
with its private WAN connection. The network engineer needs to modify the routing setup to
prevent similar interruptions in the future. The solution cannot modify the original traffic routing
goal when the network is operating normally.
Which modifications will meet these requirements? (Choose two.)
a. Add the aggregate IP prefix for the other Region and the local VPC CIDR blocks to the list
of subnets advertised through the local Direct Connect connection.
b. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local
Direct Connect connection. Add both Regional aggregate IP prefixes to the list of subnets
advertised through the Direct Connect connection on both sides of the network.
Configure data center routers to make routing decisions based on the BGP communities
received.
10. A company’s network engineer needs to design a new solution to help troubleshoot and detect
network anomalies. The network engineer has configured Traffic Mirroring. However, the
mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The
EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The
network engineer needs to design a highly available solution that can scale to meet the demand
of the mirrored traffic.
Which solution will meet these requirements?
a. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB.
deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as
necessary.
11. A company uses a hybrid architecture and has an AWS Direct Connect connection between its
on-premises data center and AWS. The company has production applications that run in the on-
premises data center. The company also has production applications that run in a VPC. The
applications that run in the on-premises data center need to communicate with the applications
that run in the VPC. The company is using corp.example.com as the domain name for the on-
premises resources and is using an Amazon Route 53 private hosted zone for aws.example.com
to host the VPC resources.
The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS
resolver in the on-premises data center. The company's on-premises DNS resolver has a
forwarder that directs requests for the aws.example.com domain name to the DNS resolver in
the VPC. The DNS resolver in the VPC has a forwarder that directs requests for the
corp.example.com domain name to the DNS resolver in the on-premises data center. The
company has deckled to replace the open-source recursive DNS resolver with Amazon Route 53
Resolver endpoints.
Which combination of steps should a network engineer take to make this replacement? (Choose
three.)
a. Configure the on-premises DNS resolver to forward aws.example.com domain queries to
the IP addresses of the inbound endpoint
 b. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound
endpoint.
c. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP
address of the on-premises DNS resolver
12. A government contractor is designing a multi-account environment with multiple VPCs for a
customer. A network security policy requires all traffic between any two VPCs to be transparently
inspected by a third-party appliance.
The customer wants a solution that features AWS Transit Gateway. The setup must be highly
available across multiple Availability Zones, and the solution needs to support automated
failover. Furthermore, asymmetric routing is not supported by the inspection appliances.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
a. Deploy two clusters that consist of multiple appliances across multiple Availability Zones
in a designated inspection VPC. Connect the inspection VPC to the transit gateway by
using a VPC attachment. Create a target group, and register the appliances with the
target group. Create a Gateway Load Balancer, and set it up to forward to the newly
created target group. Configure a default route in the inspection VPC’s transit gateway
subnet toward the Gateway Load Balancer endpoint.
b. Configure two route tables on the transit gateway. Associate one route table with all the
attachments of the application VPCs. Associate the other route table with the inspection
VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define
a static default route in the application route table. Enable appliance mode on the
attachment that connects the inspection VPC
13. A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances
must initiate any requests that leave the VPC, including requests to the company's on-premises
data center over an AWS Direct Connect connection. No resources outside the VPC can be
allowed to open communications directly to the EC2 instances.
The on-premises data center's customer gateway is configured with a stateful firewall device that
filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company
wants to use a single IP match rule to allow all the communications from the EC2 instances to its
data center from a single IP address.
Which solution will meet these requirements with the LEAST amount of operational overhead?
a. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are
deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to
allow connections from the IP address that is assigned to the NAT gateway.
14. A global company operates all its non-production environments out of three AWS Regions: eu-
west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-
premises data centers. The company has 60 AWS accounts and each account has two VPCs in
each Region. Each VPC has a virtual private gateway where two VPN connections terminate for
resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center,
resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps.
The company wants to migrate the production environments to AWS. The company needs a
solution that will simplify the network architecture and allow for future growth. The production
environments will generate an additional 2 Gbps of traffic per Region back to the data centers.
 This traffic will increase over time.
Which solution will meet these requirements?
a. Create a transit gateway in each Region with multiple newly commissioned VPN
connections from each data center. Share the transit gateways with each account by
using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit
gateway to each VPRemove the existing VPN connections that are attached directly to
the virtual private gateways.
15. A company is building its website on AWS in a single VPC. The VPC has public subnets and private
subnets in two Availability Zones. The website has static content such as images. The company is
using Amazon S3 to store the content.
The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet.
The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2
instances will serve traffic, and they must pull content from an S3 bucket to render the
webpages. The company is using AWS Direct Connect with a public VIF for on-premises
connectivity to the S3 bucket.
A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing
through a NAT gateway. As traffic increases, the company's costs are increasing. The network
engineer needs to change the connectivity to reduce the NAT gateway costs that result from the
traffic between the EC2 instances and Amazon S3.
Which solution will meet these requirements?
a. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table
16. A company wants to improve visibility into its AWS environment. The AWS environment consists
of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-
premises data center through an AWS Direct Connect gateway and a pair of redundant Direct
Connect connections that use transit VIFs. The company must receive notification each time a
new route is advertised to AWS from on premises over Direct Connect.
What should a network engineer do to meet these requirements?
a. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use
Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes
change.
17. A software company offers a software-as-a-service (SaaS) accounting application that is hosted in
the AWS Cloud The application requires connectivity to the company's on-premises network. The
company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-
premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The
company needs to encrypt traffic between AWS and the edge routers in the colocation within
the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational
overhead?
a. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec
on the edge routers. Reroute traffic to the new Direct Connect connections.
Decommission the original Direct Connect connections
18. A company hosts an application on Amazon EC2 instances behind an Application Load Balancer
(ALB). The company recently experienced a network security breach. A network engineer must
 collect and analyze logs that include the client IP address, target IP address, target port, and user
agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?
a. Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze
the logs in Amazon S3
19. A media company is implementing a news website for a global audience. The website uses
Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows
instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling
group. The company's customers access the website by using service example com as the
CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-
alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between
the users and the backend.
Which combination of changes must the company make to meet this security requirement?
(Choose three.)
a. Create a certificate for service.example.com by using AWS Certificate Manager (ACM).
Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior
to redirect HTTP to HTTPS.
b. Create a public certificate from a third-party certificate provider with any domain name
for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener.
Specify the instance target type during the creation of a new target group that uses the
HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target
group.
c. Create a certificate for service-alb.example.com by using AWS Certificate Manager
(ACM). On the ALB add a new HTTPS listener that uses the new target group and the
service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS
protocol only. Delete the HTTP listener on the ALB.
20. A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer
(NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the
availability of the application. The solutions architect added the instances to the NLB target
group.
The company's operations team notices that traffic is being routed only to the instances in the
first Availability Zone.
What is the MOST operationally efficient solution to resolve this issue?
a. Enable the new Availability Zone on the NLB
21. A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based
network appliance in a highly available architecture. The network engineer is configuring the
new launch template for the Auto Scaling group.
In addition to the primary network interface the network appliance requires a second network
interface that will be used exclusively by the application to exchange traffic with hosts over the
internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP
address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?
 a. During creation of the Auto Scaling group, select subnets for the primary network
interface. Use the user data option to run a cloud-init script to allocate a second network
interface and to associate an Elastic IP address from the BYOIP pool.
22. A company delivers applications over the internet. An Amazon Route 53 public hosted zone is
the authoritative DNS service for the company and its internet applications, all of which are
offered from the same domain name.
A network engineer is working on a new version of one of the applications. All the application's
components are hosted in the AWS Cloud. The application has a three-tier design. The front end
is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP
addresses assigned. The backend components are deployed in private subnets from RFC1918.
Components of the application need to be able to access other components of the application
within the application's VPC by using the same host names as the host names that are used over
the public internet. The network engineer also needs to accommodate future DNS changes, such
as the introduction of new host names or the retirement of DNS entries.
Which combination of steps will meet these requirements? (Choose three.)
a. Create a Route 53 private hosted zone for the same domain name Associate the
application’s VPC with the new private hosted zone.
b. Enable DNS hostnames for the application's VPC.
c. Create entries in the private hosted zone for each name in the public hosted zone by
using the corresponding private IP addresses
23. A company is deploying an application. The application is implemented in a series of containers
in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate
launch type for its tasks. The containers will run workloads that require connectivity initiated
over an SSL connection. Traffic must be able to flow to the application from other AWS accounts
over private connectivity. The application must scale in a manageable way as more consumers
use the application.
Which solution will meet these requirements?
a. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service.
Specify the NLB in the service definition. Create a VPC endpoint service for the NLB.
Share the VPC endpoint service with other AWS accounts.
24. A company's development team has created a new product recommendation web service. The
web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has
deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as
the target of a Network Load Balancer (NLB).
The company wants to perform testing to determine whether users who receive product
recommendations spend more money than users who do not receive product recommendations.
The company has a big sales event in 5 days and needs to integrate its existing production
environment with the recommendation engine by then. The existing production environment is
hosted in a VPC with a CIDR block of 192.168.128 0/17.
A network engineer must integrate the systems by designing a solution that results in the least
possible disruption to the existing environments.
Which solution will meet these requirements?
 a. Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the
web service. Create an interface VPC endpoint for the web service in the existing
production VPC.
25. A network engineer needs to update a company's hybrid network to support IPv6 for the
upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The
company's current AWS infrastructure includes VPCs that are connected by a transit gateway.
The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS
Site-to-Site VPN. The company's on-premises devices have been updated to support the new
IPv6 requirements.
The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the
VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new
Amazon EC2 instances for the new application in the updated subnets.
When updating the hybrid network to support IPv6 the network engineer must avoid making any
changes to the current infrastructure. The network engineer also must block direct access to the
instances' new IPv6 addresses from the internet. However, the network engineer must allow
outbound internet access from the instances.
What is the MOST operationally efficient solution that meets these requirements?
a. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned
IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add
an egress-only internet gateway. Update any affected VPC security groups and route
tables to provide connectivity within the VPC and between the VPC and the on-premises
devices
26. A network engineer must provide additional safeguards to protect encrypted data at Application
Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?
a. Change the ALB security policy to a policy that supports forward secrecy (FS)
27. A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its
offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to
support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual
appliances to provide this connectivity. According to company policies, only a single SD-WAN
virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?
a. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance
for BGP routes toward the transit gateway.
28. A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is
using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A
network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is
connected to the transit gateway. The solution must support at least 5 Gbps of throughput from
the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway.
Which solution will meet these requirements?
a. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub
virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add
a transit gateway Connect attachment. Create a Connect peer and specify the GRE and
 BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual
appliance to route to the transit gateway.
29. A company is deploying a new application on AWS. The application uses dynamic multicasting.
The company has five VPCs that are all attached to a transit gateway Amazon EC2 instances in
each VPC need to be able to register dynamically to receive a multicast transmission.
How should a network engineer configure the AWS resources to meet these requirements?
a. reate an Internet Group Management Protocol (IGMP) multicast domain within the
transit gateway. Associate the VPCs and applicable subnets with the multicast domain.
Register the multicast senders' network interface with the multicast domain. Adjust the
network ACLs to allow UDP traffic from the source to all receivers and to allow UDP
traffic that is sent to the multicast group address.
30. A company is creating new features for its ecommerce website. These features will use several
microservices that are accessed through different paths. The microservices will run on Amazon
Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its
public websites. The application requires the customer’s source IP addresses.
A network engineer must implement a load balancing strategy that meets these requirements.
Which combination of actions should the network engineer take to accomplish this goal?
(Choose two.)
a. Retrieve client IP addresses by using the X-Forwarded-For header
b. Use an Application Load Balancer.
31. A company is migrating its containerized application to AWS. For the architecture the company
will have an ingress VPC with a Network Load Balancer (NLB) to distribute the traffic to front-end
pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the
application will determine which user is requesting access and will send traffic to 1 of 10 services
VPCs. Each services VPC will include an NLB that distributes traffic to the services pods in an EKS
cluster.
The company is concerned about overall cost. User traffic will be responsible for more than 10
TB of data transfer from the ingress VPC to services VPCs every month. A network engineer
needs to recommend how to design the communication between the VPCs.
Which solution will meet these requirements at the LOWEST cost?
a. Create a VPC peering connection between the ingress VPC and each of the 10 services
VPCs. Use zonal DNS names for the NLB in the services VPCs to minimize cross-AZ traffic
from the ingress VPC to the services VPCs.
32. A company has stateful security appliances that are deployed to multiple Availability Zones in a
centralized shared services VPC. The AWS environment includes a transit gateway that is
attached to application VPCs and the shared services VPC. The application VPCs have workloads
that are deployed in private subnets across multiple Availability Zones. The stateful appliances in
the shared services VPC inspect all east west (VPC-to-VPC) traffic.
Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer
verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads
in different Availability Zones across the application VPCs. The network engineer has ruled out
security groups, stateful device configurations and network ACLs as the cause of the dropped
traffic.
What is causing the traffic to drop?
 a. Appliance mode is not enabled on the transit gateway attachment to the shared services
VPC
33. A company has hundreds of Amazon EC2 instances that are running in two production VPCs
across all Availability Zones in the us-east-1 Region. The production VPCs are named
VPC A and VPC B.
A new security regulation requires all traffic between production VPCs to be inspected before
the traffic is routed to its final destination. The company deploys a new shared VPC that contains
a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCs to route
traffic between VPC A and VPC B through the firewall appliance for inspection. During testing,
the company notices that the transit gateway is dropping the traffic whenever the traffic is
between two Availability Zones.
What should a network engineer do to fix this issue with the LEAST management overhead?
a. Enable transit gateway appliance mode on the VPC attachment in the shared VPC.
34. A company has deployed a critical application on a fleet of Amazon EC2 instances behind an
Application Load Balancer. The application must always be reachable on port 443 from the public
internet. The application recently had an outage that resulted from an incorrect change to the
EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the
public internet and the EC2 instances whenever a change is made to the security group. The
solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?
a. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the
VPC as the source. Specify the EC2 instances as the destination. Create an Amazon
Simple Notification Service (Amazon SNS) topic to notify the network engineer when a
change to the security group affects the connection. Create an AWS Lambda function to
start Reachability Analyzer and to publish a message to the SNS topic in case the
analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke
the Lambda function when a change to the security group occurs
35. A security team is performing an audit of a company's AWS deployment. The security team is
concerned that two applications might be accessing resources that should be blocked by
network ACLs and security groups. The applications are deployed across two Amazon Elastic
Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface
(CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a
Cluster Autoscaler configured.
The security team needs to determine which POD IP addresses are communicating with which
services throughout the VPC. The security team wants to limit the number of flow logs and
wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?
a. Create VPC flow logs in a custom format. Set the application subnets as resources.
Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs
36. A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC
cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data
processing workflow, the HPC cluster needs to perform several DNS queries to resolve and
connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are
 accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven
times during the company’s peak event at the end of the year.
The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2
instances are configured to forward queries to the default VPC resolver for Amazon Route 53
hosted domains and to the on-premises DNS servers for other on-premises hosted domain
names. The company notices job failures and finds that DNS queries from the HPC cluster nodes
failed when the nodes tried to resolve RDS and S3 bucket endpoints.
Which architectural change should a network engineer implement to provide the DNS service in
the MOST scalable way?
a. Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to
forward queries to on-premises DNS servers for on premises hosted domain names.
Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2
instance-based DNS servers. Terminate the EC2 instances
37. A company's network engineer is designing an active-passive connection to AWS from two on-
premises data centers. The company has set up AWS Direct Connect connections between the
on-premises data centers and AWS. From each location, the company is using a transit VIF that
connects to a Direct Connect gateway that is associated with a transit gateway.
The network engineer must ensure that traffic from AWS to the data centers is routed first to the
primary data center. The traffic should be routed to the failover data center only in the case of
an outage.
Which solution will meet these requirements?
a. Set the BGP community tag for all prefixes from the primary data center to 7224:7300.
Set the BGP community tag for all prefixes from the failover data center to 7224:7100
38. A real estate company is building an internal application so that real estate agents can upload
photos and videos of various properties. The application will store these photos and videos in an
Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata.
The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon
Simple Queue Service (Amazon SQS) queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly
uploaded objects. The cluster will retrieve new objects, perform proprietary image and video
recognition and classification update metadata in DynamoDB and replace the objects with new
watermarked objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as
application usage increases?
a. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for
Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.
39. A company has an AWS Direct Connect connection between its on-premises data center in the
United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to
connect the data center to a transit gateway in us-east-1.
The company is opening a new office in Europe with a new on-premises data center in England.
A Direct Connect connection will connect the new data center with some workloads that are
running in a single VPC in the eu-west-2 Region. The company needs to connect the US data
center and us-east-1 with the Europe data center and eu-west-2. A network engineer must
establish full connectivity between the data centers and Regions with the lowest possible
 latency.
How should the network engineer design the network architecture to meet these requirements?
a. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center
to the new transit gateway by using a Direct Connect gateway and a new transit VIF.
Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable
SiteLink for both transit VIFs. Peer the two transit gateways.
40. A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC
has no public subnet. The EC2 instance hosts application code that sends messages to an
Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL
with no modification applied. The EC2 instance has the default security group with no
modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)
a. The EC2 instance is not attached to an IAM role that allows write operations to Amazon
SQS.
b. There is no interface VPC endpoint configured for Amazon SQS
41. A network engineer needs to standardize a company's approach to centralizing and managing
interface VPC endpoints for private communication with AWS services. The company uses AWS
Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke
model. The company's network services team must manage all Amazon Route 53 zones and
interface endpoints within a shared services AWS account. The company wants to use this
centralized model to provide AWS resources with access to AWS Key Management Service (AWS
KMS) without sending traffic over the public internet.
What should the network engineer do to meet these requirements?
a. In the shared services account, create an interface endpoint for AWS KMS. Modify the
interface endpoint by disabling the private DNS name. Create a private hosted zone in
the shared services account with an alias record that points to the interface endpoint.
Associate the private hosted zone with the spoke VPCs in each AWS account.
42. A development team is building a new web application in the AWS Cloud. The main company
domain, example.com, is currently hosted in an Amazon Route 53 public hosted zone in one of
the company's production AWS accounts.
The developers want to test the web application in the company's staging AWS account by using
publicly resolvable subdomains under the example.com domain with the ability to create and
delete DNS records as needed. Developers have full access to Route 53 hosted zones within the
staging account, but they are prohibited from accessing resources in any of the production AWS
accounts.
Which combination of steps should a network engineer take to allow the developers to create
records under the example com domain? (Choose two.)
a. Create a staging example.com NS record in the example.com domain. Populate the value
with the name servers from the staging.example.com domain. Set the routing policy
type to simple routing
b. Create a public hosted zone for staging.example.com in the staging account.
43. A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The
company has configured the VPC with an internet gateway and four subnets. Two of the subnets
 are public and have default routes that point to the internet gateway. Two of the subnets are
private and share a route table that does not have a default route.
The application will run on a set of Amazon EC2 instances that will be deployed behind an
external Application Load Balancer. The EC2 instances must not be directly accessible from the
internet. The application will use an Amazon S3 bucket in the same Region to store data. The
application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances.
A network engineer must design a VPC architecture that minimizes data transfer cost.
Which solution will meet these requirements?
a. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the
VPSpecify die route table of the private subnets during endpoint creation to create
routes to Amazon S3.
44. A company has two AWS accounts one for Production and one for Connectivity. A network
engineer needs to connect the Production account VPC to a transit gateway in the Connectivity
account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these
requirements?
a. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager
for the transit gateway. Provide the Production account ID Enable the feature to allow
external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the
attachment
45. A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent
incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain
access to the instance. The company fixed the application and launched a replacement EC2
instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The
company became aware of the compromise through a notification from AWS. The company
needs the ability to identify when an application that is deployed on an EC2 instance is spreading
malware.
Which solution will meet this requirement with the LEAST operational effort?
a. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC
flow logs.
46. A company deploys a new web application on Amazon EC2 instances. The application runs in
private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security
auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and
uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS
connections are terminated on the ALB.
The company tests the application with a single EC2 instance and does not observe any
problems. However, after production deployment, users report that they can log in but that they
cannot use the application. Every new web request restarts the login process.
What should a network engineer do to resolve this issue?
 a. Modify the ALB target group configuration by enabling the stickiness attribute. Use an
application-based cookie. Set the duration to the maximum application session length.
47. A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a
security compliance requirement. The EC2 instances now use a NAT gateway for internet access.
After the migration, some long-running database queries from private EC2 instances to a publicly
accessible third-party database no longer receive responses. The database query logs reveal that
the queries successfully completed after 7 minutes but that the client EC2 instances never
received the response.
Which configuration change should a network engineer implement to resolve this issue?
a. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.
48. A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the
same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own
virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the
limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?
a. Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and
associate it with the transit gateway. Create a transit VIF to the Direct Connect Gateway
49. A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect
connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1.
The VPCs in us-east-1 are connected by a transit gateway and need to access several on-
premises databases. According to company policy, only one VPC in eu-west-1 can be connected
to one on-premises server. The on-premises network segments the traffic between the
databases and the server.
How should the network engineer set up the Direct Connect connection to meet these
requirements?
a. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in
us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect
gateways, one for each VIF, to route from the Direct Connect locations to the
corresponding AWS Region along the path that has the lowest latency.
50. A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to
the internet. A network engineer notices a large quantity of suspicious network traffic that is
traveling from the VPC over the internet to IP addresses that are included on a deny list. The
network engineer must implement a solution to determine which AWS resources are generating
the suspicious traffic. The solution must minimize cost and administrative overhead.
Which solution will meet these requirements?
a. use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use
CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are
generating the suspicious traffic.
51. A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is
attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin,
Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect
gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway
(TGW-B) in the eu-west-2 Region in Account 2.
A network engineer must implement connectivity between VPC-B and the on-premises data
 center in Dublin.
Which solutions will meet these requirements? (Choose two.)
a. Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block
under the allowed prefixes
b. Configure inter-Region transit gateway peering between TGW-A and TGW-B. Add the
peering routes in the transit gateway route tables. Add both the VPC-A and the VPC-B
CIDR block under the allowed prefix list in the Direct Connect gateway association
52. A company’s network engineer is designing a hybrid DNS solution for an AWS Cloud workload.
Individual teams want to manage their own DNS hostnames for their applications in their
development environment. The solution must integrate the application-specific hostnames with
the centrally managed DNS hostnames from the on-premises network and must provide
bidirectional name resolution. The solution also must minimize management overhead.
Which combination of steps should the network engineer take to meet these requirements?
(Choose three.)
a. Use an Amazon Route 53 Resolver inbound endpoint.
b. Use an Amazon Route 53 Resolver outbound endpoint.
c. Create Amazon Route 53 private hosted zones.
53. A company hosts a web application on Amazon EC2 instances behind an Application Load
Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants
to implement a custom authentication system that will provide a token for its authenticated
customers.
The web application must ensure that the GET/POST requests come from authenticated
customers before it delivers the content. A network engineer must design a solution that gives
the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?
a. Use an AWS Lambda@Edge function to inspect the authorized token inside the
GET/POST request payload. Use the Lambda@Edge function also to insert a customized
header to inform the web application of an authenticated customer request
54. A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared
services VPC. The production VPC and the nonproduction VPC must each have communication
with the shared services VPC. There must be no communication between the production VPC
and the nonproduction VPC. A transit gateway is deployed to facilitate communication between
VPCs.
Which route table configurations on the transit gateway will meet these requirements?
a. Configure a route table with the production and nonproduction VPC attachments
associated with propagated routes for only the shared services VPC. Create an additional
route table with only the shared services VPC attachment associated with propagated
routes from the production and nonproduction VPCs.
55. A company is using an AWS Site-to-Site VPN connection from the company's on-premises data
center to a virtual private gateway in the AWS Cloud Because of congestion, the company is
experiencing availability and performance issues as traffic travels across the internet before the
traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly
as possible with minimum administration effort.
Which solution will meet these requirements?
 a. Configure a transit gateway in the same AWS Region as the existing virtual private
gateway. Create a new accelerated Site-to-Site VPN connection. Connect the new
connection to the transit gateway by using a VPN attachment. Update the customer
gateway device to use the new Site to Site VPN connection. Delete the existing Site-to-
Site VPN connection
56. An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to
expand its customer base to the United States (US). The company is targeting the western US for
the expansion.
The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs
deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-
southeast-2. There are dedicated VPCs for each application service. The company also has VPCs
for centralized security features such as proxies, firewalls, and logging.
The company plans to duplicate the infrastructure from ap-southeast-2 to the us-west-1 Region.
A network engineer must establish connectivity between the various applications in the two
Regions. The solution must maximize bandwidth, minimize latency and minimize operational
overhead.
Which solution will meet these requirements?
a. Peer the transit gateways in each Region. Configure routing between the two transit
gateways for each Region's IP addresses
57. An IoT company sells hardware sensor modules that periodically send out temperature,
humidity, pressure, and location data through the MQTT messaging protocol. The hardware
sensor modules send this data to the company's on-premises MQTT brokers that run on Linux
servers behind a load balancer. The hardware sensor modules have been hardcoded with public
IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can
no longer scale and is introducing additional latency because of the company's global presence.
As a result, the company decides to migrate its entire infrastructure from on premises to the
AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules
that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances.
What should the company do next to meet these requirements?
a. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners.
Create an AWS Global Accelerator accelerator in front of the NLUse Bring Your Own IP
(BYOIP) from the on-premises network with Global Accelerator.
58. A company has deployed a web application on AWS. The web application uses an Application
Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda
functions. The web application also uses Amazon CloudWatch metrics for monitoring.
Users report that parts of the web application are not loading properly. A network engineer
needs to troubleshoot the problem. The network engineer enables access logging for the ALB.
What should the network engineer do next to determine which errors the ALB is receiving?
a. Configure the Amazon S3 bucket destination. Use Amazon Athena to determine which
error messages the ALB is receiving
59. A company is planning to use Amazon S3 to archive financial data. The data is currently stored in
an on-premises data center. The company uses AWS Direct Connect with a Direct Connect
 gateway and a transit gateway to connect to the on-premises data center. The data cannot be
transported over the public internet and must be encrypted in transit.
Which solution will meet these requirements?
a. Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to
the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use
HTTPS for communication.
60. A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except
domains that are on an approved list. The company is concerned that if DNS Firewall is
unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS
queries. To maintain application service level agreements, the company needs DNS queries to
continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall.
Which change should a network engineer implement to meet these requirements?
a. Update the DNS Firewall VPC configuration to enable fail open for the VPC
61. A company is migrating an existing application to a new AWS account. The company will deploy
the application in a single AWS Region by using one VPC and multiple Availability Zones. The
application will run on Amazon EC2 instances. Each Availability Zone will have several EC2
instances. The EC2 instances will be deployed in private subnets.

The company's clients will connect to the application by using a web browser with the HTTPS
protocol. Inbound connections must be distributed across the Availability Zones and EC2
instances. All connections from the same client session must be connected to the same EC2
instance. The company must provide end-to-end encryption for all connections between the
clients and the application by using the application SSL certificate.

Which solution will meet these requirements?

a. Create a Network Load Balancer. Create a target group. Set the protocol to TCP and the
port to 443 for the target group. Turn on session affinity (sticky sessions). Register the
EC2 instances as targets. Create a listener. Set the protocol to TCP and the port to 443 for
the listener. Deploy SSL certificates to the EC2 instances.
62. A company is developing an application in which IoT devices will report measurements to the
AWS Cloud. The application will have millions of end users. The company observes that the IoT
devices cannot support DNS resolution. The company needs to implement an Amazon EC2 Auto
Scaling solution so that the IoT devices can connect to an application endpoint without using
DNS.

Which solution will meet these requirements MOST cost-effectively?

a. Use a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto
Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the
NLB.
63. A company has deployed a new web application on Amazon EC2 instances behind an Application
Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise
customers from around the world will use the application. Employees of these enterprise
customers will connect to the application over HTTPS from office locations.
 The company must configure firewalls to allow outbound traffic to only approved IP addresses.
The employees of the enterprise customers must be able to access the application with the least
amount of latency.

Which change should a network engineer make in the infrastructure to meet these
requirements?
a. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator
endpoint
64. A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon
S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3
and Systems Manager travels through the NAT gateways. The company's network engineer must
centralize access to these services and must eliminate the need to use public endpoints.

Which solution will meet these requirements with the LEAST operational overhead?
a. Create a central shared services VPIn the central shared services VPC, create interface
VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS
is turned off. Connect all the VPCs to the central shared services VPC by using AWS
Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service
endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones
with all the VPCs. Create an alias record in each private hosted zone with the full AWS
service endpoint pointing to the interface VPC endpoint in the shared services VPC.
65. A company manages resources across VPCs in multiple AWS Regions. The company needs to
connect to the resources by using its internal domain name. A network engineer needs to apply
the aws.example.com DNS suffix to all resources.

What must the network engineer do to meet this requirement?

a. Create one Amazon Route 53 private hosted zone for aws.example.com. Associate the
private hosted zone with every VPC that has resources. In the private hosted zone,
create DNS records for all resources
66. An insurance company is planning the migration of workloads from its on-premises data center
to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional
DNS resolution between AWS and the existing on-premises environments must be established.
The workloads will be migrated into multiple VPCs. The workloads also have dependencies on
each other, and not all the workloads will be migrated at the same time.

Which solution meets these requirements?

a. Configure a private hosted zone for each application VPC, and create the requisite
records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in
an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises
domains to the on-premises DNS resolver. Associate the application VPC private hosted
zones with the egress VPC, and share the Route 53 Resolver rules with the application
accounts by using AWS Resource Access Manager. Configure the on-premises DNS
servers to forward the cloud domains to the Route 53 inbound endpoints
67. A global company runs business applications in the us-east-1 Region inside a VPC. One of the
company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN
connection tom the VPC. The company has configured a transit gateway and has set up peering
between the VPC and other VPCs that various departments in the company use.

Employees at the London office are experiencing latency issues when they connect to the
business applications.

What should a network engineer do to reduce this latency?

a. Create a new Site-to-Site VPN connection. Set the transit gateway as the target gateway.
Enable acceleration on the new Site-to-Site VPN connection. Update the VPN device in
the London office with the new connection details.
68. A company has a hybrid cloud environment. The company’s data center is connected to the AWS
Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are
connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a
transit VIF with a Direct Connect gateway for on-premises connectivity.

The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver
endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a
backend application in one of the VPCs.

The company uses a message-oriented architecture and employs Amazon Simple Queue Service
(Amazon SQS) to receive messages from other applications over a private network. A network
engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client
services must be able to access the endpoint service from on premises and from multiple VPCs
within the company's AWS infrastructure.

Which combination of steps should the network engineer take to ensure that the client
applications can resolve DNS for the interface endpoint? (Choose three.)
a. Create the interface endpoint for Amazon SQS with the option for private DNS names
turned off
b. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Add necessary
records that point to the interface endpoint. Associate the private hosted zones with
other VPCs
c. Access the SQS endpoint by using the public DNS name sqs.us-east-1 amazonaws.com in
VPCs and on premises
69. A company’s network engineer builds and tests network designs for VPCs in a development
account. The company needs to monitor the changes that are made to network resources and
must ensure strict compliance with network security policies. The company also needs access to
the historical configurations of network resources.

Which solution will meet these requirements?

a. Record the current state of network resources by using AWS Config. Create rules that
reflect the desired configuration settings. Set remediation for noncompliant resources.