
ANS-C01 Exam Prep Free

ANS-C01 Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day

Getting ready for the ANS-C01 certification? Our ANS-C01 Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.

Effective ANS-C01 exam prep free is the key to success. With our free practice questions, you can:

  • Get familiar with exam format and question style
  • Identify which topics you’ve mastered—and which need more review
  • Boost your confidence and reduce exam anxiety

Below, you will find 50 realistic ANS-C01 Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.

Question 1

A network engineer needs to provide dual-stack connectivity between a company's office location and an AWS account. The company's on-premises router supports dual-stack connectivity, and the VPC has been configured with dual-stack support. The company has set up two AWS Direct Connect connections to the office location. This connectivity must be highly available and must be reliable for latency-sensitive traffic.
Which solutions will meet these requirements? (Choose two.)

A. Configure a single private VIF on each Direct Connect connection. Add both IPv4 and IPv6 peering to each private VIF. Configure the on-premises equipment with the AWS-provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

B. Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS-provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

C. Configure a single private VIF and IPv4 peering on each Direct Connect connection. Configure the on-premises equipment with this peering to advertise the IPv6 routes in the same BGP neighbor configuration. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

D. Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS-provided BGP neighbors to advertise all IPv4 routes and IPv6 routes on all peering sessions. Keep the Bidirectional Forwarding Detection (BFD) configuration unchanged.

E. Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS-provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Reduce the BGP hello timer to 5 seconds on both the on-premises equipment and the Direct Connect configuration.

Correct Answer: AB

Question 2

A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office.
The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget.
What should the network engineer do to meet these requirements MOST cost-effectively?

A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).

B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.

C. Deploy Amazon WorkSpaces into the application VPC. Instruct the remote employees to connect to WorkSpaces.

D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.

Correct Answer: B

Question 3

A company's AWS environment has two VPCs. VPC A has a CIDR block of 192.168.0.0/16. VPC B has a CIDR block of 10.0.0.0/16. Each VPC is deployed in a separate AWS Region. The company has remote users who work outside the company's offices. These users need to connect to an application that is running in the VPCs.
Traffic to and from the VPCs over the internet must be encrypted. A network engineer must set up connectivity between the remote users and the VPCs.
Which combination of steps should the network engineer take to meet these requirements with the LEAST management overhead? (Choose three.)

A. Establish an AWS Site-to-Site VPN connection between VPC A and VPC B.

B. Establish a VPC peering connection between VPC A and VPC B.

C. Create an AWS Client VPN endpoint in VPC A and VPC B. Add an authorization rule to grant access to VPC A and VPC B.

D. Create an AWS Client VPN endpoint in VPC A. Add an authorization rule to grant access to VPC A and VPC B.

E. Add a route to the AWS Client VPN endpoint's route table to direct traffic to VPC A.

F. Add a route to the AWS Client VPN endpoint's route table to direct traffic to VPC B.

Correct Answer: DEF

Question 4

A company is deploying a web application into two AWS Regions. The company has one VPC in each Region. Each VPC has three Amazon EC2 instances as web servers behind an Application Load Balancer (ALB). The company already has configured an Amazon Route 53 public hosted zone for example.com. Users will access the application by using the fully qualified domain name (FQDN) of app.example.com.
The company needs a DNS solution that allows global users to access the application. The solution must route the users' requests to the Region that provides the lowest response time. The solution must fail over to the Region that provides the next-lowest response time if the application is unavailable in the initially intended Region.
Which solution will meet these requirements?

A. For each ALB, create an A record that has a geolocation routing policy to route app.example.com to the IP addresses of the ALB. Configure a Route 53 HTTP health check that monitors each ALB by IP address. Associate the health check with the A records.

B. Create an A record that has a geolocation routing policy to route app.example.com to the IP addresses for both ALBs. Configure a Route 53 health check that monitors TCP port 80 for each ALB by IP address. Associate the health check with the A records.

C. Create an A record that has a latency-based routing policy to route app.example.com as an alias to one of the ALBs. Configure a Route 53 health check that monitors TCP port 80 for each ALB by IP address. Associate the health check with the A records.

D. For each ALB, create an A record that has a latency-based routing policy to route app.example.com as an alias to the ALB. Set the value for Evaluate Target Health to Yes for the records.

Correct Answer: D

Question 5

A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?

A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more specific to point to the primary SD-WAN virtual appliance.

B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.

C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.

D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.

Correct Answer: C

Question 6

A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?

A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.

B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.

C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.

D. Modify the transit gateway by selecting multicast support.

Correct Answer: B

Question 7

A company is deploying AWS Cloud WAN with edge locations in the us-east-1 Region and the ap-southeast-2 Region. Individual AWS Cloud WAN segments are configured for the development environment, the production environment, and the shared services environment at each edge location. Many new VPCs will be deployed for the environments and will be configured as attachments to the AWS Cloud WAN core network.
The company's network team wants to ensure that VPC attachments are configured for the correct segment. The network team will tag the VPC attachments by using the Environment key with a value of the corresponding environment segment name. The segment for the production environment in us-east-1 must require acceptance for attachment requests. All other attachment requests must not require acceptance.
Which solution will meet these requirements?

A. Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or" value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.

B. Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.

C. Create a rule with a number of 100 that does not require acceptance to map any tag:Environment values to their respective segments. Create a rule with a number of 200 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1.

D. Create a rule with a number of 100 that does not require acceptance to map any tag:Environment values to their respective segments. Create a rule with a number of 200 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or" value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1.

Correct Answer: B
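Why the rule order and the "and" logic matter is easier to see by evaluating the rules than by reading them. The following is an added example, not part of the original page and not AWS code: a small offline evaluator that mirrors the shape of the attachment-policies section of a Cloud WAN core network policy (ascending rule-number, first match wins, "and"/"or" condition logic, "constant" or "tag" association). The two policy documents it builds are constructed for this example; segment names, tag values and the helper names are assumptions.

```python
"""Offline evaluator for Cloud WAN-style attachment policy rules.

Added example, not from the original page or from AWS. The policy
documents built here are constructed for illustration.
"""
from typing import Optional, Tuple


def _condition_matches(cond: dict, attachment: dict) -> bool:
    """Evaluate one condition against an attachment's tags and Region."""
    ctype = cond["type"]
    if ctype == "tag-value":
        return attachment["tags"].get(cond["key"]) == cond["value"]
    if ctype == "tag-exists":
        return cond["key"] in attachment["tags"]
    if ctype == "region":
        return attachment["region"] == cond["value"]
    raise ValueError(f"unsupported condition type: {ctype}")


def _rule_matches(rule: dict, attachment: dict) -> bool:
    """Apply the rule's condition logic ("and" is the default when omitted)."""
    results = [_condition_matches(c, attachment) for c in rule["conditions"]]
    if rule.get("condition-logic", "and") == "or":
        return any(results)
    return all(results)


def evaluate_attachment(policy: dict, attachment: dict) -> Optional[Tuple[str, bool]]:
    """Return (segment, require_acceptance) from the first matching rule, or None.

    Rules are evaluated in ascending rule-number order; later rules are
    never consulted once one has matched.
    """
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        if not _rule_matches(rule, attachment):
            continue
        action = rule["action"]
        if action["association-method"] == "constant":
            segment = action["segment"]
        else:  # "tag": the segment name is the value of the named tag
            segment = attachment["tags"][action["tag-value-of-key"]]
        return segment, bool(action.get("require-acceptance", False))
    return None


def build_policy(production_logic: str) -> dict:
    """Constructed policy: rule 100 gates production in us-east-1, rule 200 maps the rest."""
    return {
        "attachment-policies": [
            {
                "rule-number": 100,
                "condition-logic": production_logic,  # "and" (correct) or "or" (too broad)
                "conditions": [
                    {"type": "tag-value", "operator": "equals", "key": "Environment", "value": "production"},
                    {"type": "region", "operator": "equals", "value": "us-east-1"},
                ],
                "action": {"association-method": "constant", "segment": "production", "require-acceptance": True},
            },
            {
                "rule-number": 200,
                "conditions": [{"type": "tag-exists", "key": "Environment"}],
                "action": {"association-method": "tag", "tag-value-of-key": "Environment", "require-acceptance": False},
            },
        ]
    }


if __name__ == "__main__":
    dev_in_us_east_1 = {"region": "us-east-1", "tags": {"Environment": "development"}}
    # With "and", the development VPC falls through to rule 200 and lands in its own segment.
    print(evaluate_attachment(build_policy("and"), dev_in_us_east_1))  # ('development', False)
    # With "or", the Region condition alone matches rule 100: the development VPC is
    # forced into the production segment and held for acceptance.
    print(evaluate_attachment(build_policy("or"), dev_in_us_east_1))   # ('production', True)
```

The "or" variant also pulls production attachments in ap-southeast-2 into the acceptance queue, which the requirement forbids; the reverse ordering (options C and D) never reaches the gating rule because rule 100 already matched on the tag. The schema is simplified: the real policy document carries more condition types and a segment-level acceptance setting that this evaluator does not model.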

Question 8

A company has an AWS Site-to-Site VPN connection between AWS and its branch office. A network engineer is troubleshooting connectivity issues that the connection is experiencing. The VPN connection terminates at a transit gateway and is statically routed. In the transit gateway route table, there are several static route entries that target specific subnets at the branch office.
The network engineer determines that the root cause of the issues was the expansion of underlying subnet ranges in the branch office during routine maintenance.
Which solution will solve this problem with the LEAST administrative overhead for future expansion efforts?

A. Determine a supernet for the branch office. In the transit gateway route table, add an aggregate route that targets the VPN attachment. Replace the specific subnet routes in the transit gateway route table with the new supernet route.

B. Create an AWS Direct Connect gateway and a transit VIF. Associate the Direct Connect gateway with the transit gateway. Create a propagation for the Direct Connect attachment to the transit gateway route table.

C. Create a dynamically routed VPN connection on the transit gateway. Connect the dynamically routed VPN connection to the branch office. Create a propagation for the VPN attachment to the transit gateway route table. Remove the existing static VPN connection.

D. Create a prefix list that contains the new subnets and the old subnets for the branch office. Remove the specific subnet routes in the transit gateway route table. Create a prefix list reference in the transit gateway route table.

Correct Answer: A
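The part of option A that bites in practice is choosing the supernet: too narrow and the next expansion breaks again, too wide and the aggregate overlaps a VPC CIDR or another site and silently steals part of its traffic. The following is an added example, not from the original page: it computes the smallest prefix covering a set of branch subnets with the standard library, checks the result against the prefixes already in the transit gateway route table, and reports how much unused space the aggregate commits to the VPN attachment. All CIDRs and function names are constructed for this example.

```python
"""Plan an aggregate (supernet) route for a statically routed branch office.

Added example, not from the original page. All CIDRs are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def smallest_supernet(cidrs: Iterable[str]) -> IPNetwork:
    """Return the smallest prefix that contains every network in `cidrs`."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    if not nets:
        raise ValueError("need at least one network")
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot aggregate IPv4 and IPv6 prefixes together")
    # Widen the first network one bit at a time until it covers all of them.
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def overlapping_routes(aggregate: IPNetwork, existing: Iterable[str]) -> List[IPNetwork]:
    """Return the prefixes in `existing` (VPC CIDRs, other sites) that overlap the aggregate."""
    found = []
    for c in existing:
        net = ipaddress.ip_network(c, strict=True)
        if net.version == aggregate.version and net.overlaps(aggregate):
            found.append(net)
    return found


def plan_aggregate_route(branch_subnets: Iterable[str],
                         tgw_prefixes: Iterable[str]) -> Tuple[IPNetwork, List[IPNetwork], int]:
    """Return (supernet, conflicting prefixes, addresses routed to the VPN but unused on-site)."""
    subnets = list(branch_subnets)
    aggregate = smallest_supernet(subnets)
    conflicts = overlapping_routes(aggregate, tgw_prefixes)
    # collapse_addresses removes duplicate and nested branch subnets before counting.
    in_use = sum(n.num_addresses for n in ipaddress.collapse_addresses(
        ipaddress.ip_network(c, strict=True) for c in subnets))
    return aggregate, conflicts, aggregate.num_addresses - in_use


if __name__ == "__main__":
    branch = ["10.10.1.0/24", "10.10.2.0/24", "10.10.5.0/24"]   # constructed branch subnets
    tgw = ["10.0.0.0/16", "192.168.0.0/16"]                      # constructed VPC CIDRs on the TGW
    aggregate, conflicts, spare = plan_aggregate_route(branch, tgw)
    print(f"static route {aggregate} -> VPN attachment; conflicts={conflicts}; spare={spare}")
```

Run the check again before every edit of the aggregate: an overlap result is not cosmetic, because the transit gateway picks the most specific matching route, so a branch supernet that sits inside a VPC CIDR hijacks that slice of the VPC, and a static route is preferred over a propagated one for the same prefix. If the branch keeps growing past what one prefix can cover cleanly, that is the point at which option C (BGP over the VPN) stops being overhead and starts being the simpler design.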

Question 9

A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS.
The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application.
Which configuration will meet these requirements?

A. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a NAT gateway in a public subnet. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add a default route to the NAT gateway. Add routes for the data center subnets to the virtual private gateway. Deploy the application to the private subnets.

B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.

C. Create a VPC that has public subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the public subnets.

D. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the private subnets.

Correct Answer: B

Question 10

An application team for a startup company is deploying a new multi-tier application into the AWS Cloud. The application will be hosted on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind a publicly accessible Network Load Balancer (NLB). The application requires the clients to work with UDP traffic and TCP traffic.
In the near term, the application will serve only users within the same geographic location. The application team plans to extend the application to a global audience and will move the deployment to multiple AWS Regions around the world to bring the application closer to the end users. The application team wants to use the new Regions to deploy new versions of the application and wants to be able to control the amount of traffic that each Region receives during these rollouts. In addition, the application team must minimize first-byte latency and jitter (randomized delay) for the end users.
How should the application team design the network architecture for the application to meet these requirements?

A. Create an Amazon CloudFront distribution to align to each Regional deployment. Set the NLB for each Region as the origin for each CloudFront distribution. Use an Amazon Route 53 weighted routing policy to control traffic to the newer Regional deployments.

B. Create an AWS Global Accelerator accelerator and listeners for the required ports. Configure endpoint groups for each Region. Configure a traffic dial for the endpoint groups to control traffic to the newer Regional deployments. Register the NLBs with the endpoint groups.

C. Use Amazon S3 Transfer Acceleration for the application in each Region. Adjust the amount of traffic that each Region receives from the Transfer Acceleration endpoints to the Regional NLBs.

D. Create an Amazon CloudFront distribution that includes an origin group. Set the NLB for each Region as the origins for the origin group. Use an Amazon Route 53 latency routing policy to control traffic to the new Regional deployments.

Correct Answer: B

Question 11

A network engineer configures a second AWS Direct Connect connection to an existing network. The network engineer runs a test in the AWS Direct Connect Resiliency Toolkit on the connections. The test produces a failure. During the failover event, the network engineer observes a 90-second interruption before traffic shifts to the failover connection.
Which solution will reduce the time for failover?

A. Decrease the BGP hello timer to 5 seconds.

B. Add a VPN connection to the connectivity solution. Implement fast failover.

C. Configure Bidirectional Forwarding Detection (BFD) on the on-premises router.

D. Decrease the BGP hold-down timer to 5 seconds.

Correct Answer: C

Question 12

A company has developed a web service for language translation. The web service's application runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) and are deployed in a private subnet. The web service can process requests that contain hundreds of megabytes of data.
The company needs to give some customers the ability to access the web service. Each customer has its own AWS account. The company must make the web service accessible to approved customers without making the web service accessible to all customers.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)

A. Create VPC peering connections with the approved customers only.

B. Create an AWS PrivateLink endpoint service. Configure the endpoint service to require acceptance that will be granted to approved customers only.

C. Configure an authentication action for the endpoint service's load balancer to allow customers to log in by using their AWS credentials. Provide only approved customers with the URL.

D. Configure a Network Load Balancer (NLB) and a listener with the ALB as a target. Associate the NLB with the endpoint service.

E. Associate the ALB with the endpoint service.

Correct Answer: BD

Question 13

A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB.
The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process.
What should a network engineer do to resolve this issue?

A. Modify the ALB listener configuration. Edit the rule that forwards traffic to the target group. Change the rule to enable group-level stickiness. Set the duration to the maximum application session length.

B. Replace the ALB with a Network Load Balancer. Create a TLS listener. Create a new target group with the protocol type set to TLS. Register the EC2 instances. Modify the target group configuration by enabling the stickiness attribute.

C. Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.

D. Remove the ALB. Create an Amazon Route 53 rule with a failover routing policy for the application name. Configure ACM to issue certificates for each EC2 instance.

Correct Answer: C

Question 14

A company is using a shared services VPC with two domain controllers. The domain controllers are deployed in the company's private subnets. The company is deploying a new application into a new VPC in the account. The application will be deployed onto an Amazon EC2 for Windows Server instance in the new VPC. The instance must join the existing Windows domain that is supported by the domain controllers in the shared services VPC.
A transit gateway is attached to both the shared services VPC and the new VPC. The company has updated the route tables for the transit gateway, the shared services VPC, and the new VPC. The security groups for the domain controllers and the instance are updated and allow traffic only on the ports that are necessary for domain operations. The instance is unable to join the domain that is hosted on the domain controllers.
Which combination of actions will help identify the cause of this issue with the LEAST operational overhead? (Choose two.)

A. Use AWS Network Manager to perform a route analysis for the transit gateway network. Specify the existing EC2 instance as the source. Specify the first domain controller as the destination. Repeat the route analysis for the second domain controller.

B. Use port mirroring with the existing EC2 instance as the source and another EC2 instance as the target to obtain packet captures of the connection attempts.

C. Review the VPC flow logs on the shared services VPC and the new VPC.

D. Issue a ping command from one of the domain controllers to the existing EC2 instance.

E. Ensure that route propagation is turned off on the shared services VPC.

Correct Answer: AC

Question 15

A company has three VPCs in a single AWS Region. Each VPC contains 15 Amazon EC2 instances, and no connectivity exists between the VPCs.
The company is deploying a new application across all three VPCs. The application requires high bandwidth between the nodes. A network engineer must implement connectivity between the VPCs.
Which solution will meet these requirements with the HIGHEST throughput?

A. Configure a transit gateway. Attach each VPC to the transit gateway. Configure static routing in each VPC to route traffic to the transit gateway.

B. Configure VPC peering between the three VPCs. Configure static routing to route traffic between the three VPCs.

C. Configure a transit VPC. Configure a VPN gateway in each VPC. Create an AWS Site-to-Site VPN tunnel from each VPC to the transit VPC. Use BGP routing to route traffic between the VPCs and the transit VPC.

D. Configure AWS Site-to-Site VPN connections between each VPC. Enable route propagation for each Site-to-Site VPN connection to route traffic between the VPCs.

Correct Answer: B

Question 16

A company has two on-premises data centers. The first data center is in the us-east-1 Region. The second data center is in the us-east-2 Region. Each data center connects to the closest AWS Direct Connect facility. The company uses Direct Connect connections, transit VIFs, and a single Direct Connect gateway to establish connectivity to VPCs in us-east-1 and us-east-2 from the company's data centers. The company also has private connectivity from a telecommunications provider that connects the first data center to the second data center.
Recently, there have been multiple connection disruptions to the private connectivity between the data centers. The company needs a solution to improve the reliability of the connection between the two data centers.
Which solution will meet these requirements?

A. Create a new Direct Connect gateway. Enable the Direct Connect SiteLink feature on the transit VIF. Share the CIDR blocks from the first data center and the second data center with each other.

B. Create a new public VIF to both Regions. Enable the Direct Connect SiteLink feature on the new public VIF.

C. Enable the Direct Connect SiteLink feature on the existing Direct Connect connections.

D. Enable the Direct Connect SiteLink feature on the existing transit VIFs that are attached to the existing Direct Connect gateway.

Correct Answer: D

Question 17

A company recently experienced an IP address exhaustion event in its VPCs. The event affected service capacity. The VPCs hold two or more subnets in different Availability Zones.
A network engineer needs to develop a solution that monitors IP address usage across resources in the VPCs. The company needs to receive notification about possible issues so that the company can act before an incident happens.
Which solution will meet these requirements with the LEAST operational overhead?

A. Set up Amazon VPC IP Address Manager (IPAM) with a new top-level pool. In the top-level pool, create a pool for each VPC. In each VPC pool, create a pool for each subnet in that VPC. Turn on the auto-import option for the VPC pools and the subnet pools. Configure an Amazon CloudWatch alarm to send an Amazon Simple Notification Service (Amazon SNS) notification if the availability limit threshold is reached.

B. Set up a log group in Amazon CloudWatch Logs for each subnet. Create an AWS Lambda function that reads each subnet's IP address usage and publishes metrics to the log group. Configure an Amazon CloudWatch alarm to send an Amazon Simple Notification Service (Amazon SNS) notification if the availability limit threshold is reached.

C. Set up a custom Amazon CloudWatch metric for IP address usage for each subnet. Create an AWS Lambda function that reads each subnet's IP address usage and publishes a CloudWatch metric dimension. Schedule the Lambda function to run every 5 minutes. Configure a CloudWatch alarm to send an Amazon Simple Notification Service (Amazon SNS) notification if the availability limit threshold is reached.

D. Set up Amazon VPC IP Address Manager (IPAM) with a new top-level pool. In the top-level pool, create a pool for each VPC. In each VPC pool, create a pool for each subnet in that VPC. Turn on the auto-import option for the VPC pools and the subnet pools. Configure an Amazon EventBridge rule that monitors each pool availability limit threshold and sends an Amazon Simple Notification Service (Amazon SNS) notification if the limit threshold is reached.

Correct Answer: A

Question 18

A financial company offers investment forecasts and recommendations to authorized users through the internet. All the services are hosted in the AWS Cloud. A new compliance requirement states that all the internet service traffic from any host must be logged and retained for 2 years. In its development AWS accounts, the company has designed, tested, and verified a solution that uses Amazon VPC Traffic Mirroring with a Network Load Balancer (NLB) as the traffic mirror target. While the solution runs in one AWS account, the solution mirrors the traffic to another AWS account.
A network engineer notices that not all traffic is mirrored when the solution is deployed into the production environment. The network engineer also notices that this behavior is random.
Which statements are possible explanations for why not all the traffic is mirrored? (Choose two.)

A. The security groups are misconfigured on the production AWS account that hosts the company's services.

B. The Amazon EC2 instance that is being monitored cannot handle the extra traffic that Traffic Mirroring has introduced.

C. The IAM policy that allows the creation of traffic mirror sessions is misconfigured.

D. The mirrored traffic has a lower priority than the production traffic and is being dropped when network congestion occurs.

E. The NLB is experiencing warm-up delay because of sudden and significant increases in traffic.

Correct Answer: BD

Question 19

A network engineer is designing a hybrid architecture that uses a 1 Gbps flaws Direct Connect connection between the company's data center and two flaws Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?

A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

 


Correct Answer: D

Question 20

A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website has static content such as images. The company is using Amazon S3 to store the content.
The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpages. The company is using AWS Direct Connect with a public VIF for on-premises connectivity to the S3 bucket.
A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing through a NAT gateway. As traffic increases, the company's costs are increasing. The network engineer needs to change the connectivity to reduce the NAT gateway costs that result from the traffic between the EC2 instances and Amazon S3.
Which solution will meet these requirements?

A. Create a Direct Connect private VIF. Migrate the traffic from the public VIF to the private VIF.

B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF.

C. Implement interface VPC endpoints for Amazon S3. Update the VPC route table.

D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table.

 


Correct Answer: D

Question 21

A company has an internal web-based application that employees use. The company hosts the application over a VPN in the company’s on-premises network. The application runs on a fleet of Amazon EC2 instances in a private subnet behind a Network Load Balancer (NLB) in the same subnet. The instances are in an Amazon EC2 Auto Scaling group.
During a recent security incident, SQL injection occurred on the application. A network engineer must implement a solution to prevent SQL injection attacks in the future.
Which combination of steps will meet these requirements? (Choose three.)

A. Create an AWS WAF web ACL that includes rules to block SQL injection attacks.

B. Create an Amazon CloudFront distribution. Specify the EC2 instances as the origin.

C. Replace the NLB with an Application Load Balancer.

D. Associate the AWS WAF web ACL with the NLB.

E. Associate the AWS WAF web ACL with the Application Load Balancer.

F. Associate the AWS WAF web ACL with the Amazon CloudFront distribution.

 


Correct Answer: ACE

Question 22

A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. The company's existing architecture includes a VPC that uses RFC 1918 IP address space. The VPC is connected to an on-premises data center over AWS Direct Connect. Amazon Route 53 provides name resolution within the VPC. Locally managed DNS servers in the data center provide DNS services to the on-premises hosts.
The company has applications in the data center that need to download objects from an Amazon S3 bucket in us-west-2.
Which solution can the company use to access Amazon S3 without using the public IP address space?

A. Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.

B. Create an S3 interface endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.

C. Create an S3 gateway endpoint in the VPC. Update the on-premises application configuration to use the hostname that is mapped to the S3 gateway endpoint.

D. Create an S3 gateway endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.

 


Correct Answer: B

Question 23

A company is planning to host external websites on AWS. The websites will include multiple tiers such as web servers, application logic services, and databases. The company wants to use AWS Network Firewall, AWS WAF, and VPC security groups for network security.
The company must ensure that the Network Firewall firewalls are deployed appropriately within relevant VPCs. The company needs the ability to centrally manage policies that are deployed to Network Firewall and AWS WAF rules. The company also needs to allow application teams to manage their own security groups while ensuring that the security groups do not allow overly permissive access.
What is the MOST operationally efficient solution that meets these requirements?

A. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use CloudFormation to update the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.

B. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use the AWS Management Console or the AWS CLI to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to invoke an AWS Lambda function to evaluate the configured rules and remove any overly permissive rules.

C. Deploy AWS WAFv2 IP sets and AWS WAFv2 web ACLs with AWS CloudFormation. Use AWS Firewall Manager to deploy Network Firewall firewalls and VPC security groups where required and to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups.

D. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use AWS Firewall Manager to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.

 


Correct Answer: D

Question 24

A European car manufacturer wants to migrate its customer-facing services and its analytics platform from two on-premises data centers to the AWS Cloud. The company has a 50-mile (80.4 km) separation between its on-premises data centers and must maintain that separation between its two locations in the cloud. The company also needs failover capabilities between the two locations in the cloud.
The company's infrastructure team creates several accounts to separate workloads and responsibilities. The company provisions resources in the eu-west-3 Region and in the eu-central-1 Region. The company selects an AWS Direct Connect Partner in each Region and requests two resilient 1 Gbps fiber connections from each provider.
The company's network engineer must establish a connection between all VPCs in the accounts and between the on-premises network and the AWS Cloud. The solution must provide access to all services in both Regions in case of network issues.
Which solution will meet these requirements?

A. Create a Direct Connect gateway. Create a private VIF on each of the Direct Connect connections. Attach the private VIFs to the Direct Connect gateway. Use equal-cost multi-path (ECMP) routing to aggregate the four connections across the two Regions. Attach the Direct Connect gateway directly to each VPC’s virtual private gateway.

B. Create a Direct Connect gateway. Create a transit gateway. Attach the transit gateway to the Direct Connect gateway. Create a transit VIF on each of the Direct Connect connections. Attach the transit VIFs to the Direct Connect gateway. Use a link aggregation group (LAG) to aggregate the four connections across the two Regions. Attach the transit gateway directly to each VPC.

C. Create a Direct Connect gateway. Create a transit gateway in each Region. Attach the transit gateways to the Direct Connect gateway. Create a transit VIF on each of the Direct Connect connections. Attach the transit VIFs to the Direct Connect gateway. Peer the transit gateways. Attach the transit gateways in each Region to the VPCs in the same Region.

D. Create a Direct Connect gateway. Create a private VIF on each of the Direct Connect connections. Attach the private VIFs to the Direct Connect gateway. Use a link aggregation group (LAG) to aggregate the four connections across the two Regions. Create a transit gateway. Attach the transit gateway to the Direct Connect gateway. Attach the transit gateway directly to each VPC.

 


Correct Answer: C

Question 25

A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?

A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.

B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.

C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.

D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

 


Correct Answer: B

Question 26

A marketing company is using hybrid infrastructure through AWS Direct Connect links and a software-defined wide area network (SD-WAN) overlay to connect its branch offices. The company connects multiple VPCs to a third-party SD-WAN appliance transit VPC within the same account by using AWS Site-to-Site VPNs.
The company is planning to connect more VPCs to the SD-WAN appliance transit VPC. However, the company faces challenges of scalability, route table limitations, and higher costs with the existing architecture. A network engineer must design a solution to resolve these issues and remove dependencies.
Which solution will meet these requirements with the LEAST amount of operational overhead?

A. Configure a transit gateway to attach the VPCs. Configure a Site-to-Site VPN connection between the transit gateway and the third-party SD-WAN appliance transit VPC. Use the SD-WAN overlay links to connect to the branch offices.

B. Configure a transit gateway to attach the VPCs. Configure a transit gateway Connect attachment for the third-party SD-WAN appliance transit VPC. Use transit gateway Connect native integration of SD-WAN virtual hubs with AWS Transit Gateway.

C. Configure a transit gateway to attach the VPCs. Configure VPC peering between the VPCs and the third-party SD-WAN appliance transit VPC. Use the SD-WAN overlay links to connect to the branch offices.

D. Configure VPC peering between the VPCs and the third-party SD-WAN appliance transit VPC. Use transit gateway Connect native integration of SD-WAN virtual hubs with AWS Transit Gateway.

 


Correct Answer: B

Question 27

A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment.
The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS environment to the on-premises network.
Which combination of steps should the network engineer take to establish VPN connectivity between the transit gateway and the on-premises network? (Choose three.)

A. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).

B. Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).

C. Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.

D. Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.

E. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device’s external interface.

F. Create a customer gateway without specifying the IP address of the customer gateway device.

 


Correct Answer: BCF

Question 28

A company has an AWS Site-to-Site VPN connection between its office and its VPC. Users report occasional failure of the connection to the application that is hosted inside the VPC. A network engineer discovers in the customer gateway logs that the Internet Key Exchange (IKE) session ends when the connection to the application fails.
What should the network engineer do to bring up the IKE session if the IKE session goes down?

A. Set the dead peer detection (DPD) timeout action to Clear. Initiate traffic from the VPC to on premises.

B. Set the dead peer detection (DPD) timeout action to Restart. Initiate traffic from on premises to the VPC.

C. Set the dead peer detection (DPD) timeout action to None. Initiate traffic from the VPC to on premises.

D. Set the dead peer detection (DPD) timeout action to Cancel. Initiate traffic from on premises to the VPC.

 


Correct Answer: B

Question 29

A company's security guidelines state that all outbound traffic from a VPC to the company's on-premises data center must pass through a security appliance. The security appliance runs on an Amazon EC2 instance. A network engineer needs to improve the network performance between the on-premises data center and the security appliance.
Which actions should the network engineer take to meet these requirements? (Choose two.)

A. Use an EC2 instance that supports enhanced networking.

B. Send outbound traffic through a transit gateway.

C. Increase the EC2 instance size.

D. Place the EC2 instance in a placement group within the VPC.

E. Attach multiple elastic network interfaces to the EC2 instance.

 


Correct Answer: AD

Question 30

A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)

A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.

B. The security group is blocking traffic to the IP address range used by Amazon SQS.

C. There is no interface VPC endpoint configured for Amazon SQS.

D. The network ACL is blocking return traffic from Amazon SQS.

E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.

 


Correct Answer: CE

Question 31

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances.
What should the company do next to meet these requirements?

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.

B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

 


Correct Answer: B

Question 32

A company has a single VPC in the us-east-1 Region. The company is planning to set up a new VPC in the us-east-2 Region. The existing VPC has an AWS Site-to-Site VPN connection to the company's on-premises environment and uses a virtual private gateway.
A network engineer needs to implement a solution to establish connectivity between the existing VPC and the new VPC. The solution also must implement support for IPv6 for the new VPC. The company has new on-premises resources that need to connect to VPC resources by using IPv6 addresses.
Which solution will meet these requirements?

A. Create a new virtual private gateway in us-east-1. Attach the new virtual private gateway to the new VPC. Create two new Site-to-Site VPN connections to the new virtual private gateway with IPv4 and IPv6 support. Configure routing between the VPCs by using VPC peering.

B. Create a transit gateway in us-east-1 and in us-east-2. Attach the existing VPC and the new VPC to each transit gateway. Create a new Site-to-Site VPN connection to each transit gateway with IPv4 and IPv6 support. Configure transit gateway peering. Configure routing between the VPCs and the on-premises environment.

C. Create a new virtual private gateway in us-east-2. Attach the new virtual private gateway to the new VPC. Create two new Site-to-Site VPN connections to the new virtual private gateway with IPv4 and IPv6 support. Configure routing between the VPCs by using VPC peering.

D. Create a transit gateway in us-east-1. Attach the existing VPC and the new VPC to the transit gateway. Create two new Site-to-Site VPN connections to the transit gateway with IPv4 and IPv6 support. Configure transit gateway peering. Configure routing between the VPCs and the on-premises environment.

 


Correct Answer: D

Question 33

A company has two AWS Direct Connect links. One Direct Connect link terminates in the us-east-1 Region, and the other Direct Connect link terminates in the af-south-1 Region. The company is using BGP to exchange routes with AWS.
How should a network engineer configure BGP to ensure that af-south-1 is used as a secondary link to AWS?

A. • On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7100
• On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7300
• On the Direct Connect BGP peer to us-east-1, set the local preference value to 200
• On the Direct Connect BGP peer to af-south-1, set the local preference value to 50

B. • On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300
• On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100
• On the Direct Connect BGP peer to us-east-1, set the local preference value to 200
• On the Direct Connect BGP peer to af-south-1, set the local preference value to 50

C. • On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7100
• On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7300
• On the Direct Connect BGP peer to us-east-1, set the local preference value to 50
• On the Direct Connect BGP peer to af-south-1, set the local preference value to 200

D. • On the Direct Connect link to us-east-1, configure BGP peering to use community tag 7224:7300
• On the Direct Connect link to af-south-1, configure BGP peering to use community tag 7224:7100
• On the Direct Connect BGP peer to us-east-1, set the local preference value to 50
• On the Direct Connect BGP peer to af-south-1, set the local preference value to 200

 


Correct Answer: A

Question 34

A company has users who work from home. The company wants to move these users to Amazon WorkSpaces for additional security visibility.
The company has deployed WorkSpaces in its own AWS account in VPC A. A network engineer decides to provide the security visibility by using two firewall appliances behind a Gateway Load Balancer (GWLB). The network engineer provisions another VPC, VPC B, in a separate account and deploys the two firewall appliances in separate Availability Zones.
What should the network engineer do to configure the network connectivity for this solution?

A. Create a GWLB in VPC A with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.

B. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint.

C. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the WorkSpaces subnet to the VPC endpoint.

D. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the account that contains the firewall appliances to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.

 


Correct Answer: B

Question 35

A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.
The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.
What should the network engineer do to troubleshoot and correct the issue?

A. Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.

B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.

C. Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.

D. Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.

 


Correct Answer: B

Question 36

A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway.
A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on the traffic must be logged in a central log account.
Which solution will meet these requirements with the LEAST administrative overhead?

A. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Gateway Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create an Amazon S3 bucket in the central log account. Configure the firewall appliances to capture and save the network flow logs to the S3 bucket.

B. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Application Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create a syslog server in the central log account. Configure the firewall appliances to capture and save the network flow logs to the syslog server.

C. Deploy network ACLs and security groups to each VPC. Attach the security groups to active network interfaces. Associate the network ACLs with VPC subnets. Create rules for the network ACLs and security groups to allow only the required traffic flows between subnets and network interfaces. Create an Amazon S3 bucket in the central log account. Configure a VPC flow log that captures and saves all traffic flows to the S3 bucket.

D. Create a central log VPC and an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Network Load Balancer (NLB) that is backed by third-party, next-generation intrusion detection system (IDS) security appliances to the central VPC. Activate rules on the security appliances to monitor for intrusion signatures. For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC’s NLB.

 


Correct Answer: A

Question 37

A company’s network engineer must implement a cloud-based networking environment for a network operations team to centrally manage. Other teams will use the environment. Each team must be able to deploy infrastructure to the environment and must be able to manage its own resources. The environment must feature IPv4 and IPv6 support and must provide internet connectivity in a dual-stack configuration.
The company has an organization in AWS Organizations that contains a workload account for the teams. The network engineer creates a new networking account in the organization.
Which combination of steps should the network engineer take next to meet the requirements? (Choose three.)

A. Create a new VPC. Associate an IPv4 CIDR block of 10.0.0.0/16 and specify an IPv6 block of 2001:db8:c5a:6000::/56. Provision subnets by assigning /24 IPv4 CIDR blocks and /64 IPv6 CIDR blocks.

B. Create a new VPC. Associate an IPv4 CIDR block of 10.0.0.0/16 and use an Amazon-provided IPv6 CIDR block. Provision subnets by assigning /24 IPv4 CIDR blocks and /64 IPv6 CIDR blocks.

C. Enable sharing of resources within the organization by using AWS Resource Access Manager (AWS RAM). Create a resource share in the networking account, select the provisioned subnets, and share the provisioned subnets with the target workload account. Use the workload account to accept the resource share through AWS RAM.

D. Enable sharing of resources within the organization by using AWS Resource Access Manager (AWS RAM). Create a resource share in the networking account, select the new VPC, and share the new VPC with the target workload account. Use the workload account to accept the resource share through AWS RAM.

E. Create an internet gateway and an egress-only internet gateway. Deploy NAT gateways to the public subnets. Associate the internet gateway with the new VPC. Update the route tables. Associate the route tables with the relevant subnets.

F. Create an internet gateway. Deploy NAT instances to public subnets. Update the route tables. Associate the route tables with the relevant subnets.

 


Correct Answer: ACE

Question 38

A company is migrating an application to the AWS Cloud. The company has successfully provisioned and tested connectivity between AWS Direct Connect and the company's on-premises data center. The application runs on Amazon EC2 instances across multiple Availability Zones. The instances are in an Auto Scaling group.
The application communicates through HTTPS to a third-party vendor's data service that is hosted at the company’s data center. The data service implements a static ACL through explicit allow listing of client IP addresses.
A network engineer must design a network solution so that the migrated application can continue to access the vendor’s data service as the application scales.
Which solution will meet these requirements with the LEAST amount of ongoing change to the vendor's allow list?

A. Configure a private NAT gateway in the subnets for each Availability Zone that the application runs in. Configure the application to target the NAT gateways instead of the data service directly. Update the data service’s allow list to include the IP addresses of the NAT gateways.

B. Configure an elastic network interface in the subnets for each Availability Zone that the application runs in. Associate the elastic network interfaces with the Auto Scaling group for the application. Update the data service’s allow list to include the IP addresses of the elastic network interfaces.

C. Configure an elastic network interface in the subnets for each Availability Zone that the application runs in. Launch an EC2 instance into each subnet. Attach the respective elastic network interfaces to the new EC2 instances. In the application subnet route tables, configure the new EC2 instances as the next destination for the data service. Update the data service’s allow list to include the IP addresses of the elastic network interfaces.

D. Configure an Application Load Balancer (ALB) in the subnets for each Availability Zone that the application runs in. Configure an ALB-associated target group that contains a target that uses the IP address for the data service. Configure the application to target the ALB instead of the data service directly. Update the data service’s allow list to include the IP addresses of the ALBs.

Correct Answer: A

Question 39

An online retail company is running a web application in the us-west-2 Region and serves consumers in the United States. The company plans to expand across several countries in Europe and wants to provide low latency for all its users.
The application needs to identify the users’ IP addresses and provide localized content based on the users’ geographic location. The application uses HTTP GET and POST methods for its functionality. The company also needs to develop a failover mechanism that works for GET and POST methods and is based on health checks. The failover must occur in less than 1 minute for all clients.
Which solution will meet these requirements?

A. Configure a Network Load Balancer (NLB) for the application in each environment in the new AWS Regions. Create an AWS Global Accelerator accelerator that has endpoint groups that point to the NLBs in each Region.

B. Configure an Application Load Balancer (ALB) for the application in each environment in the new AWS Regions. Create an AWS Global Accelerator accelerator that has endpoint groups that point to the ALBs in each Region.

C. Configure an Application Load Balancer (ALB) for the application in each environment in the new AWS Regions. Create Amazon Route 53 public hosted zones that have failover routing policies.

D. Configure a Network Load Balancer (NLB) for the application in each environment in the new AWS Regions. Create an Amazon CloudFront distribution. Configure an origin group with origin failover options.

Correct Answer: C

Question 40

A company deploys an internal website behind an Application Load Balancer (ALB) in a VPC. The VPC has a CIDR block of 172.31.0.0/16. The company creates a private hosted zone for the domain example.com for the website in Amazon Route 53. The company establishes an AWS Site-to-Site VPN connection between its office network and the VPC.
A network engineer needs to set up a DNS solution so that employees can visit the internal webpage by accessing a private domain URL (https://example.com) from the office network.
Which combination of steps will meet this requirement? (Choose two.)

A. Create an alias record that points to the ALB in the Route 53 private hosted zone.

B. Create a CNAME record that points to the ALB internal domain in the Route 53 private hosted zone.

C. Create a Route 53 Resolver inbound endpoint. On the office DNS server, configure a conditional forwarder to forward the DNS queries to the Route 53 Resolver inbound endpoint.

D. Create a Route 53 Resolver outbound endpoint. On the office DNS server, configure a conditional forwarder to forward the DNS queries to the Route 53 Resolver outbound endpoint.

E. On the office DNS server, configure a conditional forwarder for the private domain to the VPC DNS at 172.31.0.2.

Correct Answer: AC

Question 41

A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM) in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool.
A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account.
Which solution will meet these requirements?

A. Create a new AWS Config rule to find all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke an AWS Lambda function to delete these VPCs.

B. Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.

C. Create an AWS Lambda function to check for and delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke the Lambda function at regular intervals.

D. Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.

Correct Answer: B

Question 42

A company manages resources across VPCs in multiple AWS Regions. The company needs to connect to the resources by using its internal domain name. A network engineer needs to apply the aws.example.com DNS suffix to all resources.
What must the network engineer do to meet this requirement?

A. Create an Amazon Route 53 private hosted zone for aws.example.com in each Region that has resources. Associate the private hosted zone with that Region’s VPC. In the appropriate private hosted zone, create DNS records for the resources in each Region.

B. Create one Amazon Route 53 private hosted zone for aws.example.com. Configure the private hosted zone to allow zone transfers with every VPC.

C. Create one Amazon Route 53 private hosted zone for example.com. Create a single resource record for aws.example.com in the private hosted zone. Apply a multivalue answer routing policy to the record. Add all VPC resources as separate values in the routing policy.

D. Create one Amazon Route 53 private hosted zone for aws.example.com. Associate the private hosted zone with every VPC that has resources. In the private hosted zone, create DNS records for all resources.

Correct Answer: A

Question 43

A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?

A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.

B. Change the router configurations to summarize the advertised routes.

C. Open a support ticket to increase the quota on advertised routes to the VPC route table.

D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.

Correct Answer: D

Question 44

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.
Which configuration change should a network engineer implement to resolve this issue?

A. Configure the NAT gateway timeout to allow connections for up to 600 seconds.

B. Enable enhanced networking on the client EC2 instances.

C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.

D. Close idle TCP connections through the NAT gateway.

Correct Answer: A

Question 45

A company has started using AWS Cloud WAN with one edge location in the us-east-1 Region. The company has a production segment and a security segment in AWS Cloud WAN. The company also has a default core network policy.
The company has created a production VPC for the production workload. The company has created an outbound inspection VPC to inspect internet-bound traffic from the production VPC. The company has attached the production VPC to the production segment and has attached the outbound inspection VPC to the security segment. The company has also created an AWS Network Firewall firewall in the outbound inspection VPC to inspect internet-based traffic.
The company has updated a route table for the production VPC to send all internet-bound traffic to the AWS Cloud WAN core network. The company has updated a route table for the outbound inspection VPC to ensure that Network Firewall inspects any outgoing traffic and incoming traffic.
During testing, an Amazon EC2 instance in the production VPC cannot reach the internet. The company checks the Network Firewall rules and confirms that the rules are not blocking the traffic.
Which combination of steps will meet these requirements? (Choose two.)

A. Update the core network policy to configure segment sharing. Share the production segment with the security segment.

B. Update the core network policy to create a static route for the security segment. Specify 0.0.0.0/0 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.

C. Update the core network policy to create a static route for the production segment. Specify 0.0.0.0/0 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.

D. Update the core network policy to create a static route for the production segment. Specify 10.2.0.0/16 as the destination CIDR block. Specify the outbound inspection VPC as an attachment.

E. Create an attachment to attach the outbound inspection VPC to the production segment. Update the core network policy to turn on isolated attachment for the production segment.

Correct Answer: AC

Question 46

A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application.
Which solution will meet these requirements?

A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS accounts. Update the route tables so that the AWS accounts can reach the GLB.

B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint service for the ALB. Share the VPC endpoint service with other AWS accounts.

C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB.

D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.

Correct Answer: D

Question 47

A network engineer is working on a private DNS design to integrate AWS workloads and on-premises resources. The AWS deployment consists of five VPCs in the eu-west-1 Region that connect to the on-premises network over AWS Direct Connect. The VPCs communicate with each other by using a transit gateway. Each VPC is associated with a private hosted zone that uses the aws.example.internal domain. The network engineer creates an Amazon Route 53 Resolver outbound endpoint in a shared services VPC and attaches the shared services VPC to the transit gateway.
The network engineer is implementing a solution for DNS resolution. Queries for hostnames that end with aws.example.internal must use the private hosted zone. Queries for hostnames that end with all other domains must be forwarded to a private on-premises DNS resolver.
Which solution will meet these requirements?

A. Add a forwarding rule for “*” that targets the on-premises server’s DNS IP address. Add a system rule for aws.example.internal that targets Route 53 Resolver.

B. Add a forwarding rule for aws.example.internal that targets Route 53 Resolver. Add a system rule for “.” that targets the Route 53 Resolver outbound endpoint.

C. Add a forwarding rule for “*” that targets the Route 53 Resolver outbound endpoint.

D. Add a forwarding rule for “.” that targets the Route 53 Resolver outbound endpoint.

Correct Answer: A

Question 48

A network engineer is designing a hybrid networking environment that will connect a company's corporate network to the company's AWS environment. The AWS environment consists of 30 VPCs in 3 AWS Regions.
The network engineer needs to implement a solution to centrally filter traffic by using a firewall that the company's security team has approved. The solution must give all the VPCs the ability to connect to each other. Connectivity between AWS and the corporate network must meet a minimum bandwidth requirement of 2 Gbps.
Which solution will meet these requirements?

A. Deploy an IPsec VPN connection between the corporate network and a new transit gateway. Connect all VPCs to the transit gateway. Associate the approved firewall with the transit gateway.

B. Deploy a single 10 Gbps AWS Direct Connect connection between the corporate network and the virtual private gateway of each VPC. Connect the virtual private gateways to a Direct Connect gateway. Build an IPsec tunnel to a new transit VPC. Deploy the approved firewall to the transit VPC.

C. Deploy two 1 Gbps AWS Direct Connect connections in different Direct Connect locations to connect to the corporate network. Build a transit VIF on each connection to a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway for each Region. Configure the VIFs to use equal-cost multipath (ECMP) routing. Connect all the VPCs in the three Regions to the transit gateway. Configure the transit gateway route table to route traffic to an inspection VPC. Deploy the approved firewall to the inspection VPC.

D. Deploy four 1 Gbps AWS Direct Connect connections in different Direct Connect locations to connect to the corporate network. Build a transit VIF on each connection to a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway for each Region. Connect the transit gateways by using a transit gateway peering attachment. Configure the VIFs to use equal-cost multipath (ECMP) routing. Configure transit gateway route tables to route traffic to an inspection VPC. Deploy the approved firewall to the inspection VPC.

Correct Answer: C

Question 49

A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:
• A transit gateway with all VPCs attached to it
• Several hundred application VPCs
• A centralized egress internet VPC with a NAT gateway and an internet gateway
• A centralized ingress internet VPC that hosts public Application Load Balancers
• On-premises connectivity through an AWS Direct Connect gateway attachment
The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table's default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata-compatible rules.
The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Deploy Network Firewall in all Availability Zones in each application VPC.

B. Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.

C. Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.

D. Update the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.

E. Configure a single transit gateway route table. Associate all application VPCs and the centralized inspection VPC with this route table.

F. Configure two transit gateway route tables. Associate all application VPCs with one transit gateway route table. Associate the centralized inspection VPC with the other transit gateway route table.

Correct Answer: BCF

Question 50

An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time.
Which solution meets these requirements?

A. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.

B. Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.

C. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 outbound endpoints.

D. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the Route 53 outbound rules with the application VPCs, and share the private hosted zones with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.

Correct Answer: A

Access Full ANS-C01 Exam Prep Free

Want to go beyond these 50 questions? Click here to unlock a full set of ANS-C01 exam prep free questions covering every domain tested on the exam.

We continuously update our content to ensure you have the most current and effective prep materials.

Good luck with your ANS-C01 certification journey!
