ANS-C00 Exam Prep Free

ANS-C00 Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day

Getting ready for the ANS-C00 certification? Our ANS-C00 Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.

Effective ANS-C00 exam prep free is the key to success. With our free practice questions, you can:

  • Get familiar with exam format and question style
  • Identify which topics you’ve mastered—and which need more review
  • Boost your confidence and reduce exam anxiety

Below, you will find 50 realistic ANS-C00 Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.

Question 1

You are responsible for several EC2 instances deployed from Amazon AMIs that are required to upload information to an S3 bucket. This information must not traverse the public internet. You must also be able to update the instances. Which option is your best solution?

A. An S3 endpoint and a NAT

B. An S3 endpoint

C. A VPN to the IP addresses specified in the AWS official S3 prefix list

D. A NACL with the AWS prefix list added to it and a VPN.

 


Suggested Answer: B

Community Answer: A

A NAT gateway is not required: Amazon Linux package repositories are themselves hosted in S3, so a gateway endpoint for S3 lets the instances both upload to the bucket and fetch updates without traversing the public internet (the endpoint policy must allow access to the repository buckets as well as your own). C and D are not possible: S3 does not terminate VPN connections, and a network ACL cannot reference a prefix list.

 

Question 2

A customer is using ABC Telecom as a network provider. The customer has 10 different offices connected to ABC Telecom's MPLS backbone. The customer is setting up an AWS Direct Connect connection to AWS and has provided the LOA-CFA to ABC Telecom. ABC Telecom has terminated the Direct Connect circuit into their MPLS backbone. To uniquely identify the customer's traffic over the MPLS backbone, the customer must encapsulate all traffic with VLAN tag 100. The customer wants to send traffic to multiple VPCs.
Which two steps should be taken to meet the customer's requirement? (Choose two.)

A. The customer performs Q-in-Q tunneling, with the AWS-required VLAN tag in the inside and VLAN 100 as the outside tag.

B. Create a support ticket with AWS to request the removal of the outer VLAN tag 100 as the traffic reaches AWS routers.

C. Send the traffic for all VPCs with the same VLAN tag 100 and use BGP to ensure that proper routing takes place to the appropriate VPC.

D. ABC Telecom removes the outer tag before sending the packet to AWS.

E. ABC Telecom creates a support ticket with AWS to exchange MPLS labels and include the AWS port as part of their MPLS network.

 


Suggested Answer: CE

Community Answer: AD

 

Question 3

Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on nginx server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client's IP address in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?

A. Modify the nginx log configuration to record value in X-Forwarded-For and use CloudFront to apply the Geographic Restriction.

B. Enable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.

C. Use X-Forwarded-For with security groups to apply the Geographic Restriction.

D. Modify the application code to use value of X-Forwarded-For and CloudFront to apply the Geographic Restriction.

 


Suggested Answer: A

Community Answer: D
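Whichever option you pick, the application still has to read X-Forwarded-For correctly. Every proxy in the path (CloudFront, then the load balancer) appends the address it saw, so the client can forge any entry left of the ones your own hops wrote. The following is an added example, not code from the original page: it assumes a known number of trusted proxies you operate (two in the constructed CloudFront-plus-ALB scenario) and uses documentation-range addresses made up for the test.

```python
"""Recover the client IP from X-Forwarded-For behind a fixed chain of trusted proxies.

Added example for the X-Forwarded-For question; not code from the original page.
Assumption: you know how many proxies you operate in front of the application
(constructed scenario: CloudFront -> ALB -> app, so two trusted hops) and each hop
appends the peer address it saw to the header.
"""
import ipaddress


def naive_client_ip(xff_header: str) -> str:
    """The common mistake: trust the left-most entry. The client can set that entry itself."""
    return xff_header.split(",")[0].strip()


def client_ip_from_xff(xff_header: str, trusted_hops: int, remote_addr: str) -> str:
    """Return the address recorded by the first proxy *you* control.

    xff_header   -- raw X-Forwarded-For value, "" if the header is absent
    trusted_hops -- number of proxies you operate between client and application
    remote_addr  -- peer address of the TCP connection (the last trusted proxy)

    Each hop appends the address of the party that connected to it, so the
    right-most `trusted_hops` entries (counting the connection peer) were written
    by your infrastructure, and the entry just left of them is the real client.
    Anything further left was supplied by the client and may be forged.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    chain = hops + [remote_addr]  # the connection peer is never in the header itself
    if len(chain) <= trusted_hops:
        # Fewer hops than the expected chain: the request bypassed at least one
        # trusted proxy, so nothing in the header can be trusted.
        raise ValueError("request did not traverse the expected proxy chain")
    candidate = chain[-(trusted_hops + 1)]
    return str(ipaddress.ip_address(candidate))  # raises ValueError on a malformed entry


if __name__ == "__main__":
    # Constructed: client 198.51.100.7, CloudFront edge 203.0.113.9, ALB 10.0.1.5.
    forged = "192.0.2.1, 198.51.100.7, 203.0.113.9"
    print(naive_client_ip(forged))                       # the forged entry
    print(client_ip_from_xff(forged, 2, "10.0.1.5"))     # the real client
```

The same count-from-the-right rule applies to any fixed proxy chain; if the number of hops can vary (for example some requests bypass CloudFront), restrict the load balancer's security group to the CloudFront origin-facing prefix list so the chain length is fixed again.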

 

Question 4

DNS name resolution must be provided for services in the following four zones:
[Image: the four zone names are shown in a figure that is not reproduced here]
The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region.
Each VPC should resolve the names in all zones.
How can you use Amazon route 53 to meet these requirements?

A. Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.

B. Create a single Route 53 Private Hosted Zone for the zone company.private. and associate it with the three VPCs.

C. Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward

D. Create a single Route 53 Public Hosted Zone for the zone company.private. and configure the VPC DNS Resolver to forward

 


Suggested Answer: D

Community Answer: A

 

Question 5

What value in a packet dictates the priority of the packet in a QoS enabled network?

A. BFD

B. IPv6

C. NAT

D. DSCP

 


Suggested Answer: D

 

The Differentiated Services Code Point value, or DSCP, is used to label packets on QoS enabled networks for prioritization.

 

Question 6

You can use the ____ command of the AWS Config service CLI to see the compliance state for each AWS resource of a specific type.

A. describe-compliance-by-resource

B. get-compliance-details-by-config-rule

C. describe-compliance-by-config-rule

D. get-compliance-details-by-resource

 


Suggested Answer: A

 

You can use the AWS Config console, AWS CLI, or AWS Config API to view the compliance state of your rules and resources. Use the describe-compliance-by-resource command of the AWS Config CLI to see the compliance state for each AWS resource of a specific type. This is distinct from the describe-compliance-by-config-rule command, which gives the compliance state of each rule in AWS Config.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

 

Question 7

Which service is used by default to store the CloudTrail log files?

A. Elastic Block Store (EBS)

B. Redshift

C. Simple Storage Service (S3)

D. Glacier

 


Suggested Answer: C

 

S3 is used by default to store CloudTrail log files; an S3 bucket must be specified or created when a new trail is created.
Reference:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-working-with-log-files.html

 

Question 8

You can use the ____ command of the AWS Config service CLI to see the compliance state of each of your rules.

A. get-compliance-details-by-resource

B. describe-compliance-by-config-rule

C. get-compliance-details-by-config-rule

D. describe-compliance-by-resource

 


Suggested Answer: B

 

You can use the describe-compliance-by-config-rule command of the AWS Config CLI to see the compliance state of each of your rules. For each rule that has a compliance type of NON_COMPLIANT, AWS Config returns the number of noncompliant resources for the CappedCount parameter.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

 

Question 9

You have a global corporate network with 153 individual IP prefixes in your internal routing table. You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW). All instances in the VPC must be able to route to the Internet via an IGW and route to the global corporate network via the VGW.
How should you configure your on-premises BGP peer to meet these requirements?

A. Configure AS-Prepending on your BGP session

B. Summarize your prefix announcement to less than 100

C. Announce a default route to the VPC over the BGP session

D. Enable route propagation on the VPC route table

 


Suggested Answer: D

Community Answer: B

 

Question 10

You have several VPCs that are peered. Each VPC has several routes to different subnets. Over the years, your company has acquired many companies. You find that traffic destined for one VPC ends up going to another.
What is the best way to remedy this?

A. Move the route table entry for the proper VPC higher in the list.

B. Adjust your routes so the proper VPC has a higher CIDR.

C. Move the route table entry for the proper VPC lower in the list.

D. Adjust your routes so the proper VPC has a lower CIDR.

 


Suggested Answer: B

Community Answer: B

The more specific route (the one with the longer prefix length, which the question calls the "higher" CIDR) always takes precedence over a less specific one. Route table entries are not evaluated in list order, so moving entries up or down has no effect.

 

Question 11

Which of the following physical layer standards is required for connection to AWS Direct Connect over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable?

A. Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-ER for 10 gigabit Ethernet

B. Multi mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-ER for 10 gigabit Ethernet

C. Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-LR for 10 gigabit Ethernet

D. Multi mode fiber, 1000BASE-SX for 1 gigabit Ethernet, or 10GBASE-SR for 10 gigabit Ethernet

 


Suggested Answer: C

 

Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

 

Question 12

A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another.
Which approach will meet the technical and security requirements while minimizing costs?

A. Use the AWS IPsec VPN for the mobile, desktop, and partner VPN connections. Use network access control lists (Network ACLs) and security groups to maintain routing separation.

B. Use the AWS IPsec VPN for the partner VPN connections. Use an Amazon EC2 instance VPN for the mobile and desktop devices. Use Network ACLs and security groups to maintain routing separation.

C. Create an AWS Direct Connect connection between on-premises and AWS. Use a public virtual interface to connect to the AWS IPsec VPN for the mobile, desktop, and partner VPN connections.

D. Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing and connectivity.

 


Suggested Answer: B

Community Answer: D

 

Question 13

The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.
A team will migrate the PCI DSS application from on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?

A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin’s Protocol Policy to ‘Match Viewer’.

B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.

C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.

D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.

 


Suggested Answer: C

Community Answer: A

 

Question 14

An AWS CloudTrail log file provides the identity and source IP address of the API caller, the time of the API call, request parameters, and ____.

A. response elements

B. event selectors

C. port alarms

D. destination buckets

 


Suggested Answer: A

 

An AWS CloudTrail log file provides the following details:
✑ Identity of the API caller
✑ Time of the API call
✑ Source IP address of the API caller
✑ Request parameters
✑ Response elements
Reference:
https://aws.amazon.com/cloudtrail/

 

Question 15

You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.0.1.0/24 AS 65000 65000, Site B is VPN 10.0.1.252/30 AS 65000 65000 65000, Site C is DX 10.0.0.0/8 AS 65000, and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?

A. Site A: VPN 10.0.1.0/24 AS 65000 65000

B. Site B: VPN 10.0.1.252/30 AS 65000 65000 65000

C. Site C: DX 10.0.0.0/8 AS 65000

D. Site D: DX 10.0.0.0/16 AS 65000 65000 65000

 


Suggested Answer: B

Community Answer: B

Site B: the most specific prefix (longest prefix length) always wins. Connection type (Direct Connect versus VPN) and AS_PATH length are only compared between routes for the same prefix.

 

Question 16

An AWS account owner has setup multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has setup an alarm action which stops EC2 instances when their CPU utilization is below the threshold limit. When an EC2 instance's CPU Utilization rate drops below the threshold John has set, what will happen and why?

A. Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.

B. CloudWatch will stop the instance when the action is executed

C. Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm

D. Nothing will happen. John can setup the action, but it will not be executed because he does not have EC2 access through IAM policies.

 


Suggested Answer: D

 

Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can setup an action which stops the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance as part of the EC2 action. If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingAlarmActions.html

 

Question 17

Which two resources can be the target of a Route 53 alias record? (Choose two.)

A. DynamoDB

B. Elastic Beanstalk

C. CloudFront

D. EC2 Instance

 


Suggested Answer: BC

 

Alias records can point to AWS resources such as Elastic Beanstalk environments and CloudFront distributions (as well as ELB load balancers, S3 website endpoints and other records in the same hosted zone). You cannot create an alias record that points directly to an EC2 instance or to DynamoDB.

 

Question 18

Which service would you use to see the DSCP value in a packet header?

A. CloudTrail

B. Config

C. Flow Logs

D. None of the above

 


Suggested Answer: D

 

None of these services exposes DSCP. VPC Flow Logs record only connection metadata (addresses, ports, protocol, packets, bytes, action), and CloudTrail and Config record API activity and resource configuration. To see DSCP or any other header field you need packet capture, for example a tool such as Wireshark on the instance or on a VPC Traffic Mirroring target.

 

Question 19

Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

A. 8 subnets and 30 hosts per subnet

B. 16 subnets and 14 hosts per subnet

C. 32 subnets and 30 hosts per subnet

D. 8 subnets and 14 hosts per subnet

 


Suggested Answer: B

 

16 subnets and 14 hosts per subnet are possible in the CIDR.
Reference:
https://en.wikipedia.org/wiki/IPv4_subnetting_reference
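The arithmetic above generalises: for any host address and prefix you can recover the containing subnet, its usable range, how many such subnets a parent block yields, and how many addresses AWS actually leaves you once it takes its five. The following is an added example, not code from the original page; it uses the question's 192.168.130.130/28 carved out of a /24, and the AWS figures assume the five reserved addresses per subnet and the /16 to /28 subnet size limits that VPC imposes.

```python
"""Subnet count and usable hosts for a host address, the textbook way and the AWS way.

Added example for the subnetting question; not code from the original page.
Input is the question's (192.168.130.130/28 out of a /24). The AWS numbers assume
the five addresses AWS reserves in every VPC subnet and VPC's /16../28 size limits.
"""
import ipaddress

# AWS reserves the network address, +1 (VPC router), +2 (DNS), +3 (future use)
# and the broadcast address in every subnet.
AWS_RESERVED_PER_SUBNET = 5
AWS_SUBNET_PREFIX_RANGE = (16, 28)  # a VPC subnet must be between /16 and /28


def subnet_facts(host_with_prefix: str, parent_prefix: int) -> dict:
    """Describe the subnet containing `host_with_prefix` when a /parent_prefix block
    is split into subnets of that size."""
    # strict=False lets us pass a host address rather than the network address.
    net = ipaddress.ip_network(host_with_prefix, strict=False)
    if parent_prefix > net.prefixlen:
        raise ValueError("parent block must be larger than the subnet")
    lo, hi = AWS_SUBNET_PREFIX_RANGE
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "subnets_in_parent": 2 ** (net.prefixlen - parent_prefix),
        "hosts_per_subnet": net.num_addresses - 2,  # minus network and broadcast
        "aws_usable_per_subnet": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        "valid_aws_subnet_size": lo <= net.prefixlen <= hi,
    }


if __name__ == "__main__":
    for key, value in subnet_facts("192.168.130.130/28", 24).items():
        print(f"{key}: {value}")
```

Note that the host 192.168.130.130 lands in the 192.168.130.128/28 subnet, not at a block boundary; the question's "16 subnets and 14 hosts" describes the /28 size, while the address itself only identifies which of the sixteen you are in.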

 

Question 20

What service is used to store the log files generated by CloudTrail?

A. EC2

B. EBS

C. S3

D. VPC

 


Suggested Answer: C

 

CloudTrail uses Amazon Simple Storage Service (S3) to store log files. S3 lifecycle configuration rules can be applied to the bucket to reduce storage costs.
Reference:
https://aws.amazon.com/cloudtrail/

 

Question 21

You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect.
You have to bring the web server down for maintenance, what two things should you do? (Choose two.)

A. Reboot the instance.

B. Move the ENI from one server to the other.

C. Associate the new ENI with the database security group.

D. Configure a secondary ENI on the standby instance.

 


Suggested Answer: CD

 

You must configure a secondary ENI on the standby instance with an IP address that can access the data subnet. This may require modification of the security group for the database.

 

Question 22

A company hosts its application, example.com, behind Application Load Balancers in the us-east-1 and eu-west-1 Regions. Users should be routed to the resources geographically nearest to them. Users must not be routed to the application when it is considered unhealthy.
How should a network engineer configure Amazon Route 53 to route clients to example.com?

A. Configure latency.example.com to use a weighted routing policy that points to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the evaluate target health setting. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.

B. Configure latency.example.com CNAME latency-based records that point to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the setting used to evaluate target health. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.

C. Configure latency.example.com to use a geoproximity routing policy that points to the load balancers, and associate an HTTP health check. Configure failover records for example com. Point the primary alias record to latency.example.com, and enable the evaluate target health setting. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.

D. Configure latency.example.com alias latency-based records that point to the load balancers, enable the setting used to evaluate target health, and associate an HTTP health check. Configure failover records for example.com. Point the primary CNAME record to latency.example.com, and associate an HTTP health check. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.

 


Suggested Answer: D

Community Answer: C

 

Question 23

Your company currently has a LAG to AWS with two 1Gbps connections. What is the best way to increase throughput on this LAG?

A. Add three 1Gbps connections to the LAG.

B. Add one 10Gbps connections to the LAG.

C. Configure your router to use “jumbo frames” with an MTU of 9001.

D. Add two 1Gbps connections to the LAG.

 


Suggested Answer: D

 

Add two 1 Gbps connections to the LAG. A LAG supports at most four 1 Gbps or 10 Gbps connections, and every connection in a LAG must have the same bandwidth, so a 10 Gbps connection cannot be added to a LAG of 1 Gbps connections. Jumbo frames (MTU 9001) are supported on Direct Connect private virtual interfaces today, but they change the frame size, not the link capacity, so they do not raise LAG throughput.

 

Question 24

A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?

A. SNS cannot provide data every minute

B. There is no need to enable since SNS provides data every minute

C. SNS will send data every minute after configuration

D. AWS CloudWatch does not support monitoring for SNS

 


Suggested Answer: A

Community Answer: B

CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute.
The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html

 

Question 25

You have a hybrid infrastructure, and you need AWS resources to be able to resolve your on-premises DNS names. You have configured a DNS server on an EC2 instance in your 10.1.3.0/24 subnet. This subnet resides on the VPC 10.1.0.0/16. What step should you take to accomplish this?

A. Configure your DNS server to forward queries for the private hosted zone to 10.1.3.2.

B. Configure the DHCP option set in the VPC to point to the EC2 DNS server.

C. Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2.

D. Disable the source/destination check flag for the DNS instance.

 


Suggested Answer: B

 

The EC2 DNS server forwards queries for your on-premises names to your on-premises DNS. You must configure the VPC's DHCP option set so that instances send their queries to the EC2 DNS server instead of the default VPC resolver (the VPC CIDR base plus two, 10.1.0.2 here).

 

Question 26

In AWS Direct Connect, which of the following is true of configuring your router to connect to the AWS Direct Connect router?

A. After creating a virtual interface for your AWS Direct Connect connection, you can download the router configuration file from the available link

B. After Completing the Cross Connect step, the download link for router configuration will be available

C. After submitting your AWS Direct Connect connection request, you will receive the router configuration details by email within 72 hours

D. In Create a Virtual Interface step, the general configuration of your router would be available for downloading.

 


Suggested Answer: A

 

After you have created a virtual interface for your AWS Direct Connect connection, you can download the router configuration file. It helps your router connect to the AWS Direct Connect router and is generated from the details of the virtual interface you created and from the vendor, platform, and software of your router.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#routerconfig

 

Question 27

Your company has a high-availability hybrid solution that utilizes two Direct Connect connections and a backup VPN connection. For some reason, traffic is preferring the VPN connection instead of the direct connection. You have prepended a longer AS_PATH on the VPN connection, but AWS still prefers it over the Direct Connect connections.
What might you be able to do to fix this issue?

A. Advertise a less specific prefix on the VPN.

B. Remove the prepended AS_PATH.

C. Reconfigure the VPN as a static VPN instead of dynamic.

D. Increase the MED on the VPN.

 


Suggested Answer: A

 

AWS prefers Direct Connect over a VPN for the same prefix regardless of AS_PATH prepending, so the only way a VPN route can win is by advertising a more specific (longer) prefix. The question does not say so explicitly, but that must be the case here, since a longer prefix is the only criterion in the path selection process that supersedes the Direct Connect preference. Advertising a less specific prefix over the VPN, matching what Direct Connect advertises, restores the expected behavior.
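Questions 10, 15 and 27 all turn on the same selection order: longest prefix first, then Direct Connect over VPN, then the shorter AS_PATH. The following is an added example, not code from the original page, that models exactly those three criteria and nothing more (MED, static-versus-propagated and router-ID tie-breakers are left out on purpose). The four sites are Question 15's; the Question 27 scenario is constructed to show that prepending never beats a more specific VPN prefix, while re-advertising the same prefix does.

```python
"""Simplified model of how a VPC route table picks among routes learned over
Direct Connect and Site-to-Site VPN.

Added example for Questions 10, 15 and 27; not code from the original page.
Models only: longest prefix match, then Direct Connect preferred over VPN, then
shortest AS_PATH. Later AWS tie-breakers are deliberately omitted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Advertisement:
    site: str
    kind: str          # "DX" (Direct Connect) or "VPN"
    prefix: str        # e.g. "10.0.1.0/24"
    as_path: tuple     # ASNs as received, prepends included


CONNECTION_PREFERENCE = {"DX": 0, "VPN": 1}  # lower is better


def select_path(destination: str, ads: Iterable[Advertisement]) -> Optional[Advertisement]:
    """Return the advertisement the VPC would use to reach `destination`, or None."""
    dest = ipaddress.ip_address(destination)
    covering = [a for a in ads if dest in ipaddress.ip_network(a.prefix)]
    if not covering:
        return None
    # Most specific prefix, then Direct Connect before VPN, then shortest AS_PATH.
    return min(
        covering,
        key=lambda a: (
            -ipaddress.ip_network(a.prefix).prefixlen,
            CONNECTION_PREFERENCE[a.kind],
            len(a.as_path),
        ),
    )


# Question 15's four sites (data from the question).
QUESTION_15_SITES = [
    Advertisement("Site A", "VPN", "10.0.1.0/24", (65000, 65000)),
    Advertisement("Site B", "VPN", "10.0.1.252/30", (65000, 65000, 65000)),
    Advertisement("Site C", "DX", "10.0.0.0/8", (65000,)),
    Advertisement("Site D", "DX", "10.0.0.0/16", (65000, 65000, 65000)),
]


def question_27_fix() -> tuple:
    """Constructed Question 27 scenario: a VPN route with a longer prefix beats Direct
    Connect however much it is prepended; advertising the same prefix over the VPN
    lets the Direct Connect preference apply again."""
    dx = Advertisement("DX", "DX", "10.0.0.0/16", (65000,))
    vpn_specific = Advertisement("VPN", "VPN", "10.0.1.0/24", (65000, 65000, 65000, 65000))
    vpn_same = Advertisement("VPN", "VPN", "10.0.0.0/16", (65000, 65000, 65000, 65000))
    before = select_path("10.0.1.10", [dx, vpn_specific]).site
    after = select_path("10.0.1.10", [dx, vpn_same]).site
    return before, after


if __name__ == "__main__":
    print(select_path("10.0.1.254", QUESTION_15_SITES).site)
    print(question_27_fix())
```

Run it and Site B wins for any address in 10.0.1.252/30 despite having the longest AS_PATH and being a VPN, which is the whole point of Question 15; the Question 27 function returns the VPN site before the fix and the Direct Connect site after it.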

 

Question 28

Which AWS service is used within an AWS Config Rule to perform the logic evaluation of that rule?

A. Inspector

B. WAF

C. Lambda

D. SWF

 


Suggested Answer: C

 

AWS Config Rules are a good way to enforce specific compliance controls and checks across your resources, and they let you adopt an "ideal" deployment specification for each of your resource types. Each custom rule is backed by a Lambda function that, when invoked, evaluates the resource and carries out some simple logic to determine whether it complies with the rule.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs-sample.html

 

Question 29

A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

A. AWS Route53

B. AWS EMR

C. AWS ELB

D. AWS RDS

 


Suggested Answer: B

 

CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute.
Services, such as RDS, EC2, Auto Scaling, ELB, and Route 53 can provide the monitoring data every minute.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html

 

Question 30

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use ____.

A. trusted signers

B. optimistic locking

C. integrity validation

D. root credentialing

 


Suggested Answer: C

 

AWS CloudTrail uses log file integrity validation to determine whether the log files were changed or modified since CloudTrail delivered them to an Amazon S3 bucket.
Reference:
https://aws.amazon.com/cloudtrail/
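Integrity validation works from digest files: each digest lists the log objects delivered in the hour with their SHA-256 hashes (the logFiles array with s3Object, hashAlgorithm and hashValue), and the digest itself is signed by CloudTrail. Recomputing the hash over each object as delivered is what separates "unchanged" from "modified" from "deleted". The following is an added example, not code from the original page; it implements that per-file hash check over a constructed digest and object store, and leaves out verifying the digest's own RSA signature against the CloudTrail public key, which is a separate step.

```python
"""Check delivered CloudTrail log files against the hashes in a digest file.

Added example for the integrity-validation question; not code from the original
page. Digest field names (logFiles, s3Object, hashAlgorithm, hashValue) are the
real ones; the log contents and object keys below are constructed. Verifying the
digest's own RSA signature is a separate step not shown here.
"""
import hashlib


def verify_log_files(digest: dict, fetched: dict) -> dict:
    """Map each log object key named in `digest` to 'unchanged', 'modified' or 'deleted'.

    fetched -- {s3Object key: bytes of the object exactly as downloaded};
               a key that is absent or None is treated as deleted.
    """
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        if entry["hashAlgorithm"] != "SHA-256":
            raise ValueError(f"{key}: unsupported hash algorithm {entry['hashAlgorithm']}")
        data = fetched.get(key)
        if data is None:
            results[key] = "deleted"
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[key] = "unchanged" if actual == entry["hashValue"].lower() else "modified"
    return results


def build_sample() -> tuple:
    """Constructed digest plus object store: one intact file, one tampered, one deleted."""
    prefix = "AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/01/"  # constructed key prefix
    originals = {
        prefix + "a.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
        prefix + "b.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}',
        prefix + "c.json.gz": b'{"Records":[{"eventName":"DeleteTrail"}]}',
    }
    digest = {
        "logFiles": [
            {"s3Object": key, "hashAlgorithm": "SHA-256",
             "hashValue": hashlib.sha256(data).hexdigest()}
            for key, data in originals.items()
        ],
    }
    tampered = dict(originals)
    tampered[prefix + "b.json.gz"] = b'{"Records":[]}'  # an event was scrubbed
    del tampered[prefix + "c.json.gz"]                   # the object was deleted
    return digest, tampered


def run_sample() -> dict:
    """Verify the constructed store and key the results by file name for readability."""
    digest, store = build_sample()
    return {k.rsplit("/", 1)[-1]: v for k, v in verify_log_files(digest, store).items()}


if __name__ == "__main__":
    for name, status in run_sample().items():
        print(f"{name}: {status}")
```

In a real check the bytes you hash are the compressed object exactly as S3 returns it, and a passing result only means something if the digest signature also verifies; otherwise an attacker who can rewrite log objects can rewrite the digest too.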

 

Question 31

You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

A. You configured the rule number to be too low.

B. A NACL can’t protect against a DDoS.

C. The DDoS isn’t a TCP attack.

D. You need to add a deny rule outbound also since NACLs are stateful.

 


Suggested Answer: C

 

The DDoS isn’t a TCP attack (this time.) A DDoS can use several different protocols. NACLs are stateless. The lower the rule number, the higher the priority.

 

Question 32

Your company is building a new data center. You currently have an on-premises data center that accesses your single VPC via VPN. You need to provide access to your single VPC to your new data center. Since your new data center build is already over budget, you need to keep costs low.
How should you accomplish this?

A. Add a Private VIF and create a Direct Connect connection.

B. Create a new Customer Gateway and add it to your VPN using a CloudHub infrastructure model.

C. Add a Public VIF and create a Direct Connect connection.

D. Create a new Virtual Gateway and add it to your VPN using a CloudHub infrastructure model.

 


Suggested Answer: B

 

Create a new Customer Gateway. A Private VIF would work, but you want to keep costs low. A Public VIF is only for AWS public endpoints, such as S3. A Virtual Private Gateway would be created if you were creating a new VPN connection in a new VPC. A Customer Gateway represents the new data center's VPN device and allows you to add that data center to your existing VPN.

 

Question 33

An unfortunate situation has just come to your attention. A business critical application with sensitive data running on-prem will run out of storage disk space in 24 hours. This business critical application depends on a very large set of routes required for integration with other systems. You make a quick but well informed decision to migrate this application quickly to AWS. You are able to quickly launch a new VPC and, within it, equivalent infrastructure to re-home the application. In order to complete the replication of application data and ensure the application remains operational beyond the next 24 hours, select the best implementation.

A. Within the new VPC, establish a Direct Connect connection with max 10Gbps port speed for data replication. Establish a 802.1Q VLAN and configure a Virtual Private Gateway and Private Virtual Interface, and ensure Jumbo Frames is enabled.

B. Within the new VPC, deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with BGP dynamic routing

C. Within the new VPC, deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with static routing, and ensure Jumbo Frames is enabled.

D. Within the new VPC, deploy a software based virtual router (for example a Cisco CSR). Configure with dual ENIs (external and internal), create and attach an EIP to the external ENI, Configure and setup IPsec VPN tunnels, and ensure Jumbo Frames is enabled.

 


Suggested Answer: B

Community Answer: B

Let's start by stating that all four options are workable solutions. The key criterion of the question is to complete the data migration as quickly as possible. With this in mind we can immediately rule out Answer A, because provisioning and activating a fully functional Direct Connect connection takes 72 hours or more. Answer C is the same as Answer B but lacks BGP, so the very large set of routes would have to be configured manually, which costs more time and effort. Answers C and D also call for jumbo frames, but AWS does not support jumbo frames over a Site-to-Site VPN on the virtual private gateway, and an IPsec tunnel across the internet cannot carry them either, so that part of those answers adds nothing. Overall Answer B is the quickest option.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html

 

Question 34

A company's web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further requests for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.
Which action should be taken to block more IP addresses, without compromising the existing security requirements?

A. Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.

B. Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.

C. Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.

D. Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.

 


Suggested Answer: D

Community Answer: C

 

Question 35

You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following (version 2 records, one per line):
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?

A. The inbound network access control list is blocking the traffic

B. The outbound network access control list is blocking the traffic

C. The inbound security group is blocking the traffic.

D. The outbound security group is blocking the traffic.

 


Suggested Answer: B

Community Answer: B

The first line is an ACCEPT record for the inbound ping, which both the network ACL and the security group allowed, so it reached the instance. The last line is a REJECT record for the outbound reply, which the network ACL denied (the reply in the second line, from an earlier window, was still accepted).
If the network ACL permits outbound ICMP traffic, the flow log shows ACCEPT records for both the originating ping and the reply. If instead the security group denies inbound ICMP traffic, the flow log shows a single REJECT record for the inbound ping, because the traffic never reaches the instance and no reply is generated. A reply that is rejected after its request was accepted can only be a network ACL denial: security groups are stateful and always allow return traffic for connections they accepted.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
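That reasoning can be turned into detection logic over the raw records. The following is an added example, not code from the original page: it parses version 2 flow log records (the 14 space-separated fields) and applies the one fact that does the work, namely that a security group is stateful and therefore never rejects the reply leg of a flow it accepted, so a REJECT on the reply can only be the outbound network ACL. The sample records are the question's, reassembled one per line; a second, constructed single-REJECT sample shows the inbound case, where flow logs alone cannot tell an inbound NACL denial from a security group denial.

```python
"""Parse VPC Flow Log (version 2) records and tell a stateless network ACL denial
apart from a stateful security group denial.

Added example for the flow log question; not code from the original page.
SAMPLE_LOG is the question's three records, one per line. The diagnosis relies on
security groups being stateful: they never REJECT the reply to traffic they
already accepted, so a rejected reply points at the outbound network ACL.
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
ICMP = 1

SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
"""


def parse_flow_log(text: str) -> list:
    """Turn space-separated version-2 records into dicts, with numeric fields as ints."""
    records = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def diagnose(records: list, instance_ip: str, peer_ip: str, protocol: int = ICMP) -> str:
    """Explain why `peer_ip` receives no replies from `instance_ip` for `protocol`."""
    to_instance = [r for r in records
                   if r["srcaddr"] == peer_ip and r["dstaddr"] == instance_ip
                   and r["protocol"] == protocol]
    from_instance = [r for r in records
                     if r["srcaddr"] == instance_ip and r["dstaddr"] == peer_ip
                     and r["protocol"] == protocol]
    if not to_instance:
        return "no matching inbound traffic on this ENI"
    if all(r["action"] == "REJECT" for r in to_instance):
        # Inbound NACL and security group denials look identical here: a single REJECT
        # on the request and no reply at all.
        return "inbound blocked by the inbound network ACL or the security group"
    if any(r["action"] == "REJECT" for r in from_instance):
        return "reply blocked by the outbound network ACL"
    if not from_instance:
        return "request accepted but no reply recorded; check the instance itself"
    return "no block observed"


if __name__ == "__main__":
    print(diagnose(parse_flow_log(SAMPLE_LOG), "172.11.22.33", "10.123.234.78"))
```

Applied to the question's records the verdict is the outbound network ACL, matching the answer; the inbound-only REJECT case is the one where you have to go and read the security group and the inbound NACL, because the log cannot distinguish them.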

 

Question 36

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC B. You are unable to ping the instance. You have double checked your security groups and NACLs.
Why might this be?

A. You forgot to add a return route.

B. ICMP is not supported over peering connections.

C. You have to enable Source/Destination check in the VPCs.

D. You have to configure the peering connection to allow two way traffic.

 


Suggested Answer: A

Community Answer: A

Routes over a peering connection are one-directional. VPC A's route table sends the echo request to VPC B through the peering connection, but VPC B's route table also needs a route back to VPC A's CIDR via the same peering connection, or the echo reply has nowhere to go. Correct security groups and NACLs do not substitute for the return route.

 

Question 37

An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.
What changes should be made to meet this requirement while continuing to support the existing application requirements?

A. Modify the existing DHCP option set and specify the different domain name for the specified subnet.

B. Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.

C. Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.

D. Create a new peered VPC, configure the DHCP option set with the different domain name, and re-launch the required instances there.

 


Suggested Answer: B

Community Answer: D

 

Question 38

Which of the following characters is not allowed while creating a Namespace for a CloudWatch metric?

A. /

B. :

C. #

D. @

 


Suggested Answer: D

 

Namespace is a grouping or a container for a CloudWatch metric. The names must be valid XML characters, typically containing the alphanumeric characters "0-9A-Za-z" plus "." (period), "-" (hyphen), "_" (underscore), "/" (slash), "#" (hash), and ":" (colon). All AWS namespaces follow the convention AWS/service, such as AWS/EC2 and AWS/ELB.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html

 

Question 39

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven't yet upgraded.
What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

A. Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.

B. Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.

C. Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.

D. Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host-header-based routing to route traffic based on the application version.

 


Suggested Answer: B

Community Answer: D

 

Question 40

You are your company's AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 departmental dedicated VPCs (VPC-Dept1 and VPC-Dept2). The centralised VPC is VPC peered to both of the departmental VPCs, that is a VPC peering connection exists between VPC-Shared and VPC-Dept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2.
Select the correct option from the list below.

A. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC-Shared instances as the default peering bi-directional communication flag has been disabled.

B. Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa regardless of who initiates communication

C. All network communication remains blocked between all VPCs until the respective peering bi-directional communication flags are set to the appropriate setting that allows traffic to flow.

D. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC-Shared instances as the default peering bi-directional communication flag has been enabled.

 


Suggested Answer: B

 

Answers A, C and D are incorrect as they reference a non-existent setting: there is no such thing as a "default peering bi-directional communication flag". A peering connection carries traffic in both directions as soon as each VPC has a route to the other's CIDR via the peering connection and the security groups allow it, whichever side initiates. Note that peering is not transitive: VPC-Dept1 and VPC-Dept2 cannot reach each other through VPC-Shared; that would require a separate peering connection between them.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html#one-to-two-vpcs-instances

 

Question 41

Your company just acquired a new company. You have two VPCs: one is 172.31.0.0/16 and one is 10.111.0.0/16. The acquired company uses 10.111.0.0/16 for their VPC. Your VPC "A" has a group of 12 servers in the range 10.111.2.101 to 10.111.2.112. Their VPC "B" has 20 servers from 10.111.2.171 to 10.111.2.190.
You need to access both VPCs from the 172.31.0.0/16 VPC "C".
What is the best way to approach this problem?

A. From VPC C, create a peering connection and add a route to VPC A’s peering connection for 10.111.2.96/27 and a route to VPC B’s peering connection for 10.111.2.0/24.

B. From VPC C, create a peering connection and add a route to VPC A’s peering connection for 10.111.2.96/28 and a route to VPC B’s peering connection for 10.111.2.0/24.

C. From VPC C, create a peering connection and adjust the route tables to direct traffic to the individual servers by exact IP address of the servers.

D. Invest the money and change the CIDR of one of the VPCs since one VPC cannot be peered to two VPCs with the same CIDR block.

 


Suggested Answer: A

 

You can peer VPCs with the same CIDR block to a third VPC, so changing the CIDR block is not necessary; what you cannot do is add a route for the whole 10.111.0.0/16 to both peering connections. You can adjust the route tables to point to individual servers with /32 routes, but this would be very inefficient. 10.111.2.96/28 covers only 10.111.2.96 through 10.111.2.111, so 10.111.2.112 would be left out and would fall through to the /24 route towards VPC B; it is also too small as a subnet, because AWS reserves 5 addresses per subnet, leaving only 11 usable for 12 servers. 10.111.2.96/27 covers 10.111.2.96 through 10.111.2.127 (32 addresses, 27 usable as a subnet) and includes all 12 servers. Route tables use longest-prefix match, so the /27 takes precedence over the /24 for VPC A's servers, while VPC B's servers in 10.111.2.171 to 10.111.2.190 still match only the /24 and are routed to VPC B.
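The longest-prefix-match argument can be checked mechanically. The following is an added example, not code from the original page or from AWS: it models VPC C's route table with the two routes from answer A (the peering connection IDs are placeholders) and resolves sample destinations the way a VPC route table does, picking the most specific matching prefix. It also shows why the /28 in answer B fails to cover the last server.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed route table for VPC C. The pcx-* targets are hypothetical
# peering connection IDs standing in for the A and B peering connections.
ROUTE_TABLE_C: Dict[str, str] = {
    "172.31.0.0/16": "local",
    "10.111.2.96/27": "pcx-to-vpc-a",
    "10.111.2.0/24": "pcx-to-vpc-b",
}


def select_route(route_table: Dict[str, str], destination: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, target) of the most specific route containing destination.

    This is longest-prefix match: when several routes contain the address,
    the one with the longest prefix length wins. None means no route.
    """
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, target in route_table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def covers(prefix: str, first: str, last: str) -> bool:
    """True if every address from first to last (inclusive) lies inside prefix.

    The range is contiguous and the prefix is one block, so checking both
    endpoints is sufficient.
    """
    net = ipaddress.ip_network(prefix)
    return ipaddress.ip_address(first) in net and ipaddress.ip_address(last) in net


def misrouted_from_b(route_table: Dict[str, str], b_prefix: str, a_target: str) -> int:
    """Count addresses of VPC B's /24 that the more specific route would send to A.

    This is the caveat of answer A: any host VPC B places in 10.111.2.96/27
    becomes unreachable from VPC C. The count is the size of that overlap.
    """
    return sum(1 for ip in ipaddress.ip_network(b_prefix)
               if (r := select_route(route_table, str(ip))) and r[1] == a_target)


if __name__ == "__main__":
    for host in ("10.111.2.105", "10.111.2.112", "10.111.2.180", "10.111.5.1"):
        print(host, "->", select_route(ROUTE_TABLE_C, host))
    print("/28 covers A's servers:", covers("10.111.2.96/28", "10.111.2.101", "10.111.2.112"))
    print("/27 covers A's servers:", covers("10.111.2.96/27", "10.111.2.101", "10.111.2.112"))
    print("B addresses shadowed by the /27:",
          misrouted_from_b(ROUTE_TABLE_C, "10.111.2.0/24", "pcx-to-vpc-a"))
```

The last figure is the price of answer A: the 32 addresses of 10.111.2.96/27 inside VPC B are shadowed by the more specific route, so VPC B must not place anything VPC C needs to reach in that block.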

 

Question 42

A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.
What steps must be taken to order the cross-connect at the Direct Connect location?

A. Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.

B. Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.

C. Obtain one LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The facility operator will ensure that the cross-connect is installed.

D. Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.

 


Suggested Answer: C

Community Answer: B

 

Question 43

When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains another JSON string in its ____ parameter, which describes the event that triggered the rule.

A. resultToken

B. eventLeftScope

C. invokingEvent

D. configRuleName

 


Suggested Answer: C

 

The JSON object for an AWS Config event contains an invokingEvent attribute, which describes the event that triggers the evaluation for a rule. If the event is published in response to a resource configuration change, the value for this attribute is a string that contains a JSON configurationItem, or a configurationItemSummary for oversized configuration items. The configuration item represents the state of the resource at the moment that AWS Config detected the change. If the event is published for a periodic evaluation, the value is a string that contains a JSON object with information about the evaluation that was triggered. For each type of event, the function must parse the string with a JSON parser before it can evaluate its contents.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_example-events.html
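A handler that honours the "parse the string first" rule and the three event shapes looks like the following. This is an added example, not code from the original page or from AWS; the rule it implements (every resource in scope must carry a tag named by a requiredTag parameter) and the sample events, resource IDs and timestamps are constructed for illustration. It builds the Evaluation dictionary a real handler would pass to put_evaluations() but makes no AWS call, so it runs offline.

```python
import json
from typing import Any, Dict, Optional, Tuple

CHANGE = "ConfigurationItemChangeNotification"
OVERSIZED = "OversizedConfigurationItemChangeNotification"
SCHEDULED = "ScheduledNotification"


def parse_invoking_event(event: Dict[str, Any]) -> Tuple[str, Optional[Dict[str, Any]]]:
    """Unpack event["invokingEvent"], which is a JSON string, not an object.

    Returns (messageType, item): the full configurationItem for a change,
    the configurationItemSummary for an oversized item (it omits the
    configuration and tags), or None for a periodic evaluation.
    """
    invoking = json.loads(event["invokingEvent"])
    message_type = invoking["messageType"]
    if message_type == CHANGE:
        return message_type, invoking["configurationItem"]
    if message_type == OVERSIZED:
        return message_type, invoking["configurationItemSummary"]
    if message_type == SCHEDULED:
        return message_type, None
    raise ValueError(f"unexpected messageType {message_type!r}")


def rule_parameters(event: Dict[str, Any]) -> Dict[str, Any]:
    """ruleParameters is also a JSON string and is omitted when the rule has none."""
    raw = event.get("ruleParameters")
    return json.loads(raw) if raw else {}


def evaluate(event: Dict[str, Any]) -> Dict[str, Any]:
    """Produce the single Evaluation a handler would hand to put_evaluations()."""
    message_type, item = parse_invoking_event(event)
    required_tag = rule_parameters(event).get("requiredTag", "Owner")

    if message_type == SCHEDULED:
        # Periodic run: invokingEvent carries no resource, only account and
        # timestamp; a real rule enumerates resources itself. Report at
        # account scope so the result is still recorded.
        return {"ComplianceResourceType": "AWS::::Account",
                "ComplianceResourceId": json.loads(event["invokingEvent"])["awsAccountId"],
                "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "periodic evaluation carries no configuration item"}

    base = {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

    if event.get("eventLeftScope"):
        return {**base, "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "resource deleted or no longer in rule scope"}

    if message_type == OVERSIZED:
        # The summary has no 'configuration' or 'tags'. The full item must be
        # fetched with config.get_resource_config_history() before judging it.
        return {**base, "ComplianceType": "INSUFFICIENT_DATA",
                "Annotation": "oversized item: fetch full configuration before evaluating"}

    tags = item.get("tags") or {}
    compliant = required_tag in tags
    return {**base,
            "ComplianceType": "COMPLIANT" if compliant else "NON_COMPLIANT",
            "Annotation": f"tag {required_tag!r} {'present' if compliant else 'missing'}"}


def make_event(invoking: Dict[str, Any], left_scope: bool = False) -> Dict[str, Any]:
    """Wrap an invokingEvent object in the outer Config event shape (constructed)."""
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps({"requiredTag": "Owner"}),
            "resultToken": "example-token",
            "eventLeftScope": left_scope,
            "configRuleName": "require-owner-tag",
            "accountId": "123456789012"}


# Constructed sample events; IDs and timestamps are invented.
CHANGE_EVENT = make_event({
    "messageType": CHANGE,
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "tags": {"Name": "web"}, "configuration": {"groupName": "web"}}})

OVERSIZED_EVENT = make_event({
    "messageType": OVERSIZED,
    "configurationItemSummary": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef1",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}})

SCHEDULED_EVENT = make_event({
    "messageType": SCHEDULED, "awsAccountId": "123456789012",
    "notificationCreationTime": "2024-01-01T00:00:00.000Z"})

if __name__ == "__main__":
    for ev in (CHANGE_EVENT, OVERSIZED_EVENT, SCHEDULED_EVENT):
        print(json.dumps(evaluate(ev)))
```

The oversized branch is the one most rules get wrong: the summary looks like a configuration item but has no tags or configuration, so treating it as one silently evaluates every oversized resource as non-compliant (or compliant, depending on the rule's default).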

 

Question 44

Your company has placement groups in two different availability zones. There is a large project coming up and, although resilience is important, cost and speed are the most important factors. The servers in each placement group need to be able to achieve the highest speed possible.
How can this be achieved?

A. Create AMIs from all of the instances, terminate them, and deploy them all into one placement group.

B. In the CLI, run the command “aws ec2 set-placement-group 1 ” for all of the instances.

C. Duplicate the VPC, peer the new VPC, create AMIs of the instances, terminate them, and redeploy them in two separate placement groups between the two VPCs.

D. Peer the two placement groups using AWS PG Peering.

 


Suggested Answer: A

Community Answer: C

There is no "AWS PG Peering" option, duplicating the VPC does not align with the cost concern, and there is no "aws ec2 set-placement-group" command. A cluster placement group cannot span Availability Zones, so the lowest-latency, highest-throughput option is to consolidate the instances into a single placement group in one AZ.

 

Question 45

An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account).
There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual interface (VIF) per VPC.
Which of the following designs will minimize cost while allowing the organization to expand?

A. Order 10 new Direct Connect connections, one from each of the accounts that will be provisioned. Create private VIFs in each account. Attach one private VIF per VPC.

B. Create a public VIF on the Direct Connect connection. Leverage the public VIF to create a VPN connection to each VPC.

C. Create hosted private VIFs in the existing account. Connect a private VIF to an AWS Direct Connect gateway in each account. Connect the gateway in each account to the VPCs.

D. Create a transit VPC in the existing account that consists of two routers in separate Availability Zones. Connect each VPC to the two routers in the transit VPC by using VPN.

 


Suggested Answer: D

Community Answer: D

 

Question 46

A space exploration company owns a series of telescopes that capture a large number of images and data of the night sky. The images and data are processed on an application hosted on AWS Fargate in a target group assigned to an Application Load Balancer (ALB). The application is made available through the address https://space.example.com.
Scientists require another custom-built application hosted on several Amazon EC2 instances within an Auto Scaling group. This application will be made available from the address https://space.example.com/meteor. The company needs a solution that can automatically scale from a small number of requests overnight to a large number of requests for a future meteor shower.
What is the MOST operationally efficient solution that meets these requirements?

A. Update the existing target group with the new EC2 instances. Update the application’s ALB by adding a listener rule that redirects /meteor to the newly added EC2 instances.

B. Create a new target group. Configure the Auto Scaling group of the EC2 instances to use the target group. Update the ALB by adding a listener rule that redirects /meteor to the new target group.

C. Create a Network Load Balancer (NLB). Configure the NLB to listen on two ports. Configure a target group for one port to deliver all IP traffic to the Auto Scaling group to process the custom images. Configure a target group for the second port to deliver all IP traffic to Fargate. Use path-based routing in the ALB to route traffic for the URL prefix /meteor to the first target group. Route all other paths to the second target group.

D. Place the ALB behind an Amazon CloudFront distribution. Create a Lambda@Edge function that parses the request URI and adds the path-pattern header with the IP addresses of the EC2 instances to any request for /meteor. Add a listener rule to the ALB that looks for the HTTP header and uses the IP addresses of the EC2 instances to forward the traffic.

 


Suggested Answer: C

Community Answer: B

 

Question 47

What number does the binary number 10101000 correspond to?

A. 168

B. 128

C. 192

D. 160

 


Suggested Answer: A

 

128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168

 

Question 48

An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPC with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.
What is the MOST simple and secure architecture that will achieve the organization's goal?

A. Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.

B. Use the existing VPC and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.

C. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.

D. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.

 


Suggested Answer: B

Community Answer: A

 

Question 49

A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25 customers. The company creates a unique hostname for each customer to use to access the application. Hostnames use the format customer-name.example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application. When a customer visits customer-name.example.com, the ALB should route the request to the correct group of EC2 instances. The company requires a highly available solution that is easy to maintain.
Which solution meets these requirements at the LOWEST cost?

A. Create one ALB for all customers. Create a listener rule that includes an HTTP header condition to match the URL. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.

B. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Configure an NGINX proxy server to manage connections to each ALB. Use Amazon Route 53 to create a CNAME record for each customer-name.example.com hostname that points to the NGINX proxy server.

C. Create one ALB for all customers. Create a listener rule that includes a Host header condition to match the hostname. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.

D. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Create an Amazon CloudFront distribution. Add each ALB to the distribution as a custom origin. Use Amazon Route 53 to create an alias for each customer-name.example.com hostname that points to the CloudFront distribution.

 


Suggested Answer: A

Community Answer: C

 

Question 50

You have a web application (app.mycompany.com) running on an EC2 instance with a single elastic network interface in a subnet in a VPC. Because of a network redesign, you need to move the web application to a different subnet in the same Availability Zone.
Which of the following migration strategies meets the requirements?

A. Create an elastic network interface in the new subnet. Attach this interface to the instance, and detach the old interface.

B. Launch a new instance in the subnet via an AMI created from the instance, and redirect new connections to this new instance using DNS. Decommission the old instance.

C. Make an API call to change the subnet association of the elastic network interface.

D. Change the IP addresses manually to another subnet within the server operating system.

 


Suggested Answer: B

 

An instance cannot be moved to another subnet, so a new instance must be launched from an AMI of the original and traffic cut over with DNS (Response B). A is wrong because the primary network interface (eth0) cannot be detached from a running or stopped instance; only secondary interfaces can be attached and detached. C is not possible: an elastic network interface's subnet is fixed when it is created. D is wrong because the operating system has no control over the addresses AWS assigns to the interface; an address configured only in the OS will not be routed by the VPC.

 

Access Full ANS-C00 Exam Prep Free

Want to go beyond these 50 questions? Click here to unlock a full set of ANS-C00 exam prep free questions covering every domain tested on the exam.

We continuously update our content to ensure you have the most current and effective prep materials.

Good luck with your ANS-C00 certification journey!
