ANS-C00 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the ANS-C00 certification exam? Kickstart your success with our ANS-C00 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with free ANS-C00 practice questions gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free ANS-C00 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URLs, the instances should be able to access any Amazon S3 bucket in the same region via any URL. Which of the following solutions should you deploy? (Choose two.)
A. Include s3.amazonaws.com in the whitelist.
B. Create a VPC endpoint for S3.
C. Run Squid proxy on a NAT instance.
D. Deploy a NAT gateway into your VPC.
E. Utilize a security group to restrict access.
Non-compliant resources identified through the use of AWS Config Rules are automatically removed from operational service.
A. It depends on the Rule configuration
B. Only if it remains non-compliant for more than 6 hours
C. True
D. False
A user is trying to send custom metrics to CloudWatch using the PutMetricData APIs. Which of the following points should the user take care of when sending the data to CloudWatch?
A. The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests
B. The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests
C. The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests
D. The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests
You need to create a subnet in a VPC that supports 14 hosts. You need to be as accurate as possible since you run a very large company. What CIDR should you use?
A. /28
B. /24
C. /25
D. /27
Your VPC has a DX connection that is advertising 99 routes. You have two more prefixes to add: 10.223.1.0/24 and 10.223.2.0/24. You have several locations, so you need to be as exact as possible with your routing. How would you do this?
A. Add the prefixes; AWS allows for as many BGP routes as you need but not static.
B. Contact AWS to extend the number of prefixes you are allowed to advertise.
C. Summarize the routes into a 10.223.0.0/22 and advertise that route instead.
D. Summarize the routes into a 10.223.0.0/12 and advertise that route instead.
Within the TCP/IP model, what is the name of the Packet Data Unit (PDU) used between Transport Layers for communication between sender and receiver?
A. Frames
B. Packets
C. Data
D. Segments
You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?
A. Site A: VPN 10.0.1.0/24 AS 65000 65000
B. Site B: VPN 10.0.1.252/30 AS 65000 65000 65000
C. Site C: DX 10.0.0.0/8 AS 65000
D. Site D: DX 10.0.0.0/16
Your company has decided to use AWS WorkSpaces for its hosted desktop solution. Your company has an existing AD of about 57,000 users, and you want to minimize authentication traffic from AWS to your datacenter. Your company has a lot of personnel changes, and it is crucial that these changes are reflected reliably. What two steps should you take? (Choose two.)
A. Deploy Hosted AD in AWS.
B. Deploy an AD Connector in AWS.
C. Create a DX connection between the datacenter and AWS.
D. Create a VPN between the datacenter and AWS.
You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link. How should you design routing to meet these requirements?
A. Configure a single routing table with two default routes: one to the Internet via an IGW, the other to the on-premises network via the VGW. Use this routing table across all subnets in your VPC.
B. Configure two routing tables: one that has a default route via the IGW, and another that has a default route via the VGW. Associate both routing tables with each VPC subnet.
C. Configure a single routing table with a default route via the IGW. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
D. Configure a single routing table with a default route via the IGW. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.
Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two Direct Connect connections terminate at two different Direct Connect locations. You are using two routers, R1 and R2, at your end (one for each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routes over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC. Which two actions should you take to fix this problem? (Choose two.)
A. Use BGP AS prepend attribute to prepend additional AS numbers while advertising routes from R1 to VGW.
B. Use BGP local preference attribute to assign R1 to a lower local preference number than R2.
C. Use BGP local preference attribute to assign R1 a higher local preference number than R2.
D. Use BGP MED attribute to assign a higher MED value to the routes advertised from R1 to VGW.
E. Use BGP MED attribute to assign a higher MED value to the routes advertised from R2 to VGW.
You are a network engineer at a company that just purchased a DX connection. You ensured your equipment met all of the technical requirements, you have verified with your AWS account manager and your colocation provider that everything is connected, and all of your information is correct. For some reason, the link does not operate correctly. What could be the problem?
A. The CAT6 cable is frayed.
B. Autonegotiation is enabled.
C. You are using 802.1q VLANs instead of 802.1w.
D. BFD is disabled.
You wish to have a sub-1G connection to AWS to save on costs. How can you achieve this?
A. Just set your router to the speed you want and AWS will charge you based on the actual speed of the port.
B. Contact AWS, they will put you in contact with a technical account manager who can help you get this setup.
C. You can’t. The only speeds available for Direct Connect are 1G and 10G.
D. Contact an AWS partner, AWS does not provide sub-1G connection speeds.
A gaming company is running an online multiplayer game in multiple AWS Regions. The company needs traffic from its end users to be routed to the Region that is closest to the end users geographically. When maintenance occurs in a Region, traffic must be routed to the next closest Region with no changes to the IP addresses being used as connections by the end users. Which solution will meet these requirements?
A. Create an Amazon CloudFront distribution in front of all the Regions.
B. Use an Amazon Route 53 geoproximity routing policy to navigate traffic to the closest Region.
C. Use an Amazon Route 53 geolocation routing policy to navigate traffic to the closest Region.
D. Configure AWS Global Accelerator in front of all the Regions.
You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway. The instance has a security group configured to allow as follows:
- Protocol: TCP
- Port: 80 inbound and nothing outbound
The Network ACL for the subnet is configured to allow as follows:
- Protocol: TCP
- Port: 80 inbound and nothing outbound
When you try to browse to the web server, you receive no response. Which additional step should you take to receive a successful response?
A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
A. MPLS
B. BFD
C. AS_PATH Prepending
D. BGP
Which CloudWatch attributes are used for the statistics generation?
A. All the options are used
B. Dimension
C. Data point unit
D. NameSpace
An AWS account owner has set up multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has set up an alarm action which stops EC2 instances when their CPU utilization is below the threshold limit. When an EC2 instance's CPU utilization rate drops below the threshold John has set, what will happen and why?
A. Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.
B. CloudWatch will stop the instance when the action is executed
C. Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm
D. Nothing will happen. John can set up the action, but it will not be executed because he does not have EC2 access through IAM policies.
Which statement about placement groups is incorrect?
A. A placement group is a logical grouping of instances in a single AZ.
B. If you stop an instance and restart it, it will always return to the same placement group.
C. To help ensure capacity in a placement group, deploy all instances at once.
D. There is no charge for creating a placement group.
A company hosts its application, example.com, behind Application Load Balancers in the us-east-1 and eu-west-1 Regions. Users should be routed to the resources geographically nearest to them. Users must not be routed to the application when it is considered unhealthy. How should a network engineer configure Amazon Route 53 to route clients to example.com?
A. Configure latency.example.com to use a weighted routing policy that points to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the evaluate target health setting. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
B. Configure latency.example.com CNAME latency-based records that point to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the setting used to evaluate target health. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
C. Configure latency.example.com to use a geoproximity routing policy that points to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the evaluate target health setting. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
D. Configure latency.example.com alias latency-based records that point to the load balancers, enable the setting used to evaluate target health, and associate an HTTP health check. Configure failover records for example.com. Point the primary CNAME record to latency.example.com, and associate an HTTP health check. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
You need to quickly view inbound traffic to an instance to determine why it isn't reaching the instance properly. What is the best tool for this?
A. Wireshark
B. CloudWatch
C. CloudTrail
D. Flow Logs
You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in front of the application tier. The application tier is driven through RESTful interfaces. The data tier uses relational database service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit. What ELB configuration complies with the corporate encryption policy?
A. Configure the ELB load balancer protocol as HTTP. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
B. Configure the ELB protocols in TCP mode. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
C. Configure the ELB load balancer protocol as HTTPS. Offload application instance encryption to the load balancer. Install your SSL certificate on Amazon RDS, and configure SSL.
D. Configure the ELB protocols in SSL mode. Offload application instance encryption to the load balancer. Install your SSL/TLS certificate on Amazon RDS, and configure SSL.
Select the VPC Peering statement below that is NOT true.
A. VPC peering supports transitive peering relationships for IPv6 traffic but not IPv4
B. VPC peering can be performed between VPCs in different AWS accounts in the same region
C. TCP connections can be performed between peered VPCs
D. UDP connections can be performed between peered VPCs
A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC. Which of the following is the MOST reliable solution?
A. Create an inbound rule in the VPC’s network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
B. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.
C. Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required port. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
D. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accessed. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
Each custom AWS Config rule you create must be associated with a(n) AWS ____, which contains the logic that evaluates whether your AWS resources comply with the rule.
A. Lambda function
B. Configuration trigger
C. EC2 instance
D. S3 bucket
What value in a packet dictates the priority of the packet in a QoS enabled network?
A. BFD
B. IPv6
C. NAT
D. DSCP
Which AWS service is used within an AWS Config Rule to perform the logic evaluation of that rule?
A. Inspector
B. WAF
C. Lambda
D. SWF
Your company just acquired a new company. You have two VPCs: one is 172.31.0.0/16 and one is 10.111.0.0/16. The acquired company uses 10.111.0.0/16 for their VPC. Your VPC "A" has a group of 12 servers in the range 10.111.2.101 - 10.111.2.112. Their VPC "B" has 20 servers from 10.111.2.171 - 10.111.2.190. You need to access both VPCs from the 172.31.0.0/16 VPC "C". What is the best way to approach this problem?
A. From VPC C, create a peering connection and add a route to VPC A’s peering connection for 10.111.2.96/27 and a route to VPC B’s peering connection for 10.111.2.0/24.
B. From VPC C, create a peering connection and add a route to VPC A’s peering connection for 10.111.2.96/28 and a route to VPC B’s peering connection for 10.111.2.0/24.
C. From VPC C, create a peering connection and adjust the route tables to direct traffic to the individual servers by exact IP address of the servers.
D. Invest the money and change the CIDR of one of the VPCs since one VPC cannot be peered to two VPCs with the same CIDR block.
What statement about LAGs is incorrect?
A. If you create a new connection, you will have to fill out another LOA-CFA.
B. You can pool connections with multiple speeds to create one faster speed.
C. You will receive 1 LOA-CFA with a page for each connection.
D. All connections in the LAG must terminate at the same DX endpoint.
Your company just deployed a WAF to protect its resources. You need to create a baseline before you start blocking traffic. How will you achieve this?
A. Set the WAF to Monitor mode.
B. Set the WAF to its defaults and let it do its job.
C. Set up a Lambda function to monitor Flow Logs and analyze the traffic using Elasticsearch.
D. A WAF is default deny and does not allow this. You need to use an IDS instead.
In AWS, which tool records API calls for a specific AWS account and also delivers the log files for that account?
A. CloudTrail
B. Redshift
C. Beanstalk
D. Cognito
An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role. Which combination of services will support these requirements? (Choose two.)
A. Amazon Aurora in a private subnet
B. Amazon CloudFront using AWS Lambda@Edge
C. Customer-managed MySQL with Transparent Data Encryption
D. Application Load Balancer using HTTPS listeners and targets
E. AWS Key Management Service
Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)
A. Remove any rules allowing ::/0 inbound in the security group.
B. Block ::/0 inbound in the NACL.
C. Create an egress-only internet gateway.
D. Block 0.0.0.0/0 inbound in the NACL.
A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum. Which design should be recommended?
A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.
D. Create a total of four private VIFs, and enable VPC peering between all VPCs.
Which service parses large Flow Logs for consumption by other programs such as Kibana?
A. S3
B. Elasticsearch
C. Elastic Beanstalk
D. Kinesis
A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users. What design will use the LEAST amount of IP space, while allowing for this growth?
A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.
B. Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
C. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
D. Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
A. You forgot to add a return route.
B. ICMP is not supported over peering connections.
C. You have to enable Source/Destination check in the VPCs.
D. You have to configure the peering connection to allow two way traffic.
Refer to the image. You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows:
- VPC A: 10.0.0.0/16
- VPC B: 192.168.0.0/16
- VPC C: 10.0.0.0/16
Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10. Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively. i-3 and i-4 are in the subnet 192.168.1.0/24.
- i-3 must be able to communicate with i-1
- i-4 must be able to communicate with i-2
- i-3 and i-4 are able to communicate with i-1, but not with i-2.
Which two steps will fix this problem? (Choose two.)
A. Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
B. Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
C. Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
D. Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.
E. Create two route tables: one with a route for destination VPC A, and another for destination VPC C.
You have just configured an Elastic Load Balancer. Assuming all settings are configured properly, about how long will it take an instance to become healthy with a 6 second HealthCheck Interval, an unhealthy threshold of 5 and a healthy threshold of 10?
A. 120 seconds
B. 30 seconds
C. 6 seconds
D. 60 seconds
You are auditing an AWS infrastructure after you noticed some abnormal charges on the bill. You use AWS Config to monitor your changes. What else is required to find out who made the change?
A. There is no information to find this. You will need to sign up for Config Premium.
B. Use the eventID of the change and reference it with your Flow Logs.
C. Use the eventId of the change and reference it with CloudTrail to find the culprit.
D. Use the eventID of the change and reference it with CloudWatch to find the culprit.
You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect. You have to bring the web server down for maintenance. What two things should you do? (Choose two.)
A. Reboot the instance.
B. Move the ENI from one server to the other.
C. Associate the new ENI with the database security group.
D. Configure a secondary ENI on the standby instance.
A company installed an AWS Site-to-Site VPN and configured it to use two tunnels. The company has learned that the VPN connectivity is unstable. During a ping test from the on-premises data center to AWS, a network engineer notices that the first few ICMP replies time out but that subsequent requests are successful. The AWS Management Console shows that the status for both tunnels last changed at the same time the ping responses were successfully received. Which steps should the network engineer take to resolve the instability? (Choose two.)
A. Enable dead peer detection (DPD) on the customer gateway device.
B. Change the tunnel configuration to active/standby on the virtual private gateway.
C. Use AS PATH prepending on one path to cause all traffic to prefer that tunnel.
D. Send ICMP requests to an instance in the VPC every 5 seconds from the on-premises network.
E. Use a higher multi-exit discriminator (MED) value on the preferred path to prefer that tunnel.
A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone. What is the MOST reliable way to implement DNS in this scenario?
A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.
C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
What is the IPv6 subnet CIDR used by a VPC?
A. /128
B. /56
C. /48
D. /16
What number does the binary number 11000000 correspond to?
A. 128
B. 192
C. 64
D. 117
You can use the ____ command of the AWS Config service CLI to see the compliance state for each AWS resource of a specific type.
A. describe-compliance-by-resource
B. get-compliance-details-by-config-rule
C. describe-compliance-by-config-rule
D. get-compliance-details-by-resource
You would like to automate the monitoring of changes in the configurations of your AWS resources and respond programmatically to configurations of only a certain type. To do this, you could use Amazon ____ as the endpoint for the Amazon SNS topics that generate messages from AWS Config.
A. Kinesis
B. Simple Email Service (SES)
C. Simple Storage Service (S3)
D. Simple Queue Service (SQS)
You can use the ____ page of the AWS Config console to look up resources that AWS Config has discovered, including deleted resources and resources that are not currently being recorded.
A. snapshot listing
B. configuration history
C. resource inventory
D. resource database
You are responsible for several EC2 instances deployed from Amazon AMIs that are required to upload information to an S3 bucket. This information must not traverse the public internet. You must also be able to update the instances. Which option is your best solution?
A. An S3 endpoint and a NAT
B. An S3 endpoint
C. A VPN to the IP addresses specified in the AWS official S3 prefix list
D. A NACL with the AWS prefix list added to it and a VPN.
What two items are required for all AWS VPNs? (Choose two.)
A. Virtual Private Gateway
B. ASN
C. A hardware router
D. Customer Gateway
Select the answer(s) that correctly state how Jumbo Frames work.
A. Jumbo Frames assist with application disk storage
B. Jumbo Frames can assist with application performance
C. Jumbo Frames are supported across Virtual Private Gateway connections
D. Jumbo Frames are enabled by increasing the MTU size to 9000 kilobytes
Good luck with your ANS-C00 certification journey!