ANS-C00 Practice Test Free


ANS-C00 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence

Preparing for the ANS-C00 exam? Start with our ANS-C00 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.

Taking a free ANS-C00 practice test is one of the smartest ways to:

  • Get familiar with the real exam format and question types
  • Evaluate your strengths and spot knowledge gaps
  • Gain the confidence you need to succeed on exam day

Below, you will find 50 free ANS-C00 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.

Question 1

A company is connecting to a VPC over an AWS Direct Connect using a private VIF, and a dynamic VPN connection as a backup. The company's Reliability Engineering team has been running failover and resiliency tests on the network and the existing VPC by simulating an outage situation on the Direct Connect connection. During the resiliency tests, traffic failed to switch over to the backup VPN connection.
How can this failure be troubleshot?

A. Ensure that Bidirectional Forwarding Detection is enabled on the Direct Connect connection

B. Confirm that the same routes are being advertised over both the VPN and Direct Connect.

C. Reconfigure the Direct Connect session from static routes to Border Gateway Protocol (BGP) peering.

D. Configure a virtual private gateway for the VPN and another virtual private gateway for Direct Connect.

 


Suggested Answer: C

Community Answer: B

Reference:
https://aws.amazon.com/answers/networking/aws-single-data-center-ha-network-connectivity/

 

Question 2

Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)

A. Remove any rules allowing ::/0 inbound in the security group.

B. Block ::/0 inbound in the NACL.

C. Create an egress-only internet gateway.

D. Block 0.0.0.0/0 inbound in the NACL.

 


Suggested Answer: AC

 

Blocking 0.0.0.0/0 will only block IPv4; blocking ::/0 in the NACL will prevent return traffic and updates to the instances. An egress-only internet gateway or blocking ::/0 inbound in the security group will allow the instances to initiate outbound connections and receive the return traffic, while still preventing outside attackers from initiating connections to the instances.

 

Question 3

You need to find the MTU used by another instance, but tracepath is not working. You know the instance you are trying to tracepath has open security group and NACL rules. Which protocol do you need to allow to access your instance to remedy this?

A. Protocol 6: TCP

B. Protocol 47: GRE

C. Protocol 17: UDP

D. Protocol 1: ICMP

 


Suggested Answer: D

Community Answer: C

You need to allow Protocol 1, ICMP, to access your instance. tracepath specifically needs the “destination unreachable” feature of ICMP.

 

Question 4

Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately.
What are the minimum requirements for your router?

A. 1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.

B. 1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.

C. IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5

D. BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel

 


Suggested Answer: B

Community Answer: B

 

Question 5

To allow all traffic to access an instance in "Subnet 1" that uses "Security Group 1", what two options need to be configured? (Choose two.)

A. NACL rule allowing 0.0.0.0/0 to access “Subnet 1”

B. Security Group rule in “Security Group 1” that allows 0.0.0.0/0 inbound

C. Security Group rule in “Security Group 1” that allows outbound traffic to 0.0.0.0/0

D. NACL rule allowing 0.0.0.0/0 to access “Security Group 1”

 


Suggested Answer: AB

Community Answer: AB

You must allow traffic through the NACL and through the Security Group to access the instance. If there is not an Outbound allow setup in the NACL, you may need to set that, but an outbound rule for Security Group 1 is not necessary as security groups are stateful.

 

Question 6

You want to ensure you have the absolute best transmission rates inside and outside your VPC. You are concerned about the MTU settings. What is the best way to configure your T2 instances to ensure the best compatibility?

A. Set all MTU to 1500 as that is the best way to ensure compatibility.

B. Leave everything as is.

C. Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.

D. Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.

 


Suggested Answer: C

Community Answer: A

By using two ENIs, you ensure the right MTU goes to the proper destination.

 

Question 7

For web distributions in Amazon CloudFront, your origin can be either an Amazon S3 bucket or _______ .

A. a DNS server

B. a proxy server

C. an FTP server

D. an HTTP server

 


Suggested Answer: D

 

For web distributions in Amazon CloudFront, your origin can be either an Amazon S3 bucket or an HTTP server.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-overview.html

 

Question 8

A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy.
What is the MOST cost-effective solution to meet these requirements?

A. Move the EC2 instances to a dedicated VPC. Enable VPC Flow Logs with a filter on the deny action. Publish the flow logs to Amazon CloudWatch Logs.

B. Move the EC2 instances to a dedicated VPC subnet. Enable VPC Flow Logs for the subnet with a filter on the reject action. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.

C. Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.

D. Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.

 


Suggested Answer: A

Community Answer: D

 

Question 9

In order to change the name of the AWS Config ____, you must stop the configuration recorder, delete the current one, and create a new one with a new name, since there can only be one of these per AWS account.

A. SNS topic

B. configuration history

C. delivery channel

D. S3 bucket path

 


Suggested Answer: C

 

As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates. You can have only one delivery channel per AWS account, and the delivery channel is required to use AWS Config. To change the delivery channel name, you must delete it and create a new delivery channel with the desired name. Before you can delete the delivery channel, you must temporarily stop the configuration recorder. The AWS Config console does not provide the option to delete the delivery channel, so you must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/update-dc.html

 

Question 10

You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect.
You have to bring the web server down for maintenance, what two things should you do? (Choose two.)

A. Reboot the instance.

B. Move the ENI from one server to the other.

C. Associate the new ENI with the database security group.

D. Configure a secondary ENI on the standby instance.

 


Suggested Answer: CD

 

You must configure a secondary ENI on the standby instance with an IP address that can access the data subnet. This may require modification of the security group for the database.

 

Question 11

DNS name resolution must be provided for services in the following four zones:
[Image not available]
The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region.
Each VPC should resolve the names in all zones.
How can you use Amazon Route 53 to meet these requirements?

A. Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.

B. Create a single Route 53 Private Hosted Zone for the zone company.private. and associate it with the three VPCs.

C. Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward

D. Create a single Route 53 Public Hosted Zone for the zone company.private. and configure the VPC DNS Resolver to forward

 


Suggested Answer: D

Community Answer: A

 

Question 12

Select the answer/s that correctly state how Jumbo Frames work

A. Jumbo Frames assist with application disk storage

B. Jumbo Frames can assist with application performance

C. Jumbo Frames are supported across Virtual Private Gateway connections

D. Jumbo Frames are enabled by increasing the MTU size to 9000 kilobytes

 


Suggested Answer: B

 

We know by definition that Jumbo Frames support 9000 byte MTU – therefore Answer A is incorrect (the stated unit is kilobytes). Jumbo Frames is a data transmission unit configuration option – it does not change or alter anything related to security – therefore Answer B is incorrect. Answer C is correct – we can get improved application performance when used within appropriate scenarios. Jumbo Frames are not supported over VPG IPsec VPN connections – therefore Answer D is incorrect. Answer E is nonsensical – Jumbo Frames is a networking construct and has nothing to do with disk storage.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

 

Question 13

A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable, ‘app.example.com’.
Instances within the VPC should always connect to the private IP to minimize data transfer costs.
How should the engineer configure DNS to support these requirements?

A. Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.

B. Create two A record entries for ‘app’ in the DNS zone ‘example.com’ – one for the public IP and one for the private IP.

C. Use Route 53 to create an ALIAS record to the public DNS name for the instance.

D. Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.

 


Suggested Answer: D

Community Answer: D

 

Question 14

A company has a hybrid IT architecture with two AWS Direct Connect connections to provide high availability. The services hosted on-premises are accessible using public IPs, and are also on the 172.16.0.0/16 range. The AWS resources are on the 192.168.0.0/18 range. The company wants to use Amazon Elastic Load Balancing for SSL offloading, health checks, and sticky sessions.
What should be done to meet these requirements?

A. Create a Network Load Balancer pointing to the on-premises server’s private IP address.

B. Create an Amazon CloudFront distribution for the on-premises service and use the public IPs of the on-premises servers as the origin.

C. Create a Network Load Balancer pointing to the on-premises server’s public IP address.

D. Create an Application Load Balancer pointing to the on-premises server’s private IP address.

 


Suggested Answer: A

Community Answer: D

 

Question 15

You are auditing an AWS infrastructure after you noticed some abnormal charges on the bill. You use AWS Config to monitor your changes. What else is required to find out who made the change?

A. There is no information to find this. You will need to sign up for Config Premium.

B. Use the eventID of the change and reference it with your Flow Logs.

C. Use the eventId of the change and reference it with CloudTrail to find the culprit.

D. Use the eventID of the change and reference it with CloudWatch to find the culprit.

 


Suggested Answer: C

 

CloudTrail is for finding “who” performed an action.

 

Question 16

Your organization has placed a project on hold and has stopped 30 public EC2 instances. These instances use instance store volumes and do not have custom AMIs associated. You are still being charged every month.
What is the charge probably for?

A. AWS charges for dormant accounts.

B. You have Elastic IPs associated with those instances.

C. There is a “stopped instance” fee that AWS charges every month.

D. You are being charged for the EBS volumes.

 


Suggested Answer: B

Community Answer: B

You have Elastic IPs associated with those instances. AWS charges for any unused Elastic IPs in your account.

 

Question 17

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?

A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.

B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.

C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.

D. Create a total of four private VIFs, and enable VPC peering between all VPCs.

 


Suggested Answer: A

Community Answer: D

 

Question 18

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?

A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.

B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.

C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.

D. Create a total of four private VIFs, and enable VPC peering between all VPCs.

 


Suggested Answer: D

Community Answer: D

 

Question 19

Which of these addresses cannot be given to an EC2 instance in your VPC?

A. 10.0.0.157

B. 10.0.0.3

C. 10.0.0.4

D. 10.0.0.253

 


Suggested Answer: B

 

10.0.0.3 is reserved by AWS for future use.

 

Question 20

You are your company's AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 departmental dedicated VPCs (VPC-Dept1 and VPC-Dept2). The centralised VPC is VPC peered to both of the departmental VPCs, that is a VPC peering connection exists between VPC-Shared and VPC-Dept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2.
Select the correct option from the list below.

A. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been disabled.

B. Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa regardless of who initiates communication

C. All network communication remains blocked between all VPCs until the respective peering bi-directional communication flags are set to the appropriate setting that allows traffic to flow.

D. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been enabled.

 


Suggested Answer: B

 

Answers A, C and D are incorrect answers as they reference a non-existing setting – there is no such thing as a “default peering bi-directional communication flag”.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html#one-to-two-vpcs-instances

 

Question 21

What are 2 possible ALIAS records? (Choose two.)

A. DynamoDB

B. Elastic Beanstalk

C. CloudFront

D. EC2 Instance

 


Suggested Answer: BC

 

You cannot create an ALIAS record that points to an EC2 instance or DynamoDB.

 

Question 22

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.
Which two AWS Services could you leverage to build an automated notification system? (Choose two.)

A. Internet gateway

B. VPC Flow Logs

C. AWS CloudTrail

D. Lambda

E. AWS Inspector

 


Suggested Answer: CD

Community Answer: BD

References:
https://aws.amazon.com/blogs/security/how-to-receive-alerts-when-specific-apis-are-called-by-using-aws-cloudtrail-amazon-sns-and-aws-lambda/

 

Question 23

A company with several VPCs in the us-east-1 Region wants to reduce the cost of its workloads. A network engineer has identified that all traffic bound to Amazon services is flowing through a NAT gateway. Additionally, all the VPCs are peered to a hub VPC for access to common services.
What should the network engineer do to reduce data transfer costs to Amazon Simple Queue Service (Amazon SQS)?

A. Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.

B. Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.

C. Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.

D. Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.

 


Suggested Answer: A

Community Answer: B

 

Question 24

Does Amazon VPC support multicast or broadcast?

A. Yes, both.

B. It doesn’t support any of them.

C. Multicast yes, Broadcast no.

D. Both, but only outside Amazon VPC.

 


Suggested Answer: B

Community Answer: B

Amazon VPC does not support multicast or broadcast.
Reference:
https://aws.amazon.com/vpc/faqs/

 

Question 25

Which other AWS service is used to track ‘Related Events’ within the Configuration Item?

A. AWS WAF

B. SQS

C. AWS CloudTrail

D. S3

 


Suggested Answer: C

 

‘Related Events’ displays the AWS CloudTrail event ID that is related to the change that triggered the creation of the CI. A new CI is made for every change made against a resource. As a result, different CloudTrail event IDs will be created. This allows you to deep-dive into who or what made the change that triggered this CI, and when. A great feature allowing for some great analysis to be undertaken, specifically when this affects security resources.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html#config-item-table

 

Question 26

The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity.
Select the correct statement below regarding the correct configuration options to ensure IPsec confidentiality:

A. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, MD5

B. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, AES

C. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

D. The following protocols may be used to configure IPsec confidentiality, PSK, MD5

E. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

 


Suggested Answer: B

 

Answer A is incorrect – as MD5 is a hashing protocol (data integrity).
Answer C is incorrect – as PSK is short for Pre-Shared Keys (key exchange) – and again MD5 is a hashing protocol (data integrity).
Answer D is incorrect – as both MD5 and SHA are hashing protocols (data integrity).
Answer E is incorrect – as both PSK and RSA are used for key exchanges.
This leaves Answer B as the only correct IPsec configuration covering confidentiality. DES, 3DES, and AES are all encryption protocols.
Reference:
https://en.wikipedia.org/wiki/IPsec

 

Question 27

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs.
Why might this be?

A. You forgot to add a return route.

B. ICMP is not supported over peering connections.

C. You have to enable Source/Destination check in the VPCs.

D. You have to configure the peering connection to allow two way traffic.

 


Suggested Answer: A

Community Answer: A

Every route needs a return route for ICMP traffic.

 

Question 28

A company has a VPC in the us-west-1 Region and another VPC in the ap-southeast-2 Region. Network engineers set up an AWS Direct Connect connection from their data center to the us-east-1 Region. They create a private virtual interface (VIF) that references a Direct Connect gateway, which is then connected to virtual private gateways in both VPCs. When the setup is complete, the engineers cannot access resources in us-west-1 from ap-southeast-2.
What should the network engineers do to resolve this issue?

A. Add the subnet range for the VPCs in us-west-1 and ap-southeast-2 to the route tables for both VPCs. Add the Direct Connect gateway as a target.

B. Configure the Direct Connect gateway to route traffic between the VPCs in ap-southeast-2 and us-west-2.

C. Establish a VPC peering connection between the VPCs in ap-southeast-2 and us-west-2. Add the subnet ranges to the routing tables.

D. Create static routes in each VPC that point to the destination VPC with the virtual private gateway as the route target.

 


Suggested Answer: B

Community Answer: C

 

Question 29

The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.
A team will migrate the PCI DSS application from on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?

A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin’s Protocol Policy to ‘Match Viewer’.

B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.

C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.

D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.

 


Suggested Answer: C

Community Answer: A

 

Question 30

Your boss decides to assign an Elastic IP to a production instance. Once he does this, access to the URL for that website fails. What happened?

A. The original IP address was released back to AWS when the Elastic IP was assigned.

B. Your boss only needs to restart the Apache service.

C. Your boss should have turned off the server before assigning the IP address.

D. Your boss needs to restart the server.

 


Suggested Answer: A

 

The original IP address was released back to AWS when the Elastic IP was assigned. If you attach an EIP, you lose the address originally assigned to the instance unless you add it to another interface.

 

Question 31

In AWS, which service provides a reliable and inexpensive way to backup and archive CloudTrail log files?

A. Amazon Archiver

B. Amazon Glacier

C. AWS Storage Gateway

D. Amazon Elastic Block Store

 


Suggested Answer: B

Community Answer: B

You control the retention policies for your CloudTrail log files. By default, log files are stored indefinitely, but for cost efficiency, you may want to delete old log files or archive them to Amazon Glacier, a storage service optimized for data archiving and backup of infrequently used data.
Reference:
https://aws.amazon.com/cloudtrail/faqs/

 

Question 32

Which two methods can be used to ensure items are distributed only to the correct parties? (Choose two.)

A. Signed URLs

B. Signed cookies

C. Signed biscuits

D. Signed SSLs

 


Suggested Answer: AB

 

Signed cookies and signed URLs are used to ensure only intended parties can access CloudFront resources.

 

Question 33

You have two placement groups in a VPC. What communication speed can be expected between the two placement groups?

A. 5Gbps

B. 10Gbps

C. 20Gbps

D. You cannot communicate between two placement groups.

 


Suggested Answer: A

Community Answer: A

5Gbps is the maximum speed for traffic outside of a placement group.

 

Question 34

You can use the ____ command of the AWS Config service CLI to see the compliance state of each of your rules.

A. get-compliance-details-by-resource

B. describe-compliance-by-config-rule

C. get-compliance-details-by-config-rule

D. describe-compliance-by-resource

 


Suggested Answer: B

 

You can use the describe-compliance-by-config-rule command of the AWS Config CLI to see the compliance state of each of your rules. For each rule that has a compliance type of NON_COMPLIANT, AWS Config returns the number of noncompliant resources for the CappedCount parameter.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_view-compliance.html

 

Question 35

Which of the following is true when you don't configure Amazon CloudFront to forward cookies to your origin?

A. CloudFront removes the Cookie header from requests that it forwards to your origin.

B. CloudFront disables viewer requests to your origin, including all cookies.

C. CloudFront caches your objects based on cookie values.

D. CloudFront automates code deployments to any instance.

 


Suggested Answer: A

 

If you don’t configure CloudFront to forward cookies to your origin, CloudFront removes the Cookie header from requests that it forwards to your origin and removes the Set-Cookie header from responses that it returns to your clients.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

 

Question 36

Which of the following does not configure Amazon CloudFront cache behaviors to forward cookies to an origin for web distributions?

A. Origin server

B. AWS CLI

C. Amazon EMR

D. Amazon S3

 


Suggested Answer: D

 

Amazon S3 and some HTTP servers do not process cookies. Do not configure Amazon CloudFront cache behaviors to forward cookies to an origin that doesn’t process cookies or you’ll adversely affect cache ability and consequently performance.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

 

Question 37

From the following options, select the answer that correctly describes the implementation of the HTTP protocol

A. By definition, HTTP is a connection-less oriented protocol and therefore utilises TCP

B. By definition, HTTP is a connection orientated protocol and therefore utilises TCP

C. By definition, HTTP is a connection-less oriented protocol and therefore utilises UDP

D. By definition, HTTP can be configured to be either connection or connection-less oriented – by specifying the appropriate HTTP header.

 


Suggested Answer: B

 

HTTP is a connection orientated protocol and therefore utilizes TCP.
Reference:
https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

 

Question 38

You need to find the subnet, the security group and the VPC that your instance is associated with. You only have access to the terminal of an instance with an admin role attached.
What is the first part of the command you would use?

A. aws ec2 describe-network-acl

B. aws ec2 describe-instances

C. aws vpc describe-all

D. aws ec2 describe-security-groups

 


Suggested Answer: B

 

aws ec2 describe-instances returns a significant amount of information about the instances in your account. Apply a filter to see information about your instance. describe-security-groups and describe-network-acl would not allow you to see which group is associated with your instance, and aws vpc describe-all doesn’t exist.

 

Question 39

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.
Which of the following connectivity options should you choose?

A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.

B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.

C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.

D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.

 


Suggested Answer: D

Community Answer: C

 

Question 40

A network engineer has configured a private hosted zone using Amazon Route 53. The engineer needs to configure health checks for record sets within the zone that are associated with instances.
How can the engineer meet the requirements?

A. Configure a Route 53 health check to a private IP associated with the instances inside the VPC to be checked.

B. Configure a Route 53 health check pointing to an Amazon SNS topic that notifies an Amazon CloudWatch alarm when the Amazon EC2 StatusCheckFailed metric fails.

C. Create a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the state of the alarm.

D. Create a CloudWatch alarm for the StatusCheckFailed metric and choose Recover this instance, selecting a threshold value of 1.

 


Suggested Answer: A

Community Answer: C

 

Question 41

Your company just purchased a domain using another registrar and wants to use the same nameservers as your current domain hosted with AWS. How would this be achieved?

A. Every domain must have different nameservers.

B. In the API, create a Reusable Delegation Set.

C. Import the domain to your account and it will automatically set the same nameservers.

D. In the console, create a Reusable Delegation Set.

 


Suggested Answer: B

 

You can’t create a reusable delegation set in the console. AWS does not provide the same nameservers to new domains, but a reusable delegation set can be used with as many domains as you like.

 

Question 42

An organization delivers high-resolution, dynamic web content. Internet users access the content from a variety of platforms, including mobile, tablet and desktop.
Each platform receives a customized experience to account for the differences in viewing modes. A dedicated, automatic-scaling fleet of Amazon EC2 instances is used for each platform to serve content based on path-based headers.
Which combination of services will MINIMIZE cost and MAXIMIZE performance? (Choose two.)

A. Amazon CloudFront with Lambda@Edge

B. Network Load Balancer

C. Amazon S3 static websites

D. Amazon Route 53 with traffic flow policies

E. Application Load Balancer

 


Suggested Answer: AE

 

References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html

 

Question 43

An AWS Config rule can be set to be evaluated if a certain set of resources undergoes a configuration change. The set of resources to which the rule applies can be restricted by the rule's ____, which can include a combination of a resource type and a resource ID, for example.

A. trigger

B. domain

C. manifest

D. scope

 


Suggested Answer: D

 

When you add an AWS Config rule to your account, you can specify when you want AWS Config to run the rule; this is called a trigger. AWS Config evaluates your resource configurations against the rule when the trigger occurs. You choose which resources trigger the evaluation by defining the rule’s scope. The scope can include the following:
  • One or more resource types
  • A combination of a resource type and a resource ID
  • A combination of a tag key and value
  • When any recorded resource is created, updated, or deleted
AWS Config runs the evaluation when it detects a change to a resource that matches the rule’s scope. You can use the scope to constrain which resources trigger evaluations. Otherwise, evaluations are triggered when any recorded resource changes.
Reference:
http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html

 

Question 44

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. EC2 instances in neither the public nor the private subnet are able to access the S3 bucket.
What should you do to enable Amazon S3 access from EC2 instances in the private subnet?

A. Add the CIDR address range of the private subnet to the S3 bucket policy.

B. Add the VPC-E identifier to the S3 bucket policy.

C. Add the VPC identifier for the production VPC to the S3 bucket policy.

D. Add the VPC-E identifier for the production VPC to endpoint policy.

 


Suggested Answer: A

Community Answer: B

 

Question 45

To get started using AWS Direct Connect, in which of the following steps do you configure Border Gateway Protocol (BGP)?

A. Complete the Cross Connect

B. Verify your Virtual Interface

C. Create a Virtual Interface

D. Submit AWS Direct Connect Connection Request

 


Suggested Answer: C

Community Answer: D

In AWS Direct Connect, your network must support Border Gateway Protocol (BGP) and BGP MD5 authentication, and you need to provide a private Autonomous System Number (ASN) for that to connect to Amazon Virtual Private Cloud (VPC). To connect to public AWS products such as Amazon EC2 and Amazon S3, you will also need to provide a public ASN that you own (preferred) or a private ASN. You have to configure BGP in the Create a Virtual Interface step.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#createvirtualinterface

 

Question 46

You have a website hosted on EC2 that is not serving web pages. You have ensured that the server is running and the site is configured properly. What could be the problem?

A. Your NACL does not allow port 80 outbound.

B. Your NACL does not allow ports 1024-65535 outbound.

C. Your NACL does not allow ports 1024-65535 inbound.

D. Your security group does not allow outbound traffic.

 


Suggested Answer: B

 

The ephemeral ports 1024-65535 are required outbound for return traffic. For the server to access websites, those same ports need to be allowed inbound.

 

Question 47

You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 × 7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud.
Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets.
Select the correct network configuration that best facilitates your company's continued growth plans.

A. Provision a Direct Connect connection – between your service provider’s data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required

B. Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS is enabled – this is a secure and cheap option

C. Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS is enabled – this is a secure and cheap option

D. Provision a Direct Connect connection – between your existing service provider’s data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual Interface

 


Suggested Answer: D

Community Answer: D

Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations – therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required – the answer is yes and therefore the correct answer is D.
Reference:
https://aws.amazon.com/directconnect/faqs/

 

Question 48

Your company has decided to deploy AWS WorkSpaces for its hosted desktop solution. Your manager is very concerned with security and cost, as well as reliability.
What two things should be deployed? (Choose two.)

A. VPN

B. AWS Hosted AD

C. Direct Connect

D. AD Connector

 


Suggested Answer: CD

Community Answer: AD

A VPN should be deployed over Direct Connect to ensure the traffic is encrypted. You would use an AD Connector here since it doesn’t cache any credentials in the cloud. AWS Hosted AD is more expensive and caches credentials.

 

Question 49

A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?

A. Configure an AWS Direct Connect private virtual interface to the company’s AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.

B. Configure a VPN connection to the company’s AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.

C. Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over a Direct Connect connection.

D. Configure a VPN connection to the company’s AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.

 


Suggested Answer: C

Community Answer: A

 

Question 50

A gaming company is running an online multiplayer game in multiple AWS Regions. The company needs traffic from its end users to be routed to the Region that is closest to the end users geographically. When maintenance occurs in a Region, traffic must be routed to the next closest Region with no changes to the IP addresses being used as connections by the end users.
Which solution will meet these requirements?

A. Create an Amazon CloudFront distribution in front of all the Regions.

B. Use an Amazon Route 53 geoproximity routing policy to navigate traffic to the closest Region.

C. Use an Amazon Route 53 geolocation routing policy to navigate traffic to the closest Region.

D. Configure AWS Global Accelerator in front of all the Regions.

 


Suggested Answer: C

Community Answer: D

 

Free Access Full ANS-C00 Practice Test Free Questions

If you’re looking for more ANS-C00 practice test free questions, click here to access the full ANS-C00 practice test.

We regularly update this page with new practice questions, so be sure to check back frequently.

Good luck with your ANS-C00 certification journey!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
