AWS Certified Advanced Networking – Specialty
1) Two BGP border routers are advertising prefixes to internal BGP neighbors. Administration wants the internal routers to prefer the routes learned from one border router over routes learned from the other border router. Which BGP attribute or property should be modified to achieve the desired result?
Local Preference
AS Path
Weight
Correct Answer: Local Preference
2) You have decided to peer two VPCs that are located in the same region but in different accounts. VPC A and VPC B. A team of developers are using VPC A to perform heart beat checks on servers in VPC B. The servers in VPC B are being pinged by their public DNS name provided by the DHCP server in VPC B. The developers are having issues performing the heart beat checks. Which of the follow could be the reasons for the issues? (Choose 3)
The requestor DNS resolution has not been enabled for VPC B.
The NAT gateway security group has not been configured to allow traffic from VPC B into VPC A.
The accepter DNS resolution has not been enabled for VPC A.
The appropriate private routes in the route table in VPC B has not been setup properly. The appropriate private routes in the route table in VPC A has not been setup properly.
Either the enableDnsHostnames or the enableDnsSupport has not been enabled on one of the two VPCs.
Correct Answer: The requestor DNS resolution has not been enabled for VPC B.
.The accepter DNS resolution has not been enabled for VPC A.
.The appropriate private routes in the route table in VPC B has not been setup properly. The appropriate private routes in the route table in VPC A has not been setup properly..
3) What is the name of the AWS feature that allows VGWs to automatically advertise learned routes over all connections that support dynamic routing?
CloudRoute
CloudHub
Direct Connect
Correct Answer: CloudHub
4) You have recently been approached by another team member asking your advice on implement the DevOps practice of blue/green deployments. Which of the following strategies will allow you to have blue/green deployments?
Setup a single Route 53 record set with a weighted routing policy.
Setup multiple ENIs with round-robin routing enabled on each
Setup multiple Route 53 record sets with a weighted routing policy.
Correct Answer: Setup multiple Route 53 record sets with a weighted routing policy.
5) Your team is using an EC2 NAT instance for NAT translation in your VPC. The private subnet has a route table with the 0.0.0.0/0 routing to the NAT instance. Whenever packages are installed onto private instances, the traffic is extremely slow. What can be done to resolve this issue? (Choose 2)
Adding a second NAT instance and creating a second route to the route table routing to the newly created NAT instance.
Moving the NAT instance a larger instance family type
Migrating the NAT instance to a NAT gateway
Ensure the NAT instance is in the same AZ and private subnets as the instances, reducing the network latency.
Correct Answer: Moving the NAT instance a larger instance family type.Migrating the NAT instance to a NAT gateway.
6) Which of the following VPN solutions can support OpenVPN? (Choose 2)
AWS Client VPN Service
AWS VPN Connection
Software VPN
Virtual Private Gateway
Correct Answer: AWS Client VPN Service.Software VPN.
7) You have a launch a new web application in a VPC that requires SSL mutual client side authentication using embedded AES encrypted chips. You have setup a classic load balancer listener and have a requirement to support mutual authentication between the client and the application. Which of the following protocol must you setup on the load balancer listener?
HTTP
TSL
TCP
Correct Answer: TCP
8) True or false: Customers need to create two or more AWS VPN connections to ensure minimum availability.
FALSE
TRUE
Correct Answer: FALSE
9) You are launching a new EC2 instance into a VPC with a CIDR range of 10.10.0.0/16 with a single subnet using the 10.10.0.0/18 CIDR range. Which of the following private IP addresses are not valid IPv4 addresses that could be assigned by the DHCP server?
10.10.1.1
10.10.63.255
10.10.0.4
Correct Answer: 10.10.63.255
10) True or false: Virtual Private Networks require no additional network infrastructure.
TRUE
FALSE
Correct Answer: FALSE
11) You have created an application load balancer to host your team’s web facing application. The marketing team has recently purchased a domain name that they want you to use to serve out the application from. Both website links of awesome-guru.com and www.awesome-guru.com need to point to the same location. What can you do to properly make this work?
First, create an ALIAS record for awesome-guru.com and pointing it to the ALB as a target. Next, create a CNAME record for www.awesome-guru.com and point it to awesome-guru.com.
Create a single ALIAS record with two names: awesome-guru.com and www.awesome-guru.com. Point the ALIAS to the ALBs DNS name.
First, create a CNAME record for awesome-guru.com and pointing it to the ALBs DNS name. Next, create a second CNAME record for www.awesome-guru.com and point it to the ALBs DNS name.
Correct Answer: First, create an ALIAS record for awesome-guru.com and pointing it to the ALB as a target. Next, create a CNAME record for www.awesome-guru.com and point it to awesome-guru.com.
12) Which of the following is required when you are creating an Amazon Workspace?
A VPC with two subnets. One public and one private.
Amazon Workspaces client
A User directory.
Correct Answer: A User directory.
13) Each region consists of how many Availability Zones?
At least 1
Three
Two or more
Correct Answer: Two or more
14) What can you do to stop sending traffic to resources with a weighted routing policy?
Delete the resource record.
Change the weight of the resource record to 0.
Change the weight of the resource record to 100.
Correct Answer: Change the weight of the resource record to 0.
15) You are working in Route 53 and you need to create a record so your team can point at existing domain name to a CloudFront distribution. What type of record can be created to achieve this?
Create an PTR record that points to the CloudFront distribution.
Create an ALIAS record that points to the CloudFront distribution.
Create a private hosted zone in Route 53 then create an ALIAS record that points to the CloudFront distribution.
Correct Answer: Create an ALIAS record that points to the CloudFront distribution.
16) Whenever the enableDnsHostnames attribute is set to true, what will Amazon do for you?
Auto-assigned internal DNS hostnames to EC2 instances.
Auto-assign DNS hostnames to EC2 instances.
Gives you the ability to manually configure the DNS names for your EC2 instances in your VPC.
Correct Answer: Auto-assign DNS hostnames to EC2 instances.
17) The customers that you serve content to use many different types of devices. For example, laptops, mobile devices, tablets, etc. You need to find a way to optimize what users see and interact with depending on what type of device they are using. Which of the following strategies can be used to accomplish this? (Choose 2)
Using Path-based routing with an Application Load Balancer
Using CloudFront and Lambda@Edge
Using Host-based routing with a Network Load Balancer
Using Host-based routing with an Application Load Balancer
Correct Answer: Using CloudFront and Lambda@Edge.
Using Host-based routing with an Application Load Balancer.
18) Which is the correct size and source IP range for customized AWS Site-to-Site VPN Connection tunnel settings?
A size /30 block from the 192.168.1.0/24 range.
A size /24 block from the 192.168.0.0/16 range.
A size /30 block from the 169.254.0.0/16 range
Correct Answer: A size /30 block from the 169.254.0.0/16 range
19) Which of the following are default AWS routing behaviours?
VGW static routes are not advertised over connections using dynamic routing.
A VGW automatically updates VPC route tables with learned routes.
A VGW will learn all routes advertised over a Direct Connect association.
Correct Answer: A VGW will learn all routes advertised over a Direct Connect association.
20) How many client VPN tunnels can an AWS VPN Connection support?
0
50
25
Correct Answer: 0
21) You have a VPC with a CIDR range of 33.10.0.0/16 and you are running out of available IPv4 addresses. Which of the following IP ranges could you use to expand your VPCs by adding secondary IPv4 CIDR ranges? (Choose 2)
192.168.1.0/17
33.11.0.0/16
10.0.0.0/8
100.64.0.0/18
Correct Answer: 33.11.0.0/16.
100.64.0.0/18.
22) A BGP router has more than one prefix to the same destination network. The two prefixes also have the same “weight” value. Which attribute or property would be used to select the preferred prefix?
Local Preference
Length
Metric
Correct Answer: Local Preference
23) You work for an organization who has decided to move their existing architecture to AWS. As a solutions architect your job is to move the architecture into a VPC and determine the layout of that VPC. You’ll need to ensure the web server is in a public subnet and the database server is in a private subnet. Another requirement is that the architecture must be highly available, so this means there will be a minimum of two web servers and two database servers. How many subnets should you have to ensure high availability?
2
4
6
Correct Answer: 4
24) You are reviewing the architecture for a current setup where a VPC endpoint has been created to access S3 data privately within a VPC. The default endpoint policy is in place, and when trying to access the bucket, your access is denied. What can be done to solve this issue?
Add the VPC endpoint to the endpoint policy to allow access to the S3 bucket.
Add the VPC endpoint to the bucket ACL.
Add the VPC endpoint to the S3 bucket policy.
Correct Answer: Add the VPC endpoint to the S3 bucket policy.
25) You team runs an application that has multiple app servers who don’t share session information with each other. Your goal is to ensure each user who logs into the application has a consistent session for a specific period of time. What options do you have to ensure this?
Use an application load balancer and sticky sessions.
Setup the app servers to run in a cluster placement group.
Use a network load balancer and sticky sessions.
Correct Answer: FALSE
26) How many VIFs can a Hosted DX connection support.
Only a single VIF
Up to 50 Private VIFs, 25 Public VIFs, and only 1 Transit VIF
50 of each type
Correct Answer: Only a single VIF
27) True or false: Provided that the network session is secured, the data will remain encrypted in storage.
FALSE
TRUE
Correct Answer: FALSE
28) What should be used to gather a detailed list of the IP address ranges assigned to and used by AWS?
Use the ip-ranges.json file AWS maintains and publishes.
These IP addresses are not visible to the public.
Correct Answer: Use the ip-ranges.json file AWS maintains and publishes.
29) Which of the following can improve the resiliency of DX connectivity? (Choose 4)
Create multiple DX connections at the same DX location
Ensure that Bidirectional Forwarding Detection is disabled
Configure your BGP router to use alternate routes in the event of DX link failure
Define a LAG using multiple DX connections in a single DX location
Define a LAG using multiple DX connections across multiple DX locations
Configure BFD at your on-premises routers
Correct Answer: Create multiple DX connections at the same DX location.
Configure your BGP router to use alternate routes in the event of DX link failure.
Define a LAG using multiple DX connections in a single DX location.
Configure BFD at your on-premises routers.
30) What are the different types of deletion policies? (Choose 3)
Update Delete
Retain
FlagDelete
Delete
Update
Snapshot
Correct Answer: Retain.
Delete.
Snapshot.
31) The simplest way for an on-prem network to interconnect to a transit VPC architecture using VPN is to…
…connect to the EC2-hosted VPN systems in the transit VPC.
…connect to the VGW attached to the transit VPC.
…connect to a Client VPN endpoint in the transit VPC.
Correct Answer: …connect to the EC2-hosted VPN systems in the transit VPC.
32) You want to be notified when an AWS WAF ACL blocks connection attempts. Which AWS services should you employ to quickly accomplish your goals?
SMS
CloudTrail
CloudWatch
Correct Answer: CloudWatch
33) Which of the following intrinsic functions can be used to return an array of CIDR address blocks?
Fn::Cidr
There is no such intrinsic function
Fn::CidrArray
Correct Answer: Fn::Cidr
34) A Direct Connect connection requires that a customer provide their own hardware at the Direct Connect location.
False
True
Correct Answer: False
35) Generally, which network connections does AWS automatically encrypt?
Client to AWS service
None of the above.
AWS service to AWS service.
AWS service to data storage.
All of the above.
Correct Answer: None of the above.
36) Which of the following statements are true about the AWS Firewall Manager? (Choose 4)
It enforces deployment of AWS Shield Advanced protection policies.
It enforces deployment of Web Application Firewall ACLs.
It ensures compliance of newly deployed resources, but not existing resources.
It can report findings to AWS Security Hub.
It enforces deployment of VPC security groups.
It supports the configuration of VPC Security Groups and Network ACLs.
Correct Answer: It enforces deployment of AWS Shield Advanced protection policies..It enforces deployment of Web Application Firewall ACLs..It can report findings to AWS Security Hub..It enforces deployment of VPC security groups..
37) Which of the following format can we write CloudFormation templates in? (Choose 2)
YAML
JSON
Java
Javascript
Correct Answer: YAML
.JSON.
38) Which Direct Connect components cannot directly interact with Transit VPC architecture? (Choose 2)
Transit VIF
Private VIF
Public VIF
Direct Connect Gateway
Correct Answer: Public VIF.
Direct Connect Gateway.
39) Transit VPCs support transitive networking…
…by using dynamic routing to distribute VPC prefixes throughout the network.
…by hosting software VPN systems that connect to other VPCs using site-to-site VPN connections.
…by allowing other VPCs to establish site-to-site VPN connections with the transit VPC’s VGW.
Correct Answer: …by hosting software VPN systems that connect to other VPCs using site-to-site VPN connections.
40) You work for a company that regularly peers VPCs with other VPCs in the same AWS account for inter communication between various resources. It is your job to automate the peering connections between VPCs. What can you do to achieve this?
Create two CloudFormation templates each containing the VPCs information. Peer the VPCs with a third template using the AWS::EC2::VPCPeeringConnection resource.
Create a AWS::EC2::VPCPeeringConnection resource within CloudFormation. Use this to automate to VPC peering process.
It is not possible to peer VPCs in CloudFormation.
Correct Answer: Create a AWS::EC2::VPCPeeringConnection resource within CloudFormation. Use this to automate to VPC peering process.
41) True or false: spoke VPCs connected to a transit VPC can have direct communication by provisioning a fully operational peering connection between the two spoke VPCs.
TRUE
FALSE
Correct Answer: FALSE
42) After submitting a request for a new DX Dedicated connection, what must be done to complete the connection? (Choose 3)
Wait for AWS to supply the LOA-CFA
Have the DX Location provider establish a single-mode fiber cross-connect between the customer-managed hardware and AWS hardware
Have the DX Location provider establish a multi-mode fiber cross-connect between the on-prem router and customer-managed hardware
Contact the DX Location provider to give them the LOA-CFA
Create a Virtual Interface peered to your on-prem router
Correct Answer: Wait for AWS to supply the LOA-CFA.
Have the DX Location provider establish a single-mode fiber cross-connect between the customer-managed hardware and AWS hardware.
Contact the DX Location provider to give them the LOA-CFA.
43) Which of the following are benefits provided by a Link Aggregation Group? (Choose 2)
Greater throughput speeds
Resiliency in the event of link failure
Protection against regional Direct Connect failure
DX connectivity to multiple regions
Correct Answer: Greater throughput speeds.Resiliency in the event of link failure.
44) True or false: AWS is responsible for maintaining the EC2-hosted VPN services implemented in a transit VPC.
TRUE
FALSE
Correct Answer: FALSE
45) True or false: Configuring the cache behavior of a CloudFront distribution to require HTTPS ensures that your client requests to the data origin will be secured for the entire session.
TRUE
FALSE
Correct Answer: FALSE
46) After creating a Transit Gateway infrastructure with default settings, you realize that, while some networks must be accessible from all networks, other networks should be isolated from each other. Which steps must be performed to satisfy this? (Choose 3)
Delete the default route table.
Configure the shared networks to propagate routes to a new route table.
Disassociate the restricted networks from their current route table and associate them with a new route table.
Configure the restricted networks to propagate routes to a new route table.
Create additional route tables.
Correct Answer: Create additional route tables.
47) A Transit Gateway receives traffic destined for 192.168.1.34. Which of the following route table entries will be used?
192.168.1.0/24 propagated from a VPN
192.168.1.0/24 static route to a DX Gateway
192.168.1.0/24 propagated from a VPC
Correct Answer: 192.168.1.0/24 static route to a DX Gateway
48) Direct Connect port charges only accrue while your connections are being used, rounded to the next full hour.
True
False
Correct Answer: False
49) After creating a DX connection, what must be created to connect to a single VPC?
Transit VIF
Private VIF
Public VIF
Correct Answer: Private VIF
50) By default, each Transit Gateway attachment may propagate to how many TGW route tables?
10
20
1
Correct Answer: 20