AWS Certified Advanced Networking – Specialty SET 1 Welcome to AWS Certified Advanced Networking - Specialty Set 1. Please enter your email details to get QUIZ Details on your email id. Click on Next Button to proceed. Email 1. You organization is using a single EC2 instance for a ticketing system and its related traffic. This custom application has been installed on a Linux based instance. Which of the following implementation can help achieve higher bandwidth for the ticketing system and its traffic? Put the EC2 instance inside of a placement group. Use a network load balancer in front of the EC2 instance. Enable Enhanced Networking on the instance.2. You have a launch a new web application in a VPC that requires SSL mutual client side authentication using embedded AES encrypted chips. You have setup a classic load balancer listener and have a requirement to support mutual authentication between the client and the application. Which of the following protocol must you setup on the load balancer listener? HTTP TSL TCP3. Which of the following are default AWS routing behaviours? VGW static routes are not advertised over connections using dynamic routing. A VGW automatically updates VPC route tables with learned routes. A VGW will learn all routes advertised over a Direct Connect association.4. Your team is planning to use a CloudFront distribution and use S3 as an origin. You want to ensure compliance by making sure the S3 bucket that the origin is associated with is not accessible from the public internet, but you still want to serve the content via CloudFront. How can you do this? Create an OAI (origin access identity) which has access via CloudFront policy. Create an OAI (origin access identity) which has access via the bucket policy. Create a separate IAM policy that gives CloudFront access to the S3 bucket and denies public access.5. How many client VPN tunnels can an AWS VPN Connection support? 0 50 256. Which of the following VPN solutions can support OpenVPN? (Choose 2) AWS Client VPN Service AWS VPN Connection Software VPN Virtual Private Gateway7. How many IPSec security associations can AWS VPN Connections support? 1 3 48. True or false: Customers need to create two or more AWS VPN connections to ensure minimum availability. FALSE TRUE9. You have recently been approached by another team member asking your advice on implement the DevOps practice of blue/green deployments. Which of the following strategies will allow you to have blue/green deployments? Setup a single Route 53 record set with a weighted routing policy. Setup multiple ENIs with round-robin routing enabled on each Setup multiple Route 53 record sets with a weighted routing policy.10. What ports should be open on a firewall to allow a Customer Gateway to establish VPN connectivity? (Choose 2) UDP 500 IP 50 TCP 500 IP 50011. As a network engineer you are in charge of adding and remove rules to a particular security group associated with some of the IPv4 resources your team is managing. You are making an API call to add a particular inbound rule and receiving the following error back: RulesPerSecurityGroupLimitExceeded. What is the reason and solution for this error? You have the maximum number of outbound rules for the security group already define at 60. Instead use Network Access Control Lists to add the inbound rule to deny the traffic. You have the maximum number of inbound rules for the security group already define at 60. Create another security group with the inbound rule and attach it to the ENI of the resource you are managing. You have the maximum number of outbound rules for the security group already define at 60. Create another security group with the outbound rule and attach it to the ENI of the resource you are managing.12. You have decided to peer two VPCs that are located in the same region but in different accounts. VPC A and VPC B. A team of developers are using VPC A to perform heart beat checks on servers in VPC B. The servers in VPC B are being pinged by their public DNS name provided by the DHCP server in VPC B. The developers are having issues performing the heart beat checks. Which of the follow could be the reasons for the issues? (Choose 3) The requestor DNS resolution has not been enabled for VPC B. The NAT gateway security group has not been configured to allow traffic from VPC B into VPC A. The accepter DNS resolution has not been enabled for VPC A. The appropriate private routes in the route table in VPC B has not been setup properly. The appropriate private routes in the route table in VPC A has not been setup properly. Either the enableDnsHostnames or the enableDnsSupport has not been enabled on one of the two VPCs.13. You work for a company who has a need to send large amounts of data that will be ingested by S3. The data that is ingested must be encrypted on transfer and this ingestion process will happen on a regular interval. What can we do to accomplish this? Use server-side encryption with Amazon S3-Managed Keys (SSE-S3). Use an AWS Direct Connection connection. Use HTTPS (TLS) for in transit encryption.14. You have multiple EC2 instances within a VPC that is located in us-west-2. You have been notified by another team member that these instances need to have optimal networking performance. These instance are communicating with other instances in other VPCs located in us-east-1 through VPC peering. Which of the following options are appropriate when ensuring the maximum network performance? (Choose 2) Setting the MTU on the instances to 9001. Making sure the instance types OS support Enhanced Networking. Creating multiple availability zones for the instances in each VPC and placing them in a placement group. Enabling Enhanced Networking on the instances.15. You have been tasked with investigating and congregating all of the requests that are dropped when users try to access your EC2 application. What is the most cost effective and least effort solution your can use to gather this information? Enable VPC Flow Logs on the ENI attached to the EC2 instance capturing all traffic. Create a log group in CloudWatch to congregate all of the records. Enable VPC Flow Logs on the ENI attached to the EC2 instance capturing only the reject traffic. Create a log group in CloudWatch to congregate all of the records. Enable VPC Flow Logs on the subnet the EC2 instance resides in and capture only the reject traffic. Create a log group in CloudWatch to congregate all of the records.16. A VGW is peered to two BGP border routers in the same autonomous system. The AS administration wants to configure BGP prefixes so that traffic from AWS to on-prem will be sent to only one of the two border routers instead the other router. The AS administration also wants these configuration changes to be passed on to other BGP autonomous systems that are also peered to the VGW. Which BGP attribute or property should be modified to achieve the desired result? AS Path Weight Metric17. Which of the following are true about Network Access Control Lists? (Choose 4) They are stateless meaning return traffic must be explicitly allowed by rules. Supports allow rules only. Operates at the network interface level. Rules are evaluated in a defined numbered order. Operate at the subnet level. Supports allow rules and deny rules.18. You are working in Route 53 and you need to create a record so your team can point at existing domain name to a CloudFront distribution. What type of record can be created to achieve this? Create an PTR record that points to the CloudFront distribution. Create an ALIAS record that points to the CloudFront distribution. Create a private hosted zone in Route 53 then create an ALIAS record that points to the CloudFront distribution.19. What is the name of the AWS feature that allows VGWs to automatically advertise learned routes over all connections that support dynamic routing? CloudRoute CloudHub Direct Connect20. You have created an application load balancer to host your team's web facing application. The marketing team has recently purchased a domain name that they want you to use to serve out the application from. Both website links of awesome-guru.com and www.awesome-guru.com need to point to the same location. What can you do to properly make this work? First, create an ALIAS record for awesome-guru.com and pointing it to the ALB as a target. Next, create a CNAME record for www.awesome-guru.com and point it to awesome-guru.com. Create a single ALIAS record with two names: awesome-guru.com and www.awesome-guru.com. Point the ALIAS to the ALBs DNS name. First, create a CNAME record for awesome-guru.com and pointing it to the ALBs DNS name. Next, create a second CNAME record for www.awesome-guru.com and point it to the ALBs DNS name.21. You are reviewing the architecture for a current setup where a VPC endpoint has been created to access S3 data privately within a VPC. The default endpoint policy is in place, and when trying to access the bucket, your access is denied. What can be done to solve this issue? Add the VPC endpoint to the endpoint policy to allow access to the S3 bucket. Add the VPC endpoint to the bucket ACL. Add the VPC endpoint to the S3 bucket policy.22. What can you do to stop sending traffic to resources with a weighted routing policy? Delete the resource record. Change the weight of the resource record to 0. Change the weight of the resource record to 100.23. You are setting up an target group for a network load balancer with a target type of instances. Which type of health check protocols are supported when the load balancer is performance health checks on the target instances? (Choose 3) TCP_UDP TCP TLS HTTPS HTTP24. Which of the following are true about Security Groups? (Choose 4) They are stateless meaning return traffic must be explicitly allowed by rules. They are stateful meaning return traffic is automatically allowed. Operate at the subnet level. Operates at the network interface level. All rules are evaluated to decide what traffic is allowed. Supports allow rules only.25. The global BGP system is divided into different administrative units called _______ . Areas Administrative Systems Autonomous Systems26 out of 3Please fill in the comment box below.