AWS Certified Advanced Networking – Specialty Set 2 Welcome to AWS Certified Advanced Networking - Specialty Set 2. Please enter your email details to get QUIZ Details on your email id. Click on Next Button to proceed. Email 1. What must be setup before we can peer with another VPC in another account using CloudFormation? We must setup an IAM role that allows a requestor to make a peering connection. This is the PeerRoleArn used in the template. This is not possible in CloudFormation. The VPCs must be in the same AWS account. An LOA/CFA must be setup between the two accounts. Once this is setup each account will be able to peer to one another.2. By default, each Transit Gateway attachment may propagate to how many TGW route tables? 10 20 13. A Transit Gateway receives traffic destined for 192.168.1.34. Which of the following route table entries will be used? 192.168.1.0/24 propagated from a VPN 192.168.1.0/24 static route to a DX Gateway 192.168.1.0/24 propagated from a VPC4. You are using CloudFormation to create a VPC with a CIDR range of 192.168.0.0/16. You have been instructed to create subnets and dynamically fetch CIDR block ranges for the subnets that are available in the newly create VPC. What can you use to help fetch the available CIDR ranges? Use the Fn::Cidr intrinsic function to return an array of CIDR ranges. Select whatever CIDR range you want to use when creating subnets. Use the AWS::EC2::Subnet resource to create the subnets. Use the ip-ranges.json to dynamically fetch the CIDR ranges to use for the subnet. Dynamically creating CIDR ranges is not possible in a CloudFormation template. Use the Cloud Development Kit (CDK) instead.5. Which of the following is the AWS managed DDoS mitigation service? AWS Macie AWS Web Application Firewall AWS Shield6. What AWS service or feature can capture packet level details of VPC traffic? VPC Traffic Mirroring CloudWatch metrics VPC Flow Logs7. How many VIFs can a Hosted DX connection support. Only a single VIF Up to 50 Private VIFs, 25 Public VIFs, and only 1 Transit VIF 50 of each type8. By default, each Transit Gateway attachment may be associated with how many TGW route tables? 1 10 209. Why might an AWS customer choose a Hosted DX connection instead of a Dedicated DX connection. (Choose 2) More throughput speed options Customer needs faster speeds than what a Dedicated DX connection supports Customer does not have access to hardware at a DX location Support for a larger number of VIFs10. True or false: spoke VPCs connected to a transit VPC can have direct communication by provisioning a fully operational peering connection between the two spoke VPCs. TRUE FALSE11. The simplest way for an on-prem network to interconnect to a transit VPC architecture using VPN is to... ...connect to the EC2-hosted VPN systems in the transit VPC. ...connect to the VGW attached to the transit VPC. ...connect to a Client VPN endpoint in the transit VPC.12. What should be used to gather a detailed list of the IP address ranges assigned to and used by AWS? Use the ip-ranges.json file AWS maintains and publishes. These IP addresses are not visible to the public.13. Which of the following can be implemented by a single AWS account? (Choose 3) Transit VPCs VPC Peering VPC Endpoint Services VPC Sharing14. How can you ensure that an S3 CloudFront origin is accessed via the CloudFront distribution, and is not accessed directly? (Choose 2) Apply an IAM role allowing read only access to the CloudFront distribution. At the S3 bucket, grant read-only access to an Origin Access Identity. Disable public access to the S3 bucket. Configure the S3 bucket policy to deny unencrypted access.15. After creating a DX connection, what must be created to connect to a single VPC? Transit VIF Private VIF Public VIF16. Which of the following are true statements about AWS GuardDuty? (Choose 2) Managed threat detection service. Is a free service. Can analyze multiple accounts. Automatically responds to severe findings.17. Direct Connect port charges only accrue while your connections are being used, rounded to the next full hour. True False18. After submitting a request for a new DX Dedicated connection, what must be done to complete the connection? (Choose 3) Wait for AWS to supply the LOA-CFA Have the DX Location provider establish a single-mode fiber cross-connect between the customer-managed hardware and AWS hardware Have the DX Location provider establish a multi-mode fiber cross-connect between the on-prem router and customer-managed hardware Contact the DX Location provider to give them the LOA-CFA Create a Virtual Interface peered to your on-prem router19. Which of the following can improve the security of data transferred over DX connections? Enable SSL/TLS encryption at your Virtual Interfaces by referencing a private certificate in AWS Certificate Manager Nothing. AWS is responsible for securing data transfer over all DX connections Establish a secured tunnel using an EC2-hosted VPN service20. What AWS service could be used to ensure that VPC configuration changes are in compliance with organizational policies? AWS Service Catalog CloudWatch AWS Config21. Which of the following parameters are required when setting up a VPC peering connection with another account in CloudFormation? (Choose 4) VPCId PeerRoleArn PeerVPCCidr PeerIAMRole PeerOwnerId PeerVPCId22. Which of the following helps protect your web applications or APIs against common web exploits? AWS Web Application Firewall AWS Security Hub AWS Inspector23. What is the maximum number of customer BGP prefixes that may be advertised to AWS? 100 for Private and Transit VIFs, 1000 for Public VIFs 100 100024. Which of the following intrinsic functions can be used to return an array that lists Availability Zones for a specified region? Fn::GetAZs Fn::GetSubnets Fn::GetAvailabilityZones25. True or false: Configuring the cache behavior of a CloudFront distribution to require HTTPS ensures that your client requests to the data origin will be secured for the entire session. TRUE FALSE26 out of 3Please fill in the comment box below.