
Commit

Add: one more question
danieldanielecki authored Sep 3, 2024
1 parent f786139 commit 0e5013b
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion README.md
Expand Up @@ -39,7 +39,7 @@
4. Questions are similar to the actual exam, without duplications (like in other courses ;-)).
5. The Practice Tests Exams simulate the actual exam's content, timing, and percentage required to pass the exam.
6. This course is **not** an Amazon Web Services Certified (AWS Certified) Advanced Networking Specialty (ANS-C01) Exam Dump. Some people use brain dumps or exam dumps, but that's absurd, which we don't practice.
7. 90 **unique** questions.
7. 91 **unique** questions.

## ☝️ Course Updates

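Review bot: In list item 7 the question count is a hard-coded number that has to be bumped by hand whenever a question is added. Here "91 **unique** questions" agrees with the new row 91 in the table, but nothing enforces that the two stay in sync. Consider dropping the exact figure or adding a CI check that compares it with the number of table rows.
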
Expand Down Expand Up @@ -174,6 +174,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n
| 88 | [A company is migrating many applications from two on-premises data centers to AWS. The company's network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2. The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs. The Direct Connect gateway is associated with transit gateways that are deployed in each Region. All traffic to and from AWS must travel through the first data center. In the event of failure, the second data center must take over the traffic. How should the network team configure BGP to meet these requirements?](#a-company-is-migrating-many-applications-from-two-on-premises-data-centers-to-aws-the-companys-network-team-is-setting-up-connectivity-to-the-aws-environment-the-migration-will-involve-spreading-the-applications-across-two-aws-regions-us-east-1-and-us-west-2-the-company-has-set-up-aws-direct-connect-connections-at-two-different-locations-direct-connect-connection-1-is-to-the-first-data-center-and-is-at-a-location-in-us-east-1-direct-connect-connection-2-is-to-the-second-data-center-and-is-at-a-location-in-us-west-2-the-company-has-connected-both-direct-connect-connections-to-a-single-direct-connect-gateway-by-using-transit-vifs-the-direct-connect-gateway-is-associated-with-transit-gateways-that-are-deployed-in-each-region-all-traffic-to-and-from-aws-must-travel-through-the-first-data-center-in-the-event-of-failure-the-second-data-center-must-take-over-the-traffic-how-should-the-network-team-configure-bgp-to-meet-these-requirements)
| 89 | [An ecommerce company has a business-critical application that runs on Amazon EC2 instances in a VPC. The company's development team has been testing a new version of the application on test EC2 instances. The development team wants to test the new application version against production traffic to address any problems that might occur before the company releases the new version across all servers. Which solution will meet this requirement with no impact on the end user's experience?](#an-ecommerce-company-has-a-business-critical-application-that-runs-on-amazon-ec2-instances-in-a-vpc-the-companys-development-team-has-been-testing-a-new-version-of-the-application-on-test-ec2-instances-the-development-team-wants-to-test-the-new-application-version-against-production-traffic-to-address-any-problems-that-might-occur-before-the-company-releases-the-new-version-across-all-servers-which-solution-will-meet-this-requirement-with-no-impact-on-the-end-users-experience)
| 90 | [A company hosts its ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances are in a private subnet with the default DHCP options set. Internet connectivity is through a NAT gateway that is configured in the public subnet. A third-party audit of the security infrastructure identifies a DNS exfiltration vulnerability. The company must implement a highly available solution that protects against this vulnerability. Which solution will meet these requirements MOST cost-effectively?](#a-company-hosts-its-ecommerce-application-on-amazon-ec2-instances-behind-an-application-load-balancer-the-ec2-instances-are-in-a-private-subnet-with-the-default-dhcp-options-set-internet-connectivity-is-through-a-nat-gateway-that-is-configured-in-the-public-subnet-a-third-party-audit-of-the-security-infrastructure-identifies-a-dns-exfiltration-vulnerability-the-company-must-implement-a-highly-available-solution-that-protects-against-this-vulnerability-which-solution-will-meet-these-requirements-most-cost-effectively)
| 91 | [A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?](#a-company-wants-to-analyze-tcp-traffic-to-the-internet-the-traffic-originates-from-amazon-ec2-instances-in-the-companys-vpc-the-ec2-instances-initiate-connections-through-a-nat-gateway-the-required-information-includes-source-and-destination-ip-addresses-ports-and-the-first-8-bytes-of-payload-of-tcp-segments-the-company-needs-to-collect-store-and-analyze-all-the-required-data-points-which-solution-will-meet-these-requirements)

### A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these requirements?

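Review bot: The link target in new row 91 is the auto-generated slug of the full question heading, so any later wording fix to that heading silently breaks the table-of-contents link; a short explicit anchor per question would be more robust. As written, the slug does match the heading this commit adds at the end of the file. Separately, the unchanged context heading just below the table reads "(Amazon EKS) duster", which looks like a typo for "cluster" and deserves a follow-up fix.
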
Expand Down Expand Up @@ -1009,3 +1010,12 @@ We are so thankful for every contribution, which makes sure we can deliver top-n
- [ ] Configure an Amazon Route 53 Resolver outbound endpoint with rules to filter and block suspicious traffic.

**[⬆ Back to Top](#table-of-contents)**

### A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

- [x] Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.
- [ ] Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.
- [ ] Turn on VPC Flow Logs on the EC2 instances. Specify the default format and a log destination of Amazon CloudWatch Logs. Analyze the flow log data by using CloudWatch Logs Insights.
- [ ] Turn on VPC Flow Logs on the EC2 instances. Specify a custom format and a log destination of Amazon S3. Analyze the flow log data by using Amazon Athena.

**[⬆ Back to Top](#table-of-contents)**
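
Review bot: The new question marks the first option (EC2 instances as VPC traffic mirror sources) as correct without any rationale, and the requirement that separates it from the other three, "the first 8 bytes of payload of TCP segments", is easy to miss in the stem. Add a one-line explanation under the options saying why the two VPC Flow Logs options and the NAT gateway mirror-source option do not satisfy that requirement, so readers learn the reasoning rather than just the key.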
