From 74b999be2936eb9e4fcb658a9152c3a9a480349f Mon Sep 17 00:00:00 2001 From: Daniel Danielecki Date: Tue, 15 Oct 2024 13:54:08 +0200 Subject: [PATCH] Add: v1.0.2 --- README.md | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 546d22c..e508615 100644 --- a/README.md +++ b/README.md 
@@ -2,11 +2,24 @@ ![Promotional image](images/promotional.png) -## Udemy & Etsy +## ❣ Support -❣️ Please support us by purchasing this course on Udemy in an interactive version with the [discounted link](https://www.udemy.com/course/aws-certified-advanced-networking-specialty-ans-c01-exams-g/?referralCode=95249F04A0CC6E73492D). If you're working for a company, you could most probably easily claim this expense during preparation for your exam. For us, it's to be, or not to be, in the game. +There are many ways to support us; in exchange, you'll get this material in a proper format: -πŸ›οΈ Alternatively, you can buy the PDF with those questions on [Etsy](https://ditectrev.etsy.com/listing/1654633115). +- ❀️ [shop.ditectrev.com, in EPUB or PDF formats, with answers marked](https://shop.ditectrev.com/product/amazon-web-services-certified-aws-certified-advanced-networking-specialty-ans-c01-practice-tests-exams-questions-answers), +- ❀️ [shop.ditectrev.com, in EPUB or PDF formats, without answers marked](https://shop.ditectrev.com/product/amazon-web-services-certified-aws-certified-advanced-networking-specialty-ans-c01-practice-tests-exams-questions-no-answers), +- πŸ“– [Udemy is the only one to have explanations for questions](https://www.udemy.com/course/aws-certified-advanced-networking-specialty-ans-c01-exams-g/?referralCode=95249F04A0CC6E73492D), +- πŸ“š [Google Play Books, in PDF format, with answers marked](https://play.google.com/store/books/details?id=hMAYEQAAQBAJ), +- πŸ“š [Google Play Books, in PDF format, without answers marked](https://play.google.com/store/books/details?id=hsAYEQAAQBAJ), +- πŸ›οΈ [Etsy, in PDF format, with answers marked](https://ditectrev.etsy.com/listing/1654633115), +- πŸ›οΈ [Etsy, in PDF format, without answers marked](https://ditectrev.etsy.com/listing/1654636773), +- πŸ›’ [eBay, in PDF format, with answers 
marked](https://www.ebay.com/itm/405287577708?mkcid=16&mkevt=1&mkrid=711-127632-2357-0&ssspo=_ptbuk3gqdw&sssrc=2524149&ssuid=_ptbuk3gqdw&widget_ver=artemis&media=COPY), +- πŸ›’ [eBay, in PDF format, without answers marked](https://www.ebay.com/itm/405287577639?mkcid=16&mkevt=1&mkrid=711-127632-2357-0&ssspo=_ptbuk3gqdw&sssrc=2524149&ssuid=_ptbuk3gqdw&widget_ver=artemis&media=COPY), +- πŸ”„ [Patreon subscription allows you to get access to all of the materials in EPUB and PDF formats. You can also buy separate items on Patreon, but the subscription technically allows us to include all updates for EPUB and PDF formats. Hence, you get EPUB and PDF updates when you subscribe to Patreon](https://patreon.com/Ditectrev?utm_medium=unknown&utm_source=join_link&utm_campaign=creatorshare_creator&utm_content=copyLink). + +πŸ’° If you work for a company, you could probably easily claim this expense while preparing for your exam. For us, it's about being in the game or not. + +⭐ Good ratings & reviews help us to survive. Please don't forget to leave a nice one when you purchase an item. ## ✨ This course is unlike any Amazon Web Services Certified (AWS Certified) Advanced Networking Specialty (ANS-C01) course you will find online @@ -55,6 +68,10 @@ - AI-generated explanations (only paid [Udemy](https://www.udemy.com/course/aws-certified-advanced-networking-specialty-ans-c01-exams-g/?referralCode=95249F04A0CC6E73492D)). +**[v1.0.2](../../releases/tag/v1.0.2): October 15, 2024.** + +- Add 1 new question. + ## πŸ™‹β€β™€οΈ & πŸ™‹β€β™‚οΈ Contribution We are so thankful for every contribution, which makes sure we can deliver top-notch content. Whenever you find a missing resource, broken link in a [Table of Contents](#table-of-contents), the wrong answer, please submit an [issue](../../issues). Even better would be a [Pull Request (PR)](../../pulls). 
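Review bot: In the Support list added by the first README.md hunk, the two eBay links and the Patreon link carry share-button tracking parameters (`mkcid`, `mkevt`, `mkrid`, `ssspo`, `sssrc`, `ssuid`, `widget_ver`, `media=COPY` on eBay; `utm_medium=unknown`, `utm_source=join_link`, `utm_campaign`, `utm_content=copyLink` on Patreon) that should not be needed to reach the listing and that tag every reader's click with the sharer's identifiers. Suggest trimming them to the bare item and creator URLs, for example `https://www.ebay.com/itm/405287577708` and `https://patreon.com/Ditectrev`. In the same list, the Patreon entry puts three full sentences inside the link text; keep the link text short, as in the other items, and move the explanation about EPUB and PDF updates after the link.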
@@ -94,12 +111,12 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 8 | [A retail company is running its service on AWS. The company's architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway. The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage. Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)](#a-retail-company-is-running-its-service-on-aws-the-companys-architecture-includes-application-load-balancers-albs-in-public-subnets-the-alb-target-groups-are-configured-to-send-traffic-to-backend-amazon-ec2-instances-in-private-subnets-these-backend-ec2-instances-can-call-externally-hosted-services-over-the-internet-by-using-a-nat-gateway-the-company-has-noticed-in-its-billing-that-nat-gateway-usage-has-increased-significantly-a-network-engineer-needs-to-find-out-the-source-of-this-increased-usage-which-options-can-the-network-engineer-use-to-investigate-the-traffic-through-the-nat-gateway-choose-two) | 9 | [A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. 
The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?](#a-banking-company-is-successfully-operating-its-public-mobile-banking-stack-on-aws-the-mobile-banking-stack-is-deployed-in-a-vpc-that-includes-private-subnets-and-public-subnets-the-company-is-using-ipv4-networking-and-has-not-deployed-or-supported-ipv6-in-the-environment-the-company-has-decided-to-adopt-a-third-party-service-providers-api-and-must-integrate-the-api-with-the-existing-environment-the-service-providers-api-requires-the-use-of-ipv6-a-network-engineer-must-turn-on-ipv6-connectivity-for-the-existing-workload-that-is-deployed-in-a-private-subnet-the-company-does-not-want-to-permit-ipv6-traffic-from-the-public-internet-and-mandates-that-the-companys-servers-must-initiate-all-ipv6-connectivity-the-network-engineer-turns-on-ipv6-in-the-vpc-and-in-the-private-subnets-which-solution-will-meet-these-requirements) | 10 | [A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time. Which solution will meet these requirements?](#a-company-has-deployed-an-aws-network-firewall-firewall-into-a-vpc-a-network-engineer-needs-to-implement-a-solution-to-deliver-network-firewall-flow-logs-to-the-companys-amazon-opensearch-service-amazon-elasticsearch-service-cluster-in-the-shortest-possible-time-which-solution-will-meet-these-requirements) -| 11 | [A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. 
The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers. Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1. Amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems. Which combination of steps will meet these requirements? (Choose two.)](#a-company-is-using-custom-dns-servers-that-run-bind-for-name-resolution-in-its-vpcs-the-vpcs-are-deployed-across-multiple-aws-accounts-that-are-part-of-the-same-organization-in-aws-organizations-all-the-vpcs-are-connected-to-a-transit-gateway-the-bind-servers-are-running-in-a-central-vpc-and-are-configured-to-forward-all-queries-for-an-on-premises-dns-domain-to-dns-servers-that-are-hosted-in-an-on-premises-data-center-to-ensure-that-all-the-vpcs-use-the-custom-dns-servers-a-network-engineer-has-configured-a-vpc-dhcp-options-set-in-all-the-vpcs-that-specifies-the-custom-dns-servers-to-be-used-as-domain-name-serversmultiple-development-teams-in-the-company-want-to-use-amazon-elastic-file-system-amazon-efs-a-development-team-has-created-a-new-efs-file-system-but-cannot-mount-the-file-system-to-one-of-its-amazon-ec2-instances-the-network-engineer-discovers-that-the-ec2-instance-cannot-resolve-the-ip-address-for-the-efs-mount-point-fs-33444567defsus-east-1-amazonawscom-the-network-engineer-needs-to-implement-a-solution-so-that-develop
ment-teams-throughout-the-organization-can-mount-efs-file-systems-which-combination-of-steps-will-meet-these-requirements-choose-two) +| 11 | [A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers. Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1. Amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems. Which combination of steps will meet these requirements? 
(Choose two.)](#a-company-is-using-custom-dns-servers-that-run-bind-for-name-resolution-in-its-vpcs-the-vpcs-are-deployed-across-multiple-aws-accounts-that-are-part-of-the-same-organization-in-aws-organizations-all-the-vpcs-are-connected-to-a-transit-gateway-the-bind-servers-are-running-in-a-central-vpc-and-are-configured-to-forward-all-queries-for-an-on-premises-dns-domain-to-dns-servers-that-are-hosted-in-an-on-premises-data-center-to-ensure-that-all-the-vpcs-use-the-custom-dns-servers-a-network-engineer-has-configured-a-vpc-dhcp-options-set-in-all-the-vpcs-that-specifies-the-custom-dns-servers-to-be-used-as-domain-name-servers-multiple-development-teams-in-the-company-want-to-use-amazon-elastic-file-system-amazon-efs-a-development-team-has-created-a-new-efs-file-system-but-cannot-mount-the-file-system-to-one-of-its-amazon-ec2-instances-the-network-engineer-discovers-that-the-ec2-instance-cannot-resolve-the-ip-address-for-the-efs-mount-point-fs-33444567defsus-east-1-amazonawscom-the-network-engineer-needs-to-implement-a-solution-so-that-development-teams-throughout-the-organization-can-mount-efs-file-systems-which-combination-of-steps-will-meet-these-requirements-choose-two) | 12 | [An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed. 
Which solution will meet these requirements?](#an-ecommerce-company-is-hosting-a-web-application-on-amazon-ec2-instances-to-handle-continuously-changing-customer-demand-the-ec2-instances-are-part-of-an-auto-scaling-group-the-company-wants-to-implement-a-solution-to-distribute-traffic-from-customers-to-the-ec2-instances-the-company-must-encrypt-all-traffic-at-all-stages-between-the-customers-and-the-application-servers-no-decryption-at-intermediate-points-is-allowed-which-solution-will-meet-these-requirements) | 13 | [A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway. A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner. 
What should the network engineer do to meet these requirements?](#a-company-has-two-on-premises-data-center-locations-there-is-a-company-managed-router-at-each-data-center-each-data-center-has-a-dedicated-aws-direct-connect-connection-to-a-direct-connect-gateway-through-a-private-virtual-interface-the-router-for-the-first-location-is-advertising-110-routes-to-the-direct-connect-gateway-by-using-bgp-and-the-router-for-the-second-location-is-advertising-60-routes-to-the-direct-connect-gateway-by-using-bgp-the-direct-connect-gateway-is-attached-to-a-company-vpc-through-a-virtual-private-gateway-a-network-engineer-receives-reports-that-resources-in-the-vpc-are-not-reachable-from-various-locations-in-either-data-center-the-network-engineer-checks-the-vpc-route-table-and-sees-that-the-routes-from-the-first-data-center-location-are-not-being-populated-into-the-route-table-the-network-engineer-must-resolve-this-issue-in-the-most-operationally-efficient-manner-what-should-the-network-engineer-do-to-meet-these-requirements) | 14 | [A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal. The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams. The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. 
The solution must maximize cost-effectiveness and must require the least possible number of configuration changes. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)](#a-company-has-expanded-its-network-to-the-aws-cloud-by-using-a-hybrid-architecture-with-multiple-aws-accounts-the-company-has-set-up-a-shared-aws-account-for-the-connection-to-its-on-premises-data-centers-and-the-company-offices-the-workloads-consist-of-private-web-based-services-for-internal-use-these-services-run-in-different-aws-accounts-office-based-employees-consume-these-services-by-using-a-dns-name-in-an-on-premises-dns-zone-that-is-named-exampleinternal-the-process-to-register-a-new-service-that-runs-on-aws-requires-a-manual-and-complicated-change-request-to-the-internal-dns-the-process-involves-many-teams-the-company-wants-to-update-the-dns-registration-process-by-giving-the-service-creators-access-that-will-allow-them-to-register-their-dns-records-a-network-engineer-must-design-a-solution-that-will-achieve-this-goal-the-solution-must-maximize-cost-effectiveness-and-must-require-the-least-possible-number-of-configuration-changes-which-combination-of-steps-should-the-network-engineer-take-to-meet-these-requirements-choose-three) | 15 | [A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs. The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection. 
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones. What should a network engineer do to resolve this issue?](#a-company-has-multiple-aws-accounts-each-account-contains-one-or-more-vpcs-a-new-security-guideline-requires-the-inspection-of-all-traffic-between-vpcs-the-company-has-deployed-a-transit-gateway-that-provides-connectivity-between-all-vpcs-the-company-also-has-deployed-a-shared-services-vpc-with-amazon-ec2-instances-that-include-ids-services-for-stateful-inspection-the-ec2-instances-are-deployed-across-three-availability-zones-the-company-has-set-up-vpc-associations-and-routing-on-the-transit-gateway-the-company-has-migrated-a-few-test-vpcs-to-the-new-solution-for-traffic-inspection-soon-after-the-configuration-of-routing-the-company-receives-reports-of-intermittent-connections-for-traffic-that-crosses-availability-zones-what-should-a-network-engineer-do-to-resolve-this-issue) -| 16 | [A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway. In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway. Which combination of steps should the network engineer take to meet these requirements? 
(Choose three.)](#a-company-is-using-a-nat-gateway-to-allow-internet-connectivity-for-private-subnets-in-a-vpc-in-the-us-west-2-region-after-a-security-audit-the-company-needs-to-remove-the-nat-gatewayin-the-private-subnets-the-company-has-resources-that-use-the-unified-amazon-cloudwatch-agent-a-network-engineer-must-create-a-solution-to-ensure-that-the-unified-cloudwatch-agent-continues-to-work-after-the-removal-of-the-nat-gateway-which-combination-of-steps-should-the-network-engineer-take-to-meet-these-requirements-choose-three) +| 16 | [A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway. In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)](#a-company-is-using-a-nat-gateway-to-allow-internet-connectivity-for-private-subnets-in-a-vpc-in-the-us-west-2-region-after-a-security-audit-the-company-needs-to-remove-the-nat-gateway-in-the-private-subnets-the-company-has-resources-that-use-the-unified-amazon-cloudwatch-agent-a-network-engineer-must-create-a-solution-to-ensure-that-the-unified-cloudwatch-agent-continues-to-work-after-the-removal-of-the-nat-gateway-which-combination-of-steps-should-the-network-engineer-take-to-meet-these-requirements-choose-three) | 17 | [An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company's infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. 
Each operation center is connected to AWS through Its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service providers. The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols for reliable transmission of the data they collect. The IoT devices have both landline and mobile internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions. The company will use Amazon Route 53 for DNS services. A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud. Which solution will meet these requirements with the HIGHEST availability?](#an-international-company-provides-early-warning-about-tsunamis-the-company-plans-to-use-iot-devices-to-monitor-sea-waves-around-the-world-the-data-that-is-collected-by-the-iot-devices-must-reach-the-companys-infrastructure-on-aws-as-quickly-as-possible-the-company-is-using-three-operation-centers-around-the-world-each-operation-center-is-connected-to-aws-through-its-own-aws-direct-connect-connection-each-operation-center-is-connected-to-the-internet-through-at-least-two-upstream-internet-service-providers-the-company-has-its-own-provider-independent-pi-address-space-the-iot-devices-use-tcp-protocols-for-reliable-transmission-of-the-data-they-collect-the-iot-devices-have-both-landline-and-mobile-internet-connectivity-the-infrastructure-and-the-solution-will-be-deployed-in-multiple-aws-regions-the-company-will-use-amazon-route-53-for-dns-services-a-network-engineer-needs-to-design-connectivity-between-the-iot-devices-and-the-services-that-run-in-the-aws-cloud-which-solution-will-meet-these-requirements-with-the-highest-availability) | 18 | [A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. 
The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud. Which solution will meet these requirements while providing the HIGHEST throughput?](#a-company-is-planning-a-migration-of-its-critical-workloads-from-an-on-premises-data-center-to-amazon-ec2-instances-the-plan-includes-a-new-10-gbps-aws-direct-connect-dedicated-connection-from-the-on-premises-data-center-to-a-vpc-that-is-attached-to-a-transit-gateway-the-migration-must-occur-over-encrypted-paths-between-the-on-premises-data-center-and-the-aws-cloud-which-solution-will-meet-these-requirements-while-providing-the-highest-throughput) | 19 | [A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back. What should the network engineer do to resolve the error?](#a-network-engineer-must-develop-an-aws-cloudformation-template-that-can-create-a-virtual-private-gateway-a-customer-gateway-a-vpn-connection-and-static-routes-in-a-route-table-during-testing-of-the-template-the-network-engineer-notes-that-the-cloudformation-template-has-encountered-an-error-and-is-rolling-back-what-should-the-network-engineer-do-to-resolve-the-error) 
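Review bot: The replacement rows 11 and 16 change only the anchor fragment (`...domain-name-serversmultiple-development...` to `...domain-name-servers-multiple-development...`, and `...nat-gatewayin-the-private...` to `...nat-gateway-in-the-private...`), so the links resolve only if the question headings further down generate exactly these slugs. That is not visible in this hunk and should be confirmed, ideally by running a link checker over the Table of Contents rather than by eye. While row 11 is being touched, its link text still reads `fs-33444567d.efs.us-east-1. Amazonaws.com` with a stray space and a capital A; correcting it would also change the heading slug, so the heading, link text and anchor would need to be updated together.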
@@ -116,7 +133,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 30 | [A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service example com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name. The company's security policy requires the traffic to be encrypted in transit at all times between the users and the backend. Which combination of changes must the company make to meet this security requirement? (Choose three.)](#a-media-company-is-implementing-a-news-website-for-a-global-audience-the-website-uses-amazon-cloudfront-as-its-content-delivery-network-the-backend-runs-on-amazon-ec2-windows-instances-behind-an-application-load-balancer-alb-the-instances-are-part-of-an-auto-scaling-group-the-companys-customers-access-the-website-by-using-service-example-com-as-the-cloudfront-custom-domain-name-the-cloudfront-origin-points-to-an-alb-that-uses-service-albexamplecom-as-the-domain-name-the-companys-security-policy-requires-the-traffic-to-be-encrypted-in-transit-at-all-times-between-the-users-and-the-backend-which-combination-of-changes-must-the-company-make-to-meet-this-security-requirement-choose-three) | 31 | [A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group. The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone. 
What is the MOST operationally efficient solution to resolve this issue?](#a-company-is-hosting-an-application-on-amazon-ec2-instances-behind-a-network-load-balancer-nlb-a-solutions-architect-added-ec2-instances-in-a-second-availability-zone-to-improve-the-availability-of-the-application-the-solutions-architect-added-the-instances-to-the-nlb-target-group-the-companys-operations-team-notices-that-traffic-is-being-routed-only-to-the-instances-in-the-first-availability-zone-what-is-the-most-operationally-efficient-solution-to-resolve-this-issue) | 32 | [A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group. In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface. How can the network engineer implement the required architecture?](#a-network-engineer-needs-to-set-up-an-amazon-ec2-auto-scaling-group-to-run-a-linux-based-network-appliance-in-a-highly-available-architecture-the-network-engineer-is-configuring-the-new-launch-template-for-the-auto-scaling-group-in-addition-to-the-primary-network-interface-the-network-appliance-requires-a-second-network-interface-that-will-be-used-exclusively-by-the-application-to-exchange-traffic-with-hosts-over-the-internet-the-company-has-set-up-a-bring-your-own-ip-byoip-pool-that-includes-an-elastic-ip-address-that-should-be-used-as-the-public-ip-address-for-the-second-network-interface-how-can-the-network-engineer-implement-the-required-architecture) -| 33 | [A company delivers applications over the internet. 
An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name. A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918. Components of the application need to be able to access other components of the application within the application's VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries. Which combination of steps will meet these requirements? (Choose three.)](#a-company-delivers-applications-over-the-internet-an-amazon-route-53-public-hosted-zone-is-the-authoritative-dns-service-for-the-company-and-its-internet-applications-all-of-which-are-offered-from-the-same-domain-name-a-network-engineer-is-working-on-a-new-version-of-one-of-the-applications-all-the-applications-components-are-hosted-in-the-aws-cloud-the-application-has-a-three-tier-design-the-front-end-is-delivered-through-amazon-ec2-instances-that-are-deployed-in-public-subnets-with-elastic-ip-addresses-assigned-the-backend-components-are-deployed-in-private-subnets-from-rfc1918components-of-the-application-need-to-be-able-to-access-other-components-of-the-application-within-the-applications-vpc-by-using-the-same-host-names-as-the-host-names-that-are-used-over-the-public-internet-the-network-engineer-also-needs-to-accommodate-future-dns-changes-such-as-the-introduction-of-new-host-names-or-the-retirement-of-dns-entries-which-combination-of-steps-will-meet-these-requirements-choose-three) +| 33 | [A company 
delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name. A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addresses assigned. The backend components are deployed in private subnets from RFC1918. Components of the application need to be able to access other components of the application within the application's VPC by using the same host names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as the introduction of new host names or the retirement of DNS entries. Which combination of steps will meet these requirements? (Choose 
three.)](#a-company-delivers-applications-over-the-internet-an-amazon-route-53-public-hosted-zone-is-the-authoritative-dns-service-for-the-company-and-its-internet-applications-all-of-which-are-offered-from-the-same-domain-name-a-network-engineer-is-working-on-a-new-version-of-one-of-the-applications-all-the-applications-components-are-hosted-in-the-aws-cloud-the-application-has-a-three-tier-design-the-front-end-is-delivered-through-amazon-ec2-instances-that-are-deployed-in-public-subnets-with-elastic-ip-addresses-assigned-the-backend-components-are-deployed-in-private-subnets-from-rfc1918-components-of-the-application-need-to-be-able-to-access-other-components-of-the-application-within-the-applications-vpc-by-using-the-same-host-names-as-the-host-names-that-are-used-over-the-public-internet-the-network-engineer-also-needs-to-accommodate-future-dns-changes-such-as-the-introduction-of-new-host-names-or-the-retirement-of-dns-entries-which-combination-of-steps-will-meet-these-requirements-choose-three) | 34 | [A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application. 
Which solution will meet these requirements?](#a-company-is-deploying-an-application-the-application-is-implemented-in-a-series-of-containers-in-an-amazon-elastic-container-service-amazon-ecs-cluster-the-company-will-use-the-fargate-launch-type-for-its-tasks-the-containers-will-run-workloads-that-require-connectivity-initiated-over-an-ssl-connection-traffic-must-be-able-to-flow-to-the-application-from-other-aws-accounts-over-private-connectivity-the-application-must-scale-in-a-manageable-way-as-more-consumers-use-the-application-which-solution-will-meet-these-requirements) | 35 | [A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB). The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128 0/17. A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments. 
Which solution will meet these requirements?](#a-companys-development-team-has-created-a-new-product-recommendation-web-service-the-web-service-is-hosted-in-a-vpc-with-a-cidr-block-of-192168224019-the-company-has-deployed-the-web-service-on-amazon-ec2-instances-and-has-configured-an-auto-scaling-group-as-the-target-of-a-network-load-balancer-nlb-the-company-wants-to-perform-testing-to-determine-whether-users-who-receive-product-recommendations-spend-more-money-than-users-who-do-not-receive-product-recommendations-the-company-has-a-big-sales-event-in-5-days-and-needs-to-integrate-its-existing-production-environment-with-the-recommendation-engine-by-then-the-existing-production-environment-is-hosted-in-a-vpc-with-a-cidr-block-of-192168128-017-a-network-engineer-must-integrate-the-systems-by-designing-a-solution-that-results-in-the-least-possible-disruption-to-the-existing-environments-which-solution-will-meet-these-requirements) | 36 | [A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The company's current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company's on-premises devices have been updated to support the new IPv6 requirements. The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets. When updating the hybrid network to support IPv6 the network engineer must avoid making any changes to the current infrastructure. The network engineer also must block direct access to the instances' new IPv6 addresses from the internet. However, the network engineer must allow outbound internet access from the instances. 
What is the MOST operationally efficient solution that meets these requirements?](#a-network-engineer-needs-to-update-a-companys-hybrid-network-to-support-ipv6-for-the-upcoming-release-of-a-new-application-the-application-is-hosted-in-a-vpc-in-the-aws-cloud-the-companys-current-aws-infrastructure-includes-vpcs-that-are-connected-by-a-transit-gateway-the-transit-gateway-is-connected-to-the-on-premises-network-by-aws-direct-connect-and-aws-site-to-site-vpn-the-companys-on-premises-devices-have-been-updated-to-support-the-new-ipv6-requirements-the-company-has-enabled-ipv6-for-the-existing-vpc-by-assigning-a-new-ipv6-cidr-block-to-the-vpc-and-by-assigning-ipv6-to-the-subnets-for-dual-stack-support-the-company-has-launched-new-amazon-ec2-instances-for-the-new-application-in-the-updated-subnets-when-updating-the-hybrid-network-to-support-ipv6-the-network-engineer-must-avoid-making-any-changes-to-the-current-infrastructure-the-network-engineer-also-must-block-direct-access-to-the-instances-new-ipv6-addresses-from-the-internet-however-the-network-engineer-must-allow-outbound-internet-access-from-the-instances-what-is-the-most-operationally-efficient-solution-that-meets-these-requirements) 
@@ -126,12 +143,12 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 40 | [A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission. How should a network engineer configure the AWS resources to meet these requirements?](#a-company-is-deploying-a-new-application-on-aws-the-application-uses-dynamic-multicasting-the-company-has-five-vpcs-that-are-all-attached-to-a-transit-gateway-amazon-ec2-instances-in-each-vpc-need-to-be-able-to-register-dynamically-to-receive-a-multicast-transmission-how-should-a-network-engineer-configure-the-aws-resources-to-meet-these-requirements) | 41 | [A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public websites. The application requires the customer's source IP addresses. A network engineer must implement a load balancing strategy that meets these requirements. Which combination of actions should the network engineer take to accomplish this goal? (Choose two.)](#a-company-is-creating-new-features-for-its-ecommerce-website-these-features-will-use-several-microservices-that-are-accessed-through-different-paths-the-microservices-will-run-on-amazon-elastic-container-service-amazon-ecs-the-company-requires-the-use-of-https-for-all-of-its-public-websites-the-application-requires-the-customers-source-ip-addresses-a-network-engineer-must-implement-a-load-balancing-strategy-that-meets-these-requirements-which-combination-of-actions-should-the-network-engineer-take-to-accomplish-this-goal-choose-two) | 42 | [A company is migrating its containerized application to AWS. 
For the architecture the company will have an ingress VPC with a Network Load Balancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the application will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include an NLB that distributes traffic to the services pods in an EKS cluster. The company is concerned about overall cost. User traffic will be responsible for more than 10 TB of data transfer from the ingress VPC to services VPCs every month. A network engineer needs to recommend how to design the communication between the VPCs. Which solution will meet these requirements at the LOWEST cost?](#a-company-is-migrating-its-containerized-application-to-aws-for-the-architecture-the-company-will-have-an-ingress-vpc-with-a-network-load-balancer-nlb-to-distribute-the-traffic-to-front-end-pods-in-an-amazon-elastic-kubernetes-service-amazon-eks-cluster-the-front-end-of-the-application-will-determine-which-user-is-requesting-access-and-will-send-traffic-to-1-of-10-services-vpcs-each-services-vpc-will-include-an-nlb-that-distributes-traffic-to-the-services-pods-in-an-eks-cluster-the-company-is-concerned-about-overall-cost-user-traffic-will-be-responsible-for-more-than-10-tb-of-data-transfer-from-the-ingress-vpc-to-services-vpcs-every-month-a-network-engineer-needs-to-recommend-how-to-design-the-communication-between-the-vpcs-which-solution-will-meet-these-requirements-at-the-lowest-cost) -| 43 | [A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. 
The stateful appliances in the shared services VPC inspect all east west (VPC-to-VPC) traffic. Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations and network ACLs as the cause of the dropped traffic. What is causing the traffic to drop?](#a-company-has-stateful-security-appliances-that-are-deployed-to-multiple-availability-zones-in-a-centralized-shared-services-vpc-the-aws-environment-includes-a-transit-gateway-that-is-attached-to-application-vpcs-and-the-shared-services-vpc-the-application-vpcs-have-workloads-that-are-deployed-in-private-subnets-across-multiple-availability-zones-the-stateful-appliances-in-the-shared-services-vpc-inspect-all-east-west-vpc-to-vpc-trafficusers-report-that-inter-vpc-traffic-to-different-availability-zones-is-dropping-a-network-engineer-verified-this-claim-by-issuing-internet-control-message-protocol-icmp-pings-between-workloads-in-different-availability-zones-across-the-application-vpcs-the-network-engineer-has-ruled-out-security-groups-stateful-device-configurations-and-network-acls-as-the-cause-of-the-dropped-traffic-what-is-causing-the-traffic-to-drop) +| 43 | [A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east west (VPC-to-VPC) traffic. Users report that inter-VPC traffic to different Availability Zones is dropping. 
A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations and network ACLs as the cause of the dropped traffic. What is causing the traffic to drop?](#a-company-has-stateful-security-appliances-that-are-deployed-to-multiple-availability-zones-in-a-centralized-shared-services-vpc-the-aws-environment-includes-a-transit-gateway-that-is-attached-to-application-vpcs-and-the-shared-services-vpc-the-application-vpcs-have-workloads-that-are-deployed-in-private-subnets-across-multiple-availability-zones-the-stateful-appliances-in-the-shared-services-vpc-inspect-all-east-west-vpc-to-vpc-traffic-users-report-that-inter-vpc-traffic-to-different-availability-zones-is-dropping-a-network-engineer-verified-this-claim-by-issuing-internet-control-message-protocol-icmp-pings-between-workloads-in-different-availability-zones-across-the-application-vpcs-the-network-engineer-has-ruled-out-security-groups-stateful-device-configurations-and-network-acls-as-the-cause-of-the-dropped-traffic-what-is-causing-the-traffic-to-drop) | 44 | [A company has hundreds of Amazon EC2 instances that are running in two production VPCs across all Availability Zones in the us-east-1 Region. The production VPCs are named VPC A and VPC B. A new security regulation requires all traffic between production VPCs to be inspected before the traffic is routed to its final destination. The company deploys a new shared VPC that contains a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCs to route traffic between VPC A and VPC B through the firewall appliance for inspection. During testing, the company notices that the transit gateway is dropping the traffic whenever the traffic is between two Availability Zones. 
What should a network engineer do to fix this issue with the LEAST management overhead?](#a-company-has-hundreds-of-amazon-ec2-instances-that-are-running-in-two-production-vpcs-across-all-availability-zones-in-the-us-east-1-region-the-production-vpcs-are-named-vpc-a-and-vpc-b-a-new-security-regulation-requires-all-traffic-between-production-vpcs-to-be-inspected-before-the-traffic-is-routed-to-its-final-destination-the-company-deploys-a-new-shared-vpc-that-contains-a-stateful-firewall-appliance-and-a-transit-gateway-with-a-vpc-attachment-across-all-vpcs-to-route-traffic-between-vpc-a-and-vpc-b-through-the-firewall-appliance-for-inspection-during-testing-the-company-notices-that-the-transit-gateway-is-dropping-the-traffic-whenever-the-traffic-is-between-two-availability-zones-what-should-a-network-engineer-do-to-fix-this-issue-with-the-least-management-overhead) | 45 | [A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. 
Which solution will meet these requirements?](#a-company-has-deployed-a-critical-application-on-a-fleet-of-amazon-ec2-instances-behind-an-application-load-balancer-the-application-must-always-be-reachable-on-port-443-from-the-public-internet-the-application-recently-had-an-outage-that-resulted-from-an-incorrect-change-to-the-ec2-security-group-a-network-engineer-needs-to-automate-a-way-to-verify-the-network-connectivity-between-the-public-internet-and-the-ec2-instances-whenever-a-change-is-made-to-the-security-group-the-solution-also-must-notify-the-network-engineer-when-the-change-affects-the-connection-which-solution-will-meet-these-requirements) | 46 | [A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications. 
Which solution will meet these requirements with the LEAST operational overhead?](#a-security-team-is-performing-an-audit-of-a-companys-aws-deployment-the-security-team-is-concerned-that-two-applications-might-be-accessing-resources-that-should-be-blocked-by-network-acls-and-security-groups-the-applications-are-deployed-across-two-amazon-elastic-kubernetes-service-amazon-eks-clusters-that-use-the-amazon-vpc-container-network-interface-cni-plugin-for-kubernetes-the-clusters-are-in-separate-subnets-within-the-same-vpc-and-have-a-cluster-autoscaler-configured-the-security-team-needs-to-determine-which-pod-ip-addresses-are-communicating-with-which-services-throughout-the-vpc-the-security-team-wants-to-limit-the-number-of-flow-logs-and-wants-to-examine-the-traffic-from-only-the-two-applications-which-solution-will-meet-these-requirements-with-the-least-operational-overhead) | 47 | [A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven times during the company's peak event at the end of the year. The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries to the default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domain names. The company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDS and S3 bucket endpoints. 
Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?](#a-data-analytics-company-has-a-100-node-high-performance-computing-hpc-cluster-the-hpc-cluster-is-for-parallel-data-processing-and-is-hosted-in-a-vpc-in-the-aws-cloud-as-part-of-the-data-processing-workflow-the-hpc-cluster-needs-to-perform-several-dns-queries-to-resolve-and-connect-to-amazon-rds-databases-amazon-s3-buckets-and-on-premises-data-stores-that-are-accessible-through-aws-direct-connect-the-hpc-cluster-can-increase-in-size-by-five-to-seven-times-during-the-companys-peak-event-at-the-end-of-the-year-the-company-is-using-two-amazon-ec2-instances-as-primary-dns-servers-for-the-vpc-the-ec2-instances-are-configured-to-forward-queries-to-the-default-vpc-resolver-for-amazon-route-53-hosted-domains-and-to-the-on-premises-dns-servers-for-other-on-premises-hosted-domain-names-the-company-notices-job-failures-and-finds-that-dns-queries-from-the-hpc-cluster-nodes-failed-when-the-nodes-tried-to-resolve-rds-and-s3-bucket-endpoints-which-architectural-change-should-a-network-engineer-implement-to-provide-the-dns-service-in-the-most-scalable-way) -| 48 | [A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway.Β The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failover data center only in the case of an outage. 
Which solution will meet these requirements?](#a-companys-network-engineer-is-designing-an-active-passive-connection-to-aws-from-two-on-premises-data-centers-the-company-has-set-up-aws-direct-connect-connections-between-the-on-premises-data-centers-and-aws-from-each-location-the-company-is-using-a-transit-vif-that-connects-to-a-direct-connect-gateway-that-is-associated-with-a-transit-gateway%C2%A0the-network-engineer-must-ensure-that-traffic-from-aws-to-the-data-centers-is-routed-first-to-the-primary-data-center-the-traffic-should-be-routed-to-the-failover-data-center-only-in-the-case-of-an-outage-which-solution-will-meet-these-requirements) +| 48 | [A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway.Β The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failover data center only in the case of an outage. 
Which solution will meet these requirements?](#a-companys-network-engineer-is-designing-an-active-passive-connection-to-aws-from-two-on-premises-data-centers-the-company-has-set-up-aws-direct-connect-connections-between-the-on-premises-data-centers-and-aws-from-each-location-the-company-is-using-a-transit-vif-that-connects-to-a-direct-connect-gateway-that-is-associated-with-a-transit-gatewaythe-network-engineer-must-ensure-that-traffic-from-aws-to-the-data-centers-is-routed-first-to-the-primary-data-center-the-traffic-should-be-routed-to-the-failover-data-center-only-in-the-case-of-an-outage-which-solution-will-meet-these-requirements) | 49 | [A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue. A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification update metadata in DynamoDB and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances. 
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?](#a-real-estate-company-is-building-an-internal-application-so-that-real-estate-agents-can-upload-photos-and-videos-of-various-properties-the-application-will-store-these-photos-and-videos-in-an-amazon-s3-bucket-as-objects-and-will-use-amazon-dynamodb-to-store-corresponding-metadata-the-s3-bucket-will-be-configured-to-publish-all-put-events-for-new-object-uploads-to-an-amazon-simple-queue-service-amazon-sqs-queue-a-compute-cluster-of-amazon-ec2-instances-will-poll-the-sqs-queue-to-find-out-about-newly-uploaded-objects-the-cluster-will-retrieve-new-objects-perform-proprietary-image-and-video-recognition-and-classification-update-metadata-in-dynamodb-and-replace-the-objects-with-new-watermarked-objects-the-company-does-not-want-public-ip-addresses-on-the-ec2-instances-which-networking-design-solution-will-meet-these-requirements-most-cost-effectively-as-application-usage-increases) | 50 | [A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1. The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency. 
How should the network engineer design the network architecture to meet these requirements?](#a-company-has-an-aws-direct-connect-connection-between-its-on-premises-data-center-in-the-united-states-us-and-workloads-in-the-us-east-1-region-the-connection-uses-a-transit-vif-to-connect-the-data-center-to-a-transit-gateway-in-us-east-1-the-company-is-opening-a-new-office-in-europe-with-a-new-on-premises-data-center-in-england-a-direct-connect-connection-will-connect-the-new-data-center-with-some-workloads-that-are-running-in-a-single-vpc-in-the-eu-west-2-region-the-company-needs-to-connect-the-us-data-center-and-us-east-1-with-the-europe-data-center-and-eu-west-2-a-network-engineer-must-establish-full-connectivity-between-the-data-centers-and-regions-with-the-lowest-possible-latency-how-should-the-network-engineer-design-the-network-architecture-to-meet-these-requirements) | 51 | [A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.)](#a-network-engineer-has-deployed-an-amazon-ec2-instance-in-a-private-subnet-in-a-vpc-the-vpc-has-no-public-subnet-the-ec2-instance-hosts-application-code-that-sends-messages-to-an-amazon-simple-queue-service-amazon-sqs-queue-the-subnet-has-the-default-network-acl-with-no-modification-applied-the-ec2-instance-has-the-default-security-group-with-no-modification-applied-the-sqs-queue-is-not-receiving-messages-which-of-the-following-are-possible-causes-of-this-problem-choose-two) 
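Review bot: In the new row 48, the link text still carries the stray character between "transit gateway." and "The network engineer" that the old anchor encoded as `%C2%A0`, while the new anchor drops the `%C2%A0` without putting a hyphen in its place, leaving `transit-gatewaythe-network-engineer`. Row 43 in the same hunk goes the other way and adds the missing hyphen (`trafficusers` becomes `traffic-users`), so the two fixes are inconsistent. Replace the stray character with a normal space in the table cell and in the heading it points at, then use `transit-gateway-the-network-engineer` in the slug. Neither heading is part of this hunk, so please confirm both anchors resolve against the headings as they stand after this commit.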
@@ -153,7 +170,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 67 | [A company is using an AWS Site-to-Site VPN connection from the company's on-premises data center to a virtual private gateway in the AWS Cloud Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort. Which solution will meet these requirements?](#a-company-is-using-an-aws-site-to-site-vpn-connection-from-the-companys-on-premises-data-center-to-a-virtual-private-gateway-in-the-aws-cloud-because-of-congestion-the-company-is-experiencing-availability-and-performance-issues-as-traffic-travels-across-the-internet-before-the-traffic-reaches-aws-a-network-engineer-must-reduce-these-issues-for-the-connection-as-quickly-as-possible-with-minimum-administration-effort-which-solution-will-meet-these-requirements) | 68 | [An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US). The company is targeting the western US for the expansion. The company's existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for centralized security features such as proxies, firewalls, and logging. The company plans to duplicate the infrastructure from ap-southeast-2 to the us-west-1 Region. A network engineer must establish connectivity between the various applications in the two Regions. The solution must maximize bandwidth, minimize latency and minimize operational overhead. 
Which solution will meet these requirements?](#an-australian-ecommerce-company-hosts-all-of-its-services-in-the-aws-cloud-and-wants-to-expand-its-customer-base-to-the-united-states-us-the-company-is-targeting-the-western-us-for-the-expansion-the-companys-existing-aws-architecture-consists-of-four-aws-accounts-with-multiple-vpcs-deployed-in-the-ap-southeast-2-region-all-vpcs-are-attached-to-a-transit-gateway-in-ap-southeast-2-there-are-dedicated-vpcs-for-each-application-service-the-company-also-has-vpcs-for-centralized-security-features-such-as-proxies-firewalls-and-logging-the-company-plans-to-duplicate-the-infrastructure-from-ap-southeast-2-to-the-us-west-1-region-a-network-engineer-must-establish-connectivity-between-the-various-applications-in-the-two-regions-the-solution-must-maximize-bandwidth-minimize-latency-and-minimize-operational-overhead-which-solution-will-meet-these-requirements) | 69 | [An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. 
What should the company do next to meet these requirements?](#an-iot-company-sells-hardware-sensor-modules-that-periodically-send-out-temperature-humidity-pressure-and-location-data-through-the-mqtt-messaging-protocol-the-hardware-sensor-modules-send-this-data-to-the-companys-on-premises-mqtt-brokers-that-run-on-linux-servers-behind-a-load-balancer-the-hardware-sensor-modules-have-been-hardcoded-with-public-ip-addresses-to-reach-the-brokers-the-company-is-growing-and-is-acquiring-customers-across-the-world-the-existing-solution-can-no-longer-scale-and-is-introducing-additional-latency-because-of-the-companys-global-presence-as-a-result-the-company-decides-to-migrate-its-entire-infrastructure-from-on-premises-to-the-aws-cloud-the-company-needs-to-migrate-without-reconfiguring-the-hardware-sensor-modules-that-are-already-deployed-across-the-world-the-solution-also-must-minimize-latency-the-company-migrates-the-mqtt-brokers-to-run-on-amazon-ec2-instances-what-should-the-company-do-next-to-meet-these-requirements) -| 70 | [A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring. Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB. 
What should the network engineer do next to determine which errors the ALB is receiving?](#a-company-has-deployed-a-web-application-on-aws-the-web-application-uses-an-application-load-balancer-alb-across-multiple-availability-zones-the-targets-of-the-alb-are-aws-lambda-functions-the-web-application-also-uses-amazon-cloudwatch-metrics-for-monitoringusers-report-that-parts-of-the-web-application-are-not-loading-properly-a-network-engineer-needs-to-troubleshoot-the-problem-the-network-engineer-enables-access-logging-for-the-alb-what-should-the-network-engineer-do-next-to-determine-which-errors-the-alb-is-receiving) +| 70 | [A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring. Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB. What should the network engineer do next to determine which errors the ALB is receiving?](#a-company-has-deployed-a-web-application-on-aws-the-web-application-uses-an-application-load-balancer-alb-across-multiple-availability-zones-the-targets-of-the-alb-are-aws-lambda-functions-the-web-application-also-uses-amazon-cloudwatch-metrics-for-monitoring-users-report-that-parts-of-the-web-application-are-not-loading-properly-a-network-engineer-needs-to-troubleshoot-the-problem-the-network-engineer-enables-access-logging-for-the-alb-what-should-the-network-engineer-do-next-to-determine-which-errors-the-alb-is-receiving) | 71 | [A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. 
The data cannot be transported over the public internet and must be encrypted in transit. Which solution will meet these requirements?](#a-company-is-planning-to-use-amazon-s3-to-archive-financial-data-the-data-is-currently-stored-in-an-on-premises-data-center-the-company-uses-aws-direct-connect-with-a-direct-connect-gateway-and-a-transit-gateway-to-connect-to-the-on-premises-data-center-the-data-cannot-be-transported-over-the-public-internet-and-must-be-encrypted-in-transit-which-solution-will-meet-these-requirements) | 72 | [A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall. Which change should a network engineer implement to meet these requirements?](#a-company-is-using-amazon-route-53-resolver-dns-firewall-in-a-vpc-to-block-all-domains-except-domains-that-are-on-an-approved-list-the-company-is-concerned-that-if-dns-firewall-is-unresponsive-resources-in-the-vpc-might-be-affected-if-the-network-cannot-resolve-any-dns-queries-to-maintain-application-service-level-agreements-the-company-needs-dns-queries-to-continue-to-resolve-even-if-route-53-resolver-does-not-receive-a-response-from-dns-firewall-which-change-should-a-network-engineer-implement-to-meet-these-requirements) | 73 | [A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets. 
The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zones and EC2 instances. All connections from the same client session must be connected to the same EC2 instance. The company must provide end-to-end encryption for all connections between the clients and the application by using the application SSL certificate. Which solution will meet these requirements?](#a-company-is-migrating-an-existing-application-to-a-new-aws-account-the-company-will-deploy-the-application-in-a-single-aws-region-by-using-one-vpc-and-multiple-availability-zones-the-application-will-run-on-amazon-ec2-instances-each-availability-zone-will-have-several-ec2-instances-the-ec2-instances-will-be-deployed-in-private-subnets-the-companys-clients-will-connect-to-the-application-by-using-a-web-browser-with-the-https-protocol-inbound-connections-must-be-distributed-across-the-availability-zones-and-ec2-instances-all-connections-from-the-same-client-session-must-be-connected-to-the-same-ec2-instance-the-company-must-provide-end-to-end-encryption-for-all-connections-between-the-clients-and-the-application-by-using-the-application-ssl-certificate-which-solution-will-meet-these-requirements) 
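Review bot: in the row 70 entry, the new anchor reads `...cloudwatch-metrics-for-monitoring-users-report...` where the removed one had `monitoringusers`, so the link resolves only if the question 70 heading itself now has a space between "monitoring." and "Users". That heading is not part of this hunk; please confirm it is corrected in the same commit, otherwise this row trades one broken anchor for another.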
@@ -162,7 +179,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 76 | [A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?](#a-company-has-hundreds-of-vpcs-on-aws-all-the-vpcs-access-the-public-endpoints-of-amazon-s3-and-aws-systems-manager-through-nat-gateways-all-the-traffic-from-the-vpcs-to-amazon-s3-and-systems-manager-travels-through-the-nat-gateways-the-companys-network-engineer-must-centralize-access-to-these-services-and-must-eliminate-the-need-to-use-public-endpoints-which-solution-will-meet-these-requirements-with-the-least-operational-overhead) | 77 | [A company manages resources across VPCs in multiple AWS Regions. The company needs to connect to the resources by using its internal domain name. A network engineer needs to apply the aws.example.com DNS suffix to all resources. What must the network engineer do to meet this requirement?](#a-company-manages-resources-across-vpcs-in-multiple-aws-regions-the-company-needs-to-connect-to-the-resources-by-using-its-internal-domain-name-a-network-engineer-needs-to-apply-the-awsexamplecom-dns-suffix-to-all-resources-what-must-the-network-engineer-do-to-meet-this-requirement) | 78 | [An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. 
The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time. Which solution meets these requirements?](#an-insurance-company-is-planning-the-migration-of-workloads-from-its-on-premises-data-center-to-the-aws-cloud-the-company-requires-end-to-end-domain-name-resolution-bi-directional-dns-resolution-between-aws-and-the-existing-on-premises-environments-must-be-established-the-workloads-will-be-migrated-into-multiple-vpcs-the-workloads-also-have-dependencies-on-each-other-and-not-all-the-workloads-will-be-migrated-at-the-same-time-which-solution-meets-these-requirements) -| 79 | [A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection tom the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce this latency?](#a-global-company-runs-business-applications-in-the-us-east-1-region-inside-a-vpc-one-of-the-companys-regional-offices-in-london-uses-a-virtual-private-gateway-for-an-aws-site-to-site-vpn-connection-tom-the-vpc-the-company-has-configured-a-transit-gateway-and-has-set-up-peering-between-the-vpc-and-other-vpcs-that-various-departments-in-the-company-useemployees-at-the-london-office-are-experiencing-latency-issues-when-they-connect-to-the-business-applications-what-should-a-network-engineer-do-to-reduce-this-latency) +| 79 | [A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection tom the VPC. 
The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce this latency?](#a-global-company-runs-business-applications-in-the-us-east-1-region-inside-a-vpc-one-of-the-companys-regional-offices-in-london-uses-a-virtual-private-gateway-for-an-aws-site-to-site-vpn-connection-tom-the-vpc-the-company-has-configured-a-transit-gateway-and-has-set-up-peering-between-the-vpc-and-other-vpcs-that-various-departments-in-the-company-use-employees-at-the-london-office-are-experiencing-latency-issues-when-they-connect-to-the-business-applications-what-should-a-network-engineer-do-to-reduce-this-latency) | 80 | [A company has a hybrid cloud environment. The company's data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? 
(Choose three.)](#a-company-has-a-hybrid-cloud-environment-the-companys-data-center-is-connected-to-the-aws-cloud-by-an-aws-direct-connect-connection-the-aws-environment-includes-vpcs-that-are-connected-together-in-a-hub-and-spoke-model-by-a-transit-gateway-the-aws-environment-has-a-transit-vif-with-a-direct-connect-gateway-for-on-premises-connectivity-the-company-has-a-hybrid-dns-model-the-company-has-configured-amazon-route-53-resolver-endpoints-in-the-hub-vpc-to-allow-bidirectional-dns-traffic-flow-the-company-is-running-a-backend-application-in-one-of-the-vpcs-the-company-uses-a-message-oriented-architecture-and-employs-amazon-simple-queue-service-amazon-sqs-to-receive-messages-from-other-applications-over-a-private-network-a-network-engineer-wants-to-use-an-interface-vpc-endpoint-for-amazon-sqs-for-this-architecture-client-services-must-be-able-to-access-the-endpoint-service-from-on-premises-and-from-multiple-vpcs-within-the-companys-aws-infrastructure-which-combination-of-steps-should-the-network-engineer-take-to-ensure-that-the-client-applications-can-resolve-dns-for-the-interface-endpoint-choose-three) | 81 | [A company's network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources. Which solution will meet these requirements?](#a-companys-network-engineer-builds-and-tests-network-designs-for-vpcs-in-a-development-account-the-company-needs-to-monitor-the-changes-that-are-made-to-network-resources-and-must-ensure-strict-compliance-with-network-security-policies-the-company-also-needs-access-to-the-historical-configurations-of-network-resources-which-solution-will-meet-these-requirements) | 82 | [A gaming company is planning to launch a globally available game that is hosted in one AWS Region. 
The game backend is hosted on Amazon EC2 instances that are part of an Auto Scaling group. The game uses the gRPC protocol for bidirectional streaming between game clients and the backend. The company needs to filter incoming traffic based on the source IP address to protect the game. Which solution will meet these requirements?](#a-gaming-company-is-planning-to-launch-a-globally-available-game-that-is-hosted-in-one-aws-region-the-game-backend-is-hosted-on-amazon-ec2-instances-that-are-part-of-an-auto-scaling-group-the-game-uses-the-grpc-protocol-for-bidirectional-streaming-between-game-clients-and-the-backend-the-company-needs-to-filter-incoming-traffic-based-on-the-source-ip-address-to-protect-the-game-which-solution-will-meet-these-requirements)
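Review bot: the added row 79 line still carries the typo "connection tom the VPC" in the link text and `connection-tom-the-vpc` in the anchor; only the `useemployees` to `use-employees` part of the slug was corrected. Since this line is already being touched, suggest changing it to "to the VPC" in the question heading, the link text and the slug together, because the anchor has to match the heading text for the link to resolve.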