amazon AWS Certified Advanced Networking - Specialty - ANS-C00 online exam

What students need to know about the aws-certified-advanced-networking-specialty-ans-c00 exam

  • Total 407 Questions & Answers

Question 1

A company has a VPC in the us-west-1 Region and another VPC in the ap-southeast-2 Region. Network engineers set up an
AWS Direct Connect connection from their data center to the us-east-1 Region. They create a private virtual interface (VIF)
that references a Direct Connect gateway, which is then connected to virtual private gateways in both VPCs. When the setup
is complete, the engineers cannot access resources in us-west-1 from ap-southeast-2.
What should the network engineers do to resolve this issue?

  • A. Add the subnet range for the VPCs in us-west-1 and ap-southeast-2 to the route tables for both VPCs. Add the Direct Connect gateway as a target.
  • B. Configure the Direct Connect gateway to route traffic between the VPCs in ap-southeast-2 and us-west-1.
  • C. Establish a VPC peering connection between the VPCs in ap-southeast-2 and us-west-1. Add the subnet ranges to the routing tables.
  • D. Create static routes in each VPC that point to the destination VPC with the virtual private gateway as the route target.
Answer:

C

Explanation:
A Direct Connect gateway does not route traffic between the VPCs attached to it; it only carries traffic between the on-premises network and each attached VPC. To reach one VPC from the other, establish an inter-Region VPC peering connection and add routes for the peer's CIDR in both route tables (option C). A is wrong because a Direct Connect gateway is not a valid route-table target, and D is wrong because a virtual private gateway only forwards toward Direct Connect or a VPN, not toward another VPC.

Discussions

Question 2

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content
caching and for protecting the underlying origin. There is concern that an external agency might be able to discover the IP
addresses of the application's origin and then attack the origin directly, bypassing CloudFront. Which of the following
solutions provides the strongest level of protection to the origin?

  • A. Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
  • B. Configure CloudFront to add a custom header to origin requests and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
  • C. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
  • D. Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.
Answer:

B

Explanation:
A WAF web ACL attached to the distribution (option A) inspects only requests that arrive through CloudFront; an attacker who
learns the origin's address bypasses it entirely. Having CloudFront add a secret custom header to every origin request and
enforcing that header with a WAF rule on the Application Load Balancer (option B) rejects direct requests to the origin. C does
not work because Lambda@Edge runs inside CloudFront, not in front of the ALB. D is wrong because an origin access identity
applies only to Amazon S3 origins, not to an ALB.

Discussions
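The custom-header pattern from option B, as an added example that is not part of the exam page or of any AWS sample: the three pieces are the secret CloudFront injects, the regional WAFv2 web ACL on the ALB that blocks everything without that exact header value, and a constant-time check inside the application as defence in depth. The header name, rule names and metric names are assumptions; the dict shapes follow the CloudFront `CustomHeaders` and WAFv2 `CreateWebACL` request structures.

```python
"""Added example (not from the exam page): lock an ALB origin to CloudFront with a
shared-secret header. Names such as x-origin-verify and the rule names are
assumptions; the dict shapes follow the CloudFront and WAFv2 API structures."""
import hmac
import secrets

HEADER_NAME = "x-origin-verify"  # assumed header name; CloudFront adds it to origin requests


def new_origin_secret(nbytes: int = 32) -> str:
    """Random secret shared only between the CloudFront distribution and the WAF rule."""
    return secrets.token_hex(nbytes)


def cloudfront_origin_custom_headers(secret: str) -> dict:
    """CustomHeaders block for the origin entry in a CloudFront distribution config."""
    return {"Quantity": 1, "Items": [{"HeaderName": HEADER_NAME, "HeaderValue": secret}]}


def waf_origin_lock_acl(secret: str, acl_name: str = "alb-cloudfront-only") -> dict:
    """Regional WAFv2 web ACL for the ALB: default action Block, one Allow rule that
    requires the header value to match the secret exactly (boto3 takes
    SearchString as bytes)."""
    visibility = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": acl_name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Block": {}},
        "Rules": [{
            "Name": "allow-cloudfront-secret-header",
            "Priority": 0,
            "Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
                "PositionalConstraint": "EXACTLY",
                "SearchString": secret.encode(),
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }},
            "Action": {"Allow": {}},
            "VisibilityConfig": {**visibility, "MetricName": "CloudFrontSecretHeader"},
        }],
        "VisibilityConfig": {**visibility, "MetricName": acl_name},
    }


def request_is_from_cloudfront(headers: dict, secret: str) -> bool:
    """Defence-in-depth check inside the application behind the ALB. Header
    names are matched case-insensitively; the value compare is constant-time."""
    value = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if value is None:
        return False
    return hmac.compare_digest(value.encode(), secret.encode())


if __name__ == "__main__":
    s = new_origin_secret()
    print(request_is_from_cloudfront({"X-Origin-Verify": s}, s))  # True
    print(request_is_from_cloudfront({}, s))                      # False
```

Two operational caveats: rotate the secret by first adding a second Allow rule for the new value, then switching the CloudFront header, then deleting the old rule, otherwise there is a window in which the ALB blocks all traffic; and the header only proves the request came through some CloudFront distribution that knows the secret, so keep the secret out of application logs and out of any response header.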

Question 3

You are architecting an HPC solution in AWS. The system consists of a cluster of EC2 instances that require low-latency
communications between them.
Which method should you use to set up a cluster to meet these requirements?

  • A. Create a VPC with one subnet in a single Availability Zone. Keep the size of the subnet equal to the number of instances required in the cluster. Launch instances for the cluster in this small subnet to guarantee low-latency network performance.
  • B. Create a placement group. Choose an EC2 instance type compatible with placement groups for the cluster. Launch instances for the cluster in the placement group.
  • C. Launch Amazon EC2 instances with the largest available number of cores and RAM. Attach all instances to an Amazon EBS PIOPS volume. Implement a shared memory system across all instances in the cluster, using this shared EBS volume to minimize latency of communication.
  • D. Choose an EC2 instance type that offers enhanced networking. Attach a 10-Gbps non-blocking elastic network interface to the instances. Configure the elastic network interface to optimize network performance to reduce latency.
Answer:

B

Explanation:
Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both.
A is incorrect because the size of a subnet has no impact on network performance. C is incorrect because an EBS volume
cannot be shared between EC2 instances. D is only half the solution because the enhanced networking affects the network
behavior of an EC2 instance but not the network infrastructure between instances.

Discussions

Question 4

To allow all traffic to access an instance in "Subnet 1" that uses "Security Group 1", what two options need to be configured?
(Choose two.)

  • A. NACL rule allowing 0.0.0.0/0 to access "Subnet 1"
  • B. Security Group rule in "Security Group 1" that allows 0.0.0.0/0 inbound
  • C. Security Group rule in "Security Group 1" that allows outbound traffic to 0.0.0.0/0
  • D. NACL rule allowing 0.0.0.0/0 to access "Security Group 1"
Answer:

A B

Explanation:
You must allow traffic through the NACL and through the Security Group to access the instance. If there is not an Outbound
allow setup in the NACL, you may need to set that, but an outbound rule for Security Group 1 is not necessary as security
groups are stateful.

Discussions

Question 5

You have a web application (app.mycompany.com) running on an EC2 instance with a single elastic network interface in a
subnet in a VPC. Because of a network redesign, you need to move the web application to a different subnet in the same
Availability Zone.
Which of the following migration strategies meets the requirements?

  • A. Create an elastic network interface in the new subnet. Attach this interface to the instance, and detach the old interface.
  • B. Launch a new instance in the subnet via an AMI created from the instance, and redirect new connections to this new instance using DNS. Decommission the old instance.
  • C. Make an API call to change the subnet association of the elastic network interface.
  • D. Change the IP addresses manually to another subnet within the server operating system.
Answer:

B

Explanation:
An instance cannot be moved to another subnet, so a new instance must be launched in the target subnet (option B). A is wrong
because the primary elastic network interface (eth0) cannot be detached from a running or stopped instance. C is not possible:
an elastic network interface is bound to its subnet for its lifetime. D is wrong because addressing inside the guest OS has no
effect on the IP addresses AWS assigned to the interface.

Discussions

Question 6

You want to send a broadcast message to your 10.0.0.0/24 subnet, which one of these addresses should you use?

  • A. 10.0.0.255
  • B. 10.0.0.1
  • C. 10.0.0.2
  • D. You cannot send a broadcast in an AWS VPC.
Answer:

D

Explanation:
You cannot send a broadcast in an AWS VPC, but the address is still reserved.

Discussions

Question 7

Your company has placement groups in two different availability zones. There is a large project coming up and, although
resilience is important, cost and speed are the most important factors. The servers in each placement group need to be able
to achieve the highest speed possible.
How can this be achieved?

  • A. Create AMIs from all of the instances, terminate them, and deploy them all into one placement group.
  • B. In the CLI, run the command "aws ec2 set-placement-group 1" for all of the instances.
  • C. Duplicate the VPC, peer the new VPC, create AMIs of the instances, terminate them, and redeploy them in two separate placement groups between the two VPCs.
  • D. Peer the two placement groups using AWS PG Peering.
Answer:

A

Explanation:
There is no "AWS PG Peering" feature. Duplicating the VPC does not align with the cost concern. There is no "aws ec2 set-placement-group" command.

Discussions

Question 8

A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the
Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is
not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?

  • A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts. 2. In the Connectivity account: Accept the resource. 3. In the Connectivity account: Create an attachment to the VPC subnets. 4. In the Production account: Accept the attachment. Associate a route table with the attachment.
  • B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts. 2. In the Connectivity account: Accept the resource. 3. In the Production account: Create an attachment on the transit gateway to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
  • C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets. 4. In the Production account: Accept the attachment. Associate a route table with the attachment.
  • D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Production account: Create an attachment to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
Answer:

D

Explanation:
The Connectivity account owns the transit gateway, so it is the account that must share it through AWS Resource Access Manager,
naming the Production account as principal. The Production account accepts the share and creates the attachment to its own
VPC subnets. Because auto-accept of shared attachments is disabled, the Connectivity account must then accept the attachment
and associate a transit gateway route table with it (option D). A and B have the Production account sharing a transit gateway it
does not own, and C shares the subnets instead of the transit gateway.
Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/automating-aws-transit-gateway-attachments-to-a-transit-gateway-in-a-central-account/

Discussions

Question 9

You are auditing an AWS infrastructure after you noticed some abnormal charges on the bill. You use AWS Config to
monitor your changes. What else is required to find out who made the change?

  • A. There is no information to find this. You will need to sign up for Config Premium.
  • B. Use the eventID of the change and reference it with your Flow Logs.
  • C. Use the eventId of the change and reference it with CloudTrail to find the culprit.
  • D. Use the eventID of the change and reference it with CloudWatch to find the culprit.
Answer:

C

Explanation:
AWS Config records what changed; CloudTrail records who made the API call. Each Config configuration item carries the CloudTrail event IDs of the calls that caused the change (relatedEvents), so looking those IDs up in CloudTrail gives the calling principal, the source IP and the time.

Discussions
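The lookup the answer describes, as an added example that is not part of the exam page: take the `relatedEvents` list from a Config configuration item, find the matching CloudTrail records by `eventID`, and report the principal. Both records are constructed samples that use the real field names; the IDs, ARNs and addresses are invented.

```python
"""Added example (not from the exam page): use the relatedEvents of an AWS Config
configuration item to pull the matching CloudTrail records and name the principal.
Both records below are constructed samples with the real field names."""

CONFIG_ITEM = {  # constructed configurationItem, relevant fields only
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2019-02-27T20:35:00.000Z",
    "relatedEvents": ["5c1a8e9e-2b1f-4d0e-9a7b-0f1e2d3c4b5a"],
}

CLOUDTRAIL_RECORDS = [  # constructed CloudTrail records
    {
        "eventID": "5c1a8e9e-2b1f-4d0e-9a7b-0f1e2d3c4b5a",
        "eventTime": "2019-02-27T20:33:12Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::012345678912:assumed-role/NetworkAdmin/alice",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::012345678912:role/NetworkAdmin"}
            },
        },
    },
    {
        "eventID": "d2f0a1b3-7e6c-4a5d-8b9f-1c2d3e4f5a6b",
        "eventTime": "2019-02-27T20:34:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSecurityGroups",
        "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::012345678912:user/bob"},
    },
]


def principal_of(identity: dict) -> dict:
    """Flatten userIdentity. For an assumed role the session ARN carries the
    session name; the role that was assumed is under sessionContext.sessionIssuer."""
    out = {"type": identity.get("type"), "arn": identity.get("arn")}
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("arn"):
        out["issuer"] = issuer["arn"]
    return out


def who_changed(config_item: dict, trail_records: list) -> list:
    """Join the configuration item's relatedEvents to CloudTrail records by eventID."""
    by_id = {r["eventID"]: r for r in trail_records}
    hits = []
    for event_id in config_item.get("relatedEvents", []):
        rec = by_id.get(event_id)
        if rec is None:
            continue  # not in this batch: widen the CloudTrail time window and retry
        hits.append({
            "eventID": event_id,
            "eventTime": rec["eventTime"],
            "eventName": rec["eventName"],
            "sourceIPAddress": rec["sourceIPAddress"],
            "principal": principal_of(rec["userIdentity"]),
        })
    return hits


if __name__ == "__main__":
    for hit in who_changed(CONFIG_ITEM, CLOUDTRAIL_RECORDS):
        print(hit["eventTime"], hit["eventName"], hit["principal"], hit["sourceIPAddress"])
```

In a live account the records come from the CloudTrail LookupEvents API (the `EventId` lookup attribute accepts one event ID per call) or from the trail's S3 objects; the join logic above is the same either way.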

Question 10

A company is delivering web content from an Amazon EC2 instance in a public subnet with address 2001:db8:1:100::1.
Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:

2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK
2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK
Which action will restore network reachability to the EC2 instance?

  • A. Update the security group associated with eni-0596e500123456789 to permit inbound traffic.
  • B. Update the security group associated with eni-0596e500123456789 to permit outbound traffic.
  • C. Update the network ACL associated with the subnet to permit inbound traffic.
  • D. Update the network ACL associated with the subnet to permit outbound traffic.
Answer:

D

Explanation:
The first record is traffic from 2001:db8:2:200::2 to the instance and it is accepted; the second is the instance's reply to
the same peer and it is rejected. Security groups are stateful, so they never drop the response to a connection they allowed
in; a rejected reply can only come from the stateless network ACL's outbound rules (option D). A and C change inbound rules,
but inbound traffic is already accepted, and B has no effect because the security group does not evaluate outbound rules for
tracked return traffic.

Discussions
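The reasoning behind Question 4 (security groups stateful, network ACLs stateless) and Question 10 (which control can explain a REJECT), as an added example that is not part of the exam page: parse version-2 flow log records, pair the two directions of each flow on the ENI, and assign a verdict. The first two records are the ones from Question 10; the two `EXTRA_LINES` are constructed to exercise the other verdicts, and the verdict names are my own labels.

```python
"""Added example (not from the exam page): pair the two directions of each flow in
VPC Flow Log version-2 records and say which control can explain a REJECT.
The first two records are the ones shown in Question 10; the others are constructed."""
from collections import defaultdict

# Default version-2 flow log record format, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

INSTANCE_ADDR = "2001:db8:1:100::1"

Q10_LINES = [
    "2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK",
    "2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK",
]

# Constructed records: a client's TCP/443 connection attempts rejected on the way in,
# and an instance-initiated UDP/53 flow rejected with no inbound counterpart.
EXTRA_LINES = [
    "2 012345678912 eni-0596e500123456789 2001:db8:3:300::9 2001:db8:1:100::1 51234 443 6 5 300 1551299500 1551299560 REJECT OK",
    "2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:4:400::53 33000 53 17 3 240 1551299600 1551299601 REJECT OK",
]


def parse_record(line: str) -> dict:
    """Split one record into named fields; numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec


def flow_key(rec: dict) -> tuple:
    """Direction-agnostic identity of a flow on one ENI (endpoints sorted)."""
    ends = sorted([(rec["srcaddr"], rec["srcport"]), (rec["dstaddr"], rec["dstport"])])
    return (rec["interface_id"], rec["protocol"]) + tuple(ends)


def diagnose(lines, instance_addr: str) -> dict:
    """Map each flow to a verdict.

    Security groups are stateful: the reply to an ACCEPTed inbound flow is never
    dropped by the security group, so an outbound REJECT paired with an inbound
    ACCEPT can only be the (stateless) network ACL's outbound rules. An inbound
    REJECT, or an outbound REJECT on a flow the instance started, could be either
    control in that direction and needs the rules themselves to decide."""
    seen = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        direction = "inbound" if rec["dstaddr"] == instance_addr else "outbound"
        seen[flow_key(rec)][direction] = rec["action"]
    verdicts = {}
    for key, actions in seen.items():
        inb, outb = actions.get("inbound"), actions.get("outbound")
        if inb == "ACCEPT" and outb == "REJECT":
            verdicts[key] = "NACL_OUTBOUND"
        elif inb == "REJECT":
            verdicts[key] = "SG_INBOUND_OR_NACL_INBOUND"
        elif outb == "REJECT" and inb is None:
            verdicts[key] = "SG_OUTBOUND_OR_NACL_OUTBOUND"
        else:
            verdicts[key] = "OK"
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(Q10_LINES + EXTRA_LINES, INSTANCE_ADDR).items():
        print(key[2][0], "<->", key[3][0], "proto", key[1], verdict)
```

The pairing only works when both directions of a flow land in the same log window, so aggregate over a few intervals before trusting an "OK" verdict; and a flow log with a custom record format needs `FIELDS` adjusted to match.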