Question 1

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

Options :

A :

Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.

B :

Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLUse Bring Your Own IP (BYOIP) from the onpremises network with Global Accelerator.

C :

Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator

D :

Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Answer: B

Question 2

Consider a scenario where an EC2 instance in a private subnet reaches out to the internet via a NAT gateway in a public subnet. The EC2 instance sends a 1 GB file to one of the Amazon Simple Storage Service (Amazon S3) buckets via the NAT gateway. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS region. The NAT gateway and EC2 instance are in the same Availability Zone. Which costs should be included when the total cost of this file transfer is calculated?

Options :

A :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

B :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

C :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

D :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket

Answer: B

Question 3

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP addresses (10.1.0.0/24). A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of 10.1.0.0/24. What should the network engineer do next to meet the requirements?

Options :

A : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a public NAT Sateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

public NAT gateway in the corresponding Availability

Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to

send traffic destined for the application to the transit

gateway.

B : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a private NAT gateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

private NAT gateway in the corresponding

Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT

gateways to send traffic destined for the application to

the transit gateway.

C : In the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the private NAT gateway. Add a route to the

route table that is associated with the subnet of the

private NAT gateway to send traffic destined for the application to the transit gateway.

D : In the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the public NAT gateway. Add a route to the

route table that is associated with the subnet of the

public NAT gateway to send traffic destined for the application to the transit gateway.

Answer: B

Question 4

The networking team at an e-commerce company has created a VPC with CIDR 21.5.0.0/16 with only a private subnet and VPN connection to the on-premises data center using the AWS VPC wizard. The team wants to connect to the instance in a private subnet over SSH. How would you define the security rule for SSH?

Options :

A :

Allow Inbound traffic on port 80 and port 22 to allow the user to connect to a private subnet over the internet

B : Allow Inbound traffic on port 22 from the public subnet having a bastion host

C : Allow Inbound traffic on port 22 from the on-premises network

D : Allow Inbound traffic on port 80 and port 22 from the public subnet having a bastion host

Answer: C

Question 5

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?

Options :

A : Change the ALB security policy to a policy that supports TLS 1.2 protocol only

B : Use AWS Key Management Service (AWS KMS) to encrypt session keys

C :

Associate an AWS WAF web ACL with the ALBs. and create a security rule to enforce forward secrecy (FS)

D : Change the ALB security policy to a policy that supports forward secrecy (FS)

Answer: D

Higher Test Marks with Free Online ANS-C01 Exam Practice

Buying Options: