Question 1

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP addresses (10.1.0.0/24). A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of 10.1.0.0/24. What should the network engineer do next to meet the requirements?

Options :

A : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a public NAT Sateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

public NAT gateway in the corresponding Availability

Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to

send traffic destined for the application to the transit

gateway.

B : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a private NAT gateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

private NAT gateway in the corresponding

Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT

gateways to send traffic destined for the application to

the transit gateway.

C : In the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the private NAT gateway. Add a route to the

route table that is associated with the subnet of the

private NAT gateway to send traffic destined for the application to the transit gateway.

D : In the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the public NAT gateway. Add a route to the

route table that is associated with the subnet of the

public NAT gateway to send traffic destined for the application to the transit gateway.

Answer: B

Question 2

A company has an application that runs on premises. The application needs to communicate with an application that runs in a VPC on AWS. The communication between the applications must be encrypted and must use private IP addresses. The communication cannot travel across the public internet. The company has established a 1 Gbps AWS Direct Connect connection between the on-premises location and AWS. Which solution will meet the connectivity requirements with the LEAST operational overhead?

Options :

A :

Configure a private VIF on the Direct Connect connection. Associate the private VIF with the VPC's virtual private gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the virtual private gateway.

B :

Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

C :

Configure a public VIF on the Direct Connect connection. Associate the public VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

D :

Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up a third-party firewall in a new VPC that is attached to the transit gateway. Set up a VPN connection to the third-party firewall.

Answer: D

Question 3

An analytics company uses Amazon QuickSight (Enterprise Edition) to easily create and publish interactive BI dashboards that can be accessed from any device. For a specific requirement, the company needs to create a private connection from Amazon QuickSight to an Amazon RDS DB instance that's in a private subnet to fetch data for analysis. Which of the following represents an optimal solution for configuring a private connection between QuickSight and Amazon RDS DB instance?

Options :

A :

Amazon QuickSight Enterprise edition is fully integrated with the Amazon VPC service. Create an ENI in QuickSight that points to the VPC that hosts the RDS DB instance. However, the subnet has to be a private subnet and not a public subnet

B :

Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new security group with necessary inbound rules for QuickSight in the same VPC. Sign in to QuickSight as a QuickSight admin and create a new QuickSight VPC connection. Create a new dataset from the RDS DB instance

C :

Create a Private Virtual Interface between VPC that hosts Amazon RDS DB instance and QuickSight. Use this connection to privately access necessary data from RDS DB

D :

Create a new private subnet in the same VPC as the Amazon RDS DB instance. Create a new network Access Control List (ACL) with necessary inbound rules for QuickSight in the same VPC. Connect from QuckSight using VPC connector

Answer: B

Question 4

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?

Options :

A : Change the ALB security policy to a policy that supports TLS 1.2 protocol only

B : Use AWS Key Management Service (AWS KMS) to encrypt session keys

C :

Associate an AWS WAF web ACL with the ALBs. and create a security rule to enforce forward secrecy (FS)

D : Change the ALB security policy to a policy that supports forward secrecy (FS)

Answer: D

Question 5

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these requirements?

Options :

A :

Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

B :

Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

C :

Create a target group. Add the EKS managed node group-s Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.

D :

Create a target group. Add the EKS managed node group’s Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Answer: B

Higher Test Marks with Free Online ANS-C01 Exam Practice

Buying Options: