最新的Amazon ANS-C00免費考試真題

問題1

An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the 'Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:
AWSTemplateFormation Version: 2010-09-09
Parameters:
Originating VCId:
Type: String
RemoteVPCId:
Type: String
RemoteVPCAccountId:
Type: String
Resources:
newVPCPeeringConnection:
Type: 'AWS::EC2::VPCPeeringConnection'
Properties:
VpcdId: !Ref OriginatingVPCId
PeerVpcId: !Ref RemoteVPCId
PeerOwnerId: !Ref RemoteVPCAccountId
Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

A. Resources:newVPCPeeringConnection:Type: 'AWS::EC2VPCPeeringConnection'PeerRoleArn: !Ref PeerRoleArn

B. Resources:NewEC2SecurityGroup:Type: AWS::EC2::SecurityGroup

C. Resources:VPCGatewayToRemoteVPC:Type: "AWS::EC2::VPCGatewayAttachment"

D. Resources:NetworkInterfaceToRemoteVPC:Type: "AWS::EC2NetworkInterface"

E. Resources:newEC2Route:Type: AWS::EC2::Route

正確答案: A,E

說明：（僅 Fast2test 成員可見）

問題2

You have to set up an AWS Direct Connect connection to connect your on-premises to an AWS VPC. Due to budget requirements, you can only provision a single Direct Connect port. You have two border gateway routers at your on-premises data center that can peer with the Direct Connect routers for redundancy.
Which two design methodologies, in combination, will achieve this connectivity? (Select two.)

A. Terminate the Direct Connect circuit on a L2 border switch, which in turn has trunk connections to the two routers.

B. Create one Direct Connect private VIF for the VPC with two customer peer IPs.

C. Create two Direct Connect private VIFs for the same VPC, each with a different peer IP.

D. Terminate the Direct Connect circuit on any of the one routers, which in turn will have an IBGP session with the other router.

E. Provision two VGWs for the VPC and create one Direct Connect private VIF per VGW.

正確答案: A,B

說明：（僅 Fast2test 成員可見）

問題3

A company wants to migrate its workloads to the AWS Cloud. The company has two web applications and wants to run them in separate, isolated VPCs. The company needs to use Elastic Load Balancing to distribute requests between application instances.
For security reasons, internet gateways must not be attached to the application VPCs. Inbound HTTP requests to the application must be routed through a centralized VPC. and the application VPCs must not be exposed to any other inbound traffic The application VPCs cannot be allowed to initiate any outbound connections What should a network engineer do to meet these requirements?

A. Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private IP addresses of the ALBs Configure host-based routing to route application traffic to the corresponding target group through the NLB.

B. Run the applications behind private Network Load Balancers (NLBs) in

C. Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private DNS names of the ALBs Configure host-based routing to route application traffic to the corresponding target group through the NLB.

D. Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Create VPC peering connections between the application VPCs and the centralized VPC. Create a public Application Load Balancer (ALB) in the centralized VPC. Create target groups for the private DNS names of the NLBs. Configure host-based routing to route application traffic between individual applications though the ALB.

正確答案: B

說明：（僅 Fast2test 成員可見）

問題4

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a "backdoor", and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?

A. The S3 service could reach the router through a pre-configured VPC Endpoint.

B. EC2 instances in the same region with access to the Internet could directly reach the router.

C. Direct Connect customers with a Public VIF in the same region could directly reach the router.

D. AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.

正確答案: B

說明：（僅 Fast2test 成員可見）

問題5

Your organization needs to resolve DNS entries stored in an Amazon Route 53 private zone "awscloud:internal" from the corporate network. An AWS Direct Connect connection with a private virtual interface is configured to provide access to a VPC with the CIDR block 192.168.0.0/16. A DNS Resolver (BIND) is configured on an Amazon Elastic Compute Cloud (EC2) instance with the IP address 192.168.10.5 within the VPC. The DNS Resolver has standard root server hints configured and conditional forwarding for "awscloud.internal" to the IP address 192.168.0.2.
From your PC on the corporate network, you query the DNS server at 192.168.10.5 for www.amazon.com. The query is successful and returns the appropriate response. When you query for "server.awscloud.internal", the query times out. You receive no response.
How should you enable successful queries for "server.awscloud.internal"?

A. Update the security group for the EC2 instance at 192.168.10.5 to allow UDP Port 53 outbound.

B. Attach an internet gateway to the VPC and create a default route.

C. Configure the VPC settings for enableDnsHostnames and enableDnsSupport as True

D. Relocate the BIND DNS Resolver to the corporate network.

正確答案: C

說明：（僅 Fast2test 成員可見）

問題6

A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC.
Which of the following is the MOST reliable solution?

A. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accessed. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

B. Create an inbound rule in the VPC's network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

C. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.

D. Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required port. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

正確答案: D

說明：（僅 Fast2test 成員可見）

問題7

An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.
Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: "There are not enough free addresses in subnet 'subnet-12345677' to satisfy the requested number of instances." What action will resolve the availability problem?

A. Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.

B. Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.

C. Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.

D. Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.

正確答案: D

問題8

A legacy, on-premises web application cannot be load balances effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of the following designs will meet these requirements?

A. Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.

B. Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.

C. Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.

D. Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.

正確答案: B

說明：（僅 Fast2test 成員可見）

問題9

An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization's private IP address What could cause this connectivity issue? (Choose two.)

A. The on-premises router is not advertising the correct CIDR range to AWS.

B. A public virtual interface must be configured for Amazon EC2 connectivity.

C. The VGW is not advertising the correct CIDR range back on-premises.

D. The instance security group does not allow ICMP traffic.

E. There is a misconfiguration of the bi-directional forwarding detection.

正確答案: A,D

問題10

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Select two.)

A. IP prefixes to advertise

B. Direct Connect location

C. Virtual private gateway

D. VLAN ID

E. Public AS number

正確答案: C,D

問題11

A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone What is the MOST reliable way to implement DNS in this scenario?

A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.

B. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.

C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.

D. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.

正確答案: C

問題12

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

A. Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.

B. Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.

C. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.

D. Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.

正確答案: D

問題13

A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which sot of stops should the network engineer follow in each AWS account to meet those requirements?

A. 1. In the Connectivity account Create a resource share in AWS Resource Access Manager for the transit gateway Provide the Production account ID Enable the feature to allow external accounts
2. In the Production account Accept the resource.
3 In the Production account Create an attachment to the VPC subnets
4. In the Connectivity account Accept the attachment. Associate a route tab e win toe attachment

B. 1. In the Production account Create a resource share In AWS Resource Access Manager for the transit gateway Provide the Connectivity account ID Enable the feature to allow external accounts
2. In the Connectivity account Accept the resource
3. In the Connectivity account Create an attachment to the VPC subnets
4. In the Production account: Accept the attachment. Associate a route table with the attachment.

C. 1. In the Production account Create a resource share In AWS Resource Access Manager for the VPC subnets Provide the Connectivity account ID Enable the feature to allow external accounts.
2. In the Connectivity account Accept the resource
3. In the Production account Create an attachment on the transit gateway to the VPC subnets
4. In the Connectivity account Accept the attachment Associate a route table will the attachment.

D. 1. In the Connectivity account Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID Enable the feature lo allow external accounts.
2. In the Production account Accept the resource
3. In the Connectivity account Create an attachment on the transit gateway to the VPC subnets A In the Production account Accept the attachment Associate a route table with the attachment.

正確答案: A

說明：（僅 Fast2test 成員可見）

最新的Amazon AWS Certified Advanced Networking Specialty (ANS-C00) - ANS-C00免費考試真題

聯系我們

站內鏈接

最新更新