Amazon ANS-C01 Exam Dumps

Question 6 of 201

A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.

A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.

Which combination of steps is part of a solution that meets these requirements? (Choose two.)

Deploy the SaaS service endpoint behind a Network Load Balancer.

Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.

Deploy the SaaS service endpoint behind an Application Load Balancer.

Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.

Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.

Correct Answer: A, B

To meet the requirements of not having to share internal IP addresses and avoid connecting over the internet despite IP address overlap, deploying the SaaS service endpoint behind a Network Load Balancer (NLB) allows for highly available, scalable architecture and presents a single IP address to customers. Configuring an endpoint service and granting customers permission to create a connection allows them to securely and privately connect to the SaaS service using their own private IP addresses without traversing the internet.

Question 7 of 201

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.

The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.

Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.

Set up AWS WAF on all network components.

Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.

Use AWS Direct Connect with MACsec support for connectivity to the cloud.

Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.

Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct Answer: D, E, F

To meet all the requirements for the workload, the network engineer should take the following steps: AWS Direct Connect with MACsec support ensures that all data to and from the on-premises environment is encrypted in transit, satisfying the requirement for encryption. Using Gateway Load Balancers to insert third-party firewalls allows for the inspection of all traffic in the cloud before it leaves the cloud, fulfilling the need for inline traffic inspection. Lastly, configuring AWS Shield Advanced provides protection against DDoS attacks and also offers financial protection for services that scale out during a DDoS event.

Question 8 of 201

A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.

The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.

Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.

Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.

Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.

Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Correct Answer: A, D

To investigate the increased usage of a NAT gateway, enabling VPC flow logs on the NAT gateway's elastic network interface and publishing the logs to either Amazon CloudWatch Logs or an Amazon S3 bucket are both effective solutions. Publishing to CloudWatch Logs allows for the use of CloudWatch Logs Insights to query and analyze the logs directly. Alternatively, publishing to an S3 bucket and using Amazon Athena to create a custom table for querying and analyzing the logs can also provide detailed insights. These methods allow tracking and analyzing the traffic passing through the NAT gateway, helping identify the sources of increased usage.

Question 9 of 201

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.

A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.

Which solution will meet these requirements?

Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.

Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Correct Answer: C

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, while preventing inbound IPv6 traffic from the internet to your instances. This solution meets the requirement of not permitting IPv6 traffic from the public internet and ensures that the company's servers initiate all IPv6 connectivity. The other options either do not support IPv6 or do not align with the requirement to block inbound IPv6 traffic from the internet.

Question 10 of 201

A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.

Which solution will meet these requirements?

Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.

Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.

Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.

Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

Correct Answer: B

To deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time, the best solution is to create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service cluster as the destination. Kinesis Data Firehose can stream data in near real-time, ensuring that the logs are delivered to the Elasticsearch cluster efficiently and quickly compared to other methods. This makes it the most effective and streamlined option for the required task.