Exam ANS-C01
Question 16

A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.

In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.

Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

    Correct Answer: A, D, F

    To ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway, the following steps are necessary: First, validate that private DNS is enabled on the VPC by setting the enableDnsHostnames and enableDnsSupport VPC attributes to true. This is essential because the CloudWatch agent relies on DNS resolution to connect to AWS services. Second, create the necessary interface VPC endpoints in the VPC, specifically for CloudWatch Logs and Monitoring (com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring), and associate the new security group with the endpoint network interfaces. This allows your private subnet resources to use these services without requiring internet access. Third, associate the VPC endpoint or endpoints with the route tables that the private subnets use. This ensures that the traffic from your private subnets to the CloudWatch service is properly routed through the VPC endpoints. Together, these steps will allow the CloudWatch agent to send monitoring data to AWS services without needing the NAT gateway.
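As an added example (not part of the exam page or its discussion), a small Python preflight that can be run from an instance in one of the private subnets to verify the conditions above: the two VPC DNS attributes, that the us-west-2 CloudWatch hostnames resolve to addresses inside the VPC (private DNS on the interface endpoints), and that TCP/443 to those addresses is actually open through the endpoint security group. The VPC CIDR 10.0.0.0/16 and the `SAMPLE_DNS` data are constructed assumptions for the demo; `check_agent_path` with its default resolver and connector does real lookups.

```python
# Preflight for a NAT-less private subnet: can the unified CloudWatch agent reach CloudWatch via interface endpoints?
import ipaddress
import socket

REGION = "us-west-2"
# Hostnames the agent contacts; with private DNS on the interface endpoints
# they must resolve to endpoint ENI addresses inside the VPC, not public IPs.
SERVICE_HOSTS = {"logs": f"logs.{REGION}.amazonaws.com",
                 "monitoring": f"monitoring.{REGION}.amazonaws.com"}

def resolve_ipv4(host):
    """Resolve host via the instance's configured DNS (the VPC resolver)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)})

def tcp_443_open(ip):
    """True if a TCP handshake to ip:443 completes, i.e. the endpoint SG allows it."""
    try:
        with socket.create_connection((ip, 443), timeout=3):
            return True
    except OSError:
        return False

def check_agent_path(vpc_cidr, vpc_attrs, resolve=resolve_ipv4, connect=tcp_443_open):
    """Return findings (empty list = all good). vpc_attrs mirrors the
    enableDnsSupport / enableDnsHostnames VPC attributes."""
    findings = []
    for attr in ("enableDnsSupport", "enableDnsHostnames"):
        if not vpc_attrs.get(attr, False):
            findings.append(f"{attr} is false: endpoint private DNS names will not resolve")
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for service, host in SERVICE_HOSTS.items():
        try:
            addrs = resolve(host)
        except OSError as exc:
            findings.append(f"{host} does not resolve ({exc}): check DNS and the {service} endpoint")
            continue
        for ip in addrs:
            if ipaddress.ip_address(ip) not in vpc_net:
                findings.append(f"{host} -> {ip} is outside {vpc_cidr}: public {service} endpoint, needs NAT")
            elif not connect(ip):
                findings.append(f"{host} -> {ip} refuses TCP/443: endpoint SG must allow 443 from this subnet")
    return findings

# Constructed sample (not real DNS data): logs endpoint exists but its SG blocks 443;
# monitoring endpoint was never created so the name still resolves to a public IP.
SAMPLE_DNS = {"logs.us-west-2.amazonaws.com": ["10.0.1.25"],
              "monitoring.us-west-2.amazonaws.com": ["203.0.113.10"]}
def demo():
    return check_agent_path("10.0.0.0/16", {"enableDnsSupport": True, "enableDnsHostnames": False},
                            resolve=lambda h: SAMPLE_DNS[h], connect=lambda ip: ip != "10.0.1.25")
```

Each finding names the step that is missing, so an empty list means the agent has a working private path to both Logs and Monitoring.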

Discussion
slackbot (Options: ACD)

A, C, and D

Untamables (Options: ACD)

A, C, and D An interface VPC endpoint provides reliable, scalable connectivity to CloudWatch without requiring a NAT gateway. https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-and-interface-VPC.html https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html To use private DNS, you must enable DNS hostnames and DNS resolution for your VPC. The security group for the interface endpoint must allow communication between the endpoint network interface and the resources in your VPC that must communicate with the service. https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html

ddtn

D) would be correct if the URLs were not messed up: monitoring.eu-west-2.amazonaws.com and logs.eu-west-2.amazonaws.com

JoellaLi

No. The URLs are correct. https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

emmanuelodenyire (Options: ADF)

There seems to be some disagreement among different individuals about the answer to this question. However, based on the requirements provided and the skills being tested, I believe the correct answer is A, D, and F. F is correct because associating the VPC endpoint with the route tables that the private subnets use is necessary to ensure that traffic is routed through the VPC endpoint. Option C is incorrect because it suggests creating inbound rules for the TCP protocol on port 443 from the IP prefixes of the private subnets. However, this is not necessary to allow the unified CloudWatch agent to continue working after the removal of the NAT gateway. In fact, creating inbound rules for port 443 is not related to the problem statement, since the issue is about ensuring the CloudWatch agent can communicate with AWS services without using a NAT gateway. Creating inbound rules would only be necessary if you wanted to allow external traffic to access resources within your VPC over HTTPS on port 443.

TravelKo

I think it is the other way round. If you need to route external traffic, you need an entry in the route table. For external or internal traffic, you need an entry in the security group.

task_7

I agree. A: enableDnsSupport determines whether the VPC supports DNS resolution through the Amazon-provided DNS server. If this attribute is true, queries to the Amazon-provided DNS server succeed. For more information, see Amazon DNS server. D: VPC endpoints for Logs and CW Metrics. F: subnet can route traffic to the VPC endpoint. Since NAT was running, the SG rule for 443 would be in place.

study_aws1

F) will not work. Route table is applicable for gateway endpoints (S3 and DynamoDB), not interface endpoints (controlled through Security Group).

navi7 (Options: ACD)

B is incorrect as we don't need to create outbound rules for the interface endpoint. "Note: You don't need to create a rule in the outbound direction of the security group associated with the interface endpoint." https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint A is also partially correct as normally the CloudWatch agent uses public endpoints, but it can be overridden. But since the other options are incorrect, A is the right choice here.

Cappy46789 (Options: ABD)

ABD - https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html

siiiww

For sure A, B, D. Don't need inbound rules. I tested 3 yrs ago. NEED ONLY OUTBOUND.

hedglin

A,B and D. Option C is not needed because we're not concerned with inbound traffic for this scenario.

[Removed]

I would go for ABD and here is why. The VPC used to have access via NAT and this was removed, so there must have been a security group rule for 0.0.0.0/0 via NAT and now we need a new one. Option B is the best we get in the scenario. As the traffic will be triggered outbound, no need for a new inbound rule as SGs are stateful. Option A makes sense always, every time, and D is correct as there is no endpoint named "cloudwatch". Option F only makes sense for gateway endpoints, but with interface endpoints what we get is an internally created private hosted zone that will resolve "public" endpoint names (like cloudwatch) to internal IP addresses (those of our interface endpoints), so no routes are needed and hence no updates to route tables.

Raphaello (Options: ACD)

ACD are the correct answers. Service PrivateLink endpoints https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

patanjali (Options: ACD)

https://repost.aws/knowledge-center/cloudwatch-unified-agent-metrics-issues "Confirm connectivity to the CloudWatch endpoints: When traffic to CloudWatch should not transit the public internet, you can use VPC endpoints instead. If you are using VPC endpoints, check the following: If you are using private nameservers, confirm that DNS resolution provided accurate responses. Confirm that the CloudWatch endpoints resolve to private IP addresses. Confirm the security group associated with the VPC endpoint allows inbound traffic from the host."

Marfee400704

I think that the correct answer is ACF according to SPOTO products.

marfee

I think that the correct answer is A & B & D.

AmSpOkE (Options: ACD)

Answers are A, C and D 100% sure.

WMF0187

The Unified CloudWatch Agent uses port 443, which is the default port for HTTPS traffic, for secure communication with CloudWatch. The endpoint name associated with CloudWatch is "monitoring.us-east-1.amazonaws.com" (for the US East region). The endpoint may vary depending on the AWS region where you are operating.

sp237

How is A a valid option for a private subnet? enableDnsHostnames (the DNS hostnames setting) indicates whether instances with public IP addresses get corresponding public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.

ILOVEVODKA

https://repost.aws/knowledge-center/cloudwatch-unified-agent-metrics-issues ACD