Question 1

A company wants to implement a distributed architecture on AWS that uses a Gateway Load Balancer (GWLB) and GWLB endpoints. The company has chosen a hub-and-spoke model. The model includes a GWLB and virtual appliances that are deployed into a centralized appliance VPC and GWLB endpoints. The model also includes internet gateways that are configured in spoke VPCs. Which sequence of traffic flow to the internet from the spoke VPC is correct?

Options :

A : 1.An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.

2. Traffic is delivered securely and privately to the GWLB.

3. The GWLB sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

B : 1. An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.

2. Traffic is delivered securely and privately to the GWLB endpoint.

3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

C :

1. An application in a spoke VPC sends traffic to the GWLB endpoint.

2. Traffic is delivered securely and privately to the GWLB.

3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

D : 1. An application in a spoke VPC sends traffic to the GWLB.

2. Traffic is delivered securely and privately to the GWLB endpoint.

3. The GWLB sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

Answer: A

Question 2

Two companies are merging. The companies have a large AWS presence with multiple VPCs and are designing connectivity between their AWS networks. Both companies are using AWS Direct Connect with a Direct Connect gateway. Each company also has a transit gateway and multiple AWS Site-to-Site VPN connections from its transit gateway to on-premises resources. The new solution must optimize network visibility, throughput, logging, and monitoring. Which solution will meet these requirements?

Options :

A :

Configure a Site-to-Site VPN connection between each company-s transit gateway to establish reachability between the respective networks. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use VPC Reachability Analyzer to monitor connectivity.

B :

Configure a Site-to-Site VPN connection between each company-s transit gateway to establish reachability between the respective networks. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use AWS Transit Gateway Network Manager to monitor the transit gateways and their respective connections.

C :

Configure transit gateway peering between each company-s transit gateway Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use VPC Reachability Analyzer to monitor connectivity.

D :

Configure transit gateway peering between each company-s transit gateway. Configure VPC Flow Logs for all VPCs. Publish the flow logs to Amazon CloudWatch. Use AWS Transit Gateway Network Manager to monitor the transit gateways, their respective connections, and the transit gateway peering link.

Answer: D

Question 3

A company's AWS infrastructure is spread across more than 50 accounts and across five AWS Regions. The company needs to manage its security posture with simplified administration and maintenance for all the AWS accounts. The company wants to use AWS Firewall Manager to manage the firewall rules and requirements. The company creates an organization with all features enabled in AWS Organizations. Which combination of steps should the company take next to meet the requirements? (Select THREE.)

Options :

A : Configure only the Firewall Manager administrator account to join the organization.

B : Configure all the accounts to join the organization.

C : Set an account as the Firewall Manager administrator account.

D : Set an account as the Firewall Manager child account.

E : Set up AWS Config for all the accounts and all the Regions where the company has resources.

F : Set up AWS Config for only the organization-s management account.

Answer: B,C,E

Question 4

Consider a scenario where an EC2 instance in a private subnet reaches out to the internet via a NAT gateway in a public subnet. The EC2 instance sends a 1 GB file to one of the Amazon Simple Storage Service (Amazon S3) buckets via the NAT gateway. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS region. The NAT gateway and EC2 instance are in the same Availability Zone. Which costs should be included when the total cost of this file transfer is calculated?

Options :

A :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

B :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

C :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

D :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket

Answer: B

Question 5

An application's EC2 instances are located in a private subnet and these instances access sensitive data in S3 via a NAT gateway deployed in a public subnet. The S3 bucket is located in the same AWS Region as the EC2 instances. The development team at the company wants to ensure that this bucket can be accessed only from the VPC where the application resides. As an AWS Certified Networking Specialist, which of the following solutions would you suggest to meet these requirements?

Options :

A : Create an S3 bucket policy and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range and deny all other IP address ranges

B : Create a new IAM role for the EC2 instances that provides access to the S3 bucket and assign the role to the application instances. Set up an S3 bucket policy to allow access only from the role

C : Set up an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint

D : Set up an Origin Access Identity (OAI) for the S3 bucket and allow access only from within the VPC

Answer: C

Free ANS-C01 Mock Exam – Practice Online Confidently

Buying Options: