Free Test
Question: / 10
Quiz
Question 1/101/10
A company is planning to create a service that requires encryption in transit. The traffic must not be
decrypted between the client and the backend of the service. The company will implement the
service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of
simultaneous connections. The backend of the service will be hosted on an Amazon Elastic
Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal
Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication
between the client and the backend.
Which solution will meet these requirements?
decrypted between the client and the backend of the service. The company will implement the
service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of
simultaneous connections. The backend of the service will be hosted on an Amazon Elastic
Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal
Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication
between the client and the backend.
Which solution will meet these requirements?
Select the answer:Select the answer
1 correct answerA.
Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
B.
Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
C.
Create a target group. Add the EKS managed node group's Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
D.
Create a target group. Add the EKS managed node group’s Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.
Quiz
Question 2/102/10
A company is deploying a new application in the AWS Cloud. The company wants a highly available
web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to
multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing
must be ofloaded to the load balancer. The web server must know the user’s IP address so that the
company can keep accurate logs for security purposes.
Which solution will meet these requirements?
web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to
multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing
must be ofloaded to the load balancer. The web server must know the user’s IP address so that the
company can keep accurate logs for security purposes.
Which solution will meet these requirements?
Select the answer:Select the answer
1 correct answerA.
Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
B.
Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X- Forwarded-For request header with traffic to the targets.
C.
Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.
D.
Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.
Quiz
Question 3/103/10
A company has developed an application on AWS that will track inventory levels of vending machines
and initiate the restocking process automatically. The company plans to integrate this application
with vending machines and deploy the vending machines in several markets around the world. The
application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic
Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The
communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP
addresses of the accelerator in the vending machines for application endpoint access. The
application must be accessible only through the accelerator and not through a direct connection over
the internet to the ALB endpoint.
Which solution will meet these requirements?
and initiate the restocking process automatically. The company plans to integrate this application
with vending machines and deploy the vending machines in several markets around the world. The
application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic
Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The
communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP
addresses of the accelerator in the vending machines for application endpoint access. The
application must be accessible only through the accelerator and not through a direct connection over
the internet to the ALB endpoint.
Which solution will meet these requirements?
Select the answer:Select the answer
1 correct answerA.
Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
B.
Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
C.
Configure the ALB in a public subnet of the VPAttach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
D.
Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
Quiz
Question 4/104/10
A global delivery company is modernizing its fleet management system. The company has several
business units. Each business unit designs and maintains applications that are hosted in its own AWS
account in separate application VPCs in the same AWS Region. Each business unit's applications are
designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The
architecture also must be able to scale as more business units consume data from the central shared
services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
business units. Each business unit designs and maintains applications that are hosted in its own AWS
account in separate application VPCs in the same AWS Region. Each business unit's applications are
designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The
architecture also must be able to scale as more business units consume data from the central shared
services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
Select the answer:Select the answer
1 correct answerA.
Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
B.
Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
C.
Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPCreate VPC endpoints in each application VPC.
D.
Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
Quiz
Question 5/105/10
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group
(LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a
different business unit and uses its own private VIF for connectivity to the on-premises environment.
Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect
connection becomes saturated at the same time for about an hour each business day. The company
wants to know which business unit is causing the sudden increase in throughput. The network
engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
(LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a
different business unit and uses its own private VIF for connectivity to the on-premises environment.
Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect
connection becomes saturated at the same time for about an hour each business day. The company
wants to know which business unit is causing the sudden increase in throughput. The network
engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
Select the answer:Select the answer
1 correct answerA.
Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B.
Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.
C.
Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.
D.
Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
Quiz
Question 6/106/10
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in
the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's
AWS deployment. The customers have stated that they will not share their internal IP addresses and
that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's
AWS deployment. The customers have stated that they will not share their internal IP addresses and
that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
Select multiple answer: (Choose 2)Select the answer
2 correct answersA.
Deploy the SaaS service endpoint behind a Network Load Balancer.
B.
Configure an endpoint service, and grant the customers permission to create a connection to the
endpoint service.
endpoint service.
C.
Deploy the SaaS service endpoint behind an Application Load Balancer.
D.
Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
E.
Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the
customers. Configure routing on the transit gateway.
customers. Configure routing on the transit gateway.
Quiz
Question 7/107/10
A network engineer is designing the architecture for a healthcare company's workload that is moving
to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit.
All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and
travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve
appointments. The architecture must secure these components and protect them against DDoS
attacks. The architecture also must provide protection against financial liability for services that scale
out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the
workload? (Choose three.)
to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit.
All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and
travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve
appointments. The architecture must secure these components and protect them against DDoS
attacks. The architecture also must provide protection against financial liability for services that scale
out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the
workload? (Choose three.)
Select multiple answer: (Choose 3)Select the answer
3 correct answersA.
Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
B.
Set up AWS WAF on all network components.
C.
Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP
addresses.
addresses.
D.
Use AWS Direct Connect with MACsec support for connectivity to the cloud.
E.
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
F.
Configure AWS Shield Advanced and ensure that it is configured on all public assets.
Quiz
Question 8/108/10
A retail company is running its service on AWS. The company’s architecture includes Application Load
Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend
Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted
services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network
engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway?
(Choose two.)
Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend
Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted
services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network
engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway?
(Choose two.)
Select multiple answer: (Choose 2)Select the answer
2 correct answersA.
Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
B.
Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
C.
Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
D.
Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
E.
Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
Quiz
Question 9/109/10
A banking company is successfully operating its public mobile banking stack on AWS. The mobile
banking stack is deployed in a VPC that includes private subnets and public subnets. The company is
using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has
decided to adopt a third-party service provider's API and must integrate the API with the existing
environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a
private subnet. The company does not want to permit IPv6 traffic from the public internet and
mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns
on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
banking stack is deployed in a VPC that includes private subnets and public subnets. The company is
using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has
decided to adopt a third-party service provider's API and must integrate the API with the existing
environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a
private subnet. The company does not want to permit IPv6 traffic from the public internet and
mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns
on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
Select the answer:Select the answer
1 correct answerA.
Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B.
Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C.
Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D.
Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
Quiz
Question 10/1010/10
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to
implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch
Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch
Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
Select the answer:Select the answer
1 correct answerA.
Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
B.
Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
C.
Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
D.
Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.
Looking for more questions?Buy now
Amazon AWS Certified Advanced Networking - Specialty Practice test unlocks all online simulator questions
Thank you for choosing the free version of the Amazon AWS Certified Advanced Networking - Specialty practice test! Further deepen your knowledge on Amazon Simulator; by unlocking the full version of our Amazon AWS Certified Advanced Networking - Specialty Simulator you will be able to take tests with over 291 constantly updated questions and easily pass your exam. 98% of people pass the exam in the first attempt after preparing with our 291 questions.
BUY NOWWhat to expect from our Amazon AWS Certified Advanced Networking - Specialty practice tests and how to prepare for any exam?
The Amazon AWS Certified Advanced Networking - Specialty Simulator Practice Tests are part of the Amazon Database and are the best way to prepare for any Amazon AWS Certified Advanced Networking - Specialty exam. The Amazon AWS Certified Advanced Networking - Specialty practice tests consist of 291 questions and are written by experts to help you and prepare you to pass the exam on the first attempt. The Amazon AWS Certified Advanced Networking - Specialty database includes questions from previous and other exams, which means you will be able to practice simulating past and future questions. Preparation with Amazon AWS Certified Advanced Networking - Specialty Simulator will also give you an idea of the time it will take to complete each section of the Amazon AWS Certified Advanced Networking - Specialty practice test . It is important to note that the Amazon AWS Certified Advanced Networking - Specialty Simulator does not replace the classic Amazon AWS Certified Advanced Networking - Specialty study guides; however, the Simulator provides valuable insights into what to expect and how much work needs to be done to prepare for the Amazon AWS Certified Advanced Networking - Specialty exam.
BUY NOWAmazon AWS Certified Advanced Networking - Specialty Practice test therefore represents an excellent tool to prepare for the actual exam together with our Amazon practice test . Our Amazon AWS Certified Advanced Networking - Specialty Simulator will help you assess your level of preparation and understand your strengths and weaknesses. Below you can read all the quizzes you will find in our Amazon AWS Certified Advanced Networking - Specialty Simulator and how our unique Amazon AWS Certified Advanced Networking - Specialty Database made up of real questions:
Info quiz:
- Quiz name:Amazon AWS Certified Advanced Networking - Specialty
- Total number of questions:291
- Number of questions for the test:50
- Pass score:80%
You can prepare for the Amazon AWS Certified Advanced Networking - Specialty exams with our mobile app. It is very easy to use and even works offline in case of network failure, with all the functions you need to study and practice with our Amazon AWS Certified Advanced Networking - Specialty Simulator.
Use our Mobile App, available for both Android and iOS devices, with our Amazon AWS Certified Advanced Networking - Specialty Simulator . You can use it anywhere and always remember that our mobile app is free and available on all stores.
Our Mobile App contains all Amazon AWS Certified Advanced Networking - Specialty practice tests which consist of 291 questions and also provide study material to pass the final Amazon AWS Certified Advanced Networking - Specialty exam with guaranteed success. Our Amazon AWS Certified Advanced Networking - Specialty database contain hundreds of questions and Amazon Tests related to Amazon AWS Certified Advanced Networking - Specialty Exam. This way you can practice anywhere you want, even offline without the internet.
BUY NOW