New Amazon ANS-C00 Dumps & Questions Updated on 2023 [Q70-Q89]


Dumps to Pass your ANS-C00 Exam with 100% Real Questions and Answers


Certification Path for AWS Certified Advanced Networking - Specialty

This is a fundamental exam and has no prerequisites. The following are the minimum requirements:

  • Multi-region solutions for a global enterprise
  • CIDR and subnetting (IPv4 and IPv6)
  • Generic solutions for network security features, including WAF, IDS, IPS, DDoS protection, and Economic Denial of Service/Sustainability (EDoS)
  • Networking technologies within the OSI model, and how they affect implementation decisions
  • Development of automation scripts and tools
  • IPv6 transition challenges

 

NEW QUESTION 70
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location.
Which solution will meet this requirement, while minimizing downtime and costs?

  • A. Enable VPC Flow Logs on each VPC. Set up a stream of the flow logs to a central Amazon Elasticsearch cluster.
  • B. Deploy a third-party vendor solution to perform deep packet inspection in a transit VPC.
  • C. Enable Amazon GuardDuty on each account as members of a central account.
  • D. Enable Amazon Macie on each AWS account and configure central reporting.

Answer: C

Explanation:
References:
https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-acc

 

NEW QUESTION 71
Your company uses an NTP server to synchronize time across systems. The company runs multiple versions of Linux and Windows systems. You discover that the NTP server has failed, and you need to add an alternate NTP server to your instances.
Where should you apply the NTP server update to propagate information without rebooting your running instances?

  • A. DHCP Options Set
  • B. instance user-data
  • C. instance meta-data
  • D. cfn-init scripts

Answer: A

Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-dhcp-options.html

 

NEW QUESTION 72
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?

  • A. Configure a VPN connection to the company's AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.
  • B. Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over a Direct Connect connection.
  • C. Configure a VPN connection to the company's AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
  • D. Configure an AWS Direct Connect private virtual interface to the company's AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.

Answer: D

Explanation:
S3 can now be reached through AWS PrivateLink. The requirement is "without public IPs":
-> only private IPs are allowed
--> on-premises - DCX - Private VIF - VGW - S3 interface endpoint - S3
After traffic is routed from the VGW, DNS support is needed to resolve S3, so a CNAME or a proxy can be used to send S3 traffic to the S3 interface endpoint.

 

NEW QUESTION 73
Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes.
Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Select three.)

  • A. AWS Simple Notification Service
  • B. AWS Identity and Access Management
  • C. AWS CloudWatch metrics
  • D. AWS CloudFormation
  • E. AWS Config
  • F. AWS Lambda

Answer: A,E,F

Explanation:
https://aws.amazon.com/about-aws/whats-new/2018/03/aws-config-notifications-are-now-integrated-with-amazon-cloudwatch-events/

 

NEW QUESTION 74
An architecture is being designed to support an Amazon WorkSpaces deployment of 1,000 desktops.
Which architecture will support this deployment while allowing for future expansion?

  • A. A VPC with a /20 CIDR and two /21 subnets
  • B. A VPC with a /20 CIDR and two /23 subnets
  • C. A VPC with a /16 CIDR and one /22 subnet
  • D. A VPC with a /16 CIDR and one /21 subnet

Answer: A

 

NEW QUESTION 75
A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

  • A. Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
  • B. Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
  • C. Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.
  • D. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.

Answer: B


 

NEW QUESTION 76
You are configuring a VPN to AWS for your company. You have configured the VGW and CGW.
You have created the VPN. You have also run the necessary commands on your router. You allowed all TCP and UDP traffic between your datacenter and your VPC. The tunnel still doesn't come up. What is the most likely reason?
Choose the correct answer:

  • A. You forgot to turn on route propagation in the route table.
  • B. You do not have a public ASN.
  • C. You haven't added protocol 50 to your firewall.
  • D. Your advertised subnet is too large.

Answer: C

Explanation:
You haven't allowed protocol 50 through the firewall. Protocol 50 is different from UDP (17) and TCP (6) and requires a rule in your firewall for your VPN tunnel to come up.

 

NEW QUESTION 77
You have just configured an Elastic Load Balancer. Assuming all settings are configured properly, about how long will it take an instance to become healthy with a 6 second HealthCheck Interval, an unhealthy threshold of 5 and a healthy threshold of 10? Choose the correct answer:

  • A. 6 seconds
  • B. 120 seconds
  • C. 30 seconds
  • D. 60 seconds

Answer: D

Explanation:
60 seconds. 10 healthcheck successes with 6 second intervals.

 

NEW QUESTION 78
A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?

  • A. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
  • B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs, enable source/ destination NAT in the Management VPC.
  • C. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
  • D. Create a total of four private VIFs, and enable VPC peering between all VPCs.

Answer: C


 

NEW QUESTION 79
A company is deploying a new web application that uses a three-tier model with a public-facing Network Load Balancer and web servers in an Amazon VPC. The application servers are hosted in the company's data center. There is an AWS Direct Connect connection between the VPC and the company's data center. Load testing results indicate that up to 100 servers, equally distributed across multiple Availability Zones, are required to handle peak loads.
The Network Engineer needs to design a VPC that has a /24 CIDR assigned to it.
How should the Engineer allocate subnets across three Availability Zones for each tier?

  • A. Network Load Balancer: /29 per subnet; Web: /26 per subnet
  • B. Network Load Balancer: /28 per subnet; Web: /25 per subnet
  • C. Network Load Balancer: /28 per subnet; Web: /26 per subnet
  • D. Network Load Balancer: /28 per subnet; Web: /27 per subnet

Answer: C

 

NEW QUESTION 80
Your company needs to leverage Amazon Simple Storage Solution (S3) for backup and archiving. According to company policy, data should not flow on the public Internet even if data is encrypted. You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.
Which design should you set up?

  • A. An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.
  • B. An AWS Direct Connect connection to us-east-1.
  • C. An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.
  • D. An AWS Direct Connect connection to us-west-2.

Answer: D

 

NEW QUESTION 81
A department in your company has created a new account that is not part of the organization's consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud (EC2) instance in its new VPC, what are the associated charges?

  • A. The company pays AWS Direct Connect Data Out charges.
  • B. The department pays Internet Data Out charges.
  • C. The company pays Internet Data Out charges.
  • D. The department pays AWS Direct Connect Data Out charges.

Answer: D

Explanation:
- The account is not in consolidated billing.
- The route to the department's own VPC goes to a private IP address via its own private VIF.
"After creating a VIF, AWS Direct Connect data transfer charges then apply and are charged to the account that owns the VIF. The account that owns the VIF can be different from the account that owns the AWS Direct Connect connection." - Straight from the Study Guide.

 

NEW QUESTION 82
You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in front of the application tier. The application tier is driven through RESTful interfaces. The data tier uses Relational Database Service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit. What ELB configuration complies with the corporate encryption policy?

  • A. Configure the ELB protocols in SSL mode. Offload application instance encryption to the load balancer.
    Install your SSL/TLS certificate on Amazon RDS, and configure SSL.
  • B. Configure the ELB protocols in TCP mode. Configure the application instances for SSL termination.
    Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
  • C. Configure the ELB load balancer protocol as HTTP. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
  • D. Configure the ELB load balancer protocol as HTTPS. Offload application instance encryption to the load balancer. Install your SSL certificate on Amazon RDS, and configure SSL.

Answer: D

 

NEW QUESTION 83
An organization runs a consumer-facing website on AWS. The Amazon EC2-based web fleet is load balanced using the AWS Application Load Balancer, and Amazon Route 53 is used to provide the public DNS services.
The following URLs need to serve content to end users:
test.example.com
web.example.com
example.com
Based on this information, what combination of services must be used to meet the requirement? (Select two.)

  • A. Host condition in ALB listener to route example.com to appropriate target groups.
  • B. Path condition in ALB listener to route example.com to appropriate target groups.
  • C. Host condition in ALB listener to route *.example.com to appropriate target groups.
  • D. Host condition in ALB listener to route $$$$.example.com to appropriate target groups.
  • E. Path condition in ALB listener to route *.example.com to appropriate target groups.

Answer: A,B

 

NEW QUESTION 84
A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an Elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable: 'app.example.com'.
Instances within the VPC should always connect to the private IP to minimize data transfer costs.
How should the engineer configure DNS to support these requirements?

  • A. Create a CNAME for 'app' in the DNS zone 'example.com' to the public DNS name for the Amazon EC2 instance.
  • B. Use Amazon Route 53 to create a geo-based routing entry for the hostname 'app' in the DNS zone 'example.com'.
  • C. Use Route 53 to create an ALIAS record to the public DNS name for the instance.
  • D. Create two A record entries for 'app' in the DNS zone 'example.com', one for the public IP and one for the private IP.

Answer: A

 

NEW QUESTION 85
Which of the following statements is true of AWS Elastic Beanstalk?

  • A. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
  • B. AWS Elastic Beanstalk has its own free-of-charge monitoring tool, and you are not charged for the alarm you set.
  • C. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, and both are free of charge.
  • D. AWS Elastic Beanstalk doesn't use CloudWatch for monitoring and alarms, but you pay extra for any AWS Elastic Beanstalk Alarm you set in the monitoring tool.

Answer: A

Explanation:
AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.alarms.html

 

NEW QUESTION 86
You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?

  • A. Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
  • B. Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
  • C. Modify the network access control list on the VPC to allow DNS queries from on-premises systems.
  • D. Update the on-premises forwarders with the four name servers assigned to the private hosted zone.

Answer: B

Explanation:
References:
https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-by

 

NEW QUESTION 87
You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns.
Which tool will enable you to look at this data?

  • A. VPC Flow Logs
  • B. AWS CLI
  • C. CloudWatch Logs
  • D. Wireshark

Answer: D

Explanation:
References: https://www.slideshare.net/TeriRadichel/packet-capture-on-aws

 

NEW QUESTION 88
A company runs a large-scale application on a fleet of Amazon EC2 instances that are distributed across several VPCs. A Network Load Balancer (NLB) in a separate VPC routes traffic to the EC2 instances. The NLB's VPC is peered to all the application VPCs. The application must process millions of requests each minute during times of peak utilization. Users are reporting that the connections to the application are failing during peak times. Monitoring shows an increase in port allocation errors on the NLB.
Which action will solve this issue with the LEAST change to the architecture?

  • A. Change the target group type to 'instance'
  • B. Add a new target group to the same NLB listener
  • C. Create an Application Load Balancer for the target group
  • D. Increase the number of EC2 instances in the target group

Answer: B

 

NEW QUESTION 89
......

Updated Exam ANS-C00 Dumps with New Questions: https://ucertify.examprepaway.com/Amazon/braindumps.ANS-C00.ete.file.html