
ANS-C01 — AWS Certified Advanced Networking - Specialty Study Guide

268 practice questions · Updated 2026-02-18 · $19 (70% off) · HTML + PDF formats

ANS-C01 Exam Overview

Prepare for the Amazon ANS-C01 certification exam with our comprehensive study guide. This study material contains 268 practice questions sourced from real exams and expert-verified for accuracy. Each question includes the correct answer and a detailed explanation to help you understand the material thoroughly.

The ANS-C01 exam — AWS Certified Advanced Networking - Specialty — is offered by Amazon. Our study materials were last updated on 2026-02-18 to reflect the most recent exam objectives and content.

What You Get

268 Practice Questions

Complete question bank covering all exam domains and objectives.

HTML + PDF Formats

Interactive HTML file (recommended) for screen study and a print-ready PDF.

Instant Download

Access your study materials immediately after purchase.

Email with Permanent Download Links

You will receive a confirmation email with permanent download links in case you want to download the files again in the future.

Why Choose CheapestExamDumps?

Lowest Price Available

Only $19 per exam — competitors charge $50-$300 for similar content.

Updated Monthly

Study materials refreshed within 30 days of any exam content changes.

Free Preview

Try 15 real practice questions before you buy — no signup required.

Instant Access

Download HTML + PDF immediately after payment. No waiting, no account needed.

$19 (regular price $63)

One-time payment · HTML + PDF · Instant download · 268 questions

Free Sample — 15 Practice Questions

Preview 15 of 268 questions from the ANS-C01 exam. Try before you buy — purchase the full study guide for all 268 questions with answers and explanations.

Question 188

A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

A. Create the interface endpoint for Amazon SQS with the option for private DNS names turned on.
B. Create the interface endpoint for Amazon SQS with the option for private DNS names turned off.
C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Add necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.
D. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.com with previously created necessary records that point to the interface endpoint. Associate the private hosted zones with other VPCs.
E. Access the SQS endpoint by using the public DNS name sqs.us-east-1.amazonaws.com in VPCs and on premises.
F. Access the SQS endpoint by using the private DNS name of the interface endpoint .sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises.
Correct Answer: B, C, E
Explanation:
To allow on-premises and multiple VPCs to resolve the SQS interface endpoint DNS centrally, private DNS must be disabled on the interface endpoint so that AWS does not create a VPC-scoped private hosted zone that cannot be shared (B). The engineer must then manually create a Route 53 private hosted zone for the standard SQS service name (sqs.us-east-1.amazonaws.com), create records that alias to the interface endpoint, and associate that hosted zone with all required VPCs (C). Client applications must continue to use the standard service (public) DNS name, which now resolves to private IP addresses via the private hosted zone, ensuring private connectivity from VPCs and on premises (E).

Question 172

A company runs an application on Amazon EC2 instances. A network engineer implements a NAT gateway in the application's VPC to replace self-managed NAT instances. After the network engineer shifts traffic from the self-managed NAT instances to the NAT gateway, users begin to report issues. During troubleshooting, the network engineer discovers that the connection to the application is closing after approximately 6 minutes of inactivity. What should the network engineer do to resolve this issue?

A. Check for increases in the IdleTimeoutCount Amazon CloudWatch metric for the NAT gateway. Configure TCP keepalive on the application EC2 instances.
B. Check for increases in the ErrorPortAllocation Amazon CloudWatch metric for the NAT gateway. Configure an HTTP timeout value on the application EC2 instances.
C. Check for increases in the PacketsDropCount Amazon CloudWatch metric for the NAT gateway. Configure an HTTPS timeout value on the application EC2 instances.
D. Check for decreases in the ActiveConnectionCount Amazon CloudWatch metric for the NAT gateway. Configure UDP keepalive on the application EC2 instances.
Correct Answer: A
Explanation:
An AWS NAT gateway has a fixed idle timeout of about 350 seconds (~6 minutes) for TCP connections. After replacing NAT instances with a NAT gateway, idle connections will be closed if no traffic flows during this period. This matches the reported symptom of connections closing after ~6 minutes of inactivity. The correct approach is to verify idle timeouts via the IdleTimeoutCount CloudWatch metric and configure TCP keepalive on the EC2 instances with a value less than 350 seconds so the connection remains active.

Question 58

A company’s network engineer must implement a cloud-based networking environment for a network operations team to centrally manage. Other teams will use the environment. Each team must be able to deploy infrastructure to the environment and must be able to manage its own resources. The environment must feature IPv4 and IPv6 support and must provide internet connectivity in a dual-stack configuration. The company has an organization in AWS Organizations that contains a workload account for the teams. The network engineer creates a new networking account in the organization. Which combination of steps should the network engineer take next to meet the requirements? (Choose three.)

A. Create a new VPC. Associate an IPv4 CIDR block of 10.0.0.0/16 and specify an IPv6 block of 2001:db8:c5a:6000::/56. Provision subnets by assigning /24 IPv4 CIDR blocks and /64 IPv6 CIDR blocks.
B. Create a new VPC. Associate an IPv4 CIDR block of 10.0.0.0/16 and use an Amazon-provided IPv6 CIDR block. Provision subnets by assigning /24 IPv4 CIDR blocks and /64 IPv6 CIDR blocks.
C. Enable sharing of resources within the organization by using AWS Resource Access Manager (AWS RAM). Create a resource share in the networking account, select the provisioned subnets, and share the provisioned subnets with the target workload account. Use the workload account to accept the resource share through AWS RAM.
D. Enable sharing of resources within the organization by using AWS Resource Access Manager (AWS RAM). Create a resource share in the networking account, select the new VPC, and share the new VPC with the target workload account. Use the workload account to accept the resource share through AWS RAM.
E. Create an internet gateway and an egress-only internet gateway. Deploy NAT gateways to the public subnets. Associate the internet gateway with the new VPC. Update the route tables. Associate the route tables with the relevant subnets.
F. Create an internet gateway. Deploy NAT instances to public subnets. Update the route tables. Associate the route tables with the relevant subnets.
Correct Answer: B, C, E
Explanation:
The goal is a centrally managed, shared networking environment with dual-stack (IPv4/IPv6) internet connectivity for multiple teams. B is correct because AWS requires using an Amazon-provided IPv6 CIDR block for standard VPC IPv6; subnets must be /64 for IPv6 and /24 is a valid IPv4 choice. C is correct because AWS Resource Access Manager (RAM) is the supported way to share subnets from a central networking account to workload accounts while retaining centralized control. Sharing subnets (not the entire VPC) aligns with best practices. E is correct because dual-stack internet connectivity requires an internet gateway for IPv4 and IPv6, an egress-only internet gateway for IPv6 outbound-only traffic, and NAT gateways for IPv4 private subnet egress. Proper route table associations are required. A is incorrect because manually specifying an IPv6 CIDR block is not the standard or recommended approach for VPC IPv6. D is incorrect because sharing an entire VPC reduces centralized control and is not the recommended multi-account pattern. F is incorrect because NAT instances are legacy, less scalable, and higher operational overhead compared to NAT gateways.

Question 85

An education agency is preparing for its annual competition between schools. In the competition, students at schools from around the country solve math problems, complete puzzles, and write essays. The IP addressing plan of all the schools is well-known and is administered centrally. The competition is hosted in the AWS Cloud and is not publicly available. All competition traffic must be encrypted in transit. Only authorized endpoints can access the competition. All the schools have firewall policies that block ICMP traffic. A network engineer builds a solution in which all the schools access the competition through AWS Site-to-Site VPN connections. The network engineer uses BGP as the routing protocol. The network engineer must implement a solution that notifies schools when they lose connectivity and need to take action on their premises to address the issue. Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)

A. Monitor the state of the VPN tunnels by using Amazon CloudWatch. Create a CloudWatch alarm that uses Amazon Simple Notification Service (Amazon SNS) to notify people at the affected school if the tunnels are down.
B. Create a scheduled AWS Lambda function that pings each school's on-premises customer gateway device. Configure the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) notification to people at the affected school if the ping fails.
C. Create a scheduled AWS Lambda function that uses the VPC Reachability Analyzer API to verify the connectivity. Configure the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) notification to people at the affected school if failure occurs.
D. Create an Amazon CloudWatch dashboard for each school to show all CloudWatch metrics for each school's Site-to-Site VPN connection. Share each dashboard with the appropriate school.
E. Create a scheduled AWS Lambda function to monitor the existence of each school's routes in the VPC route table where VPN routes are propagated. Configure the Lambda function to send an Amazon Simple Notification Service (Amazon SNS) notification to people at the affected school if failure occurs.
Correct Answer: A, E
Explanation:
Monitoring VPN tunnel state with CloudWatch provides a native, low-cost way to detect loss of connectivity and trigger SNS notifications when tunnels go down, directly meeting the notification requirement. Monitoring BGP route propagation by checking for the existence of VPN-propagated routes in the VPC route table detects loss of routing even if tunnels appear up, ensuring schools are notified when action is required. Other options are either infeasible (ICMP blocked), more expensive, or do not provide proactive notifications.

Question 36

A company is planning to host a secure web application across multiple Amazon EC2 instances. The application will have an associated DNS domain in an Amazon Route 53 hosted zone. The company wants to protect the domain from DNS poisoning attacks. The company also wants to allow web browsers to authenticate into the application by using a trusted third party. Which combination of actions will meet these requirements?

A. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install self-signed X.509 certificates on the EC2 instances.
B. Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.
C. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.
D. Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install self-signed X.509 certificates on the EC2 instances.
Correct Answer: C
Explanation:
DNS poisoning attacks are mitigated by enabling DNS Security Extensions (DNSSEC) on the Amazon Route 53 public hosted zone, which provides integrity and origin authentication for DNS responses. Allowing web browsers to authenticate using a trusted third party requires X.509 certificates signed by a public certificate authority, not self-signed certificates. NAPTR records are unrelated to DNS security or browser authentication.

Question 235

A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads. A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time. How should the network engineer configure routing to meet these requirements?

A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.
Correct Answer: C
Explanation:
With AWS Transit Gateway Connect, routing between the transit gateway and SD-WAN appliances is learned dynamically via BGP. Because company policy requires that only one SD-WAN appliance handle traffic from AWS workloads at any given time, the correct approach is to influence BGP path selection so that one appliance is always preferred and the other is only used for failover. Configuring AS_PATH prepending on the secondary SD-WAN appliance makes its routes less preferred by the transit gateway, ensuring the primary appliance is used during normal operation and the secondary is selected only if the primary becomes unavailable. Other options either rely on unsupported or inappropriate mechanisms (static routes, BGP communities not applicable here, or ECMP behavior that could load-share traffic).

Question 79

An international company wants to implement a multi-site hybrid infrastructure. The company wants to deploy its cloud computing resources on AWS in the us-east-1 Region and in the eu-west-2 Region, and in on-premises data centers in the United States (US) and in the United Kingdom (UK). The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through BGP. The company wants to have two AWS Direct Connect connections, one each in the US and the UK. The company expects to have 15 VPCs in each Region with CIDR blocks that do not overlap with each other or with CIDR blocks of the on-premises environment. The VPC CIDR blocks are planned so that the prefix aggregation can be performed both on a Regional level and across the entire AWS environment. The company will deploy a transit gateway in each Region to connect the VPCs. A network engineer plans to use a Direct Connect gateway in each Region. A transit VIF will attach the Direct Connect gateway in each Region to the transit gateway in that Region. The transit gateways will be peered with each other. The network engineer wants to ensure that traffic follows the shortest geographical path from source to destination. Traffic between the on-premises data centers and AWS must travel across a local Direct Connect connection. Traffic between the US data center and eu-west-2 and traffic between the UK data center and us-east-1 must use the private WAN connection to reach the Direct Connect connection to the appropriate Region when the Direct Connect connection is available. The network must be resilient to failures in either the private WAN connection or with the Direct Connect connections. The network also must reroute traffic automatically in the event of any failure. How should the network engineer configure the transit VIF associations on the Direct Connect gateways to meet these requirements?

A. Advertise only the aggregate route for the company's entire AWS environment.
B. Advertise VPC-specific CIDR prefixes from only the local Region. Additionally, advertise the aggregate route for the company’s entire AWS environment.
C. Advertise all the specific VPC CIDR blocks from both Regions.
D. Advertise both Regional aggregate prefixes. Configure custom BGP communities on the routes advertised toward the data center.
Correct Answer: B
Explanation:
Advertising VPC-specific CIDR prefixes only from the local Region ensures that on-premises traffic prefers the geographically closest Direct Connect and Region, achieving shortest-path routing. Advertising the aggregate route for the entire AWS environment provides a less-specific fallback that can be used automatically if the local Direct Connect or WAN path fails, enabling resilient failover via the private WAN or inter-Region transit gateway peering. This balances optimal path selection with resiliency without excessive route advertisement.

Question 24

A company uses AWS Site-to-Site VPN connections to encrypt traffic between the company's on-premises location and a single VPC. The Site-to-Site VPN connections use two 1 Gbps AWS Direct Connect connections with public VIFs. The company plans to add 15 additional VPCs in the same AWS Region. The company must maintain the same level of encryption that the Site-to-Site VPN connections currently provide for each connection between the on-premises location and the new VPCs. The new connections must not use public IP addresses. The bandwidth of the Site-to-Site VPN connections will remain less than the current provisioned speed. Which combination of steps will meet these requirements with LEAST operational overhead? (Choose three.)

A. Create a transit gateway and a Direct Connect gateway. Associate the transit gateway with the Direct Connect gateway. Attach all the new VPCs to the transit gateway.
B. For each new VPC, create a new Direct Connect private VIF to a Direct Connect gateway. Associate all VPCs with the Direct Connect gateway.
C. Assign a private IP CIDR block to the transit gateway.
D. Assign a public IP CIDR block to the transit gateway.
E. Create a transit VIF to the Direct Connect gateway. Create a Site-to-Site VPN private IP VPN connection.
F. Create a public VIF. Create a Site-to-Site VPN public IP VPN connection.
Correct Answer: A, C, E
Explanation:
To extend encrypted connectivity to many VPCs with the least operational overhead, the company should centralize routing and VPN termination. Creating an AWS Transit Gateway and associating it with a Direct Connect gateway (A) allows all existing and new VPCs to connect through a single hub. Assigning a private IP CIDR block to the transit gateway (C) enables private IP routing and avoids public IP usage. Creating a transit VIF to the Direct Connect gateway and establishing a Site-to-Site VPN using private IP addresses (E) preserves the same level of IPsec encryption while running over Direct Connect, scales efficiently to multiple VPCs, and avoids managing separate VPNs or VIFs per VPC.

Question 186

A company’s network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources. Which solution will meet these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.
D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.
Correct Answer: C
Explanation:
AWS Config continuously records configuration changes to network resources, maintains a history of configurations, and evaluates compliance against defined rules. It directly supports monitoring changes, enforcing network security policies, and providing historical configuration timelines, which the other options do not natively provide.

Question 67

A company is planning to host external websites on AWS. The websites will include multiple tiers such as web servers, application logic services, and databases. The company wants to use AWS Network Firewall, AWS WAF, and VPC security groups for network security. The company must ensure that the Network Firewall firewalls are deployed appropriately within relevant VPCs. The company needs the ability to centrally manage policies that are deployed to Network Firewall and AWS WAF rules. The company also needs to allow application teams to manage their own security groups while ensuring that the security groups do not allow overly permissive access. What is the MOST operationally efficient solution that meets these requirements?

A. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use CloudFormation to update the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.
B. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use the AWS Management Console or the AWS CLI to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to invoke an AWS Lambda function to evaluate the configured rules and remove any overly permissive rules.
C. Deploy AWS WAFv2 IP sets and AWS WAFv2 web ACLs with AWS CloudFormation. Use AWS Firewall Manager to deploy Network Firewall firewalls and VPC security groups where required and to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups.
D. Define Network Firewall firewalls, AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use AWS Firewall Manager to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.
Correct Answer: D
Explanation:
The requirements call for centralized, organization-wide management of AWS Network Firewall, AWS WAF, and VPC security group policies, while still allowing application teams to manage their own security groups with guardrails. AWS Firewall Manager is specifically designed for this purpose: it centrally manages AWS WAF web ACLs, Network Firewall policies, and VPC security group policies across multiple accounts and VPCs. Using AWS CloudFormation to define and deploy the baseline resources and initial policies ensures consistent, repeatable infrastructure provisioning. Firewall Manager then enforces and manages those policies centrally, while GuardDuty provides continuous monitoring and detection of overly permissive or risky configurations. This combination is the most operationally efficient and best aligned with AWS best practices.

Question 117

A company is using a shared services VPC with two domain controllers. The domain controllers are deployed in the company's private subnets. The company is deploying a new application into a new VPC in the account. The application will be deployed onto an Amazon EC2 for Windows Server instance in the new VPC. The instance must join the existing Windows domain that is supported by the domain controllers in the shared services VPC. A transit gateway is attached to both the shared services VPC and the new VPC. The company has updated the route tables for the transit gateway, the shared services VPC, and the new VPC. The security groups for the domain controllers and the instance are updated and allow traffic only on the ports that are necessary for domain operations. The instance is unable to join the domain that is hosted on the domain controllers. Which combination of actions will help identify the cause of this issue with the LEAST operational overhead? (Choose two.)

A. Use AWS Network Manager to perform a route analysis for the transit gateway network. Specify the existing EC2 instance as the source. Specify the first domain controller as the destination. Repeat the route analysis for the second domain controller.
B. Use port mirroring with the existing EC2 instance as the source and another EC2 instance as the target to obtain packet captures of the connection attempts.
C. Review the VPC flow logs on the shared services VPC and the new VPC.
D. Issue a ping command from one of the domain controllers to the existing EC2 instance.
E. Ensure that route propagation is turned off on the shared services VPC.
Correct Answer: A, C
Explanation:
The problem is a connectivity or routing issue between two VPCs connected by a transit gateway. Using AWS Network Manager route analysis directly validates whether traffic from the EC2 instance can reach each domain controller through the transit gateway without deploying or modifying resources, making it very low overhead. Reviewing VPC flow logs in both the shared services VPC and the new VPC provides visibility into accepted and rejected traffic, helping identify security group, NACL, or routing problems. Other options either add higher operational overhead (packet mirroring), provide limited diagnostic value (ping), or are configuration changes rather than diagnostic steps.

Question 258

A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal. The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams. The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Create a record for each service in its local private hosted zone (serviceaccount1.aws.example.internal). Provide this DNS record to the employees who need access.
B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.
C. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.
D. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain.
E. Launch two Amazon EC2 instances in the shared AWS account. Install BIND on each instance. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS account. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the IP addresses of the BIND servers.
F. Create a private hosted zone in the shared AWS account for each account that runs the service. Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.
Correct Answer: B, D, F
Explanation:
The goal is to let service owners self-manage DNS while keeping on-premises users resolving names with minimal cost and changes. Creating a Route 53 Resolver inbound endpoint and conditional forwarding (B) enables on-premises DNS to resolve AWS private DNS. A shared private hosted zone for aws.example.internal (D) provides a central namespace. Creating delegated private hosted zones per account (F), associated with the service VPCs and the shared VPC, allows service creators in each account to manage their own records without involving central teams, avoiding costly EC2-based DNS or unnecessary resolver rules.

Question 136

A company uses Amazon Route 53 to host a public hosted zone for example.com. A network engineer recently reduced the TTL on several records to 60 seconds. The network engineer wants to assess whether the change has increased the number of queries to Route 53 beyond the expected levels that the company identified before the change. The network engineer must obtain the number of queries that have been made to the example.com public hosted zone. Which solution will provide this information?

A. Create a new trail in AWS CloudTrail to include Route 53 data events. Send logs to Amazon CloudWatch Logs. Set up a CloudWatch metric filter to count the number of queries and create graphs.
B. Use Amazon CloudWatch to access the AWS/Route 53 namespace and to check the DNSQueries metric for the public hosted zone.
C. Use Amazon CloudWatch to access the AWS/Route 53 Resolver namespace and to check the InboundQueryVolume metric for a specific endpoint.
D. Configure logging to Amazon CloudWatch for the public hosted zone. Set up a CloudWatch metric filter to count the number of queries and create graphs.
Correct Answer: B
Explanation:
Amazon Route 53 automatically publishes query metrics for public hosted zones to Amazon CloudWatch. The AWS/Route53 namespace includes the DNSQueries metric, which shows the number of DNS queries received for a specific hosted zone. This directly provides the required information without additional configuration. The other options either involve unnecessary logging setups or apply to Route 53 Resolver endpoints rather than public hosted zones.

Question 230

A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic. Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations, and network ACLs as the cause of the dropped traffic. What is causing the traffic to drop?

A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC.
B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.
C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC.
D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs.
Correct Answer: B
Explanation:
Inter-VPC traffic that traverses stateful inspection appliances via a transit gateway can be asymmetrically routed across Availability Zones. Without appliance mode enabled on the transit gateway attachment for the shared services (appliance) VPC, return traffic may bypass the same appliance instance that saw the initial flow, causing stateful inspection to drop the traffic. Enabling appliance mode ensures traffic is pinned to the same AZ and appliance, preventing drops.

Question 133

A company has an AWS account with four VPCs in the us-east-1 Region. The VPCs consist of a development VPC and three production VPCs that host various workloads. The company has extended its on-premises data center to AWS with AWS Direct Connect by using a Direct Connect gateway. The company now wants to establish connectivity to its production VPCs and development VPC from on premises. The production VPCs are allowed to route data to each other. However, the development VPC must be isolated from the production VPCs. No data can flow between the development VPC and the production VPCs. In preparation to implement this solution, a network engineer creates a transit gateway with a single transit gateway route table. Default route table association and default route table propagation are turned off. The network engineer attaches the production VPCs, the development VPC, and the Direct Connect gateway to the transit gateway. For each VPC route table, the network engineer adds a route to 0.0.0.0/0 with the transit gateway as the next destination. Which combination of steps should the network engineer take next to complete this solution? (Choose three.)

A. Associate the production VPC attachments with the existing transit gateway route table. Propagate the routes from these attachments.
B. Associate all the attachments with the existing transit gateway route table. Propagate the routes from these attachments.
C. Associate the Direct Connect gateway attachment with the existing transit gateway route table. Propagate the Direct Connect gateway attachment to this route table.
D. Change the security group inbound rules on the existing transit gateway network interfaces in the development VPC to allow connections to and from the on-premises CIDR range only.
E. Create a new transit gateway route table. Associate the new route table with the development VPC attachment. Propagate the Direct Connect gateway and development VPC attachment to the new route table.
F. Create a new transit gateway with default route table association and default route table propagation turned on. Attach the Direct Connect gateway and development VPC to the new transit gateway.
Correct Answer: A, C, E
Explanation:
The goal is to allow on-premises connectivity to all VPCs, allow intercommunication among production VPCs, and strictly isolate the development VPC from production VPCs using a single transit gateway. A: Associating the production VPC attachments with the existing transit gateway route table and propagating their routes allows the production VPCs to learn routes to each other and to on premises. C: Associating and propagating the Direct Connect gateway attachment to the existing transit gateway route table enables on-premises networks to reach the production VPCs through the transit gateway. E: Creating a separate transit gateway route table for the development VPC and associating only the development VPC and the Direct Connect gateway with it allows on-premises-to-development connectivity while preventing any routing between development and production VPCs. Other options either break the required isolation (B), rely on security groups instead of routing control (D), or introduce an unnecessary second transit gateway (F).


ANS-C01 — Frequently Asked Questions

What is the Amazon ANS-C01 exam?

The Amazon ANS-C01 exam — AWS Certified Advanced Networking - Specialty — is a professional IT certification exam offered by Amazon.

How many practice questions are included?

This study guide contains 268 practice questions, each with an expert-verified correct answer and a detailed explanation. Questions cover all exam domains and objectives.

Is there a free sample available?

Yes! We provide a free sample of 15 practice questions from the ANS-C01 exam right on this page. Scroll up to preview them and evaluate the quality of our materials before purchasing.

When was this ANS-C01 study guide last updated?

This study guide was last updated on 2026-02-18. We regularly refresh our materials to reflect the latest exam content and objectives so you're always studying current material.

What file formats do I receive?

After purchase you receive two files: an interactive HTML file with show/hide answer toggles (ideal for studying on screen) and a PDF file (ideal for printing or offline study). Both work on any device — desktop, tablet, or phone.

How much does the ANS-C01 study guide cost?

The Amazon ANS-C01 study guide costs $19 (discounted from $63). This is a one-time payment with no subscriptions or hidden fees.

How do I get my files after payment?

After successful payment via Stripe, you are immediately redirected to a download page with links to your HTML and PDF files. We also send the download links to your email address as a backup, so you'll always have access.

Why choose CheapestExamDumps over other providers?

CheapestExamDumps offers the lowest price at $19 per exam — competitors charge $50-$300 for similar content. All study materials are expert-verified, updated monthly, and include a free 15-question preview with no signup required. You get instant access to both HTML and PDF formats after payment.