A company is planning to create a service that requires encryption in transit. The traffic must not be
decrypted between the client and the backend of the service. The company will implement the
service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of
simultaneous connections. The backend of the service will be hosted on an Amazon Elastic
Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal
Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication
between the client and the backend.
Which solution will meet these requirements?
B
Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version
https://docs.aws.amazon.com/prescriptive-
guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html
A company is deploying a new application in the AWS Cloud. The company wants a highly available
web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to
multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing
must be offloaded to the load balancer. The web server must know the user’s IP address so that the
company can keep accurate logs for security purposes.
Which solution will meet these requirements?
A
Explanation:
An Application Load Balancer (ALB) can be used to route traffic to multiple target groups based on
the URL in the request. The ALB can be configured with an HTTPS listener to ensure all traffic uses
HTTPS. TLS processing can be offloaded to the ALB, which reduces the load on the web server. Path-
based routing rules can be used to route traffic to the correct target group based on the URL in the
request. The X-Forwarded-For request header can be included with traffic to the targets, which will
allow the web server to know the user's IP address and keep accurate logs for security purposes.
A company has developed an application on AWS that will track inventory levels of vending machines
and initiate the restocking process automatically. The company plans to integrate this application
with vending machines and deploy the vending machines in several markets around the world. The
application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic
Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The
communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP
addresses of the accelerator in the vending machines for application endpoint access. The
application must be accessible only through the accelerator and not through a direct connection over
the internet to the ALB endpoint.
Which solution will meet these requirements?
A
Explanation:
Please read the below link typically describing ELB integration with AWS Global accelator (and the
last line of the extract) - https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html"WhenyouaddaninternalApplicationLoadBalanceroranAmazonEC2instance
endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the
endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains
the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the
VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2
instance. You also don't need an associated internet gateway route for the subnet."
A global delivery company is modernizing its fleet management system. The company has several
business units. Each business unit designs and maintains applications that are hosted in its own AWS
account in separate application VPCs in the same AWS Region. Each business unit's applications are
designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The
architecture also must be able to scale as more business units consume data from the central shared
services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
C
Explanation:
Option C provides a secure and scalable solution using VPC endpoint services powered by AWS
PrivateLink. AWS PrivateLink enables private connectivity between VPCs and services without
exposing the data to the public internet or using a VPN connection. By creating VPC endpoints in
each application VPC, the company can securely access the central shared services VPC without the
need for complex network configurations. Furthermore, PrivateLink supports cross-account
connectivity, which makes it a scalable solution as more business units consume data from the
central shared services VPC in the future.
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group
(LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a
different business unit and uses its own private VIF for connectivity to the on-premises environment.
Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect
connection becomes saturated at the same time for about an hour each business day. The company
wants to know which business unit is causing the sudden increase in throughput. The network
engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
A
Explanation:
To meet the requirements of finding out which business unit is causing the sudden increase in
throughput and resolving the problem, the network engineer should review the Amazon CloudWatch
metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is
sending the highest throughput during the period in which slowness is observed (Option B). After
identifying the VIF that is causing the issue, they can upgrade the bandwidth of the existing
dedicated connection to 10 Gbps to resolve the problem (Option B).
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in
the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's
AWS deployment. The customers have stated that they will not share their internal IP addresses and
that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
AB
Explanation:
NLB for creating the private link which solves the overlapping IP address issue and the SaaS service
endpoint behind it. (the SaaS endpoint could be an ALB)
https://aws.amazon.com/about-aws/whats-
new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/
A network engineer is designing the architecture for a healthcare company's workload that is moving
to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit.
All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and
travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve
appointments. The architecture must secure these components and protect them against DDoS
attacks. The architecture also must provide protection against financial liability for services that scale
out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the
workload? (Choose three.)
DEF
Explanation:
To meet the requirements for the healthcare company’s workload that is moving to the AWS Cloud,
the network engineer should take the following steps:
Use AWS Direct Connect with MACsec support for connectivity to the cloud to ensure that all data to
and from the on-premises environment is encrypted in transit (Option D).
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection to inspect all
traffic in the cloud before it is allowed to leave (Option E).
Configure AWS Shield Advanced and ensure that it is configured on all public assets to secure
components exposed to the internet against DDoS attacks and provide protection against financial
liability for services that scale out during a DDoS event (Option F).
These steps will help ensure that all data is encrypted in transit, all traffic is inspected before leaving
the cloud, and components exposed to the internet are secured against DDoS attacks.
A retail company is running its service on AWS. The company’s architecture includes Application Load
Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend
Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted
services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network
engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway?
(Choose two.)
AD
Explanation:
To investigate the increased usage of a NAT gateway in a VPC architecture with ALBs and backend EC2
instances, a network engineer can use the following options:
Enable VPC flow logs on the NAT gateway’s elastic network interface and publish the logs to a log
group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
(Option A)
Enable VPC flow logs on the NAT gateway’s elastic network interface and publish the logs to an
Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log
structure and use Athena to query and analyze the logs. (Option D)
These options allow for detailed analysis of traffic through the NAT gateway to identify the source of
increased usage.
A banking company is successfully operating its public mobile banking stack on AWS. The mobile
banking stack is deployed in a VPC that includes private subnets and public subnets. The company is
using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has
decided to adopt a third-party service provider's API and must integrate the API with the existing
environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a
private subnet. The company does not want to permit IPv6 traffic from the public internet and
mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns
on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
C
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to
implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch
Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
B
Explanation:
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-
firewall-logs-using-amazon-opensearch-service-part-1/
A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are
deployed across multiple AWS accounts that are part of the same organization in AWS Organizations.
All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and
are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted
in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network
engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers
to be used as domain name servers.
Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS).
A development team has created a new EFS file system but cannot mount the file system to one of its
Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP
address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com. The network engineer
needs to implement a solution so that development teams throughout the organization can mount
EFS file systems.
Which combination of steps will meet these requirements? (Choose two.)
BD
Explanation:
Option B suggests using Amazon Route 53 Resolver outbound endpoint, which would replace the
existing BIND DNS servers with the AmazonProvidedDNS for name resolution. However, the scenario
specifically mentions that the company is using custom DNS servers that run BIND for name
resolution in its VPCs, so this solution would not work. Option D suggests creating a Route 53
Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers, which
would not address the issue of resolving the EFS mount point. The problem is not with resolving
queries for the on-premises domain, but rather with resolving the IP address for the EFS mount
point.
An ecommerce company is hosting a web application on Amazon EC2 instances to handle
continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The
company wants to implement a solution to distribute traffic from customers to the EC2 instances.
The company must encrypt all traffic at all stages between the customers and the application servers.
No decryption at intermediate points is allowed.
Which solution will meet these requirements?
C
Explanation:
To distribute traffic from customers to EC2 instances in an Auto Scaling group and encrypt all traffic at
all stages between the customers and the application servers without decryption at intermediate
points, the company should create a Network Load Balancer (NLB) with a TCP listener and configure
the Auto Scaling group to register instances with the NLB’s target group (Option C). This solution
allows for end-to-end encryption of traffic without decryption at intermediate points.
A company has two on-premises data center locations. There is a company-managed router at each
data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect
gateway through a private virtual interface. The router for the first location is advertising 110 routes
to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60
routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a
company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various
locations in either data center. The network engineer checks the VPC route table and sees that the
routes from the first data center location are not being populated into the route table. The network
engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?
B
Explanation:
"If you advertise more than 100 routes each for IPv4 and IPv6 over the BGP session, the BGP session
will go into an idle state with the BGP session DOWN."
https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html
A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple
AWS accounts. The company has set up a shared AWS account for the connection to its on-premises
data centers and the company offices. The workloads consist of private web-based services for
internal use. These services run in different AWS accounts. Office-based employees consume these
services by using a DNS name in an on-premises DNS zone that is named example.internal.
The process to register a new service that runs on AWS requires a manual and complicated change
request to the internal DNS. The process involves many teams.
The company wants to update the DNS registration process by giving the service creators access that
will allow them to register their DNS records. A network engineer must design a solution that will
achieve this goal. The solution must maximize cost-effectiveness and must require the least possible
number of configuration changes.
Which combination of steps should the network engineer take to meet these requirements? (Choose
three.)
ABD
Explanation:
To meet the requirements of updating the DNS registration process while maximizing cost-
effectiveness and minimizing configuration changes, the network engineer should take the following
steps:
Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a
conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers.
Set the forwarding IP addresses to the inbound endpoint’s IP addresses that were created (Option B).
Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS
account to resolve queries for this domain (Option D).
Create a record for each service in its local private hosted zone
(serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need
access (Option A).
These steps will allow service creators to register their DNS records while keeping costs low and
minimizing configuration changes.
A company has multiple AWS accounts. Each account contains one or more VPCs. A new security
guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The
company also has deployed a shared services VPC with Amazon EC2 instances that include IDS
services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The
company has set up VPC associations and routing on the transit gateway. The company has migrated
a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for
traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?
B
Explanation:
To resolve the issue of intermittent connections for traffic that crosses Availability Zones after
configuring routing for traffic inspection between VPCs using a transit gateway and EC2 instances
with IDS services in a shared services VPC, a network engineer should modify the transit gateway
VPC attachment on the shared services VPC by enabling appliance mode support (Option B). This will
ensure that traffic is routed to the same EC2 instance for stateful inspection and prevent intermittent
connections.