AWS Certified Advanced Networking Specialty (ANS-C00) Exam (ANS-C00) Free Practice Test

Question 1

You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

A. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.

B. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other's security group-id in each region.

C. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.

D. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other's security group-id in each region.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?

A. Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.

B. Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.

C. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.

D. Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.

Correct Answer: D

Question 3

A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25 customers The company creates a unique hostname for each customer to use to access the application Hostnames use the format customer-name example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application. When a customer visits customer-name example com, the ALB should route the request to the correct group of EC2 instances The company requires a highly available solution that is easy to maintain Which solution meets these requirements at the LOWEST cost?

A. Create one ALB for each customer Configure the listener to route requests to the customer target group Configure an NGINX proxy server to manage connections to each ALB Use Amazon Route 53 to create a CNAME record for each customer-name example com hostname that points to the NGINX proxy server

B. Create one ALB for all customers Create a listener rule that includes an HTTP header condition to match the URL Add a forward action to route the request to the customer target group Use Amazon Route 53 to create an alias record for each customer-name example com hostname that points to the ALB

C. Create one ALB for ail customers Create a listener rule that includes a Host header condition to match the hostname Add a forward action to route the request to the customer target group Use Amazon Route 53 to create an alias record for each customer-name example com hostname that points to the ALB

D. Create one ALB for each customer Configure the listener to route requests to the customer target group Create an Amazon CloudFront distribution Add each ALB to the distribution as a custom origin Use Amazon Route 53 to create an alias for each customer-name example com hostname that points to the CloudFront distribution

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

A. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.

B. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.

D. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

A. Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254

B. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80

C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443

D. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns.
Which tool will enable you to look at this data?

A. CloudWatch Logs

B. VPC Flow Logs

C. AWS CLI

D. Wireshark

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed The interim solution has worked for several weeks However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache Error from cloudfront" Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests What is the likely cause of the error and what is the solution?

A. The origin access identity is not correct Edit the CloudFront distribution and update the identity in the origins settings

B. The SSL certificate on the legacy web application server has expired Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA) Install the full certificate chain onto the legacy web application server

C. The SSL certificate on the CloudFront distribution has expired Use AWS Certificate Manager (ACM) in the us-east-1 Region to replace the SSL certificate in the CloudFront distribution with a new certificate

D. The SSL certificate on the legacy web application server has expired Use AWS Certificate Manager (ACM) in the us-east-1 Region to create a new SSL certificate Export the public and private keys and install the certificate on the legacy web application

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3 Which configuration values is the network engineer required to provide? (Select TWO.)

A. IP prefixes to advertise

B. Connection speed

C. Direct Connect location

D. VLAN ID

E. Virtual private gateway

Correct Answer: D,E

Question 9

You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the lowest latency and the highest packet-per-second network performance. The application will talk to other servers in a peered VPC.
Which two of the following components should be part of the design? (Select two.)

A. Select an instance with support for single root I/O virtualization.

B. Ensure that proper OS drivers are installed.

C. Select an instance that has support for multiple ENIs.

D. Select an instance with Amazon Elastic Block Store (EBS)-optimization.

E. Ensure that the instance supports jumbo frames and set 9001 MTU.

Correct Answer: A,B

Question 10

A company has a hybrid architecture with dual AWS Direct Connect connections and applications running in the AWS Cloud and on premises The company uses its on-premises DNS servers to provide name resolution tor its internal domain company com The company uses an Amazon Route 53 private hosted zone, aws company com for resolution of AWS resource records A new application that runs on Amazon EC2 in the company's VPC needs to resolve records in the company.com domain and on other AWS resources What should the company do to meet these requirements?

A. Create a new DHCP options set Configure the DHCP options set name servers to be the on-premises DNS servers, and configure the domain name to be company com Assign the DHCP options set to the VPC with the EC2 instances

B. Create Route 53 Resolver outbound endpoints in each subnet in the VPC Configure a Route 53 forwarding rule with a rule type of Forward for company com that points to the on-premises DNS servers Configure a Route 53 forwarding rule with a rule type of System for aws company com

C. Create Route 53 Resolver outbound endpoints in each subnet in the VPC Configure conditional forwarding rules on the on-premises DNS servers to forward queries for the domain aws company com to the Route 53 Resolver endpoints Modify the DHCP options set to configure instances to resolve hostnames using the on-premises DNS servers D. Create a private hosted zone for company com within the AWS account Create Route 53 Resolver inbound endpoints in each subnet in the VPC Configure the on-premises DNS servers to send outbound zone transfers for company com to the Route 53 Resolver endpoints

Correct Answer: C

Welcome to TestSimulate

Amazon AWS Certified Advanced Networking Specialty (ANS-C00) (ANS-C00) Free Practice Test