[Oct-2021] Verified Amazon Exam Dumps with ANS-C00 Exam Study Guide
NEW QUESTION 76
Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account.
Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.
Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Select two.)
- A. Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.
- B. Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.
- C. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.
- D. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.
- E. Update the Route 53 private hosted zone's VPC associations to include the new VPC.
Answer: B,E
NEW QUESTION 77
You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24x7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application and the number-crunching servers deployed in the cloud. Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expand into new markets. Select the correct network configuration that best facilitates your company's continued growth plans.
- A. Provision a Direct Connect connection between your existing service provider's data center and the AWS Region that your cloud compute resources exist in. Configure a Virtual Private Gateway and a Private Virtual Interface.
- B. Provision a Direct Connect connection between your service provider's data center and the AWS Region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connect connection, a Virtual Private Gateway is not required.
- C. Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS is enabled - this is a secure and cheap option.
- D. Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS is enabled - this is a secure and cheap option.
Answer: A
Explanation:
Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations - therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required - the answer is yes and therefore the correct answer is D.
Reference: https://aws.amazon.com/directconnect/faqs/
NEW QUESTION 78
Your network utilizes jumbo frames on its servers and your router. You are trying to access your AWS resources, and you are having issues with packet loss. What is the best solution? Choose the correct answer:
- A. Lower the MTU for your network.
- B. Call AWS support.
- C. Remove the "Do not Fragment" flag on the packets.
- D. You will have to upgrade to Direct Connect.
Answer: C
Explanation:
Remove the "Do not Fragment" flag on your router. AWS will drop any data with an MTU of greater than 1500 if the "Do not Fragment" flag is set, so you need your router to indicate that data can be fragmented.
NEW QUESTION 79
A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection, which includes a private virtual interface (VIF), and a VPN connection to the on-premises data center. For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?
- A. Direct Connect BGP routes, static routes, longest prefix match, VPN BGP routes
- B. Static routes, longest prefix match, Direct Connect BGP routes, VPN BGP routes
- C. Longest prefix match, static routes, Direct Connect BGP routes, VPN BGP routes
- D. Longest prefix match, VPN BGP routes, static routes, Direct Connect BGP routes
Answer: B
NEW QUESTION 80
You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?
Choose the correct answer:
- A. You need to add a deny rule outbound also since NACLs are stateful.
- B. You configured the rule number to be too low.
- C. The DDoS isn't a TCP attack.
- D. A NACL can't protect against a DDoS.
Answer: C
Explanation:
The DDoS isn't a TCP attack (this time). A DDoS can use several different protocols. NACLs are stateless. The lower the rule number, the higher the priority.
NEW QUESTION 81
You have to set up an AWS Direct Connect connection to connect your on-premises network to an AWS VPC. Due to budget requirements, you can only provision a single Direct Connect port. You have two border gateway routers at your on-premises data center that can peer with the Direct Connect routers for redundancy.
Which two design methodologies, in combination, will achieve this connectivity? (Select two.)
- A. Terminate the Direct Connect circuit on a L2 border switch, which in turn has trunk connections to the two routers.
- B. Create two Direct Connect private VIFs for the same VPC, each with a different peer IP.
- C. Terminate the Direct Connect circuit on one of the routers, which in turn will have an iBGP session with the other router.
- D. Create one Direct Connect private VIF for the VPC with two customer peer IPs.
- E. Provision two VGWs for the VPC and create one Direct Connect private VIF per VGW.
Answer: A,D
Explanation:
https://docs.aws.amazon.com/directconnect/latest/UserGuide/add-peer-to-vif.html (Adding a BGP Peer)
NEW QUESTION 82
A Network Engineer has enabled VPC Flow Logs to troubleshoot an ICMP reachability issue for an echo reply from an Amazon EC2 instance. The flow logs reveal an ACCEPT record for the request from the client to the EC2 instance, and a REJECT record for the response from the EC2 instance to the client.
What is the MOST likely reason for there to be a REJECT record?
- A. The network ACL is denying inbound ICMP.
- B. The security group is denying inbound ICMP.
- C. The security group is denying outbound ICMP.
- D. The network ACL is denying outbound ICMP.
Answer: D
NEW QUESTION 83
Refer to the image.
You have three VPCs: A, B, and C.
VPCs A and C are both peered with VPC B.
The IP address ranges are as follows:
* VPC A: 10.0.0.0/16
* VPC B: 192.168.0.0/16
* VPC C: 10.0.0.0/16
Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10.
Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively. Both i-3 and i-4 are in the subnet 192.168.1.0/24.
* i-3 must be able to communicate with i-1.
* i-4 must be able to communicate with i-2.
* i-3 and i-4 are able to communicate with i-1, but not with i-2.
Which two steps will fix this problem? (Select two.)
- A. Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
- B. Create two route tables: one with a route for destination VPC A, and another for destination VPC C.
- C. Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
- D. Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.
- E. Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
Answer: B,E
NEW QUESTION 84
Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.
Which method allows for efficient, automated integration of the IPAM with CloudFormation?
- A. AWS CloudFormation custom resource using an AWS Lambda invocation.
- B. CloudFormation::OpsWorks::Stack with custom Chef configuration.
- C. AWS CloudFormation parameters using the "Fn::FindInMap" intrinsic function.
- D. AWS CloudFormation parameters using the "Ref::" intrinsic function
Answer: A
Explanation:
The CloudFormation chapter, under "Exam Essentials", says: "Custom resources in an AWS CloudFormation template allow you to configure non-AWS resources not supported by AWS. You can use custom resources to make calls to an IPAM."
NEW QUESTION 85
Which of these addresses cannot be given to an EC2 instance in your VPC? Choose the correct answer:
- A. 10.0.0.253
- B. 10.0.0.4
- C. 10.0.0.157
- D. 10.0.0.3
Answer: D
Explanation:
10.0.0.3 is reserved by AWS for future use.
NEW QUESTION 86
You are configuring a CloudFront distribution, and when you try to attach an SSL, you do not see your SSL listed. What is the most likely reason for this? Choose the correct answer:
- A. Sometimes, it won't show, and you need to retrieve the ARN for the SSL and enter it manually.
- B. You didn't wait 48 hours after approving the SSL.
- C. You must configure an https record in Route 53 first.
- D. You requested an SSL for the wrong region.
Answer: D
NEW QUESTION 87
Your company's policy requires that all VPCs peer with a "common services" VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common services VPC as required by policy. You launch an Amazon EC2 Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC.
The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.
Which step should you take to enable access to Amazon S3?
- A. Update the S3 bucket policy with the private IP address of the instance.
- B. Exclude 169.254.169.0/24 from the instance's proxy configuration.
- C. Update the CORS configuration for Amazon S3 to allow traffic from the proxy.
- D. Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.
Answer: C
NEW QUESTION 88
The Security department has mandated that all outbound traffic from a VPC toward an on-premises datacenter must go through a security appliance that runs on an Amazon EC2 instance.
Which of the following maximizes network performance on AWS? (Choose two.)
- A. Support for placement groups within the VPC
- B. Security appliance support for multiple elastic network interfaces
- C. Support for the enhanced networking drivers
- D. Support for sending traffic over the Direct Connect connection
- E. The instance sizes and families supported by the security appliance
Answer: D,E
NEW QUESTION 89
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection. What is the MOST scalable way to add VPCs with on-premises connectivity?
- A. Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs.
- B. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network.
- C. Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network.
- D. Create a transit gateway and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.
Answer: D
NEW QUESTION 90
A company is using AWS to host all of its applications. Each application is isolated in its own Amazon VPC.
Different environments such as Development, Test, and Production are also isolated in their own VPCs. The Network Engineer needs to automate VPC creation to enforce the company's network and security standards.
Additionally, the CIDR range used in each VPC needs to be unique.
Which solution meets all of these requirements?
- A. Use AWS CloudFormation to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.
- B. Create the VPCs using AWS CLI and use the dry-run flag to validate if the current CIDR range is in use.
- C. Use the VPC wizard in the AWS Management Console. Type in the CIDR blocks for the VPC and subnets.
- D. Use AWS OpsWorks to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.
Answer: A
NEW QUESTION 91
Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account.
Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.
Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Select two.)
- A. Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.
- B. Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.
- C. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.
- D. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.
- E. Update the Route 53 private hosted zone's VPC associations to include the new VPC.
Answer: B,E
NEW QUESTION 92
You deploy your Internet-facing application in the us-west-2 (Oregon) Region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.
You need to deploy another identical instance of the application in us-east-1 (N. Virginia) as soon as possible.
You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.
Which design should you choose?
- A. Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
- B. Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.
- C. Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
- D. Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
Answer: D
NEW QUESTION 93
You need to find the public IP address of an instance that you're logged in to. What command would you use?
Choose the correct answer:
- A. scp localhost/latest/meta-data/public-ipv4
- B. curl http://169.254.169.254/latest/meta-data/public-ipv4
- C. curl http://127.0.0.1/latest/meta-data/public-ipv4
- D. curl ftp://169.254.169.254/latest/meta-data/public-ipv4
Answer: B
Explanation:
curl http://169.254.169.254/latest/meta-data/public-ipv4
NEW QUESTION 94
A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet, with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides. Which changes should a network engineer make to the architecture to meet these requirements?
- A. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
- B. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
- C. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
- D. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.
Answer: A
NEW QUESTION 95
......
Authentic Best resources for ANS-C00: https://www.prep4king.com/ANS-C00-exam-prep-material.html