Prepare-se para a certificação AWS Certified Advanced Networking – Specialty (ANS-C01) com simulados completos, questões atualizadas, respostas comentadas e uma experiência semelhante ao exame oficial da AWS.
Pagamento seguro Acesso imediato PC, tablet e celular Foco em certificações de TI
Questões 1–10 de 15 (com resposta)
Clique em "Ver resposta" para revelar o gabarito e a explicação, e participe da discussão da comunidade em cada questão.
Quer praticar como na prova? Use o teste gratuito (15 questões após cadastro rápido).
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these requirements?
AInstall the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
BInstall the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.Correta
CCreate a target group. Add the EKS managed node group's Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
DCreate a target group. Add the EKS managed node group's Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.
A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS Organizations through AWS Resource Access Manager (AWS RAM). A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization. The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)
ADeploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in th existing member accounts to provision the necessary network infrastructure.Correta
BUpdate the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
CCreate an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.Correta
DDeploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.Correta
ECreate an AWSControlTowerBlueprintAccess role in the shared services account.
FCreate an AWSControlTowerBlueprintAccess role in each member account.
Resposta correta:A, C, D
Explicação
Explanation: The correct answer is A, C, and D. These steps will meet the requirements with the least operational overhead because: · Step A will deploy an AWS Lambda function to the shared services account that can automate the network infrastructure provisioning in each member account by assuming a role with the necessary permissions. · Step C will create an AWS CloudFormation template that describes the VPC and the transit gateway attachment for each account. This template can be uploaded as an AWS Service Catalog product to the shared services account, which can be used by the AWS Lambda function to create the network resources in each member account. · Step D will deploy an Amazon EventBridge rule on a default event bus in the shared services account that can react to AWS Control Tower lifecycle events, such as creating a new managed account. This rule can invoke the AWS Lambda function to provision the network infrastructure in the new account. The other steps are incorrect because: · Step B will update the existing accounts with an Account Factory Customization (AFC), which is a feature of AWS Control Tower that allows you to customize the account creation process with AWS CloudFormation templates. However, this step will not automate the network infrastructure provisioning for the existing accounts, as it only applies to the new accounts created through the Account Factory. Moreover, this step will require additional operational overhead to maintain the AFC templates and products. · Step E will create an AWSControlTowerBlueprintAccess role in the shared services account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the shared services account. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products directly without using this role. · Step F will create an AWSControlTowerBlueprintAccess role in each member account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the member accounts. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products in the shared services account without using this role.
A company has three VPCs in a single AWS Region. Each VPC contains 15 Amazon EC2 instances, and no connectivity exists between the VPCs. The company is deploying a new application across all three VPCs. The application requires high bandwidth between the nodes. A network engineer must implement connectivity between the VPCs. Which solution will meet these requirements with the HIGHEST throughput?
AConfigure a transit gateway. Attach each VPC to the transit gateway. Configure static routing in each VPC to route traffic to the transit gateway.
BConfigure VPC peering between the three VPCs. Configure static routing to route traffic between the three VPCs.Correta
CConfigure a transit VPC. Configure a VPN gateway in each VPC. Create an AWS Site-to-Site VPN tunnel from each VPC to the transit VPC. Use BGP routing to route traffic between the VPCs and the transit VPC.
DConfigure AWS Site-to-Site VPN connections between each VPC. Enable route propagation for each Site-to-Site VPN connection to route traffic between the VPCs.
A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user's IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?
ADeploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.Correta
BDeploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X- Forwarded-For request header with traffic to the targets.
CDeploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.
DDeploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.
Resposta correta:A
Explicação
Explanation: An Application Load Balancer (ALB) can be used to route traffic to multiple target groups based on the URL in the request. The ALB can be configured with an HTTPS listener to ensure all traffic uses HTTPS. TLS processing can be offloaded to the ALB, which reduces the load on the web server. Path- based routing rules can be used to route traffic to the correct target group based on the URL in the request. The X- Forwarded-For request header can be included with traffic to the targets, which will allow the web server to know the user's IP address and keep accurate logs for security purposes.
A company has a total of 30 VPCs. Three AWS Regions each contain 10 VPCs. The company has attached the VPCs in each Region to a transit gateway in that Region. The company also has set up inter-Region peering connections between the transit gateways. The company wants to use AWS Direct Connect to provide access from its on-premises location for only four VPCs across the three Regions. The company has provisioned four Direct Connect connections at two Direct Connect locations. Which combination of steps will meet these requirements MOST cost-effectively? (Select THREE.)
ACreate four virtual private gateways. Attach the virtual private gateways to the four VPCs.
BCreate a Direct Connect gateway. Associate the four virtual private gateways with the Direct Connect gateway.Correta
CCreate four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the Direct Connect gateway.Correta
DCreate four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the four virtual private gateways.
ECreate four private VIFs on each Direct Connect connection to the Direct Connect gateway.
FCreate an association between the Direct Connect gateway and the transit gateways.Correta
Resposta correta:B, C, F
Explicação
Explanation: To connect to multiple VPCs across different Regions using Direct Connect, the best option is to use a Direct Connect gateway and transit gateways. A Direct Connect gateway allows you to associate multiple virtual private gateways and transit gateways with the same Direct Connect connection. A transit gateway acts as a network hub that connects multiple VPCs and on-premises networks. By creating inter-Region peering connections between the transit gateways, you can enable cross- Region communication. Therefore, the steps are: · Create four virtual private gateways and attach them to the four VPCs that need access from the on- premises location. · Create a Direct Connect gateway and associate it with the four virtual private gateways. · Create four transit VIFs on each Direct Connect connection and associate them with the Direct Connect gateway. A transit VIF allows you to connect to a Direct Connect gateway using a private ASN. · Create an association between the Direct Connect gateway and the transit gateways in each Region. This will enable the on-premises location to access the VPCs that are attached to the transit gateways.
A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following: A transit gateway with all VPCs attached to it Several hundred application VPCs A centralized egress internet VPC with a NAT gateway and an internet gateway A centralized ingress internet VPC that hosts public Application Load Balancers On-premises connectivity through an AWS Direct Connect gateway attachment The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table s default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on-premises network) traffic by using Suricata compatible rules. The network engineer must deploy the firewall by using a solution that requires the least possible architectural changes to the existing production environment. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
ADeploy Network Firewall in all Availability Zones in each application VPC.
BDeploy Network Firewall in all Availability Zones in a centralized inspection VPC.Correta
CUpdate the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.Correta
DUpdate the EXTERNAL_NET rule group variable to include all CIDR ranges of the VPCs and on- premises networks.
EConfigure a single transit gateway route table. Associate all application VPCs and the centralized inspection VPC with this route table.
FConfigure two transit gateway route tables. Associate all application VPCs with one transit gateway route table. Associate the centralized inspection VPC with the other transit gateway route table.Correta
A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS. The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint. Which solution will meet these requirements?
AConfigure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.Correta
BConfigure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
CConfigure the ALB in a public subnet of the VPAttach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
DConfigure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
Resposta correta:A
Explicação
Explanation: Please read the below link typically describing ELB integration with AWS Global accelator (and the last line of the extract) - https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc- connections.html "When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet."
A company's VPC has Amazon EC2 instances that are communicating with AWS services over the public internet. The company needs to change the connectivity so that the communication does not occur over the public intemet. The company deploys AWS PrivateLink endpoints in the VPC. After the deployment of the PrivateLink endpoints, the EC2 instances can no longer communicate at all with the required AWS services. Which combination of steps should a network engineer take to restore communication with the AWS services? (Select TWO.)
AIn the VPC route table, add a route that has the PrivateLink endpoints as the destination.
BEnsure that the enableDnsSupport attribute is set to True for the VPC. Ensure that each VPC endpoint has DNS support enabled.Correta
CEnsure that the VPC endpoint policy allows communication.Correta
DCreate an Amazon Route 53 public hosted zone for all services.
ECreate an Amazon Route 53 private hosted zone that includes a custom name for each service.
Resposta correta:B, C
Explicação
Explanation: To use AWS PrivateLink, you need to create interface type VPC endpoints for the services that you want to access privately from your VPC1. These endpoints appear as elastic network interfaces (ENIs) with private IPs in your subnets2. To enable DNS resolution for these endpoints, you need to set the enableDnsSupport attribute to True for your VPC, and enable DNS support for each endpoint3. You also need to ensure that the VPC endpoint policy allows communication between your VPC and the service4. You do not need to create any route table entries or Route 53 hosted zones for the endpoints, as they are not required for PrivateLink5. AWS PrivateLink FAQs Amazon Web Services 2: AWS PrivateLink and service endpoint - Amazon EC2 Overview and Networking Introduction for Telecom Companies 3: VPC Endpoints: Secure and Direct Access to AWS Services 4: AWS PrivateLink and service endpoint - Amazon EC2 Overview and Networking Introduction for Telecom Companies 5: AWS Private Link vs VPC Endpoint - Stack Overflow
A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates. The company is using HTTPS for encryption in transit. The company needs additional field-level encryption to keep sensitive data encrypted during processing so that only certain application components can decrypt the sensitive data. Which combination of steps will meet these requirements? (Choose two.)
AImport the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.
BImport the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.Correta
CUpload the private key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-le profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration t cache behavior that is associated with sensitive POST requests.
DUpload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption configuration, and specify the fields that contain sensitive information. Create a field-level encryption profile, and choose the newly created configuration. Link the profile to the appropriate cache behavior that is associated with sensitive GET requests.
EUpload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.Correta
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future. Which solution will meet these requirements in the MOST secure manner?
ACreate a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
BCreate VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
CCreate VPC endpoint services powered by AWS PrivateLink in the central shared services VPCreate VPC endpoints in each application VPC.Correta
DCreate a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
Resposta correta:C
Explicação
Explanation: Option C provides a secure and scalable solution using VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink enables private connectivity between VPCs and services without exposing the data to the public internet or using a VPN connection. By creating VPC endpoints in each application VPC, the company can securely access the central shared services VPC without the need for complex network configurations. Furthermore, PrivateLink supports cross-account connectivity, which makes it a scalable solution as more business units consume data from the central shared services VPC in the future.
Pronto para a prática real?
Teste 15 questões no player com interface de prova — cronômetro, navegação e revisão. Depois garanta acesso a todas as 287 questões.