Assessment Test

  1. Which Virtual Private Network (VPN) protocols are supported under the AWS managed VPN connection option?

    1. Internet Protocol Security (IPsec)
    2. Generic Routing Encapsulation (GRE)
    3. Dynamic Multipoint VPN (DMVPN)
    4. Layer 2 Tunneling Protocol (L2TP)

  2. How will you vertically-scale Virtual Private Network (VPN) throughput in a Virtual Private Cloud (VPC) when terminating the VPN on Amazon Elastic Compute Cloud (Amazon EC2) with minimal downtime?

    1. Attach multiple elastic network interfaces to the existing Amazon EC2 instance responsible for VPN termination.
    2. Stop the Amazon EC2 instance and change the instance type to a larger instance type. Start the instance.
    3. Take a snapshot of the instance. Launch a new, larger instance using this snapshot, and move the Elastic IP address from the existing instance to the new instance.
    4. Launch a new Amazon EC2 instance of a larger instance type. Move the Amazon Elastic Block Store (Amazon EBS) disk from the existing instance to the new instance.

  3. Which of the following is required to create a 1 Gbps AWS Direct Connect connection?

    1. Open Shortest Path First (OSPF)
    2. 802.1Q Virtual Local Area Network (VLAN)
    3. Bidirectional Forwarding Detection (BFD)
    4. Single-mode fiber

  4. The Letter of Authorization – Connecting Facility Assignment (LOA-CFA) document downloaded via the AWS Management Console provides the AWS Direct Connect location provider with which of the following?

    1. The cross-connect port detail for the AWS end of the connection
    2. The cross-connect port detail for the customer end of the connection
    3. The cross-connect’s assigned AWS Region
    4. The billing address for the cross-connect

  5. You have a three-tier web application. You have to move this application to AWS. As a first step, you decide to move the web layer to AWS while keeping the application and database layer on-premises. During initial phases of this migration, the web layer will have servers both in AWS and on-premises. How will you architect this setup? (Choose two.)

    1. Set up an AWS Direct Connect private Virtual Interface (VIF).
    2. Use Network Load Balancer to distribute traffic to the web layer on-premises and in the Virtual Private Cloud (VPC).
    3. Set up an AWS Direct Connect public VIF.
    4. Set up an IP Security (IPsec) Virtual Private Network (VPN) from on-premises to AWS, terminating at the Virtual Private Gateway (VGW).
    5. Use Classic Load Balancer to distribute traffic to the web layer on-premises and in the VPC.

  6. You have set up a transit Virtual Private Cloud (VPC) architecture. You are connected to the hub VPC using AWS Direct Connect and a detached Virtual Private Gateway (VGW). You want all hybrid IT traffic to the production spoke VPC to pass through the transit hub VPC. You also want on-premises traffic to the test VPC to bypassing the transit VPC, reaching the test spoke VPC directly. How will you architect this solution, considering least latency and maximum security?

    1. Set up an AWS Direct Connect private Virtual Interface (VIF) to an AWS Direct Connect Gateway. Attach the VGW of the test VPC to the AWS Direct Connect Gateway.
    2. Assign public IP addresses to the Amazon Elastic Compute Cloud (Amazon EC2) instance in the test VPC, and access these resources using the public IP addresses over AWS Direct Connect public VIF.
    3. Set up a VPN from a detached VGW to an Amazon EC2 instance in the test VPC.
    4. Set up a VPN from the detached VGW to the VGW of the test VPC.

  7. You have created a Virtual Private Cloud (VPC) with an IPv4 CIDR of 10.0.0.0/27. What is the maximum number of IPv4 subnets that you can create?

    1. 1
    2. 2
    3. 3
    4. 4

  8. You create a new Virtual Private Cloud (VPC) in us-east-1 and provision three subnets inside this VPC. Which of the following statements is true?

    1. By default, these subnets will not be able to communicate with each other; you will need to create routes.
    2. All subnets are public by default.
    3. All subnets will have a route to one another.
    4. Each subnet will have identical Classless Inter-Domain Routing (CIDR) blocks.

  9. Your networking group has decided to migrate all of the 192.168.0.0/16 Virtual Private Cloud (VPC) instances to 10.0.0.0/16. Which of the following is a valid option?

    1. Add a new 10.0.0.0/16 Classless Inter-Domain Routing (CIDR) range to the 192.168.0.0/16 VPC. Change the existing addresses of instances to the 10.0.0.0/16 space.
    2. Change the initial VPC CIDR range to the 10.0.0.0/16 CIDR.
    3. Create a new 10.0.0.0/16 VPC. Use VPC peering to migrate workloads to the new VPC.
    4. Use Network Address Translation (NAT) in the 192.168.0.0/16 space to the 10.0.0.0/16 space using NAT Gateways.

  10. What do Amazon CloudFront Origin Access Identities (OAIs) do?

    1. Increase the performance of Amazon CloudFront by preloading video streams.
    2. Allow the use of Network Load Balancer as an origin server.
    3. Restrict access to Amazon Elastic Compute Cloud (Amazon EC2) web instances.
    4. Restrict access to an Amazon Simple Storage Service (Amazon S3) bucket to only special Amazon CloudFront users.

  11. Which types of distributions are required to support Amazon CloudFront Real-Time Messaging Protocol (RTMP) media streaming? (Choose two.)

    1. An RTMP distribution for the media files
    2. A web distribution for the media player
    3. A web distribution for the media files
    4. An RTMP distribution for media files and the media player
    5. Amazon CloudFront does not support RTMP streaming.

  12. Voice calls to international numbers from inside your company must go through an open-source Session Border Controller (SBC) installed on a custom Linux Amazon Machine Image (AMI) in your Virtual Private Cloud (VPC) public subnet. The SBC handles the real-time media and voice signaling. International calls often have garbled voice, and it is difficult to understand what people are saying. What may increase the quality of international voice calls?

    1. Place the SBC in a placement group to reduce latency.
    2. Add additional network interfaces to the instance.
    3. Use an Application Load Balancer to distribute load to multiple SBCs.
    4. Enable enhanced networking on the instance.

  13. Your big data team is trying to determine why their proof of concept is running slowly. For the demo, they are trying to ingest 100 TB of data from Amazon Simple Storage Service (Amazon S3) on their c4.8xl instance. They have already enabled enhanced networking. What should they do to increase Amazon S3 ingest rates?

    1. Run the demo on premises, and access Amazon S3 from AWS Direct Connect to reduce latency.
    2. Split the data ingest on more than one instance, such as two c4.4xl instances.
    3. Place the instance in a placement group, and use an Amazon S3 endpoint.
    4. Place a Network Load Balancer between the instance and Amazon S3 for more efficient load balancing and better performance.

  14. An AWS CloudFormation change set can be used for which of the following purposes? (Choose two.)

    1. Checking if an existing resource has been altered outside of AWS CloudFormation.
    2. Examining the differences between the current stack and a new template.
    3. Specifying which changes are to be applied to a stack from a new template by editing the change set.
    4. Rolling back a previous update to an existing stack.
    5. Executing a stack update after changes are approved in a continuous delivery pipeline.

  15. You have created an AWS CloudFormation stack to manage network resources in an account with the intent of allowing unprivileged users to make changes to the stack. When a user attempts to make a change and update the stack, however, the user gets a permission denied error when a resource is updated. What might be the cause?

    1. The stack does not have a stack policy attached to it that allows updates.
    2. The user does not have permission to invoke the CloudFormation:UpdateStack Application Programming Interface (API).
    3. The template does not have a stack policy attached to it that allows updates.
    4. The stack does not have an AWS Identity and Access Management (IAM) service role attached to it that allows updates.

  16. You are trying to resolve host names from an instance in VPC A for instances that resides in VPC B. The two VPCs are peered within the same region. What action must be taken to enable this?

    1. Disable DNS host names by setting the enableDnsHostnames value to false in VPC B, the peered VPC.
    2. Enable the value for Allow DNS Resolution from Peer VPC for the VPC peering connection.
    3. Build an IP Security (IPsec) tunnel from an instance in the VPC A to the VGW of VPC B to allow DNS resolution between the VPCs.
    4. Build your own DNS resolver in VPC B, and point VPC A’s instances to this resolver.

  17. When using Amazon Route 53, the EDNS0 extension is used when you want to do which of the following?

    1. Adjust the Time To Live (TTL) of Domain Name System (DNS) records.
    2. Increase the accuracy of geolocation routing by adding optional extensions to the DNS protocol.
    3. Increase the accuracy of geolocation routing by removing unneeded extensions to the DNS protocol.
    4. Create a geolocation resource record set in a private hosted zone.

  18. What happens when you associate an Amazon CloudFront distribution with an AWS Lambda@Edge function?

    1. AWS Lambda is deployed in your Virtual Private Cloud (VPC).
    2. AWS Lambda@Edge will create an Amazon Simple Notification Service (Amazon SNS) topic for email notification.
    3. Amazon CloudFront intercepts requests and responses at Amazon CloudFront Regional Edge Caches.
    4. Amazon CloudFront intercepts requests and responses at Amazon CloudFront edge locations.

  19. After deploying Amazon RDS in a new subnet within a VPC, application developers report that they cannot connect to the database from another subnet within the VPC. What action must be taken?

    1. Create a VPC peering connection to the Amazon RDS subnets.
    2. Enable Multi-AZ deployment.
    3. Create a route to the Amazon RDS instance subnets.
    4. Add the application server security group to the Amazon RDS inbound security group.

  20. Which of the following techniques is used to mitigate the impact on Amazon Route 53 of malicious actors?

    1. Classifying and prioritizing requests from users who are known to be reliable
    2. Leveraging customer-provided whitelist/blacklist IP addresses
    3. Blocking traffic using customer-defined Amazon Route 53 security groups
    4. Redirecting suspicious DNS requests to honeypot responders

  21. You are responsible for your company’s AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates that the source of the traffic is scanning for open ports on your Amazon Elastic Compute Cloud (Amazon EC2) instances. Which one of the following resources can deny the IP address from reaching the instances in your VPC?

    1. Security group
    2. Internet gateway (IGW)
    3. Network Access Control List (ACL)
    4. AWS PrivateLink

  22. AWS uses what framework to provide independent confirmation around the efficacy of guest-to-guest separation on Amazon Elastic Compute Cloud (Amazon EC2) hypervisors?

    1. Health Insurance Portability and Accountability Act (HIPAA)
    2. International Organization for Standardization (ISO) 27001
    3. Service Organization Controls (SOC) 2
    4. Payment Card Industry Data Security Standard (PCI DSS)

  23. You place an application load balancer in front of two web servers that are stateful. Users begin to report intermittent connectivity issues when accessing the website. Why is the site not responding?

    1. The website needs to have port 443 open.
    2. Sticky sessions must be enabled on the application load balancer.
    3. The web servers need to have their security group set to allow all Transmission Control Protocol (TCP) traffic from 0.0.0.0/0.
    4. The network Access Control List (ACL) on the subnet needs to allow a stateful connection.

  24. You create a new instance, and you are able connect over Secure Shell (SSH) to its private IP address from your corporate network. The instance does not have Internet access, however. Your internal policies forbid direct access to the Internet. What is required to enable access to the Internet?

    1. Assign a public IP address to the instance.
    2. Ensure that port 80 and port 443 are not set to DENY in the instance security group.
    3. Deploy a Network Address Translation (NAT) gateway in the private subnet.
    4. Make sure that there is a default route in the subnet route table that goes to your on-premises network.

  25. You create Virtual Private Cloud (VPC) peering connections between VPC A and VPC B and between VPC B and VPC C. You can communicate between VPC A and VPC B and communicate between VPC B and VPC C, but not between VPC A and VPC C. What must be done to allow traffic between VPC A and VPC C?

    1. Create a network Access Control List (ACL) to allow the traffic.
    2. Create an additional peering connection between VPC A and VPC C.
    3. Update the route tables in VPC A and VPC C.
    4. Add a rule to the security groups on VPC A and VPC C.