Free Amazon ANS-C01 Exam Questions

Question 1

Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC instance. Two Direct Connect connections terminate at two different Direct Connect locations. You are using two routers, R1 and R2, at your end (one of each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routers over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC.

Which two actions should you take to fix this problem? (Select two.)

A : BGP AS prepend attribute to prepend additional AS numbers while advertising routers from R1 to VGW.

B : BGP local preference attribute to assign R1 to a lower local preference number than R2.

C : BGP local preference attribute to assign R1 a higher local preference number than R2.

D : BGP MED attribute to assign a higher MED value to the routes advertised R1 to VGW.

E : BGP MED attribute to assign a higher MED value to the routes advertised from R2 to VGW.

Answer: A,D

Question 2

A company has developed a web service for language translation. The web service's application runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) and are deployed in a private subnet. The web service can process requests that contain hundreds of megabytes of data. The company needs to give some customers the ability to access the web service. Each customer has its own AWS account. The company must make the web service accessible to approved customers without making the web service accessible to all customers. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)

A : Create VPC peering connections with the approved customers only.

B : Create an AWS PrivateLink endpoint service. Configure the endpoint service to require acceptance that will be granted to approved customers only.

C : Configure an authentication action for the endpoint service's load balancer to allow customers to log in by using their AWS credentials. Provide only approved customers with the URL.

D : Configure a Network Load Balancer (NLB) and a listener with the ALB as a target. Associate the NLB with the endpoint service.

E : Associate the ALB with the endpoint service.

Answer: B,D

Question 3

A company has configured an AWS Cloud WAN core network with edge locations in the us-east-1 Region and the us-west-1 Region. Each edge location has two segments: development and staging. The segments use the default core network policy. The company has attached VPCs to the core network. A development VPC is attached to the development segment in us-east-1 and is configured to use the 10.0.0.0 CIDR block. A staging VPC is attached to the staging segment in us-west-1 and is configured to use the 10.5.0.0 CIDR block. The company has updated the route tables for both VPCs with a route that directs any traffic for 0.0.0.0/0 to the core network. The companys network team needs to establish communication between the two VPCs by using the AWS Cloud WAN core network. The network team is not receiving a response during tests of communication between the VPCs. The network team has verified that security groups and network ACLs are not blocking the traffic. What should the network team do to establish this communication?

A : Update both VPC route tables to have a new static route. Configure a route on the development VPC to direct the traffic for 10.0.0.0 to the development VPC attachment. Configure a route on the staging VPC to direct the traffic for 10.5.0.0 to the staging VPC attachment.

B : Update the segment filter to allow traffic on the development and staging segments.

C : Set the isolate-attachments parameter to False for the development and staging segments.

D : Update the core network policy to add a static route for each segment. Configure a route to direct the traffic for 10.0.0.0 to the development VPC attachment. Configure a route to direct the traffic for 10.5.0.0 to the staging VPC attachment.

Answer: D

Question 4

A company has configured an AWS Cloud WAN core network with edge locations in the us-east-1 Region and the us-west-1 Region. Each edge location has two segments: development and staging. The segments use the default core network policy. The company has attached VPCs to the core network. A development VPC is attached to the development segment in us-east-1 and is configured to use the 10.0.0.0 CIDR block. A staging VPC is attached to the staging segment in us-west-1 and is configured to use the 10.5.0.0 CIDR block. The company has updated the route tables for both VPCs with a route that directs any traffic for 0.0.0.0/0 to the core network. The companys network team needs to establish communication between the two VPCs by using the AWS Cloud WAN core network. The network team is not receiving a response during tests of communication between the VPCs. The network team has verified that security groups and network ACLs are not blocking the traffic. What should the network team do to establish this communication?

A : Update both VPC route tables to have a new static route. Configure a route on the development VPC to direct the traffic for 10.0.0.0 to the development VPC attachment. Configure a route on the staging VPC to direct the traffic for 10.5.0.0 to the staging VPC attachment.

B : Update the segment filter to allow traffic on the development and staging segments.

C : Set the isolate-attachments parameter to False for the development and staging segments.

D : Update the core network policy to add a static route for each segment. Configure a route to direct the traffic for 10.0.0.0 to the development VPC attachment. Configure a route to direct the traffic for 10.5.0.0 to the staging VPC attachment.

Answer: D

Question 5

A company recently implemented a security policy that prohibits developers from launching VPC network infrastructure. The policy states that any time a NAT gateway is launched in a VPC, the company's network security team must immediately receive an alert to terminate the NAT gateway. The network security team needs to implement a solution that can be deployed across AWS accounts with the least possible administrative overhead. The solution also must provide the network security team with a simple way to view compliance history. Which solution will meet these requirements?

A : Develop a script that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the script on an Amazon EC2 instance in each account. Use a cron job to run the script every 5 minutes. Log the results of the checks to an Amazon RDS for MySQL database.

B : Create an AWS Lambda function that programmatically checks for NAT gateways in an AWS account, sends an email alert, and terminates the NAT gateway if a NAT gateway is detected. Deploy the Lambda function to each account by using AWS Serverless Application Model (AWS SAM) templates. Store the results of the checks on an Amazon OpenSearch Service cluster in each account.

C : Enable Amazon GuardDuty. Create an Amazon EventBridge rule for the Behavior:EC2/NATGatewayCreation GuardDuty finding type. Configure the rule to invoke an AWS Step Functions state machine to send an email alert and terminate a NAT gateway if a NAT gateway is detected. Store the runtime log as a text file in an Amazon S3 bucket.

D : Create a custom AWS Config rule that checks for NAT gateways in an AWS account. Configure the AWS Config rule to perform an AWS Systems Manager Automation remediation action to send an email alert and terminate the NAT gateway if a NAT gateway is detected. Deploy the AWS Config rule and the Systems Manager runbooks to each account by using AWS CloudFormation StackSets

Answer: D