Question 1

A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets. The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zones and EC2 instances. All connections from the same client session must be connected to the same EC2 instance. The company must provide end-toend encryption for all connections between the clients and the application by using the application SSL certificate. Which solution will meet these requirements?

Options :

A :

Create a Network Load Balancer. Create a target group. Set the protocol to TCP and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TCP and the port to 443 for the listener. Deploy SSL certificates to the EC2 instances.

B :

Create an Application Load Balancer. Create a target group. Set the protocol to HTTP and the port to 80 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTPS listener. Set the default action to forward to the target group. Use AWS Certificate Manager (ACM) to create a certificate for the listener.

C :

Create a Network Load Balancer. Create a target group. Set the protocol to TLS and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TLS and the port to 443 for the listener. Use AWS Certificate Manager (ACM) to create a certificate for the application.

D :

Create an Application Load Balancer. Create a target group. Set the protocol to HTTPS and the port to 443 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTP listener. Set the port to 443 for the listener. Set the default action to forward to the target group.

Answer: A

Question 2

A company runs an application on Amazon EC2 instances. A network engineer implements a NAT gateway in the application's VPC to replace self-managed NAT instances. After the network engineer shifts traffic from the self-managed NAT instances to the NAT gateway, users begin to report issues. During troubleshooting, the network engineer discovers that the connection to the application is closing after approximately 6 minutes of inactivity. What should the network engineer do to resolve this issue?

Options :

A :

Check for increases in the Amazon CloudWatch IdleTimeoutCount metric for the NAT gateway. Configure TCP keepalive on the application EC2 instances.

B :

Check for increases in the Amazon CloudWatch ErrorPortAIlocation metric for the NAT gateway. Configure an HTTP timeout value on the application EC2 instances.

C :

Check for increases in the Amazon CloudWatch PacketsDropCount metric for the NAT gateway. Configure an HTTPS timeout value on the application EC2 instances.

D :

Check for decreases in the Amazon CloudWatch ActiveConnectionCount metric for the NAT gateway. Configure UDP keepalive on the application EC2 instances.

Answer: A

Question 3

A company has an application that runs on premises. The application needs to communicate with an application that runs in a VPC on AWS. The communication between the applications must be encrypted and must use private IP addresses. The communication cannot travel across the public internet. The company has established a 1 Gbps AWS Direct Connect connection between the on-premises location and AWS. Which solution will meet the connectivity requirements with the LEAST operational overhead?

Options :

A :

Configure a private VIF on the Direct Connect connection. Associate the private VIF with the VPC's virtual private gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the virtual private gateway.

B :

Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

C :

Configure a public VIF on the Direct Connect connection. Associate the public VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.

D :

Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up a third-party firewall in a new VPC that is attached to the transit gateway. Set up a VPN connection to the third-party firewall.

Answer: D

Question 4

The networking team at an e-commerce company has created a VPC with CIDR 21.5.0.0/16 with only a private subnet and VPN connection to the on-premises data center using the AWS VPC wizard. The team wants to connect to the instance in a private subnet over SSH. How would you define the security rule for SSH?

Options :

A :

Allow Inbound traffic on port 80 and port 22 to allow the user to connect to a private subnet over the internet

B : Allow Inbound traffic on port 22 from the public subnet having a bastion host

C : Allow Inbound traffic on port 22 from the on-premises network

D : Allow Inbound traffic on port 80 and port 22 from the public subnet having a bastion host

Answer: C

Question 5

A company's AWS infrastructure is spread across more than 50 accounts and across five AWS Regions. The company needs to manage its security posture with simplified administration and maintenance for all the AWS accounts. The company wants to use AWS Firewall Manager to manage the firewall rules and requirements. The company creates an organization with all features enabled in AWS Organizations. Which combination of steps should the company take next to meet the requirements? (Select THREE.)

Options :

A : Configure only the Firewall Manager administrator account to join the organization.

B : Configure all the accounts to join the organization.

C : Set an account as the Firewall Manager administrator account.

D : Set an account as the Firewall Manager child account.

E : Set up AWS Config for all the accounts and all the Regions where the company has resources.

F : Set up AWS Config for only the organization-s management account.

Answer: B,C,E