Question 1

An application's EC2 instances are located in a private subnet and these instances access sensitive data in S3 via a NAT gateway deployed in a public subnet. The S3 bucket is located in the same AWS Region as the EC2 instances. The development team at the company wants to ensure that this bucket can be accessed only from the VPC where the application resides. As an AWS Certified Networking Specialist, which of the following solutions would you suggest to meet these requirements?

Options :

A :

Create an S3 bucket policy and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range and deny all other IP address ranges

B :

Create a new IAM role for the EC2 instances that provides access to the S3 bucket and assign the role to the application instances. Set up an S3 bucket policy to allow access only from the role

C :

Set up an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint

D : Set up an Origin Access Identity (OAI) for the S3 bucket and allow access only from within the VPC

Answer: C

Question 2

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP addresses (10.1.0.0/24). A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of 10.1.0.0/24. What should the network engineer do next to meet the requirements?

Options :

A : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a public NAT Sateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

public NAT gateway in the corresponding Availability

Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to

send traffic destined for the application to the transit

gateway.

B : In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range.

Create a private NAT gateway in each of the new

subnets. Update the route tables that are associated with other subnets to route application traffic to the

private NAT gateway in the corresponding

Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT

gateways to send traffic destined for the application to

the transit gateway.

C : In the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the private NAT gateway. Add a route to the

route table that is associated with the subnet of the

private NAT gateway to send traffic destined for the application to the transit gateway.

D : In the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the

new subnet. Update the route tables that are

associated with other subnets to route application traffic to the public NAT gateway. Add a route to the

route table that is associated with the subnet of the

public NAT gateway to send traffic destined for the application to the transit gateway.

Answer: B

Question 3

A retail company operates its IT infrastructure in a hybrid cloud configuration with the on-premises data center connected to the AWS Cloud via an AWS Site-to-Site VPN connection. The networking team has set up an AWS VPC with a CIDR range of 10.0.0.0/16 and the on-premises network has a CIDR range of 172.31.0.0/24. The VPC's route table also has a static route to an internet gateway and a propagated route to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. Which of the following represents a correct statement regarding the routing for traffic destined to the on-premises network?

Options :

A : All traffic destined for 172.31.0.0/24 is routed via the internet gateway

B : All traffic destined for 172.31.0.0/24 is routed via the virtual private gateway

C :

All traffic destined for 172.31.0.0/24 could be routed via the internet gateway or the virtual private gateway as decided by the router randomly

D :

The on-premises network would be unreachable as the local route would be preferred for all traffic destined for 172.31.0.0/24

Answer: A

Question 4

A Network Engineer is designing a system on AWS that will leverage Amazon CloudFront for content caching and for protecting the underlying origin. The security team has flagged a concern of a probable attack on the origin server IP addresses, despite it being served by CloudFront. Suggest a solution that provides the strongest level of protection to the origin server?

Options :

A : Configure private access to content by using special CloudFront signed URLs or signed cookies

B :

Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header

C :

Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront

D :

Configure Origin Access Identity(OAI) on the origin server, which will only allow requests originating from CloudFront

Answer: B

Question 5

A company runs an application on Amazon EC2 instances. A network engineer implements a NAT gateway in the application's VPC to replace self-managed NAT instances. After the network engineer shifts traffic from the self-managed NAT instances to the NAT gateway, users begin to report issues. During troubleshooting, the network engineer discovers that the connection to the application is closing after approximately 6 minutes of inactivity. What should the network engineer do to resolve this issue?

Options :

A :

Check for increases in the Amazon CloudWatch IdleTimeoutCount metric for the NAT gateway. Configure TCP keepalive on the application EC2 instances.

B :

Check for increases in the Amazon CloudWatch ErrorPortAIlocation metric for the NAT gateway. Configure an HTTP timeout value on the application EC2 instances.

C :

Check for increases in the Amazon CloudWatch PacketsDropCount metric for the NAT gateway. Configure an HTTPS timeout value on the application EC2 instances.

D :

Check for decreases in the Amazon CloudWatch ActiveConnectionCount metric for the NAT gateway. Configure UDP keepalive on the application EC2 instances.

Answer: A