AWS Networking Solutions Guide

Uploaded by wei chen

Expert Verified, Online, Free.


Topic 1 - Exam A

Question #1 Topic 1

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?

A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.

D. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Correct Answer: D

Community vote distribution: (63%) B (38%)

Question #2 Topic 1

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user's IP address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?

A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.

B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.

C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.

D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.

Correct Answer: A

Community vote distribution: A (75%) B (25%)

Question #3 Topic 1

A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS. The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.
Which solution will meet these requirements?

A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.

B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.

C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.

D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.

Correct Answer: A

Community vote distribution: A (56%) D (44%)

Question #4 Topic 1

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?

A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.

B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.

C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.

D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.

Correct Answer: C

Community vote distribution: C (75%) B (25%)

Question #5 Topic 1

A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?

A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.

B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.

C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.

D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.

Correct Answer: A

Community vote distribution: A (57%) B (43%)

Question #6 Topic 1

A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)

A. Deploy the SaaS service endpoint behind a Network Load Balancer.

B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.

C. Deploy the SaaS service endpoint behind an Application Load Balancer.

D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.

E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.

Correct Answer: CD

Community vote distribution: AB (100%)

Question #7 Topic 1

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.

B. Set up AWS WAF on all network components.

C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.

D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.

E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.

F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct Answer: BDF

Community vote distribution: DEF (100%)

Question #8 Topic 1

A retail company is running its service on AWS. The company's architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.

B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.

C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.

D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Correct Answer: CD

Community vote distribution: AD (100%)

Question #9 Topic 1

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment.
The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?

A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.

C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Correct Answer: B

Community vote distribution: C (67%) B (33%)

Question #10 Topic 1

A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?

A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.

B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.

C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.

D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

Correct Answer: B

Community vote distribution: B (100%)

Question #11 Topic 1

A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers.
Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems.
Which combination of steps will meet these requirements? (Choose two.)

A. Configure the BIND DNS servers in the central VPC to forward queries for efs.us-east-1.amazonaws.com to the Amazon provided DNS server (169.254.169.253).

B. Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution.

C. Create an Amazon Route 53 Resolver inbound endpoint in the central VPC. Update all the VPC DHCP options sets to use the Route 53 Resolver inbound endpoint in the central VPC for name resolution.

D. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.

E. Create an Amazon Route 53 private hosted zone for the efs.us-east-1.amazonaws.com domain. Associate the private hosted zone with the VPC where the EC2 instance is deployed. Create an A record for fs-33444567d.efs.us-east-1.amazonaws.com in the private hosted zone. Configure the A record to return the mount target of the EFS mount point.

Correct Answer: AB

Community vote distribution: BD (100%)

Question #12 Topic 1

An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?

A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB's target group.

B. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certificate. Set the Auto Scaling group as the distribution's origin.

C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.

D. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.

Correct Answer: A

Community vote distribution: C (100%)

Question #13 Topic 1

A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?

A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.

B. Change the router configurations to summarize the advertised routes.

C. Open a support ticket to increase the quota on advertised routes to the VPC route table.

D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.

Correct Answer: D

Community vote distribution: B (100%)

Question #14 Topic 1

A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal.
The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams.
The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access.

B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.

C. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.

D. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain.

E. Launch two Amazon EC2 instances in the shared AWS account. Install BIND on each instance. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS account. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the IP addresses of the BIND servers.

F. Create a private hosted zone in the shared AWS account for each account that runs the service. Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.

Correct Answer: CEF

Community vote distribution: BDF (67%) ABF (33%)

Question #15 Topic 1

A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?

A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.

B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.

C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.

D. Modify the transit gateway by selecting multicast support.

Correct Answer: B

Community vote distribution: B (100%)

Question #16 Topic 1

A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.
In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.

B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0.

C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.

D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.

E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch. Associate the new security group with the endpoint network interfaces.

F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.

Correct Answer: BDF

Community vote distribution: ACD (83%) ABD (17%)

Question #17 Topic 1

An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company's infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service providers.
The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols for reliable transmission of the data they collect. The IoT devices have both landline and mobile internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions. The company will use Amazon Route 53 for DNS services.
A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud.
Which solution will meet these requirements with the HIGHEST availability?

A. Set up an Amazon CloudFront distribution with origin failover. Create an origin group for each Region where the solution is deployed.

B. Set up Route 53 latency-based routing. Add latency alias records. For the latency alias records, set the value of Evaluate Target Health to Yes.

C. Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health checks.

D. Set up Bring Your Own IP (BYOIP) addresses. Use the same PI addresses for each Region where the solution is deployed.

Correct Answer: C

Community vote distribution: C (100%)

Question #18 Topic 1

A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.
Which solution will meet these requirements while providing the HIGHEST throughput?

A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.

B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.

C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.

D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.

Correct Answer: D

Community vote distribution: C (83%) D (17%)

Question #19 Topic 1

A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back.
What should the network engineer do to resolve the error?

A. Change the order of resource creation in the CloudFormation template.

B. Add the DependsOn attribute to the resource declaration for the virtual private gateway. Specify the route table entry resource.

C. Add a wait condition in the template to wait for the creation of the virtual private gateway.

D. Add the DependsOn attribute to the resource declaration for the route table entry. Specify the virtual private gateway resource.

Correct Answer: D

Community vote distribution: D (100%)

Question #20 Topic 1

A company operates its IT services through a multi-site hybrid infrastructure. The company deploys resources on AWS in the us-east-1 Region and
in the eu-west-2 Region. The company also deploys resources in its own data centers that are located in the United States (US) and in the United
Kingdom (UK). In both AWS Regions, the company uses a transit gateway to connect 15 VPCs to each other. The company has created a transit
gateway peering connection between the two transit gateways. The VPC CIDR blocks do not overlap with each other or with IP addresses used
within the data centers. The VPC CIDR pre xes can also be aggregated either on a Regional level or for the company's entire AWS environment.
The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through Interior BGP
(iBGP) sessions. The data centers maintain connectivity to AWS through one AWS Direct Connect connection in the US and one Direct Connect
connection in the UK. Each Direct Connect connection is terminated on a Direct Connect gateway and is associated with a local transit gateway
through a transit VIF.
Traffic follows the shortest geographical path from source to destination. For example, packets from the UK data center that are targeted to
resources in eu-west-2 travel across the local Direct Connect connection. In cases of cross-Region data transfers, such as from the UK data center
to VPCs in us-east-1, the private WAN connection must be used to minimize costs on AWS. A network engineer has configured each transit
gateway association on the Direct Connect gateway to advertise VPC-specific CIDR IP prefixes only from the local Region. The routes toward the
other Region must be learned through BGP from the routers in the other data center in the original, non-aggregated form.
The company recently experienced a problem with cross-Region data transfers because of issues with its private WAN connection. The network
engineer needs to modify the routing setup to prevent similar interruptions in the future. The solution cannot modify the original traffic routing
goal when the network is operating normally.
Which modifications will meet these requirements? (Choose two.)

A. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add the company's
entire AWS environment aggregate route to the list of subnets advertised through the local Direct Connect connection.

B. Add the CIDR prefixes from the other Region VPCs and the local VPC CIDR blocks to the list of subnets advertised through the local Direct
Connect connection. Configure data center routers to make routing decisions based on the BGP communities received.

C. Add the aggregate IP prefix for the other Region and the local VPC CIDR blocks to the list of subnets advertised through the local Direct
Connect connection.

D. Add the aggregate IP prefix for the company's entire AWS environment and the local VPC CIDR blocks to the list of subnets advertised
through the local Direct Connect connection.

E. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add both Regional
aggregate IP prefixes to the list of subnets advertised through the Direct Connect connection on both sides of the network. Configure data
center routers to make routing decisions based on the BGP communities received.

Correct Answer: BC

Community vote distribution


CE (57%) 14% 14% Other
Question #21 Topic 1

A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has
configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2
instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution
that can scale to meet the demand of the mirrored traffic.
Which solution will meet these requirements?

A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group.
Use Traffic Mirroring as necessary.

B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling
group. Use Traffic Mirroring only during non-business hours.

C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scaling group.
Use Traffic Mirroring as necessary.

D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2
instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.

Correct Answer: A

Community vote distribution


C (67%) A (33%)

Question #22 Topic 1

A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company
has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The
applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using
corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone for
aws.example.com to host the VPC resources.
The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. The
company's on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in the
VPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the
on-premises data center. The company has decided to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints.
Which combination of steps should a network engineer take to make this replacement? (Choose three.)

A. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the outbound endpoint.

B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.

C. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.

D. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.

E. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.

F. Configure the on-premises DNS resolver to forward aws.example.com queries to the IP addresses of the outbound endpoint.

Correct Answer: BDF

Community vote distribution


BCE (100%)
Question #23 Topic 1

A government contractor is designing a multi-account environment with multiple VPCs for a customer. A network security policy requires all traffic
between any two VPCs to be transparently inspected by a third-party appliance.
The customer wants a solution that features AWS Transit Gateway. The setup must be highly available across multiple Availability Zones, and the
solution needs to support automated failover. Furthermore, asymmetric routing is not supported by the inspection appliances.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)

A. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the
inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group.
Create a Network Load Balancer (NLB), and set it up to forward to the newly created target group. Configure a default route in the inspection
VPC’s transit gateway subnet toward the NLB.

B. Deploy two clusters that consist of multiple appliances across multiple Availability Zones in a designated inspection VPC. Connect the
inspection VPC to the transit gateway by using a VPC attachment. Create a target group, and register the appliances with the target group.
Create a Gateway Load Balancer, and set it up to forward to the newly created target group. Configure a default route in the inspection VPC’s
transit gateway subnet toward the Gateway Load Balancer endpoint.

C. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate
the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the inspection route table. Define a static
default route in the application route table. Enable appliance mode on the attachment that connects the inspection VPC.

D. Configure two route tables on the transit gateway. Associate one route table with all the attachments of the application VPCs. Associate
the other route table with the inspection VPC’s attachment. Propagate all VPC attachments into the application route table. Define a static
default route in the inspection route table. Enable appliance mode on the attachment that connects the inspection VPC.

E. Configure one route table on the transit gateway. Associate the route table with all the VPCs. Propagate all VPC attachments into the route
table. Define a static default route in the route table.

Correct Answer: BD

Community vote distribution


BC (100%)
Question #24 Topic 1

A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC,
including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be
allowed to open communications directly to the EC2 instances.
The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to
and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to
its data center from a single IP address.
Which solution will meet these requirements with the LEAST amount of operational overhead?

A. Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on
premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.

B. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if
the EC2 instances in the VPC initiate the traffic.

C. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private.
Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.

D. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall to allow
connections from the IP address that is assigned to the NAT instance.

Correct Answer: C

Community vote distribution


C (100%)

Question #25 Topic 1

A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company
hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each
Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company
has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps.
The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architecture and
allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers. This traffic
will increase over time.
Which solution will meet these requirements?

A. Set up an AWS Direct Connect connection from each data center to AWS in each Region. Create and attach private VIFs to a single Direct
Connect gateway. Attach the Direct Connect gateway to all the VPCs. Remove the existing VPN connections that are attached directly to the
virtual private gateways.

B. Create a single transit gateway with VPN connections from each data center. Share the transit gateway with each account by using AWS
Resource Access Manager (AWS RAM). Attach the transit gateway to each VPC. Remove the existing VPN connections that are attached
directly to the virtual private gateways.

C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transit
gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each
VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.

D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC. Create new VPN connections
from each data center to the transit VPCs. Terminate the original VPN connections that are attached to all the original VPCs. Retain the new
VPN connection to the new transit VPC in each Region.

Correct Answer: A

Community vote distribution


C (67%) B (33%)
Question #26 Topic 1

A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website
has static content such as images. The company is using Amazon S3 to store the content.
The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group
behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpages.
The company is using AWS Direct Connect with a public VIF for on-premises connectivity to the S3 bucket.
A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing through a NAT gateway. As traffic increases, the
company's costs are increasing. The network engineer needs to change the connectivity to reduce the NAT gateway costs that result from the
traffic between the EC2 instances and Amazon S3.
Which solution will meet these requirements?

A. Create a Direct Connect private VIF. Migrate the traffic from the public VIF to the private VIF.

B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF.

C. Implement interface VPC endpoints for Amazon S3. Update the VPC route table.

D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table.

Correct Answer: D

Community vote distribution


D (100%)

Question #27 Topic 1

A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit
gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct
Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises
over Direct Connect.
What should a network engineer do to meet these requirements?

A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes. Configure a CloudWatch alarm to send notifications
when routes change.

B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use Amazon EventBridge (Amazon CloudWatch Events)
to send notifications when routes change.

C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes
change.

D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes. Create a metric filter. Set an alarm on the filter to send
notifications when routes change.

Correct Answer: D

Community vote distribution


B (100%)
Question #28 Topic 1

A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires
connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and
its on-premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS
and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational overhead?

A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.

B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute
traffic from the Direct Connect private VIF to the new VPNs.

C. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the new
Direct Connect connections. Decommission the original Direct Connect connections.

D. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections.
Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site
connections. Decommission the original Direct Connect connections.

Correct Answer: C

Community vote distribution


C (50%) B (50%)

Question #29 Topic 1

A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced a
network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and
user agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?

A. Configure the ALB to store logs in an Amazon S3 bucket. Download the files from Amazon S3, and use a spreadsheet application to analyze
the logs.

B. Configure the ALB to push logs to Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics to analyze the logs.

C. Configure Amazon Kinesis Data Streams to stream data from the ALB to Amazon OpenSearch Service (Amazon Elasticsearch Service). Use
search operations in Amazon OpenSearch Service (Amazon Elasticsearch Service) to analyze the data.

D. Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.

Correct Answer: D

Community vote distribution


D (100%)
Question #30 Topic 1

A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network.
The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling
group. The company's customers access the website by using service.example.com as the CloudFront custom domain name. The CloudFront
origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)

A. Create a self-signed certificate for service.example.com. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront
to use this imported SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.

B. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS
certificate. Change the default behavior to redirect HTTP to HTTPS.

C. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instances. Configure the backend to use
this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol
for its targets. Attach the existing Auto Scaling group to this new target group.

D. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use
this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol
for its targets. Attach the existing Auto Scaling group to this new target group.

E. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB, add a new HTTPS listener that uses
the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete
the HTTP listener on the ALB.

F. Create a self-signed certificate for service-alb.example.com. Import the certificate into AWS Certificate Manager (ACM). On the ALB, add a
new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificate. Modify the CloudFront origin
to use the HTTPS protocol only. Delete the HTTP listener on the ALB.

Correct Answer: BCE

Community vote distribution


BDE (100%)

Question #31 Topic 1

A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances
in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group.
The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone.
What is the MOST operationally efficient solution to resolve this issue?

A. Enable the new Availability Zone on the NLB

B. Create a new NLB for the instances in the second Availability Zone

C. Enable proxy protocol on the NLB

D. Create a new target group with the instances in both Availability Zones

Correct Answer: A

Community vote distribution


A (100%)
Question #32 Topic 1

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture.
The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface, the network appliance requires a second network interface that will be used exclusively by the
application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP
address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?

A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private
subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.

B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after
boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.

C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function,
assign a network interface to an AWS Global Accelerator endpoint.

D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init
script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Correct Answer: D

Question #33 Topic 1

A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and
its internet applications, all of which are offered from the same domain name.
A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The
application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP
addresses assigned. The backend components are deployed in private subnets from RFC1918.
Components of the application need to be able to access other components of the application within the application's VPC by using the same host
names as the host names that are used over the public internet. The network engineer also needs to accommodate future DNS changes, such as
the introduction of new host names or the retirement of DNS entries.
Which combination of steps will meet these requirements? (Choose three.)

A. Add a geoproximity routing policy in Route 53.

B. Create a Route 53 private hosted zone for the same domain name. Associate the application’s VPC with the new private hosted zone.

C. Enable DNS hostnames for the application's VPC.

D. Create entries in the private hosted zone for each name in the public hosted zone by using the corresponding private IP addresses.

E. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that runs when AWS CloudTrail logs a Route 53 API call to the public
hosted zone. Create an AWS Lambda function as the target of the rule. Configure the function to use the event information to update the
private hosted zone.

F. Add the private IP addresses in the existing Route 53 public hosted zone.

Correct Answer: BCD

Community vote distribution


BCD (75%) BDE (25%)
Question #34 Topic 1

A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon
ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over
an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale
in a manageable way as more consumers use the application.
Which solution will meet these requirements?

A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the
target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS
accounts. Update the route tables so that the AWS accounts can reach the GLB.

B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the
application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint
service for the ALB. Share the VPC endpoint service with other AWS accounts.

C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the
application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the
external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB.

D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a
VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.

Correct Answer: D

Community vote distribution


D (67%) B (33%)

Question #35 Topic 1

A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of
192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target
of a Network Load Balancer (NLB).
The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do
not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment
with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128.0/17.
A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments.
Which solution will meet these requirements?

A. Create a VPC peering connection between the web service VPC and the existing production VPC. Add a routing rule to the appropriate route
table to allow data to flow to 192.168.224.0/19 from the existing production environment and to flow to 192.168.128.0/17 from the web
service environment. Configure the relevant security groups and ACLs to allow the systems to communicate.

B. Ask the development team of the web service to redeploy the web service into the production VPC and integrate the systems there.

C. Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the web service. Create an interface VPC endpoint for
the web service in the existing production VPC.

D. Create a transit gateway in the existing production environment. Create attachments to the production VPC and the web service VPC.
Configure appropriate routing rules in the transit gateway and VPC route tables for 192.168.224.0/19 and 192.168.128.0/17. Configure the
relevant security groups and ACLs to allow the systems to communicate.

Correct Answer: C

Community vote distribution


C (100%)
Question #36 Topic 1

A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming release of a new application. The application is
hosted in a VPC in the AWS Cloud. The company's current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit
gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company's on-premises devices have
been updated to support the new IPv6 requirements.
The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-
stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets.
When updating the hybrid network to support IPv6, the network engineer must avoid making any changes to the current infrastructure. The network
engineer also must block direct access to the instances' new IPv6 addresses from the internet. However, the network engineer must allow
outbound internet access from the instances.
What is the MOST operationally efficient solution that meets these requirements?

A. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN
connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to
provide connectivity within the VPC and between the VPC and the on-premises devices.

B. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Update the existing VPN
connection to support IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to
provide connectivity within the VPC and between the VPC and the on-premises devices.

C. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection
that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide
connectivity within the VPC and between the VPC and the on-premises devices.

D. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection
that supports IPv6 connectivity. Add a NAT gateway. Update any affected VPC security groups and route tables to provide connectivity within
the VPC and between the VPC and the on-premises devices.

Correct Answer: B

Community vote distribution


A (100%)

Question #37 Topic 1

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a
unique random session key.
What should the network engineer do to meet this requirement?

A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only

B. Use AWS Key Management Service (AWS KMS) to encrypt session keys

C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS)

D. Change the ALB security policy to a policy that supports forward secrecy (FS)

Correct Answer: D

Community vote distribution


D (100%)
Question #38 Topic 1

A company has deployed a software-de ned WAN (SD-WAN) solution to interconnect all of its o ces. The company is migrating workloads to
AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to
company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?

A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more
specific to point to the primary SD-WAN virtual appliance.

B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.

C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.

D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.

Correct Answer: A

Community vote distribution


D (100%)

Question #39 Topic 1

A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a
transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to
the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are
attached to the transit gateway.
Which solution will meet these requirements?

A. Create a new VPC for the SD-WAN hub virtual appliance. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and
the transit gateway. Configure BGP over the IPsec VPN connections.

B. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit
gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters.
Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

C. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Create two
IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.

D. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit
gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the VXLAN and BGP
parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

Correct Answer: D
Question #40 Topic 1

A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached
to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission.
How should a network engineer con gure the AWS resources to meet these requirements?

A. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain.
Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to
all receivers and to allow UDP traffic that is sent to the multicast group address.

B. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain.
Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to
all receivers and to allow TCP traffic that is sent to the multicast group address.

C. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable
subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to
allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.

D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable
subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to
allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

Correct Answer: C

Community vote distribution


C (100%)

Question #41 Topic 1

A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different
paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public
websites. The application requires the customer’s source IP addresses.
A network engineer must implement a load balancing strategy that meets these requirements.
Which combination of actions should the network engineer take to accomplish this goal? (Choose two.)

A. Use a Network Load Balancer

B. Retrieve client IP addresses by using the X-Forwarded-For header

C. Use AWS App Mesh load balancing

D. Retrieve client IP addresses by using the X-IP-Source header

E. Use an Application Load Balancer.

Correct Answer: BE
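Because an Application Load Balancer terminates the client connection, the backend only learns the original client address from the X-Forwarded-For header, and the ALB appends the address it accepted the connection from as the last element of that header, after anything the client already sent. The following parser is an added example written for this page, not code from the exam or from AWS; the header values are constructed, and the trusted-hop count and the naive comparison function are this example's own. It shows why the header must be read from the right and why a leftmost value, which the client controls, must never be used for IP allow-listing or rate limiting.

```python
import ipaddress
from typing import Optional

# Constructed sample X-Forwarded-For headers (not captured traffic).
# An ALB appends the address of the peer it accepted the TCP connection
# from as the LAST element, after anything the client already sent.
SAMPLES = {
    "direct": "203.0.113.10",
    # the client forged an internal-looking address before reaching the ALB
    "spoofed": "10.0.0.5, 203.0.113.10",
    # a known CDN/proxy (192.0.2.44) sits between the client and the ALB
    "chained": "198.51.100.7, 192.0.2.44, 203.0.113.10",
    "garbage": "not-an-ip, 203.0.113.10",
    "empty": "",
}


def naive_leftmost(header: str) -> Optional[str]:
    """The common mistake: trust the first (client-supplied) entry."""
    first = header.split(",")[0].strip()
    return first or None


def client_ip_from_xff(header: str, trusted_hops: int = 0) -> Optional[str]:
    """Return the client IP that the load balancer actually vouches for.

    The right-most entry was written by the ALB itself. If `trusted_hops`
    known proxies (for example one CDN) sit in front of the ALB and also
    append to the header, walk that many entries further left. Everything
    to the left of that position is attacker-controlled and is ignored.
    """
    parts = [p.strip() for p in header.split(",") if p.strip()]
    if not parts:
        return None
    index = len(parts) - 1 - trusted_hops
    if index < 0:
        return None  # fewer hops than expected; refuse to guess
    try:
        # ip_address() validates and normalises both IPv4 and IPv6 literals
        return str(ipaddress.ip_address(parts[index]))
    except ValueError:
        return None  # malformed entry from a hop we expected to trust
```

Restrict the target security group so that only the ALB can reach the instances; otherwise a caller that bypasses the ALB can send any X-Forwarded-For it likes and the right-most entry is no longer trustworthy. The ALB's `routing.http.xff_header_processing.mode` attribute (append, preserve, remove) controls whether the ALB appends to a client-supplied header at all.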
Question #42 Topic 1

A company is migrating its containerized application to AWS. For the architecture the company will have an ingress VPC with a Network Load
Balancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the
application will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include an NLB
that distributes traffic to the services pods in an EKS cluster.
The company is concerned about overall cost. User traffic will be responsible for more than 10 TB of data transfer from the ingress VPC to
services VPCs every month. A network engineer needs to recommend how to design the communication between the VPCs.
Which solution will meet these requirements at the LOWEST cost?

A. Create a transit gateway. Peer each VPC to the transit gateway. Use zonal DNS names for the NLB in the services VPCs to minimize
cross-AZ traffic from the ingress VPC to the services VPCs.

B. Create an AWS PrivateLink endpoint in every Availability Zone in the ingress VPC. Each PrivateLink endpoint will point to the zonal DNS
entry of the NLB in the services VPCs.

C. Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs. Use zonal DNS names for the NLB in the
services VPCs to minimize cross-AZ traffic from the ingress VPC to the services VPCs.

D. Create a transit gateway. Peer each VPC to the transit gateway. Turn off cross-AZ load balancing on the transit gateway. Use Regional DNS
names for the NLB in the services VPCs.

Correct Answer: C

Community vote distribution


C (100%)

Question #43 Topic 1

A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS
environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads
that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west
(VPC-to-VPC) traffic.
Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control
Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled
out security groups, stateful device configurations, and network ACLs as the cause of the dropped traffic.
What is causing the traffic to drop?

A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC.

B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.

C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC.

D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs.

Correct Answer: D

Community vote distribution


B (100%)
Question #44 Topic 1

A company has hundreds of Amazon EC2 instances that are running in two production VPCs across all Availability Zones in the us-east-1 Region.
The production VPCs are named
VPC A and VPC B.
A new security regulation requires all traffic between production VPCs to be inspected before the traffic is routed to its final destination. The
company deploys a new shared VPC that contains a stateful firewall appliance and a transit gateway with a VPC attachment across all VPCs to
route traffic between VPC A and VPC B through the firewall appliance for inspection. During testing, the company notices that the transit gateway
is dropping the traffic whenever the traffic is between two Availability Zones.
What should a network engineer do to fix this issue with the LEAST management overhead?

A. In the shared VPC, replace the VPC attachment with a VPN attachment. Create a VPN tunnel between the transit gateway and the firewall
appliance. Configure BGP.

B. Enable transit gateway appliance mode on the VPC attachment in VPC A and VPC B.

C. Enable transit gateway appliance mode on the VPC attachment in the shared VPC.

D. In the shared VPC, con gure one VPC peering connection to VPC A and another VPC peering connection to VPC B.

Correct Answer: B

Community vote distribution


C (100%)

Question #45 Topic 1

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must
always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the
EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a
change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?

A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log
records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an
alarm to notify the network engineer.

B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records
to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify
the network engineer.

C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the
destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security
group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in
case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the
security group occurs.

D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as
the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the
security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS
topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a
change to the security group occurs.

Correct Answer: C

Community vote distribution


D (80%) C (20%)
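The event-driven check that options C and D describe has three parts: an EventBridge rule that matches security group changes, a Lambda function that starts a Reachability Analyzer analysis on a pre-created path and waits for it, and an SNS publish when the path is not found. The code below is an added example written for this page, not code from the exam, from AWS, or from any project; it uses the boto3 method names and response shapes for `start_network_insights_analysis`, `describe_network_insights_analyses` and `publish`, but takes the clients as parameters and ships small offline fakes (FakeEC2, FakeSNS) so it runs without an AWS account. The path ID, topic ARN, environment variable names and the event-name list are assumptions. Reachability Analyzer paths take resources such as an internet gateway or an instance as endpoints, so the example assumes the path was created with the VPC's internet gateway as the source and the instance as the destination on port 443.

```python
import json
import time
from typing import Any, Dict, List

# EventBridge event pattern (constructed for this example) that fires on the
# CloudTrail records written when a security group's rules change.
SG_CHANGE_EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": [
            "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
            "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
            "ModifySecurityGroupRules",
        ],
    },
}

TERMINAL_STATES = ("succeeded", "failed")


def check_path(ec2: Any, sns: Any, path_id: str, topic_arn: str,
               poll_seconds: float = 5.0, max_polls: int = 24) -> bool:
    """Run one Reachability Analyzer analysis; alert when the path is not found.

    `ec2` and `sns` follow the boto3 client method names and response shapes.
    Returns True only when the analysis succeeded AND found a network path.
    """
    started = ec2.start_network_insights_analysis(NetworkInsightsPathId=path_id)
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    for _ in range(max_polls):
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id])["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in TERMINAL_STATES:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"analysis {analysis_id} did not finish in time")
    reachable = analysis["Status"] == "succeeded" and bool(analysis.get("NetworkPathFound"))
    if not reachable:
        # Explanations (when present) say which component blocked the path,
        # for example the security group rule that was just changed.
        sns.publish(
            TopicArn=topic_arn,
            Subject="Port 443 path to the application is broken",
            Message=json.dumps({"pathId": path_id, "analysisId": analysis_id,
                                "status": analysis["Status"],
                                "explanations": analysis.get("Explanations", [])}),
        )
    return reachable


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point invoked by the EventBridge rule; real clients are built here."""
    import os
    import boto3  # present in the Lambda runtime; imported lazily so this module loads offline
    reachable = check_path(boto3.client("ec2"), boto3.client("sns"),
                           os.environ["PATH_ID"], os.environ["TOPIC_ARN"])
    return {"reachable": reachable,
            "trigger": event.get("detail", {}).get("eventName")}


class FakeEC2:
    """Offline stand-in: reports 'running' once, then the configured outcome."""
    def __init__(self, path_found: bool):
        self.path_found = path_found
        self.describe_calls = 0

    def start_network_insights_analysis(self, NetworkInsightsPathId: str):
        return {"NetworkInsightsAnalysis": {"NetworkInsightsAnalysisId": "nia-example",
                                            "Status": "running"}}

    def describe_network_insights_analyses(self, NetworkInsightsAnalysisIds: List[str]):
        self.describe_calls += 1
        status = "running" if self.describe_calls == 1 else "succeeded"
        return {"NetworkInsightsAnalyses": [{
            "NetworkInsightsAnalysisId": NetworkInsightsAnalysisIds[0],
            "Status": status, "NetworkPathFound": self.path_found}]}


class FakeSNS:
    """Offline stand-in that records what would have been published."""
    def __init__(self):
        self.published: List[Dict[str, str]] = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "msg-example"}
```

The Lambda execution role needs `ec2:StartNetworkInsightsAnalysis`, `ec2:DescribeNetworkInsightsAnalyses` and `sns:Publish` on the topic; an analysis takes on the order of tens of seconds, so set the function timeout above `poll_seconds * max_polls`.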
Question #46 Topic 1

A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing
resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes
Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate
subnets within the same VPC and have a Cluster Autoscaler con gured.
The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team
wants to limit the number of flow logs and wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?

A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the
dstaddr field in the flow logs.

B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the
flow logs.

C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in
the flow logs.

D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the
pkt-dstaddr field in the flow logs.

Correct Answer: D

Community vote distribution


D (67%) B (33%)
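The reason the custom format matters: with the Amazon VPC CNI, a pod's IP is a secondary address on the node's network interface, and for traffic inside the VPC the default srcaddr/dstaddr fields record the interface's own address while pkt-srcaddr/pkt-dstaddr record the original packet addresses, which is where the pod IP appears. The parser below is an added example written for this page, not code from the exam or from AWS. The custom format string, the interface ID and the log records are constructed for the example; it shows how to recover pod-to-service pairs (and the rejected attempts an auditor cares about) by comparing the two address pairs.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Custom flow log format assumed for this example; each record's fields
# appear in the same order as the ${...} placeholders.
LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} ${pkt-srcaddr} "
              "${pkt-dstaddr} ${srcport} ${dstport} ${protocol} ${action} ${log-status}")

# Constructed records (not real logs). 10.0.1.20 is the node ENI's primary
# address; 10.0.1.137 and 10.0.1.140 are pod addresses assigned by the VPC CNI.
SAMPLE_LINES = [
    "2 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.55 10.0.1.137 10.0.2.55 41522 5432 6 ACCEPT OK",
    "2 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.3.9 10.0.1.137 10.0.3.9 41523 6379 6 REJECT OK",
    "2 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.55 10.0.1.140 10.0.2.55 52001 5432 6 ACCEPT OK",
    # return traffic: the ENI is the destination and the pod shows in pkt-dstaddr
    "2 eni-0a1b2c3d4e5f6a7b8 10.0.2.55 10.0.1.20 10.0.2.55 10.0.1.137 5432 41522 6 ACCEPT OK",
    # the node itself (kubelet, DNS): packet addresses equal the ENI addresses
    "2 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.0.2 10.0.1.20 10.0.0.2 33001 53 17 ACCEPT OK",
    "2 eni-0a1b2c3d4e5f6a7b8 - - - - - - - - NODATA",
]

Flow = Tuple[str, int, str]  # (peer address, service port, action)


def parse_format(fmt: str) -> List[str]:
    """Turn '${a} ${b-c}' into ['a', 'b-c']."""
    return re.findall(r"\$\{([a-z-]+)\}", fmt)


def parse_line(line: str, fields: List[str]) -> Dict[str, str]:
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    return dict(zip(fields, values))


def pod_service_map(lines: List[str], fmt: str = LOG_FORMAT) -> Dict[str, Set[Flow]]:
    """Map each pod IP to the (peer, service port, action) flows it took part in.

    A pod is recognised when the packet-level address differs from the ENI
    address on the same side of the flow: outbound, pkt-srcaddr != srcaddr;
    inbound, pkt-dstaddr != dstaddr. Node-originated traffic, where both
    pairs match, is left out, as are NODATA/SKIPDATA records.
    """
    fields = parse_format(fmt)
    result: Dict[str, Set[Flow]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line, fields)
        if rec["log-status"] != "OK":
            continue  # every field is '-' in these records
        if rec["pkt-srcaddr"] != rec["srcaddr"]:
            pod, peer, port = rec["pkt-srcaddr"], rec["pkt-dstaddr"], int(rec["dstport"])
        elif rec["pkt-dstaddr"] != rec["dstaddr"]:
            pod, peer, port = rec["pkt-dstaddr"], rec["pkt-srcaddr"], int(rec["srcport"])
        else:
            continue
        result[pod].add((peer, port, rec["action"]))
    return dict(result)


def rejected_flows(pod_map: Dict[str, Set[Flow]]) -> List[Tuple[str, str, int]]:
    """Pod-to-service attempts that a security group or network ACL blocked."""
    return sorted((pod, peer, port)
                  for pod, flows in pod_map.items()
                  for peer, port, action in flows if action == "REJECT")
```

The same comparison is what distinguishes NAT gateway traffic from its originators, so the function is not EKS-specific. Flow logs sample at the ENI level and do not see pod-to-pod traffic that stays on the same node, so an empty result for a pair of pods is not proof that they never talked.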

Question #47 Topic 1

A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is
hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and
connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC
cluster can increase in size by five to seven times during the company's peak event at the end of the year.
The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries to the
default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domain names. The
company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDS and S3 bucket
endpoints.
Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?

A. Scale out the DNS service by adding two additional EC2 instances in the VPC. Recon gure half of the HPC cluster nodes to use these new
DNS servers. Plan to scale out by adding additional EC2 instance-based DNS servers in the future as the HPC cluster size grows.

B. Scale up the existing EC2 instances that the company is using as DNS servers. Change the instance size to the largest possible instance
size to accommodate the current DNS load and the anticipated load in the future.

C. Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for
on-premises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-based DNS
servers. Terminate the EC2 instances.

D. Create Route 53 Resolver inbound endpoints. Create rules on the on-premises DNS servers to forward queries to the default VPC resolver.
Reconfigure the HPC cluster nodes to forward all DNS queries to the on-premises DNS servers. Terminate the EC2 instances.

Correct Answer: C

Community vote distribution


C (100%)
Question #48 Topic 1

A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up
AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that
connects to a Direct Connect gateway that is associated with a transit gateway.
The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed
to the failover data center only in the case of an outage.
Which solution will meet these requirements?

A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100. Set the BGP community tag for all prefixes from the
failover data center to 7224:7300.

B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes from the
failover data center to 7224:7100.

C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300. Set the BGP community tag for all prefixes from the
failover data center to 7224:9100.

D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100. Set the BGP community tag for all prefixes from the
failover data center to 7224:9300.

Correct Answer: B
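Questions #38 and #48 both turn on how a BGP speaker picks one of several paths to the same prefix. On Direct Connect, AWS evaluates the local-preference communities 7224:7100 (low), 7224:7200 (medium) and 7224:7300 (high) first, then falls back to AS_PATH length; equal paths are installed together and load-balanced (ECMP). The simulator below is an added example written for this page, not code from the exam or from AWS, and it implements only those two steps of the decision process, leaving out the rest of the BGP tie-breakers. The peer names, ASNs, prefixes and the rank assigned to untagged prefixes are this example's assumptions. It reproduces the active/passive data center case and also the SD-WAN case, where two equal advertisements split traffic until AS_PATH prepending on the secondary appliance makes the primary win.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Local-preference communities that Direct Connect honours on prefixes
# advertised from on premises (as documented by AWS). Higher rank wins.
PREF_RANK = {"7224:7100": 1, "7224:7200": 2, "7224:7300": 3}
UNTAGGED_RANK = 2  # assumption for this example: untagged prefixes rank as medium


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str                  # the peer that advertised the prefix
    as_path: Tuple[int, ...]       # AS_PATH prepending makes this longer
    communities: FrozenSet[str] = frozenset()


def local_pref_rank(route: Route) -> int:
    ranks = [PREF_RANK[c] for c in route.communities if c in PREF_RANK]
    return max(ranks) if ranks else UNTAGGED_RANK


def best_paths(routes: List[Route]) -> Dict[str, List[Route]]:
    """Simplified best-path selection, per prefix.

    1. the highest local preference (from the community tag) wins;
    2. among those, the shortest AS_PATH wins;
    3. routes still tied are all returned, which is what ECMP installs.
    """
    by_prefix: Dict[str, List[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    chosen: Dict[str, List[Route]] = {}
    for prefix, cands in by_prefix.items():
        top = max(local_pref_rank(r) for r in cands)
        cands = [r for r in cands if local_pref_rank(r) == top]
        shortest = min(len(r.as_path) for r in cands)
        chosen[prefix] = [r for r in cands if len(r.as_path) == shortest]
    return chosen


def withdraw(routes: List[Route], next_hop: str) -> List[Route]:
    """Simulate a peer going down: every prefix it advertised is withdrawn."""
    return [r for r in routes if r.next_hop != next_hop]


def selected_next_hops(routes: List[Route], prefix: str) -> List[str]:
    return sorted(r.next_hop for r in best_paths(routes)[prefix])


# Active/passive data centers over Direct Connect (constructed scenario).
DX_ROUTES = [
    Route("10.10.0.0/16", "primary-dc", (65001,), frozenset({"7224:7300"})),
    Route("10.10.0.0/16", "failover-dc", (65001,), frozenset({"7224:7100"})),
]

# Two SD-WAN appliances advertising a default route with identical attributes.
SDWAN_EQUAL = [
    Route("0.0.0.0/0", "sdwan-primary", (65010,)),
    Route("0.0.0.0/0", "sdwan-secondary", (65010,)),
]

# The same, after AS_PATH prepending on the secondary appliance.
SDWAN_PREPENDED = [
    Route("0.0.0.0/0", "sdwan-primary", (65010,)),
    Route("0.0.0.0/0", "sdwan-secondary", (65010, 65010, 65010)),
]
```

Tagging the wrong way round (7224:7100 on the primary) silently inverts the failover order, and the symptom only appears under load, so verify the learned prefixes and their communities on both routers after any change rather than trusting the configuration.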

Question #49 Topic 1

A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The
application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding
metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS)
queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new
objects, perform proprietary image and video recognition and classification, update metadata in DynamoDB, and replace the objects with new
watermarked objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?

A. Place the EC2 instances in a public subnet. Disable the Auto-assign Public IP option while launching the EC2 instances. Create an internet
gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.

B. Place the EC2 instances in a private subnet. Create a NAT gateway in a public subnet in the same Availability Zone. Create an internet
gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway

C. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon
S3 and DynamoDB.

D. Place the EC2 instances in a private subnet. Create a gateway VPC endpoint for Amazon SQS. Create interface VPC endpoints for Amazon
S3 and DynamoDB.

Correct Answer: C

Community vote distribution


C (100%)
Question #50 Topic 1

A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1
Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1.
The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new
data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and
us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions
with the lowest possible latency.
How should the network engineer design the network architecture to meet these requirements?

A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Associate the transit
gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.

B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct
Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for
both transit VIFs. Peer the two transit gateways.

C. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct
Connect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct
Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.

D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Create a new Direct Connect
gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for the transit VIF and the private
VIF.

Correct Answer: C

Question #51 Topic 1

A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts
application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no
modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)

A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.

B. The security group is blocking traffic to the IP address range used by Amazon SQS.

C. There is no interface VPC endpoint configured for Amazon SQS.

D. The network ACL is blocking return traffic from Amazon SQS.

E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.

Correct Answer: CE

Community vote distribution


AC (100%)
Question #52 Topic 1

A network engineer needs to standardize a company's approach to centralizing and managing interface VPC endpoints for private communication
with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model.
The company's network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account.
The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without
sending traffic over the public internet.
What should the network engineer do to meet these requirements?

A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS
name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the
private hosted zone with the spoke VPCs in each AWS account.

B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS
name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each
private hosted zone with the shared services AWS account.

C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name.
Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private
hosted zone with the shared services AWS account.

D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name.
Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private
hosted zone with the spoke VPCs in each AWS account.

Correct Answer: A

Community vote distribution


A (100%)

Question #53 Topic 1

A development team is building a new web application in the AWS Cloud. The main company domain, example.com, is currently hosted in an
Amazon Route 53 public hosted zone in one of the company's production AWS accounts.
The developers want to test the web application in the company's staging AWS account by using publicly resolvable subdomains under the
example.com domain with the ability to create and delete DNS records as needed. Developers have full access to Route 53 hosted zones within
the staging account, but they are prohibited from accessing resources in any of the production AWS accounts.
Which combination of steps should a network engineer take to allow the developers to create records under the example.com domain? (Choose
two.)

A. Create a public hosted zone for example.com in the staging account.

B. Create a staging.example.com NS record in the example.com domain. Populate the value with the name servers from the
staging.example.com domain. Set the routing policy type to simple routing.

C. Create a private hosted zone for staging.example.com in the staging account.

D. Create an example.com NS record in the staging.example.com domain. Populate the value with the name servers from the example.com
domain. Set the routing policy type to simple routing.

E. Create a public hosted zone for staging.example.com in the staging account.

Correct Answer: BE

Community vote distribution


BE (100%)
Question #54 Topic 1

A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet
gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private
and share a route table that does not have a default route.
The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances
must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application
will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that
minimizes data transfer cost.
Which solution will meet these requirements?

A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the
S3 endpoint-specific DNS hostname.

B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT
gateway. Connect to Amazon S3 by using the NAT gateway.

C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets
during endpoint creation to create routes to Amazon S3.

D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the
S3 endpoint-specific DNS hostname.

Correct Answer: C
Question #55 Topic 1

A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC
to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?

A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity
account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Connectivity account: Create an attachment to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.

B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity
account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production
account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.

D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production
account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

Correct Answer: D

Community vote distribution


D (100%)

Question #56 Topic 1

A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application
vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2
instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a
notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware.
Which solution will meet this requirement with the LEAST operational effort?

A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.

B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.

C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic
inspection.

D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.

Correct Answer: C

Community vote distribution


A (75%) C (25%)
Question #57 Topic 1

A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an
Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses
AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB.
The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users
report that they can log in but that they cannot use the application. Every new web request restarts the login process.
What should a network engineer do to resolve this issue?

A. Modify the ALB listener configuration. Edit the rule that forwards traffic to the target group. Change the rule to enable group-level
stickiness. Set the duration to the maximum application session length.

B. Replace the ALB with a Network Load Balancer. Create a TLS listener. Create a new target group with the protocol type set to TLS. Register
the EC2 instances. Modify the target group configuration by enabling the stickiness attribute.

C. Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the
maximum application session length.

D. Remove the ALB. Create an Amazon Route 53 rule with a failover routing policy for the application name. Configure ACM to issue
certificates for each EC2 instance.

Correct Answer: C

Community vote distribution


C (100%)

Question #58 Topic 1

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances
now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly
accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7
minutes but that the client EC2 instances never received the response.
Which configuration change should a network engineer implement to resolve this issue?

A. Configure the NAT gateway timeout to allow connections for up to 600 seconds.

B. Enable enhanced networking on the client EC2 instances.

C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.

D. Close idle TCP connections through the NAT gateway.

Correct Answer: A

Community vote distribution


C (100%)

Question #59 Topic 1

A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region.
Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the
limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?

A. Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs.

B. Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private
gateways to the corporate network.

C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the
corporate network.

D. Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit
VIF to the Direct Connect gateway.

Correct Answer: A

Community vote distribution


D (100%)

Question #60 Topic 1

A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and
two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises
databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network
segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?

A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in
eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along
the path that has the lowest latency.

B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in
eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region
along the path that has the lowest latency.

C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in
eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along
the path that has the lowest latency.

D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in
eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region
along the path that has the lowest latency.

Correct Answer: D

Community vote distribution


D (100%)

Question #61 Topic 1

A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large
quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network
engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and
administrative overhead.
Which solution will meet these requirements?

A. Launch an Amazon EC2 instance in the VPC. Use Traffic Mirroring by specifying the NAT gateway as the source and the EC2 instance as the
destination. Analyze the captured traffic by using open-source tools to identify the AWS resources that are generating the suspicious traffic.

B. Use VPC flow logs. Launch a security information and event management (SIEM) solution in the VPC. Configure the SIEM solution to ingest
the VPC flow logs. Run queries on the SIEM solution to identify the AWS resources that are generating the suspicious traffic.

C. Use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the flow logs
to identify the AWS resources that are generating the suspicious traffic.

D. Configure the VPC to stream the network traffic directly to an Amazon Kinesis data stream. Send the data from the Kinesis data stream to
an Amazon Kinesis Data Firehose delivery stream to store the data in Amazon S3. Use Amazon Athena to query the data to identify the AWS
resources that are generating the suspicious traffic.

Correct Answer: B

Community vote distribution


C (100%)

Question #62 Topic 1

A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is
connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect
gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2.
A network engineer must implement connectivity between VPC-B and the on-premises data center in Dublin.
Which solutions will meet these requirements? (Choose two.)

A. Configure inter-Region VPC peering between VPC-A and VPC-B. Add the required VPC peering routes. Add the VPC-B CIDR block in the
allowed prefixes on the Direct Connect gateway association.

B. Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block under the allowed prefixes.

C. Configure another transit VIF on the Direct Connect connection and associate TGW-B. Advertise the VPC-B CIDR block under the allowed
prefixes.

D. Configure inter-Region transit gateway peering between TGW-A and TGW-B. Add the peering routes in the transit gateway route tables. Add
both the VPC-A and the VPC-B CIDR block under the allowed prefix list in the Direct Connect gateway association.

E. Configure an AWS Site-to-Site VPN connection over the transit VIF to TGW-B as a VPN attachment.

Correct Answer: BD

Question #63 Topic 1

A company’s network engineer is designing a hybrid DNS solution for an AWS Cloud workload. Individual teams want to manage their own DNS
hostnames for their applications in their development environment. The solution must integrate the application-specific hostnames with the
centrally managed DNS hostnames from the on-premises network and must provide bidirectional name resolution. The solution also must
minimize management overhead.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Use an Amazon Route 53 Resolver inbound endpoint.

B. Modify the DHCP options set by setting a custom DNS server value.

C. Use an Amazon Route 53 Resolver outbound endpoint.

D. Create DNS proxy servers.

E. Create Amazon Route 53 private hosted zones.

F. Set up a zone transfer between Amazon Route 53 and the on-premises DNS.

Correct Answer: ABE

Community vote distribution


ACE (100%)

Question #64 Topic 1

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon
CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated
customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network
engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?

A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized
header to inform the web application of an authenticated customer request.

B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert
a customized header to inform the web application of an authenticated customer request.

C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function
also to insert a customized header to inform the web application of an authenticated customer request.

D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload.
Configure the tool to insert a customized header to inform the web application of an authenticated customer request.

Correct Answer: C

Community vote distribution


C (100%)

Question #65 Topic 1

A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the
nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC
and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs.
Which route table con gurations on the transit gateway will meet these requirements?

A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared
services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the
production and nonproduction VPCs.

B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create
an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.

C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional
route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an
additional route table with only the shared services VPC attachment associated with propagated routes from the production and
nonproduction VPCs.

Correct Answer: A

Community vote distribution


A (100%)

Question #66 Topic 1

A company is using an AWS Site-to-Site VPN connection from the company's on-premises data center to a virtual private gateway in the AWS
Cloud. Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the
traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort.
Which solution will meet these requirements?

A. Edit the existing Site-to-Site VPN connection by enabling acceleration. Stop and start the VPN service on the customer gateway for the new
setting to take effect.

B. Configure a transit gateway in the same AWS Region as the existing virtual private gateway. Create a new accelerated Site-to-Site VPN
connection. Connect the new connection to the transit gateway by using a VPN attachment. Update the customer gateway device to use the
new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.

C. Create a new accelerated Site-to-Site VPN connection. Connect the new Site-to-Site VPN connection to the existing virtual private gateway.
Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.

D. Create a new AWS Direct Connect connection with a private VIF between the on-premises data center and the AWS Cloud. Update the
customer gateway device to use the new Direct Connect connection. Delete the existing Site-to-Site VPN connection.

Correct Answer: C

Community vote distribution


B (100%)

Question #67 Topic 1

An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US).
The company is targeting the western US for the expansion.
The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are
attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for
centralized security features such as proxies, firewalls, and logging.
The company plans to duplicate the infrastructure from ap-southeast-2 to the us-west-1 Region. A network engineer must establish connectivity
between the various applications in the two Regions. The solution must maximize bandwidth, minimize latency, and minimize operational
overhead.
Which solution will meet these requirements?

A. Create VPN attachments between the two transit gateways. Configure the VPN attachments to use BGP routing between the two transit
gateways.

B. Peer the transit gateways in each Region. Con gure routing between the two transit gateways for each Region's IP addresses.

C. Create a VPN server in a VPC in each Region. Update the routing to point to the VPN servers for the IP addresses in alternate Regions.

D. Attach the VPCs in us-west-1 to the transit gateway in ap-southeast-2.

Correct Answer: B

Community vote distribution


B (100%)

Question #68 Topic 1

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT
messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a
load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional
latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the
AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The
solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances.
What should the company do next to meet these requirements?

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-
premises network with the NLB.

B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in
front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator
in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.

D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with
CloudFront.

Correct Answer: B

Community vote distribution


B (100%)

Question #69 Topic 1

A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability
Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring.
Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network
engineer enables access logging for the ALB.
What should the network engineer do next to determine which errors the ALB is receiving?

A. Send the logs to Amazon CloudWatch Logs. Review the ALB logs in CloudWatch Insights to determine which error messages the ALB is
receiving.

B. Configure the Amazon S3 bucket destination. Use Amazon Athena to determine which error messages the ALB is receiving.

C. Configure the Amazon S3 bucket destination. After Amazon CloudWatch Logs pulls the ALB logs from the S3 bucket automatically, review
the logs in CloudWatch Logs to determine which error messages the ALB is receiving.

D. Send the logs to Amazon CloudWatch Logs. Use the Amazon Athena CloudWatch Connector to determine which error messages the ALB is
receiving.

Correct Answer: A

Community vote distribution


B (100%)

Question #70 Topic 1

A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses
AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be
transported over the public internet and must be encrypted in transit.
Which solution will meet these requirements?

A. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to access Amazon S3. Use HTTPS for
communication.

B. Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an
interface VPC endpoint for Amazon S3. Use HTTPS for communication.

C. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for
communication.

D. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to the transit gateway. Create an attachment for
Amazon S3. Use HTTPS for communication.

Correct Answer: B

Community vote distribution


B (100%)

Question #71 Topic 1

A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The
company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries.
To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not
receive a response from DNS Firewall.
Which change should a network engineer implement to meet these requirements?

A. Update the DNS Firewall VPC configuration to disable fail open for the VPC.

B. Update the DNS Firewall VPC configuration to enable fail open for the VPC.

C. Create a new DHCP options set with parameter dns_firewall_fail_open=false. Associate the new DHCP options set with the VPC.

D. Create a new DHCP options set with parameter dns_firewall_fail_open=true. Associate the new DHCP options set with the VPC.

Correct Answer: B

Community vote distribution


B (100%)
