Amazon

Clearcat.Net | FIRST ATTEMPT PASS | WWW.CLEARCATNET.COM

(ANS-C00)

AWS Certified Advanced Networking - Specialty

✅Follow us on: Facebook | Instagram | LinkedIn | reddit | Twitter | Quora | YouTube

Send us your request/inquiry at clearcat.net@gmail.com or connect us for Live Support any time for any certification exam dumps
pdf Or for most asked Interview Q&A PDFs to ensure your success in first try!!

YouTube.com t.Me
/CLEARCATNET /CLEARCATNET

Get any exam latest real exam questions PDF Now-

✅Visit us - www.CLEARCATNET.com
✅Mail us- clearcat.net@gmail.com
✅Live Support- https://t.me/CLEARCATNET
Question:1 ANS-C00: Actual Exam Q&A | CLEARCATNET
Your organization's corporate website must be available on www.acme.com and acme.com.
How should you configure Amazon Route 53 to meet this requirement?
• A. Configure acme.com with an ALIAS record targeting the ELB. www.acme.com with an ALIAS record
targeting the ELB.
• B. Configure acme.com with an A record targeting the ELB. www.acme.com with a CNAME record targeting
the acme.com record.
• C. Configure acme.com with a CNAME record targeting the ELB. www.acme.com with a CNAME record
targeting the acme.com record.
• D. Configure acme.com using a second ALIAS record with the ELB target. www.acme.com using a PTR record
with the acme.com record target.

Correct Answer: A
Explanation: Unlike a CNAME record, you can create an alias record at the top node of a DNS namespace, also
known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com.
You can't create a CNAME record for example.com, but you can create an alias record for example.com that routes
traffic to www.example.com (as long as www.example.com doesn't already have a CNAME record).

Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-
alias.html

Question:2 ANS-C00: Actual Exam Q&A | CLEARCATNET

You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application
needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options
Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your
VPC.
Which action is required to support a successful Amazon EMR cluster launch?
• A. Add a conditional forwarder to the Amazon-provided DNS server.
• B. Enable seamless domain join for the Amazon EMR cluster.
• C. Launch an AD connector for the internal domain.
• D. Configure an Amazon Route 53 private zone for the EMR cluster.

Correct Answer: A
Explanation: Services that use the Hadoop framework, such as Amazon EMR, require instances to resolve their own
fully qualified domain names (FQDN). In such cases, DNS resolution can fail if the domain-name-servers option is set
to a custom value. To ensure proper DNS resolution, consider adding a conditional forwarder on your DNS server to
forward queries for the domain region-name.compute.internal to the Amazon DNS server. For more information,
see Setting up a VPC to host clusters in the Amazon EMR Management Guide.

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html

Question:3 ANS-C00: Actual Exam Q&A | CLEARCATNET

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO
suspects your application will be the target of malicious activity. You are tasked with notifying the security team in
the event your application is port scanned by external systems.
Which two AWS Services cloud you leverage to build an automated notification system? (Choose two.)
• A. Internet gateway
• B. VPC Flow Logs
• C. AWS CloudTrail
• D. Lambda
• E. AWS Inspector

Correct Answer: BD
Explanation: Flowlogs will show all traffic up to L4, good to detect any port scanning.
Lambda will be triggered when a port scanning is detected from flow logs
One of the VPC Flow Logs values is the ability to detect and block vulnerability scans against their network by
checking for ping sweeps, port scans and other malicious activity associated with attempts to discover weaknesses in
the network. Once the sources of such scans are identified, security admins can block them from further access in
order to prevent intrusions. In addition, to protect your AWS platform from being port scanned by external systems,
you can use AWS Lambda scripts to run periodically.
Reference: https://www.sumologic.com/insight/use-aws-vpc-flow-logs/

Question:4 ANS-C00: Actual Exam Q&A | CLEARCATNET

You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the
application instances from the Internet and from an on-premises network. The on-premises network is connected to
your VPC over an AWS Direct Connect link.
How should you design routing to meet these requirements?
• A. Configure a single routing table with two default routes: one to the Internet via an IGW, the other to the
on-premises network via the VGW. Use this routing table across all subnets in your VPC.
• B. Configure two routing tables: one that has a default route via the IGW, and another that has a default
route via the VGW. Associate both routing tables with each VPC subnet.
• C. Configure a single routing table with a default route via the IGW. Propagate a default route via BGP on the
AWS Direct Connect customer router. Associate the routing table with all VPC subnet.
• D. Configure a single routing table with a default route via the IGW. Propagate specific routes for the on-
premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all
VPC subnets.

Correct Answer: D
Explanation: Specific /24 (minimum) will be advertised and you have own the IP space,which aws will validate from
regional inet registries.

Question:5 ANS-C00: Actual Exam Q&A | CLEARCATNET

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company's
highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth,
low latency access to S3. Since the company does not own a publically routable IPv4 address block, a request was
made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a `backdoor`, and you have been asked to clarify the risk to the
company.
Which concern from the security team is valid and should be addressed?
• A. AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.
• B. Direct Connect customers with a Public VIF in the same region could directly reach the router.
• C. EC2 instances in the same region with access to the Internet could directly reach the router.
• D. The S3 service could reach the router through a pre-configured VPC Endpoint.

Correct Answer: A

Explanation: AWS Direct Connect advertises all local and remote AWS Region prefixes where available, and includes
on-net prefixes from other AWS non-region points of presence (POPs) where available, such as Amazon CloudFront
or Amazon Route 53. Direct Connect supports a range of Border Gateway Protocol (BGP) community tags to help
control the scope (regional, continent, or global) of routes advertised and received over a public VIF.

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/control-routes-direct-connect/

Question:6 ANS-C00: Actual Exam Q&A | CLEARCATNET

Your organization uses a VPN to connect to your VPC but must upgrade to a 1-G AWS Direct Connect connection for
stability and performance. Your telecommunications provider has provisioned the circuit from your data center to an
AWS Direct Connect facility and needs information on how to cross-connect
(e.g., which rack/port to connect).
What is the AWS-recommended procedure for providing this information?
• A. Create a support ticket. Provide your AWS account number and telecommunications company's name and
where you need the Direct Connect connection to terminate.
• B. Create a new connection through your AWS Management Console and wait for an email from AWS with
information.
• C. Ask your telecommunications provider to contact AWS through an AWS Partner Channel. Provide your
 AWS account number.
• D. Contact an AWS Account Manager and provide your AWS account number, telecommunications
company's name, and where you need the Direct Connect connection to terminate.

Correct Answer: B
Explanation:
"After you request the connection, AWS makes a Letter of Authorization and Connecting Facility Assignment (LOA-
CFA) available to you to download, or emails you with a request for more information. If you receive a request for
more information, you must respond within 7 days or the connection is deleted. The LOA-CFA is the authorization to
connect to AWS, and is required by your network provider to order a cross connect for you. If you do not have
equipment in the AWS Direct Connect location, you cannot order a cross connect for yourself there."

Question:7 ANS-C00: Actual Exam Q&A | CLEARCATNET

You manage a web service that is used by client applications deployed in 300 offices worldwide. The web service
architecture is an Elastic Load Balancer (ELB) distributing traffic across four application servers deployed in an Auto
Scaling group across two Availability Zones.
The ELB is configured to use round robin, and sticky sessions are disabled. You have configured the NACLs and
security groups to allow port 22 from your bastion host, and port 80 from 0.0.0.0/0. The client configuration is
managed by each regional IT team.
Upon inspection you find that a large amount of requests from incorrectly configured sites are causing a single
application server to degrade. The remainder of the requests are equally distributed across all servers with no
negative effects.
What should you do to remedy the situation and prevent future occurrences?
• A. Mark the affected instance as degraded in the ELB and raise it with the client application team.
• B. Update the NACL to only allow port 80 to the application servers from the ELB servers.
• C. Update the Security Groups to only allow port 80 to the application servers from the ELB.
• D. Terminate the affected instance and allow Auto Scaling to create a new instance.

Correct Answer: C
Explanation:
Forcing traffic via SG config means even if the EC2 instances has public IPs, the SG would drop the traffic as HTTP 80
is only allowed via ELB.

Question:8 ANS-C00: Actual Exam Q&A | CLEARCATNET

A multinational organization has applications deployed in three different AWS regions. These applications must
securely communicate with each other by VPN.
According to the organization's security team, the VPN must meet the following requirements:
✑ AES 128-bit encryption
✑ SHA-1 hashing
✑ User access via SSL VPN
✑ PFS using DH Group 2
✑ Ability to maintain/rotate keys and passwords
✑ Certificate-based authentication
Which solution should you recommend so that the organization meets the requirements?
• A. AWS hardware VPN between the virtual private gateway and customer gateway
• B. A third-party VPN solution deployed from AWS Marketplace
• C. A private MPLS solution from an international carrier
• D. AWS hardware VPN between the virtual private gateways in each region

Correct Answer: B
Explanation:
AWS based Hardware VPN doesn't have the ability to change password/rotate keys and use certificate based auth.
One can get these advance VPN features from third-party VPN software available in the AWS Marketplace and install
that in a EC2 instance in all the regions

Question:9 ANS-C00: Actual Exam Q&A | CLEARCATNET

Refer to the image.

You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows:
✑ VPC A: 10.0.0.0/16
✑ VPC B: 192.168.0.0/16
✑ VPC C: 10.0.0.0/16
Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10. Instances i-3
and i-4 in VPC B have the IP addresses
192.168.1.10 and 192.168.1.20, respectively, i-3 and i-4 are in the subnet 192.168.1.0/24.
✑ i-3 must be able to communicate with i-1
✑ i-4 must be able to communicate with i-2
✑ i-3 and i-4 are able to communicate with i-1, but not with i-2.
Which two steps will fix this problem? (Choose two.)
• A. Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
• B. Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
• C. Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
• D. Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC
C.
• E. Create two route tables: one with a route for destination VPC A, and another for destination VPC C.

Correct Answer: AE
Reference: https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html

Question:10 ANS-C00: Actual Exam Q&A | CLEARCATNET

A legacy, on-premises web application cannot be load balanced effectively. There are both planned and unplanned
events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage
spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the
additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of
the following designs will meet these requirements?
• A. Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.
• B. Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.
• C. Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.
• D. Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.
 Thank you for Trying our Free
Sample Questions
But We Recommend try our Premium Exam Material (Full Premium
PDF) dumps in PDF Format to certain your Guaranteed success in First
Attempt Only.
VISIT US NOW TO DOWNLOAD FULL PDF INSTANTLY 👇

https://www.clearcatnet.com/Papers

Send us your request/inquiry at clearcat.net@gmail.com or connect us for Live Support any time for any certification exam dumps
pdf Or for most asked Interview Q&A PDFs to ensure your success in first try!!

Get any exam latest real exam questions PDF Now- YouTube.com

/CLEARCATNET
✅Visit us - www.clearcatnet.com
t.Me
✅Mail us- clearcat.net@gmail.com
/CLEARCATNET
✅Live Support- https://t.me/clearcatnet