NEW QUESTION 1
A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead.
Which solution will meet these requirements?

• A. Launch an Amazon EC2 instance in the VP
• B. Use Traffic Mirroring by specifying the NAT gateway as the source and the EC2 instance as the destinatio
• C. Analyze the captured traffic by using open-source tools to identify the AWS resources that are generating the suspicious traffic.
• D. Use VPC flow log
• E. Launch a security information and event management (SIEM) solution in the VP
• F. Configure the SIEM solution to ingest the VPC flow log
• G. Run queries on the SIEM solution to identify the AWS resources that are generating the suspicious traffic.
• H. Use VPC flow log
• I. Publish the flow logs to a log group in Amazon CloudWatch Log
• J. Use CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are generating the suspicious traffic.
• K. Configure the VPC to stream the network traffic directly to an Amazon Kinesis data strea
• L. Send the data from the Kinesis data stream to an Amazon Kinesis Data Firehose delivery stream to store the data in Amazon S3. Use Amazon Athena to query the data to identify the AWS resources that are generating the suspicious traffic.

Answer: C

NEW QUESTION 2
An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

• A. Use an internet connection.
• B. Set up an AWS VPN connection.
• C. Provision an AWS Direct Connection private virtual interface.
• D. Provision a Direct Connect public virtual interface.

Answer: A

NEW QUESTION 3
A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the
on-premises DNS servers.
Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones.
What should a network engineer do to meet these requirements?

• A. Create a new Route 53 Resolver inbound endpoint in the shared services VP
• B. Create forwarding rules for the on-premises hosted domain
• C. Associate the rules with the new Resolver endpoint and each application VP
• D. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
• E. Create a new Route 53 Resolver outbound endpoint in the shared services VP
• F. Create forwarding rules for the on-premises hosted domain
• G. Associate the rules with the new Resolver endpoint and each application VPC.
• H. Create a new Route 53 Resolver outbound endpoint in the shared services VPCreate forwarding rules for the on-premises hosted domain
• I. Associate the rules with the new Resolver endpoint and each application VPUpdate each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
• J. Create a new Route 53 Resolver inbound endpoint in the shared services VP
• K. Create forwarding rules for the on-premises hosted domain
• L. Associate the rules with the new Resolver endpoint and each application VPC.

Answer: B

Explanation:
Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1. Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2. Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2. This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.

NEW QUESTION 4
A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal.
The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams.
The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

• A. Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access.
• B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VP
• C. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS server
• D. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.
• E. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.
• F. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWSaccount to resolve queries for this domain.
• G. Launch two Amazon EC2 instances in the shared AWS accoun
• H. Install BIND on each instanc
• I. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS accoun
• J. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS server
• K. Set the forwarding IP addresses to the IP addresses of the BIND servers.
• L. Create a private hosted zone in the shared AWS account for each account that runs the service.Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.

Answer: ABD

Explanation:
To meet the requirements of updating the DNS registration process while maximizing cost-effectiveness and minimizing configuration changes, the network engineer should take the following steps:
Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint’s IP addresses that were created (Option B).
Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain (Option D).
Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access (Option A).
These steps will allow service creators to register their DNS records while keeping costs low and minimizing configuration changes.

NEW QUESTION 5
A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Create a central egress VPC that has private NAT gateway
• B. Connect all the VPCs to the central egress VPC by using AWS Transit Gatewa
• C. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
• D. Create a central shared services VP
• E. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to acces
• F. Ensure that private DNS is turned of
• G. Connect all the VPCs to the central shared services VPC by using AWS Transit Gatewa
• H. Create an Amazon Route 53 forwarding rule for each interface VPC endpoin
• I. Associate the forwarding rules with all the VPC
• J. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
• K. Create a central shared services VPIn the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to acces
• L. Ensure that private DNS is turned of
• M. Connect all the VPCs to the central shared services VPC by using AWS Transit Gatewa
• N. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manage
• O. Associate the private hosted zones with all the VPC
• P. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
• Q. Create a central shared services VP
• R. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to acces
• S. Connect all the VPCs to the central shared services VPC by using AWS Transit Gatewa
• T. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.

Answer: B

Explanation:
Interface VPC endpoints enable private connectivity between VPCs and supported AWS serviceswithout requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection2. Interface VPC endpoints are powered by AWS PrivateLink, a technology that enables private access to AWS services2. Amazon S3 and AWS Systems Manager support interface VPC endpoin2ts. By turning off private DNS, the interface VPC endpoints can be accessed by using their private IP addresses2. By using Amazon Route 53 forwarding rules, DNS queries can be resolved to the interface VPC endpoints in the shared services VPC3.

NEW QUESTION 6
A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application.
A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups.
Which solution will meet these requirements?

• A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuratio
• B. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
• C. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuratio
• D. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
• E. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuratio
• F. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
• G. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuratio
• H. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.

Answer: D

Explanation:
Configuring an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration would enable evaluation of the compliance status of the security groups based on predefined or custom rules3. Creating an AWS Systems Manager Automation runbook to remediate noncompliant security groups would enable automation of the remediation process2. Additionally, configuring AWS Config to trigger the runbook when a noncompliant change is detected would enable timely and consistent remediation of security group changes.

NEW QUESTION 7
A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group.
The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone.
What is the MOST operationally efficient solution to resolve this issue?

• A. Enable the new Availability Zone on the NLB
• B. Create a new NLB for the instances in the second Availability Zone
• C. Enable proxy protocol on the NLB
• D. Create a new target group with the instances in both Availability Zones

Answer: A

Explanation:
When adding instances in a new Availability Zone to an existing Network Load Balancer (NLB), it is important to ensure that the new Availability Zone is enabled on the NLB. This will allow traffic to be routed to instances in both Availability Zones. This can be done by editing the settings of the NLB and selecting the new Availability Zone from the list of available zones.

NEW QUESTION 8
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service example com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)

• A. Create a self-signed certificate for service.example.co
• B. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificat
• C. Change the default behavior to redirect HTTP to HTTPS.
• D. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificat
• E. Change the default behavior to redirect HTTP to HTTPS.
• F. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instance
• G. Configure the backend to use this certificate for its HTTPS listene
• H. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its target
• I. Attach the existing Auto Scaling group to this new target group.
• J. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instance
• K. Configure the backend to use this certificate for its HTTPS listene
• L. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its target
• M. Attach the existing Auto Scaling group to this new target group.
• N. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificat
• O. Modify the CloudFront origin to use the HTTPS protocol onl
• P. Delete the HTTPlistener on the ALB.
• Q. Create a self-signed certificate for service-alb.example.co
• R. Import the certificate into AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificat
• S. Modify the CloudFront origin to use the HTTPS protocol onl
• T. Delete the HTTP listener on the ALB.

Answer: BDE

NEW QUESTION 9
A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application.
Which solution will meet these requirements?

• A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS servic
• B. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scalin
• C. Specify the GLB in the service definitio
• D. Create a VPC peer for external AWS account
• E. Update the route tables so that the AWS accounts can reach the GLB.
• F. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS servic
• G. Create path-based routing rules to allow the application to target the containers that are registered in the target grou
• H. Specify the ALB in the service definitio
• I. Create a VPC endpoint service for the ALB Share the VPC endpoint service with other AWS accounts.
• J. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS servic
• K. Create path-based routing rules to allow the application to target the containers that are registered in the target grou
• L. Specify the ALB in the service definitio
• M. Create a VPC peer for the external AWS account
• N. Update the route tables so that the AWS accounts can reach the ALB.
• O. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS servic
• P. Specify the NLB in the service definitio
• Q. Create a VPC endpoint service for the NL
• R. Share the VPC endpoint service with other AWS accounts.

Answer: D

NEW QUESTION 10
A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises over Direct Connect.
What should a network engineer do to meet these requirements?

• A. Enable Amazon CloudWatch metrics on Direct Connect to track the received route
• B. Configure a CloudWatch alarm to send notifications when routes change.
• C. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insight
• D. Use Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes change.
• E. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change.
• F. Enable Amazon CloudWatch Logs on the transit VIFs to track the received route
• G. Create a metric filter Set an alarm on the filter to send notifications when routes change.

Answer: B

Explanation:
https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-cloudwatch-events.html
To receive notification each time a new route is advertised to AWS from on premises over Direct Connect, a network engineer should onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights and use Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes change (Option B). This solution allows for real-time monitoring of route changes and automatic notification when new routes are advertised.

NEW QUESTION 11
A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months After the 3-month migration period, the resolution of on-premises servers will no longer be needed.
What should a network engineer do to meet these requirements with the LEAST amount of configuration?

• A. Set up an AWS Site-to-Site VPN connection between on premises and AW
• B. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
• C. Set up an AWS Direct Connect connection with a private VI
• D. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
• E. Set up an AWS Client VPN connection between on premises and AW
• F. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.
• G. Set up an AWS Direct Connect connection with a public VI
• H. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VP
• I. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.

Answer: A

Explanation:
Setting up an AWS Site-to-Site VPN connection between on premises and AWS would enable a secure and encrypted connection over the public internet1. Deploying an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC would enable forwarding of DNS queries for on-premises servers to the on-premises DNS servers2. This would allow EC2 instances in the VPC to resolve names of on-premises servers during the migration period. After the migration period, the Route 53 Resolver outbound endpoint can be deleted with minimal configuration changes.

NEW QUESTION 12
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?

• A. Create one hosted connectio
• B. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direc
• C. Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
• D. Create one hosted connectio
• E. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
• F. Create one dedicated connectio
• G. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
• H. Create one dedicated connectio
• I. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

Answer: B

Explanation:
This solution meets the requirements of the company by using a single Direct Connect connection with two VIFs, one connected to the transit gateway in us-east-1 and the other connected to the VPC in eu-west-1. Two Direct Connect gateways are used, one for each VIF, to route traffic from the Direct Connect location to the corresponding AWS Region along the path that has the lowest latency. This setup ensures that traffic between the VPCs in us-east-1 and on-premises databases is routed through the transit gateway, while traffic between the VPC in eu-west-1 and the on-premises server is routed directly through the private VIF.

NEW QUESTION 13
A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs.
Which route table configurations on the transit gateway will meet these requirements?

• A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VP
• B. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
• C. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VP
• D. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.
• E. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPCreate an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
• F. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disable
• G. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

Answer: A

NEW QUESTION 14
A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity.
The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs.
The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure.
Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? (Choose three.)

• A. Create the interface endpoint for Amazon SQS with the option for private DNS names turned on.
• B. Create the interface endpoint for Amazon SQS with the option for private DNS names turned off.
• C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.co
• D. Add necessary records that point to the interface endpoin
• E. Associate the private hosted zones with other VPCs.
• F. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.com with previously created necessary records that point to the interface endpoin
• G. Associate the private hosted zones with other VPCs.
• H. Access the SQS endpoint by using the public DNS name sqs.us-east-1 amazonaws.com in VPCs and on premises.
• I. Access the SQS endpoint by using the private DNS name of the interface endpoint.sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises.

Answer: ADF

NEW QUESTION 15
A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?

• A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual applianc
• B. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
• C. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
• D. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
• E. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.

Answer: A

NEW QUESTION 16
......