You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 ֳ— 7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud.
Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets.
Select the correct network configuration that best facilitates your company's continued growth plans.
D
Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations - therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required ג€" the answer is yes and therefore the correct answer is D.
Reference:
https://aws.amazon.com/directconnect/faqs/
You are your company's AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 departmental dedicated VPCs (VPC-Dept1 and VPC-Dept2). The centralised VPC is VPC peered to both of the departmental VPCs, that is a VPC peering connection exists between VPC-Shared and VPC-Dept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2.
Select the correct option from the list below.
B
Answers A, C and D are incorrect answers as they reference a non-existing setting - there is no such thing as a "default peering bi-directional communication flag".
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html#one-to-two-vpcs-instances
In your current role as the corporate network architect `" you have decided to replace your existing hardware firewall appliances with a pair of Juniper SRX-Series
Services Gateways. You have chosen these as AWS lists these as supportable devices for establishing IPsec connections. With this in mind, select the minimum set of options to ensure that you can establish IPsec connectivity between your on premise private corporate network and your AWS hosted VPC.
Select which option is NOT required.
B
A customer gateway within the corporate network is NOT required. The Customer Gateway (CGW) is a component that you deploy within your VPC that logically represents you VPN physical hardware's perimeter public IP - therefore Answer C is required. A Virtual Private Gateway (VPG) is the AWS VPN Concentrator end point ג€" and is always a requirement that needs to be deployed in your VPC - therefore it must always be deployed ג€" therefore Answer D is required.
AWS only supports IPsec in Tunnel mode ג€" therefore Answer A is required.
Reference:
https://aws.amazon.com/vpc/faqs/
You need to create a baseline of normal traffic flow in order to implement some security changes to your organization.
What two items would be best to use? (Choose two.)
AD
Your company has just deployed IPv6 in a VPC. All of the instances currently use a NAT, but once they configured the instances for IPv6 only, they were unable to access the resources on the instances via IPv6. What is the best option to fix this?
B
NAT is not compatible with IPv6 and an IGW would allow full access to the instances, which is not good. An egress-only IGW is the best solution.
Your company just acquired a new company. You have two VPCs ?one is 172.31.0.0/16 and one is 10.111.0.0/16. The acquired company uses 10.111.0.0/16 for their VPC. Your VPC "A" has a group of 12 servers in the range 10.111.2.101 ?10.111.2.112. Their VPC "B" has 20 servers from 10.111.2.171 ?10.111.2.190.
You need to access both VPCs from the 172.31.0.0/16 VPC "C".
What is the best way to approach this problem?
A
You can peer VPCs with the same CIDR block to a third VPC, so changing the CIDR block is not necessary. You can adjust the route tables to point to individual servers, but this would be very inefficient. 10.111.2.96/28 does not provide enough addresses for the AWS required addresses. AWS reserves 5 addresses per subnet and this only allows 11 addresses. 10.111.2.96/27 provides 32 addresses with 27 usable. Since it is a /27, it will take precedence over the /24 and route the traffic destined for these instances correctly.
Due to security requirements, all traffic must be encrypted between your VPC and your on-premises data center. You also want to maintain reliability.
What two options will allow you to achieve this? (Choose two.)
BD
To run VPN over DX, you need to have a public VIF to access the VPN endpoints.
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning.
What is most likely the problem?
B
You must apply the SSL to your Elastic Loadblanacer and your CDN to encrypt all aspects of your site.
You are a network engineer at a company that just purchased a DX connection. You ensured your equipment met all of the technical requirements, you have verified with your AWS account manager and your colocation provider that everything is connected, and all of your information is correct. For some reason, the link does not operate correctly.
What could be the problem?
B
Autonegotiation is enabled. A DX connection uses single-mode fiber, not CAT6; BFD is optional, and 802.1q is the correct standard. Autonegotiation must be disabled for DX to work properly.
You have configured a dynamic VPN between your datacenter and your VPC. Your router says the tunnel is up and BGP is active, but for some reason, you are not seeing your routes propagate.
What is most likely the issue?
D
You forgot to set route propagation to "yes" in the route table. If the route table says BGP is active and the tunnel is up, then you do not have a firewall issue. BFD has nothing to do with route propagation. You do not need a BGP MD5 key for VPN.
