ANS-C00: AWS Certified Advanced Networking - Specialty
Question#171

Your company just deployed a WAF to protect its resources. You need to create a baseline before you start blocking traffic. How will you achieve this?

  • A. Set the WAF to Monitor mode.
  • B. Set the WAF to its defaults and let it do its job.
  • C. Setup a Lambda function to monitor Flow Logs and analyze the traffic using Elasticsearch.
  • D. A WAF is default deny and does not allow this. You need to use an IDS instead.

Answer: A
Monitor mode is the only good choice.

Question#172

Your website utilizes EC2, S3, ELB-Classic, and CloudFront. Your manager has shifted focus to security and wants you to ensure the site is as secure as possible. What two items could you recommend? (Choose two.)

  • A. An NACL that blocks all ports to your subnets.
  • B. A restricted bucket policy.
  • C. A WAF on the load balancer.
  • D. A WAF on your CloudFront distribution.

Answer: BD
A WAF on CloudFront and a restricted bucket policy to ensure the only access is from CloudFront. You cannot apply a WAF to a classic load balancer, and an NACL that blocks all ports would block access to the load balancer.

Question#173

You have two public applications on different domains that use two front-end servers and two back-end servers each. You wish to achieve high availability for both applications. What two options should you configure? (Choose two.)

  • A. Route 53: 2 public zones and 2 private zones.
  • B. Route 53: 2 public zones and 1 private zone.
  • C. 3 load balancers: 2 public and 1 internal.
  • D. 4 load balancers: 2 public and 2 internal.

Answer: AD
Route 53: 2 public zones and 2 private zones and 4 load balancers: 2 public and 2 internal. This will allow one domain to be balanced over two application servers which will then have traffic balanced to the two backend servers.

Question#174

Your company was recently acquired and a Direct Connect connection was extended from your new parent corporation to your AWS VPC using a hosted VIF. What data charges are billed to your account for that connection?

  • A. You are only responsible for the port hours of the VIF.
  • B. You are not charged anything.
  • C. You are responsible for all data transfer out.
  • D. You are responsible for all data transfer in.

Answer: C
You are only responsible for the data transfer out. The port hours are the responsibility of the owner of the connection.

Question#175

The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity.
Select the correct statement below regarding the correct configuration options to ensure IPsec confidentiality:

  • A. The following protocols may be used to configure IPsec confidentiality: DES, 3DES, MD5
  • B. The following protocols may be used to configure IPsec confidentiality: DES, 3DES, AES
  • C. The following protocols may be used to configure IPsec confidentiality: PSK, RSA
  • D. The following protocols may be used to configure IPsec confidentiality: PSK, MD5
  • E. The following protocols may be used to configure IPsec confidentiality: PSK, RSA

Answer: B
Answer A is incorrect - as MD5 is a hashing protocol (data integrity).
Answer C is incorrect - as PSK is short for Pre-Shared Keys (key exchange) - and again MD5 is a hashing protocol (data integrity).
Answer D is incorrect - as both MD5 and SHA are hashing protocols (data integrity).
Answer E is incorrect - as both PSK and RSA are used for key exchanges.
This leaves Answer B as the only correct IPsec configuration covering confidentiality. DES, 3DES, and AES are all encryption protocols.
Reference:
https://en.wikipedia.org/wiki/IPsec

Question#176

Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?

  • A. For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible
  • B. Jumbo Frames are not supported for traffic that exits the Virtual Private Gateway
  • C. Jumbo Frames are not supported for traffic that exits the Internet Gateway
  • D. T2.micro instances do not support Jumbo Frames

Answer: D
All answers except for Answer D are correct. Answer D is incorrect in that AWS does indeed support Jumbo Frames on all instance types within the T2 family class - including the T2.micro instance type.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

Question#177

Within the TCP/IP model, what is the name of the Packet Data Unit (PDU) used between Transport Layers for communication between sender and receiver?

  • A. Frames
  • B. Packets
  • C. Data
  • D. Segments

Answer: D
Segments is the PDU used between transport layers.
Reference:
https://en.wikipedia.org/wiki/Transmission_Control_Protocol

Question#178

Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

  • A. 8 subnets and 30 hosts per subnet
  • B. 16 subnets and 14 hosts per subnet
  • C. 32 subnets and 30 hosts per subnet
  • D. 8 subnets and 14 hosts per subnet

Answer: B
16 subnets and 14 hosts per subnet are possible in the CIDR.
Reference:
https://en.wikipedia.org/wiki/IPv4_subnetting_reference

Question#179

An unfortunate situation has just come to your attention. A business-critical application with sensitive data running on-prem will run out of storage disk space in 24hrs. This business-critical application is dependent on a very large set of routes - required for integration with other systems. You make a quick but well-informed decision to migrate this application quickly to AWS. You are able to quickly launch a new VPC and within it equivalent infrastructure to re-home the application. In order to complete the replication of application data and ensure the application remains operational beyond the next 24hrs, select the best implementation.

  • A. Within the new VPC - establish a Direct Connect connection with max 10Gbps port speed for data replication. Establish a 802.1Q VLAN and configure a Virtual Private Gateway and Private Virtual Interface, and ensure Jumbo Frames is enabled.
  • B. Within the new VPC - deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with BGP dynamic routing.
  • C. Within the new VPC - deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with static routing, and ensure Jumbo Frames is enabled.
  • D. Within the new VPC - deploy a software-based virtual router (for example a Cisco CSR). Configure with dual ENIs (external and internal), create and attach an EIP to the external ENI, configure and set up IPsec VPN tunnels, and ensure Jumbo Frames is enabled.

Answer: B
Answer A - Let's start by stating that all possible options are actually workable solutions. The key criterion of the question is to complete the data migration aspects as *quickly* as possible. With this in mind we can immediately rule out Answer A - due to the time it takes to provision and activate a fully functional Direct Connect connection, 72+ hrs. Answer C is the same as Answer D but lacks BGP - therefore we would need to set up the routes manually - more time and effort. Additionally Answer D uses Jumbo Frames - but AWS does not support Jumbo Frames over the Virtual Private Gateway - therefore Answer D's use of Jumbo Frames is negated. Overall Answer B is considered the quickest option.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html

Question#180

Convert the following IPv4 address, presented in binary form, into dotted decimal form: 10101100.01111011.00001101.10011101.

  • A. 172.123.13.157
  • B. 173.13.13.157
  • C. 172.122.13.15
  • D. 172.124.13.57

Answer: A
An IPv4 address in dotted decimal format is constructed using binary arithmetic. In binary arithmetic, each bit within a group represents a power of two. Specifically, the first bit in a group represents 2 to the power of 0, the second bit represents 2 to the power of 1, the third bit represents 2 to the power of 2, and so on. Binary format is simple because each successive bit in a group is exactly twice the value of the previous bit.
The first octet is 128 + 32 + 8 + 4 = 172
The second octet is 64 + 32 + 16 + 8 + 2 + 1 = 123
The third octet is 8 + 4 + 1 = 13
The fourth octet is 128 + 16 + 8 + 4 + 1 = 157
Reference:
https://en.wikipedia.org/wiki/IPv4
