Master 2021 Latest The Questions AWS Certified Advanced Networking Specialty and Pass ANS-C00 Real Exam! [Q19-Q44]


NEW QUESTION 19
You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.
The instance has a security group configured to allow as follows:
* Protocol: TCP
* Port: 80 inbound, nothing outbound
The Network ACL for the subnet is configured to allow as follows:
* Protocol: TCP
* Port: 80 inbound, nothing outbound
When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?

  • A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
  • B. Add an entry to the Network Acl outbound rules for Protocol: TCP, Port Range: 1024-65535
  • C. Add an entry to the Network Acl outbound rules for Protocol: TCP, Port Range: 80
  • D. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80

Answer: B

Explanation:
Security groups are stateful: once the inbound connection to port 80 is admitted, the reply is allowed back out whatever the outbound rules say, so options A and D change nothing. Network ACLs are stateless, so the return traffic must be allowed explicitly. The reply leaves port 80 towards the client's ephemeral source port, which lies somewhere in 1024-65535, not on port 80; option C therefore still drops the response, and only option B lets it through.
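The stateful/stateless distinction the question turns on, as an added example that is not part of the original page: a toy model of a security group and a network ACL evaluating one HTTP request and its reply. The rule and port values are constructed; the client's ephemeral port 51515 is an assumption.

```python
# Added example (not from the original page): a toy model of why question 19's
# fix belongs on the network ACL and must cover ephemeral ports.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out", relative to the instance
    proto: str       # only "tcp" is needed for this scenario
    port_lo: int     # destination-port range the rule matches
    port_hi: int

    def matches(self, pkt: "Packet") -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.port_lo <= pkt.dst_port <= self.port_hi)


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_port: int
    dst_port: int


class SecurityGroup:
    """Stateful filter: the reply to an admitted inbound flow is admitted even
    when there is no outbound rule at all, so options A and D change nothing."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()   # (proto, client_port, server_port) admitted inbound

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            ok = any(r.matches(pkt) for r in self.rules)
            if ok:
                self.flows.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return ok
        # outbound: a tracked reply passes first, then explicit outbound rules
        if (pkt.proto, pkt.dst_port, pkt.src_port) in self.flows:
            return True
        return any(r.matches(pkt) for r in self.rules)


class NetworkAcl:
    """Stateless filter: each packet in each direction is judged on its own."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.rules)


def http_exchange(sg_rules, nacl_rules, client_port=51515):
    """Push one HTTP request through NACL then SG and the reply back out.
    Returns (request_admitted, reply_admitted)."""
    sg, nacl = SecurityGroup(sg_rules), NetworkAcl(nacl_rules)
    request = Packet("in", "tcp", client_port, 80)
    reply = Packet("out", "tcp", 80, client_port)
    if not (nacl.allows(request) and sg.allows(request)):
        return False, False
    return True, sg.allows(reply) and nacl.allows(reply)


INBOUND_80 = Rule("in", "tcp", 80, 80)
EPHEMERAL_OUT = Rule("out", "tcp", 1024, 65535)

AS_CONFIGURED = http_exchange([INBOUND_80], [INBOUND_80])                        # (True, False)
OPTION_A = http_exchange([INBOUND_80, EPHEMERAL_OUT], [INBOUND_80])              # (True, False)
OPTION_B = http_exchange([INBOUND_80], [INBOUND_80, EPHEMERAL_OUT])              # (True, True)
OPTION_C = http_exchange([INBOUND_80], [INBOUND_80, Rule("out", "tcp", 80, 80)])  # (True, False)
```

Only OPTION_B admits the reply; the request is admitted in every case, which is why the symptom is "no response" rather than "connection refused".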

 

NEW QUESTION 20
You have a Simple AD deployment, and you wish to use it for your Microsoft Exchange email server. You are having issues finding the AD server, why might this be? Choose the correct answer:

  • A. Simple AD is not a full Active Directory server and will not work with many MS products.
  • B. You need to contact AWS to receive a PTR record for your email server.
  • C. Your firewall is blocking it.
  • D. SSL is not implemented.

Answer: A

Explanation:
Simple AD is a Samba 4 based directory that is compatible with only a subset of Active Directory features; Microsoft Exchange requires a full Microsoft Active Directory (AWS Managed Microsoft AD or a self-managed domain).

 

NEW QUESTION 21
An organization is migrating its on-premises applications to AWS by using a lift-and-shift approach, taking advantage of managed AWS services wherever possible. The company must be able to edit the application code during the migration phase. One application is a traditional three-tier application, consisting of a web presentation tier, an application tier, and a database tier. The external calling client applications need their sessions to remain sticky to both the web and application nodes that they initially connect to.
Which load balancing solution would allow the web and application tiers to scale horizontally independent from one another?

  • A. Use a Network Load Balancer at the web tier, and an Application Load Balancer at the application tier.
    Enable session stickiness on the Application Load Balancer, but take advantage of the native WebSockets protocols available to the Network Load Balancer.
  • B. Use an Application Load Balancer at both the web and application tiers, setting session stickiness at the target group level for both tiers.
  • C. Deploy a web node and an application node as separate containers on the same host, using task linking to create a relationship between the pair. Add an Application Load Balancer with session stickiness in front of all web node containers.
  • D. Use an Application Load Balancer at the web tier and a Classic Load Balancer at the application tier.
    Set session stickiness on both, but update the application code to create an application-controlled cookie on the Classic Load Balancer.

Answer: B

 

NEW QUESTION 22
An IT company wants to securely perform a one-off migration of its on-premises VMs to the AWS Cloud by using AWS Server Migration Service (AWS SMS). For the first phase of the migration, the company must migrate 50 development VMs in batches during non-peak times over the next 7 days. The VMs are between 2 GB and 5 GB in size. The company has 1 Gbps of available bandwidth over the internet. Which network connectivity option meets these requirements MOST cost-effectively?

  • A. Order an AWS Direct Connect connection. Provision a public VIF.
  • B. Create a VPN connection to AWS.
  • C. Contact an AWS partner to order a hosted VIF.
  • D. Use the existing internet connection.

Answer: D

Explanation:
At most 250 GB has to move over seven days, which is minutes of transfer time on a 1 Gbps link, and the SMS connector already protects its uploads to AWS with TLS over HTTPS, so the "securely" requirement is met without any extra connectivity. Direct Connect (A, C) adds ongoing cost and lead time for a one-off transfer, and a Site-to-Site VPN (B) adds cost without improving on TLS to AWS service endpoints.

 

NEW QUESTION 23
You manage a webserver that serves a webpage on AWS infrastructure. You utilize an Application Load Balancer, CloudFront, S3, and some other AWS services for this site. You are only responsible for the server and you don't have access to the AWS console or API. You need to find out what IPs are accessing your website. What is the best way to achieve this? Choose the correct answer:

  • A. Run "curl http://169.254.169.254/latest/meta-data/access_log".
  • B. Add "X-Forwarded-For" to the access logs and view the access logs.
  • C. Ask someone with IAM permissions to view the Flow Logs to give you access.
  • D. View the access logs. They already show this information.

Answer: B

Explanation:
Behind CloudFront and an Application Load Balancer the server sees only the load balancer's private address as the TCP peer, so the default access log (D) does not show the real client. CloudFront and the ALB each append the address they accepted the connection from to the X-Forwarded-For request header, so logging that header is the fix. Option A is wrong because the instance metadata service serves instance attributes, not access logs, and option C is unnecessary (flow logs would only show the load balancer's traffic to the instance anyway). Treat X-Forwarded-For with care: the left-hand entries are whatever the client sent, so read the entry appended by your own last trusted hop rather than the first one.
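Reading the client address out of such logs safely, as an added example that is not part of the original page. The log format is assumed to be nginx "combined" with a final quoted $http_x_forwarded_for field, the log lines and addresses are constructed (RFC 5737 ranges), and the chain of trusted hops (CloudFront then ALB) is an assumption matching the question.

```python
# Added example (not from the original page): extract the real client address
# from access logs that record X-Forwarded-For, without trusting the
# client-supplied part of the header. Sample lines are constructed.
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)


def client_ip(xff: str, remote_addr: str, trusted_hops: int) -> str:
    """Client address for a request that crossed `trusted_hops` proxies you
    control (2 for CloudFront -> ALB, 1 for ALB alone). Each trusted hop appends
    the address of the peer it accepted the connection from, so the client is
    the trusted_hops-th entry from the right; anything further left came from
    the client and may be forged. Malformed or too-short headers fall back to
    the TCP peer address instead of trusting the header."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_hops < 1 or len(hops) < trusted_hops:
        return remote_addr
    try:
        return str(ipaddress.ip_address(hops[-trusted_hops]))
    except ValueError:
        return remote_addr


def clients_by_request_count(log_lines, trusted_hops: int) -> Counter:
    """Requests per real client address across a set of access-log lines."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # lines that do not fit the format are skipped here
        counts[client_ip(m["xff"], m["remote"], trusted_hops)] += 1
    return counts


# Constructed sample: 10.0.1.23/24 are ALB node addresses, 192.0.2.5/6 stand in
# for CloudFront edges, 198.51.100.7 and 203.0.113.9 are real clients. The third
# request carries a forged "1.1.1.1" that the client put in X-Forwarded-For.
SAMPLE_LOG = [
    '10.0.1.23 - - [10/Oct/2021:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0" "198.51.100.7, 192.0.2.5"',
    '10.0.1.23 - - [10/Oct/2021:13:55:37 +0000] "GET /login HTTP/1.1" 200 1040 "-" "curl/7.68.0" "198.51.100.7, 192.0.2.5"',
    '10.0.1.23 - - [10/Oct/2021:13:55:38 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0" "1.1.1.1, 198.51.100.7, 192.0.2.5"',
    '10.0.1.24 - - [10/Oct/2021:13:55:39 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0" "203.0.113.9, 192.0.2.6"',
]
```

Counting the leftmost entry instead would attribute the /admin probe to 1.1.1.1; counting the trusted_hops-th entry from the right attributes it to 198.51.100.7, the address CloudFront actually saw.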

 

NEW QUESTION 24
Which of the following does not configure Amazon CloudFront cache behaviors to forward cookies to an origin for web distributions?

  • A. Amazon EMR
  • B. Origin server
  • C. AWS CLI
  • D. Amazon S3

Answer: D

Explanation:
Amazon S3 and some HTTP servers do not process cookies. Do not configure Amazon CloudFront cache behaviors to forward cookies to an origin that does not process cookies, or you will adversely affect cacheability and consequently performance.
Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

 

NEW QUESTION 25
You have a global corporate network with 153 individual IP prefixes in your internal routing table.
You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW). All instances in the VPC must be able to route to the Internet via the IGW and route to the global corporate network via the VGW.
How should you configure your on-premises BGP peer to meet these requirements?

  • A. Summarize your prefix announcement to less than 100
  • B. Announce a default route to the VPC over the BGP session
  • C. Configure AS-Prepending on your BGP session
  • D. Enable route propagation on the VPC route table

Answer: A

Explanation:
A private virtual interface accepts at most 100 prefixes per BGP session; advertising more puts the session into the idle state, so the 153 prefixes must be summarised. A default route (B) cannot be used because 0.0.0.0/0 in the VPC route table must point to the Internet gateway, AS path prepending (C) only influences path selection, and route propagation (D) is a VPC-side setting that does not change what the on-premises peer announces.
https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

 

NEW QUESTION 26
A company's IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?

  • A. Enable Amazon GuardDuty on the account and specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.
  • B. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the Security team.
  • C. Enable Amazon GuardDuty on the account and the specific region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the Security team.
  • D. Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the Security team.

Answer: B

Explanation:
Network ACLs are the subnet-level control that can restrict every server to the five approved destinations; because NACLs are stateless, the allow entries must cover both directions, including the ephemeral return ports. Logging only REJECT records keeps the flow log small, and a CloudWatch Logs metric filter plus alarm costs far less than GuardDuty plus a SIEM (A) and avoids logging ALL traffic (D). GuardDuty threat and trusted IP lists (A, C) tune findings; they do not enforce an allow list.

 

NEW QUESTION 27
Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account.
Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.
Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Select two.)

  • A. Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.
  • B. Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.
  • C. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.
  • D. Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.
  • E. Update the Route 53 private hosted zone's VPC associations to include the new VPC.

Answer: D,E

Explanation:
Records in a private hosted zone are only resolvable from VPCs associated with the zone (E), through each VPC's Route 53 resolver at the VPC base address plus two. That resolver is not reachable from outside the VPC, so at the time of this exam the on-premises DNS had to forward to DNS proxies running on EC2 inside an associated VPC (D); Route 53 Resolver inbound endpoints now replace those proxies. The public Route 53 name servers (A, B) do not serve private hosted zones, and changing the DHCP options set (B, C) affects only instances inside the new VPC.

 

NEW QUESTION 28
Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC's IP allocation.
Which method allows for efficient, automated integration of the IPAM with CloudFormation?

  • A. AWS CloudFormation custom resource using an AWS Lambda invocation.
  • B. CloudFormation::OpsWorks::Stack with custom Chef configuration.
  • C. AWS CloudFormation parameters using the "Fn::FindInMap" intrinsic function.
  • D. AWS CloudFormation parameters using the "Ref::" intrinsic function

Answer: A

Explanation:
When a custom resource is created, updated, or deleted, AWS CloudFormation sends the request to an Amazon Simple Notification Service (Amazon SNS) topic or invokes an AWS Lambda function, which must answer SUCCESS or FAILED through the pre-signed ResponseURL carried in the event. A Lambda-backed custom resource can therefore call the IPAM API on Create to allocate the VPC's addresses, expose them through its Data attributes for other resources to reference, and call the IPAM again on Delete to reclaim them. Mappings and Ref (C, D) are static lookups inside the template and cannot call an external API; OpsWorks (B) would add a Chef stack just to make one API call.
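The shape of such a handler, as an added example that is not part of the original page. The IPAM client is a stand-in with an assumed allocate/release API, the property names (VpcName, Cidr) are assumptions, and the event and response field names are the ones CloudFormation uses for custom resources.

```python
# Added example (not from the original page): a Lambda-backed custom resource
# that allocates a CIDR from an IPAM on Create and reclaims it on Delete.
# StubIpam stands in for the organisation's IPAM API (assumed interface).
import json
import urllib.request


class StubIpam:
    """Stand-in for the IPAM API. A real handler would call the IPAM over
    HTTPS with a credential fetched from Secrets Manager, never hard-coded."""

    def __init__(self, pool):
        self.free = list(pool)
        self.allocated = {}          # cidr -> owner

    def allocate(self, owner: str) -> str:
        if not self.free:
            raise RuntimeError("IPAM pool exhausted")
        cidr = self.free.pop(0)
        self.allocated[cidr] = owner
        return cidr

    def release(self, cidr: str) -> bool:
        if cidr in self.allocated:
            del self.allocated[cidr]
            self.free.append(cidr)
            return True
        return False


def build_response(event, status, physical_id, data=None, reason=""):
    """Body CloudFormation expects to be PUT to event['ResponseURL']."""
    return {
        "Status": status,                       # "SUCCESS" or "FAILED"
        "Reason": reason or "see CloudWatch Logs",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def handle(event, ipam) -> dict:
    """Create/Update/Delete logic. The CIDR doubles as PhysicalResourceId, so
    an Update that needs a new allocation returns a new id and CloudFormation
    then sends Delete for the old one (its standard replacement flow)."""
    req = event["RequestType"]
    props = event.get("ResourceProperties", {})
    owner = props.get("VpcName", event["StackId"])
    try:
        if req == "Create":
            cidr = ipam.allocate(owner)
            return build_response(event, "SUCCESS", cidr, {"Cidr": cidr})
        if req == "Update":
            old = event.get("OldResourceProperties", {})
            if old.get("VpcName") == props.get("VpcName"):
                pid = event["PhysicalResourceId"]   # nothing relevant changed
                return build_response(event, "SUCCESS", pid, {"Cidr": pid})
            cidr = ipam.allocate(owner)             # replacement
            return build_response(event, "SUCCESS", cidr, {"Cidr": cidr})
        if req == "Delete":
            # Must succeed even if the allocation is already gone (or Create
            # failed before allocating), or the whole stack becomes undeletable.
            ipam.release(event["PhysicalResourceId"])
            return build_response(event, "SUCCESS", event["PhysicalResourceId"])
        return build_response(event, "FAILED", event.get("PhysicalResourceId", "none"),
                              reason=f"unknown RequestType {req}")
    except Exception as exc:   # report it; never let the stack wait for a timeout
        pid = event.get("PhysicalResourceId", "allocation-failed")
        return build_response(event, "FAILED", pid, reason=str(exc))


def send(event, body):
    """PUT the callback to the pre-signed URL (network call, not run in the test)."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(event["ResponseURL"], data=data, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10)


def lambda_handler(event, context, ipam=None):
    body = handle(event, ipam or StubIpam(["10.10.0.0/16", "10.11.0.0/16"]))
    send(event, body)
    return body
```

Two details matter operationally: Delete must return SUCCESS for ids it does not know (a failed Create still gets a Delete for the placeholder id), and a failure must be reported as FAILED with a reason rather than raised, otherwise CloudFormation waits the full timeout before rolling back.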

 

NEW QUESTION 29
A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy.
Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone. What is the MOST reliable way to implement DNS in this scenario?

  • A. Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
  • B. Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
  • C. Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
  • D. Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.

Answer: D

Explanation:
Route 53 Resolver is a managed service present in every VPC and every Availability Zone, private hosted zones can be associated with VPCs across accounts, and Resolver inbound and outbound endpoints (one ENI per Availability Zone) carry the hybrid resolution to and from on-premises servers. Self-managed proxy fleets (B, C) must be sized, patched and kept available in every Availability Zone of every VPC, and pointing all VPCs at on-premises servers over Direct Connect (A) makes every lookup depend on that link.

 

NEW QUESTION 30
Imagine you are using AWS Direct Connect with just one connection from your router to the AWS Direct Connect router. If your connection becomes unavailable, the communication with AWS cloud is lost. What is the best method to prevent this from happening?

  • A. AWS Direct connect does not have a provision to prevent the situation but when you design the system, it is recommended to request a back-up instance to which the traffic can be re-routed.
  • B. AWS Direct Connect neither provides BGP nor provides the failover.
  • C. AWS Direct Connect recommends that you request and configure two dedicated connections to AWS either using BGP Multipath (Active/Active) connection or the failover (Active/Passive) connection.
  • D. AWS Direct Connect recommends to have the same configuration set up in a multi AZ zone to prevent such loss in connections.

Answer: C

Explanation:
When configuring redundant connections with the AWS Direct Connect, and to provide for failover, we recommend that you request and configure two dedicated connections to the AWS.
There are different configuration choices available when you provision two dedicated connections. You can either use Active/Active (BGP multipath) connection or Active/Passive (failover) connection to configure the two dedicated connections.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantCo nnections

 

NEW QUESTION 31
In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS.
These connections can terminate on one or two routers in your network. You can do this while
__________________ with AWS Direct Connect step.

  • A. verifying your Virtual Interface
  • B. configuring redundant connections
  • C. creating a Virtual Interface
  • D. completing the cross-connect

Answer: B

Explanation:
In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS.
These connections can terminate on one or two routers in your network. You can do this in Configure Redundant Connections with AWS Direct Connect step.
Reference:
http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#RedundantCo nnections

 

NEW QUESTION 32
An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the 'Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  OriginatingVPCId:
    Type: String
  RemoteVPCId:
    Type: String
  RemoteVPCAccountId:
    Type: String
Resources:
  newVPCPeeringConnection:
    Type: 'AWS::EC2::VPCPeeringConnection'
    Properties:
      VpcId: !Ref OriginatingVPCId
      PeerVpcId: !Ref RemoteVPCId
      PeerOwnerId: !Ref RemoteVPCAccountId
Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

  • A. Resources: NewEC2SecurityGroup: Type: AWS::EC2::SecurityGroup
  • B. Resources: newVPCPeeringConnection: Type: 'AWS::EC2::VPCPeeringConnection' PeerRoleArn: !Ref PeerRoleArn
  • C. Resources: NetworkInterfaceToRemoteVPC: Type: "AWS::EC2::NetworkInterface"
  • D. Resources: VPCGatewayToRemoteVPC: Type: "AWS::EC2::VPCGatewayAttachment"
  • E. Resources: newEC2Route: Type: AWS::EC2::Route

Answer: B,E

Explanation:
For a cross-account peering, AWS::EC2::VPCPeeringConnection needs PeerRoleArn (B): an IAM role in the accepter ("Remote") account whose trust policy allows the originating account to assume it and whose permissions allow ec2:AcceptVpcPeeringConnection, which CloudFormation assumes to accept the request on the remote side. Keep that role to exactly that action. A peering connection carries no traffic until each VPC's route table has a route for the peer CIDR with the connection as target, so an AWS::EC2::Route (E) is also required. Peering needs no security group, network interface or gateway attachment (A, C, D).
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html

 

NEW QUESTION 33
You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?

  • A. The outbound security group is blocking the traffic.
  • B. The outbound network access control list is blocking the traffic
  • C. The inbound network access control list is blocking the traffic
  • D. The inbound security group is blocking the traffic.

Answer: B

Explanation:
The first record shows the echo requests from 10.123.234.78 accepted inbound for the whole interval; the second shows the instance's replies accepted until 1432917082, and the third shows the same replies rejected from 1432917094 onwards. A security group is stateful: once the inbound request is admitted, its reply is allowed out regardless of outbound rules, so A and D cannot produce this pattern, and C would have rejected the requests themselves. Only the stateless outbound network ACL evaluates the replies on their own, so that is what is blocking them.
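A small flow log reader covering both question 26 (flag connections outside an approved list and the REJECT filter that drives the alarm) and question 33 (explain a blocked ICMP reply), as an added example that is not part of the original page. The field layout is the default version-2 format; the sample set is the three records printed above plus constructed extras, and the approved-address set is constructed.

```python
# Added example (not from the original page): parse default-format VPC Flow Log
# records, flag egress outside an allow list, and mechanise the stateful/
# stateless reasoning behind a rejected ICMP reply.
from dataclasses import dataclass
from typing import Optional

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ICMP, TCP = 1, 6

# CloudWatch Logs metric-filter pattern for question 26's notification: matches
# default-format records whose action field is REJECT (space-delimited syntax).
REJECT_FILTER = ("[version, account, eni, source, destination, srcport, destport, "
                 "protocol, packets, bytes, windowstart, windowend, "
                 'action="REJECT", flowlogstatus]')


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    start: int
    end: int
    action: str


def parse(line: str) -> Optional[FlowRecord]:
    """Parse one record; NODATA/SKIPDATA records carry '-' in most fields and
    are returned as None. A wrong field count is an error, not silently skipped."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    if f["log_status"] != "OK":
        return None
    return FlowRecord(f["interface_id"], f["srcaddr"], f["dstaddr"],
                      int(f["srcport"]), int(f["dstport"]), int(f["protocol"]),
                      int(f["packets"]), int(f["start"]), int(f["end"]), f["action"])


def disallowed_egress(records, instance_ips, allowed_ips):
    """Connections from our servers to anything outside the approved list.
    With the allow-list NACL in place these show as REJECT; an ACCEPT here means
    the NACL is not doing its job and deserves an alarm of its own."""
    hits = {(r.dstaddr, r.action) for r in records
            if r.srcaddr in instance_ips and r.dstaddr not in allowed_ips}
    return sorted(hits)


def diagnose_blocked_reply(records, instance_ip):
    """Flow logs do not say which filter rejected a packet, but a security group
    is stateful: once the inbound request was ACCEPTed its reply cannot be
    dropped by the security group. Accepted inbound ICMP plus rejected outbound
    ICMP therefore points at the stateless outbound network ACL."""
    icmp = [r for r in records if r.protocol == ICMP]
    inbound_ok = any(r.dstaddr == instance_ip and r.action == "ACCEPT" for r in icmp)
    reply_rejected = any(r.srcaddr == instance_ip and r.action == "REJECT" for r in icmp)
    if inbound_ok and reply_rejected:
        return "outbound network ACL"
    if not inbound_ok:
        return "inbound security group or network ACL"
    return "no block visible in these records"


# Question 33's three records, then constructed extras: a rejected TCP
# connection to a non-approved address, an accepted one to an approved
# address, and a NODATA record that must be skipped.
SAMPLE = [
    "2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK",
    "2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK",
    "2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK",
    "2 123456789010 eni-1235b8ca 172.11.22.33 198.51.100.9 49152 443 6 3 180 1432917100 1432917160 REJECT OK",
    "2 123456789010 eni-1235b8ca 172.11.22.33 203.0.113.5 49153 443 6 20 4000 1432917100 1432917160 ACCEPT OK",
    "2 123456789010 eni-1235b8ca - - - - - - - 1432917100 1432917160 - NODATA",
]
INSTANCE = "172.11.22.33"
APPROVED = {"203.0.113.5", "10.123.234.78"}   # constructed approved list
```

Run the allow-list check over every ENI in the subnet, not just one, and remember that a REJECT-only flow log cannot show you accepted traffic to an address that should not have been reachable; if that matters, log ALL or reconcile the NACL itself.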

 

NEW QUESTION 34
Your company's policy requires that all VPCs peer with a "common services" VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common services VPC as required by policy. You launch an Amazon EC2 Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC.
The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.
Which step should you take to enable access to Amazon S3?

  • A. Update the S3 bucket policy with the private IP address of the instance.
  • B. Exclude 169.254.169.0/24 from the instance's proxy configuration.
  • C. Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.
  • D. Update the CORS configuration for Amazon S3 to allow traffic from the proxy.

Answer: B

Explanation:
The application obtains its role credentials from the instance metadata service at 169.254.169.254, a link-local address that must be reached directly from the instance. With the proxy configured for all traffic, the credential request is sent to the proxies in the other VPC, never reaches the metadata service, and the SDK ends up making unsigned calls that S3 refuses with 403. Excluding the metadata range from the proxy settings fixes this. A VPC endpoint (C) is not a subnet-level resource and does not change where credential requests go, CORS (D) governs browser cross-origin requests, and the instance's private address (A) is not what S3 sees.
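What the proxy exclusion looks like for an application that reads the standard proxy variables, as an added example that is not part of the original page. It uses Python's urllib; the proxy address is an assumption, and the IMDSv2 token and credential fetches are shown but need a real instance to run. A Windows application using WinHTTP or .NET proxy settings needs the equivalent bypass entry in that stack's own configuration.

```python
# Added example (not from the original page): keep instance-metadata calls off
# the layer 7 proxy while everything else is proxied, then fetch IMDSv2
# credentials directly. Proxy host is an assumption.
import json
import os
import urllib.request

IMDS_HOST = "169.254.169.254"
IMDS_BASE = f"http://{IMDS_HOST}/latest"


def configure_proxy_env(http_proxy: str, no_proxy: str) -> None:
    """Set the variables urllib (and the AWS CLI/SDKs that read the standard
    proxy variables) honour. Python matches NO_PROXY entries by host name or
    literal address, not by CIDR, so list the metadata address itself rather
    than 169.254.169.0/24."""
    for name in ("HTTP_PROXY", "http_proxy", "HTTPS_PROXY", "https_proxy"):
        os.environ[name] = http_proxy
    for name in ("NO_PROXY", "no_proxy"):
        os.environ[name] = no_proxy


def goes_direct(host: str) -> bool:
    """True when urllib would bypass the proxy for this host."""
    return bool(urllib.request.proxy_bypass(host))


def make_opener() -> urllib.request.OpenerDirector:
    """Opener that proxies everything except the NO_PROXY list."""
    return urllib.request.build_opener(urllib.request.ProxyHandler())


def imdsv2_token(opener, ttl_seconds: int = 21600) -> str:
    """IMDSv2 session token (PUT); network call, not run in the test.
    IMDSv2 is preferred because the token step defeats simple SSRF relays."""
    req = urllib.request.Request(
        f"{IMDS_BASE}/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with opener.open(req, timeout=2) as resp:
        return resp.read().decode()


def role_credentials(opener, token: str, role_name: str) -> dict:
    """Temporary credentials for the instance role; network call, not run in the test."""
    req = urllib.request.Request(
        f"{IMDS_BASE}/meta-data/iam/security-credentials/{role_name}",
        headers={"X-aws-ec2-metadata-token": token})
    with opener.open(req, timeout=2) as resp:
        return json.load(resp)
```

With NO_PROXY containing 169.254.169.254 the token and credential requests go to the link-local address directly and every other request still goes through the common services proxies.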

 

NEW QUESTION 35
A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected.
What is causing this issue?

  • A. The security group on the instances does not allow PMTUD.
  • B. The internet gateway only supports an MTU of 1500 bytes.
  • C. An Amazon EC2 instance expects to communicate with an MTU of 9001.
  • D. The NAT gateway does not support fragmented packets.

Answer: A

Explanation:
A NAT gateway supports an MTU of 1500 bytes, so a larger packet with the Don't Fragment bit set is dropped and an ICMP Destination Unreachable (type 3, code 4, fragmentation needed) message is returned to the sender; path MTU discovery relies on that message to shrink the segments. If the instance's security group does not allow that inbound ICMP message, the one feed that sends large segments keeps being dropped silently and the connection hangs while the others work.

 

NEW QUESTION 36
You have a global corporate network with 153 individual IP prefixes in your internal routing table. You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW).
All instances in the VPC must be able to route to the Internet via an IGW and route to the global corporate network via the VGW.
How should you configure your on-premises BGP peer to meet these requirements?

  • A. Announce a default route to the VPC over the BGP session
  • B. Configure AS-Prepending on your BGP session
  • C. Summarize your prefix announcement to less than 100
  • D. Enable route propagation on the VPC route table

Answer: C

Explanation:
As in question 25: a private virtual interface accepts at most 100 prefixes per BGP session, so the on-premises peer must summarise its announcement. A default route conflicts with the VPC's 0.0.0.0/0 route to the Internet gateway, AS path prepending does not reduce the prefix count, and route propagation is configured on the VPC route table, not on the on-premises BGP peer.

 

NEW QUESTION 37
An organization has created a web application inside a VPC and wants to make it available to 200 client VPCs. The client VPCs are in the same region but are owned by other business units within the organization.
What is the best way to meet this requirement, without making the application publicly available?

  • A. Deploy the web application behind an internal Application Load Balancer and control which clients have access by using security groups.
  • B. Configure the application as an AWS PrivateLink-powered service, and have the client VPCs connect to the endpoint service by using an interface VPC endpoint.
  • C. Enable VPC peering between the web application VPC and all client VPCs.
  • D. Deploy the web application behind an internet-facing Application Load Balancer and control which clients have access by using security groups.

Answer: B

Explanation:
An AWS PrivateLink endpoint service (fronted by a Network Load Balancer) lets each client VPC create an interface endpoint in its own address space, with access controlled by the endpoint service's allowed principals and by security groups, and it scales to 200 consumers with no CIDR coordination. VPC peering (C) is capped at 125 peers per VPC and needs non-overlapping address space, an internal ALB (A) is unreachable from other VPCs without peering, and an internet-facing ALB (D) makes the application public.

 

NEW QUESTION 38
A manufacturing company has a hybrid environment that includes an AWS Direct Connect gateway that is associated with an AWS Transit Gateway. The company wants to extend a third-party application that is hosted in its on-premises data center into one of its VPCs. The application vendor has stated that it must use an overlay IP address to meet the company's requirement for high availability. The DHCP administrator has assigned a non-overlapping RFC 1918 private address for use as the overlay IP address. The security team requires connectivity to remain private. Which solution meets these requirements with the LEAST management overhead?

  • A. Create a layer 2 VPN across a public VIF by using a software-based VPN on a pair of Amazon EC2 instances. Use BGP to advertise the routes over the VPN.
  • B. Create a transit VIF. Then create static routes in the transit gateway route table to point to the VPC that contains the overlay IP address. Create static routes in the VPC route table that point to the transit gateway. Update the route tables on premises as needed.
  • C. Create a transit VIF with automatically propagated routes in the transit gateway route table. Create a new subnet in the VPC for the overlay IP address, and propagate the route to the VPC route table. Update the route tables on premises as needed.
  • D. Create an external Network Load Balancer by using Amazon Route 53 to create records that point to the target application's overlay IP address. Create static entries in the VPC route table.

Answer: B

 

NEW QUESTION 39
A Systems Administrator is designing a hybrid DNS solution with split-view. The apex domain "example.com" should be served through name servers across multiple top-level domains (TLDs). The name server for subdomain "dev.example.com" should reside on-premises. The administrator has decided to use Amazon Route 53 to achieve this scenario.
What procedural steps must be taken to implement the solution?

  • A. Use a Route 53 public and private hosted zone for example.com and perform subdomain delegation for dev.example.com
  • B. Use a Route 53 public hosted zone for example.com and perform subdomain delegation for dev.example.com
  • C. Use a Route 53 private hosted zone for example.com and perform subdomain delegation for dev.example.com
  • D. Use a Route 53 public hosted zone for example.com and a private hosted zone for dev.example.com

Answer: B

Explanation:
A Route 53 public hosted zone is served by four name servers spread across several top-level domains (.com, .net, .org, .co.uk), which is exactly what the apex requirement describes. Delegating dev.example.com means creating an NS record set for dev.example.com in the example.com public hosted zone that points at the on-premises name servers. A private hosted zone (C, D) is visible only inside its associated VPCs, not from the public name servers the requirement asks for, and option D performs no delegation at all.

 

NEW QUESTION 40
You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

  • A. Packet sniffing at the VPC level
  • B. VPC flow logs at the subnet level
  • C. CloudWatch Logs at the VPC level
  • D. Packet sniffing at the instance level

Answer: D

Explanation:
VPC Flow Logs capture layer 3/4 metadata only (addresses, ports, protocol, ACCEPT or REJECT) and nothing about the application protocol, and neither "packet sniffing at the VPC level" nor "CloudWatch Logs at the VPC level" is a capability that reads packets. Layer 7 logging requires capturing the traffic on the instance itself, for example with tcpdump or a host agent.

 

NEW QUESTION 41
An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication.
Which of the following options meets the organization's requirements?

  • A. Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.
  • B. Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.
  • C. Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.
  • D. Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.

Answer: D

Explanation:
At the time of this exam neither the Application Load Balancer nor the Classic Load Balancer could validate client certificates: both terminate TLS with a server certificate, and SNI only selects which server certificate to present. Uploading the clients' private keys (B, C) is also wrong in principle, since the client keeps its private key and presents only its certificate. API Gateway's option (A) describes the gateway authenticating to the backend, not the calling client. A Network Load Balancer with a TCP listener passes the TLS session through untouched, so the backend instances terminate TLS and verify the client certificate themselves.

 

NEW QUESTION 42
You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? Choose the 2 correct answers:

  • A. Ensure you choose instances that use enhanced networking.
  • B. Create two subnets in different AZs and create a placement group.
  • C. Create two subnets in the same AZ and create a placement group.
  • D. Set the MTU of your instances to 1500.

Answer: A,C

Explanation:
A cluster placement group is confined to a single Availability Zone and gives the lowest network latency between its instances, so the two subnets must be in the same AZ (C), and enhanced networking (A) is needed to benefit from it. Peered VPCs in the same Region support jumbo frames, so forcing the MTU down to 1500 (D) reduces throughput rather than improving it.

 

NEW QUESTION 44
......
