Question 1

A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone

What is the MOST reliable way to implement DNS in this scenario?

ACreate a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.

BCreate private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.

CModify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.

DCreate a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.

Answer : C

Question 2

A company wants to migrate its workloads to the AWS Cloud. The company has two web applications and wants to run them in separate, isolated VPCs. The company needs to use Elastic Load Balancing to distribute requests between application instances.

For security reasons, internet gateways must not be attached to the application VPCs. Inbound HTTP requests to the application must be routed through a centralized VPC. and the application VPCs must not be exposed to any other inbound traffic The application VPCs cannot be allowed to initiate any outbound connections

What should a network engineer do to meet these requirements?

ARun the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private DNS names of the ALBs Configure host-based routing to route application traffic to the corresponding target group through the NLB.

BRun the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private IP addresses of the ALBs Configure host-based routing to route application traffic to the corresponding target group through the NLB.

CRun the applications behind private Network Load Balancers (NLBs) in separate VPCs. Create VPC peering connections between the application VPCs and the centralized VPC. Create a public Application Load Balancer (ALB) in the centralized VPC. Create target groups for the private DNS names of the NLBs. Configure host-based routing to route application traffic between individual applications though the ALB.

DRun the applications behind private Network Load Balancers (NLBs) in
separate VPCs. Configure each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC Create target groups that include the private IP addresses of each endpoint. Create a public Application Load Balancer (ALB) in the centralized VPC. Configure host-based routing to route application traffic to the corresponding target group through the ALB.

Answer : D

Question 3

A VPC is deployed with a 10 0 0.0/16 CIDR block. The engineering team is reviewing DHCP options and there is disagreement about the valid DNS addresses available for the VPC Which addresses are valid IP addresses provided by Amazon for this subnet' (Select TWO.)

A8.8.8.8

B10.00.2

C10.1.0.2

D169.254.169.253

E169.254.169.254

Answer : B, D

Question 4

A company uses AWS Direct Connect lo connect its corporate network to multiple VPCs in the same AWS account and the same AVVS Region Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection

What is the MOST scalable way to add VPCs with on-premises connectivity?

AProvision a new Direct Connect connection to handle the additional VPCs Use the new connection to connect additional VPCs.

BCreate virtual private gateways for each VPC that is over the service quota Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network

CCreate a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network

DCreate a transit gateway and attach the VPCs Create a Direct Connect gateway, and associate it with the transit gateway Create a transit VIF to the Direct Connect gateway

Answer : D

Question 5

A company has established an AWS Direct Connect connection between its customer gateway at its on-premises data center and a virtual private gateway m the AWS Cloud The BGP routing protocol configuration includes the Autonomous System Number {ASN) of 7224 on the AWS end of the connection and the BGP ASN of 65004 on the company end of the connection

The company's IT administrators report that servers that run at the on-premises data center are not able to communicate with the company's web application that runs on a fleet of Amazon EC2 Instances A network engineer performs initial troubleshooting The network engineer finds that the private VIF is operational and that there is a fully established BGP peering session However, the company still cannot route traffic over the private VIF

Which of the following is a possible cause of this connectivity issue?

AFirewall or ACL rules are blocking TCP pod 179 or are blocking high-numbered ephemeral TCP pons

BThe provider is advertising 50 prefixes for private VIFs

CVPC route tables am lacking prefixes that point to the virtual private gateway to which the private VIF is connected

DPeer IP addresses for both sides of the BGP peering session are not configured correctly.