AWS-Advanced-Networking-Specialty practice question PDF with a 100% pass guarantee
AWS-Advanced-Networking-Specialty brain-dump question set with the latest real exam questions: 155 questions as of January 29, 2022
Exam scope of the Amazon AWS-Advanced-Networking-Specialty certification:
| Topic | Scope |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
| Topic 6 | |
| Topic 7 | |
| Topic 8 | |
| Topic 9 | |
| Topic 10 | |
| Topic 11 | |
Question 14
An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the 'Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  OriginatingVPCId:
    Type: String
  RemoteVPCId:
    Type: String
  RemoteVPCAccountId:
    Type: String
Resources:
  newVPCPeeringConnection:
    Type: 'AWS::EC2::VPCPeeringConnection'
    Properties:
      VpcId: !Ref OriginatingVPCId
      PeerVpcId: !Ref RemoteVPCId
      PeerOwnerId: !Ref RemoteVPCAccountId
```
Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)
- A. Resources: NetworkInterfaceToRemoteVPC: Type: "AWS::EC2::NetworkInterface"
- B. Resources: newEC2Route: Type: AWS::EC2::Route
- C. Resources: VPCGatewayToRemoteVPC: Type: "AWS::EC2::VPCGatewayAttachment"
- D. Resources: NewEC2SecurityGroup: Type: AWS::EC2::SecurityGroup
- E. Resources: newVPCPeeringConnection: Type: 'AWS::EC2::VPCPeeringConnection' PeerRoleArn: !Ref PeerRoleArn
Correct answer: B, E
Explanation:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html
Question 15
A legacy, on-premises web application cannot be load balanced effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic monitoring needs. Which of the following designs will meet these requirements?
- A. Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.
- B. Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.
- C. Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.
- D. Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.
Correct answer: B
Question 16
A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.
Which of the following actions meet the requirements? (Select two.)
- A. The ElastiCache server outbound security group rules must be configured to permit the Lambda function's security group.
- B. The Lambda function must be assigned a public IP address to access the public Amazon SQS API.
- C. The Lambda function needs an IAM role to access Amazon SQS
- D. The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.
- E. The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the public SQS API.
Correct answer: B, C
Explanation:
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/
Question 17
Which of these is not a requirement to set up a DX connection? Choose the correct answer:
- A. Support for 802.1q VLANs
- B. Single mode fiber capability
- C. BGP MD5 Authentication
- D. Autonegotiation enabled
Correct answer: D
Explanation:
Autonegotiation must be disabled.
Question 18
A team implements a highly available solution using Amazon AppStream 2.0. The AppStream 2.0 fleet needs to communicate with resources both in an existing VPC and on-premises. The VPC is connected to the on-premises environment using an AWS Direct Connect private virtual interface.
What implementation enables on-premises users to connect to AppStream and existing VPC resources?
- A. Deploy two subnets into the existing VPC. Add a public virtual interface to the Direct Connect connection for users to access the AppStream endpoint
- B. Deploy a new VPC with two subnets. Create a VPC peering connection between the two VPCs for users to access the AppStream endpoint.
- C. Deploy two subnets into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
- D. Deploy one subnet into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
Correct answer: A
Question 19
A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.
Which of the following actions meet the requirements? (Select two.)
- A. The ElastiCache server outbound security group rules must be configured to permit the Lambda function's security group.
- B. The Lambda function must be assigned a public IP address to access the public Amazon SQS API.
- C. The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the public SQS API.
- D. The Lambda function needs an IAM role to access Amazon SQS
- E. The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.
Correct answer: C, D
Explanation:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
Question 20
A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected.
What is causing this issue?
- A. The NAT gateway does not support fragmented packets.
- B. The security group on the instances does not allow PMTUD.
- C. The internet gateway only supports an MTU of 1500 bytes.
- D. An Amazon EC2 instance expects to communicate with an MTU of 9001.
Correct answer: B
Question 21
You have a website hosted on EC2 that is not serving web pages. You have ensured that the server is running and the site is configured properly. What could be the problem? Choose the correct answer:
- A. Your NACL does not allow port 80 outbound.
- B. Your NACL does not allow ports 1024-65535 outbound.
- C. Your security group does not allow outbound traffic.
- D. Your NACL does not allow ports 1024-65535 inbound.
Correct answer: B
Explanation:
The ephemeral ports 1024-65535 are required outbound for return traffic. For the server to access websites, those same ports need to be allowed inbound.
Question 22
After setting an AWS Direct Connect, which of the following cannot be done with an AWS Direct Connect Virtual Interface?
- A. You can create a hosted virtual interface.
- B. You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface.
- C. You can change the region of your virtual interface.
- D. You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
Correct answer: B
Explanation:
You must create a virtual interface to begin using your AWS Direct Connect connection. You can create a public virtual interface to connect to public resources or a private virtual interface to connect to your VPC. Also, it is possible to configure multiple virtual interfaces on a single AWS Direct Connect connection, and you'll need one private virtual interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key. To use your AWS Direct Connect connection with another AWS account, you can create a hosted virtual interface for that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public resources or a VPC.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
Question 23
You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any URL.
Which of the following solutions should you deploy? (Select two.)
- A. Run Squid proxy on a NAT instance.
- B. Include s3.amazonaws.com in the whitelist.
- C. Create a VPC endpoint for S3.
- D. Utilize a security group to restrict access.
- E. Deploy a NAT gateway into your VPC.
Correct answer: A, C
Explanation:
https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-con
Question 24
A Network Engineer is troubleshooting a network connectivity issue for an instance within a public subnet that cannot connect to the internet. The first step the Engineer takes is to SSH to the instance via a local bastion within the VPC and runs an ifconfig command to inspect the IP addresses configured on the instance. The output is as follows:
The Engineer notices that the command output does not contain a public IP address. In the AWS Management Console, the public subnet has a route to the internet gateway. The instance also has a public IP address associated with it.
What should the Engineer do next to troubleshoot this situation?
- A. Evaluate the security groups and the network access control list.
- B. Associate an Elastic IP address to the interface.
- C. Configure the public IP on the interface.
- D. Disable source/destination checking for the instance.
Correct answer: D
Question 25
You have an application that is processing confidential data. The data is currently stored in your data center. You are moving workloads to AWS, and you need to ensure confidentiality and integrity of the data in transit to your VPC. Your company has an existing AWS Direct Connect connection.
What combination of steps should you perform to set up the most cost-effective connection between your on-premises data center and AWS? (Choose 3)
- A. Configure a public virtual interface on your Direct Connect connection.
- B. Set up a VPC with an Internet gateway.
- C. Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC.
- D. Set up a VPC with a virtual private gateway.
- E. Configure a private virtual interface to the virtual private gateway.
- F. Set up an IPsec tunnel between your customer gateway appliance and the virtual private gateway.
Correct answer: A, D, F
Explanation:
Setting up a VPN over your Direct Connect connection will secure the data in transit. The steps to do so are: adding a VGW to the VPC; setting up a public virtual interface; and creating the IPsec tunnel between your data center and the VGW via the public virtual interface. B would send traffic over the public Internet. D is not possible because a public virtual interface is needed to announce the VGW endpoint IPs. E would not take advantage of the already existing Direct Connect connection.
Question 26
Your organization's corporate website must be available on www.acme.com and acme.com.
How should you configure Amazon Route 53 to meet this requirement?
- A. Configure acme.com with a CNAME record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
- B. Configure acme.com with an A record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
- C. Configure acme.com with an ALIAS record targeting the ELB. www.acme.com with an ALIAS record targeting the ELB.
- D. Configure acme.com using a second ALIAS record with the ELB target. www.acme.com using a PTR record with the acme.com record target.
Correct answer: C
Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
Question 27
You deploy your Internet-facing application in the us-west-2 (Oregon) region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.
You need to deploy another identical instance of the application in us-east-1 (N. Virginia) as soon as possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.
Which design should you choose?
- A. Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
- B. Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.
- C. Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
- D. Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
Correct answer: C
Explanation:
https://aws.amazon.com/blogs/aws/aws-direct-connect-access-to-multiple-us-regions/
Question 28
A computing team is evaluating whether to place a high performance computing (HPC) application in AWS. The team is concerned about application performance and wants to know what options are available to increase networking performance.
Which of the following changes would increase performance for this application? (Choose two.)
- A. Enable an MTU of 9001 in the application's operating system.
- B. Place the application across many smaller instances to achieve higher total throughput.
- C. Deploy the application in two Availability Zones and insert them in one placement group.
- D. Enable enhanced networking on the instances.
- E. Increase the MTU of the VPC to 9001.
Correct answer: D, E
Question 29
A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?
- A. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
- B. Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
- C. Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.
- D. Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
Correct answer: D
Question 30
You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.
Which three factors that must be supported should you consider when choosing the customer router? (Select three.)
- A. 802.1q trunking
- B. 802.1ax or 802.3ad link aggregation
- C. 1-Gbps copper connectivity
- D. single-mode optical fiber connectivity
- E. BGP
- F. OSPF
Correct answer: A, D, E
Explanation:
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html#overview_requirements
Question 31
A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25 customers. The company creates a unique hostname for each customer to use to access the application. Hostnames use the format customer-name.example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application. When a customer visits customer-name.example.com, the ALB should route the request to the correct group of EC2 instances. The company requires a highly available solution that is easy to maintain. Which solution meets these requirements at the LOWEST cost?
- A. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Create an Amazon CloudFront distribution. Add each ALB to the distribution as a custom origin. Use Amazon Route 53 to create an alias for each customer-name.example.com hostname that points to the CloudFront distribution.
- B. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Configure an NGINX proxy server to manage connections to each ALB. Use Amazon Route 53 to create a CNAME record for each customer-name.example.com hostname that points to the NGINX proxy server.
- C. Create one ALB for all customers. Create a listener rule that includes a Host header condition to match the hostname. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
- D. Create one ALB for all customers. Create a listener rule that includes an HTTP header condition to match the URL. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
Correct answer: D
Question 32
Refer to the image.
You have three VPCs: A, B, and C.
VPCs A and C are both peered with VPC B.
The IP address ranges are as follows:
* VPC A: 10.0.0.0/16
* VPC B: 192.168.0.0/16
* VPC C: 10.0.0.0/16
Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10.
Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively. i-3 and i-4 are in the subnet 192.168.1.0/24.
* i-3 must be able to communicate with i-1
* i-4 must be able to communicate with i-2
* i-3 and i-4 are able to communicate with i-1, but not with i-2.
Which two steps will fix this problem? (Select two.)
- A. Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
- B. Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
- C. Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
- D. Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.
- E. Create two route tables: one with a route for destination VPC A, and another for destination VPC C.
Correct answer: C, D
Question 33
You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?
Choose the correct answer:
- A. You need to add a deny rule outbound also since NACLs are stateful.
- B. A NACL can't protect against a DDoS.
- C. You configured the rule number to be too low.
- D. The DDoS isn't a TCP attack.
Correct answer: D
Explanation:
The DDoS isn't a TCP attack (this time). A DDoS can use several different protocols. NACLs are stateless. The lower the rule number, the higher the priority.
Question 34
A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connections. You configure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.
What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?
- A. Change the BGP advertisements from the corporate network to only be a default route.
- B. Attach the second virtual interface to an alternative virtual private gateway.
- C. Attach the virtual private gateway to a VPC and enable route propagation.
- D. Filter the public IP prefixes on the corporate network from the private virtual interface.
Correct answer: A
Explanation:
https://aws.amazon.com/es/premiumsupport/knowledge-center/virtual-interface-bgp-down/
Question 35
A company hosts several applications in the AWS Cloud across multiple VPCs that are connected to a transit gateway. Redundant AWS Direct Connect connections and a Direct Connect gateway provide private network connectivity to the company's on-premises environment. During a maintenance window, the networking team adds eight VPCs. The application management team notices that there is no reachability between the newly created VPCs and the on-premises environment. Connectivity between all VPCs through the transit gateway is working as expected.
Which of the following are possible causes of the connectivity issues? (Choose TWO)
- A. The prefixes that are advertised from the Direct Connect gateway to the on-premises router do not contain the CIDR blocks of the newly created VPCs
- B. The route tables for the newly created VPCs have only summary routes for the on-premises environment that point to the transit gateway attachment.
- C. The route tables for the newly created VPCs do not have the routes to the on-premises environment that point to the transit gateway attachment.
- D. The on-premises route tables do not contain the exact CIDR blocks of the newly created VPCs
- E. The prefixes that are advertised from the Direct Connect gateway to the on-premises router are shorter than the CIDR blocks of the newly created VPCs
Correct answer: B, E
Question 36
An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.
Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: "There are not enough free addresses in subnet 'subnet-12345677' to satisfy the requested number of instances."
What action will resolve the availability problem?
- A. Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
- B. Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
- C. Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.
- D. Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
Correct answer: D
Question 37
Which of the following physical layer standards is required for connection to AWS Direct Connect over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable?
- A. Multi mode fiber, 1000BASE-SX for 1 gigabit Ethernet, or 10GBASE-SR for 10 gigabit Ethernet
- B. Multi mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-ER for 10 gigabit Ethernet
- C. Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-ER for 10 gigabit Ethernet
- D. Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-LR for 10 gigabit Ethernet
Correct answer: D
Explanation:
Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Question 38
......