ANS-C01 Online Practice Questions and Answers

Questions 4

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group. In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface. How can the network engineer implement the required architecture?

A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.

B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.

C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.

D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Browse 189 Q&As
Questions 5

A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway. The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failover data center only in the case of an outage. Which solution will meet these requirements?

A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100. Set the BGP community tag for all prefixes from the failover data center to 7224:7300.

B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes from the failover data center to 7224:7100.

C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300. Set the BGP community tag for all prefixes from the failover data center to 7224:9100.

D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100. Set the BGP community tag for all prefixes from the failover data center to 7224:9300.

Questions 6

A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue. A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification, update metadata in DynamoDB, and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances. Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?

A. Place the EC2 instances in a public subnet. Disable the Auto-assign Public IP option while launching the EC2 instances. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.

B. Place the EC2 instances in a private subnet. Create a NAT gateway in a public subnet in the same Availability Zone. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.

C. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.

D. Place the EC2 instances in a private subnet. Create a gateway VPC endpoint for Amazon SQS. Create interface VPC endpoints for Amazon S3 and DynamoDB.

Questions 7

A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company's on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:

Application VPCs must be isolated from each other.

Bidirectional communication must be allowed between the application VPCs and the on-premises network.

Bidirectional communication must be allowed between the application VPCs and the shared services VPC.

The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC. The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables. Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)

A. Configure a separate transit gateway route table for on premises. Associate the VPN attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

B. Configure a separate transit gateway route table for each application VPC. Associate each application VPC attachment with its respective transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.

C. Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.

D. Configure a separate transit gateway route table for the shared services VPC. Associate the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

E. Configure a separate transit gateway route table for on premises and the shared services VPC. Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

Questions 8

A network engineer is designing hybrid connectivity with AWS Direct Connect and AWS Transit Gateway. A transit gateway is attached to a Direct Connect gateway and 19 VPCs across different AWS accounts. Two new VPCs are being attached to the transit gateway. The IP address administrator has assigned 10.0.32.0/21 to the first VPC and 10.0.40.0/21 to the second VPC. The prefix list has one CIDR block remaining before the prefix list reaches the quota for the maximum number of entries. What should the network engineer do to advertise the routes from AWS to on premises to meet these requirements?

A. Add 10.0.32.0/21 and 10.0.40.0/21 to both AWS managed prefix lists.

B. Add 10.0.32.0/21 and 10.0.40.0/21 to the allowed prefix list.

C. Add 10.0.32.0/20 to both AWS managed prefix lists.

D. Add 10.0.32.0/20 to the allowed prefix list.

Questions 9

A company is running a hybrid cloud environment. The company has multiple AWS accounts as part of an organization in AWS Organizations. The company needs a solution to manage a list of IPv4 on-premises hosts that will be allowed to access resources in AWS. The solution must provide version control for the list of IPv4 addresses and must make the list available to the AWS accounts in the organization. Which solution will meet these requirements?

A. Create a customer-managed prefix list. Add entries for the initial list of on-premises IPv4 hosts. Create a resource share in AWS Resource Access Manager. Add the managed prefix list to the resource share. Share the resource with the organization.

B. Create a customer-managed prefix list. Add entries for the initial list of on-premises IPv4 hosts. Use AWS Firewall Manager to share the managed prefix list with the organization.

C. Create a security group. Add inbound rule entries for the initial list of on-premises IPv4 hosts. Create a resource share in AWS Resource Access Manager. Add the security group to the resource share. Share the resource with the organization.

D. Create an Amazon DynamoDB table. Add entries for the initial list of on-premises IPv4 hosts. Create an AWS Lambda function that assumes a role in each AWS account in the organization to authorize inbound rules on security groups based on entries from the DynamoDB table.

Questions 10

An IoT company collects data from thousands of sensors that are deployed in the United States and South Asia. The sensors use a proprietary communication protocol that is built on UDP to send the data to a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group and run behind a Network Load Balancer (NLB). The instances, Auto Scaling group, and NLB are deployed in the us-west-2 Region. Occasionally, the data from the sensors in South Asia gets lost in transit over the internet and does not reach the EC2 instances. Which solutions will resolve this issue? (Choose two.)

A. Use AWS Global Accelerator with the existing NLB.

B. Create an Amazon CloudFront distribution. Specify the existing NLB as the origin.

C. Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 latency routing policy to resolve to the Region that provides the least latency.

D. Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 failover routing policy to resolve to an alternate Region in case packets are dropped.

E. Turn on enhanced networking on the EC2 instances by using the most recent Elastic Network Adapter (ENA) drivers.

Questions 11

A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

A. Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.

B. Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.

C. Turn on VPC Flow Logs on the EC2 instances. Specify the default format and a log destination of Amazon CloudWatch Logs. Analyze the flow log data by using CloudWatch Logs Insights.

D. Turn on VPC Flow Logs on the EC2 instances. Specify a custom format and a log destination of Amazon S3. Analyze the flow log data by using Amazon Athena.

Questions 12

A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates. The company is using HTTPS for encryption in transit. The company needs additional field-level encryption to keep sensitive data encrypted during processing so that only certain application components can decrypt the sensitive data. Which combination of steps will meet these requirements? (Choose two.)

A. Import the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.

B. Import the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.

C. Upload the private key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.

D. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption configuration, and specify the fields that contain sensitive information. Create a field-level encryption profile, and choose the newly created configuration. Link the profile to the appropriate cache behavior that is associated with sensitive GET requests.

E. Upload the public key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.

Questions 13

A network engineer is evaluating a network setup for a global retail company. The company has an AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has AWS resources in the eu-west-2 Region. These resources consist of multiple VPCs that are attached to a transit gateway. The company recently provisioned a few AWS resources in the eu-central-1 Region in a single VPC close to its users in this area. The network engineer must connect the resources in eu-central-1 with the on-premises data center and the resources in eu-west-2. The solution must minimize changes to the Direct Connect connection. What should the network engineer do to meet these requirements?

A. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a transit VIF to connect the VPC and the Direct Connect router.

B. Create a new transit gateway in eu-central-1. Create a peering attachment request to the transit gateway in eu-west-2. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway peering attachment. Accept the peering request. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.

C. Create a new transit gateway in eu-central-1. Use an AWS Site-to-Site VPN connection to peer both transit gateways. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway VPN attachment. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.

D. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a public VIF to connect the VPC and the Direct Connect router.

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking Specialty Exam
Last Update:
Questions: 189 Q&As