Question 1

A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back. What should the network engineer do to resolve the error?

Options :

A : Change the order of resource creation in the CloudFormation template.

B :

Add the DependsOn attribute to the resource declaration for the virtual private gateway. Specify the route table entry resource.

C : Add a wait condition in the template to wait for the creation of the virtual private gateway.

D :

Add the DependsOn attribute to the resource declaration for the route table entry. Specify the virtual private gateway resource.

Answer: D

Question 2

An ecommerce company is migrating its legacy web application to the AWS Cloud. Since the application is complex and may take several months to refactor, the CTO at the company tasked the development team to build an ad-hoc solution of using CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed. The ad-hoc solution has worked for several weeks, however, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from CloudFront". Network monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests. Which of the following will you attribute as the likely cause of the error and what is the solution to address this issue?

Options :

A :

he SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server

B :

The SSL certificate on the legacy web application server has expired. Install a new self-signed certificate along with the full certificate chain onto the legacy web application server

C :

The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server via the AWS Certificate Manager (ACM) in the us-east-1 Region

D :

The SSL certificate on the CloudFront distribution has expired. Reissue the SSL certificate on the CloudFront distribution via the AWS Certificate Manager (ACM) in the us-east-1 Region

Answer: A

Question 3

The networking team at an e-commerce company has created a VPC with CIDR 21.5.0.0/16 with only a private subnet and VPN connection to the on-premises data center using the AWS VPC wizard. The team wants to connect to the instance in a private subnet over SSH. How would you define the security rule for SSH?

Options :

A :

Allow Inbound traffic on port 80 and port 22 to allow the user to connect to a private subnet over the internet

B : Allow Inbound traffic on port 22 from the public subnet having a bastion host

C : Allow Inbound traffic on port 22 from the on-premises network

D : Allow Inbound traffic on port 80 and port 22 from the public subnet having a bastion host

Answer: C

Question 4

A company has developed a web service for language translation. The web service's application runs on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The instances run behind an Application Load Balancer (ALB) and are deployed in a private subnet. The web service can process requests that contain hundreds of megabytes of data. The company needs to give some customers the ability to access the web service. Each customer has its own AWS account. The company must make the web service accessible to approved customers without making the web service accessible to all customers. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)

Options :

A : Create VPC peering connections with the approved customers only.

B :

Create an AWS PrivateLink endpoint service. Configure the endpoint service to require acceptance that will be granted to approved customers only.

C :

Configure an authentication action for the endpoint service's load balancer to allow customers to log in by using their AWS credentials. Provide only approved customers with the URL.

D :

Configure a Network Load Balancer (NLB) and a listener with the ALB as a target. Associate the NLB with the endpoint service.

E : Associate the ALB with the endpoint service.

Answer: B,D

Question 5

A Network Engineer is designing a system on AWS that will leverage Amazon CloudFront for content caching and for protecting the underlying origin. The security team has flagged a concern of a probable attack on the origin server IP addresses, despite it being served by CloudFront. Suggest a solution that provides the strongest level of protection to the origin server?

Options :

A : Configure private access to content by using special CloudFront signed URLs or signed cookies

B :

Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header

C :

Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront

D :

Configure Origin Access Identity(OAI) on the origin server, which will only allow requests originating from CloudFront

Answer: B

Confidently Practice Online with Free ANS-C01 Exam Cram

Buying Options: