Question 1

A company wants to implement a distributed architecture on AWS that uses a Gateway Load Balancer (GWLB) and GWLB endpoints. The company has chosen a hub-and-spoke model. The model includes a GWLB and virtual appliances that are deployed into a centralized appliance VPC and GWLB endpoints. The model also includes internet gateways that are configured in spoke VPCs. Which sequence of traffic flow to the internet from the spoke VPC is correct?

Options :

A : 1.An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.

2. Traffic is delivered securely and privately to the GWLB.

3. The GWLB sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

B : 1. An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.

2. Traffic is delivered securely and privately to the GWLB endpoint.

3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

C :

1. An application in a spoke VPC sends traffic to the GWLB endpoint.

2. Traffic is delivered securely and privately to the GWLB.

3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

D : 1. An application in a spoke VPC sends traffic to the GWLB.

2. Traffic is delivered securely and privately to the GWLB endpoint.

3. The GWLB sends the traffic to a virtual appliance for inspection.

4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

Answer: A

Question 2

A company wants to analyze TCP internet traffic. The traffic originates from Amazon EC2 instances in the companys VPC. The EC2 instances initiate connections through a NAT gateway. The company wants to capture data about the traffic including source and destination IP addresses ports, and the first 8 bytes of the TCP segments of the traffic. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

Options :

A :

Configure the EC2 instances to be VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights

B :

Configure the NAT gateway to be a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon S3 bucket. Analyze the data by using Amazon Athena.

C :

Turn on VPC Flow Logs for the EC2 instances. Specify the default format and set Amazon CloudWatch Logs as the log destination. Analyze the flow log data by using CloudWatch Logs Insights.

D :

Turn on VPC Flow Logs for the EC2 instances. Specify a custom format and set Amazon S3 as the log destination. Analyze the flow log data by using Amazon Athena.

Answer: A

Question 3

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?

Options :

A : Change the ALB security policy to a policy that supports TLS 1.2 protocol only

B : Use AWS Key Management Service (AWS KMS) to encrypt session keys

C :

Associate an AWS WAF web ACL with the ALBs. and create a security rule to enforce forward secrecy (FS)

D : Change the ALB security policy to a policy that supports forward secrecy (FS)

Answer: D

Question 4

Consider a scenario where an EC2 instance in a private subnet reaches out to the internet via a NAT gateway in a public subnet. The EC2 instance sends a 1 GB file to one of the Amazon Simple Storage Service (Amazon S3) buckets via the NAT gateway. The EC2 instance, NAT gateway, and S3 Bucket are in the same AWS region. The NAT gateway and EC2 instance are in the same Availability Zone. Which costs should be included when the total cost of this file transfer is calculated?

Options :

A :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

B :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway

C :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + The data transfer charges for 1 GB data between the NAT gateway and the EC2 instance

D :

NAT Gateway Hourly Charge + NAT Gateway data processing charge for 1 GB of data transfer through the Gateway + standard EC2 data transfer charge for 1 GB of data sent to S3 bucket

Answer: B

Question 5

An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed. What connection option should the organization use to get up and running at minimal cost?

Options :

A : Use an internet connection.

B : Set up an AWS VPN connection.

C : Provision an AWS Direct Connection private virtual interface.

D : Provision a Direct Connect public virtual interface.

Answer: A

Confidently Practice Online with Free ANS-C01 Exam Cram

Buying Options: