Free AWS-Certified-Advanced-Networking-Specialty Exam Braindumps

Pass your Amazon AWS Certified Advanced Networking - Specialty exam with these free Questions and Answers

Page 5 of 20
QUESTION 16

An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication.
Which of the following options meets the organization's requirements?

  1. A. Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.
  2. B. Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.
  3. C. Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.
  4. D. Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.

Correct Answer: B

QUESTION 17

A company uses multiple AWS accounts within AWS Organizations and has services deployed in a single AWS Region. The instances in a private subnet occasionally download patches from the internet through a NAT gateway. The company recently migrated from VPC peering to AWS Transit Gateway. The cumulative traffic through deployed NAT gateways is less than 1 Gbps. The NAT gateway hourly charge contributes to most of the NAT gateway costs across all linked accounts.
What should the company do to reduce NAT gateway hourly costs?

  1. A. Deploy and use NAT gateways in the same Availability Zone as the heavy-traffic resources.
  2. B. Move to a centralized NAT gateway architecture with NAT gateways deployed in an egress VPC. Use VPC peering to send traffic through the centralized NAT gateways.
  3. C. Use VPC endpoints to send traffic to AWS services in the same Region.
  4. D. Move to a centralized NAT gateway architecture with NAT gateways deployed in an egress VPC. Use AWS Transit Gateway to send traffic through the centralized NAT gateways.

Correct Answer: B

QUESTION 18

A logistics company has deployed a hybrid environment that has multiple VPCs in both the us-east-1 Region and the af-south-1 Region. The on-premises data center is connected to us-east-1 through an AWS Direct Connect connection. The Direct Connect connection is connected to a Direct Connect gateway that is associated with a transit gateway. The transit gateway is attached to all the VPCs in us-east-1.
An application that is deployed in af-south-1 requires access to a database in the data center. The application also requires access to file storage in a VPC in us-east-1.
Which solution will meet these requirements with the LOWEST latency?

  1. A. Create a transit gateway in af-south-1, and attach the VPCs. Create a transit gateway peering connection between the transit gateways.
  2. B. Create a Direct Connect connection in af-south-1, and attach the VPCs with a Direct Connect gateway and a transit gateway. Create an AWS Site-to-Site VPN connection over the internet between the Direct Connect connections.
  3. C. Create a transit gateway in af-south-1 and attach the VPCs. Associate the transit gateway in af-south-1 with the Direct Connect gateway in us-east-1.
  4. D. Create inter-Region VPC peering connections between the VPCs in each Region. Use the transit gateway attachments in us-east-1 to access the database in the data center.

Correct Answer: A

QUESTION 19

An organization's Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.
What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

  1. A. Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.
  2. B. Provision a private virtual interface for each VPC connection.
  3. C. Enable VPC Flow Logs for each VPC.
  4. D. Use AWS KMS to encrypt traffic between on-premises and AWS.
  5. E. Provision a VPN connection to each VPC over the internet.

Correct Answer: AC

QUESTION 20

A company has established an AWS Direct Connect connection between its customer gateway at its on-premises data center and a virtual private gateway in the AWS Cloud. The BGP routing protocol configuration includes the Autonomous System Number (ASN) of 7224 on the AWS end of the connection and the BGP ASN of 65004 on the company end of the connection.
The company's IT administrators report that servers that run at the on-premises data center are not able to communicate with the company's web application that runs on a fleet of Amazon EC2 instances. A network engineer performs initial troubleshooting. The network engineer finds that the private VIF is operational and that there is a fully established BGP peering session. However, the company still cannot route traffic over the private VIF.
Which of the following is a possible cause of this connectivity issue?

  1. A. Firewall or ACL rules are blocking TCP port 179 or are blocking high-numbered ephemeral TCP ports.
  2. B. The provider is advertising 50 prefixes for private VIFs.
  3. C. VPC route tables are lacking prefixes that point to the virtual private gateway to which the private VIF is connected.
  4. D. Peer IP addresses for both sides of the BGP peering session are not configured correctly.

Correct Answer: A
