NotJustExam Interactive Question Bank | [Amazon] ANS-C01

Question 1

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?

A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
D. Create a target group. Add the EKS managed node group’s Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Correct Answer: A

Explanation:

Based on the question's requirements and the discussion summary, I agree with the suggested answer, which is option A.

Reasoning:
The primary requirement is to maintain end-to-end encryption between the client and the backend, using mutual TLS (mTLS) for two-way authentication. gRPC over TCP port 443 is being used. Given these constraints, an Application Load Balancer (ALB) is unsuitable because it decrypts traffic at the load balancer, violating the end-to-end encryption requirement.

A Network Load Balancer (NLB) with a TCP listener can forward traffic directly to the backend pods without decryption, thus preserving end-to-end encryption. By installing the AWS Load Balancer Controller for Kubernetes, the NLB can be dynamically configured to forward traffic to the appropriate backend pods based on Kubernetes service definitions. This setup supports the scaling requirements outlined in the question.

The implementation of mTLS typically involves the application itself handling the certificate exchange and validation; the NLB simply provides a transparent TCP connection.

Why other options are not correct:

Option B (ALB with HTTPS listener): An ALB with an HTTPS listener decrypts the traffic at the load balancer. This violates the requirement that traffic must not be decrypted between the client and the backend.
Option C (ALB with HTTPS listener and target group): Similar to option B, this option uses an ALB which decrypts traffic, violating the stated requirements.
Option D (NLB with TLS listener and target group): While NLB supports TLS listener, it will terminate TLS at NLB. The question mentioned "traffic must not be decrypted between the client and the backend", so it's not a correct choice.

AWS Load Balancer Controller: https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Network Load Balancer: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

Question 2

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?

A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.
C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.
D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.

Correct Answer: A

Explanation:

I agree with the suggested answer A.

Reasoning:
The question requires:

Highly available web server behind an Elastic Load Balancer.
Load balancer to route requests to multiple target groups based on the URL in the request.
All traffic must use HTTPS with TLS processing offloaded to the load balancer.
The web server must know the user’s IP address.

Option A uses an Application Load Balancer (ALB) with an HTTPS listener and path-based routing, which satisfies the requirements for URL-based routing and HTTPS with TLS offloading. The X-Forwarded-For header ensures the web server receives the user's IP address. This is the most appropriate solution.

Why other options are not suitable:

Option B: While it uses an ALB and host-based routing, the requirement specifically mentions routing based on the *URL* in the request, not the host.
Option C: A Network Load Balancer (NLB) operates at Layer 4 and does not support path-based routing (URL-based). While NLBs can preserve the client IP address, they don't meet the URL-based routing requirement. Also, based on the discussion content, it may not provide zonal isolation for HA.
Option D: Similar to option C, an NLB does not support path-based routing. Host-based routing isn't suitable when the requirement specifies URL-based routing.

Therefore, option A is the best solution as it directly addresses all stated requirements.

Citations:

Application Load Balancer features, https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html
X-Forwarded-For header, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

Question 3

A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.
Which solution will meet these requirements?

A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
C. Configure the ALB in a public subnet of the VPAttach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.

Correct Answer: A

Explanation:

I agree with the suggested answer A.
Reasoning: The question requires that the application be accessible only through the AWS Global Accelerator and not through direct internet connection to the ALB. To achieve this, the ALB needs to be in a private subnet to prevent direct internet access. The internet gateway is needed for the Global Accelerator to function, but no route to the internet gateway should be added to the subnet's route table to prevent direct internet access to the ALB.
The ALB's security group must be configured to allow inbound traffic from the internet on the ALB listener port, which is the HTTPS port (443). This allows traffic originating from the vending machines (via the internet) and routed through the Global Accelerator to reach the ALB.

The statement "Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway" might seem contradictory but is correct in this context. The Internet Gateway (IGW) needs to be attached to the VPC for the AWS Global Accelerator to route traffic. However, to ensure that the ALB is not directly accessible from the internet, the route table associated with the ALB's subnet should not have a route to the IGW. This forces all traffic to the ALB to go through the Global Accelerator.

Why other options are incorrect:

Option B: Missing the Internet Gateway. The AWS Global Accelerator needs to attach the Internet Gateway in the VPC.
Option C: The ALB should be placed in a private subnet to prevent direct access from the internet. In addition, the ALB's security group should allow inbound traffic from the accelerator's IP addresses on the ALB listener port, but not allow inbound traffic from the internet.
Option D: The ALB's security group should allow inbound traffic from the accelerator's IP addresses on the ALB listener port, not allow inbound traffic from the internet.

Suggested Answer: A

AWS Global Accelerator Endpoints, https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.html

Question 4

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?

A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPCreate VPC endpoints in each application VPC.
D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.

Correct Answer: C

Explanation:

I agree with the suggested answer C.
Reasoning: The question emphasizes granular security controls and scalability. AWS PrivateLink offers the most secure and scalable solution for connecting VPCs in this scenario. PrivateLink allows you to expose services in the central shared services VPC through VPC endpoint services. Application VPCs can then create VPC endpoints to securely access these services without traversing the public internet. This approach inherently provides granular security controls by limiting access to specific services and eliminating the need for open network routes.
PrivateLink offers several advantages:

Security: Traffic remains within the AWS network, avoiding exposure to the public internet.
Granular Access Control: Security groups and endpoint policies can be used to precisely control which resources and services are accessible through the endpoint.
Simplified Network Management: No need to manage overlapping IP addresses or complex routing configurations.
Scalability: PrivateLink is designed to scale as the number of business units and services grows.

Reasons for not choosing other options:

A: Transit Gateway with full mesh connectivity, While Transit Gateway can provide connectivity between VPCs, creating a full mesh between all VPCs is not the most secure approach. It increases the attack surface and makes it more difficult to implement granular security controls. Also, full mesh can be costly and complex to manage as the number of VPCs increases.
B: VPC Peering, VPC peering can be used to connect VPCs, but it becomes difficult to manage and scale as the number of VPCs increases. Each peering connection must be configured individually, creating a complex web of connections. VPC peering also does not provide the same level of granular security control as PrivateLink. Security groups can be used to control traffic between peered VPCs, but it is more difficult to restrict access to specific services.
D: Central transit VPC with VPN appliance, This approach introduces additional complexity and overhead. Managing a VPN appliance requires patching, maintenance, and monitoring. Also, VPN connections can be less performant than PrivateLink.

Citations:

AWS PrivateLink, https://aws.amazon.com/privatelink/

Question 5

A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?

A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.

Correct Answer: A

Explanation:

I agree with the suggested answer A.
Reasoning: The question requires identifying the business unit causing the throughput spike and resolving the saturation issue. Option A correctly addresses both requirements. First, it uses CloudWatch metrics to pinpoint the problematic VIF. Second, it suggests creating a new, higher-bandwidth connection (10 Gbps) and migrating traffic to it, which alleviates the saturation issue.
Here's a breakdown of why the other options are less suitable:

Option B: While identifying the problematic VIF is correct, upgrading the *existing* Direct Connect bandwidth is generally not possible. Direct Connect connections are provisioned at specific speeds, and increasing the capacity usually involves establishing a new connection at the desired bandwidth and migrating traffic. This makes Option B less feasible.
Option C and D: These options suggest reviewing `ConnectionBpsIngress` and `ConnectionPpsEgress`. These metrics provide information about the overall connection, not individual VIFs. Since the goal is to identify *which business unit's VIF* is causing the spike, these metrics are not granular enough. Also, Option C suggests a 5Gbps hosted connection, whereas the original setup is a 4Gbps dedicated connection, thus will not resolve the slowness issue.

Therefore, Option A is the most appropriate solution because it correctly identifies the source of the problem and provides a practical solution to address the Direct Connect saturation.

Key considerations supporting this recommendation:

CloudWatch Metrics: Using `VirtualInterfaceBpsEgress` and `VirtualInterfaceBpsIngress` is the correct approach to monitor bandwidth usage at the VIF level.
Direct Connect Scalability: Increasing Direct Connect capacity often involves provisioning a new connection, as noted in AWS documentation.

The analysis of CloudWatch metrics for individual VIFs is critical for identifying the source of the increased throughput, and creating a new, higher-bandwidth Direct Connect connection provides a scalable solution for resolving the saturation issue.

Based on AWS best practices and the specifics of the scenario, the recommended answer is A.

Citations:

AWS Direct Connect FAQs, https://aws.amazon.com/directconnect/faqs/
Monitoring Your Direct Connect Connection Using CloudWatch, https://docs.aws.amazon.com/directconnect/latest/UserGuide/monitoring_cloudwatch.html

Question 6

A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)

A. Deploy the SaaS service endpoint behind a Network Load Balancer.
B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
C. Deploy the SaaS service endpoint behind an Application Load Balancer.
D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.

Correct Answer: AB

Explanation:

I agree with the suggested answer, which is A and B.
Reasoning:

Option A: Deploying the SaaS service endpoint behind a Network Load Balancer (NLB) is crucial. NLBs provide static IP addresses and handle traffic at the transport layer (TCP, UDP), which is suitable for a wide range of applications. This setup enables the SaaS provider to present a stable and scalable endpoint for its services.
Option B: Configuring an endpoint service and granting customers permission to create connections to the endpoint service directly addresses the IP address overlap issue. This leverages AWS PrivateLink, which allows customers to privately access the SaaS service without exposing traffic to the internet or requiring IP address sharing. Customers can create VPC endpoints in their VPCs, which connect directly to the NLB in the provider's VPC.

Why other options are incorrect:

Option C: Deploying behind an Application Load Balancer (ALB) is not suitable for PrivateLink in this scenario. While ALBs support PrivateLink, NLB is generally preferred for this use case due to its ability to handle a broader range of traffic types and its static IP addresses, which simplify the endpoint service configuration.
Option D: VPC peering with NAT Gateways does not resolve the IP address overlap issue. NAT Gateways translate private IP addresses to public IP addresses, but the underlying issue of overlapping private IP ranges remains, causing routing conflicts. Moreover, customers specifically stated they do not want to share their internal IP addresses.
Option E: Using AWS Transit Gateway and sharing it with customers might seem like a viable solution, but it still potentially requires managing overlapping IP address ranges. While Transit Gateway simplifies network management, it does not inherently solve IP overlap problems, and the customers are unwilling to share their IP ranges.

In summary, the combination of an NLB and an endpoint service using PrivateLink provides a secure, scalable, and private connection between the SaaS provider and its customers without requiring them to expose or share their internal IP addresses, directly addressing the problem statement.

Citations:

AWS PrivateLink, https://aws.amazon.com/privatelink/
AWS Network Load Balancer, https://aws.amazon.com/elasticloadbalancing/network-load-balancer/
AWS Transit Gateway, https://aws.amazon.com/transit-gateway/

Question 7

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
B. Set up AWS WAF on all network components.
C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct Answer: DEF

Explanation:

I agree with the suggested answer of DEF. Here's a breakdown of why these options are correct and why the others are not:

D: Use AWS Direct Connect with MACsec support for connectivity to the cloud.
Reasoning: This option directly addresses the requirement to encrypt all data in transit between the on-premises environment and the AWS Cloud. MACsec (Media Access Control Security) provides point-to-point encryption at the data link layer, ensuring confidentiality and integrity of the data as it travels over the Direct Connect link.

E: Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
Reasoning: This option fulfills the requirement to inspect all traffic in the cloud before it leaves for the on-premises environment or the internet. Gateway Load Balancers (GWLB) allow you to easily insert third-party firewalls and other network appliances into your network traffic flow for deep packet inspection, intrusion detection/prevention, and other security functions.

F: Configure AWS Shield Advanced and ensure that it is configured on all public assets.
Reasoning: This option is crucial for protecting the workload components exposed to the internet against DDoS attacks and mitigating the financial liability associated with scaling out during such events. AWS Shield Advanced provides enhanced DDoS protection and includes DDoS cost protection, which can help reduce or eliminate unexpected charges due to scaling.

Why the other options are incorrect:

A: Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances. Traffic mirroring is useful for monitoring and analyzing network traffic, but it doesn't actively inspect or block malicious traffic inline. It's more of a passive observation tool.
B: Set up AWS WAF on all network components. AWS WAF (Web Application Firewall) primarily protects web applications from common web exploits. While WAF is important for securing web-facing components, it is typically associated with Application Load Balancers (ALBs) and API Gateways, and not all network components. It does not provide comprehensive network traffic inspection.
C: Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses. While a Lambda function could be used to update security group rules, this approach is not scalable or efficient for real-time DDoS mitigation. Security Groups have limitations on the number of rules and are not designed for dynamic, high-volume blocking of malicious IPs. AWS Shield Advanced provides much more sophisticated and automated DDoS protection.

Therefore, the combination of Direct Connect with MACsec, Gateway Load Balancers with firewalls, and AWS Shield Advanced provides a comprehensive solution for encrypting traffic, inspecting traffic, and protecting against DDoS attacks.

Citations:

AWS Direct Connect, https://aws.amazon.com/directconnect/
AWS Gateway Load Balancer, https://aws.amazon.com/gateway-load-balancer/
AWS Shield Advanced, https://aws.amazon.com/shield/

Question 8

A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Correct Answer: AD

Explanation:

I agree with the suggested answer of AD.

Reasoning:
The problem requires identifying the source of increased NAT gateway usage. VPC Flow Logs provide records of network traffic passing through the NAT gateway, including source and destination IP addresses, ports, and the number of bytes transferred. Analyzing these logs allows identifying the source of the increased traffic. Both CloudWatch Logs Insights and Athena are suitable tools for querying and analyzing VPC Flow Logs.

* **Option A:** Enabling VPC Flow Logs on the NAT gateway's elastic network interface and using CloudWatch Logs Insights is a valid approach. CloudWatch Logs Insights allows querying and analyzing log data in near real-time. * **Option D:** Enabling VPC Flow Logs on the NAT gateway's elastic network interface, publishing the logs to S3, and using Athena is also a valid approach. Athena allows querying data in S3 using SQL, which is suitable for analyzing large volumes of log data.

Reasons for not choosing other options:
* **Option B & E:** NAT Gateways do not have native access logs. * **Option C:** Traffic Mirroring is not a cost-effective or practical solution for analyzing NAT gateway traffic. It involves capturing and analyzing packets in real-time, which can be resource-intensive and complex to set up and manage. Analyzing VPC Flow Logs is a more efficient and scalable solution.

Citations:
VPC Flow Logs, https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
CloudWatch Logs Insights, https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html
Amazon Athena, https://aws.amazon.com/athena/

Question 9

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?

A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C. Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Correct Answer: C

Explanation:

I agree with the suggested answer C.

Reasoning: The scenario requires enabling IPv6 connectivity for instances in a private subnet, ensuring that the company's servers initiate all IPv6 traffic and preventing IPv6 traffic from the public internet. An egress-only internet gateway is designed precisely for this purpose. It allows instances in the private subnet to initiate outbound IPv6 connections to the internet, while preventing the internet from initiating IPv6 connections to the instances.

The key features of an egress-only internet gateway that make it suitable for this scenario are:

It is for IPv6 traffic only.
It allows outbound connections but blocks inbound connections.
It is a managed service, reducing the operational overhead.

By adding a route to the subnet's route table pointing IPv6 traffic (::/0) to the egress-only internet gateway, instances in the subnet can initiate outbound IPv6 connections.

Reasons for not choosing other options:

A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway. NAT Gateways do not support IPv6. They are designed for IPv4 to IPv4 NAT. This option does not fulfill the IPv6 requirement.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance. NAT instances, while capable of providing NAT functionality, are not the recommended solution for IPv6. Also, this option requires managing the NAT instance, and does not scale. Furthermore, like NAT Gateways, NAT instances are typically IPv4 solutions.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway. Egress-only internet gateways do not associate with security groups. Security groups are applied to instances, not gateways.

In summary, option C correctly implements an egress-only internet gateway with proper routing to allow outbound IPv6 connectivity from private subnets while blocking inbound connections. This aligns perfectly with the requirements in the question.

Title: Egress-only internet gateways, https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html

Question 10

A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?

A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

Correct Answer: B

Explanation:

I agree with the suggested answer B.
Reasoning:
The question emphasizes delivering Network Firewall flow logs to Amazon OpenSearch Service (Amazon Elasticsearch Service) in the shortest possible time. Amazon Kinesis Data Firehose is designed for near real-time streaming data delivery to destinations like Amazon OpenSearch Service. Network Firewall natively supports Kinesis Data Firehose as a logging destination, which simplifies the configuration and reduces latency. The delivery time for logs to Kinesis Data Firehose is 3-6 minutes on average, which fulfills the requirement of delivering logs in the shortest possible time.

Reasons for not choosing other options:

Option A: Using S3, Lambda, and SNS introduces additional steps and latency. Logs are first delivered to S3, then the SNS notification triggers the Lambda function, which then loads logs into OpenSearch. This adds overhead and increases the overall delivery time.
Option C: Directly configuring flow logs to send to OpenSearch is not a supported configuration. Network Firewall needs an intermediary service to deliver logs to OpenSearch.
Option D: Kinesis Data Streams is designed for custom processing of streaming data. While it can be used to deliver logs to OpenSearch, it typically requires more configuration and processing logic compared to Kinesis Data Firehose, which is purpose-built for this type of delivery. Also, Kinesis Data Streams does not directly integrate with OpenSearch; you would likely still need a Lambda function or other processing layer, increasing complexity and latency.

Therefore, Kinesis Data Firehose provides the most direct and efficient method for delivering Network Firewall flow logs to OpenSearch in the shortest possible time.

Citations:
AWS Network Firewall Logging, https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging.html
Amazon Kinesis Data Firehose, https://aws.amazon.com/kinesis/data-firehose/

[Amazon] ANS-C01 - Advanced Networking Specialty Exam Dumps & Study Guide

Free [Amazon] ANS-C01 - Advanced Networking Specialty Practice Questions Preview

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10