AWS Certification

Amazon Practice Questions, Discussions & Exam Topics by our Authors

A network engineer is working on a private DNS design to integrate AWS workloads and on-premises resources. The AWS deployment consists of five VPCs in the eu-west-1 Region that connect to the on-premises network over AWS Direct Connect. The VPCs communicate with each other by using a transit gateway. Each VPC is associated with a private hosted zone that uses the aws.example.internal domain. The network engineer creates an Amazon Route 53 Resolver outbound endpoint in a shared services VPC and attaches the shared services VPC to the transit gateway. The network engineer is implementing a solution for D...

In this scenario, the network engineer needs to implement a solution that resolves DNS queries for AWS-hosted workloads using private hosted zones and forwards all other DNS queries to an on-premises DNS resolver. Let's evaluate the options in detail:

A) Add a forwarding rule for “.” that targets the on-premises DNS server's IP address. Add a system rule for aws.example.internal that targets Route 53 Resolver.
- Explanation:
  - The rule for “.” would forward all queries to the on-premises DNS resolver, which would handle any DNS queries that do not match the `aws.example.internal` domain.
  - The system rule for `aws.example.internal` would ensure that queries for the AWS workloads are resolved using the private hosted zone in Route 53.
- Accepted reasoning: This option ensures that DNS queries for `aws.example.internal` are resolved by the Route 53 Resolver, while all other queries are forwarded to the on-premises DNS server.
- Why it's correct: This solution meets the requirement to use the private hosted zone for `aws.example.internal` and forward all other queries to the on-premises DNS resolver.

B) Add a forwarding rule for aws.example.internal that targets Route 53 Resolver. Add a system rule for “.” that targets the Route 53 Resolver outbound endpoint.
- Explanation:
  - The forwarding rule for `aws.example.internal` would direct these queries to Route 53 Resolver, which is appropriate for AWS-related DNS queries.
  - The system rule for “.” targets the Route 53 Resolver outbound endpoint, meaning it would forward all root domain queries (including any queries that don't match the private hosted zone for `aws.example.internal`) to the Route 53 Resolver.
- Rejection reason: This approach is incorrect because the system rule for “.” targets all DNS queries, including `aw...

Author: Olivia Johnson · Last updated May 16, 2026

A global film production company uses the AWS Cloud to encode and store its video content before distribution. The company's three global offices are connected to the us-east-1 Region through AWS Site-to-Site VPN links that terminate on a transit gateway with BGP routing activated. The company recently started to produce content at a higher resolution to support 8K streaming. The size of the content files has increased to three times the size of the content files from the previous ...

To reduce the upload times for large video files from the global offices to Amazon EC2 instances, it's essential to address factors such as bandwidth, latency, and network efficiency. Let's analyze the options based on these criteria:

A) Create a second VPN tunnel from each office location to the transit gateway. Activate equal-cost multi-path (ECMP) routing.
- Explanation: Adding a second VPN tunnel from each office and enabling ECMP routing would effectively distribute the traffic load between two separate tunnels, increasing overall bandwidth and improving the upload speed. With ECMP, traffic can be load-balanced across multiple paths, which can help optimize the network for large file transfers.
- Why it's selected: This option improves network capacity and redundancy, which could significantly reduce the upload times by utilizing multiple VPN paths. This approach directly addresses the issue of slow uploads by enhancing throughput.

B) Modify the transit gateway to activate Jumbo MTU on the VPN tunnels to each office location.
- Explanation: Jumbo MTU allows for larger packet sizes (up to 9001 bytes, compared to the default 1500 bytes). This can reduce the number of packets that need to be sent over the network, thereby improving efficiency and reducing the overhead of packet fragmentation. Larger MTU sizes can optimize the transfer of large files, such as video content.
- Why it's selected: Enabling Jumbo MTU could improve the performance of file transfers, especially for large files like video content, by reducing overhead and improving efficiency.

C) Replace the existing VPN tunnels with new tunnels that have acceleration activated.
- Explanation: AWS Site-to-Site VPN supports AWS VPN acceleration, which helps improve the performance of VPN connections, particularly for high-throughput applications. VPN acceleration uses a combination of AWS hardware and software optimizations to enhance throughput, reduce latency, and speed up data transfers.
- Why it's rejected: While VPN acceleration can help with th...

Author: Aarav2020 · Last updated May 16, 2026

An application team for a startup company is deploying a new multi-tier application into the AWS Cloud. The application will be hosted on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind a publicly accessible Network Load Balancer (NLB). The application requires the clients to work with UDP traffic and TCP traffic. In the near term, the application will serve only users within the same geographic location. The application team plans to extend the application to a global audience and will move the deployment to multiple AWS Regions around the world to bring the application closer to the end users. The application team wants to use the new Regions to deploy new versions of the application and wants to be ...

In this scenario, the application team needs to deploy a multi-tier application across multiple AWS Regions and manage traffic distribution during rollouts. The team also wants to minimize latency and jitter and ensure precise traffic control. Let's break down each option based on the requirements:

A) Create an Amazon CloudFront distribution to align to each Regional deployment. Set the NLB for each Region as the origin for each CloudFront distribution. Use an Amazon Route 53 weighted routing policy to control traffic to the newer Regional deployments.
- Pros:
  - CloudFront can help with global content delivery by caching content at edge locations, reducing latency for users.
  - Route 53 weighted routing gives the ability to control the amount of traffic going to each Region during rollouts.
- Cons:
  - CloudFront is designed primarily for HTTP/HTTPS traffic, which may not be optimal for handling UDP traffic (a requirement for this application). While CloudFront can handle TCP traffic, it doesn't natively support UDP traffic.
  - Managing traffic across multiple Regions could be more complex, since CloudFront is best suited for static content rather than dynamic application traffic in this specific use case.
- Rejected: Not ideal due to CloudFront's lack of native UDP support and the complexity of routing for dynamic application traffic.

B) Create an AWS Global Accelerator accelerator and listeners for the required ports. Configure endpoint groups for each Region. Configure a traffic dial for the endpoint groups to control traffic to the newer Regional deployments. Register the NLBs with the endpoint groups.
- Pros:
  - Global Accelerator is optimized for both TCP and UDP traffic, which is a requirement for this application.
  - Provides low-latency routing based on global health and geography.
  - Traffic dials offer precise control over traffic distribution to newer Regional deployments.
  - Can handle both UDP and TCP protocols, ensuring minimal jitter and latency.
  - Directly integrates with NLBs, making it well-suited for managing EC2 instances and their Auto Scaling groups.
- Cons:
  - Global Accelerator introduces additional cost for using its service, but this is justified given its low-latency routing capabilities and support for both TCP and UDP.
- Selected option: This option is well-suited to the application's needs because it suppo...

Author: RadiantJaguar56 · Last updated May 16, 2026

A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group. The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the managem...

Understanding the Requirements:
- Web application: Stateless, running in an Auto Scaling group behind an Application Load Balancer (ALB) in private subnets.
- Management application: Stateful, running in a separate Auto Scaling group behind the same ALB but accessed by appending `/management` to the same URL.
- Access restriction: Only on-premises IP addresses should have access to the management application.
- SSL/TLS: AWS Certificate Manager (ACM) will be used to protect the web application.

Breakdown of the Options:

A) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
- Explanation:
  - This option inserts a rule into the ALB HTTPS listener, which matches requests with the `/management` path pattern.
  - It adds a source IP condition to restrict access to the management application to the on-premises IP address space.
  - Stickiness is enabled for the management application target group, ensuring that a user's requests are routed to the same EC2 instance for the duration of their session.
- Why selected: This solution meets the key requirements: routing based on both path prefix and source IP, and restricting access to the management application to on-premises IPs. The path `/management` will match the management application, and the source IP restriction ensures that only on-premises clients can access it.
- Selected: This option addresses the required functionality correctly.

B) Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
- Explanation:
  - Modifying the default rule changes how the ALB handles requests that do not match `/management`, which is unnecessary in this case. You want requests with the `/management` path to go to the management application.
  - This rule forwards requests without the `/management` prefix to the management application, which is incorrect and could lead to unintended routing of non-management traffic to the management target group.
  - Stickiness is enabled, but the routing behavior is flawed because the condition for `/management` is not applied correctly.
- Rejected: The routing logic here is incorrect and doesn't match the required conditions for the `/management` path prefix. ...

Author: Ming88 · Last updated May 16, 2026

A company deploys a software solution on Amazon EC2 instances that are in a cluster placement group. The solution's UI is a single HTML page. The HTML file size is 1,024 bytes. The software processes files that exceed 1,024 MB in size. The software shares files over the network to clients upon request. The files are shared with the Don't Fragment flag set. Elastic network interfaces of the EC2 instances are set up with jumbo frames. The UI is always accessible from all allowed source IP addresses, regardless of whether the source IP addresses are within a VPC, on the in...

Understanding the Problem:
- The software solution is deployed on Amazon EC2 instances in a cluster placement group, which ensures high network performance between instances.
- The solution's UI is a small HTML file (1,024 bytes), while the software processes large files (over 1,024 MB) that need to be transferred over the network to clients.
- The Don't Fragment flag is set, which means that the packets must not be fragmented, requiring the entire packet to fit within the maximum transmission unit (MTU) for the network.
- Jumbo frames are enabled on the EC2 instances, meaning the MTU is likely set to 9001 bytes.
- The clients sometimes do not receive files because the files fail to travel successfully from the EC2 instances to the clients.

Key Points:
- Don't Fragment flag: If the network path has a lower MTU than the file size, or if jumbo frames are not properly supported along the entire path, packets will be dropped due to the flag.
- Jumbo frames: These require all network devices along the path to support them. If any part of the network path does not support jumbo frames, the transfer will fail.

Analyzing the Options:

A) The source IP addresses are from on-premises hosts that are routed over AWS Direct Connect.
- Explanation:
  - AWS Direct Connect supports jumbo frames, but it is possible that the on-premises network devices or the connection from on-premises to AWS may not support jumbo frames.
  - If there is an MTU mismatch between the EC2 instances (configured with jumbo frames) and the on-premises network (not supporting jumbo frames), the packets will fail to transmit successfully because the Don't Fragment flag will prevent packet fragmentation.
- Why selected: This option is a potential root cause if the on-premises network does not support jumbo frames or the MTU is mismatched between AWS and on-premises devices.

B) The source IP addresses are from on-premises hosts that are routed over AWS Site-to-Site VPN.
- Explanation:
  - AWS Site-to-Site VPN does not inherently support jumbo frames. If the VPN tunnel is used, the MTU is typically 1,500 bytes, which is the standard for IP traffic. If jumbo frames are used on the EC2 instances (with an MTU of 9001 bytes), the packets would need to be fragmented, but the Don't Fragment flag prevents this.
  - This mismatch in MTU between the EC2 insta...

Author: RadiantJaguar56 · Last updated May 16, 2026

A company has users who work from home. The company wants to move these users to Amazon WorkSpaces for additional security visibility. The company has deployed WorkSpaces in its own AWS account in VPC A. A network engineer decides to provide the security visibility by using two firewall appliances behind a Gateway Load Balancer (GWLB). The network engineer provisions another VPC, VPC B, in a separate ...

Solution Breakdown: The company is deploying Amazon WorkSpaces in VPC A and wants to route traffic through firewall appliances deployed in VPC B (in a separate AWS account). The firewall appliances are set up behind a Gateway Load Balancer (GWLB), and the goal is to configure secure and proper network connectivity to route traffic from the WorkSpaces in VPC A through the firewall appliances in VPC B.

Key considerations for this solution:
1. VPC A (WorkSpaces) needs to send its traffic through VPC B (firewall appliances).
2. The GWLB should be set up in VPC B to manage traffic through the firewall appliances.
3. The connection between VPC A and VPC B should be configured using VPC endpoints and appropriate routing.
4. The security configuration should ensure that only WorkSpaces from the WorkSpaces account can route traffic through the firewall appliances.

Detailed Option Analysis:

A) Create a GWLB in VPC A with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
- Explanation:
  - This option proposes creating a GWLB in VPC A with the firewall appliances as targets.
  - The GWLB should be in VPC B (where the firewall appliances reside), not VPC A.
  - The routing should direct WorkSpaces' traffic through the firewall appliances in VPC B, not through a GWLB in VPC A.
- Why rejected: The GWLB should be in VPC B, not VPC A, since the firewall appliances reside in VPC B. Routing through a GWLB in VPC A would not route traffic correctly.

B) Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint.
- Explanation:
  - This option correctly places the GWLB in VPC B, where the firewall appliances are deployed.
  - It involves creating a VPC endpoint in the WorkSpaces account and adding the correct routing in VPC A to route traffic to the GWLB endpoint.
- Why selected: This is a valid solution. It ensures t...

Author: Amira · Last updated May 16, 2026

A company plans to run a computationally intensive data processing application on AWS. The data is highly sensitive. The VPC must have no direct internet access, and the company has applied strict network security to control access. Data scientists will transfer data from the company's on-premises data center to the instances by using an AWS Site-to-Site VPN connection. The on-premises data center uses the network range 172.31.0.0/20 and will use the network range 172.31.16.0/20 in the application VPC. The data scientists report that they can start new instances of the application but that they cannot transfer any data from the on-premises data center. A network engineer enables VPC flow...

Understanding the Problem:
- The company is running a computationally intensive data processing application in AWS, and the VPC must have no direct internet access.
- The data is highly sensitive, and strict network security is in place to control access.
- Data scientists are unable to transfer data from the on-premises data center to the AWS instances over a Site-to-Site VPN connection.
- The on-premises data center has the network range `172.31.0.0/20`, and the application VPC uses `172.31.16.0/20`.

The flow logs show that the data scientists can start new instances of the application but cannot transfer data. This implies there might be a misconfiguration in the network security settings (security groups, network ACLs) blocking the inbound or outbound traffic between the on-premises data center and the VPC.

Key Factors to Consider:
- VPC Flow Logs indicate some traffic is being blocked, so the issue likely resides in security configurations like security groups or network ACLs.
- The issue seems to be related to traffic flow between the on-premises network and the VPC, either inbound or outbound.
- Network ACLs control both inbound and outbound traffic, while Security Groups are stateful and only control the traffic flowing in/out of specific EC2 instances.

Analyzing the Options:

A) Modify the security group for the application. Add an inbound rule to allow traffic from the on-premises data center network range to the application.
- Explanation:
  - Security groups are stateful, meaning that if inbound traffic is allowed, the response traffic is automatically allowed as well.
  - If the on-premises data center is trying to send data to the application instances, inbound traffic must be allowed by the security group for the instances.
- Why selected: This is a valid option since the data is being transferred from the on-premises data center to the AWS instances, which requires allowing inbound traffic from the on-premises range to the application instances.

B) Modify the network ACLs for the VPC subnet. Add an inbound rule to allow traffic from the on-premises data center network range to the VPC subnet range. -...

Author: NebulaEagle11 · Last updated May 16, 2026

A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS. The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet...

Let's analyze the key requirements and constraints of the problem to determine the best solution:
1. Temporary scaling: The company wants to deploy EC2 instances temporarily, so flexibility in scaling is essential.
2. Connectivity to on-premises servers: The EC2 instances need to share data with existing on-premises servers, meaning there must be a secure network connection between the AWS VPC and the on-premises data center.
3. No direct internet access: The EC2 instances must not be accessible from the internet, meaning the instances should reside in private subnets.
4. Routing through the on-premises firewall: All internet traffic from the EC2 instances should route through the on-premises data center firewall, meaning the EC2 instances should have no direct access to the internet.
5. Access to third-party web applications: The EC2 instances need to access external services, such as third-party web applications.

Option Analysis:
- Option A:
  - The VPC contains both public and private subnets.
  - The AWS Site-to-Site VPN connects the VPC to the on-premises data center.
  - EC2 instances are deployed in private subnets, ensuring they aren't directly accessible from the internet.
  - A NAT gateway in the public subnet provides a route for instances in the private subnet to access the internet, but not directly, ensuring traffic routes through the on-premises firewall.
  - Routes are configured for both the internet and on-premises data center subnets.
  - Selection rationale: This option allows the EC2 instances to access the internet through the on-premises firewall (via the NAT gateway) while also maintaining secure connectivity to the on-premises servers. The EC2 instances are not exposed to the internet.
- Option B:
  - The VPC contains only private subnets.
  - The AWS Site-to-Site VPN connects the VPC to the on-premises data center.
  - EC2 instances are deployed in private subnets.
  - Routing is configured to route traffic through the virtual private gateway to th...

Author: Vivaan · Last updated May 16, 2026

A company is deploying a web application into two AWS Regions. The company has one VPC in each Region. Each VPC has three Amazon EC2 instances as web servers behind an Application Load Balancer (ALB). The company already has configured an Amazon Route 53 public hosted zone for example.com. Users will access the application by using the fully qualified domain name (FQDN) of app.example.com. The company needs a DNS solution that allows global users to access the application. The solution must route the users' requests to the Region that pr...

To determine the best solution, let's break down the key requirements of the problem:

Requirements:
1. Global access to the web application: Users from any location should be able to access the web application in the closest AWS Region to them.
2. Lowest response time: The solution must route traffic to the Region that provides the lowest response time, which suggests a latency-based routing policy.
3. Failover capability: If the primary Region is unavailable, the solution must fail over to the next-best Region.

Option Analysis:
- Option A:
  - Geolocation routing: This option uses a geolocation routing policy, which routes traffic based on the location of the user. However, this method is not based on latency and would route users by geographic region, not by the fastest response time.
  - Health checks: It also includes a health check monitoring the ALBs by IP address.
  - Rejection rationale: While geolocation routing could route users to a specific Region, it does not address the requirement for routing traffic to the Region with the lowest response time. Additionally, the failover strategy is not guaranteed in a geolocation-based routing solution.
- Option B:
  - Geolocation routing with health checks: Similar to Option A, this option uses a geolocation routing policy but also includes a health check for each ALB by IP address.
  - Rejection rationale: Again, this uses geolocation routing, which routes traffic based on the user's location rather than response time. The failover logic is not latency-based, and thus it does not meet the requirement of routing traffic to the Region with the lowest response time.
- Option C:
  - Latency-based routing: This option uses latency-based routing, which routes traffic to the Region with the lowest response time. It also includes a health check that monitors TCP port 80 of each ALB by IP address. ...

Author: Benjamin · Last updated May 16, 2026

A consulting company manages AWS accounts for its customers. One of the company's customers needs to add intrusion prevention for its environment without having to re-architect the environment. The customer's environment includes five VPCs in two AWS Regions in the United States. VPC-to-VPC connectivity is achieved through VPC peering. The customer does not pla...

Let's break down the requirements and the options to determine the best solution:

Requirements:
1. Intrusion prevention: The solution must provide intrusion prevention to enhance the security of the customer's environment.
2. No re-architecture: The solution must be implemented without needing to change the architecture of the customer's environment.
3. Multiple VPCs in multiple AWS Regions: There are five VPCs in two Regions with VPC-to-VPC peering.
4. Unencrypted traffic: The solution must support unencrypted traffic.
5. Future VPC expansion: The customer does not plan to increase the number of VPCs in the next two years.

Option Analysis:
- Option A: Configure VPC security groups and network ACLs.
  - VPC security groups and network ACLs are standard mechanisms to control traffic between instances and subnets within a VPC. They provide basic traffic filtering and protection.
  - Rejection rationale: While security groups and network ACLs help control traffic, they do not offer dedicated intrusion prevention capabilities, such as detecting and blocking malicious traffic. These tools alone would not meet the customer's requirement for intrusion prevention.
- Option B: Use an AWS Network Firewall centralized deployment model in each VPC.
  - AWS Network Firewall is a managed service designed for network traffic filtering, providing intrusion prevention and detection features, such as deep packet inspection, filtering, and blocking of malicious traffic.
  - A centralized deployment model refers to deploying a single instance of the firewall in a central VPC to manage all traffic between other VPCs, possibly using VPC peering or transit gateways.
  - Rejection rationale: The centralized deployment model could be challenging for the customer since they have VPC peering in place. For the centralized model to work, routing and VPC configurations might need to be reworked, which would involve re-architecting the environment. The solution needs to avoid this.
- Option C: Use...

Author: Jack · Last updated May 16, 2026

A company hosts its IT infrastructure in an on-premises data center. The company wants to migrate the infrastructure to the AWS Cloud in phases. A network engineer wants to set up a 10 Gbps AWS Direct Connect dedicated connection between the on-premises data center and VPCs. The company's network provider needs 3 months to provision the Direct Connect connection. In the meantime, the network engineer implements a temporary solution by deploying an AWS Site-to-Site VPN connection that terminates to a virtual private gateway. The network engineer observes that the ban...

Problem Overview:
- The company is migrating infrastructure to AWS and has set up a temporary AWS Site-to-Site VPN connection to the VPC while waiting for the Direct Connect connection to be provisioned.
- The VPN bandwidth is capped at 1.25 Gbps, even though the customer gateway device should be capable of more. The network engineer needs to increase the VPN bandwidth to meet business needs before Direct Connect is available.

Key Factors:
- Bandwidth limitation: The VPN connection is limited to 1.25 Gbps. This is likely due to AWS's default limit or the limitations of the Site-to-Site VPN connection itself.
- Temporary solution: The Direct Connect connection will be implemented later, so the focus is on improving the existing VPN connection in the meantime.
- Multiple VPN connections: AWS supports creating multiple VPN connections to improve bandwidth, but the solution must be easy to implement and efficient.

Option Analysis:

Option A: Contact AWS Support to request a bandwidth quota increase for the existing Site-to-Site VPN connection.
- Explanation: AWS typically sets default bandwidth limits for Site-to-Site VPN connections, and it's possible to request an increase in the limit by contacting AWS Support.
- Rejection rationale: The bandwidth limitation is usually due to the VPN tunnel's configuration, and it's unlikely that AWS Support can increase the VPN connection bandwidth beyond the set maximum (1.25 Gbps per tunnel). Therefore, this is not the most effective solution.

Option B: Discuss the issue with the hardware vendor. Buy a bigger and more powerful customer gateway device that has faster encryption and decryption capabilities.
- Explanation: Upgrading the customer gateway device could improve performance if the current device is the bottleneck.
- Rejection rationale: While upgrading the customer gateway device may improve encryption/decryption performance, it does not directly address the underlying AWS VPN limitations. AWS's VPN service itself may have inherent throughput caps, so this approach is unlikely to resolve the issue.

Option C: Create several additional Site-to-Site VPN connections that terminate on the same virtual gateway. Configure equal-cost multi-path (ECMP) ro...

Author: Aarav · Last updated May 16, 2026

A company has business operations in the United States and in Europe. The company's public applications are running on AWS and use three transit gateways. The transit gateways are located in the us-west-2, us-east-1, and eu-central-1 Regions. All the transit gateways are connected to each other in a full mesh configuration. The company accidentally removes the route to the eu-central-1 VPCs from the us-west-2 transit gateway route table. The company also a...

Problem Overview:
- The company is using AWS Transit Gateways in multiple regions: us-west-2, us-east-1, and eu-central-1, with a full mesh configuration between the transit gateways.
- Route removal: Routes to the VPCs in eu-central-1 were removed from the us-west-2 transit gateway route table, and routes to the VPCs in us-west-2 were removed from the eu-central-1 transit gateway route table.
- The goal is to identify the misconfiguration with the least operational overhead.

Key Considerations:
1. Operational Overhead: The solution should minimize manual intervention and provide an automated or easily actionable way to pinpoint the issue.
2. Network Troubleshooting: The misconfiguration is related to route tables, so tools that help track network traffic or analyze route mappings are ideal.
3. Ease of Use: The chosen option should help identify missing routes without requiring in-depth manual packet capture or flow analysis.

Option Analysis:

Option A: Use the Route Analyzer feature for AWS Transit Gateway Network Manager.
- Explanation: AWS Transit Gateway Network Manager includes a Route Analyzer feature that helps identify and visualize issues in the transit gateway route tables. This tool can be used to examine and troubleshoot connectivity problems across multiple regions and transit gateways.
- Selection rationale: This is the most effective solution for the issue. The Route Analyzer is specifically designed for this type of scenario, where there are route configuration issues between transit gateways. It automatically detects route misconfigurations and provides an easy-to-understand view of the affected routes, making it the least operationally intensive solution.
- Why this is preferred: It is built for the exact use case of identifying misconfigurations in route tables, and it automates much of the diagnostic process.

Option B: Use the AWSSupport-SetupIPMonitoringFromVPC AWS Systems Manager Automation runbook. Push network telemetry data to Amazon CloudWatch Logs for analysis.
- Explanation: This runbook automates the collection of network telemetry data from VPCs and pushes it to CloudWatch Logs. The dat...

Author: Emily · Last updated May 16, 2026

A marketing company is using hybrid infrastructure through AWS Direct Connect links and a software-defined wide area network (SD-WAN) overlay to connect its branch offices. The company connects multiple VPCs to a third-party SD-WAN appliance transit VPC within the same account by using AWS Site-to-Site VPNs. The company is planning to connect more VPCs to the SD-WAN appliance transit VPC. However, the company faces challenges of scalability, route table limitations, and higher costs wit...

To solve the company's scalability, route table limitations, and cost challenges, the solution must provide an architecture that simplifies management, reduces operational overhead, and enables seamless connectivity between multiple VPCs and the SD-WAN appliance transit VPC. Let’s analyze the provided options based on these factors:

Option A: Configure a transit gateway to attach the VPCs. Configure a Site-to-Site VPN connection between the transit gateway and the third-party SD-WAN appliance transit VPC. Use the SD-WAN overlay links to connect to the branch offices.
- Pros:
  - Transit Gateway (TGW) is highly scalable and simplifies routing between multiple VPCs.
  - Using Site-to-Site VPN ensures secure connectivity between the TGW and the SD-WAN appliance.
- Cons:
  - While this solution resolves scalability issues for VPCs, the reliance on Site-to-Site VPN introduces potential performance and cost concerns, especially if the SD-WAN appliance supports better integration options.
  - Site-to-Site VPNs are typically less efficient and may create higher operational overhead due to the need for additional configuration and management of VPN tunnels.

Option B: Configure a transit gateway to attach the VPCs. Configure a transit gateway Connect attachment for the third-party SD-WAN appliance transit VPC. Use transit gateway Connect native integration of SD-WAN virtual hubs with AWS Transit Gateway.
- Pros:
  - The Transit Gateway Connect feature is designed for integrating SD-WAN solutions directly with AWS Transit Gateway, reducing complexity and eliminating the need for Site-to-Site VPNs.
  - Transit Gateway Connect offers better scalability, performance, and cost-efficiency, with native support for SD-WAN integration.
  - It removes the dependency on traditional VPN connections and provides more robust routing capabilities.
- Cons:
  - This requires that the third-party SD-WAN appliance supports Transit Gateway Connect natively. If the appliance doesn't support this feature, this option would be nonviable.

Option C: Configure a transit gateway to attach the VPCs. Configure VPC peering between the VPCs and the third-party SD-WAN appliance transit VPC. Use the SD-WAN overlay links to con...

Author: Lina Zhang · Last updated May 16, 2026

A company is running a hybrid cloud environment. The company has multiple AWS accounts as part of an organization in AWS Organizations. The company needs a solution to manage a list of IPv4 on-premises hosts that will be allowed to access resources in AWS. The solution must provide version control for the list of ...

To meet the company's requirement of managing a list of IPv4 on-premises hosts that will be allowed to access resources in AWS, while also ensuring version control and making the list available to all AWS accounts within the organization, let’s analyze each option:

Option A: Create a customer-managed prefix list. Add entries for the initial list of on-premises IPv4 hosts. Create a resource share in AWS Resource Access Manager. Add the managed prefix list to the resource share. Share the resource with the organization.
- Pros:
  - Customer-managed prefix lists are designed to store and manage IP address ranges for use in AWS services like security groups and route tables.
  - By sharing the prefix list through AWS Resource Access Manager (RAM), the list can be easily shared across multiple accounts in the AWS organization.
  - Provides version control because you can update the prefix list entries and they can be immediately available to all accounts within the organization.
- Cons:
  - This method may be more complex than necessary for organizations that don't already use prefix lists or if there are no services like security groups or route tables explicitly leveraging this feature.

Option B: Create a customer-managed prefix list. Add entries for the initial list of on-premises IPv4 hosts. Use AWS Firewall Manager to share the managed prefix list with the organization.
- Pros:
  - Using AWS Firewall Manager allows central management and distribution of security policies, including IP lists, across multiple accounts.
  - AWS Firewall Manager integrates with prefix lists, providing version control, and it ensures that the list is updated and applied across the organization.
- Cons:
  - This approach is designed for organizations already using Firewall Manager to manage security policies. If the company doesn't have it set up, the solution might require additional configuration and overhead.
  - This option may be overkill if the company's needs are focused purely on managing the IP list, not on broader firewall policy management.

Option C: Create a security group. Add inbound rule entries for the initial list of on-premises IPv4 hosts. Create a resource share in AWS Resource Access Manager. Add the security group to the resource share. Share the resource with the organization.
- Pros:
  - Security groups are simple to manage and provide a way to control inbound traffic based on IP addresses.
- Cons:
  - Security groups are not ideal for version control or managing a list of IP addresses. Managing large lists of IP addresses directly in s...

Author: Ava · Last updated May 16, 2026

A company's application is deployed on Amazon EC2 instances in a single VPC in an AWS Region. The EC2 instances are running in two Availability Zones. The company decides to use a fleet of traffic inspection instances from AWS Marketplace to inspect traffic between the VPC and the internet. The company is performing tests before the company deploys the architecture into production. The fleet is located in a shared inspection VPC behind a Gateway Load Balancer (GWLB). To minimize the cost of the solution, the company deployed only one inspection instance in each Availability Zone that the application uses. During tests, a network engineer notices that traffic inspection works a...

To address the issue where traffic inspection works as expected under normal conditions but fails during maintenance (likely due to the unavailability of inspection instances), the solution must focus on improving availability and redundancy of the inspection instances, ensuring that traffic can still be routed through inspection instances even if one instance is undergoing maintenance or fails. Let’s analyze each option:

Option A: Deploy one inspection instance in the Availability Zones that do not have inspection instances deployed.
- Pros:
  - This approach would help ensure that all Availability Zones (AZs) have at least one inspection instance, increasing redundancy.
  - By having inspection instances in both AZs where the application runs, traffic would be properly routed to a functioning instance in the event of a failure or maintenance.
- Cons:
  - While deploying instances in the second AZ would increase redundancy, this doesn't fully address the issue of load balancing across AZs and the potential for timeouts during instance failures.
  - This step alone does not guarantee a seamless failover experience for traffic.

Option B: Deploy one additional inspection instance in each Availability Zone where the inspection instances are deployed.
- Pros:
  - By deploying two inspection instances per AZ, you achieve redundancy within each Availability Zone.
  - This ensures that if one inspection instance fails or is in maintenance, the other can take over seamlessly, preventing session timeouts.
  - This solution also improves fault tolerance and ensures the application instances can continue functioning during maintenance or failures.
- Cons:
  - The downside is that it requires additional cost since you're deploying more inspection instances in each AZ. However, this trade-off is necessary to ensure high availability and avoid session timeouts.

Option C: Enable the cross-zone load balancing attribute for the GWLB.
- Pros:
  - Cross-zone load balancing would allow the Gateway Load Balancer to distribute traffic evenly across inspection instances in multiple AZs, improving the overall load distribution.
  - This could help prevent session timeouts because traffic would be balanced and routed to the available inspection instances.
- Cons:
  - This does not address the lack of redundancy in a single AZ during maintenance. Even with cross-zone load balancing, if an AZ doesn't have a functioning inspection ...

Author: Noah · Last updated May 16, 2026

A company has developed a new web application on AWS. The application runs on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate behind an Application Load Balancer (ALB) in the us-east-1 Region. The application uses Amazon Route 53 to host the DNS records for the domain. The content that is served from the website is mostly static images and files that are not updated frequently. Most of the traffic to the website from end users will originate from the United States. Some traffic will originate from Canada and Europe. A network engineer ...

To meet the requirements of reducing latency for end users while ensuring all traffic is encrypted in transit until it reaches the Application Load Balancer (ALB), we must consider factors like low-latency content delivery, security (encryption), and cost efficiency.

Option A: Configure the ALB to use an AWS Global Accelerator accelerator in us-east-1. Create a secure HTTPS listener. Create an alias record in Amazon Route 53 for the custom domain name. Configure the alias record to route to the DNS name that is assigned to the accelerator for the ALB.
- Pros:
  - AWS Global Accelerator improves latency by routing traffic through the AWS global network, directing users to the nearest AWS edge location.
  - This approach minimizes latency by using the AWS backbone network and automatically selects the best regional endpoint.
  - Traffic would be encrypted in transit with HTTPS, ensuring compliance with the encryption requirement.
- Cons:
  - Global Accelerator is a premium service and may introduce additional costs, particularly when serving traffic globally.
  - It is more suited for global applications, but if the majority of users are in the United States with only some traffic from Canada and Europe, this could be overkill, especially in terms of cost.

Option B: Configure the ALB to use a secure HTTPS listener. Create an Amazon CloudFront distribution. Set the origin domain name to point to the DNS record that is assigned to the ALB. Configure the CloudFront distribution to use an SSL certificate. Set all behaviors to force HTTPS. Create an alias record in Amazon Route 53 for the custom domain name. Configure the alias record to route to the DNS name that is assigned to the ALB.
- Pros:
  - CloudFront is a content delivery network (CDN) that can distribute static content to edge locations worldwide, reducing latency for users in Canada, Europe, and the United States.
  - Traffic will be encrypted in transit until it reaches the ALB (via HTTPS), meeting the security requirement.
  - CloudFront is designed to reduce the cost of serving static content, improving performance, and reducing the load on the ALB.
- Cons:
  - CloudFront would incur additional cost, especially for caching and delivering content to global edge locations. However, this cost is generally lower than using Global Accelerator.

Option C: Configure the ALB to use a secure HTTPS listener. Create an Amazon CloudFront distribution. Set the origin domain name to point to the DNS record that is assigned to the ALB. Configure the CloudFront distribution to use an SSL certificate and redirect HTTP to HTTPS. Create an alias record in Amazon Route 53 for the custom domain name. Configure the alias record to route to the CloudFront distribution.
- Pros:
  - This solution is similar to Option B but w...

Author: Aria · Last updated May 16, 2026

A company deploys an internal website behind an Application Load Balancer (ALB) in a VPC. The VPC has a CIDR block of 172.31.0.0/16. The company creates a private hosted zone for the domain example.com for the website in Amazon Route 53. The company establishes an AWS Site-to-Site VPN connection between its office network and the VPC. A network engineer needs to set up a DNS solution so that employees can v...

To allow employees to access the internal website by visiting a private domain URL (`https://example.com`), the DNS solution needs to route the traffic to the internal Application Load Balancer (ALB) behind the VPC. The company has established a Site-to-Site VPN connection, and the goal is to ensure that employees on the office network can resolve the domain name to the ALB inside the VPC. Let's analyze the options step by step:

Option A: Create an alias record that points to the ALB in the Route 53 private hosted zone.
- Pros:
  - Alias records are a special type of record in Route 53 that allow mapping domain names to AWS resources (like ALB) without needing an IP address. An alias record in a private hosted zone will resolve the domain to the ALB internally.
  - Since the ALB is private (with an internal DNS name), the alias record will ensure the domain name resolves correctly within the VPC.
  - This method is highly suitable because it directly resolves the private domain to the internal ALB.
- Cons:
  - No significant drawbacks here, as this is the recommended approach for associating domain names with ALBs in Route 53 private hosted zones.

Option B: Create a CNAME record that points to the ALB internal domain in the Route 53 private hosted zone.
- Pros:
  - A CNAME record can be used to alias the domain to the ALB's internal DNS name.
- Cons:
  - CNAME records are typically used to alias domain names to other domain names, but alias records are a better fit for associating domain names with AWS resources like ALBs. Route 53 also has a limit on CNAME usage in certain scenarios (like the root domain), making alias records more flexible in this case.
  - Although it would work, it's not the most efficient or recommended method within AWS, especially when working with AWS resources like ALBs.

Option C: Create a Route 53 Resolver inbound endpoint. On the office DNS server, configure a conditional forwarder to forward the DNS queries to the Route 53 Resolver inbound endpoint.
- Pros:
  - The Route 53 Resolver inbound endpoint would allow DNS queries from the office network (outside AWS) to resolve the private domain.
- Cons:
  - This is a more complex solution. The inbound endpoint is typically used when you need to forward DNS queries from a non-AWS network (like the office network) to a private hosted zone in Route 53.
  - This solution might be overkill because there’s a simpler way to solve this using a conditiona...

Author: Emma · Last updated May 16, 2026

A company is deploying AWS Cloud WAN with edge locations in the us-east-1 Region and the ap-southeast-2 Region. Individual AWS Cloud WAN segments are configured for the development environment, the production environment, and the shared services environment at each edge location. Many new VPCs will be deployed for the environments and will be configured as attachments to the AWS Cloud WAN core network. The company's network team wants to ensure that VPC attachments are configured for the correct segment. The network team will tag the VPC attachments by using the Environment key with a value ...

Let's break down each option and determine which one best meets the requirements:

Requirements:
1. Production Environment in us-east-1 must require acceptance for attachment requests.
2. All other attachment requests should not require acceptance.
3. The Environment tag will be used to specify the segment (Development, Production, Shared Services).

Key Considerations:
- Condition Logic: The "and" condition logic requires that both conditions (the tag and the region) be true for the rule to apply. The "or" condition logic allows for either condition (tag or region) to be true.
- Acceptance Requirement: Only the production environment in us-east-1 should require acceptance.

Option Analysis:

A) Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or" value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.
- Problem: The "or" logic means that any attachment with a tag:Environment value of "Production" or in the "us-east-1" region will trigger acceptance, which is not ideal. This will cause all production environments (even outside of us-east-1) to require acceptance, which is not desired.
- Rejection Reason: This rule does not meet the requirement for the production environment in other regions (e.g., ap-southeast-2) not to require acceptance.

B) Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.
- Problem: This approach is correct for requiring acceptance for production attachments only in the us-east-1 region. The "and" condition ensures that both the tag ("Production") and the region ("us-east-1") must match for the rule to apply, which is exactly what...

Author: Vivaan · Last updated May 16, 2026

A company is migrating applications from a data center to AWS. Many of the applications will need to exchange data with the company's on-premises mainframe. The company needs to achieve 4 Gbps transfer speeds to meet peak traffic demands. A network engineer must design a highly available solution that maximi...

To address the requirements outlined in the problem, the solution must satisfy the following criteria:
1. Achieve 4 Gbps transfer speeds to meet peak traffic demands.
2. Maximize resiliency by being able to withstand the loss of circuits or routers.
3. High availability solution with redundancy, ideally involving multiple connections across multiple locations.

Key Considerations:
- Bandwidth Requirement: The company needs 4 Gbps of total bandwidth to meet the peak traffic demands. This means the combined capacity from AWS Direct Connect connections must be at least 4 Gbps.
- Redundancy: The solution should support high availability. This means using multiple connections across multiple locations and routers to ensure that if one connection or router fails, traffic can continue to flow.
- Resiliency: To ensure resiliency, we need to ensure that connections from multiple Direct Connect locations are utilized and terminated on different routers in the company’s data center.

Option Analysis:

A) Order four 10 Gbps AWS Direct Connect connections that are evenly spread over two locations. Terminate one connection from each Direct Connect location to a router at the company location. Terminate the other connection from each Direct Connect location to a different router at the company location.
- Bandwidth: This provides 40 Gbps of total bandwidth, far exceeding the 4 Gbps requirement. This is ideal in terms of bandwidth as it exceeds the need.
- Redundancy: This option uses multiple locations and multiple routers, which provides high availability and resiliency. If one circuit or router fails, traffic can still flow through the other connections or routers.
- Resiliency: With four 10 Gbps connections across two locations and two routers, this solution ensures maximum resiliency, satisfying the requirement to withstand the loss of circuits or routers.
- Conclusion: This option is over-provisioned in terms of bandwidth but perfectly meets the resiliency and redundancy requirements.

B) Order two 10 Gbps AWS Direct Connect connections that are evenly spread over two locations. Terminate the connection from each Direct Connect location to a different router at the company location.
- Bandwidth: This provides 20 Gbps of total bandwidth, which is also more than sufficient to meet the 4 Gbps requirement. However, it only provides two connections, which might not be as resilient as four.
- Resiliency...

Author: Mia · Last updated May 16, 2026

A company has 10 web server Amazon EC2 instances that run in an Auto Scaling group in a production VPC. The company has 10 other web servers that run in an on-premises data center. The company has a 10 Gbps AWS Direct Connect connection between the on-premises data center and the production VPC. The company needs to implement a load balancing solution that receives HTTPS traffic from thousands of external users. The solution must distribute the traffic across the web servers on AWS and the w...

Let's go through each option and evaluate how it addresses the company's requirements:

Key Requirements:
1. Distribute traffic across web servers in both AWS (EC2 instances) and on-premises data center.
2. The solution must ensure that HTTPS requests go to the same server for the entire session (sticky sessions).
3. The solution should be able to handle high-volume HTTPS traffic (thousands of external users).
4. Maintain a connection between on-premises servers and EC2 instances via AWS Direct Connect.

Option Analysis:

A) Create a Network Load Balancer (NLB) in the production VPC. Create a target group. Specify IP as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable connection draining on the NLB.
- Target Type: The IP target type in NLB means that you can register both EC2 instances (with IPs) and on-premises servers (with IPs), which works for hybrid cloud setups.
- Sticky Sessions: NLB does not support sticky sessions out of the box. Connection draining is supported, but it only helps gracefully remove instances, not sticky sessions for session persistence.
- Conclusion: NLB does not support sticky sessions for HTTPS traffic, which is a key requirement. Therefore, this option does not meet the sticky session requirement.

B) Create an Application Load Balancer (ALB) in the production VPC. Create a target group. Specify IP as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable application-based session affinity (sticky sessions) on the ALB.
- Target Type: Using the IP target type on an ALB allows you to register both EC2 instances and on-premises servers by their IP addresses.
- Sticky Sessions: ALB supports application-based session affinity (sticky sessions) which is essential for ensuring that HTTPS requests from the same client always go to the same server during the session.
- Conclusion: Th...

Author: Zara · Last updated May 16, 2026

A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company has decided to use AWS Site-to-Site VPN to establish connectivity between its on-premises network and its AWS environment. The company does not have a static public IP address for its on-premises network. A network engineer must implement a solution to initiate the VPN connection on the AWS side of the connection for traffic from the AWS enviro...

To establish a VPN connection between an AWS transit gateway and the on-premises network without a static public IP address for the on-premises network, the network engineer must take the following key steps:

Key Considerations:
1. Dynamic IP Address: Since the on-premises network does not have a static IP address, the solution should allow the VPN to work even with dynamic IPs.
2. Initiate Connection from AWS: The VPN connection should be initiated from the AWS side, as per the requirement.
3. Protocol Support: The correct VPN protocols and configuration must be set to establish and maintain a secure connection.
4. VPN Tunnel Configuration: The options should facilitate a connection that works even when the on-premises network does not have a static public IP.

Option Analysis:

A) Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 1 (IKEv1).
- IKEv1 is an older version of the protocol used in IPsec VPNs. It has some security vulnerabilities and limitations compared to IKEv2. AWS prefers IKEv2 for its improved security and reliability.
- Rejection Reason: IKEv1 is not recommended for new configurations due to its limitations and potential security risks.

B) Configure the Site-to-Site VPN tunnel options to use Internet Key Exchange version 2 (IKEv2).
- IKEv2 is the preferred and more secure option compared to IKEv1. It supports modern encryption and provides better security, faster reconnection after link failures, and improved reliability.
- Selection Reason: IKEv2 is the best choice because it meets modern security requirements and works more efficiently with AWS services.

C) Use a private certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
- A private certificate authority (CA) is used when you want to manage your own certificates for internal purposes or private communications within your organization.
- However, the VPN connection between AWS and an on-premises network usually doesn't require private certificates in this context. AWS typically uses pre-shared keys (PSK) for Site-to-Site VPNs.
- Rejection Reason: Private CA is unnecessary for establishing a Site-to-Site VPN in this case.

D) Use a public certificate authority (CA) from AWS Private Certificate Authority to create a certificate.
- Similar to the...

Author: Leo · Last updated May 16, 2026

A company's AWS environment has two VPCs. VPC A has a CIDR block of 192.168.0.0/16. VPC B has a CIDR block of 10.0.0.0/16. Each VPC is deployed in a separate AWS Region. The company has remote users who work outside the company's offices. These users need to connect to an application that is running in the VPCs. Traffic to and from the VPCs over the internet must be encrypted. A network engineer must set up connectivi...

To meet the requirement of securely connecting remote users to the application running in the two VPCs (VPC A and VPC B), the solution must ensure that traffic between the remote users and the VPCs is encrypted over the internet and has minimal management overhead. Here's the breakdown of the options:

Key Requirements:
1. Remote Access: Remote users need to connect to the application running in the two VPCs.
2. Encryption: The traffic between the remote users and the VPCs must be encrypted.
3. Minimal Management Overhead: The solution must minimize ongoing management tasks.
4. Separate Regions: The VPCs are deployed in separate AWS Regions.

Option Analysis:

A) Establish an AWS Site-to-Site VPN connection between VPC A and VPC B.
- A Site-to-Site VPN connects on-premises networks or remote AWS networks. While this would provide encrypted communication between the two VPCs, it does not directly address remote users connecting to the application.
- Rejection Reason: This solution only connects the VPCs, not the remote users. It also requires managing the VPN infrastructure, which does not minimize overhead in this case.

B) Establish a VPC peering connection between VPC A and VPC B.
- VPC Peering allows direct traffic between VPCs. However, it requires managing routing between VPCs. It doesn't inherently provide remote access to users outside of the VPCs, and it does not directly address encrypted connections over the internet.
- Rejection Reason: VPC Peering only facilitates communication between VPCs but doesn't cater to remote user access. The solution requires a separate remote access mechanism.

C) Create an AWS Client VPN endpoint in VPC A and VPC B. Add an authorization rule to grant access to VPC A and VPC B.
- AWS Client VPN provides encrypted access for remote users. By setting up a Client VPN endpoint in both VPCs, remote users can securely access resources in both VPCs. The authorization rules allow remote users to access resources in both VPCs.
- Selection Reason: This approach provides secure, encrypted access to both VPCs for remote users ...

Author: Samuel · Last updated May 16, 2026

A company uses Amazon Route 53 to register a public domain, example.com, in an AWS account. A central services group manages the account. The company wants to create a subdomain, test.example.com, in another AWS account to offer name services for Amazon EC2 instances that are hosted in the account. The company does not want to migrate the parent domain to the subdomain account. A network engineer...

The task is to create a subdomain, test.example.com, in a separate AWS account while keeping example.com in the original AWS account. The network engineer has created a Route 53 hosted zone for the subdomain in the second account, and now needs to ensure the DNS resolution between the parent domain and subdomain works seamlessly.

Option Analysis:
1. Option A: Add records for the hosts of the new subdomain to the new Route 53 hosted zone.
- Explanation: This step is necessary for defining specific resource records (such as A records, CNAME records, etc.) within the new Route 53 hosted zone for the subdomain. This allows the subdomain to resolve to the correct resources (e.g., EC2 instances) within the second AWS account.
- Reason for selection: It is a required step to ensure that DNS queries for resources under test.example.com will return the correct results.
2. Option B: Update the DNS service for the parent domain by adding name server (NS) records for the subdomain.
- Explanation: To delegate authority for the subdomain test.example.com to another AWS account, you must add NS records in the parent domain's hosted zone (in the first account) pointing to the name servers of the new hosted zone for the subdomain.
- Reason for selection: This delegation step is essential so that DNS queries for test.example.com are resolved by the hosted zone in the second AWS account.
3. Option C: Update the DNS service for the subdomain by adding name server (NS) records for the parent domain.
- Explanation: This step is unnecessary because test.example.com is the subdomain, and there's no need to point it to the name servers of the parent domain example.com. The parent domain's name ...

Author: Lucas Carter · Last updated May 16, 2026

An IoT company collects data from thousands of sensors that are deployed in the United States and South Asia. The sensors use a proprietary communication protocol that is built on UDP to send the data to a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group and run behind a Network Load Balancer (NLB). The instances, Auto Scaling group, and NLB are deployed in the us-west-2 Region. Occasion...

Problem Analysis: The IoT company is experiencing packet loss when data is sent from sensors located in South Asia to EC2 instances deployed in the us-west-2 Region. The data travels over the internet using UDP, and this loss could be due to network congestion, latency issues, or unreliable network paths.

Solution Options:
1. Option A: Use AWS Global Accelerator with the existing NLB.
- Explanation: AWS Global Accelerator improves the availability and performance of applications by directing user traffic to the optimal endpoint based on health, geography, and routing policies. By using Global Accelerator in conjunction with the existing Network Load Balancer (NLB), the company can ensure that traffic from sensors in South Asia is routed through the AWS Global Accelerator, which leverages the AWS global network to reduce latency and improve packet delivery success.
- Reason for selection: This solution enhances the availability and reliability of the UDP traffic from South Asia by routing it over a more reliable network, reducing packet loss.
2. Option B: Create an Amazon CloudFront distribution. Specify the existing NLB as the origin.
- Explanation: CloudFront is primarily used for HTTP/HTTPS traffic and can't be used for UDP traffic. Since the sensors use a proprietary communication protocol based on UDP, CloudFront is not an appropriate solution.
- Reason for rejection: CloudFront is not designed to work with UDP traffic, and therefore, cannot be used to resolve the issue of lost data from sensors.
3. Option C: Create a second deployment of the EC2 instances and the NLB in the ap-south-1 Region. Use an Amazon Route 53 latency routing policy to resolve to the Region that provides the least latency.
- Explanation: Deploying EC2 instances and NLBs in the ap-south-1 (Mumbai) Region would provide a closer endpoint for sensors in South Asia, reducing network latency and possibly preventing packet loss. The Route 53 latency routing policy will direct traffic to the region with the lowest late...

Author: Rahul · Last updated May 16, 2026

A company has an application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-par...

To meet the new company regulation requiring that all network traffic to and from the EC2 instances be sent to a centralized third-party EC2 appliance for content inspection, the solution needs to provide a way to mirror traffic from the EC2 instances to a dedicated appliance. Let's evaluate each option.

Option Analysis:
1. Option A: Configure VPC flow logs on each EC2 network interface. Publish the flow logs to an Amazon S3 bucket. Create a third-party EC2 appliance to acquire flow logs from the S3 bucket. Log in to the appliance to monitor network content.
- Explanation: VPC flow logs capture metadata about network traffic, such as IP addresses, ports, and protocols, but do not capture the actual content of the traffic. This option will not meet the requirement for content inspection, as it does not provide the actual traffic payloads, just metadata.
- Reason for rejection: This solution doesn't provide the actual data content necessary for inspection, making it unsuitable for content inspection.
2. Option B: Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.
- Explanation: This solution uses traffic mirroring to capture the actual packet-level network traffic from the EC2 instances and sends it to the third-party appliance. By placing the appliance behind an NLB, traffic can be directed for inspection. Traffic mirroring allows the appliance to analyze the traffic in real time.
- Reason for selection: This solution is ideal because it mirrors the actual traffic for content inspection and can handle both inbound and outbound traffic, fulfilling the regulation requirement.
3. Option C: Configure a mirror session. Specify an Amazon Kinesis Data F...

Author: Amira · Last updated May 16, 2026

A company has two AWS Direct Connect links. One Direct Connect link terminates in the us-east-1 Region, and the other Direct Connect link terminates in the af-south-1 Region. The company is using BGP to exchange routes with AWS. How...

To configure AWS Direct Connect links to prioritize one link over the other while maintaining the secondary link, we need to take into account BGP attributes like local preference and community tags. Here's how to assess the provided options:

Key Factors:
1. Local Preference: This BGP attribute is used to influence the outbound traffic routing. The higher the value, the more preferred the route. If we want to make us-east-1 the primary link, we need to set a higher local preference for that link.
2. Community Tags: Community tags can be used to control routing behavior. Tags like `7224:7100` and `7224:7300` can be configured on the BGP peers to mark routes and influence routing decisions.
3. Redundancy: We want to ensure that the af-south-1 link serves as a secondary path (backup link). Therefore, the local preference for af-south-1 should be lower than for us-east-1, making af-south-1 less preferred by default.

Analysis of Options:
- Option A:
  - Community tags:
    - us-east-1 → `7224:7100` (typically for primary path)
    - af-south-1 → `7224:7300` (typically for secondary path)
  - Local preference:
    - us-east-1 → 200 (higher, making it more preferred)
    - af-south-1 → 50 (lower, making it less preferred)
  This is a valid configuration, where us-east-1 is preferred due to the higher local preference, and af-south-1 serves as the secondary link.
- Option B:
  - Community tags:
    - us-east-1 → `7224:7300` (typically for secondary path)
    - af-south-1 → `7224:7100` (typically for primary path)
  - Local preference:
    - us-east-1 → 200 (h...

Author: Manish · Last updated May 16, 2026

A team of infrastructure engineers wants to automate the deployment of Application Load Balancer (ALB) components by using the AWS Cloud Development Kit (AWS CDK). The CDK application must deploy an infrastructure stack that is reusable and consistent across multiple environments, AWS Regions, and AWS accounts. The lead network architect on the project has already bootstrapped the target accounts. The lead network architect also has deployed core network components such as VPCs and Amazon Route 53 private hosted zones across the multiple environments and Regions. The infras...

Problem Context: The infrastructure engineers want to automate the deployment of Application Load Balancer (ALB) components using AWS CDK across multiple environments, regions, and accounts. The goal is to leverage existing network components (VPCs, Route 53 private hosted zones) and ensure reusability and consistency with the least manual effort.

Solution Approach: The most suitable approach involves leveraging AWS CDK's features for environment and region-specific configurations. Let's evaluate the provided options:

---
Option A: Design the CDK application to read AWS CloudFormation parameters for the values that vary across environments and Regions. Reference these variables in the CDK stack for resources that require the variables.
- Explanation: Using CloudFormation parameters allows the CDK application to be flexible and reusable across different environments and regions. The parameters can be defined for values like VPC IDs, subnet IDs, Route 53 private hosted zones, etc., which will vary depending on the environment. This approach makes it possible to configure the infrastructure dynamically during deployment, without the need for hardcoding values.
- Reason for selection: This approach allows for parameterization of values, ensuring that the stack can be reused and customized easily across different environments and regions. It minimizes manual work and hardcoding, which is ideal for scaling the infrastructure across accounts and regions.
- Reason for rejection: The option is rejected for not being the most straightforward solution, as AWS CDK provides more flexible mechanisms to handle environment-specific configurations (like using context values or environment variables directly).

---
Option B: Design the CDK application to read environment variables that contain account and Region details at runtime. Use these variables as properties of the CDK stack. Use context methods in the CDK stack to retrieve variable values.
- Explanation: Environment variables can be used to inject account and region-specific details at runtime. These can be passed to the CDK stack during execution. Using context methods like `cdk.context.get()` can help retrieve environment-specific configuration values, making the stack adaptable and reusable. This method allows dynamically pulling environment settings for each deployment without modifying the CDK code for each environment.
- Reason for selection: This is a highly dynamic approach, as it provides flexibility by allowing the CDK stack to be context-aware, and the values can be passed in at runtime. This reduces manual steps and ensures consistency in deployments.
- Reason for rejection: Although it offers flexibility, the reliance on environment variables requires a good infrastructure setup to manage these variables across different environments, which might be more complicated than using CloudFormation parameters.

---
Option C: Create a dedicated account for shared application services in the multi-a...

Author: Victoria · Last updated May 16, 2026

A company has critical VPC workloads that connect to an on-premises data center through two redundant active-passive AWS Direct Connect connections. However, a recent outage on one Direct Connect connection revealed that it takes more than a minute for traffic to fail over to the secondary Direct Connect connection. The comp...

To solve the problem of reducing the BGP failover time from minutes to seconds, let's evaluate each of the proposed solutions and their respective benefits.

Option A: Reduce the BGP hold-down timer that is configured on the BGP sessions on the Direct Connect connection VIFs.
- BGP Hold-down Timer: The BGP hold-down timer defines how long BGP waits to declare a route as invalid after a failure. By reducing this timer, you can potentially speed up the detection of failures, but BGP still needs to wait for a certain period before it can advertise a new route.
- Drawback: While reducing the hold-down timer might reduce failover time to some extent, BGP isn't inherently fast in responding to network failures (due to its reliance on timers). BGP is a more complex protocol meant to handle larger network topologies, and it doesn't optimize for sub-second failover. Therefore, this approach will not provide a significant reduction in failover time.

Option B: Configure an Amazon CloudWatch alarm for the Direct Connect connection state to invoke an AWS Lambda function to fail over the traffic.
- CloudWatch Alarm with Lambda: This method triggers a failover based on the state of the Direct Connect connection. However, it requires detection of the connection failure by CloudWatch, followed by the invocation of a Lambda function to reconfigure routing.
- Drawback: While this might be useful for monitoring, it does not address the fundamental issue of BGP failover time. CloudWatch detection itself may not be instantaneous, and invoking Lambda could add additional delay. It's also not directly related to reducing the time BGP takes to detect and propagate changes in routing, which is the core of the failover process.

Option C: Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect...

Author: Vivaan · Last updated May 16, 2026

A European car manufacturer wants to migrate its customer-facing services and its analytics platform from two on-premises data centers to the AWS Cloud. The company has a 50-mile (80.4 km) separation between its on-premises data centers and must maintain that separation between its two locations in the cloud. The company also needs failover capabilities between the two locations in the cloud. The company's infrastructure team creates several accounts to separate workloads and responsibilities. The company provisions resources in the eu-west-3 Region and in the eu-central-1 Region. The company selects an AWS Direct Connect Partner in each Region and requests two resilient 1 Gbps fiber connections fro...

To meet the requirements of the European car manufacturer's solution (maintaining separation between its two cloud locations, failover capabilities, and connectivity between all VPCs and on-premises networks), let's carefully evaluate the given options.

Key Requirements:
1. Separation between locations: The solution needs to maintain separation between the two locations in the cloud (eu-west-3 and eu-central-1).
2. Failover capabilities: The company needs to ensure that network issues will not disrupt access to services in either Region, so failover between Regions is essential.
3. VPC Connectivity: All VPCs in both Regions must be able to communicate with each other and with the on-premises network.
4. Multiple connections for resilience: The company has requested two resilient 1 Gbps fiber connections from each AWS Direct Connect partner.

Now let's evaluate each option:

Option A: Create a Direct Connect gateway. Create a private VIF on each of the Direct Connect connections. Attach the private VIFs to the Direct Connect gateway. Use equal-cost multi-path (ECMP) routing to aggregate the four connections across the two Regions. Attach the Direct Connect gateway directly to each VPC's virtual private gateway.
- Analysis: This solution involves using a Direct Connect gateway, attaching VIFs (Virtual Interfaces) to it, and using ECMP routing to aggregate the connections. It suggests directly connecting the Direct Connect gateway to each VPC's virtual private gateway (VGW).
- Issue: This solution doesn't fully leverage the required regional failover capabilities and cross-region connectivity. Attaching the Direct Connect gateway directly to each VGW limits the flexibility of routing between VPCs across regions. Additionally, ECMP helps distribute traffic across multiple paths, but it doesn't provide robust failover if one of the regions or connections goes down, nor does it address VPC-to-VPC connectivity across regions directly.
Rejected because it doesn't offer the necessary cross-region failover and VPC-to-VPC routing for separation and resiliency.

Option B: Create a Direct Connect gateway. Create a transit gateway. Attach the transit gateway to the Direct Connect gateway. Create a transit VIF on each of the Direct Connect connections. Attach the transit VIFs to the Direct Connect gateway. Use a link aggregation group (LAG) to aggregate the four connections across the two Regions. Attach the transit gateway directly to each VPC.
- Analysis: This solution uses a Direct Connect gateway and a transit gateway for both cross-region connectivity and failover. The LAG enables aggregation of the four 1 Gbps connections, improving resilience and redundancy.
- Issue: While this solution aggregates connections for better resilience, it doesn't provide direct pe...

Author: Maya · Last updated May 16, 2026

A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP seg...

To meet the company's requirement of analyzing TCP traffic and collecting detailed information such as source and destination IP addresses, ports, and the first 8 bytes of payload from TCP segments, we need to evaluate the available options based on the following criteria:
1. Capture the required traffic details (source/destination IP, ports, and payload).
2. Collect and store the traffic data for analysis.
3. Analyze the data effectively to gain insights into the traffic patterns and behaviors.

Option A: Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.
- VPC Traffic Mirroring: This solution captures and mirrors traffic at the network interface level, including the detailed information needed such as TCP/IP headers and the first 8 bytes of the payload (if configured). By setting the EC2 instances as the mirror sources, you can capture the traffic initiated by these instances.
- CloudWatch Logs: The mirrored traffic is forwarded to CloudWatch Logs, where you can analyze it using CloudWatch Logs Insights. This option allows for deep analysis and querying of the captured data, but CloudWatch Logs Insights is typically used for log data and might not be optimal for network traffic data at a deep packet inspection level.
Reason for selection: VPC traffic mirroring is a direct solution for capturing the detailed TCP traffic data required. It can forward the relevant data to CloudWatch Logs for analysis. However, CloudWatch Logs Insights might not be the most efficient or detailed tool for the traffic analysis, especially when needing to handle raw network traffic.

Option B: Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.
- NAT Gateway as Mirror Source: NAT gateways are designed to handle and forward traffic between private instances in the VPC and the internet, but they don't directly support traffic mirroring. You cannot mirror traffic from the NAT gateway in the same way you can from EC2 instances or ENIs (Elastic Network Interfaces).
- OpenSearch for Analysis: OpenSearch Service could be useful for analyzing network data and providing dashboards for visualization. However, capturing the required TCP traffic dat...

Author: Benjamin · Last updated May 16, 2026

A company has three VPCs in a single AWS Region. Each VPC contains 15 Amazon EC2 instances, and no connectivity exists between the VPCs. The company is deploying a new application across all three VPCs. The application requires high bandwidth between the nodes. A network engineer...

To meet the requirement for high-bandwidth connectivity between three VPCs in a single AWS region, let's evaluate each of the proposed options in terms of scalability, throughput, and ease of implementation.

Option A: Configure a transit gateway. Attach each VPC to the transit gateway. Configure static routing in each VPC to route traffic to the transit gateway.
- Transit Gateway: The AWS Transit Gateway is designed to simplify and scale network architectures by enabling communication between multiple VPCs, on-premises networks, and remote networks. The transit gateway provides high-throughput and low-latency communication between VPCs by acting as a central hub.
- High Throughput: A transit gateway supports high throughput and can handle high-bandwidth traffic between VPCs. It also allows for simpler routing and scaling compared to VPC peering.
- Scalability: The transit gateway supports up to 50 Gbps of throughput per connection and can easily scale with the addition of more VPCs.
- Routing: The solution uses dynamic or static routing (with static routing specified here), making it flexible and easy to manage.
- Advantage: This solution meets the need for high-bandwidth connectivity between VPCs and can scale as the number of VPCs or the required bandwidth increases.
Selected option: This is the best option as it provides the highest throughput with easy management and scalability.

Option B: Configure VPC peering between the three VPCs. Configure static routing to route traffic between the three VPCs.
- VPC Peering: In this solution, VPC peering is set up between each pair of VPCs. While this can work for smaller environments, it quickly becomes complex and inefficient as the number of VPCs grows.
- Throughput: VPC peering can provide good throughput but has limitations in terms of managing traffic at scale. The bandwidth depends on the type of instance and the network performance of each VPC's connection.
- Scalability: When using VPC peering, each additional VPC requires setting up new peering connections. This can create a large and hard-to-manage mesh of peerings that becomes more difficult to maintain over time, particularly with 3 VPCs.
- Routing: Static routing in each VPC would require manual management and updates as the network grows.
- Drawback: Although VPC peering can work for smaller, simpler networks, it's not ideal for scalability and maintaining high-throughput connectivity, especially in larger setups like the one described.
Rejected: This option is less scalable, and maintaining multiple ...

Author: FrozenWolf2022 · Last updated May 16, 2026

A network engineer needs to deploy an AWS Network Firewall firewall into an existing AWS environment. The environment consists of the following:
* A transit gateway with all VPCs attached to it
* Several hundred application VPCs
* A centralized egress internet VPC with a NAT gateway and an internet gateway
* A centralized ingress internet VPC that hosts public Application Load Balancers
* On-premises connectivity through an AWS Direct Connect gateway attachment
The application VPCs have workloads deployed across multiple Availability Zones in private subnets with the VPC route table's default route (0.0.0.0/0) pointing to the transit gateway. The Network Firewall firewall needs to inspect east-west (VPC-to-VPC) traffic and north-south (internet-bound and on...

To deploy AWS Network Firewall into the existing AWS environment with minimal architectural changes and ensure that both east-west (VPC-to-VPC) and north-south (internet-bound and on-premises network) traffic are inspected, we need to choose the most efficient configuration. Let's evaluate the requirements and each option.

Key Requirements:
1. Inspect East-West and North-South Traffic: The firewall must inspect both VPC-to-VPC (east-west) traffic and traffic going to/from the internet or on-premises (north-south).
2. Suricata-Compatible Rules: The firewall must support Suricata-compatible rule sets for traffic inspection.
3. Minimal Architectural Changes: The deployment should require the least disruption to the current network setup, which already involves VPCs connected through a transit gateway.

Option A: Deploy Network Firewall in all Availability Zones in each application VPC.
- Analysis: Deploying the firewall in every Availability Zone (AZ) of each application VPC would be very complex and would require significant changes to the VPCs' architecture. Each application VPC would need a firewall endpoint in each AZ, and the traffic inspection would need to be configured within each individual VPC.
- Drawback: This approach would involve many changes and isn't the most efficient way to integrate the firewall, especially since the goal is minimal disruption and it complicates network management across many VPCs.
Rejected: This approach introduces significant complexity and architectural changes, which goes against the goal of minimal disruption.

Option B: Deploy Network Firewall in all Availability Zones in a centralized inspection VPC.
- Analysis: This approach involves deploying the Network Firewall in a centralized inspection VPC that spans across all Availability Zones. By doing this, traffic from all application VPCs can be routed through this inspection VPC, allowing for centralized inspection of both east-west and north-south traffic.
- Minimal Changes: This option only requires changes to the routing and firewall inspection in the transit gateway and the centralized inspection VPC, which minimizes architectural disruption.
- Scalability: A centralized inspection VPC is easier to scale and manage compared to deploying firewalls in each AZ of every application VPC.
Selected: This is the best choice because it allows for centralized management and inspection without the need to deploy firewalls in each AZ of every VPC. This is highly scalable and less disruptive.

Option C: Update the HOME_NET rule group variable to include all CIDR ranges of the VPCs and on-premises networks.
- Analysis: The `HOME_NET` variable in Suricata rule sets defines the internal network addresses (for instance, VPC CIDR ranges) that should be considered as the "home" network for traffic inspection. Updating this variable ensures that the firewall inspects traffic originating from the application VPCs and on-premises networks.
- Requirement: This step is necessary to ensure that the firewall correctly identifies and i...

Author: FrostFalcon88 · Last updated May 16, 2026

A company is using a shared services VPC with two domain controllers. The domain controllers are deployed in the company's private subnets. The company is deploying a new application into a new VPC in the account. The application will be deployed onto an Amazon EC2 for Windows Server instance in the new VPC. The instance must join the existing Windows domain that is supported by the domain controllers in the shared services VPC. A transit gateway is attached to both the shared services VPC and the new VPC. The company has updated the route tables for the transit gateway, the shared services VPC, and the new VPC. The security groups for the domain controllers and the instance are...

To troubleshoot the issue of the EC2 instance being unable to join the domain, we need to identify the problem with minimal operational overhead. Let's analyze the options:

Option A: Use AWS Network Manager to perform a route analysis for the transit gateway network. Specify the existing EC2 instance as the source. Specify the first domain controller as the destination. Repeat the route analysis for the second domain controller.
- Reasoning: This option checks if the routing between the EC2 instance and the domain controllers is functioning correctly. By analyzing the route path, you can confirm that the traffic between the EC2 instance and the domain controllers is correctly routed via the transit gateway.
- Pros: It is a good way to verify whether the network routing is set up correctly without having to dive into detailed logs or packet captures. This can help identify if the traffic is being blocked or misrouted.
- Cons: This only provides a routing analysis and may not give you detailed information on network-level connectivity issues such as port blocking or application-level failures.
- Conclusion: This option is useful for ensuring the EC2 instance and domain controllers can communicate, but it does not provide detailed packet-level insights.

Option B: Use port mirroring with the existing EC2 instance as the source and another EC2 instance as the target to obtain packet captures of the connection attempts.
- Reasoning: Port mirroring would allow you to capture all the network traffic between the EC2 instance and the domain controllers. This would be valuable for troubleshooting domain join issues because it can show whether domain-related traffic (e.g., LDAP, Kerberos) is even reaching the domain controllers.
- Pros: This option provides the most granular visibility into network traffic, making it easier to diagnose specific issues with domain join operations.
- Cons: This option introduces operational overhead, as it involves setting up packet capture instances and analyzing large amounts of traffic. It's effective but not the least operational overhead.
- Conclusion: While highly effective, it might be more complicated and time-consuming than necessary for a first-level investigation.

Option C: Review the VPC flow logs on the shared services VPC and the new VPC.
- Reasoning: VPC flow logs can show whether traffic is being allowed or denied between the EC2 instance and the domain controllers. By examining flow logs, you can see if the necessary traffic (like DNS, Kerberos, or LDAP) is being blocked, which would explain why the EC2 instance cannot join the domain.
- Pros: This p...

Author: Deepak · Last updated May 16, 2026

A company has an order processing system that needs to keep credit card numbers encrypted. The company's customer-facing application runs as an Amazon Elastic Container Service (Amazon ECS) service behind an Application Load Balancer (ALB) in the us-west-2 Region. An Amazon CloudFront distribution is configured with the ALB as the origin. The company uses a third-party trusted certificate authority to provision its certificates. The company is using HTTPS for encryption in transit. The company needs additional ...

To meet the requirements of keeping credit card numbers encrypted during processing, field-level encryption must be enabled for specific data that needs additional protection. Here's the reasoning behind the selected options and the rejection of others:

Option A: Import the third-party certificate for the ALB. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into AWS Certificate Manager (ACM) in us-west-2.
- Reasoning: This option addresses the secure transmission of data between the client and the CloudFront distribution. However, this option does not address field-level encryption, which is a requirement for encrypting the sensitive data at the field level during processing.
- Conclusion: While necessary for encryption in transit, it doesn't solve the issue of field-level encryption for sensitive data like credit card numbers. Hence, this option does not meet the requirement.

Option B: Import the third-party certificate for the ALB into AWS Certificate Manager (ACM) in us-west-2. Associate the certificate with the ALB. Upload the certificate for the CloudFront distribution into ACM in the us-east-1 Region.
- Reasoning: This option ensures that SSL/TLS certificates are managed properly for both the ALB and CloudFront. It addresses encryption in transit but does not fulfill the field-level encryption requirement, which is the focus of the question. Field-level encryption needs specific configuration within CloudFront for data processing, which this option does not mention.
- Conclusion: This is necessary for securing communication but does not address field-level encryption, so this option does not meet the requirement.

Option C: Upload the private key that handles the encryption of the sensitive data to the CloudFront distribution. Create a field-level encryption profile and specify the fields that contain sensitive information. Create a field-level encryption configuration, and choose the newly created profile. Link the configuration to the appropriate cache behavior that is associated with sensitive POST requests.
- Reasoning: This option suggests uploading the private key to the CloudFront distribution. This is incorrect because AWS field-level encryption uses public key encryption. The private key must remain secure and should not be uploaded to CloudFront. The other actions related to creating a field-level encryption profile and linking it to the appropriate cache behavior are correct, but the private key shou...

Author: SilverBear · Last updated May 16, 2026

A company has deployed a multi-VPC environment in the AWS Cloud. The company uses a transit gateway to connect all the VPCs together. In the past, the company has experienced a loss of connectivity between applications after changes to security groups, network ACLs, and route tables in a VPC. When these ...

Let's evaluate each option based on the company's needs to automatically verify connectivity after changes are made to security groups, network ACLs, and route tables in a VPC:

Option A: Create a list of paths between different resources to check in VPC Reachability Analyzer. Create an Amazon EventBridge rule to monitor when a change is made and logged in Amazon CloudWatch. Configure the rule to invoke an AWS Lambda function to test the different paths in Reachability Analyzer.
- Reasoning: VPC Reachability Analyzer is specifically designed to check network connectivity between resources within a VPC. Using it to verify paths between resources is suitable because it directly tests connectivity within a VPC, including potential issues related to security groups, network ACLs, and route tables. Amazon CloudWatch can be used to monitor logs and metrics related to changes, but this option is less ideal because changes to security groups or route tables might not always generate log entries in CloudWatch directly (they are often logged in AWS CloudTrail instead). While this option is possible, CloudWatch monitoring is not as specific for tracking changes that could affect VPC resources.
- Conclusion: This approach can be used but may not be the most effective given that CloudWatch doesn't always capture the precise changes to VPC configuration that impact connectivity.

Option B: Create a list of paths between different resources to check in VPC Reachability Analyzer. Create an Amazon EventBridge rule to monitor when a change is made and logged in AWS CloudTrail. Configure the rule to invoke an AWS Lambda function to test the different paths in Reachability Analyzer.
- Reasoning: CloudTrail records detailed logs about all API calls made within an AWS account, including changes to VPC configuration, security groups, network ACLs, and route tables. Monitoring CloudTrail logs with Amazon EventBridge will allow you to trigger an action (such as invoking a Lambda function) when changes occur. VPC Reachability Analyzer will then test the paths between resources, verifying whether connectivity is intact. This is an effective way to automate testing for connectivity after configuration changes.
- Conclusion: This option is ideal because it directly monitors changes to VPC configuration using CloudTrail and leverages VPC Reachability Analyzer for testing connectivity.

Option C: Create a list of paths to check i...

Author: Victoria · Last updated May 16, 2026

A company hosts a web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The company uses an Amazon CloudFront distribution with the ALB as an origin. The application recently experienced an attack. In response, the company associated an AWS WAF web ACL with the Cloud...

Let's evaluate each option based on the requirement to analyze application attacks detected by AWS WAF using Amazon Athena.

Option A: Configure the ALB and the EC2 instance subnets to produce VPC flow logs. Configure the VPC flow logs to deliver logs to an Amazon S3 bucket for log analysis.
- Reasoning: VPC flow logs capture network traffic data between resources, such as EC2 instances and the ALB. While this can help you analyze traffic patterns, VPC flow logs do not capture AWS WAF-specific data such as blocked requests or attacks detected by WAF. VPC flow logs focus on network traffic, not on the specific events that are relevant for analyzing WAF detections.
- Conclusion: VPC flow logs are not tailored to capture AWS WAF detection data and are not suitable for analyzing application attacks that AWS WAF detects. This option is not the best choice.

Option B: Create a trail in AWS CloudTrail to capture data events. Configure the trail to deliver logs to an Amazon S3 bucket for log analysis.
- Reasoning: AWS CloudTrail captures API calls made in your AWS environment, which includes actions performed by AWS services. CloudTrail logs do not capture AWS WAF web ACL logs or the details of specific attack requests detected by WAF. CloudTrail is useful for tracking changes to AWS resources and actions, but it is not designed to log WAF-specific events.
- Conclusion: CloudTrail logs are not focused on capturing the application-specific data needed to analyze AWS WAF attack detections. This option does not meet the requirement.

Option C: Configure the AWS WAF web ACL to deliver logs to an Amazon Kinesis Data Firehose delivery stream. Configure the stream to deliver the data to an Amazon S3 bucket for log analysis....

Author: Max · Last updated May 16, 2026

A real estate company is using Amazon Workspaces to provide corporate managed desktop service to its real estate agents around the world. These Workspaces are deployed in seven VPCs. Each VPC is in a different AWS Region. According to a new requirement, the company's cloud-hosted security information and events management (SIEM) system needs to analyze DNS queries generated by the Workspaces to identify the target domains that are connected to t...

Let's evaluate each option based on the requirements and the most cost-effective solution:

Option A: Create VPC flow logs in each VPC that is connected to the Workspaces instances. Publish the log data to a central Amazon S3 bucket. Configure the SIEM system to poll the S3 bucket periodically.
- Reasoning: VPC flow logs capture network traffic metadata, including DNS queries. While this solution collects relevant data, VPC flow logs do not provide detailed DNS query information (e.g., domain names, request types), as they capture only high-level networking data such as IP addresses and traffic flow details. Additionally, publishing flow logs to an S3 bucket and having the SIEM system poll the bucket periodically could introduce latency and be more expensive in terms of storage and data transfer costs.
- Conclusion: This option is not ideal because VPC flow logs do not capture detailed DNS queries, and the polling approach for log collection may not be as efficient or cost-effective.

Option B: Configure an Amazon CloudWatch agent to log all DNS requests in Amazon CloudWatch Logs. Configure a subscription filter in CloudWatch Logs. Push the logs to the SIEM system by using Amazon Kinesis Data Firehose.
- Reasoning: This solution would allow you to capture DNS queries at the instance level by using the CloudWatch agent, which is a more targeted approach for logging DNS queries compared to VPC flow logs. By setting up a subscription filter in CloudWatch Logs and pushing the logs to the SIEM system using Amazon Kinesis Data Firehose, you can achieve near-real-time log delivery. However, deploying the CloudWatch agent on each Workspace could be operationally complex and costly, especially across seven VPCs and numerous Workspaces.
- Conclusion: While this option provides more detailed DNS data, the operational complexity of managing CloudWatch agents on each Workspace may not be the most cost-effective solution.

Option C: Configure VPC Traffic Mirroring to copy network traffic from each Workspace and to send the traffic to the SIEM system probes for analysis.
- Reasoning...

Author: ElectricLionX · Last updated May 16, 2026

A network engineer needs to design the architecture for a high performance computing (HPC) workload. Amazon EC2 instances will require 10 Gbps flows and an aggregate throughput of up to 100 Gbps across many instance...

To optimize the architecture for a high-performance computing (HPC) workload with 10 Gbps flows and an aggregate throughput of up to 100 Gbps across many instances, the focus is on achieving low-latency communication, high throughput, and proper configuration for the EC2 instances. Let's analyze each option:

Option A: Place nodes in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
- Why Selected: The cluster placement group allows instances to be placed physically close together to reduce latency, and when combined with the Elastic Fabric Adapter (EFA), it optimizes high-throughput, low-latency communication between instances. EFA enables scalable, low-latency networking, which is essential for HPC workloads.
- Why Rejected: This option restricts the EC2 instances to a single subnet within a VPC. For very large workloads with potentially high instance counts (up to 100 Gbps), this could limit scalability. However, in smaller, more contained scenarios where the total network requirements are within the limits of a single subnet, this option can still be viable.

Option B: Place nodes in multiple subnets in a single VPC. Configure a spread placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
- Why Rejected: A spread placement group distributes instances across different underlying hardware to ensure high availability, but it is not optimized for low-latency, high-throughput communication. While ENAs provide high performance for networking, they do not guarantee the same low-latency characteristics as EFA, which is critical for HPC workloads.

Option C: Place nodes in multiple VPCs. Use AWS Transit Gateway to route traffic between the VPCs. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
- Why Rejected: This option introduces an unnecessary level of complexity by using multiple VPCs and an A...

Author: Aria · Last updated May 16, 2026

A company uses multiple AWS accounts and VPCs in a single AWS Region. The company must log all network traffic for Amazon EC2 instances and Amazon RDS databases. The company will use the log information to monitor and identify traffic flows in the event of a security incident. The information must be retained for 12 months but will be accessed infrequently after the first 90 days. T...

To address the company's requirements of logging network traffic for Amazon EC2 instances and RDS databases, and storing metadata such as `vpc-id`, `subnet-id`, and `tcp-flags` for 12 months, we need to select a solution that provides low-cost retention, meets the metadata requirements, and supports infrequent access after the first 90 days. Let's break down the options:

Option A: Configure VPC flow logs with the default fields. Store the logs in Amazon CloudWatch Logs.
- Why Rejected: While this option will capture default flow log data (like source/destination IP addresses, traffic volume, etc.), it doesn't meet the requirement to capture specific custom fields (`vpc-id`, `subnet-id`, `tcp-flags`). Additionally, storing large quantities of logs in CloudWatch Logs can be costly, especially when the data must be retained for long periods, such as 12 months. CloudWatch is more suited for real-time monitoring, and accessing logs infrequently can become expensive for long-term retention.

Option B: Configure Traffic Mirroring on all AWS resources to point to a Network Load Balancer that will send the mirrored traffic to monitoring instances.
- Why Rejected: Traffic Mirroring is a more comprehensive tool for capturing detailed packet-level traffic, but it is more suitable for deep inspection and security analysis. It's complex to implement and manage, and it incurs additional costs due to the processing and data transfer involved in mirroring traffic. Traffic Mirroring is typically used for advanced monitoring, debugging, or security use cases, but it's overkill for simple network traffic logging in the scenario where we are only concerned with flow logs. The costs and complexity would far exceed the requirements for this use case.

Option C: Configure VPC flow logs with additional custom format fields. Store the logs in Amazon S3.
- Why Selected: This option satisfies the metadata requirement, including the ability to add custom fields like `vpc-id`, `subnet-id`, and `tcp-flags` through the custom format feature of VPC flow logs. Storing logs in Amazon S3 is cost-effective for long-term retention (12 months in this case) and infrequen...

Author: Ahmed · Last updated May 16, 2026

A network engineer is evaluating a network setup for a global retail company. The company has an AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has AWS resources in the eu-west-2 Region. These resources consist of multiple VPCs that are attached to a transit gateway. The company recently provisioned a few AWS resources in the eu-central-1 Region in a single VPC close to its users in this area. The network engineer must connect the resources i...

Let's evaluate the options in the context of the network setup and requirements outlined:

Scenario Summary:
- The company has an AWS Direct Connect connection between its on-premises data center and AWS (in the eu-west-2 Region).
- There are multiple VPCs in eu-west-2 connected via a transit gateway.
- The company has resources in eu-central-1 in a single VPC and wants to connect it to the existing Direct Connect connection, as well as the resources in eu-west-2.
- The solution must minimize changes to the Direct Connect connection.

Option A: Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a transit VIF to connect the VPC and the Direct Connect router.
- Why Rejected: This option would require creating a new virtual private gateway and a new Direct Connect virtual interface (VIF) to establish a connection from the VPC in eu-central-1 to the on-premises data center via Direct Connect. However, since the company already has an existing Direct Connect connection in eu-west-2, introducing a separate virtual private gateway and new VIF for eu-central-1 would require unnecessary changes to the existing infrastructure, which is against the goal of minimizing changes to the existing Direct Connect setup.
- Additional Complexity: This approach would also create a separate Direct Connect path for eu-central-1, which is less efficient compared to using the existing transit gateway network.

Option B: Create a new transit gateway in eu-central-1. Create a peering attachment request to the transit gateway in eu-west-2. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway peering attachment. Accept the peering request. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
- Why Selected: This option takes advantage of the existing transit gateway architecture in eu-west-2 and establishes a transit gateway peering between the eu-central-1 and eu-west-2 regions.
- Key Benefits:
  - Minimal changes to Direct Connect: The Direct Connect connection remains unchanged because the on-premises data center is connected to eu-west-2, and traffic can be routed from eu-central-1 to eu-west-2 via the peered transit gateways.
  - Efficient routing: This solution allows eu-central-1 to benefit from the existing network setup in eu-west-2 without modifying the Direct Connect connection or creating new infrastructure elements like additional VIFs.
  - Scalability: Transit gateway peering allows easy routing and integration across multiple regions, making this solution scalable as the company's network grows.
- How It Works:
  - eu-central-1 will route traffic to eu-west-2 via the transit gateway peering attachment.
  - The Direct Connect connection to the on-premises data cente...

Author: Ming88 · Last updated May 16, 2026

A company has a 2 Gbps AWS Direct Connect hosted connection from the company's office to a VPC in the ap-southeast-2 Region. A network engineer adds a 5 Gbps Direct Connect hosted connection from a different Direct Connect location in the same Region. The hosted connections are connected to different routers from the office with an iBGP session running in between the routers. The network engineer wants to ensure that the VPC uses the 5 Gbps ...

To ensure that the VPC uses the 5 Gbps hosted connection to route traffic to the office and fails over to the 2 Gbps hosted connection if the 5 Gbps connection goes down, the solution should rely on manipulating BGP (Border Gateway Protocol) path selection. Let's evaluate each option to determine the most suitable solution:

Option A: Configure an outbound BGP policy from the router that is connected to the 2 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.
- Why Rejected: The AS_PATH attribute in BGP is primarily used for preventing routing loops and influencing the selection of inbound routes. By advertising routes with a longer AS_PATH on the 2 Gbps connection, you are telling AWS to prefer the 5 Gbps hosted connection (which has the shorter AS_PATH). However, this would not provide failover functionality because the primary path would be set to the 5 Gbps connection, and the 2 Gbps connection would only be used as a secondary path if the 5 Gbps connection fails.
- Failover Issue: This method would not effectively trigger failover in the event of a failure of the 5 Gbps link, as it focuses on influencing AWS's path selection, not the failover logic.

Option B: Advertise a longer prefix route from the router that is connected to the 2 Gbps connection.
- Why Rejected: The length of the prefix in BGP routing is an important factor in determining the best path for routing traffic. By advertising a longer prefix from the 2 Gbps connection, the traffic will prefer the 5 Gbps connection (with the shorter prefix). However, the issue is that advertising a longer prefix does not directly contribute to failover in the event of the 5 Gbps connection failure.
- Failover Issue: This approach won't effectively handle failover since it will prioritize the 5 Gbps connection and doesn't introduce a mechanism to switch to the 2 Gbps link if the primary 5 Gbps connection goes down.

Option C: Advertise a less specific route from the router that is connected to the 5 Gbps connection.
- Why Selected: BGP prefers the more specific route, meaning that when advertising a less specific route (such as a larger subnet or aggregate), the 5 Gbps connection will be preferred over the 2 Gbps one. If the 5 Gbps connection fails, the less specific route will be replaced by the more specific one from the 2 Gbps connection, causing traffic to fail over to the 2 Gbps connection.
- How It Works:
  - By advertising a less s...

Author: Aria · Last updated May 16, 2026

An ecommerce company needs to implement additional security controls on all its domain names that are hosted in Amazon Route 53. The company's new policy requires data authentication and data integrity verification for all queries to the company's domain names. The current Route 53 architecture has four public hosted zones. A network engineer needs to implement DNS Security Extensions (DNSS...

To implement DNSSEC signing and validation for domain names in Amazon Route 53 with data authentication, integrity verification, and alert capabilities, let's evaluate each of the options to determine which combination of steps will meet the requirements.

Option A: Enable DNSSEC signing for Route 53. Request that Route 53 create a key-signing key (KSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
- Why Rejected: When enabling DNSSEC in Route 53, Route 53 automatically creates the key-signing key (KSK) and the zone-signing key (ZSK). There is no need for the user to manually request Route 53 to create the KSK based on a customer-managed key in KMS. This option implies unnecessary manual steps, which are handled automatically by Route 53 when DNSSEC is enabled.

Option B: Enable DNSSEC signing for Route 53. Request that Route 53 create a zone-signing key (ZSK) based on a customer managed key in AWS Key Management Service (AWS KMS).
- Why Rejected: Similar to Option A, Route 53 automatically creates the zone-signing key (ZSK) when DNSSEC is enabled. The ZSK is used to sign records in the hosted zone. There is no need to create a customer-managed key in AWS KMS for this purpose, as Route 53 will handle the creation and management of both the KSK and ZSK automatically when DNSSEC signing is enabled.

Option C: Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record for each subdomain.
- Why Rejected: DNSSEC works by creating a "chain of trust," but the Delegation Signer (DS) record must be added to the parent zone, not each subdomain. The DS record contains a hash of the KSK from the child zone (your hosted zone in Route 53) and is used to establish trust with the parent domain. Adding DS records to subdomains doesn't create a valid chain of trust. This step would be incorrect for establishing the chain of trust.

Option D: Create a chain of trust for the hosted zones by adding a Delegation Signer (DS) record to the parent zone.
- Why Selected: This is the correct approach to create a chain of trust for DNSSEC. After enabling DNSSEC for the hosted zones in Route 53, you must add a DS record to the parent zone (the zone where your domain is registered). The DS record contains the hash of the KSK and is used to establish DNSSEC validation between the child zone (the hosted zone in Route 53) and the pare...

Author: Deepak · Last updated May 16, 2026

A financial company that is located in the us-east-1 Region needs to establish secure connectivity to AWS. The company has two on-premises data centers, each located within the same Region. The company's network team needs to establish hybrid connectivity to its AWS environment with reliable and consistent connectivity. The connection must provide access to the company's private resources inside its AWS environment. The resources are located in the us-east-1 and us-west-2 Regions. The connection must allow resources from the corporate networks to send large amounts of data to Amazon S3 over the same connection. To meet complia...

To meet the company's requirements for secure, highly available, and consistent connectivity to AWS, with encryption for all packets and the ability to send large amounts of data to Amazon S3, we need to evaluate the options carefully based on the specific requirements outlined.

Key Requirements:
- Hybrid Connectivity: The solution must connect the on-premises data centers with AWS.
- Highly Available: The solution should ensure reliable and redundant connectivity.
- Encryption: Data must be encrypted in transit.
- Large Data Transfer to Amazon S3: The connection must support the transfer of large amounts of data to S3.
- Access to Private Resources: The connection should allow access to private AWS resources across multiple regions.

Let's break down the options:

---
A) Set up a private VIF to send data to Amazon S3. Use an AWS Site-to-Site VPN connection over the private VIF to encrypt data in transit to the VPCs in us-east-1 and us-west-2.
- Analysis: A private VIF (Virtual Interface) provides dedicated, private connectivity over AWS Direct Connect, which is a highly reliable and low-latency connection. However, using AWS Site-to-Site VPN over the private VIF introduces unnecessary complexity, as the VPN will encrypt the data, but Direct Connect itself provides private connectivity that already ensures security and encryption through its physical link. The solution is not optimal, as Direct Connect typically eliminates the need for a Site-to-Site VPN when using private VIFs.
- Rejection Reason: Using a VPN over Direct Connect adds redundancy in encryption but increases complexity without providing a significant benefit in this case.

---
B) Set up an AWS Direct Connect connection to each of the company's data centers.
- Analysis: This option suggests a Direct Connect connection to each data center, which is ideal for providing private, low-latency, and high-bandwidth connectivity between on-premises and AWS. With a Direct Connect connection, data can flow securely, and encryption can be handled by the connection or through a Site-to-Site VPN if additional security is needed.
- Strengths: This solution supports high availability (as each data center would have its own Direct Connect connection) and is highly suitable for sending large data volumes to S3 while ensuring encryption and consistent performance. This also ensures access to AWS private resources and meets compliance requirements for secure connectivity.
- Selection: This is a strong candidate for meeting the company's needs.

---
C) Set up an AWS Direct Connect connection from one of the company's data centers to us-east-1 and us-west-2.
- Analysis: A Direct Connect connection from one data center to both us-east-1 and us-west-2 is not ideal. While it wo...

Author: Nathan · Last updated May 16, 2026

A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. The company's existing architecture includes a VPC that uses RFC 1918 IP address space. The VPC is connected to an on-premises data center over AWS Direct Connect. Amazon Route 53 provides name resolution within the VPC. Locally managed DNS servers in the data center provide DNS services to the on-premises hosts. The company has applica...

To enable the company's on-premises applications to access Amazon S3 in the us-west-2 Region privately, without using public IP address space, we need to focus on solutions that ensure private connectivity to S3 while maintaining the existing DNS resolution setup for the on-premises network. Let's break down the options:

Key Requirements:
- Private Access to S3 (without using public IP addresses).
- Seamless DNS Resolution for applications on-premises, leveraging existing DNS configurations.
- The solution must work with AWS Direct Connect for the hybrid architecture.
- RFC 1918 IP address space is used for the VPC.

Analysis of Options:

---
A) Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.
- Analysis: An S3 Interface Endpoint uses PrivateLink, which provides private connectivity to S3 over the VPC's internal IP space, avoiding the need to route through the public internet. However, in this scenario, the on-premises data center DNS servers need to resolve the DNS hostname of the VPC endpoint for S3.
- Rejection Reason: The main issue here is that Route 53 Resolver in the VPC (used for on-premises DNS resolution) isn't part of the solution. The solution doesn't mention how DNS queries would be handled for the on-premises network, which is necessary for name resolution of the VPC endpoint.

---
B) Create an S3 interface endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on-premises to the inbound endpoint.
- Analysis: This solution involves creating an S3 interface endpoint in the VPC (ensuring private access to S3 via PrivateLink) and using a Route 53 Resolver inbound endpoint. The data center DNS servers are then configured to forward DNS queries for S3 (specifically the S3 domain) to the inbound endpoint in the VPC, allowing on-premises applications to resolve the S3 endpoint privately.
- Selection Reason: This is the best solution because it ensures private access to S3 (via the interface endpoint), and the DNS queries for S3 are resolved correctly by forwarding to the inbound resolver, which makes sure the on-premises appli...

Author: Ravi Patel · Last updated May 16, 2026

A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway. A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on...

Key Considerations for Selecting a Solution:
1. Deep Packet Inspection (DPI): The solution must support DPI for traffic leaving a VPC network boundary. DPI typically requires specialized security appliances or services like next-generation firewalls (NGFW) or intrusion detection systems (IDS).
2. Centralized Logging: All actions taken on the traffic must be logged centrally in an Amazon S3 bucket or similar. This means the solution must support logging to a central account.
3. Least Administrative Overhead: The solution should be easy to manage and should minimize the operational burden of configuration, maintenance, and scaling.
4. Integration with AWS Transit Gateway: The solution should integrate with the transit gateway, which connects multiple VPCs, to ensure that traffic between VPCs is inspected and logged.

---
Option Analysis:

Option A:
- Architecture: Create a central network VPC with an attachment to the transit gateway. Deploy an AWS Gateway Load Balancer (GLB) backed by third-party next-generation firewall appliances.
- Deep Packet Inspection: The firewall appliances can perform DPI using custom policies.
- Logging: The firewall appliances can capture and log network traffic to an Amazon S3 bucket in a central log account.
- Administrative Overhead: This approach centralizes traffic inspection with minimal configuration. The AWS Gateway Load Balancer simplifies the integration of third-party appliances into the AWS environment. Configuring the firewall appliances to log to an S3 bucket ensures centralized logging. The solution is scalable, and the administrative overhead is low since AWS GLB simplifies routing and load balancing.

Option A meets the requirements well because it leverages AWS's managed services (AWS Gateway Load Balancer) and integrates with third-party appliances for DPI. It also allows centralized logging in an S3 bucket with minimal complexity.

Option B:
- Architecture: Similar to Option A, it uses a central network VPC with an attachment to the transit gateway and third-party firewall appliances, but instead of AWS Gateway Load Balancer, it uses an Application Load Balancer (ALB).
- Deep Packet Inspection: The firewall appliances can still perform DPI, but the ALB is not designed for DPI or traffic inspection; it's more suited for HTTP/HTTPS traffic.
- Logging: Logs are sent to a syslog server in the central log account.
- Administrative Overhead: Using an ALB in this context is inappropriate because it's not designed for DPI tasks, l...

Author: Ava · Last updated May 16, 2026

A company has an on-premises data center in the United States. The data center is connected to AWS by an AWS Direct Connect connection. The data center has a private VIF that is connected to a Direct Connect gateway. Recently, the company opened a new data center in Europe and established a new Direct Connect connection between the Europe data center and AWS. A new private VIF connects to the existing Direct Connect gateway. The company wants to use Direct Connect...

Key Considerations:
1. Direct Connect SiteLink: Direct Connect SiteLink allows private connectivity between Direct Connect-connected sites, enabling them to communicate over a private network. It works between private VIFs (Virtual Interfaces) and enables traffic routing between locations in different regions. SiteLink works with Direct Connect connections but only for private VIFs, not public or transit VIFs.
2. Operational Efficiency: The goal is to minimize operational complexity. This includes leveraging existing infrastructure and avoiding unnecessary additional resources.
3. Existing Setup: The company already has a Direct Connect gateway with private VIFs connecting two data centers (U.S. and Europe). Therefore, the focus is on adding SiteLink with minimal disruption.

---
Option Analysis:

Option A:
- Public VIFs: Create new public VIFs for each data center.
- Enable SiteLink: Enable SiteLink on these new public VIFs.
Issue: SiteLink does not work with public VIFs; it only works with private VIFs that are part of Direct Connect gateways. Public VIFs are used for accessing AWS public services (like S3, EC2, etc.), not for connecting between private networks (such as the data centers).
Conclusion: This option is rejected because public VIFs cannot be used with SiteLink.

Option B:
- Transit VIFs: Create transit VIFs from each data center.
- Enable SiteLink: Enable SiteLink on the new transit VIFs.
Issue: Transit VIFs are used to connect Direct Connect to AWS Transit Gateway or AWS Regions, and they are designed to handle large-scale inter-region connectivity. SiteLink, however, works with private VIFs, not transit VIFs. Therefore, enabling SiteLink on transit VIFs is not a valid solution.
Conclusion: This option is rej...

Author: FrostFalcon88 · Last updated May 16, 2026

A company has a new AWS Direct Connect connection between its on-premises data center and the AWS Cloud. The company has created a new private VIF on this connection. However, the VIF status is DOWN. A network engineer verifies that the physical connection status is UP and RUNNING based on information from the AWS Management Console. The network engineer checks the customer Direc...

Question 1: Setting up Direct Connect SiteLink for a private network between the US and European data centers

To establish a private network between the two data centers in the United States and Europe using AWS Direct Connect SiteLink, we need a solution that leverages AWS Direct Connect and meets operational efficiency.

Key Requirements:
- Private network between the US and Europe data centers.
- Operational efficiency: Minimize the complexity of network configurations and management.

Let's evaluate the options:

---

A) Create a new public VIF from each data center. Enable SiteLink on the new public VIFs.
- Analysis: A public VIF (Virtual Interface) connects to public AWS services like S3, and it is used to route traffic over AWS's global network to public endpoints. SiteLink is intended for private traffic between two private locations over AWS Direct Connect, so using public VIFs is not the correct approach here.
- Rejection Reason: SiteLink requires private VIFs, not public VIFs, to facilitate private network connectivity between the two data centers.

---

B) Create a new transit VIF from each data center. Enable SiteLink on the new transit VIFs.
- Analysis: A transit VIF connects to a Direct Connect Gateway and allows the connection of multiple VPCs across different AWS Regions. Transit VIFs are designed to handle traffic between VPCs and on-premises resources. However, SiteLink is specifically designed to work between private VIFs and not transit VIFs, which are meant for routing traffic across VPCs and regions.
- Rejection Reason: SiteLink cannot be enabled on transit VIFs. This approach does not meet the requirements of establishing a private network between the data centers.

---

C) Use the existing VIF from each data center. Enable SiteLink on the existing private VIFs.
- Analysis: The private VIFs are the correct interface for establishing private, direct connections between AWS and on-premises data centers. SiteLink is a feature that can be enabled on private VIFs to create a private, high-bandwidth, low-latency network between different AWS locations, in this case, the data centers in the US and Europe.
- Strengths: This solution leverages existing infrastructure and is operationally efficient. SiteLink is designed for exactly this purpose, enabling private connectivity across data centers and AWS regions using private VIFs.
- Selection Reason: This option satisfies all the requirements for private networking, is simple to implement, and ensures operational efficiency.

---

D) Create a new AWS Site-to-Site VPN connection between the data centers. Configure the new connection to use SiteLink.
- Analysis: Site-to-Site VPN is typically used for connecting on-premises networks to AWS over an encrypted tunnel. While this can work for private connectivity, it adds more complexity than necessary. AWS Direct Connect with SiteLink is the preferred solution for private network connectivity as it provides more reliable, higher-bandwidth connections compared to VPNs.
- Rejection Reason: This approach introduces additional overhead by using a VPN and does not leverage the more efficient Direct Connect SiteLink solution.

---

Conclusion for Question 1: Selected option: C
This solution uses pri...

Author: John · Last updated May 16, 2026

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application through a limited contiguous block of approved IP ...

To meet the requirements of enabling Example Corp to access an application deployed on-premises by AnyCompany through a limited contiguous block of approved IP addresses (10.1.0.0/24), while ensuring high availability, the following key factors must be considered:
1. High Availability: The solution must ensure that if one Availability Zone (AZ) becomes unavailable, the application can still be accessed from another AZ.
2. Private Access: Since Example Corp's infrastructure has no internet gateway and access must be routed to the on-premises application, the solution must route traffic in a secure, private manner.
3. Use of Approved IP Range: Traffic from Example Corp needs to originate from the IP block 10.1.0.0/24 to meet compliance requirements.

Option Analysis

- Option A:
  - Creates public NAT gateways in each AZ.
  - Public NAT gateways are typically used when you need to route traffic to the internet, which isn't necessary in this case because Example Corp's application is on-premises and the goal is private communication. This makes it less appropriate.
  - The use of public NAT gateways also exposes the traffic to the public internet, which doesn't align with the security requirement.
- Option B:
  - Creates private NAT gateways in each A...

Author: Arjun · Last updated May 16, 2026

A company recently experienced an IP address exhaustion event in its VPCs. The event affected service capacity. The VPCs hold two or more subnets in different Availability Zones. A network engineer needs to develop a solution that monitors IP address usage across resources in the VPCs. The company needs to receive notification about possibl...

To meet the requirements of monitoring IP address usage in VPCs and receiving notifications when the availability limit is reached, the company wants a solution with the least operational overhead while preventing IP address exhaustion issues. Let's go through the options and determine which one meets the goal effectively:

Option Analysis

- Option A:
  - Amazon VPC IP Address Manager (IPAM) is a managed service designed specifically to help with managing and monitoring IP address usage within AWS VPCs. It provides a centralized view of IP address usage across VPCs and subnets.
  - The auto-import feature automatically tracks IP address usage in VPCs and subnets, reducing manual configuration.
  - By using CloudWatch alarms triggered when the availability limit threshold is reached, the company will be alerted before issues occur.
  - Pros:
    - Fully managed service that reduces operational overhead.
    - Seamless integration with AWS services like Amazon SNS for notifications.
    - Provides native support for IP address monitoring without needing custom Lambda functions or metric creation.
  - Cons:
    - Some setup complexity, but minimal compared to custom solutions.
  - Best Fit: Ideal for this scenario as it is designed for VPC IP address management, provides automatic tracking, and integrates directly with AWS notifications with minimal manual intervention.
- Option B:
  - Sets up a log group in Amazon CloudWatch Logs for each subnet, and uses an AWS Lambda function to read and publish metrics.
  - This requires custom Lambda code to track IP address usage, which adds operational overhead.
  - While this approach could work, it requires more setup and ongoing maintenance compared to a native service like IPAM.
  - Cons:
    - More complex and requires continuous maintenance of Lambda f...

Author: Nathan · Last updated May 16, 2026

A company has a hybrid IT setup that includes services that run in an on-premises data center and in the AWS Cloud. The company is using AWS Direct Connect to connect its data center to AWS. The company is using one AWS Site-to-Site VPN connection as backup and requires a backup connectivity option to always be present. The company is transitioning to IPv6 by implem...

To transition the data center's connectivity to AWS in the least amount of time while adopting dual-stack architectures and maintaining backup connectivity, let's evaluate each option:

Key Factors:
1. Dual-Stack Transition: The company is moving to IPv6, meaning they need support for both IPv4 and IPv6 simultaneously.
2. Backup Connectivity: The company requires continuous backup connectivity using AWS Direct Connect and a Site-to-Site VPN connection.
3. Minimal Transition Time: The goal is to implement the solution quickly, ensuring minimal disruption to existing services.

Option Analysis:

- Option A: Create a new Site-to-Site VPN tunnel for the IPv6 traffic.
  - This option creates a new tunnel specifically for IPv6 traffic, which makes sense for transitioning to IPv6 but doesn't address the need for dual-stack support in the most time-efficient manner.
  - Pros: Directly supports IPv6, providing a backup solution for IPv6 traffic.
  - Cons: This step focuses only on the VPN and requires managing a new tunnel. While it is an option, it doesn't address integrating IPv6 into the overall Direct Connect setup quickly.
  - Best Fit: Useful for specific scenarios where IPv6-only traffic needs to be handled separately, but not optimal in terms of simplifying the dual-stack transition.
- Option B: Create a new dual-stack Site-to-Site VPN connection between the data center and AWS. Provision routing. Delete the original Site-to-Site VPN connection.
  - This option proposes creating a completely new dual-stack Site-to-Site VPN connection. While it will enable IPv6 traffic to flow, it requires deleting the existing connection and replacing it entirely with a new one.
  - Pros: Ensures a dual-stack VPN setup for both IPv4 and IPv6.
  - Cons: The need to delete the original connection creates downtime and increases transition time. This may not be optimal for ensuring continuous backup connectivity while migrating.
  - Best Fit: This option might be useful for transitioning entirely to dual-stack but is less efficient in terms of speed and operational continuity during migration.
- Option C: Associate a new dual-stack public VIF with the Direct Connect connection. Migrate the Direct Connect traffic to the new VIF.
  - This option involves associating a new dual-stack Virtual Interface (VIF) for Direct Connect, supporting both IPv4 and IPv6 traff...

Author: Abigail · Last updated May 16, 2026