Last updated on September 1, 2023
Here are 10 AWS Certified Advanced Networking Specialty ANS-C01 practice exam questions to help you gauge your readiness for the actual exam.
Question 1
A company is building its customer web portal in multiple EC2 instances behind an Application Load Balancer. The portal must be accessible on www.tutorialsdojo.com as well as on its tutorialsdojo.com root domain.
How should the Network Engineer set up Amazon Route 53 to satisfy this requirement?
- Set up an Alias A Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create a CNAME record that points to the ALB.
- Set up a CNAME Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create a CNAME record that points to the ALB.
- Set up a CNAME Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create an Alias A record that points to the ALB.
- Set up a non-alias A Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create a CNAME record that points to the ALB.
Correct Answer: 1
Amazon Route 53 alias records provide a Route 53–specific extension to DNS functionality. Alias records let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 bucket. They also let you route traffic from one record in a hosted zone to another record.
Unlike a CNAME record, you can create an alias record at the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name tutorialsdojo.com, the zone apex is tutorialsdojo.com. You can’t create a CNAME record for tutorialsdojo.com, but you can create an alias record for tutorialsdojo.com that routes traffic to www.tutorialsdojo.com.
When Route 53 receives a DNS query for an alias record, Route 53 responds with the applicable value for that resource:
A CloudFront distribution – Route 53 responds with one or more IP addresses for CloudFront edge servers that can serve your content.
An Elastic Beanstalk environment – Route 53 responds with one or more IP addresses for the environment.
An ELB load balancer – Route 53 responds with one or more IP addresses for the load balancer.
An Amazon S3 bucket that is configured as a static website – Route 53 responds with one IP address for the Amazon S3 bucket.
Another Route 53 record in the same hosted zone – Route 53 responds as if the query is for the record that is referenced by the alias record.
Hence, the correct answer is: Set up an Alias A Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create a CNAME record that points to the ALB.
The option that says: Set up a CNAME Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create a CNAME record that points to the ALB is incorrect. Although the configuration for the subdomain is correct, you still can’t create a CNAME record for the root domain or zone apex. You have to set up an Alias A record instead.
The option that says: Set up a CNAME Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create an Alias A record that points to the ALB is incorrect because you can’t create a CNAME record for the root domain or zone apex. The subdomain configuration is technically correct because you can set up an Alias A record for your subdomain in Route 53. The issue here is the use of a CNAME record in the zone apex.
The option that says: Set up a non-alias A Record for tutorialsdojo.com with the ALB as the target. For the www.tutorialsdojo.com subdomain, create a CNAME record that points to the ALB is incorrect because a non-alias A Record can only accept IP addresses and not the DNS name of the ALB.
References:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load-balancer.html
Question 2
A company has a hybrid cloud architecture that connects its on-premises Microsoft Active Directory to its Amazon VPC. The company is launching an application that uses Amazon Elastic MapReduce with a fleet of On-Demand EC2 instances. Two AWS Managed Microsoft AD domain controllers as well as the DHCP options set of the VPC have been provisioned and properly configured. The Network Engineer must ensure that the requests destined for the Route 53 private hosted zone are sent to the VPC-provided DNS.
What should the Engineer implement in order to satisfy this requirement?
- Set up a new conditional forwarder to the Amazon-provided DNS server.
- Configure a seamless EC2 Domain-Join in the AWS Managed Microsoft AD.
- Create a new PTR record in the Route 53 private hosted zone that points to the on-premises Microsoft Active Directory.
- Set up an Amazon Connect omnichannel connection to ensure that the requests destined for the Route 53 private hosted zone are sent to the VPC-provided DNS.
Correct Answer: 1
AWS Directory Service lets you run Microsoft Active Directory (AD) as a managed service. AWS Directory Service for Microsoft Active Directory also referred to as AWS Managed Microsoft AD, is powered by Windows Server 2012 R2. When you select and launch this directory type, it is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC). The domain controllers run in different Availability Zones in a region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are automatically configured and managed for you.
With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory, providing users and groups with access to resources in either domain using single sign-on (SSO).
You can follow the steps below to integrate your on-premises Microsoft Active Directory and your AWS resources:Â
- Connect your on-premises network to the VPC using AWS Direct Connect or a VPN connection, and verify that the new Windows Server instances can resolve the domain’s DNS name.
- Promote the new Windows Server instances in your VPC to domain controllers in your Active Directory domain.
- Configure your on-premises Active Directory Sites and Services to include sites and subnets that represent the Availability Zones within your VPC, and place the newly promoted domain controllers in their associated sites.
- Promote the Windows Server instances in the private subnets to domain controllers in your Active Directory domain.
- Ensure that instances can resolve names via AD DNS by statically assign AD DNS servers on Windows instances or setting theÂ
domain-name-servers field in new DHCP options set in your VPC to include your AWS-based domain controllers hosting Active Directory DNS.Â
By default, the Microsoft Active Directory-provided DNS doesn’t automatically forward requests to the VPC-provided DNS. You have to configure a DNS forwarder so that requests destined for the Route 53 private hosted zone are sent to the VPC-provided DNS. You can use the Windows DNS Server Tools feature to configure a DNS forwarder.
Hence, the correct answer is:Â Set up a new conditional forwarder to the Amazon-provided DNS server.
The option that says: Configure a seamless EC2 Domain-Join in the AWS Managed Microsoft AD is incorrect because the seamless EC2 Domain-Join process only allows you to share a directory between two AWS accounts and not for resolving hostnames in your internal, on-premises Active Directory domain.
The option that says: Create a new PTR record in the Route 53 private hosted zone that points to the on-premises Microsoft Active Directory is incorrect because a PTR record in Route 53 simply maps an IP address to the corresponding domain name. It is not capable of connecting your Route 53 private hosted zone to the on-premises Microsoft Active Directory.
The option that says: Set up an Amazon Connect omnichannel connection to ensure that the requests destined for the Route 53 private hosted zone are sent to the VPC-provided DNS is incorrect because Amazon Connect is just an easy-to-use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost. This service is not suitable for integrating your on-premises Active Directory and AWS VPC.
References:
https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-microsoft-active-directory/Â
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Check out this Amazon Route 53 Cheat Sheet:
https://tutorialsdojo.com/amazon-route-53/
Resolve Route 53 Private Hosted Zones from an On-premises Network:
https://tutorialsdojo.com/resolve-route-53-private-hosted-zones-from-an-on-premises-network/
Question 3
A company has a suite of publicly accessible web applications that are hosted in several Amazon EC2 instances. To improve the infrastructure security, the Network Engineer must automate the network configuration analysis of all EC2 instances that regularly checks for ports that are reachable from outside the VPC. This will protect the architecture from malicious activities and port scans by external systems. The solution should also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and other vulnerabilities.
What should the Engineer do to satisfy this requirement?
- Amazon Inspector
- Bidirectional Forwarding Detection (BFD)
- AWS Security Hub
- Amazon Macie
Correct Answer: 1
You can use Amazon Inspector to assess your assessment targets (collections of AWS resources) for potential security issues and vulnerabilities. Amazon Inspector compares the behavior and the security configuration of the assessment targets to selected security rule packages. In the context of Amazon Inspector, a rule is a security check that Amazon Inspector performs during the assessment run.
An Amazon Inspector assessment can use any combination of the following rules packages:
Network assessments:
-Network Reachability
Host assessments:
-Common vulnerabilities and exposures
-Center for Internet Security (CIS) Benchmarks
-Security best practices for Amazon Inspector
The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. The findings that Amazon Inspector generates also provide guidance about restricting access that is not secure. The findings generated by these rules show whether your ports are reachable from the Internet through an Internet gateway (including instances behind Application Load Balancers or Classic Load Balancers), a VPC peering connection, or a VPN through a virtual gateway.
These findings also highlight network configurations that allow for potentially malicious access, such as mismanaged security groups, ACLs, IGWs, and so on. These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured. By including this package in your assessment run, you can implement detailed network security checks without having to install scanners and send packets, which are complex and expensive to maintain, especially across VPC peering connections and VPNs.
Hence, the correct answer is:Â Amazon Inspector.
Bidirectional Forwarding Detection (BFD) is incorrect because this is just a detection protocol to provide fast forwarding path failure detection times, which allows for a faster routing re-convergence time. This is primarily used in an AWS Direct Connect (DX) connection and not for analyzing your network configurations to find security vulnerabilities in your EC2 instances.
AWS Security Hub is incorrect because it only gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts.
Amazon Macie is incorrect because this is simply a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie is primarily used in Amazon S3 to identify and alert you for sensitive data in your S3 buckets, such as personally identifiable information (PII).
References:
https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_network-reachability.html
Check out this Amazon Inspector Cheat Sheet:
https://tutorialsdojo.com/amazon-inspector/
Question 4
The company’s on-premises network has an established AWS Direct Connect connection to its VPC in AWS. A Network Engineer is designing the network infrastructure of a multitier application hosted in an Auto Scaling group of EC2 instances. The application will be accessed by the employees from the on-premises network as well as from the public Internet. The network configuration must automatically update routes in your route table based on your dynamic BGP route advertisement.
What should the Engineer do to implement this network setup?
- Enable route propagation in the route table of the VPC and specify the virtual private gateway as the target.
- Set up two different route tables in the VPC. The first route table must have a default route to the Internet Gateway and the second table has a route to the virtual private gateway.
- Disable the default route propagation option in the route table of the VPC and add a specific route to the on-premises network. Choose the virtual private gateway as the target. Enable the route propagation option in the customer gateway.
- Modify the main route table of the VPC to have two default routes. The first route goes to the public Internet via the Internet Gateway while the second route goes to the on-premises network via the virtual private gateway.
Correct Answer: 1
Route tables determine where network traffic is directed. In your VPC route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.
AWS uses the most specific route in your route table that matches the traffic to determine how to route the traffic (longest prefix match). If your route table has overlapping or matching routes, the following rules apply:
-If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection overlap with the local route for your VPC, the local route is most preferred, even if the propagated routes are more specific.
-If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection have the same destination CIDR block as other existing static routes (longest prefix match cannot be applied), AWS prioritizes the static routes whose targets are an internet gateway, a virtual private gateway, a network interface, an instance ID, a VPC peering connection, a NAT gateway, a transit gateway, or a gateway VPC endpoint.Â
Hence, the correct answer is:Â Enable route propagation in the route table of the VPC and specify the virtual private gateway as the target.
The option that says: Set up two different route tables in the VPC. The first route table must have a default route to the Internet Gateway and the second table has a route to the virtual private gateway is incorrect because using two route tables is not required in this scenario. You can use a single route table with a specific route to the on-premises network and enable route propagation.
The option that says: Disable the default route propagation option in the route table of the VPC and add a specific route to the on-premises network. Choose the virtual private gateway as the target. Enable the route propagation option in the customer gateway is incorrect. You have to enable route propagation for the route table to automatically propagate the network routes to the on-premises network. You have to enable this in the Amazon VPC and not in the customer gateway. Moreover, this option is not enabled by default.Â
The option that says:Â Modify the main route table of the VPC to have two default routes. The first route goes to the public Internet via the Internet Gateway while the second route goes to the on-premises network via the virtual private gateway is incorrect because a route table cannot have two default routes. Route propagation should also be enabled in order to satisfy the requirements.
References:
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html
Check out these Cheat Sheets:Â
https://tutorialsdojo.com/aws-direct-connect/
https://tutorialsdojo.com/amazon-vpc/
https://tutorialsdojo.com/vpc-peering/
Longest Prefix Match: Understanding Advanced Concepts in VPC Peering:
https://tutorialsdojo.com/longest-prefix-match-understanding-advanced-concepts-in-vpc-peering/
Question 5
An enterprise is extending its on-premises data storage systems using AWS. A Network Engineer established an AWS Direct Connect connection with a Public Virtual Interface (VIF) to the on-premises network to allow low latency access to Amazon S3. The Engineer must ensure that the network connection is properly secured.
Which of the following is a valid security concern about this network architecture?
- AWS Direct Connect advertises all public prefixes with the well-known NO_EXPORT BGP community tag to help control the scope (regional or global) and route preference of traffic. However, the NO_EXPORT BGP community tag is only supported for private virtual interfaces and transit virtual interfaces.
- The prefixes are always advertised to all public AWS Regions so all Direct Connect customers in the same or different region can access your router as long as they also have a Public VIF. You cannot apply BGP community tags on the public prefixes.
- It’s not possible to directly access an S3 bucket through a public virtual interface (VIF) using Direct Connect. You must have a pre-configured VPC endpoint for Amazon S3.
- Prefixes are advertised to all public AWS Regions (global) by default. The Network Engineer must add a BGP community tag to control the scope and route preference of the traffic on public virtual interfaces.
Correct Answer: 4
AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, and the other to an AWS Direct Connect router. With this connection, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing internet service providers in your network path. An AWS Direct Connect location provides access to AWS in the Region with which it is associated. You can use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all other public Regions.
AWS Direct Connect applies inbound (to your on-premises data center) and outbound (from your AWS Region) routing policies for a public AWS Direct Connect connection. You can also use Border Gateway Protocol (BGP) community tags on advertised Amazon routes and apply BGP community tags on the routes you advertise to Amazon. You can use the NO_EXPORT BGP community tag to help control the scope (Regional or global) and route preference of traffic on public virtual interfaces. If you do not apply any community tags, prefixes are advertised to all public AWS Regions (global) by default.
In Direct Connect, it’s not possible to directly access an S3 bucket through a private virtual interface (VIF) using a Gateway VPC endpoint. Take note that the on-premises traffic can’t traverse the Gateway VPC endpoint. You have to use an Interface VPC endpoint instead if you have a private virtual interface in place.
Hence, the correct answer is:Â Prefixes are advertised to all public AWS Regions (global) by default. The Network Engineer must add a BGP community tag to control the scope and route preference of the traffic on public virtual interfaces.
The option that says: AWS Direct Connect advertises all public prefixes with the well-known NO_EXPORT BGP community tag to help control the scope (regional or global) and route preference of traffic. However, the NO_EXPORT BGP community tag is only supported for private virtual interfaces and transit virtual interfaces is incorrect because the NO_EXPORT BGP community tag is also supported for public virtual interfaces.Â
The option that says: The prefixes are always advertised to all public AWS Regions so all Direct Connect customers in the same, or different, region can access your router as long as they also have a Public VIF. You cannot apply BGP community tags on the public prefixes is incorrect because you can actually use Border Gateway Protocol (BGP) community tags on advertised Amazon routes as well as the routes you advertise to Amazon. You can use the NO_EXPORT BGP community tag to help control the scope (Regional or global) and route preference of traffic on public virtual interfaces.Â
The option that says:Â It’s not possible to directly access an S3 bucket through a public virtual interface (VIF) using Direct Connect. You must have a pre-configured VPC endpoint for Amazon S3 is incorrect because it is actually possible to access an S3 bucket through a public virtual interface. This configuration doesn’t require an Amazon Virtual Private Cloud (Amazon VPC) endpoint for Amazon S3 because the on-premises traffic can’t traverse the Gateway VPC endpoint.
References:
https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-access-direct-connect
https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
Check out this AWS Direct Connect Cheat Sheet:Â
https://tutorialsdojo.com/aws-direct-connect/
Tutorials Dojo’s AWS Certified Advanced Networking – Specialty Exam Study Guide:
https://tutorialsdojo.com/aws-certified-advanced-networking-specialty-exam-study-path
Question 6
A Network Administrator is instructed to support high-throughput processing workloads between the company’s on-premises Storage Gateway appliance and AWS Storage Gateway. She must establish a dedicated network connection to reduce the company’s network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
What are the steps that the Administrator should do to properly implement this integration? (Select THREE.)
- Create and establish an AWS Direct Connect connection between the on-premises data center and the Storage Gateway public endpoints.
- Establish an AWS Managed VPN connection between the on-premises data center and the Storage Gateway private endpoint.
- Connect the on-premises Storage Gateway appliance to the AWS Direct Connect router.
- Connect the on-premises Storage Gateway appliance to the VPC via a Virtual Public Gateway.
Correct Answer: 1,3,5
AWS Direct Connect links your internal network to the AWS Cloud. By using AWS Direct Connect with AWS Storage Gateway, you can create a connection for high-throughput workload needs, providing a dedicated network connection between your on-premises gateway and AWS.
Storage Gateway uses public endpoints. With an AWS Direct Connect connection in place, you can create a public virtual interface to allow traffic to be routed to the Storage Gateway endpoints. The public virtual interface bypasses Internet service providers in your network path. The Storage Gateway service public endpoint can be in the same AWS Region as the AWS Direct Connect location, or it can be in a different AWS Region.
To use AWS Direct Connect with Storage Gateway:Â
- Create and establish an AWS Direct Connect connection between your on-premises data center and your Storage Gateway endpoint.
- Connect your on-premises Storage Gateway appliance to the AWS Direct Connect router.
- Create a public virtual interface, and configure your on-premises router accordingly.
Hence, the correct answers are:
– Create and establish an AWS Direct Connect connection between the on-premises data center and the Storage Gateway public endpoints
– Connect the on-premises Storage Gateway appliance to the AWS Direct Connect router.
– Create a public virtual interface, and configure your on-premises router accordingly
The option that says: Establish an AWS Managed VPN connection between the on-premises data center and the Storage Gateway private endpoint is incorrect because a VPN is an Internet-based connection and not a dedicated network connection that can increase bandwidth throughput. In addition, you have to use the public endpoints of AWS Storage Gateway and not VPC (private) endpoints.
The option that says: Connect the on-premises Storage Gateway appliance to the VPC via a Virtual Public Gateway is incorrect because you have to connect the on-premises Storage Gateway appliance to the AWS Direct Connect router or via a Virtual Private Gateway. Take note that there is no Virtual Public Gateway in AWS.
The option that says:Â Set up a private virtual interface and configure your on-premises router accordingly is incorrect because you have to use a public virtual interface instead.
References:
https://docs.aws.amazon.com/storagegateway/latest/userguide/using-dx.html
https://aws.amazon.com/storagegateway/faqs/Â
Check out this AWS Direct Connect and Storage Gateway Cheat Sheet:Â
https://tutorialsdojo.com/aws-direct-connect/
https://tutorialsdojo.com/aws-storage-gateway/
Question 7
A multinational company has several public websites that were registered using a 3rd-party DNS registrar. The DNS services being used by their websites are from an external service provider, which also includes the Domain Name System Security Extensions (DNSSEC) feature.
The company needs to transfer the domain registration and the DNS services to Amazon Route 53. The migration should have little to no downtime as the websites are already running production workloads.
Which of the following is the most operationally efficient solution with the LEAST amount of downtime?
- Create a new hosted zone and DNS records in Amazon Route 53. Lower the TTL (time to live) setting of the NS (name server) record to 300 and remove the Delegation Signer (DS) record from the parent zone in the current DNS service provider. Lower the TTL setting of the NS record in the Route 53 hosted zone. Once the TTL expires, update the NS records to use Route 53 name servers and monitor the traffic. Increase the TTL to 172800 seconds for the NS record once the migration is complete. Transfer domain registration to Amazon Route 53 and re-enable DNSSEC signing.
- Create a new hosted zone and DNS records in Amazon Route 53 with the DNSSEC feature enabled. Lower the TTL (time to live) setting of the NS (name server) record to 300. Increase the TTL setting of the NS record in the Route 53 hosted zone. Once the TTL expires, update the NS records to use Route 53 name servers and monitor the traffic. Lower the TTL to 600 seconds for the NS record once the migration is complete. Transfer domain registration to Amazon Route 53 and re-enable DNSSEC signing.
- Create a new hosted zone and DNS records in Amazon Route 53. Lower the TTL (time to live) setting of the NS (name server) record to 300 and remove the Delegation Signer (DS) record from the parent zone in the current DNS service provider. Transfer domain registration to Amazon Route 53, where the DNSSEC will be automatically re-enabled. Lower the TTL setting of the NS record in the Route 53 hosted zone. Once the TTL expires, update the NS records to use Route 53 name servers and monitor the traffic. Set the TTL to 600 seconds for the NS record once the migration is complete.
- Create a new hosted zone and DNS records in Amazon Route 53. Remove the Delegation Signer (DS) record from the parent zone in the current DNS service provider. Transfer domain registration to Amazon Route 53, where the DNSSEC will be automatically re-enabled. Update the NS records to use Route 53 name servers and monitor the traffic. Configure the TTL to 172800 seconds for the NS record once the migration is complete.
Correct Answer: 1
If you’re transferring one or more domain registrations to Route 53, and you’re currently using a domain registrar that doesn’t provide paid DNS service, you need to migrate the DNS service before you migrate the domain. Otherwise, the registrar will stop providing DNS service when you transfer your domains, and the associated websites and web applications will become unavailable on the internet. (You can also migrate the DNS service from the current registrar to another DNS service provider. We don’t require you to use Route 53 as the DNS service provider for domains that are registered with Route 53.)
The process depends on whether you’re currently using the domain:
-If the domain is currently getting traffic—for example, if your users are using the domain name to browse a website or access a web application.
-If the domain isn’t getting any traffic (or is getting very little traffic)
For both options, your domain should remain available during the entire migration process. However, in the unlikely event that there are issues, the first option lets you roll back the migration quickly. With the second option, your domain could be unavailable for a few days.
If you want to migrate DNS service to Amazon Route 53 for a domain that is currently getting traffic—for example, if your users are using the domain name to browse to a website or access a web application — perform the procedures below:
-Get your current DNS configuration from the current DNS service provider (optional but recommended)
-Step 2: Create a hosted zone
-Step 3: Create records
-Step 4: Lower TTL settings
-Step 5: (If you have DNSSEC configured) Remove the DS record from the parent zone
-Step 6: Wait for the old TTL to expire
-Step 7: Update the NS records to use Route 53 name servers
-Step 8: Monitor traffic for the domain
-Step 9: Change the TTL for the NS record back to a higher value
-Step 10: Transfer domain registration to Amazon Route 53
-Step 11: Re-enable DNSSEC signing (if required)
Ensure that you properly set the TTL of your current DNS service and Amazon Route 53 before you update your DNS records. By default, the typical TTL setting for the NS record is 172800 seconds, which is equivalent to two days. This means that it would take 2 days for your DNS change to be propagated. You have to lower the TTL settings when you conduct the migration and then set it back to its default value after the domain was successfully moved to Amazon Route 53.
Updating the Name Server (NS) records should happen first before you transfer the domain registration of your web domain to Amazon Route 53. If you’ve configured DNSSEC for your domain, you should remove the Delegation Signer (DS) record from the parent zone before you migrate your domain to Route 53. If the parent zone is hosted through Route 53 or another registrar, contact them to remove the DS record. Because it isn’t currently possible to have DNSSEC signing enabled across two providers, you must remove any DS or DNSKEYs to deactivate DNSSEC. This temporarily signals to DNS resolvers to disable DNSSEC validation.
Hence, the correct answer is: Create a new hosted zone and DNS records in Amazon Route 53. Lower the TTL (time to live) setting of the NS (name server) record to 300 and remove the Delegation Signer (DS) record from the parent zone in the current DNS service provider. Lower the TTL setting of the NS record in the Route 53 hosted zone. Once the TTL expires, update the NS records to use Route 53 name servers and monitor the traffic. Increase the TTL to 172800 seconds for the NS record once the migration is complete. Transfer domain registration to Amazon Route 53 and re-enable DNSSEC signing.
The option that says: Create a new hosted zone and DNS records in Amazon Route 53 with the DNSSEC feature enabled. Lower the TTL (time to live) setting of the NS (name server) record to 300. Increase the TTL setting of the NS record in the Route 53 hosted zone. Once the TTL expires, update the NS records to use Route 53 name servers and monitor the traffic. Lower the TTL to 600 seconds for the NS record once the migration is complete. Transfer domain registration to Amazon Route 53 and re-enable DNSSEC signing is incorrect because you should remove the Delegation Signer (DS) record first on the current DNS service. Not doing this first step will cause DNSSEC issues during migration. Keep in mind that you should set the TTL to a higher value, like 172800 seconds, and not lower as this affects the DNS performance of your website.
The option that says: Create a new hosted zone and DNS records in Amazon Route 53. Lower the TTL (time to live) setting of the NS (name server) record to 300 and remove the Delegation Signer (DS) record from the parent zone in the current DNS service provider. Transfer domain registration to Amazon Route 53, where the DNSSEC will be automatically re-enabled. Lower the TTL setting of the NS record in the Route 53 hosted zone. Once the TTL expires, update the NS records to use Route 53 name servers and monitor the traffic. Set the TTL to 600 seconds for the NS record once the migration is complete is incorrect. First off, the DNSSEC feature is not automatically re-enabled in Route 53 after migration. The process of transferring the domain registration to Route 53 should happen after the DNS Service was successfully ported and not before. This may cause some issues during the web domain migration. You should also set the TTL to 172800 seconds for the NS record once the migration is complete, not 600 seconds (5 minutes), to optimize DNS calls.
The option that says: Create a new hosted zone and DNS records in Amazon Route 53. Remove the Delegation Signer (DS) record from the parent zone in the current DNS service provider. Transfer domain registration to Amazon Route 53, where the DNSSEC will be automatically re-enabled. Update the NS records to use Route 53 name servers and monitor the traffic. Configure the TTL to 172800 seconds for the NS record once the migration is complete is incorrect because the TTL setting must be lowered on the current DNS service provider before porting the NS records to Route 53. This solution will cause downtime to the websites as the change will only be reflected once the TTL setting (which is usually set to 172800 seconds or 2 days) of the current DNS service provider has elapsed. In addition, the DNSSEC feature is not automatically re-enabled in Amazon Route 53. This feature must be manually configured.
References:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/migrate-dns-domain-in-use.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec.html
Check out this Amazon Route 53 Cheat Sheet:
https://tutorialsdojo.com/amazon-route-53/
Question 8
A multinational organization plans to adopt a hybrid cloud infrastructure that requires a dedicated connection between its on-premises data center and virtual private cloud (VPC) in AWS. The connection must allow the cloud-based applications hosted in EC2 instances to fetch data from the organization’s on-premises file servers with a more consistent network experience than Internet-based connections.
Which of the following options should the Network team implement to satisfy this requirement?
- Set up a VPC Peering connection between the VPC and the on-premises data center.
- Set up an AWS Direct Connect connection between the VPC and the on-premises data center.
- Set up an Amazon Connect omnichannel connection between the VPC and the on-premises data center.
- Set up an AWS VPN CloudHub between the VPC and the on-premises data center.
Correct Answer: 2
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases, can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. Â
Hence, the correct answer is:Â Set up an AWS Direct Connect connection between the VPC and the on-premises data center
The option that says:Â Set up a VPC Peering connection between the VPC and the on-premises data center is incorrect because VPC Peering is an Internet-based connection that is primarily used to connect two or more VPCs. You can’t set up a connection between your VPC and your on-premises data center using VPC Peering.Â
The option that says:Â Set up an AWS VPN CloudHub between the VPC and the on-premises data center is incorrect because a VPN is an Internet-based connection, unlike Direct Connect, which provides a dedicated connection. An Internet-based connection means that the traffic from the VPC and to the on-premises network traverses the public Internet, which is why it is slow. You should use Direct Connect instead.
The option that says: Set up an Amazon Connect omnichannel connection between the VPC and the on-premises data center is incorrect because Amazon Connect is just an easy-to-use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost. This service is not suitable for integrating your VPC and on-premises network.
References:
https://aws.amazon.com/directconnect/
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-network-to-amazon.html
Check out this AWS Direct Connect Cheat Sheet:
https://tutorialsdojo.com/aws-direct-connect/
Question 9
A company is launching a web application that will be hosted in an Amazon ECS cluster with an EC2 launch type. The Network Engineer configured the associated security group and network ACL of the instances to allow inbound traffic on ports 80 and 443. After the deployment, the QA team noticed that the application is unreachable over the public Internet.
What should the Engineer do to rectify this issue?
- Ensure that the security group has a rule that allows outbound traffic on port 80 and port 443.
- Verify that the network ACL has a rule that allows Inbound traffic on the ephemeral ports 1024 – 65535.
- Set the network mode to
bridgeto ensure that every task that is launched from the task definition gets its own elastic network interface (ENI) and a primary private IP address. - Ensure that the network ACL has a rule that allows Outbound traffic on the ephemeral ports 1024 – 65535.
Correct Answer: 4
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port.
The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL. By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you need to explicitly allow traffic from the ephemeral port range.
You might want to use a different range for your network ACLs depending on the type of client that you’re using or with which you’re communicating. The client that initiates the request chooses the ephemeral port range. The range varies depending on the client’s operating system.
-Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000.
-Requests originating from Elastic Load Balancing use ports 1024-65535.
-Windows operating systems through Windows Server 2003 use ports 1025-5000.
-Windows Server 2008 and later versions use ports 49152-65535.
-A NAT gateway uses ports 1024-65535.
-AWS Lambda functions use ports 1024-65535.
For example, if a request comes into a web server in your VPC from a Windows XP client on the internet, your network ACL must have an outbound rule to enable traffic destined for ports 1025-5000.
If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on).
In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the deny rules earlier in the table than the allow rules that open the wide range of ephemeral ports.
Hence, the correct answer is:Â Ensure that the network ACL has a rule that allows Outbound traffic on the ephemeral ports 1024 – 65535.
The option that says: Ensure that the security group has a rule that allows outbound traffic on port 80 and port 443 is incorrect because Security groups are stateful, which means that if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. An allowed inbound traffic is also permitted to flow out, regardless of outbound rules.
The option that says:Â Verify that the network ACL has a rule that allows Inbound traffic on the ephemeral ports 1024 – 65535Â is incorrect because you should allow the Outbound traffic to the ephemeral port range (1024-65535) in the network ACL and not the Inbound traffic.
The option that says: Set the network mode to bridge to ensure that every task that is launched from the task definition gets its own elastic network interface (ENI) and a primary private IP address is incorrect. If the network mode is set to bridge, the task utilizes Docker’s built-in virtual network, which runs inside each container instance. A better solution is to use the awsvpc network mode. When you use the awsvpc network mode in your task definitions, every task that is launched from that task definition gets its elastic network interface (ENI) and a primary private IP address.
References:Â
https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/
Check out this Amazon VPC Cheat Sheet:
https://tutorialsdojo.com/amazon-vpc/
Question 10
A Network Administrator is migrating an on-premises application to AWS Cloud to improve its scalability and availability. The application will be hosted in Amazon EC2 Instances that are deployed on a private subnet with an Application Load Balancer in front to distribute IPv4 traffic. The users of the application are internal employees only.
As part of its processing, the application will also pull massive amounts of data from an external API service over the Internet. The Administrator must allow the EC2 instances to fetch data from the Internet but prevent external hosts over the Internet from initiating a connection with the instances. When the application downloads data from the Internet, the connection must be highly available, and the bandwidth should scale up to 45 Gbps.
The solution must also support long-running queries and downloads initiated by the EC2 instances. Some requests may take a total of 10 minutes to complete.
What is the MOST suitable solution that the Administrator should implement?
- Launch a NAT Instance in a public subnet. Modify the route table to block any incoming traffic from the Internet. Configure TCP keepalive on the EC2 instances with a value of more than 600 seconds.
- Launch a NAT Gateway in a private subnet. Configure the route table to direct the outgoing Internet traffic from the private subnet to the NAT gateway. Enable TCP keepalive on the EC2 instances with a value of more than 600 seconds.
- Set up a Direct Connect Gateway with five 10 Gbps AWS Direct Connect connections. Associate Direct Connect Gateway to the Internet gateway of the VPC. Configure TCP keepalive on the EC2 instances with a value of less than 600 seconds.
- Launch a NAT Gateway in a public subnet. Update the route table to direct the outgoing Internet traffic from the private subnet to the NAT gateway. Enable TCP keepalive on the EC2 instances with a value of less than 600 seconds.
Correct Answer: 4
You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services but prevent the Internet from initiating a connection with those instances.
To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you’ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet.
In this scenario, it is better to use NAT gateway as it provides better availability, higher bandwidth, and requires less administrative effort than NAT Instance. You also have to deploy the NAT Gateway in a public subnet so it can communicate to the Internet.
If a connection that’s using a NAT gateway is idle for 600 seconds or more, the connection times out by default. When a connection times out, a NAT gateway returns an RST packet to any resources behind the NAT gateway that attempt to continue the connection (it does not send a FIN packet).
To prevent the connection from being dropped, you can initiate more traffic over the connection. Alternatively, you can enable TCP keepalive on the instance with a value less than 600 seconds. Take note that the value should be less and not more than the idle time value, to ensure that the connection will be reinitiated properly before the timeout takes effect.
Hence, the correct answer is: Launch a NAT Gateway in a public subnet. Update the route table to direct the outgoing Internet traffic from the private subnet to the NAT gateway. Enable TCP keepalive on the EC2 instances with a value of less than 600 seconds.
The option that says: Launch a NAT Instance in a public subnet. Modify the route table to block any incoming traffic from the Internet. Configure TCP keepalive on the EC2 instances with a value of more than 600 seconds is incorrect because it is not appropriate to use the route table to block the incoming Internet traffic to your VPC. Moreover, a NAT Instance is not highly available, and its bandwidth can’t scale up to 45 Gbps, unlike a NAT Gateway. This should also be launched in a public subnet and not in private. You should also enable TCP keepalive on the EC2 instances with a value of less than 600 seconds and not more than the actual connection timeout.
The option says:Â Launch a NAT Gateway in a private subnet. Configure the route table to direct the outgoing Internet traffic from the private subnet to the NAT gateway. Enable TCP keepalive on the EC2 instances with a value of more than 600 seconds is incorrect because the NAT Gateway must be launched in the public subnet. In addition, the value for the TCP keepalive should be less and not more than the idle time value. Setting this to more than 600 seconds will result in a timeout after 10 minutes.Â
The option says: Set up a Direct Connect Gateway with five 10 Gbps AWS Direct Connect connections. Associate Direct Connect Gateway to the Internet gateway of the VPC. Configure TCP keepalive on the EC2 instances with a value of less than 600 seconds is incorrect because AWS Direct Connect is primarily used to link your internal on-premises network to your AWS VPC. You can’t use this to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances.
References:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html
https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html#nat-gateway-troubleshooting-timeout
Check out this Amazon VPC Cheat Sheet:
https://tutorialsdojo.com/amazon-vpc/
For more practice questions like these and to further prepare you for the actual AWS Certified Advanced Networking Specialty ANS-C01 exam, we recommend that you take our top-notch AWS Certified Advanced Networking Specialty Practice Exams, which have been regarded as the best in the market.Â
Also, check out our AWS Certified Advanced Networking Specialty ANS-C01 exam study guide here.
Get $4 OFF in AWS Solutions Architect & Data Engineer Associate Practice Exams for $10.99 ONLY!
Be Inspired and Mentored with Cloud Career Journeys!
Enroll Now – Our Azure Certification Exam Reviewers
Enroll Now – Our Google Cloud Certification Exam Reviewers
Tutorials Dojo Exam Study Guide eBooks
FREE AWS Exam Readiness Digital Courses
Subscribe to our YouTube Channel
FREE Intro to Cloud Computing for Beginners
FREE AWS, Azure, GCP Practice Test Samplers
Written by: Jon Bonso
