Amazon ANS-C00 exam dumps update in Lead4pass | Pass exam
AWS Certified Advanced Networking – Specialty exam code: “ANS-C00”. Amazon ANS-C00 exam dumps have been updated. For complete ANS-C00 exam questions and answers, visit https://www.lead4pass.com/aws-certified-advanced-networking-specialty.html (PDF+VCE).
You can choose between PDF and VCE modes to help you successfully pass the exam.
Awsexamdumps updates more AWS Certified Specialty exam questions and answers throughout the year. Follow the AWS EXAM DUMPS to help you pass the exam.
Free Amazon ANS-C00 exam PDF
Amazon ANS-C00 exam PDF is part of Lead4Pass ANS-C00 exam dumps:
Amazon ANS-C00 exam questions and answers help you practice the test online
Check your learning level online, all test answers are at the end of the article.
When using AWS Config, which two items are stored on S3 as a part of its operation?
A. Configuration Items and Configuration History
B. Configuration Recorder and Configuration Snapshots
C. Configuration History and Configuration Snapshots
D. Configuration Snapshots and Configuration Streams
Explanation: S3 is used to store the Configuration History files and any Configuration Snapshots of your data within a
single bucket, which is defined within the Configuration Recorder. You can get AWS Config to create a new bucket for
you or select an existing bucket. If you have multiple AWS accounts, you may want to aggregate your Configuration
History and Snapshot files into the same S3 bucket for your primary account; this can be achieved.
However, you will need to grant the service principal (config.amazonaws.com) in your other accounts
write access to the S3 bucket.
The Security department has mandated that all outbound traffic from a VPC toward an on-premises datacenter must go through a security appliance that runs on an Amazon EC2 instance.
Which of the following maximizes network performance on AWS? (Choose two.)
A. Support for the enhanced networking drivers
B. Support for sending traffic over the Direct Connect connection
C. The instance sizes and families supported by the security appliance
D. Support for placement groups within the VPC
E. Security appliance support for multiple elastic network interfaces
You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster
members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while
deploying additional cluster members in another AWS region?
A. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security
group rules that reference each other's security group-id in each region.
B. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security
group CIDR-based rules that correspond with the VPC CIDR in the other region.
C. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create
cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
D. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create
cluster security group rules that reference each other's security group-id in each region.
What is the IPv6 subnet CIDR used by a VPC?
A VPC will always use /56 as its CIDR
Your company has just completed a transition to IPv6 and has deployed a website on a server. You were able to
download software on the instance without an issue. This website is deployed using IPv6, but the public is not able to
access it. What should you do to fix this problem?
A. Add an internet gateway for the instance.
B. Add an egress-only internet gateway.
C. Add an inbound rule to your security group that allows inbound traffic on port 80 for ::/0.
D. Add an inbound rule to your security group that allows inbound traffic on port 80 for 0.0.0.0/0.
Your instance can reach the internet if it was able to download software, so an IGW is not needed.
0.0.0.0/0 is for IPv4.
An organization has three AWS accounts with each containing VPCs in Virginia, Canada and the Sydney regions. The
organization wants to determine whether all available Elastic IP addresses (EIPs) in these accounts are attached to
Amazon EC2 instances or in-use elastic network interfaces (ENIs) in all of the specified regions for compliance and cost-optimization purposes. Which of the following meets the requirements with the LEAST management overhead?
A. Use an Amazon CloudWatch Events rule to schedule an AWS Lambda function in each account in all three regions
to find the unattached and unused EIPs.
B. Use a CloudWatch event bus to schedule Lambda functions in each account in all three regions to find the
unattached and unused EIPs.
C. Add an AWS managed, EIP-attached AWS Config rule in each region in all three accounts to find unattached and
D. Use AWS CloudFormation StackSets to deploy an AWS Config EIP-attached rule in all accounts and regions to find
the unattached and unused EIPs.
Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6
addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances.
Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)
A. Remove any rules allowing ::/0 inbound in the security group.
B. Block ::/0 inbound in the NACL.
C. Create an egress-only internet gateway.
D. Block 0.0.0.0/0 inbound in the NACL.
Explanation: Blocking 0.0.0.0/0 will only block IPv4, and blocking ::/0 in the NACL will prevent return traffic and updates to the
instances. An egress-only internet gateway or blocking ::/0 inbound in the security group will allow the instances to
initiate outbound connections and receive the return traffic, while still preventing outside attackers from initiating
connections to the instances.
Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.
Which of the following connectivity options should you choose?
A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private
B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.
An AWS account owner has set up multiple IAM users. One of these IAM users, named John, has CloudWatch access,
but no access to EC2 services. John has set up an alarm action which stops EC2 instances when their CPU utilization is
below the threshold limit. When an EC2 instance's CPU utilization rate drops below the threshold John has set, what
will happen and why?
A. Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.
B. CloudWatch will stop the instance when the action is executed
C. Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm
D. Nothing will happen. John can set up the action, but it will not be executed because he does not have EC2 access
through IAM policies.
Explanation: An Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs
one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The
user can set up an action which stops the instances when their CPU utilization is below a certain threshold for a certain
period of time. The EC2 action can either terminate or stop the instance. If the IAM user has
read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the
stop or terminate actions will not be performed on the Amazon EC2 instance.
You have two VPCs that you need to connect to an on-premises datacenter using VPNs. When you create the tunnels,
you find that both tunnels use the same addresses. What two things can you do to overcome this? (Choose two.)
A. Delete the VPN, create a “dummy VPN”, recreate the VPN, then delete the “dummy” VPN.
B. Delete your AWS account and create a new one since the VPN tunnel addresses are created from a hash of your
account number and a proprietary algorithm.
C. Create a VHF within your router for each network.
D. Create a VRF within your router for each network.
You need to quickly view inbound traffic to an instance to determine why it isn't reaching the instance properly. What is the best tool for this?
D. Flow Logs
CloudWatch only shows the amount of data in. Wireshark cannot see anything inside AWS infrastructure.
You can only use it to view instance traffic.
A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25
customers. The company creates a unique hostname for each customer to use to access the application. Hostnames
use the format customer-name.example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application.
When a customer visits customer-name.example.com, the ALB should route the request to the correct group of EC2
instances. The company requires a highly available solution that is easy to maintain.
Which solution meets these requirements at the LOWEST cost?
A. Create one ALB for all customers. Create a listener rule that includes an HTTP header condition to match the URL.
Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
B. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Configure
an NGINX proxy server to manage connections to each ALB. Use Amazon Route 53 to create a CNAME record for
each customer-name.example.com hostname that points to the NGINX proxy server.
C. Create one ALB for all customers. Create a listener rule that includes a Host header condition to match the
hostname. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an
alias record for each customer-name.example.com hostname that points to the ALB.
D. Create one ALB for each customer. Configure the listener to route requests to the customer target group. Create an
Amazon CloudFront distribution. Add each ALB to the distribution as a custom origin. Use Amazon Route 53 to create
an alias for each customer-name.example.com hostname that points to the CloudFront distribution.
Which statement about Elastic IP addresses is incorrect?
A. Additional EIPs associated with one instance incur a charge.
B. Once an EIP is associated with an instance, you must manually change the hostname if you want it to match.
C. Once you associate an EIP with an instance, the original public IP is released.
D. Disassociated EIPs incur a charge.
The hostname automatically changes to match the new EIP.
Publish The Answer：
AWS EXAM DUMPS shares more Amazon exam questions and answers throughout the year.
To pass the Amazon ANS-C00 exam, please visit https://www.lead4pass.com/aws-certified-advanced-networking-specialty.html (Total Questions: 366 Q&A).
Get complete dumps of Amazon ANS-C00 exams to help you successfully pass your first exam.