Übungsfragen

Frage 1

A company has two AWS Direct Connect links to its on-premises data center. One Direct Connect link terminates in the us-east-1 Region, and the other Direct Connect link terminates in the af-south-1 Region. The company is using BGP to exchange routes with AWS. The company's on-premises environment needs to be configured to use the us-east-1 link as the primary path to AWS and the af-south-1 link as the secondary (backup) path. A network engineer must configure BGP on the on-premises router to ensure that the us-east-1 link is preferred for all traffic to AWS, and the af-south-1 link is used only if the primary link fails. The solution must use standard BGP attributes and AWS BGP community tags. How should a network engineer configure BGP to ensure that af-south-1 is used as a secondary link to AWS?

Fragenanalyse

Core concept: This question tests how to build deterministic primary/backup routing over two AWS Direct Connect connections by combining customer-side BGP best-path selection with AWS Direct Connect BGP communities. The on-premises router should prefer the us-east-1 session for traffic destined to AWS by assigning it a higher local preference, while the af-south-1 session should be treated as backup with a lower local preference. On the AWS side, the customer should tag routes advertised over the backup DX with the AWS low-local-preference community so AWS prefers the primary DX for return traffic when both paths are available. Why correct: The correct design is to set a higher local preference on the us-east-1 BGP peer and a lower local preference on the af-south-1 BGP peer so the enterprise network always chooses us-east-1 first for outbound traffic to AWS. In addition, the af-south-1 link should be tagged with AWS community 7224:7300, which tells AWS to assign a lower local preference to routes learned on that connection. This makes af-south-1 the less-preferred path from AWS back to on premises, so it functions as the backup unless the primary path fails. Key features: - Local Preference is a standard BGP attribute used inside the customer AS; higher values are preferred. - AWS Direct Connect supports BGP communities such as 7224:7300 to influence AWS local preference for inbound traffic toward customer prefixes. - Using both controls together provides symmetric primary/backup intent: customer-side preference for outbound traffic and AWS-side preference for return traffic. Common misconceptions: - Many candidates confuse AWS DX communities with customer local preference. AWS communities influence AWS's handling of routes you advertise, not your router's best-path decision. - Another common mistake is assuming 7224:7100 means 'primary' and 7224:7300 means 'secondary' in a generic sense. In practice, 7224:7300 is the explicit low-preference community used to de-prefer a backup path. - It is also easy to reverse local preference values, which would make the backup link active instead of standby. Exam tips: - For customer-to-AWS path preference, look first at local preference on the customer router: higher on the primary, lower on the backup. - For AWS-to-customer return path preference, look for the AWS DX community that lowers AWS local preference on the backup path, typically 7224:7300. - If an option gets local preference right but applies the low-preference AWS community to the primary link, it is not the best answer.

Frage 2

(2 auswählen)

A company's security policy dictates that all outbound traffic from its AWS VPC to the on-premises data center must be inspected by a third-party security appliance. This appliance runs on an Amazon EC2 instance within the VPC. A network engineer has been tasked with improving the network performance between the on-premises data center and this security appliance. The existing connection is a standard VPN over the internet. The performance is currently a bottleneck for the on-premises users. The network engineer must improve the network performance between the on-premises data center and the EC2-based security appliance. The solution should focus on increasing throughput and reducing latency for this specific traffic flow. Which actions should the network engineer take to meet these requirements? (Choose two.)

Fragenanalyse

Core Concept: This question tests EC2 network performance optimization for a specific traffic path (on-premises to an EC2-based inspection appliance). The bottleneck is between the data center and the EC2 instance, so improvements should target the instance’s packet processing and network I/O capabilities rather than changing VPC routing constructs. Why the Answer is Correct: A (enhanced networking) directly increases packets per second (PPS), lowers latency, and reduces jitter by using SR-IOV-based drivers (ENA or Intel VF) to provide higher throughput and more consistent performance. This is a primary best practice for network appliances (firewalls/IDS/IPS) that are sensitive to PPS and per-packet overhead. C (increase the EC2 instance size) is also correct because network performance in AWS is strongly tied to instance type/size. Larger instances typically provide higher baseline and burst bandwidth, higher PPS, and more CPU resources for encryption/inspection. For a third-party security appliance, CPU and memory can be as limiting as NIC throughput, especially when doing deep packet inspection. Key AWS Features / Best Practices: - Use instance families optimized for networking (e.g., Nitro-based instances with ENA) and ensure ENA is enabled in the AMI/driver. - Select an instance size that provides sufficient “Network bandwidth” and “PPS” for the expected throughput; also consider CPU headroom for inspection. - If the VPN is the limiting factor overall, the typical architectural step would be AWS Direct Connect, but it is not an option here; therefore, the best available actions are to optimize the EC2 appliance’s networking and capacity. Common Misconceptions: - It’s tempting to choose Transit Gateway (B) to “improve performance,” but TGW is a routing hub; it does not inherently increase throughput/latency for a single EC2 appliance path, and it adds an extra hop. - Placement groups (D) help with low-latency east-west traffic between EC2 instances, not on-premises-to-EC2 over VPN. - Multiple ENIs (E) don’t aggregate bandwidth for a single flow and add complexity; scaling throughput is usually done by choosing the right instance type/size and enhanced networking, or horizontally scaling appliances behind load balancing. Exam Tips: When the question asks to improve performance “to an EC2 instance,” first think: enhanced networking (ENA/SR-IOV), instance type/size network limits, and CPU for packet processing. Only choose routing constructs (TGW, placement groups) when the problem is explicitly about multi-VPC connectivity, east-west latency, or routing scale—not raw appliance throughput.

Frage 3

A company recently implemented a security policy that prohibits developers from launching VPC network infrastructure. The policy states that any time a NAT gateway is launched in a VPC, the company's network security team must immediately receive an alert to terminate the NAT gateway. The network security team needs to implement a solution that can be deployed across AWS accounts with the least possible administrative overhead. The solution also must provide the network security team with a simple way to view compliance history. The solution must be able to detect the creation of a NAT Gateway in any VPC, alert the security team, automatically terminate the resource, and provide a historical record of compliance. The solution must also be easily deployable across multiple AWS accounts with minimal manual effort. Which solution will meet these requirements?

Frage 4

A company is migrating applications from an on-premises data center to AWS, requiring data exchange with an on-premises mainframe. The solution must achieve 4 Gbps transfer speeds for peak traffic and ensure high availability and resiliency against circuit or router failures. Design a highly available, resilient networking solution that supports 4 Gbps and withstands circuit or router failures. Which solution will meet these requirements?

Frage 5

(3 auswählen)

A company uses an AWS Direct Connect private VIF with a Link Aggregation Group (LAG) that consists of two 10 Gbps connections. The company's security team has implemented a new requirement for external network connections to provide layer 2 encryption. The company's network team plans to use MACsec support for Direct Connect to meet the new requirement. The network team must implement MACsec encryption on the existing Direct Connect connection to a private VIF without disrupting service and with the least possible downtime. Which combination of steps should the network team take to implement this functionality? (Choose three.)

Möchtest du alle Fragen unterwegs üben?

Lade Cloud Pass kostenlos herunter – mit Übungstests, Fortschrittsverfolgung und mehr.

Frage 6

(2 auswählen)

An investment platform must log all internet service traffic and retain it for 2 years. In dev, the team validated a cross‑account Amazon VPC Traffic Mirroring design using a Network Load Balancer (NLB) as the mirror target. In production, mirroring is enabled but some traffic is not mirrored and the missing packets appear random. Identify plausible explanations for intermittent/lost mirrored traffic with this design. Which statements explain why not all the traffic is mirrored? (Choose two.)

Frage 7

A fintech company has multiple development environments across different AWS accounts, all operating in the us-east-1 Region. These environments host backend services on Amazon EC2 instances within private subnets, which are accessed via a Network Load Balancer (NLB) in a public subnet. For compliance reasons, API access to these services is restricted to a small number of approved third-party vendors. The NLB's security group is configured to only allow inbound TCP traffic on port 443 from a specific set of vendor IP address ranges. The company has a strict policy that whenever a new vendor is onboarded, their IP address range must be added to the NLB's security group in every account. A network engineer must find the most operationally efficient way to centrally manage these vendor IP address ranges across all accounts. The network engineer needs to implement a solution that allows for a single, centralized update of a new vendor's IP address range. This change must then be automatically reflected in the security groups of all relevant accounts without manual intervention in each account. The solution must be highly efficient and scalable. Which solution will meet these requirements in the MOST operationally efficient manner?

Frage 8

A company’s on‑premises firewall connects to AWS Transit Gateway with a single Site‑to‑Site VPN. Growing traffic now saturates the VPN. The company needs a secure, highly available design that scales VPN throughput from on‑premises to multiple VPCs. Increase aggregate VPN bandwidth without sacrificing availability or security. Which solution will meet these requirements?

Fragenanalyse

Core Concept: This question tests scaling and high availability for AWS Site-to-Site VPN connectivity into AWS Transit Gateway (TGW). The key concepts are using multiple VPN tunnels/attachments, dynamic routing with BGP, and Equal-Cost Multi-Path (ECMP) to increase aggregate throughput while maintaining resiliency. Why the Answer is Correct: Creating multiple dynamic (BGP) Site-to-Site VPN connections to a transit gateway and enabling ECMP allows traffic to be distributed across multiple VPN tunnels/paths in parallel. A single Site-to-Site VPN connection already includes two tunnels for HA, but a single VPN connection can still become a throughput bottleneck. By adding additional VPN connections (each with two tunnels) and using BGP with ECMP, the on-premises firewall and TGW can load-share flows across multiple tunnels, increasing aggregate bandwidth while preserving redundancy. This design remains secure (IPsec) and highly available (multiple tunnels across multiple connections). Key AWS Features / Best Practices: - Transit Gateway supports ECMP for VPN attachments when using dynamic routing (BGP). This is the standard AWS approach for scaling VPN throughput. - Use multiple VPN connections (and ideally multiple customer gateway devices or multiple public IPs on the same device if supported) to improve both capacity and resilience. - BGP enables automatic route exchange and faster failover than static routes, and is required for ECMP load sharing behavior in this context. - This pattern aligns with AWS Well-Architected (Reliability and Performance Efficiency): redundancy plus horizontal scaling. Common Misconceptions: - “Two tunnels equals double bandwidth”: the two tunnels in a single VPN are primarily for HA; load sharing is not guaranteed unless ECMP is used and the device supports it. - “Static routes are simpler”: static routing typically prevents ECMP with TGW VPN and reduces operational resilience because failover and routing changes are manual. - “VPN acceleration fixes saturation”: acceleration can reduce latency/jitter but does not replace the need for parallel paths to scale aggregate throughput. Exam Tips: When you see “TGW + VPN saturated + need more bandwidth + keep HA,” think “multiple BGP VPNs + ECMP.” If the question emphasizes scaling throughput across multiple VPCs, TGW is the hub, and ECMP with dynamic routing is the canonical AWS answer. Always prefer managed AWS networking features over self-managed VPN appliances unless there is a specific requirement they uniquely satisfy.

Frage 9

(3 auswählen)

A company uses AWS Client VPN to allow remote users to access resources in multiple peered VPCs and an on-premises data center. The Client VPN endpoint route table has a single 0.0.0.0/0 entry, and its security group has no inbound rules and an outbound rule allowing all traffic to 0.0.0.0/0. Remote users report incorrect geographic location information in web search results. Resolve incorrect geographic location issues for Client VPN users with minimal service interruption. Which combination of steps should a network engineer take to resolve this issue with the LEAST amount of service interruption? (Choose three.)

Frage 10

A network engineer is working on a private DNS design to integrate AWS workloads and on-premises resources for a manufacturing company. The AWS deployment consists of five VPCs in the eu-west-1 Region that connect to the on-premises network over AWS Direct Connect. The VPCs communicate with each other by using a transit gateway. Each VPC is associated with a private hosted zone that uses the corp.global.internal domain. The network engineer creates an Amazon Route 53 Resolver outbound endpoint in a shared services VPC and attaches the shared services VPC to the transit gateway. The network engineer must implement a solution for DNS resolution where queries for hostnames ending with corp.global.internal must use the private hosted zone within AWS, while queries for all other domains must be forwarded to a private on-premises DNS resolver. The solution must be centralized and work across all five VPCs. Which solution will meet these requirements?

Frage 11

A European automaker is moving customer‑facing services and analytics from two data centers (50‑mile separation) to AWS. Workloads span accounts in eu‑west‑3 and eu‑central‑1. In each Region, the company orders two resilient 1 Gbps DX circuits. The network must interconnect all VPCs and on‑premises, maintain Regional separation, and provide failover across Regions. Design multi‑Region connectivity over DX with full VPC reachability and cross‑Region resiliency. Which solution will meet these requirements?

Fragenanalyse

Core Concept: This question tests AWS Direct Connect multi-Region design using Direct Connect Gateway (DXGW) and AWS Transit Gateway (TGW) to provide scalable, full-mesh VPC connectivity plus resilient on-premises connectivity, while preserving Regional separation and enabling cross-Region failover. Why the Answer is Correct: Option C is the only design that cleanly meets all requirements: (1) interconnect all VPCs and on-premises, (2) keep Regional separation (each Region has its own routing domain), and (3) provide cross-Region resiliency. A DXGW provides a global attachment point for Direct Connect and can be associated with multiple TGWs (including in different Regions). By deploying one TGW per Region and attaching each to the DXGW using transit VIFs, the on-premises network can reach both Regional TGWs over the resilient DX circuits. Then, peering the TGWs provides controlled cross-Region connectivity between VPCs in eu-west-3 and eu-central-1. If one Region (or its DX path) is impaired, routing can fail over to the other Region via the remaining DX connectivity and the TGW peering path, while still keeping each Region’s VPC attachments local to its TGW. Key AWS Features: - DXGW + transit VIF: enables DX to connect to TGW (not directly to VPCs) and supports multi-account/multi-VPC at scale. - One TGW per Region: maintains Regional separation and avoids a single global routing blast radius. - TGW peering: provides cross-Region VPC-to-VPC and transitive routing between the two TGWs (with explicit route table control). - Resiliency: two DX circuits per Region (ideally diverse locations) plus BGP path selection for failover. Common Misconceptions: - Using private VIFs to VGWs (Option A) seems simpler, but does not scale to “all VPCs” well and does not provide a clean, managed cross-Region VPC interconnect. - A single TGW for two Regions (Option B) is not valid because TGW is a Regional resource; “inter-Region LAG” is also not an AWS construct for DX. - Mixing private VIFs and TGW attachments (Option D) is conceptually inconsistent: DXGW-to-TGW requires transit VIFs, and “inter-Region LAG” again is not applicable. Exam Tips: Remember: TGW is Regional; DXGW is global. For multi-Region DX with many VPCs, the common pattern is DX circuits -> DXGW (transit VIF) -> TGW per Region, and TGW peering for cross-Region connectivity and failover. Watch for invalid terms like “inter-Region LAG” and for designs that don’t scale beyond a few VPCs.

Frage 12

An application team for a startup company is deploying a new multi-tier application into the AWS Cloud. The application will be hosted on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind a publicly accessible Network Load Balancer (NLB). The application requires the clients to work with UDP traffic and TCP traffic. In the near term, the application will serve only users within the same geographic location. The application team plans to extend the application to a global audience and will move the deployment to multiple AWS Regions around the world to bring the application closer to the end users. The application team wants to use the new Regions to deploy new versions of the application and wants to be able to control the amount of traffic that each Region receives during these rollouts. In addition, the application team must minimize first-byte latency and jitter (randomized delay) for the end users. The application team must design a network architecture that can handle both TCP and UDP traffic, support phased global rollouts by controlling traffic distribution to multiple AWS Regions, and reduce latency and jitter for end users. How should the application team design the network architecture for the application to meet these requirements?

Frage 13

A TGW is attached to a DX gateway and 19 VPCs. Two new VPCs (10.0.32.0/21 and 10.0.40.0/21) will be attached. The allowed prefix list has room for only one more entry. Advertise the routes from AWS to on‑premises while staying within the prefix‑list entry limit. What should the engineer do?

Frage 14

(2 auswählen)

An IoT company collects data from thousands of sensors that are deployed in the United States and South Asia. The sensors use a proprietary communication protocol that is built on UDP to send the data to a fleet of Amazon EC2 instances. The instances are in an Auto Scaling group and run behind a Network Load Balancer (NLB). The instances, Auto Scaling group, and NLB are deployed in the us-west-2 Region. The company's data shows that data from the sensors in South Asia occasionally gets lost in transit over the public internet and does not reach the EC2 instances. The company needs a solution to resolve the issue of data loss from the South Asian sensors. The solution must provide a reliable and low-latency path for the UDP traffic from the sensors to the application, leveraging AWS services to optimize the network performance over long distances. Which solutions will resolve this issue? (Choose two.)

Frage 15

(2 auswählen)

A company runs a stateless web app (ASG) and a stateful admin/management app (separate ASG) behind the same Application Load Balancer (ALB) in private subnets. The company wants to access the management app at the same URL as the web app with the path prefix /management. Protocol, hostname, and port must be identical for both apps. Access to /management must be limited to on‑premises source IP ranges. The ALB uses an ACM certificate. Implement ALB listener rules to path‑route /management to the admin targets and restrict it to on‑premises CIDRs while keeping all traffic over the same HTTPS listener. Which combination of steps should the network engineer take? (Choose two.)

Frage 16

A company has a web application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-party EC2 appliance for content inspection before it reaches its destination. The company is performing tests to ensure that this new inspection layer is correctly implemented without affecting the application's functionality. The inspection appliance is a single-node instance that needs to see a copy of all network traffic. The network engineer must design a solution that transparently forwards all ingress and egress network traffic from the application's EC2 instances to the third-party inspection appliance for real-time content inspection. The solution must capture a complete copy of the traffic and deliver it to the appliance without disrupting the original traffic flow. Which solution will meet these requirements?

Frage 17

A marketing company is using a hybrid infrastructure to connect its branch offices to AWS over AWS Direct Connect and a software-defined wide area network (SD-WAN) overlay. The company currently connects its multiple VPCs to a third-party SD-WAN appliance, which resides in a transit VPC within the same account, using AWS Site-to-Site VPNs. The company is planning to expand its AWS footprint by connecting more VPCs to the SD-WAN appliance transit VPC. However, the existing architecture is experiencing challenges with scalability, route table limitations, and higher costs due to the numerous VPN connections. A network engineer must design a new solution to address these issues and reduce the overall operational overhead. The network engineer needs to design a solution that provides scalable connectivity between all VPCs and the SD-WAN appliance while resolving the route table limitations and reducing costs. The solution must be implemented with the least amount of operational overhead. Which solution will meet these requirements with the LEAST amount of operational overhead?

Frage 18

A company has a 2 Gbps AWS Direct Connect hosted connection from its office to a VPC in ap-southeast-2 and adds a 5 Gbps hosted connection from a different Direct Connect location in the same Region. The connections terminate at different routers with an iBGP session between them. The network engineer wants the VPC to prioritize the 5 Gbps connection, with failover to the 2 Gbps connection if the 5 Gbps connection fails. Ensure the VPC uses the 5 Gbps Direct Connect connection for traffic to the office, with failover to the 2 Gbps connection when the 5 Gbps connection is down. Which solution will meet these requirements?

Frage 19

(2 auswählen)

An internal website runs behind an internal ALB in a VPC (172.31.0.0/16). A private hosted zone example.com exists in Route 53. An AWS Site-to-Site VPN connects the office network to the VPC. Employees must access https://example.com from the office network. Enable private DNS resolution for example.com from on-premises across the VPN to the VPC’s private hosted zone and ALB. Which combination of steps will meet this requirement? (Choose two.)

Frage 20

(3 auswählen)

A company has VPCs in us-east-1 connected via a transit gateway. An AWS Direct Connect connection is established to an on-premises data center, with the ConnectionState metric in Amazon CloudWatch showing UP, but the transit VIF is DOWN. The network engineer verified transit VIF and BGP configurations on the on-premises router with no issues but cannot ping the Amazon peer IP address. Troubleshoot the DOWN transit VIF to establish connectivity. Which combination of steps should the network engineer take to troubleshoot this issue? (Choose three.)