AWS Certified Advanced Networking -
Specialty
1. An organization has a newly installed 1-Gbps AWS Direct Connect connec- tion. The organization has opted to
use cross-connect from the Direct Connect location provider to a port on the router in the same facility. To enable
the use of the virtual interface, the router must be configured appropriately.
What are the minimum requirements for your router?: 1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP
Address, BGP Session with MD5
2. A company manages more than 500 public web applications on AWS Cloud which are deployed in a single
AWS Region. The fully qualified domain names (FQDNs) of all of the applications are configured to use HTTPS
and are served via Application Load Balancers (ALBs). These ALBs are configured to use public SSL/TLS
certificates. The company has hired you to migrate the web applications to a multi-Region architecture. You must
ensure that all HTTPS services continue to work without interruption.
Which of the following solutions would you suggest to address these require- ments?: Generate a separate certificate
for each FQDN in each AWS Region using AWS Certificate Manager. Associate the certificates with the corresponding
ALBs in the relevant AWS Region
3. The development team at a company is deploying a web application in a VPC that requires SSL mutual
authentication with a client-side certificate. The ELB Classic Load Balancer listener must support mutual
authentication between the client and the application.
Which load balancer protocol should you select for this application?: TCP
4. A social media company is delivering web content from an Amazon EC2 instance in a public subnet with
address 2021:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the
subnet contain the following entries:
2 098765432112 eni-0596e500987654321 2021:db8:2:200::2 2021:db8:1:100::1
0 0 58 236 42336 1551200195 1551200434 ACCEPT OK 2 098765432112
eni-0596e500987654321 2021:db8:1:100::1 2021:db8:2:200::2 0 0 58 236 42336
1551200195 1551200434 REJECT OK
Which of the following actions will restore network reachability to the EC2 instance?: Update the network ACL
associated with the subnet to allow outbound traffic
5. The networking team at a company has noticed issues with Quality of Service (QoS) in the traffic to the EC2
instances hosting a VOIP program. The team needs to inspect the network packets to determine if it is a
programming error or a networking error.
As an AWS Certified Networking Specialist, which of the following solutions would you recommend for the given
use case?: Configure traffic mirroring on
, AWS Certified Advanced Networking -
Specialty
the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance
and stream the logs to an S3 bucket for further analysis
6. A company runs a hybrid cloud infrastructure and it has 99 routes in the dynamic BGP propagated route
table. The networking team at the company wants to add 2 more routes for 10.1.0.0 and 10.3.0.0. You cannot
modify or remove routes that have already been announced.
Which of the following solutions will you recommend?: Combine the two routes into a default route and advertise it
7. A cybersecurity company has its flagship application running on EC2 in- stances in a VPC and the application
must publish custom metrics with pro- prietary information to CloudWatch in the same AWS Region. All
connectivity must be established using private IP addresses.
Which of the following options will address these requirements?: Connect the application to CloudWatch using an
interface endpoint
8. A company is deploying a critical application on multiple EC2 instances in a VPC. Per the company
policy, any failed client connections to the EC2 instances must be logged.
Which of the following options would you recommend as the MOST cost-ef- fective solution to address these
requirements?: Set up VPC Flow Logs for the elastic network interfaces associated with the instances and configure the
VPC Flow Logs to be filtered for rejected traffic. Publish the Flow Logs to CloudWatch Logs
9. An online retail organization runs its e-commerce website on AWS. The Amazon EC2 instances running the
application are fronted by an Application Load Balancer (ALB). Amazon Route 53 provides public DNS services.
Differ- ent URLs (mobile.shopping.com, web.shopping.com, api.shopping.com) will serve the required content to
the end-users.
Which combination of services must be used to serve the content correctly to the end-users? (Select two): Use Host
conditions in ALB listener to route
*.shopping.com to appropriate target groups
Use Host conditions in ALB listener to route shopping.com to appropriate target groups
10.A health care company has two web applications and wants to run them in separate, isolated VPCs. The
company is looking at using Elastic Load Balancing to distribute requests between application instances. The
security and compliance team at the company has imposed the following restrictions: Inbound HTTP requests to
the application must be routed through a central- ized VPC
Application VPCs must not be exposed to any other inbound traffic
, AWS Certified Advanced Networking -
Specialty
Application VPCs cannot be allowed to initiate any outbound connections Internet gateways must not be attached
the application VPCs
Which of the following solutions would you recommend to address these requirements?: Configure the applications
behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint
service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the
centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to
route application traffic to the corresponding target group through the ALB
11.The networking team at a retail company is configuring a virtual interface for accessing your VPC on a
newly provisioned 10-Gbps AWS Direct Connect connection.
Which of the following configuration values do you need to provide? (Select two): Virtual local area network
(VLAN) ID
Virtual private gateway
12.A financial services company is migrating sensitive data from its
on-premises data center to AWS Cloud via an existing AWS Direct Connect connection. The company must
ensure confidentiality and integrity of the data in transit to the AWS VPC.
Which of the following options should be combined to set up the most cost-ef- fective connection between your on-
premises data center and AWS? (Select three): Create an IPsec tunnel between your customer gateway appliance and
the virtual private gateway
Create a VPC with a virtual private gateway
Set up a public virtual interface on the Direct Connect connection
13.A company has set up an AWS network consisting of three transit gate- ways (tgw-1, tgw-2, and tgw-3) each
present in different AWS accounts and dif- ferent AWS Regions. The development team owns transit gateways
tgw-1 and tgw-3. Transit gateway tgw-1 has a peering attachment with transit gateway tgw-2 owned by another
team. The entire network is within AWS and does not consist of on-premises resources. The company has decided
to use Transit Gateway Network Manager for managing the network topology.
Which of the following would you identify as the key points of consideration while implementing this requirement
(Select three): When you register transit gateway tgw-1 in the Network Manager, you can see information about transit
gateway tgw-2 in your global network
To enable multi-account functionality in Network Manager, you first need to set up an account in AWS Organizations
Specialty
1. An organization has a newly installed 1-Gbps AWS Direct Connect connec- tion. The organization has opted to
use cross-connect from the Direct Connect location provider to a port on the router in the same facility. To enable
the use of the virtual interface, the router must be configured appropriately.
What are the minimum requirements for your router?: 1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP
Address, BGP Session with MD5
2. A company manages more than 500 public web applications on AWS Cloud which are deployed in a single
AWS Region. The fully qualified domain names (FQDNs) of all of the applications are configured to use HTTPS
and are served via Application Load Balancers (ALBs). These ALBs are configured to use public SSL/TLS
certificates. The company has hired you to migrate the web applications to a multi-Region architecture. You must
ensure that all HTTPS services continue to work without interruption.
Which of the following solutions would you suggest to address these require- ments?: Generate a separate certificate
for each FQDN in each AWS Region using AWS Certificate Manager. Associate the certificates with the corresponding
ALBs in the relevant AWS Region
3. The development team at a company is deploying a web application in a VPC that requires SSL mutual
authentication with a client-side certificate. The ELB Classic Load Balancer listener must support mutual
authentication between the client and the application.
Which load balancer protocol should you select for this application?: TCP
4. A social media company is delivering web content from an Amazon EC2 instance in a public subnet with
address 2021:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the
subnet contain the following entries:
2 098765432112 eni-0596e500987654321 2021:db8:2:200::2 2021:db8:1:100::1
0 0 58 236 42336 1551200195 1551200434 ACCEPT OK 2 098765432112
eni-0596e500987654321 2021:db8:1:100::1 2021:db8:2:200::2 0 0 58 236 42336
1551200195 1551200434 REJECT OK
Which of the following actions will restore network reachability to the EC2 instance?: Update the network ACL
associated with the subnet to allow outbound traffic
5. The networking team at a company has noticed issues with Quality of Service (QoS) in the traffic to the EC2
instances hosting a VOIP program. The team needs to inspect the network packets to determine if it is a
programming error or a networking error.
As an AWS Certified Networking Specialist, which of the following solutions would you recommend for the given
use case?: Configure traffic mirroring on
, AWS Certified Advanced Networking -
Specialty
the source EC2 instances hosting the VOIP program, set up a network monitoring program on a target EC2 instance
and stream the logs to an S3 bucket for further analysis
6. A company runs a hybrid cloud infrastructure and it has 99 routes in the dynamic BGP propagated route
table. The networking team at the company wants to add 2 more routes for 10.1.0.0 and 10.3.0.0. You cannot
modify or remove routes that have already been announced.
Which of the following solutions will you recommend?: Combine the two routes into a default route and advertise it
7. A cybersecurity company has its flagship application running on EC2 in- stances in a VPC and the application
must publish custom metrics with pro- prietary information to CloudWatch in the same AWS Region. All
connectivity must be established using private IP addresses.
Which of the following options will address these requirements?: Connect the application to CloudWatch using an
interface endpoint
8. A company is deploying a critical application on multiple EC2 instances in a VPC. Per the company
policy, any failed client connections to the EC2 instances must be logged.
Which of the following options would you recommend as the MOST cost-ef- fective solution to address these
requirements?: Set up VPC Flow Logs for the elastic network interfaces associated with the instances and configure the
VPC Flow Logs to be filtered for rejected traffic. Publish the Flow Logs to CloudWatch Logs
9. An online retail organization runs its e-commerce website on AWS. The Amazon EC2 instances running the
application are fronted by an Application Load Balancer (ALB). Amazon Route 53 provides public DNS services.
Differ- ent URLs (mobile.shopping.com, web.shopping.com, api.shopping.com) will serve the required content to
the end-users.
Which combination of services must be used to serve the content correctly to the end-users? (Select two): Use Host
conditions in ALB listener to route
*.shopping.com to appropriate target groups
Use Host conditions in ALB listener to route shopping.com to appropriate target groups
10.A health care company has two web applications and wants to run them in separate, isolated VPCs. The
company is looking at using Elastic Load Balancing to distribute requests between application instances. The
security and compliance team at the company has imposed the following restrictions: Inbound HTTP requests to
the application must be routed through a central- ized VPC
Application VPCs must not be exposed to any other inbound traffic
, AWS Certified Advanced Networking -
Specialty
Application VPCs cannot be allowed to initiate any outbound connections Internet gateways must not be attached
the application VPCs
Which of the following solutions would you recommend to address these requirements?: Configure the applications
behind private Network Load Balancers (NLBs) in separate VPCs. Set up each NLB as an AWS PrivateLink endpoint
service with associated VPC endpoints in the centralized VPC. Set up a public Application Load Balancer (ALB) in the
centralized VPC and point the target groups to the private IP addresses of each endpoint. Set up host-based routing to
route application traffic to the corresponding target group through the ALB
11.The networking team at a retail company is configuring a virtual interface for accessing your VPC on a
newly provisioned 10-Gbps AWS Direct Connect connection.
Which of the following configuration values do you need to provide? (Select two): Virtual local area network
(VLAN) ID
Virtual private gateway
12.A financial services company is migrating sensitive data from its
on-premises data center to AWS Cloud via an existing AWS Direct Connect connection. The company must
ensure confidentiality and integrity of the data in transit to the AWS VPC.
Which of the following options should be combined to set up the most cost-ef- fective connection between your on-
premises data center and AWS? (Select three): Create an IPsec tunnel between your customer gateway appliance and
the virtual private gateway
Create a VPC with a virtual private gateway
Set up a public virtual interface on the Direct Connect connection
13.A company has set up an AWS network consisting of three transit gate- ways (tgw-1, tgw-2, and tgw-3) each
present in different AWS accounts and dif- ferent AWS Regions. The development team owns transit gateways
tgw-1 and tgw-3. Transit gateway tgw-1 has a peering attachment with transit gateway tgw-2 owned by another
team. The entire network is within AWS and does not consist of on-premises resources. The company has decided
to use Transit Gateway Network Manager for managing the network topology.
Which of the following would you identify as the key points of consideration while implementing this requirement
(Select three): When you register transit gateway tgw-1 in the Network Manager, you can see information about transit
gateway tgw-2 in your global network
To enable multi-account functionality in Network Manager, you first need to set up an account in AWS Organizations
