Uploaded on Feb 9, 2021
Get Latest ANS-C00 Dumps PDF (Dumpspass4sure)
Amazon ANS-C00 Dumps: AWS Certified Advanced Networking Specialty (ANS-C00)
Question: 1
Under the Payment Card Industry Data Security Standard (PCI DSS), merchants that handle credit card data
must use strong cryptography. These merchants must also use security protocols to protect sensitive
data during transmission over public networks.
You are migrating your PCI DSS application from an on-premises SSL appliance and Apache to a VPC behind
Amazon CloudFront.
How should you configure CloudFront to meet this requirement?
A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin’s Protocol
Policy to ‘Match Viewer’.
B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the
origin without TLS termination at the edge.
C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via
AWS Direct Connect.
D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward requests
to the origin via the Amazon private network.
Answer: A
Explanation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#Downlo
Question: 2
A network architect is designing an internet website. It has web, application, and database tiers that will
run in AWS. The website uses Amazon DynamoDB.
Which architecture will minimize public exposure of the back-end instances?
A. A VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the
application tier, and private subnets for DynamoDB.
B. A VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the
application tier. The application tier connects DynamoDB through a VPC endpoint.
C. A VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the
application tier, and private subnets for DynamoDB.
D. A VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the
application tier. The application tier connects DynamoDB through a VPC endpoint.
Answer: D
Question: 3
You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway
is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the
Internet gateway.
The instance has a security group configured to allow as follows:
Protocol: TCP
Port: 80 inbound, nothing outbound
The Network ACL for the subnet is configured to allow as follows:
Protocol: TCP
Port: 80 inbound, nothing outbound
When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?
A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
Answer: D
Question: 4
Your company operates a single AWS account. A common services VPC is deployed to provide shared
services, such as network scanning and compliance tools. Each AWS workload uses its own VPC, and
each VPC must peer with the common services VPC. You must choose the most efficient and
cost-effective approach.
Which approach should be used to automate the required VPC peering?
A. AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.
B. An OpsWorks Chef recipe to execute a command-line peering request.
C. Cfn-init with AWS CloudFormation to execute a command-line peering request.
D. An AWS CloudFormation template that includes a peering request.
Answer: D
Explanation
https://cloakable.irdeto.com/2017/10/11/how-to-implement-vpc-peering-between-2-vpcs-in-the-same-aws-account-usin
Question: 5
An organization will be extending its existing on-premises infrastructure into the cloud. The design
consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available
configuration across two Availability Zones for automatic failover.
What MUST be configured for this design to work? (Select two.)
A. A different Autonomous System Number (ASN) for each firewall.
B. Border Gateway Protocol (BGP) routing
C. Autonomous system (AS) path prepending
D. Static routing
E. Equal-cost multi-path routing (ECMP)
Answer: B C
Explanation
https://docs.aws.amazon.com/solutions/latest/cisco-based-transit-vpc/appendix-a.html
Question: 6
A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The
Lambda function also needs to write messages to Amazon SQS. The Lambda function has been
configured to run in a subnet in the VPC.
Which of the following actions meet the requirements? (Select two.)
A. The Lambda function needs an IAM role to access Amazon SQS
B. The Lambda function must route through a NAT gateway or NAT instance in another subnet to access
the public SQS API.
C. The Lambda function must be assigned a public IP address to access the public Amazon SQS API.
D. The ElastiCache server outbound security group rules must be configured to permit the Lambda
function’s security group.
E. The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.
Answer: A B
Explanation
https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
Question: 7
A company is about to migrate an application from its on-premises data center to AWS. As part of the
planning process, the following requirements involving DNS have been identified.
The organization’s VPC uses the CIDR block 172.16.0.0/16.
Assuming that there is no DNS namespace overlap, how can these requirements be met?
A. Change the DHCP options set for the VPC to use both the Amazon-provided DNS server and the
on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the
name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
B. Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure
the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and
forward all other queries to 172.16.0.2. Change the DHCP options set for the VPC to use the new DNS
proxies.
Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as
authoritative for the Route 53 private hosted zone.
C. Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure
the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and
forward all other queries to the Amazon-provided DNS server (172.16.0.2). Change the DHCP options set
for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone,
delegating the proxies as authoritative for the Route 53 private hosted zone.
D. Change the DHCP options set for the VPC to use both the on-premises DNS systems. Configure the
on-premises DNS systems with a stub-zone, delegating the Route 53 private hosted zone’s name servers
as authoritative for the Route 53 private hosted zone.
Answer: C
Question: 8
Your organization’s corporate website must be available on www.acme.com and acme.com.
How should you configure Amazon Route 53 to meet this requirement?
A. Configure acme.com with an ALIAS record targeting the ELB, and www.acme.com with an ALIAS record
targeting the ELB.
B. Configure acme.com with an A record targeting the ELB, and www.acme.com with a CNAME record
targeting the acme.com record.
C. Configure acme.com with a CNAME record targeting the ELB, and www.acme.com with a CNAME record
targeting the acme.com record.
D. Configure acme.com using a second ALIAS record with the ELB target, and www.acme.com using a PTR
record with the acme.com record target.
Answer: A
Question: 9
An organization's Security team has a requirement that all data leaving its on-premises data center be
encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally
log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to
build out this design.
What steps should be taken to ensure that connectivity to AWS meets these security requirements?
(Choose two.)
A. Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.
B. Provision a private virtual interface for each VPC connection.
C. Enable VPC Flow Logs for each VPC.
D. Use AWS KMS to encrypt traffic between on-premises and AWS.
E. Provision a VPN connection to each VPC over the internet.
Answer: B E
Question: 10
A network engineer is managing two AWS Direct Connect connections. Each connection has a public
virtual interface configured with a private ASN. The engineer wants to configure active/passive routing
between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is
required for the on-premises equipment? (Select two.)
A. Use Local Pref to control outbound traffic.
B. Use AS Prepending to control inbound traffic.
C. Use eBGP multi-hop between loopback interfaces.
D. Use BGP Communities to control outbound traffic.
E. Advertise more specific prefixes over one Direct Connect connection.
Answer: A E
Explanation
https://aws.amazon.com/premiumsupport/knowledge-center/active-passive-direct-connect/
Question: 11
A company is deploying a new web application that uses a three-tier model with a public-facing Network
Load Balancer and web servers in an Amazon VPC. The application servers are hosted in the company's
data center.
There is an AWS Direct Connect connection between the VPC and the company’s data center. Load
testing results indicate that up to 100 servers, equally distributed across multiple Availability Zones, are
required to handle peak loads.
The Network Engineer needs to design a VPC that has a /24 CIDR assigned to it.
How should the Engineer allocate subnets across three Availability Zones for each tier?
A. Network Load Balancer: /29 per subnet; Web: /26 per subnet
B. Network Load Balancer: /28 per subnet; Web: /25 per subnet
C. Network Load Balancer: /28 per subnet; Web: /27 per subnet
D. Network Load Balancer: /28 per subnet; Web: /26 per subnet
Answer: D