Q1.Refer to the image.
You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows:
VPC A: 10.0.0.0/16
VPC B: 192.168.0.0/16
VPC C: 10.0.0.0/16
Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10.
Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively. i-3 and i-4
are in the subnet 192.168.1.0/24.
i-3 must be able to communicate with i-1
i-4 must be able to communicate with i-2
i-3 and i-4 are able to communicate with i-1, but not with i-2.
Which two steps will fix this problem? (Select two.)
- A: Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
- B: Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
- C: Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
- D: Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.
- E: Create two route tables: one with a route for destination VPC A, and another for destination VPC C.
solution: A, E (192.168.1.16/27 is not on a /27 boundary and would overlap 192.168.1.0/27, so option B cannot be created; and one route table cannot hold two routes for the same destination 10.0.0.0/16 pointing at different peering connections, so i-3 and i-4 need separate subnets, each with its own route table.)
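To check the subnet and route-table reasoning in Q1 without an AWS account, here is an added example (not part of the exam page) using only the Python standard library. The peering-connection names pcx-ab and pcx-bc are placeholders.

```python
"""Added example (not from the exam page): verify the CIDR and route-table
reasoning behind Q1 with the standard library only."""
import ipaddress

VPC_A = "10.0.0.0/16"     # i-1 = 10.0.0.10
VPC_B = "192.168.0.0/16"  # i-3 = 192.168.1.10, i-4 = 192.168.1.20
VPC_C = "10.0.0.0/16"     # i-2 = 10.0.0.10, same range as VPC A
PCX_AB = "pcx-ab"         # hypothetical peering connection IDs
PCX_BC = "pcx-bc"


def valid_disjoint_subnets(cidrs, parent):
    """True only if each CIDR sits on a proper boundary, lies inside parent,
    and no two of them overlap (what the VPC API enforces for subnets)."""
    parent_net = ipaddress.ip_network(parent)
    nets = []
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # 192.168.1.16/27 has host bits set
        except ValueError:
            return False
        if not net.subnet_of(parent_net):
            return False
        nets.append(net)
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


class RouteTable:
    """Minimal model of a VPC route table: one target per destination CIDR,
    longest prefix match on lookup."""

    def __init__(self, local_cidr):
        self.routes = {ipaddress.ip_network(local_cidr): "local"}

    def add_route(self, destination, target):
        dest = ipaddress.ip_network(destination)
        if dest in self.routes:
            raise ValueError(f"{dest} already routes to {self.routes[dest]}")
        self.routes[dest] = target

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [d for d in self.routes if addr in d]
        return self.routes[max(matches, key=lambda d: d.prefixlen)] if matches else None


def single_table_conflicts():
    """Option D: one table with routes to both VPC A and VPC C cannot exist,
    because both destinations are the same 10.0.0.0/16."""
    rt = RouteTable(VPC_B)
    rt.add_route(VPC_A, PCX_AB)
    try:
        rt.add_route(VPC_C, PCX_BC)
    except ValueError:
        return True
    return False


def per_subnet_tables():
    """Options A + E: i-3's subnet routes 10.0.0.0/16 to VPC A, i-4's to VPC C.
    Returns the targets each table picks for the shared address 10.0.0.10."""
    rt_i3 = RouteTable(VPC_B)
    rt_i3.add_route(VPC_A, PCX_AB)
    rt_i4 = RouteTable(VPC_B)
    rt_i4.add_route(VPC_C, PCX_BC)
    return rt_i3.lookup("10.0.0.10"), rt_i4.lookup("10.0.0.10")


if __name__ == "__main__":
    print("option A subnets valid:", valid_disjoint_subnets(["192.168.1.0/28", "192.168.1.16/28"], VPC_B))
    print("option B subnets valid:", valid_disjoint_subnets(["192.168.1.0/27", "192.168.1.16/27"], VPC_B))
    print("single table conflicts:", single_table_conflicts())
    print("per-subnet lookups for 10.0.0.10:", per_subnet_tables())
```

The model deliberately refuses a second route for an existing destination, which is exactly why the fix has to be two subnets with two route tables rather than one table with "unique" entries.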
Q2.A legacy, on-premises web application cannot be load balanced effectively. There are both planned and
unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot
handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further
disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-
monitoring needs. Which of the following designs will meet these requirements?
- A: Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.
- B: Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.
- C: Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.
- D: Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.
solution: D (only a Network Load Balancer passes the client's source IP through to the targets unaltered; Classic and Application Load Balancers terminate the connection and expose the client address only in the X-Forwarded-For header.)
Q3.An organization processes consumer information submitted through its website. The organization's security
policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and
as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted
PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirements? (Select two.)
- A: Amazon Aurora in a private subnet
- B: Amazon CloudFront using AWS Lambda@Edge
- C: Customer-managed MySQL with Transparent Data Encryption
- D: Application Load Balancer using HTTPS listeners and targets
- E: AWS Key Management Services
solution: B, E (Lambda@Edge can call KMS to encrypt the PII fields as the request enters CloudFront, so the EC2 front end only ever handles ciphertext, and the KMS key policy lets the one decrypting service use its IAM role; TDE on MySQL (C) encrypts only at rest, leaves plaintext on the front end and does not use an IAM role.)
Q4.A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The
Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to
run in a subnet in the VPC.
Which of the following actions meet the requirements? (Select two.)
- A: The Lambda function needs an IAM role to access Amazon SQS
- B: The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the
public SQS API.
- C: The Lambda function must be assigned a public IP address to access the public Amazon SQS API.
- D: The ElastiCache server outbound security group rules must be configured to permit the Lambda function's
- E: The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.
solution: A, B (a Lambda function attached to a VPC never gets a public IP, so it reaches the public SQS API through a NAT gateway or NAT instance in a public subnet, or an SQS VPC endpoint, and its execution role must grant the SQS permissions.)
Q5.You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the
requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the
whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any
Which of the following solutions should you deploy? (Select two.)
- A: Include s3.amazonaws.com in the whitelist.
- B: Create a VPC endpoint for S3.
- C: Run Squid proxy on a NAT instance.
- D: Deploy a NAT gateway into your VPC.
- E: Utilize a security group to restrict access.
solution: B, C (only a proxy such as Squid can filter on URL; a NAT gateway forwards everything and a security group cannot match URLs. The S3 gateway endpoint gives the instance access to every bucket in the region without passing through the proxy.)
Q6.Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on nginx
server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client's IP
address in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?
- A: Modify the nginx log configuration to record value in X-Forwarded-For and use CloudFront to apply the
- B: Enable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.
- C: Use X-Forwarded-For with security groups to apply the Geographic Restriction.
- D: Modify the application code to use value of X-Forwarded-For and CloudFront to apply the Geographic
solution: D (CloudFront applies geo restriction at the edge, and behind an ELB the application can only learn the client address from the X-Forwarded-For header the load balancer appends; security groups cannot act on X-Forwarded-For (C) and access logs (B) are not real-time.)
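Whichever option is chosen, the application has to read X-Forwarded-For carefully: the client can send any value in that header, and CloudFront and the ELB only append to it. The following is an added example, not part of the exam page; the trusted range 203.0.113.0/24 stands in for the published CloudFront ranges, and the sample header is constructed.

```python
"""Added example (not from the exam page): extract the real client IP from
X-Forwarded-For behind CloudFront + ELB, resisting client-supplied hops."""
import ipaddress

# Hypothetical trusted proxy range: the addresses the ELB sees connecting to it
# (CloudFront edges). In practice, load the published CloudFront IP ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def leftmost_ip(xff):
    """The naive reading: first hop in the header. Spoofable, because the
    client can send its own X-Forwarded-For and every proxy only appends."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else None


def client_ip(xff, trusted=TRUSTED_PROXIES):
    """Walk hops from the right (the side proxies append to), skip our own
    trusted proxies, and return the first address that is not ours.
    Fail closed (None) on anything that does not parse."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop where a real address was expected
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was one of our proxies: no client address present


if __name__ == "__main__":
    # Constructed header: attacker-supplied "1.2.3.4", then the viewer IP
    # appended by CloudFront, then the CloudFront edge IP appended by the ELB.
    hdr = "1.2.3.4, 198.51.100.7, 203.0.113.9"
    print("naive:", leftmost_ip(hdr))  # 1.2.3.4 (spoofed)
    print("safe: ", client_ip(hdr))    # 198.51.100.7
```

Any blacklist, rate limit or geo check in the application must use the right-to-left value; reading the leftmost entry lets a client choose the address it is judged by.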
Q7.You run a well-architected, multi-AZ application in the eu-central-1 (Frankfurt) AWS region. The application is
hosted in a VPC and is only accessed from the corporate network. To support large volumes of data transfer
and administration of the application, you use a single 10-Gbps AWS Direct Connect connection with multiple
private virtual interfaces. As part of a review, you decide to improve the resilience of your connection to AWS
and make sure that any additional connectivity does not share the same Direct Connect routers at AWS. You
need to provide the best levels of resilience to meet the application's needs.
Which two options should you consider? (Select two.)
- A: Install a second 10-Gbps Direct Connect connection to the same Direct Connect location.
- B: Deploy an IPsec VPN over a public virtual interface on a new 10-Gbps Direct Connect connection.
- C: Install a second 10-Gbps Direct Connect connection to a Direct Connect location in eu-west-1.
- D: Deploy an IPsec VPN over the Internet to the eu-west-1 region for diversity.
- E: Install a second 10-Gbps Direct Connect connection to a second Direct Connect location for eu-central-1.
solution: C, E (a second connection at a second Direct Connect location for eu-central-1 is guaranteed to land on different AWS routers, and a connection at a location in eu-west-1, reaching the VPC through a Direct Connect gateway, adds location diversity at full 10 Gbps; an IPsec VPN (B, D) is limited to VPN tunnel bandwidth and does not meet the data-transfer needs.)
Q8.You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your
cluster members in one region must be able to connect to each other. This security group uses a self-
referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the
cluster. You need to make this database comply with out-of-region disaster recovery requirements and ensure
that the network traffic between the nodes is encrypted when travelling between regions. How should you
enable secure cluster communication while deploying additional cluster members in another AWS region?
- A: Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster
security group rules that reference each other's security group-id in each region.
- B: Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster
security group CIDR-based rules that correspond with the VPC CIDR in the other region.
- C: Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region,
and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
- D: Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region,
and create cluster security group rules that reference each other's security group-id in each region.
solution: B (security group rules cannot reference a group ID in another region, so the rules must be CIDR-based; the IPsec VPN between the regions encrypts the node traffic while it stays on private addresses.)
Q9.You have to set up an AWS Direct Connect connection to connect your on-premises to an AWS VPC. Due to
budget requirements, you can only provision a single Direct Connect port. You have two border gateway routers
at your on-premises data center that can peer with the Direct Connect routers for redundancy.
Which two design methodologies, in combination, will achieve this connectivity? (Select two.)
- A: Terminate the Direct Connect circuit on a L2 border switch, which in turn has trunk connections to the two
- B: Create two Direct Connect private VIFs for the same VPC, each with a different peer IP.
- C: Terminate the Direct Connect circuit on either one of the routers, which in turn will have an iBGP session with
the other router.
- D: Create one Direct Connect private VIF for the VPC with two customer peer IPs.
- E: Provision two VGWs for the VPC and create one Direct Connect private VIF per VGW.
solution: A, B (each private VIF carries a single BGP session with one customer peer IP, so one VIF per on-premises router is needed and D is not possible; terminating the circuit on a layer-2 switch trunked to both routers gives each router its own VLAN and BGP peering over the single port.)
Q10.Your organization needs to resolve DNS entries stored in an Amazon Route 53 private zone "awscloud.internal"
from the corporate network. An AWS Direct Connect connection with a private virtual interface is configured to
provide access to a VPC with the CIDR block 192.168.0.0/16. A DNS Resolver (BIND) is configured on an
Amazon Elastic Compute Cloud (EC2) instance with the IP address 192.168.10.5 within the VPC. The DNS
Resolver has standard root server hints configured and conditional forwarding for "awscloud.internal" to the IP
From your PC on the corporate network, you query the DNS server at 192.168.10.5 for www.amazon.com. The
query is successful and returns the appropriate response. When you query for "server.awscloud.internal", the
query times out. You receive no response.
How should you enable successful queries for "server.awscloud.internal"?
- A: Attach an internet gateway to the VPC and create a default route.
- B: Configure the VPC settings for enableDnsHostnames and enableDnsSupport as True
- C: Relocate the BIND DNS Resolver to the corporate network.
- D: Update the security group for the EC2 instance at 192.168.10.5 to allow UDP Port 53 outbound.
solution: B (a Route 53 private hosted zone is only resolvable through the VPC resolver when both enableDnsSupport and enableDnsHostnames are true; the successful lookup of www.amazon.com shows the instance already has outbound DNS, ruling out A and D, and moving BIND to the corporate network (C) would take it away from the VPC resolver altogether.)