diff --git a/README.md b/README.md index 18c2ee0..72e5867 100644 --- a/README.md +++ b/README.md 
@@ -134,7 +134,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 56 | [A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application. The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware. Which solution will meet this requirement with the LEAST operational effort?](#a-company-is-running-multiple-workloads-on-amazon-ec2-instances-in-public-subnets-in-a-recent-incident-an-attacker-exploited-an-application-vulnerability-on-one-of-the-ec2-instances-to-gain-access-to-the-instance-the-company-fixed-the-application-and-launched-a-replacement-ec2-instance-that-contains-the-updated-application-the-attacker-used-the-compromised-application-to-spread-malware-over-the-internet-the-company-became-aware-of-the-compromise-through-a-notification-from-aws-the-company-needs-the-ability-to-identify-when-an-application-that-is-deployed-on-an-ec2-instance-is-spreading-malware-which-solution-will-meet-this-requirement-with-the-least-operational-effort) | 57 | [A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB. The company tests the application with a single EC2 instance and does not observe any problems. 
However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process. What should a network engineer do to resolve this issue?](#a-company-deploys-a-new-web-application-on-amazon-ec2-instances-the-application-runs-in-private-subnets-in-three-availability-zones-behind-an-application-load-balancer-alb-security-auditors-require-encryption-of-all-connections-the-company-uses-amazon-route-53-for-dns-and-uses-aws-certificate-manager-acm-to-automate-ssltls-certificate-provisioning-ssltls-connections-are-terminated-on-the-alb-the-company-tests-the-application-with-a-single-ec2-instance-and-does-not-observe-any-problems-however-after-production-deployment-users-report-that-they-can-log-in-but-that-they-cannot-use-the-application-every-new-web-request-restarts-the-login-process-what-should-a-network-engineer-do-to-resolve-this-issue) | 58 | [A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response. 
Which configuration change should a network engineer implement to resolve this issue?](#a-company-recently-migrated-its-amazon-ec2-instances-to-vpc-private-subnets-to-satisfy-a-security-compliance-requirement-the-ec2-instances-now-use-a-nat-gateway-for-internet-access-after-the-migration-some-long-running-database-queries-from-private-ec2-instances-to-a-publicly-accessible-third-party-database-no-longer-receive-responses-the-database-query-logs-reveal-that-the-queries-successfully-completed-after-7-minutes-but-that-the-client-ec2-instances-never-received-the-response-which-configuration-change-should-a-network-engineer-implement-to-resolve-this-issue) -| 59 | [A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company is using Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. The company achieves hybrid network connectivity by using an AWS Site-to-Site VPNconnection. A new governance policy requires logging for DNS traffic that originates in the AWS Cloud. The policy also requires the company to query DNS traffic to identify the source IP address of the resources that thequery originated from, along with the DNS name that was requested. Which solution will meet these requirements?](#a-company-is-using-amazon-route-53-resolver-for-its-hybrid-dns-infrastructure-the-company-is-using-route-53-resolver-forwarding-rules-for-authoritative-domains-that-are-hosted-on-on-premises-dns-servers-the-company-achieves-hybrid-network-connectivity-by-using-an-aws-site-to-site-vpnconnection-a-new-governance-policy-requires-logging-for-dns-traffic-that-originates-in-the-aws-cloud-the-policy-also-requires-the-company-to-query-dns-traffic-to-identify-the-source-ip-address-of-the-resources-that-thequery-originated-from-along-with-the-dns-name-that-was-requested-which-solution-will-meet-these-requirements) +| 59 | [A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. 
The company is using Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. The company achieves hybrid network connectivity by using an AWS Site-to-Site VPNconnection. A new governance policy requires logging for DNS traffic that originates in the AWS Cloud. The policy also requires the company to query DNS traffic to identify the source IP address of the resources that the query originated from, along with the DNS name that was requested. Which solution will meet these requirements?](#a-company-is-using-amazon-route-53-resolver-for-its-hybrid-dns-infrastructure-the-company-is-using-route-53-resolver-forwarding-rules-for-authoritative-domains-that-are-hosted-on-on-premises-dns-servers-the-company-achieves-hybrid-network-connectivity-by-using-an-aws-site-to-site-vpnconnection-a-new-governance-policy-requires-logging-for-dns-traffic-that-originates-in-the-aws-cloud-the-policy-also-requires-the-company-to-query-dns-traffic-to-identify-the-source-ip-address-of-the-resources-that-the-query-originated-from-along-with-the-dns-name-that-was-requested-which-solution-will-meet-these-requirements) | 60 | [A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection. 
What is the MOST scalable way to add VPCs with on-premises connectivity?](#a-company-uses-aws-direct-connect-to-connect-its-corporate-network-to-multiple-vpcs-in-the-same-aws-account-and-the-same-aws-region-each-vpc-uses-its-own-private-vif-and-its-own-virtual-lan-on-the-direct-connect-connection-the-company-has-grown-and-will-soon-surpass-the-limit-of-vpcs-and-private-vifs-for-each-connection-what-is-the-most-scalable-way-to-add-vpcs-with-on-premises-connectivity) | 61 | [A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server. How should the network engineer set up the Direct Connect connection to meet these requirements?](#a-network-engineer-is-designing-a-hybrid-architecture-that-uses-a-1-gbps-aws-direct-connect-connection-between-the-companys-data-center-and-two-aws-regions-us-east-1-and-eu-west-1-the-vpcs-in-us-east-1-are-connected-by-a-transit-gateway-and-need-to-access-several-on-premises-databases-according-to-company-policy-only-one-vpc-in-eu-west-1-can-be-connected-to-one-on-premises-server-the-on-premises-network-segments-the-traffic-between-the-databases-and-the-server-how-should-the-network-engineer-set-up-the-direct-connect-connection-to-meet-these-requirements) | 62 | [A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. 
The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead. Which solution will meet these requirements?](#a-company-has-deployed-an-application-in-a-vpc-that-uses-a-nat-gateway-for-outbound-traffic-to-the-internet-a-network-engineer-notices-a-large-quantity-of-suspicious-network-traffic-that-is-traveling-from-the-vpc-over-the-internet-to-ip-addresses-that-are-included-on-a-deny-list-the-network-engineer-must-implement-a-solution-to-determine-which-aws-resources-are-generating-the-suspicious-traffic-the-solution-must-minimize-cost-and-administrative-overhead-which-solution-will-meet-these-requirements) 
@@ -158,10 +158,10 @@ We are so thankful for every contribution, which makes sure we can deliver top-n | 80 | [A company has a hybrid cloud environment. The company's data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is running a backend application in one of the VPCs. The company uses a message-oriented architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive messages from other applications over a private network. A network engineer wants to use an interface VPC endpoint for Amazon SQS for this architecture. Client services must be able to access the endpoint service from on premises and from multiple VPCs within the company's AWS infrastructure. Which combination of steps should the network engineer take to ensure that the client applications can resolve DNS for the interface endpoint? 
(Choose three.)](#a-company-has-a-hybrid-cloud-environment-the-companys-data-center-is-connected-to-the-aws-cloud-by-an-aws-direct-connect-connection-the-aws-environment-includes-vpcs-that-are-connected-together-in-a-hub-and-spoke-model-by-a-transit-gateway-the-aws-environment-has-a-transit-vif-with-a-direct-connect-gateway-for-on-premises-connectivity-the-company-has-a-hybrid-dns-model-the-company-has-configured-amazon-route-53-resolver-endpoints-in-the-hub-vpc-to-allow-bidirectional-dns-traffic-flow-the-company-is-running-a-backend-application-in-one-of-the-vpcs-the-company-uses-a-message-oriented-architecture-and-employs-amazon-simple-queue-service-amazon-sqs-to-receive-messages-from-other-applications-over-a-private-network-a-network-engineer-wants-to-use-an-interface-vpc-endpoint-for-amazon-sqs-for-this-architecture-client-services-must-be-able-to-access-the-endpoint-service-from-on-premises-and-from-multiple-vpcs-within-the-companys-aws-infrastructure-which-combination-of-steps-should-the-network-engineer-take-to-ensure-that-the-client-applications-can-resolve-dns-for-the-interface-endpoint-choose-three) | 81 | [A company's network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources. Which solution will meet these requirements?](#a-companys-network-engineer-builds-and-tests-network-designs-for-vpcs-in-a-development-account-the-company-needs-to-monitor-the-changes-that-are-made-to-network-resources-and-must-ensure-strict-compliance-with-network-security-policies-the-company-also-needs-access-to-the-historical-configurations-of-network-resources-which-solution-will-meet-these-requirements) | 82 | [A gaming company is planning to launch a globally available game that is hosted in one AWS Region. 
The game backend is hosted on Amazon EC2 instances that are part of an Auto Scaling group. The game uses the gRPC protocol for bidirectional streaming between game clients and the backend. The company needs to filter incoming traffic based on the source IP address to protect the game. Which solution will meet these requirements?](#a-gaming-company-is-planning-to-launch-a-globally-available-game-that-is-hosted-in-one-aws-region-the-game-backend-is-hosted-on-amazon-ec2-instances-that-are-part-of-an-auto-scaling-group-the-game-uses-the-grpc-protocol-for-bidirectional-streaming-between-game-clients-and-the-backend-the-company-needs-to-filter-incoming-traffic-based-on-the-source-ip-address-to-protect-the-game-which-solution-will-meet-these-requirements) -| 83 | [A company has multiple VPCs in the us-east-1 Region. The company has deployed a website in one ofthe VPCs. The company wants to implement split-view DNS so that the website is accessible internallyfrom the VPCs and externally over the internet with the same domain name, example.com. Which solution will meet these requirements?](#a-company-has-multiple-vpcs-in-the-us-east-1-region-the-company-has-deployed-a-website-in-one-ofthe-vpcs-the-company-wants-to-implement-split-view-dns-so-that-the-website-is-accessible-internallyfrom-the-vpcs-and-externally-over-the-internet-with-the-same-domain-name-examplecom-which-solution-will-meet-these-requirements) +| 83 | [A company has multiple VPCs in the us-east-1 Region. The company has deployed a website in one of the VPCs. The company wants to implement split-view DNS so that the website is accessible internally from the VPCs and externally over the internet with the same domain name, example.com. 
Which solution will meet these requirements?](#a-company-has-multiple-vpcs-in-the-us-east-1-region-the-company-has-deployed-a-website-in-one-of-the-vpcs-the-company-wants-to-implement-split-view-dns-so-that-the-website-is-accessible-internally-from-the-vpcs-and-externally-over-the-internet-with-the-same-domain-name-examplecom-which-solution-will-meet-these-requirements) | 84 | [A company has developed a new web application that processes confidential data that is hosted onAmazon EC2 instances. The application needs to scale and must use certificates to authenticate clients. The application is configured to request a client's certificate and will validate the certificate as part of the initial handshake. Which Elastic Load Balancing (ELB) solution will meet these requirements?](#a-company-has-developed-a-new-web-application-that-processes-confidential-data-that-is-hosted-onamazon-ec2-instances-the-application-needs-to-scale-and-must-use-certificates-to-authenticate-clients-the-application-is-configured-to-request-a-clients-certificate-and-will-validate-the-certificate-as-part-of-the-initial-handshake-which-elastic-load-balancing-elb-solution-will-meet-these-requirements) -| 85 | [A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the dataprivately in an S3 bucket that the company created. The company has set up an AWS Direct Connect connection with a private VIF to connect theon-premises data center to a VPC. The network engineer plans to use this Direct Connect connection forthe hybrid cloud setup. The solution must be highly available. 
What should the network engineer do next to implement this architecture?](#a-company-collects-a-high-volume-of-shipping-data-and-stores-the-data-in-an-on-premises-data-center-a-network-engineer-wants-to-use-amazon-s3-to-store-the-data-during-the-first-phase-of-a-migration-to-aws-during-this-phase-an-application-that-resides-in-the-data-center-will-need-to-access-the-dataprivately-in-an-s3-bucket-that-the-company-created-the-company-has-set-up-an-aws-direct-connect-connection-with-a-private-vif-to-connect-theon-premises-data-center-to-a-vpc-the-network-engineer-plans-to-use-this-direct-connect-connection-forthe-hybrid-cloud-setup-the-solution-must-be-highly-available-what-should-the-network-engineer-do-next-to-implement-this-architecture) -| 86 | [A company is designing infrastructure on AWS with three VPCs connected to a transit gateway. Thethree VPCs are an application VPC, a backend VPC, and an inspection VPC. The application VPC and thebackend VPC have compute instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls are deployed in the same Availability Zones in the inspection VPC, which is a shared servicesVPC. All traffic is routed through the inspection VPC through the stateful layer 7 virtual firewall appliances tocomply with a security policy that mandates traffic inspection. There are no overlapping IP addressesacross the three VPCs. A network engineer must ensure that traffic between the application VPC and thebackend VPC can route through the inspection VPC's stateful firewalls. 
Which solution will meet these requirements?](#a-company-is-designing-infrastructure-on-aws-with-three-vpcs-connected-to-a-transit-gateway-thethree-vpcs-are-an-application-vpc-a-backend-vpc-and-an-inspection-vpc-the-application-vpc-and-thebackend-vpc-have-compute-instances-deployed-in-availability-zone-a-and-availability-zone-b-stateful-firewalls-are-deployed-in-the-same-availability-zones-in-the-inspection-vpc-which-is-a-shared-servicesvpc-all-traffic-is-routed-through-the-inspection-vpc-through-the-stateful-layer-7-virtual-firewall-appliances-tocomply-with-a-security-policy-that-mandates-traffic-inspection-there-are-no-overlapping-ip-addressesacross-the-three-vpcs-a-network-engineer-must-ensure-that-traffic-between-the-application-vpc-and-thebackend-vpc-can-route-through-the-inspection-vpcs-stateful-firewalls-which-solution-will-meet-these-requirements) +| 85 | [A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the data privately in an S3 bucket that the company created. The company has set up an AWS Direct Connect connection with a private VIF to connect theon-premises data center to a VPC. The network engineer plans to use this Direct Connect connection forthe hybrid cloud setup. The solution must be highly available. 
What should the network engineer do next to implement this architecture?](#a-company-collects-a-high-volume-of-shipping-data-and-stores-the-data-in-an-on-premises-data-center-a-network-engineer-wants-to-use-amazon-s3-to-store-the-data-during-the-first-phase-of-a-migration-to-aws-during-this-phase-an-application-that-resides-in-the-data-center-will-need-to-access-the-data-privately-in-an-s3-bucket-that-the-company-created-the-company-has-set-up-an-aws-direct-connect-connection-with-a-private-vif-to-connect-theon-premises-data-center-to-a-vpc-the-network-engineer-plans-to-use-this-direct-connect-connection-forthe-hybrid-cloud-setup-the-solution-must-be-highly-available-what-should-the-network-engineer-do-next-to-implement-this-architecture) +| 86 | [A company is designing infrastructure on AWS with three VPCs connected to a transit gateway. Thethree VPCs are an application VPC, a backend VPC, and an inspection VPC. The application VPC and the backend VPC have compute instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls are deployed in the same Availability Zones in the inspection VPC, which is a shared servicesVPC. All traffic is routed through the inspection VPC through the stateful layer 7 virtual firewall appliances to comply with a security policy that mandates traffic inspection. There are no overlapping IP addresses across the three VPCs. A network engineer must ensure that traffic between the application VPC and the backend VPC can route through the inspection VPC's stateful firewalls. 
Which solution will meet these requirements?](#a-company-is-designing-infrastructure-on-aws-with-three-vpcs-connected-to-a-transit-gateway-thethree-vpcs-are-an-application-vpc-a-backend-vpc-and-an-inspection-vpc-the-application-vpc-and-the-backend-vpc-have-compute-instances-deployed-in-availability-zone-a-and-availability-zone-b-stateful-firewalls-are-deployed-in-the-same-availability-zones-in-the-inspection-vpc-which-is-a-shared-servicesvpc-all-traffic-is-routed-through-the-inspection-vpc-through-the-stateful-layer-7-virtual-firewall-appliances-to-comply-with-a-security-policy-that-mandates-traffic-inspection-there-are-no-overlapping-ip-addresses-across-the-three-vpcs-a-network-engineer-must-ensure-that-traffic-between-the-application-vpc-and-the-backend-vpc-can-route-through-the-inspection-vpcs-stateful-firewalls-which-solution-will-meet-these-requirements) | 87 | [A company hosts a public hosted zone in Amazon Route 53. The company wants to configure DNS Security Extensions (DNSSEC) signing for the public hosted zone. All the company's business-critical applications are running in the us-west-2 Region. The company has created a symmetric, customer managed, single-Region key in us-west-2 by using AWS Key Management Service (AWS KMS). A network engineer finds that the existing AWS KMS key cannot be used to create a key-signing key (KSK). 
How can the network engineer resolve this issue?](#a-company-hosts-a-public-hosted-zone-in-amazon-route-53-the-company-wants-to-configure-dns-security-extensions-dnssec-signing-for-the-public-hosted-zone-all-the-companys-business-critical-applications-are-running-in-the-us-west-2-region-the-company-has-created-a-symmetric-customer-managed-single-region-key-in-us-west-2-by-using-aws-key-management-service-aws-kms-a-network-engineer-finds-that-the-existing-aws-kms-key-cannot-be-used-to-create-a-key-signing-key-ksk-how-can-the-network-engineer-resolve-this-issue) | 88 | [A company is migrating many applications from two on-premises data centers to AWS. The company's network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2. The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs. The Direct Connect gateway is associated with transit gateways that are deployed in each Region. All traffic to and from AWS must travel through the first data center. In the event of failure, the second data center must take over the traffic. 
How should the network team configure BGP to meet these requirements?](#a-company-is-migrating-many-applications-from-two-on-premises-data-centers-to-aws-the-companys-network-team-is-setting-up-connectivity-to-the-aws-environment-the-migration-will-involve-spreading-the-applications-across-two-aws-regions-us-east-1-and-us-west-2-the-company-has-set-up-aws-direct-connect-connections-at-two-different-locations-direct-connect-connection-1-is-to-the-first-data-center-and-is-at-a-location-in-us-east-1-direct-connect-connection-2-is-to-the-second-data-center-and-is-at-a-location-in-us-west-2-the-company-has-connected-both-direct-connect-connections-to-a-single-direct-connect-gateway-by-using-transit-vifs-the-direct-connect-gateway-is-associated-with-transit-gateways-that-are-deployed-in-each-region-all-traffic-to-and-from-aws-must-travel-through-the-first-data-center-in-the-event-of-failure-the-second-data-center-must-take-over-the-traffic-how-should-the-network-team-configure-bgp-to-meet-these-requirements) | 89 | [An ecommerce company has a business-critical application that runs on Amazon EC2 instances in a VPC. The company's development team has been testing a new version of the application on test EC2 instances. The development team wants to test the new application version against production traffic to address any problems that might occur before the company releases the new version across all servers. Which solution will meet this requirement with no impact on the end user's experience?](#an-ecommerce-company-has-a-business-critical-application-that-runs-on-amazon-ec2-instances-in-a-vpc-the-companys-development-team-has-been-testing-a-new-version-of-the-application-on-test-ec2-instances-the-development-team-wants-to-test-the-new-application-version-against-production-traffic-to-address-any-problems-that-might-occur-before-the-company-releases-the-new-version-across-all-servers-which-solution-will-meet-this-requirement-with-no-impact-on-the-end-users-experience) 
@@ -707,7 +707,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n - [x] Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds. - [ ] Close idle TCP connections through the NAT gateway. -### A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company is using Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. The company achieves hybrid network connectivity by using an AWS Site-to-Site VPNconnection. A new governance policy requires logging for DNS traffic that originates in the AWS Cloud. The policy also requires the company to query DNS traffic to identify the source IP address of the resources that thequery originated from, along with the DNS name that was requested. Which solution will meet these requirements? +### A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company is using Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. The company achieves hybrid network connectivity by using an AWS Site-to-Site VPNconnection. A new governance policy requires logging for DNS traffic that originates in the AWS Cloud. The policy also requires the company to query DNS traffic to identify the source IP address of the resources that the query originated from, along with the DNS name that was requested. Which solution will meet these requirements? - [ ] Create VPC flow logs for all VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the IP address and DNS name. - [x] Configure Route 53 Resolver query logging for all VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the IP address and DNS name. 
@@ -928,7 +928,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n **[⬆ Back to Top](#table-of-contents)** -### A company has multiple VPCs in the us-east-1 Region. The company has deployed a website in one ofthe VPCs. The company wants to implement split-view DNS so that the website is accessible internallyfrom the VPCs and externally over the internet with the same domain name, example.com. Which solution will meet these requirements? +### A company has multiple VPCs in the us-east-1 Region. The company has deployed a website in one of the VPCs. The company wants to implement split-view DNS so that the website is accessible internally from the VPCs and externally over the internet with the same domain name, example.com. Which solution will meet these requirements? - [ ] Change the DHCP options for each VPC to use the IP address of an on-premises DNS server. Create a private hosted zone and a public hosted zone for example.com. Map the private hosted zone to the website's internal IP address. Map the public hosted zone to the website's external IP address. - [x] Create Amazon Route 53 private hosted zones and public hosted zones that have the same name, example.com. Associate the VPCs with the private hosted zone. Create records in each hosted zone that determine how traffic is routed. 
@@ -946,7 +946,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n **[⬆ Back to Top](#table-of-contents)** -### A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the dataprivately in an S3 bucket that the company created. The company has set up an AWS Direct Connect connection with a private VIF to connect theon-premises data center to a VPC. The network engineer plans to use this Direct Connect connection forthe hybrid cloud setup. The solution must be highly available. What should the network engineer do next to implement this architecture? +### A company collects a high volume of shipping data and stores the data in an on-premises data center. A network engineer wants to use Amazon S3 to store the data during the first phase of a migration to AWS. During this phase, an application that resides in the data center will need to access the data privately in an S3 bucket that the company created. The company has set up an AWS Direct Connect connection with a private VIF to connect theon-premises data center to a VPC. The network engineer plans to use this Direct Connect connection forthe hybrid cloud setup. The solution must be highly available. What should the network engineer do next to implement this architecture? - [ ] Configure an S3 gateway endpoint in the VPC. Update VPC route tables to route traffic to the S3 gateway endpoint. Configure the S3 gateway endpoint DNS name in the on-premises application. - [x] Configure an S3 interface endpoint in the VPC. Configure the S3 interface endpoint DNS name in the on-premises application. 
@@ -955,7 +955,7 @@ We are so thankful for every contribution, which makes sure we can deliver top-n **[⬆ Back to Top](#table-of-contents)** -### A company is designing infrastructure on AWS with three VPCs connected to a transit gateway. Thethree VPCs are an application VPC, a backend VPC, and an inspection VPC. The application VPC and thebackend VPC have compute instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls are deployed in the same Availability Zones in the inspection VPC, which is a shared servicesVPC. All traffic is routed through the inspection VPC through the stateful layer 7 virtual firewall appliances tocomply with a security policy that mandates traffic inspection. There are no overlapping IP addressesacross the three VPCs. A network engineer must ensure that traffic between the application VPC and thebackend VPC can route through the inspection VPC's stateful firewalls. Which solution will meet these requirements? +### A company is designing infrastructure on AWS with three VPCs connected to a transit gateway. Thethree VPCs are an application VPC, a backend VPC, and an inspection VPC. The application VPC and the backend VPC have compute instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls are deployed in the same Availability Zones in the inspection VPC, which is a shared servicesVPC. All traffic is routed through the inspection VPC through the stateful layer 7 virtual firewall appliances to comply with a security policy that mandates traffic inspection. There are no overlapping IP addresses across the three VPCs. A network engineer must ensure that traffic between the application VPC and the backend VPC can route through the inspection VPC's stateful firewalls. Which solution will meet these requirements? - [ ] Create IPsec VPN connections between the transit gateway and the virtual firewall appliances. 
- [ ] Configure Virtual Router Redundancy Protocol (VRRP) on the virtual firewall appliances. diff --git a/images/ebook.jpg b/images/ebook.jpg new file mode 100644 index 0000000..1e3b621 Binary files /dev/null and b/images/ebook.jpg differ diff --git a/images/ebook.png b/images/ebook.png deleted file mode 100644 index 8c326ad..0000000 Binary files a/images/ebook.png and /dev/null differ
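Review bot: the hunk at `@@ -134,7 +134,7 @@` fixes only one of the two run-together words in entry 59: "VPNconnection" is still missing a space in both the link text and the slug (`-site-to-site-vpnconnection-`) on the `+` line. Since GitHub derives the anchor from the heading text, suggest changing the text to `AWS Site-to-Site VPN connection` and the slug to `-site-to-site-vpn-connection-` here, and making the same change to the matching `###` heading so the table-of-contents link keeps resolving. The `thequery` to `the-query` slug update is correct and consistent with the heading hunk.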
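Review bot: the hunk at `@@ -158,10 +158,10 @@` leaves several run-together words on its `+` lines: entry 85 still reads "theon-premises" and "forthe" (slug `theon-premises`, `forthe`), and entry 86 still reads "Thethree" and "servicesVPC" (slug `thethree`, `servicesvpc`). Entry 84, which sits between the changed lines, has "hosted onAmazon EC2 instances" with slug `onamazon`. Suggest fixing these in the same pass and regenerating each slug, because every anchor in this table must match the auto-generated id of its `###` heading or the link silently stops working; the fixes that are present (entry 83 `of-the`, `internally-from`; entry 85 `data-privately`; entry 86 `the-backend`, `to-comply`, `addresses-across`) are correct and match their heading hunks.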
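Review bot: in the hunk at `@@ -707,7 +707,7 @@` the `+` heading line for question 59 still contains "VPNconnection"; the `the query` fix is consistent with the TOC slug change, so the link resolves, but any further edit to this heading must be mirrored in the TOC entry or the anchor will break.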
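Review bot: in the hunk at `@@ -946,7 +946,7 @@` the `+` heading line for question 85 keeps "theon-premises" and "forthe"; suggest `the on-premises data center` and `for the hybrid cloud setup`, applied together with the corresponding TOC slug so the heading id and the link stay in sync.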
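Review bot: in the hunk at `@@ -955,7 +955,7 @@` the `+` heading line for question 86 keeps "Thethree" and "servicesVPC"; suggest `The three VPCs` and `shared services VPC`, again mirrored in the TOC slug (`the-three`, `services-vpc`).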
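Review bot: the binary changes delete `images/ebook.png` and add `images/ebook.jpg`, but no hunk in this diff updates a reference from `ebook.png` to `ebook.jpg` in README.md. If the README embeds that image, the link will break after this merge; suggest either including the reference update in this change or confirming the file is not referenced.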