A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these requirements?
A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
D. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?
A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway. A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner. What should the network engineer do to meet these requirements?
A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
B. Change the router configurations to summarize the advertised routes.
C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. Which solution will meet these requirements?
A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.
B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.
C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue. A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification, update metadata in DynamoDB, and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances. Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?
A. Place the EC2 instances in a public subnet. Disable the Auto-assign Public IP option while launching the EC2 instances. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.
B. Place the EC2 instances in a private subnet. Create a NAT gateway in a public subnet in the same Availability Zone. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.
C. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.
D. Place the EC2 instances in a private subnet. Create a gateway VPC endpoint for Amazon SQS. Create interface VPC endpoints for Amazon S3 and DynamoDB.
A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application. The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware. Which solution will meet this requirement with the LEAST operational effort?
A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.
A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80. When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges. Which solution will meet these requirements in the MOST operationally efficient manner?
A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.
B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.
C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address range. Update the prefix list with the new IP address range when the company adds a new partner.
D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.
A company has set up hybrid connectivity between its VPCs and its on-premises data center. The company has the on-premises.example.com subdomain configured at its DNS server in the on-premises data center. The company is using the aws.example.com subdomain for workloads that run on AWS across different VPCs and accounts. Resources in both environments can access each other by using IP addresses. The company wants workloads in the VPCs to be able to access resources on premises by using the on-premises.example.com DNS names. Which solution will meet these requirements with MINIMUM management of resources?
A. Create an Amazon Route 53 Resolver outbound endpoint. Configure a Resolver rule that conditionally forwards DNS queries for on-premises.example.com to the on-premises DNS server. Associate the rule with the VPCs.
B. Create an Amazon Route 53 Resolver inbound endpoint and a Resolver outbound endpoint. Configure a Resolver rule that conditionally forwards DNS queries for on-premises.example.com to the on-premises DNS server. Associate the rule with the VPCs.
C. Launch an Amazon EC2 instance. Install and configure BIND software to conditionally forward DNS queries for on-premises.example.com to the on-premises DNS server. Configure the EC2 instance's IP address as a custom DNS server in each VPC.
D. Launch an Amazon EC2 instance in each VPC. Install and configure BIND software to conditionally forward DNS queries for on-premises.example.com to the on-premises DNS server. Configure the EC2 instance's IP address as a custom DNS server in each VPC.
A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group. The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application. Which combination of steps should a network engineer take to meet these requirements? (Choose two.)
A. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
B. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
C. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.
D. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.
E. Forward all requests to the web application target group. Edit the web application target group and disable stickiness.
A company has a 2 Gbps AWS Direct Connect hosted connection from the company's office to a VPC in the ap-southeast-2 Region. A network engineer adds a 5 Gbps Direct Connect hosted connection from a different Direct Connect location in the same Region. The hosted connections are connected to different routers from the office with an iBGP session running in between the routers. The network engineer wants to ensure that the VPC uses the 5 Gbps hosted connection to route traffic to the office. Failover to the 2 Gbps hosted connection must occur when the 5 Gbps hosted connection is down. Which solution will meet these requirements?
A. Configure an outbound BGP policy from the router that is connected to the 2 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.
B. Advertise a longer prefix route from the router that is connected to the 2 Gbps connection.
C. Advertise a less specific route from the router that is connected to the 5 Gbps connection.
D. Configure an outbound BGP policy from the router that is connected to the 5 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.