A company has two AWS accounts one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?

1. A. * 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gatewa
2. B. Provide the Connectivity account I
3. C. Enable the feature to allow external accounts* 2. In the Connectivity account: Accept the resource.* 3. In the Connectivity account: Create an attachment to the VPC subnets.* 4. In the Production account: Accept the attachmen
4. D. Associate a route table with the attachment.
5. E. * 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnet
6. F. Provide the Connectivity account I
7. G. Enable the feature to allow external accounts.* 2. In the Connectivity account: Accept the resource.* 3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.* 4. In the Connectivity account: Accept the attachmen
8. H. Associate a route table with the attachment.
9. I. * 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnet
10. J. Provide the Production account I
11. K. Enable the feature to allow external accounts.* 2. In the Production account: Accept the resource.* 3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.* 4. In the Production account: Accept the attachmen
12. L. Associate a route table with the attachment.
13. M. * 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gatewa
14. N. Provide the Production account ID Enable the feature to allow external accounts.* 2. In the Production account: Accept the resource.* 3. In the Production account: Create an attachment to the VPC subnets.* 4. In the Connectivity account: Accept the attachmen
15. O. Associate a route table with the attachment.

Correct Answer: A
step 1: In the Production account, create a resource share in AWS Resource Access Manager for the transit gateway and provide the Connectivity account ID. Enabling the feature to allow external accounts is also required to share resources between accounts. Step 2: In the Connectivity account, accept the shared resource. This action will allow the Production account to use the transit gateway in the Connectivity account. Step 3: In the Connectivity account, create an attachment to the VPC subnets. This attachment will enable communication between the VPC in the Production account and the transit gateway in the Connectivity account. Step 4: In the Production account, accept the attachment and associate a route table with the attachment. This will enable the VPC to route traffic through the transit gateway to other resources in the Connectivity account.

A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission.
How should a network engineer configure the AWS resources to meet these requirements?

1. A. Create a static source multicast domain within the transit gatewa
2. B. Associate the VPCs and applicable subnets with the multicast domai
3. C. Register the multicast senders' network interface with the multicast domai
4. D. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
5. E. Create a static source multicast domain within the transit gatewa
6. F. Associate the VPCs and applicable subnets with the multicast domai
7. G. Register the multicast senders' network interface with the multicast domai
8. H. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.
9. I. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway.Associate the VPCs and applicable subnets with the multicast domai
10. J. Register the multicast senders' network interface with the multicast domai
11. K. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
12. L. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway.Associate the VPCs and applicable subnets with the multicast domai
13. M. Register the multicast senders' network interface with the multicast domai
14. N. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

Correct Answer: C

A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?

1. A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
2. B. Change the router configurations to summarize the advertised routes.
3. C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
4. D. Create an AWS Transit Gatewa
5. E. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.

Correct Answer: B
"If you advertise more than 100 routes each for IPv4 and IPv6 over the BGP session, the BGP session will go into an idle state with the BGP session DOWN."https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service example com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)

1. A. Create a self-signed certificate for service.example.co
2. B. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificat
3. C. Change the default behavior to redirect HTTP to HTTPS.
4. D. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificat
5. E. Change the default behavior to redirect HTTP to HTTPS.
6. F. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instance
7. G. Configure the backend to use this certificate for its HTTPS listene
8. H. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its target
9. I. Attach the existing Auto Scaling group to this new target group.
10. J. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instance
11. K. Configure the backend to use this certificate for its HTTPS listene
12. L. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its target
13. M. Attach the existing Auto Scaling group to this new target group.
14. N. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificat
15. O. Modify the CloudFront origin to use the HTTPS protocol onl
16. P. Delete the HTTPlistener on the ALB.
17. Q. Create a self-signed certificate for service-alb.example.co
18. R. Import the certificate into AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificat
19. S. Modify the CloudFront origin to use the HTTPS protocol onl
20. T. Delete the HTTP listener on the ALB.

Correct Answer: BDE

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?

1. A. Install the AWS Load Balancer Controller for Kubernete
2. B. Using that controller, configure a NetworkLoad Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
3. C. Install the AWS Load Balancer Controller for Kubernete
4. D. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
5. E. Create a target grou
6. F. Add the EKS managed node group's Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
7. G. Create a target grou
8. H. Add the EKS managed node group’s Auto Scaling group as a targe
9. I. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Correct Answer: B
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-gro