A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2.
A network engineer must implement connectivity between VPC-B and the on-premises data center in Dublin. Which solutions will meet these requirements? (Choose two.)

1. A. Configure inter-Region VPC peering between VPC-A and VPC-
2. B. Add the required VPC peering route
3. C. Add the VPC-B CIDR block in the allowed prefixes on the Direct Connect gateway association.
4. D. Associate TGW-B with the Direct Connect gatewa
5. E. Advertise the VPC-B CIDR block under the allowed prefixes.
6. F. Configure another transit VIF on the Direct Connect connection and associate TGW-
7. G. Advertise the VPC-B CIDR block under the allowed prefixes.
8. H. Configure inter-Region transit gateway peering between TGW-A and TGW-
9. I. Add the peering routes in the transit gateway route table
10. J. Add both the VPC-A and the VPC-B CIDR block under the allowed prefix list in the Direct Connect gateway association.
11. K. Configure an AWS Site-to-Site VPN connection over the transit VIF to TGW-B as a VPN attachment.

Correct Answer: BC
* B. Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block under the allowed prefixes. This will allow traffic from VPC-B to be sent over the Direct Connect connection to the on-premises data center via TGW-B. C. Configure another transit VIF on the Direct Connect connection and associate TGW-B. Advertise the VPC-B CIDR block under theallowed prefixes. This will enable the use of the Direct Connect connection for VPC-B's traffic by connecting TGW-B to the Direct Connect gateway.

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?

1. A. Create an internet gateway and a NAT gateway in the VP
2. B. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
3. C. Create an internet gateway and a NAT instance in the VP
4. D. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
5. E. Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables topointIPv6 traffic to the egress-only internet gateway.
6. F. Create an egress-only internet gateway in the VP
7. G. Configure a security group that denies all inbound traffi
8. H. Associate the security group with the egress-only internet gateway.

Correct Answer: C

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

1. A. Inbound; Protocol tcp; Source [Instance’s EIP]; Destination 169.254.169.254
2. B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
3. C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
4. D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443

Correct Answer: C
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
To view all categories of instance metadata from within a running instance, use the following URI.
http://169.254.169.254/latest/meta-data/

A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs.
Which route table configurations on the transit gateway will meet these requirements?

1. A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VP
2. B. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
3. C. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VP
4. D. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.
5. E. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPCreate an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
6. F. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disable
7. G. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

Correct Answer: A

A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification update metadata in DynamoDB and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?

1. A. Place the EC2 instances in a public subne
2. B. Disable the Auto-assign Public IP option while launching the EC2 instance
3. C. Create an internet gatewa
4. D. Attach the internet gateway to the VP
5. E. In the public subnet's route table, add a default route that points to the internet gateway.
6. F. Place the EC2 instances in a private subne
7. G. Create a NAT gateway in a public subnet in the same Availability Zon
8. H. Create an internet gatewa
9. I. Attach the internet gateway to the VP
10. J. In the public subnet's route table, add a default route that points to the internet gateway
11. K. Place the EC2 instances in a private subne
12. L. Create an interface VPC endpoint for Amazon SQ
13. M. Creategateway VPC endpoints for Amazon S3 and DynamoDB.
14. N. Place the EC2 instances in a private subne
15. O. Create a gateway VPC endpoint for Amazon SQS.Create interface VPC endpoints for Amazon S3 and DynamoDB.

Correct Answer: C