An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations.
Auto Scaling is properly configured, and no Elastic Load Balancing is used.
Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: “There are not enough free addresses in subnet ‘subnet-12345677’ to satisfy the requested number of instances.”
What action will resolve the availability problem?

1. A. Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CID
2. B. Include the new subnet in the Auto Scaling group.
3. C. Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CID
4. D. Include the new subnet in the Auto Scaling group.
5. E. Resize the IPv6 CIDR on each of the existing subnet
6. F. Modify the Auto Scaling group maximum number of instances.
7. G. Add a secondary IPv4 CIDR to the Amazon VP
8. H. Assign secondary IPv4 address space to each of the existing subnets.

Correct Answer: B

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?

1. A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only
2. B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
3. C. Associate an AWS WAF web ACL with the ALB
4. D. and create a security rule to enforce forward secrecy (FS)
5. E. Change the ALB security policy to a policy that supports forward secrecy (FS)

Correct Answer: D

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

1. A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listener
2. B. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
3. C. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listener
4. D. Create an AWS Global Accelerator accelerator in front of the NLUse Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
5. E. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listener
6. F. Create an AWS Global Accelerator accelerator in front of the AL
7. G. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator
8. H. Place the EC2 instances behind an Amazon CloudFront distributio
9. I. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Correct Answer: B

A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway.
Which solution will meet these requirements?

1. A. Create a new VPC for the SD-WAN hub virtual applianc
2. B. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gatewa
3. C. Configure BGP over the IPsec VPN connections
4. D. Assign a new CIDR block to the transit gatewa
5. E. Create a new VPC for the SD-WAN hub virtual applianc
6. F. Attach the new VPC to the transit gateway with a VPC attachmen
7. G. Add a transit gateway Connect attachmen
8. H. Create a Connect peer and specify the GRE and BGP parameter
9. I. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.
10. J. Create a new VPC for the SD-WAN hub virtual applianc
11. K. Attach the new VPC to the transit gateway with a VPC attachmen
12. L. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gatewa
13. M. Configure BGP over the IPsec VPN connections.
14. N. Assign a new CIDR block to the transit gatewa
15. O. Create a new VPC for the SD-WAN hub virtual applianc
16. P. Attach the new VPC to the transit gateway with a VPC attachmen
17. Q. Add a transit gateway Connect attachmen
18. R. Create a Connect peer and specify the VXLAN and BGP parameter
19. S. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

Correct Answer: D

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?

1. A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Log
2. B. Create a CloudWatch Logs metric filter for the log group for rejected traffi
3. C. Create an alarm to notify the network engineer.
4. D. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Log
5. E. Create a CloudWatch Logs metric filter for the log group for all traffi
6. F. Create an alarm to notify the network engineer
7. G. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the sourc
8. H. Specify the EC2 instances as the destinatio
9. I. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connectio
10. J. Createan AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security groupoccurs.
11. K. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the sourc
12. L. Specify the EC2 instances as the destinatio
13. M. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connectio
14. N. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fai
15. O. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

Correct Answer: C