A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?

1. A. Use the ALB to inspect the authorized token inside the GET/POST request payloa
2. B. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.
3. C. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payloa
4. D. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.
5. E. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payloa
6. F. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
7. G. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payloa
8. H. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.

Correct Answer: C

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

1. A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
2. B. Set up AWS WAF on all network components.
3. C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
4. D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
5. E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
6. F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct Answer: DEF
To meet the requirements for the healthcare company’s workload that is moving to the AWS Cloud, the network engineer should take the following steps:
Use AWS Direct Connect with MACsec support for connectivity to the cloud to ensure that all data to and from the on-premises environment is encrypted in transit (Option D).
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection to inspect all traffic in the cloud before it is allowed to leave (Option E).
Configure AWS Shield Advanced and ensure that it is configured on all public assets to secure components exposed to the internet against DDoS attacks and provide protection against financial liability for services that scale out during a DDoS event (Option F).
These steps will help ensure that all data is encrypted in transit, all traffic is inspected before leaving the cloud, and components exposed to the internet are secured against DDoS attacks.

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet ofapplication servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.
What design will use the LEAST amount of IP space, while allowing for this growth?

1. A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.
2. B. Use one /29 subnet for the Network Load Balance
3. C. Add another VPC CIDR to the VPC to allow for future growth.
4. D. Use two /28 subnets for a Network Load Balancer in different Availability Zones.
5. E. Use one /28 subnet for an Application Load Balance
6. F. Add another VPC CIDR to the VPC to allow for future growth.

Correct Answer: C

A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an
on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit.
Which solution will meet these requirements?

1. A. Create a Direct Connect public VI
2. B. Set up an IPsec VPN connection over the public VIF to access Amazon S3. Use HTTPS for communication.
3. C. Create an IPsec VPN connection over the transit VI
4. D. Create a VPC and attach the VPC to the transit gatewa
5. E. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.
6. F. Create a VPC and attach the VPC to the transit gatewa
7. G. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.
8. H. Create a Direct Connect public VI
9. I. Set up an IPsec VPN connection over the public VIF to the transit gatewa
10. J. Create an attachment for Amazon S3. Use HTTPS for communication.

Correct Answer: B

An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

1. A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listener
2. B. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
3. C. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listener
4. D. Create an AWS Global Accelerator accelerator in front of the NLUse Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
5. E. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listener
6. F. Create an AWS Global Accelerator accelerator in front of the AL
7. G. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator
8. H. Place the EC2 instances behind an Amazon CloudFront distributio
9. I. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Correct Answer: B