An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

1. A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
2. B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
3. C. Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.
4. D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

Correct Answer: C
https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.
The on-premises data center's customer gateway is configured with a stateful firewall device thatfilters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.
Which solution will meet these requirements with the LEAST amount of operational overhead?

1. A. Create a VPN connection over the Direct Connect connection by using the on-premises firewal
2. B. Use the firewall to block all traffic from on premises to AW
3. C. Allow a stateful connection from the EC2 instances to initiate the requests.
4. D. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instance
5. E. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
6. F. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deploye
7. G. Specify the NAT gateway type as privat
8. H. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
9. I. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed.Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT instance.

Correct Answer: C

A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal.
The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams.
The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

1. A. Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access.
2. B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VP
3. C. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS server
4. D. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.
5. E. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.
6. F. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWSaccount to resolve queries for this domain.
7. G. Launch two Amazon EC2 instances in the shared AWS accoun
8. H. Install BIND on each instanc
9. I. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS accoun
10. J. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS server
11. K. Set the forwarding IP addresses to the IP addresses of the BIND servers.
12. L. Create a private hosted zone in the shared AWS account for each account that runs the service.Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.

Correct Answer: ABD
To meet the requirements of updating the DNS registration process while maximizing cost-effectiveness and minimizing configuration changes, the network engineer should take the following steps:
Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint’s IP addresses that were created (Option B).
Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain (Option D).
Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access (Option A).
These steps will allow service creators to register their DNS records while keeping costs low and minimizing configuration changes.

A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1.
The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency.
How should the network engineer design the network architecture to meet these requirements?

1. A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VI
2. B. Associate the transit gateway in us-east-1 with the same Direct Connect gatewa
3. C. Enable SiteLink for the transit VIF and the private VIF.
4. D. Connect the VPC in eu-west-2 to a new transit gatewa
5. E. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VI
6. F. Associate the transit gateway in us-east-1 with the same Direct Connect gatewa
7. G. Enable SiteLink for both transit VIF
8. H. Peer the two transit gateways.
9. I. Connect the VPC in eu-west-2 to a new transit gatewa
10. J. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VI
11. K. Create a new Direct Connect gatewa
12. L. Associate the transit gateway in us-east-1 with the new Direct Connect gatewa
13. M. Enable SiteLink for both transit VIF
14. N. Peer the two transit gateways.
15. O. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VI
16. P. Create a new Direct Connect gatewa
17. Q. Associate the transit gateway in us-east-1 with the new Direct Connect gatewa
18. R. Enable SiteLink for the transit VIF and the private VIF.

Correct Answer: C

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?

1. A. Configure the two network interfaces in the launch templat
2. B. Define the primary network interface to be created in one of the private subnet
3. C. For the second network interface, select one of the public subnet
4. D. Choose the BYOIP pool ID as the source of public IP addresses.
5. E. Configure the primary network interface in a private subnet in the launch templat
6. F. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
7. G. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launchin
8. H. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
9. I. During creation of the Auto Scaling group, select subnets for the primary network interfac
10. J. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Correct Answer: D
During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.
This solution meets all of the requirements stated in the question. The primary network interface can be configured in a private subnet during creation of the Auto Scaling group. The user data option can be used to run a cloud-init script that will allocate a second network interface and associate an Elastic IP address from the BYOIP pool with it.