A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application
Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80.
When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges.
Which solution will meet these requirements in the MOST operationally efficient manner?

1. A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be update
2. B. Update the DynamoDB table with the new IP address range when the company adds a new partne
3. C. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security group
4. D. Deploy this solution in all accounts.
5. E. Create a new prefix lis
6. F. Add all allowed IP address ranges to the prefix lis
7. G. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix lis
8. H. Deploy this solution in all accounts.
9. I. Create a new prefix lis
10. J. Add all allowed IP address ranges to the prefix lis
11. K. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address rang
12. L. Update the prefix list with the new IP address range when the company adds a new partner.
13. M. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be update
14. N. Update the S3 bucket with the new IP address range when the company adds a new partne
15. O. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security group
16. P. Deploy this solution in all accounts.

Correct Answer: C
Creating a new prefix list and adding all allowed IP address ranges to the prefix list would enable grouping of CIDR blocks that can be referenced in security group rules3. Sharing the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM)would enable central management of the partner network IP address ranges5. Updating security groups to use the prefix list instead of the partner IP address range would enable simplification of security group rules3. Updating the prefix list with the new IP address range when the company adds a new partner would enable automatic propagation of the changes to all security groups that use the prefix list3.

A global company operates all its non-production environments out of three AWS Regions: eu-west-1,
us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps.
The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architecture and allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers. This traffic will increase over time.
Which solution will meet these requirements?

1. A. Set up an AWS Direct Connect connection from each data center to AWS in each Regio
2. B. Create and attach private VIFs to a single Direct Connect gatewa
3. C. Attach the Direct Connect gateway to all the VPC
4. D. Remove the existing VPN connections that are attached directly to the virtual private gateways.
5. E. Create a single transit gateway with VPN connections from each data cente
6. F. Share the transit gateway with each account by using AWS Resource Access Manager (AWS RAM). Attach the transit gateway to each VP
7. G. Remove the existing VPN connections that are attached directly to the virtual private gateways.
8. H. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data cente
9. I. Share the transit gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each VPRemove the existing VPN connections that are attached directly to the virtual private gateways.
10. J. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VP
11. K. Create new VPN connections from each data center to the transit VPC
12. L. Terminate the original VPN connections that are attached to all the original VPC
13. M. Retain the new VPN connection to the new transit VPC in each Region.

Correct Answer: C

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

1. A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
2. B. Set up AWS WAF on all network components.
3. C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
4. D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
5. E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
6. F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.

Correct Answer: DEF
To meet the requirements for the healthcare company’s workload that is moving to the AWS Cloud, the network engineer should take the following steps:
Use AWS Direct Connect with MACsec support for connectivity to the cloud to ensure that all data to and from the on-premises environment is encrypted in transit (Option D).
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection to inspect all traffic in the cloud before it is allowed to leave (Option E).
Configure AWS Shield Advanced and ensure that it is configured on all public assets to secure components exposed to the internet against DDoS attacks and provide protection against financial liability for services that scale out during a DDoS event (Option F).
These steps will help ensure that all data is encrypted in transit, all traffic is inspected before leaving the cloud, and components exposed to the internet are secured against DDoS attacks.

An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?

1. A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the AL
2. B. Configure the Auto Scaling group to register instances with the ALB's target group.
3. C. Create an Amazon CloudFront distributio
4. D. Configure the distribution with a custom SSL/TLS certificat
5. E. Set the Auto Scaling group as the distribution's origin.
6. F. Create a Network Load Balancer (NLB). Add a TCP listener to the NL
7. G. Configure the Auto Scaling group to register instances with the NLB's target group.
8. H. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.

Correct Answer: C
To distribute traffic from customers to EC2 instances in an Auto Scaling group and encrypt all traffic at all stages between the customers and the application servers without decryption at intermediate points, the company should create a Network Load Balancer (NLB) with a TCP listener and configure the Auto Scaling group to register instances with the NLB’s target group (Option C). This solution allows for end-to-end encryption of traffic without decryption at intermediate points.