A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?

1. A. Create an Amazon S3 bucke
2. B. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluste
3. C. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda functio
4. D. Configure flow logs for the firewal
5. E. Set the S3 bucket as the destination.
6. F. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destinatio
7. G. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
8. H. Configure flow logs for the firewal
9. I. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
10. J. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destinatio
11. K. Configure flow logs for the firewal
12. L. Set the Kinesis data stream as the destination for the Network Firewall flow logs.

Correct Answer: B
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-usin

A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall.
Which change should a network engineer implement to meet these requirements?

1. A. Update the DNS Firewall VPC configuration to disable fail open for the VPC.
2. B. Update the DNS Firewall VPC configuration to enable fail open for the VPC.
3. C. Create a new DHCP options set with parameter dns_firewall_fail_open=fals
4. D. Associate the new DHCP options set with the VPC.
5. E. Create a new DHCP options set with parameter dns_firewall_fail_open=tru
6. F. Associate the new DHCP options set with the VPC.

Correct Answer: B

A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

1. A. Enable VPC flow logs on the NAT gateway's elastic network interfac
2. B. Publish the logs to a log group in Amazon CloudWatch Log
3. C. Use CloudWatch Logs Insights to query and analyze the logs.
4. D. Enable NAT gateway access log
5. E. Publish the logs to a log group in Amazon CloudWatch Log
6. F. Use CloudWatch Logs Insights to query and analyze the logs.
7. G. Configure Traffic Mirroring on the NAT gateway's elastic network interfac
8. H. Send the traffic to an additional EC2 instanc
9. I. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
10. J. Enable VPC flow logs on the NAT gateway's elastic network interfac
11. K. Publish the logs to an Amazon S3 bucke
12. L. Create a custom table for the S3 bucket in Amazon Athena to describe the log structur
13. M. Use Athena to query and analyze the logs.
14. N. Enable NAT gateway access log
15. O. Publish the logs to an Amazon S3 bucke
16. P. Create a custom table for the S3 bucket in Amazon Athena to describe the log structur
17. Q. Use Athena to query and analyze the logs.

Correct Answer: AD
To investigate the increased usage of a NAT gateway in a VPC architecture with ALBs and backend EC2 instances, a network engineer can use the following options:
Enable VPC flow logs on the NAT gateway’s elastic network interface and publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
(Option A)
Enable VPC flow logs on the NAT gateway’s elastic network interface and publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure and use Athena to query and analyze the logs. (Option D)
These options allow for detailed analysis of traffic through the NAT gateway to identify the source of increased usage.

A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone for aws.example.com to host the VPC resources.
The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. The company's on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in the VPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the on-premises data center. The company has deckled to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints.
Which combination of steps should a network engineer take to make this replacement? (Choose three.)

1. A. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the outbound endpoint.
2. B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
3. C. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.
4. D. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
5. E. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.
6. F. Configure the on-premises DNS resolver to forward aws.example.com queries to the IP addresses of the outbound endpoint.

Correct Answer: BCE
To replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints in a hybrid architecture where on-premises applications need to communicate with applications running in a VPC, a network engineer should take the following steps:
Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint. (Option C)
Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint. (Option B)
Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver. (Option E)
These steps will allow for seamless replacement of the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints and enable communication between on-premises and VPC applications.

A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?

1. A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual applianc
2. B. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
3. C. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
4. D. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
5. E. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.

Correct Answer: A