An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

1. A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
2. B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
3. C. Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.
4. D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.

Correct Answer: C
https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

1. A. The NAT gateway does not support UDP traffic.
2. B. The authentication server is not accepting traffic.
3. C. The NAT gateway cannot allocate more ports.
4. D. The NAT gateway is launched in a private subnet.

Correct Answer: C
Ref:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
"A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch."

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?

1. A. Install the AWS Load Balancer Controller for Kubernete
2. B. Using that controller, configure a NetworkLoad Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
3. C. Install the AWS Load Balancer Controller for Kubernete
4. D. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
5. E. Create a target grou
6. F. Add the EKS managed node group's Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
7. G. Create a target grou
8. H. Add the EKS managed node group’s Auto Scaling group as a targe
9. I. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Correct Answer: B
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-gro

An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the ‘Remote’ (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:
AWSTemplateFormation Version: 2010-09-09 Parameters:
Originating VCId: Type: String RemoteVPCId: Type: String
RemoteVPCAccountId: Type: String Resources:
newVPCPeeringConnection:
Type: ‘AWS::EC2::VPCPeeringConnection’
Properties:
VpcdId: !Ref OriginatingVPCId PeerVpcId: !Ref RemoteVPCId PeerOwnerId: !Ref RemoteVPCAccountId
Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

1. A. Resources:NewEC2SecurityGroup:Type: AWS::EC2::SecurityGroup
2. B. Resources:NetworkInterfaceToRemoteVPC:Type: “AWS::EC2NetworkInterface”
3. C. Resources:newEC2Route:Type: AWS::EC2::Route
4. D. Resources:VPCGatewayToRemoteVPC:Type: “AWS::EC2::VPCGatewayAttachment”
5. E. Resources:newVPCPeeringConnection:Type: ‘AWS::EC2VPCPeeringConnection’PeerRoleArn: !Ref PeerRoleArn

Correct Answer: CE
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_EC2.html

An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company’s infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through Its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service providers.
The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols for reliable transmission of the data they collect. The IoT devices have both landline and mobile internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions. The company will use Amazon Route 53 for DNS services.
A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud.
Which solution will meet these requirements with the HIGHEST availability?

1. A. Set up an Amazon CloudFront distribution with origin failove
2. B. Create an origin group for each Region where the solution is deployed.
3. C. Set up Route 53 latency-based routin
4. D. Add latency alias record
5. E. For the latency alias records, set the value of Evaluate Target Health to Yes.
6. F. Set up an accelerator in AWS Global Accelerato
7. G. Configure Regional endpoint groups andhealth checks.
8. H. Set up Bring Your Own IP (BYOIP) addresse
9. I. Use the same PI addresses for each Region where the solution is deployed.

Correct Answer: B
https://aws.amazon.com/blogs/iot/automate-global-device-provisioning-with-aws-iot-core-and-amazon-route-53