All About Tested ANS-C01 Sample Question
100% guarantee of ANS-C01 free download materials and exam guide for the Amazon Web Services certification for IT engineers. Real success guaranteed with updated ANS-C01 PDF and VCE dump materials. 100% pass the AWS Certified Advanced Networking Specialty exam today!
Check ANS-C01 free dumps before getting the full version:
NEW QUESTION 1
A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
- B. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
- C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with the full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
- D. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.
Answer: C
Explanation:
Interface VPC endpoints, powered by AWS PrivateLink, provide private connectivity to supported AWS services without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection, and both Amazon S3 and AWS Systems Manager support interface endpoints. The private DNS feature of an interface endpoint only overrides the public service hostname inside the VPC that contains the endpoint, and transit gateway DNS support only resolves public hostnames of EC2 instances to private addresses across attachments, so option D leaves the spoke VPCs resolving the public endpoints. The documented pattern for centralizing endpoints is option C: turn private DNS off on the endpoints, create a private hosted zone named after the full service endpoint (for example ssm.<region>.amazonaws.com), add an alias record that points to the interface endpoint, and associate the zone with every spoke VPC. No additional DNS infrastructure is needed, which is the least operational overhead. Option B does not work because Route 53 Resolver forwarding rules send queries to DNS servers, and an interface endpoint does not answer DNS queries. Option A does not work because a private NAT gateway only reaches private address space; it cannot reach these services without using their public endpoints.
NEW QUESTION 2
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer.
Which architecture will meet these requirements MOST cost-effectively?
- A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
- C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
Answer: B
NEW QUESTION 3
A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2.
A network engineer must implement connectivity between VPC-B and the on-premises data center in Dublin. Which solutions will meet these requirements? (Choose two.)
- A. Configure inter-Region VPC peering between VPC-A and VPC-B. Add the required VPC peering routes. Add the VPC-B CIDR block in the allowed prefixes on the Direct Connect gateway association.
- B. Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block under the allowed prefixes.
- C. Configure another transit VIF on the Direct Connect connection and associate TGW-B. Advertise the VPC-B CIDR block under the allowed prefixes.
- D. Configure inter-Region transit gateway peering between TGW-A and TGW-B. Add the peering routes in the transit gateway route tables. Add both the VPC-A and the VPC-B CIDR blocks under the allowed prefix list in the Direct Connect gateway association.
- E. Configure an AWS Site-to-Site VPN connection over the transit VIF to TGW-B as a VPN attachment.
Answer: BC
Explanation:
B: Associating TGW-B with the Direct Connect gateway and advertising the VPC-B CIDR block under the allowed prefixes lets on-premises traffic reach VPC-B over the Direct Connect connection through TGW-B. A Direct Connect gateway is a global resource that can be associated with transit gateways in other Regions and other accounts; because TGW-B is owned by Account 2, the association is made through an association proposal that the owner of the Direct Connect gateway accepts. C: Configuring another transit VIF on the Direct Connect connection and associating TGW-B likewise connects TGW-B to the Direct Connect gateway so that VPC-B's traffic can use the Direct Connect connection, again with the VPC-B CIDR block in the allowed prefixes.
NEW QUESTION 4
A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?
- A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
- B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
- C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
- D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.
Answer: A
NEW QUESTION 5
You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.
The instance has a security group configured to allow as follows:
Protocol: TCP
Port: 80 inbound, nothing outbound
The Network ACL for the subnet is configured to allow as follows:
Protocol: TCP
Port: 80 inbound, nothing outbound
When you try to browse to the web server, you receive no response. Which additional step should you take to receive a successful response?
- A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
- B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
- C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
- D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
Answer: D
Explanation:
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on and outbound traffic to the ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port. That ephemeral port then becomes the destination port for the return traffic from the service, so outbound traffic to the ephemeral port range must be allowed in the network ACL. Network ACLs are stateless, so the return traffic is evaluated on its own; security groups are stateful and automatically allow the return traffic for an accepted inbound connection, which is why options A and B are not needed and option C (outbound port 80) does not match the reply. See https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/
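The following is an added example, not part of the original page: a small simulation of how a stateless network ACL evaluates the request and the reply of a web connection, using the three rule sets from the question (as configured, option C, option D). The rule numbers, client address and ephemeral port are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending order; the first match wins
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range the rule covers
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str   # as seen by the subnet: "inbound" or "outbound"
    protocol: str
    remote_ip: str   # the address outside the subnet
    dst_port: int    # destination port of this packet


def evaluate(rules: List[NaclRule], packet: Packet) -> str:
    """Stateless evaluation of a single packet; the implicit final rule (*) denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != packet.direction:
            continue
        if rule.protocol not in ("all", packet.protocol):
            continue
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        if ipaddress.ip_address(packet.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def http_round_trip_allowed(rules: List[NaclRule], client_ip: str, client_port: int) -> bool:
    """A browser request succeeds only if the request AND the reply pass the ACL.
    The request arrives on destination port 80; the reply leaves from port 80 to
    the client's ephemeral port, so the outbound check is keyed on that port."""
    request = Packet("inbound", "tcp", client_ip, 80)
    reply = Packet("outbound", "tcp", client_ip, client_port)
    return evaluate(rules, request) == "allow" and evaluate(rules, reply) == "allow"


# Starting state from the question: TCP 80 inbound, nothing outbound (constructed rule numbers).
ACL_AS_CONFIGURED = [NaclRule(100, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow")]

# Option C: outbound TCP 80. The reply's destination port is the client's
# ephemeral port, not 80, so this rule never matches the reply.
ACL_OPTION_C = ACL_AS_CONFIGURED + [NaclRule(100, "outbound", "tcp", 80, 80, "0.0.0.0/0", "allow")]

# Option D: outbound TCP 1024-65535 covers the ephemeral destination port.
ACL_OPTION_D = ACL_AS_CONFIGURED + [NaclRule(100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

# Ordering matters: a lower-numbered deny for one client network wins over the
# broader allow, which is how a single abusive source is blocked without
# touching the ephemeral-port rule.
ACL_OPTION_D_WITH_BLOCK = [NaclRule(50, "inbound", "tcp", 80, 80, "198.51.100.0/24", "deny")] + ACL_OPTION_D

if __name__ == "__main__":
    for name, acl in (("as configured", ACL_AS_CONFIGURED), ("option C", ACL_OPTION_C),
                      ("option D", ACL_OPTION_D)):
        print(f"{name}: {http_round_trip_allowed(acl, '203.0.113.10', 50123)}")
```

The simulation only models the two checks that matter for the question. In practice the client's ephemeral port depends on its operating system (Linux typically uses 32768-60999, Windows 49152-65535), which is why the AWS guidance is to open the whole 1024-65535 range rather than a narrower one.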
NEW QUESTION 6
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service.example.com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)
- A. Create a self-signed certificate for service.example.com. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
- B. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
- C. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
- D. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
- E. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB, add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
- F. Create a self-signed certificate for service-alb.example.com. Import the certificate into AWS Certificate Manager (ACM). On the ALB, add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
Answer: BDE
Explanation:
CloudFront requires a certificate issued by a trusted public certificate authority for the viewer-facing domain, and it also validates the certificate that the origin presents, so the self-signed certificates in A and F cannot be used. Public certificates issued by ACM cannot be exported and installed on EC2 instances, so C fails. The ALB does not validate the certificate presented by its targets, which is why a third-party certificate with any domain name on the instances (D) is enough for an HTTPS target group. B encrypts the viewer-to-CloudFront leg and forces HTTPS; E encrypts the CloudFront-to-ALB leg with an ACM certificate for service-alb.example.com, sets the origin protocol policy to HTTPS only, and removes the ALB HTTP listener so that no plaintext path remains.
NEW QUESTION 7
A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue.
What should the network engineer do to meet this requirement?
- A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
- B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
- C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
- D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
Answer: C
Explanation:
Route Analyzer in AWS Network Manager analyzes the routes in transit gateway route tables, including paths across transit gateway peering attachments between Regions, so it is the tool for locating a missing or misdirected route at the transit gateway layer. It does not evaluate VPC route tables, so those must be checked separately, which rules out A. VPC flow logs record the traffic that security group rules and network ACL rules accept or reject, which isolates filtering problems inside each VPC; AWS Firewall Manager manages firewall and security group policies and does not analyze traffic, which rules out B. VPC Reachability Analyzer is a configuration analysis tool that tests connectivity between a specific source resource and destination resource; option D pairs it with analyzing transit gateway route tables, which is Route Analyzer's job.
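An added example, not from the original page, of the flow-log step in the answer: parsing a handful of VPC flow log records in the default (version 2) format and separating "traffic arrived but was rejected" from "no traffic arrived at all". The sample records, addresses, ENI ID and account ID are constructed; the field order is the documented default flow log format.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed records captured on the ENI of the destination instance
# (10.20.2.40). The source instance in the other Region is 10.10.1.25.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.1.25 10.20.2.40 49152 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.1.25 10.20.2.40 49153 443 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.1.99 10.20.2.40 49300 22 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.20.2.40 198.51.100.7 51000 443 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int    # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    action: str      # "ACCEPT" or "REJECT"


def parse_flow_log(text: str) -> List[FlowRecord]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # not the default format; ignore the line
        row = dict(zip(FIELDS, parts))
        if row["log-status"] != "OK":
            continue                      # NODATA / SKIPDATA carry no flow information
        records.append(FlowRecord(
            interface_id=row["interface-id"],
            srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]), dstport=int(row["dstport"]),
            protocol=int(row["protocol"]), action=row["action"]))
    return records


def flows_between(records: List[FlowRecord], ip_a: str, ip_b: str) -> List[FlowRecord]:
    """Records in either direction between two addresses."""
    return [r for r in records if {r.srcaddr, r.dstaddr} == {ip_a, ip_b}]


def rejected_ports(records: List[FlowRecord], ip_a: str, ip_b: str) -> List[Tuple[int, int]]:
    """(protocol, dstport) pairs that were rejected, i.e. what the SG/NACL rules must allow."""
    return sorted({(r.protocol, r.dstport) for r in flows_between(records, ip_a, ip_b)
                   if r.action == "REJECT"})


def diagnose(records: List[FlowRecord], src_ip: str, dst_ip: str) -> str:
    """Coarse triage for 'instance A cannot reach instance B' using logs from B's ENI:
    no records at all means the packets never reached the ENI (look at the transit
    gateway and VPC route tables first); REJECT means they arrived and a security
    group or network ACL dropped them; ACCEPT only means the network path is fine."""
    matched = flows_between(records, src_ip, dst_ip)
    if not matched:
        return "no-flows"
    counts = Counter(r.action for r in matched)
    return "rejected" if counts["REJECT"] else "accepted"


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(diagnose(recs, "10.10.1.25", "10.20.2.40"),
          rejected_ports(recs, "10.10.1.25", "10.20.2.40"))
```

A REJECT record does not say whether a security group or a network ACL dropped the packet. When a stateless network ACL is the cause, the inbound record is often ACCEPT and only the outbound reply to the ephemeral port shows REJECT, so check both directions before concluding that the security group is at fault.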
NEW QUESTION 8
A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 Gbps AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational overhead?
- A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.
- B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute traffic from the Direct Connect private VIF to the new VPNs.
- C. Deploy a new pair of 10 Gbps Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the new Direct Connect connections. Decommission the original Direct Connect connections.
- D. Deploy a new pair of 10 Gbps Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections. Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site connections. Decommission the original Direct Connect connections.
Answer: C
Explanation:
MACsec on dedicated 10 Gbps Direct Connect connections encrypts the link at layer 2 between the edge routers in the colocation and AWS at line rate, so the company keeps its full bandwidth with nothing more to operate than the MACsec keys. A public VIF has no encryption of its own (A), and each Site-to-Site VPN tunnel is limited to 1.25 Gbps, so moving the traffic onto VPN (B, D) would not maintain the current bandwidth and adds tunnels to run and monitor.
NEW QUESTION 9
A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission.
How should a network engineer configure the AWS resources to meet these requirements?
- A. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
- B. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.
- C. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
- D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders' network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.
Answer: C
Explanation:
Dynamic registration of receivers requires a multicast domain with IGMP support, so that instances join and leave groups by sending IGMP membership reports; in a static source domain, group members are added manually. Multicast traffic is UDP (TCP is connection-oriented and cannot be multicast), so the network ACLs must allow UDP from the source and UDP to the multicast group address.
NEW QUESTION 10
A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises over Direct Connect.
What should a network engineer do to meet these requirements?
- A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes. Configure a CloudWatch alarm to send notifications when routes change.
- B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes change.
- C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change.
- D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes. Create a metric filter. Set an alarm on the filter to send notifications when routes change.
Answer: B
Explanation:
https://docs.aws.amazon.com/network-manager/latest/cloudwan/cloudwan-cloudwatch-events.html
To receive a notification each time a new route is advertised to AWS from on premises over Direct Connect, register the transit gateway with Transit Gateway Network Manager and use Amazon EventBridge (Amazon CloudWatch Events) to send notifications on the routing update events that Network Manager emits (option B). This gives near real-time notification without custom code. Direct Connect CloudWatch metrics and the VIFs do not expose the received routes (A, D), and a Lambda function that polls the Direct Connect gateway (C) adds delay and code to maintain.
NEW QUESTION 11
A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed.
What should a network engineer do to meet these requirements with the LEAST amount of configuration?
- A. Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
- B. Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
- C. Set up an AWS Client VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.
- D. Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.
Answer: A
Explanation:
A Site-to-Site VPN connection provides an encrypted connection over the public internet and can be set up quickly without physical provisioning, which suits a 3-month migration window (Direct Connect, options B and D, takes weeks to provision, and Client VPN, option C, is for individual users rather than site connectivity). A Route 53 Resolver outbound endpoint, with a forwarding rule for the on-premises domain, forwards DNS queries from the EC2 instances to the on-premises DNS servers over that connection. An inbound endpoint is only needed if on-premises hosts must resolve names in the VPC, which is not a requirement here. After the migration period, the forwarding rule and the outbound endpoint can be deleted with minimal configuration changes.
NEW QUESTION 12
An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?
- A. Use an internet connection.
- B. Set up an AWS VPN connection.
- C. Provision an AWS Direct Connect private virtual interface.
- D. Provision a Direct Connect public virtual interface.
Answer: A
NEW QUESTION 13
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?
- A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
- B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
- C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
- D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.
Answer: B
Explanation:
The sensors cannot be reconfigured, so the public IP addresses they are hardcoded with must move to AWS with Bring Your Own IP. MQTT is a TCP protocol, which calls for a Network Load Balancer (an ALB has no TCP listeners, and CloudFront does not support BYOIP). An NLB by itself is regional, so option A keeps the latency problem. AWS Global Accelerator supports BYOIP for its static addresses and terminates connections at the edge location nearest to each sensor, carrying the traffic over the AWS global network to the NLB, which minimizes latency for a global fleet.
NEW QUESTION 14
A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use.
Employees at the London office are experiencing latency issues when they connect to the business applications.
What should a network engineer do to reduce this latency?
- A. Create a new Site-to-Site VPN connection. Set the transit gateway as the target gateway. Enable acceleration on the new Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.
- B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway. Enable acceleration on the existing Site-to-Site VPN connection.
- C. Create a new transit gateway in the eu-west-2 (London) Region. Peer the new transit gateway with the existing transit gateway. Modify the existing Site-to-Site VPN connection by setting the new transit gateway as the target gateway.
- D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection. Update the VPN device in the London office with the new connection details.
Answer: A
Explanation:
Enabling acceleration on a Site-to-Site VPN connection uses AWS Global Accelerator to route traffic from the on-premises network to the AWS edge location closest to the customer gateway device and then over the congestion-free AWS global network, instead of over the public internet all the way to us-east-1. Acceleration is only available for VPN connections whose target is a transit gateway, and it can only be turned on when the connection is created, so the existing connection to the virtual private gateway cannot simply be modified (B); a new connection has to be created and the London VPN device updated with its details. Setting the transit gateway as the target also gives the London office connectivity to the other VPCs that are attached to the transit gateway.
NEW QUESTION 15
A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application.
A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups.
Which solution will meet these requirements?
- A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
- B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
- C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
- D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
Answer: D
Explanation:
An AWS Config rule evaluates the security groups against a predefined or custom definition of the desired configuration and marks drift as noncompliant. A Systems Manager Automation runbook, set as the rule's remediation action, then restores the desired rules automatically, so a bad change is reverted without waiting for someone to notice the outage. Amazon GuardDuty is a threat detection service and does not compare resources against a desired configuration, and AWS OpsWorks for Chef manages software on instances rather than security group rules, which rules out A, B and C.
NEW QUESTION 16
A company has several production applications across different accounts in the AWS Cloud. The company operates from the us-east-1 Region only. Only certain partner companies can access the applications. The applications are running on Amazon EC2 instances that are in an Auto Scaling group behind an Application Load Balancer (ALB). The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is in a public subnet and allows inbound traffic only from partner network IP address ranges over port 80.
When the company adds a new partner, the company must allow the IP address range of the partner network in the security group that is associated with the ALB in each account. A network engineer must implement a solution to centrally manage the partner network IP address ranges.
Which solution will meet these requirements in the MOST operationally efficient manner?
- A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated. Update the DynamoDB table with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the DynamoDB table to update the security groups. Deploy this solution in all accounts.
- B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use Amazon EventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function to update security groups whenever a new IP address range is added to the prefix list. Deploy this solution in all accounts.
- C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share the prefix list across different accounts by using AWS Resource Access Manager (AWS RAM). Update security groups to use the prefix list instead of the partner IP address ranges. Update the prefix list with the new IP address range when the company adds a new partner.
- D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated. Update the S3 bucket with the new IP address range when the company adds a new partner. Invoke an AWS Lambda function to read new IP address ranges and security groups from the S3 bucket to update the security groups. Deploy this solution in all accounts.
Answer: C
Explanation:
A customer-managed prefix list groups CIDR blocks that security group rules can reference by ID. Sharing the prefix list with AWS Resource Access Manager (AWS RAM) lets the security groups in every account reference the same list, so the partner network ranges are managed in one place. Once the security group rules reference the prefix list instead of individual partner ranges, adding a partner means adding one entry to the prefix list; the change takes effect in every security group that references the list without touching the groups themselves. Options A, B and D each require custom code that has to be deployed and maintained in every account. Note that each entry in a referenced prefix list counts against the security group's rule quota.
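An added example, not from the original page, that serves questions 15 and 16 together: the evaluation logic of a custom AWS Config rule that checks the ALB security group against a desired baseline (TCP 80 inbound, only from the shared partner prefix list), and the exact revoke/authorize inputs a Systems Manager Automation runbook would use to restore it. The group ID, prefix list ID, CIDRs and the "recent change" are constructed; the rule shape (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges, PrefixListIds, UserIdGroupPairs) is the one returned by the EC2 DescribeSecurityGroups API.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int, str]   # (IpProtocol, FromPort, ToPort, source)

# Desired inbound state for the ALB group: TCP 80 only, and only from the
# shared partner prefix list (constructed ID). A partner CIDR pasted straight
# into the group, or any other port, is noncompliant.
PARTNER_PREFIX_LIST = "pl-0123456789abcdef0"
DESIRED_INBOUND: Set[Rule] = {("tcp", 80, 80, PARTNER_PREFIX_LIST)}

# Constructed DescribeSecurityGroups output after the change that broke partner
# access: the prefix-list rule was replaced by 0.0.0.0/0 on 443 and an SSH rule
# was added.
SAMPLE_GROUP: Dict = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
         "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}


def flatten_rules(permissions: List[Dict]) -> Set[Rule]:
    """One tuple per (permission, source) so the group can be compared as a set."""
    rules: Set[Rule] = set()
    for p in permissions:
        proto = p["IpProtocol"]
        lo, hi = p.get("FromPort", -1), p.get("ToPort", -1)   # -1: all ports (IpProtocol "-1")
        for r in p.get("IpRanges", []):
            rules.add((proto, lo, hi, r["CidrIp"]))
        for r in p.get("Ipv6Ranges", []):
            rules.add((proto, lo, hi, r["CidrIpv6"]))
        for r in p.get("PrefixListIds", []):
            rules.add((proto, lo, hi, r["PrefixListId"]))
        for r in p.get("UserIdGroupPairs", []):
            rules.add((proto, lo, hi, r["GroupId"]))
    return rules


def to_ip_permissions(rules: List[Rule]) -> List[Dict]:
    """Inverse of flatten_rules: the IpPermissions shape that
    AuthorizeSecurityGroupIngress / RevokeSecurityGroupIngress accept."""
    perms = []
    for proto, lo, hi, src in rules:
        perm: Dict = {"IpProtocol": proto}
        if lo != -1:
            perm["FromPort"], perm["ToPort"] = lo, hi
        if src.startswith("pl-"):
            perm["PrefixListIds"] = [{"PrefixListId": src}]
        elif src.startswith("sg-"):
            perm["UserIdGroupPairs"] = [{"GroupId": src}]
        elif ":" in src:
            perm["Ipv6Ranges"] = [{"CidrIpv6": src}]
        else:
            perm["IpRanges"] = [{"CidrIp": src}]
        perms.append(perm)
    return perms


def evaluate_group(group: Dict, desired: Set[Rule]) -> Dict:
    """What the Config rule reports, plus the revoke/authorize calls the
    Automation runbook would make to restore the baseline."""
    actual = flatten_rules(group["IpPermissions"])
    revoke = sorted(actual - desired)
    authorize = sorted(desired - actual)
    return {
        "GroupId": group["GroupId"],
        "ComplianceType": "COMPLIANT" if not revoke and not authorize else "NON_COMPLIANT",
        "Revoke": to_ip_permissions(revoke),
        "Authorize": to_ip_permissions(authorize),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_group(SAMPLE_GROUP, DESIRED_INBOUND), indent=2))
```

In a real deployment the rule's Lambda function would feed "ComplianceType" to Config's PutEvaluations, and the runbook would pass "Authorize" to AuthorizeSecurityGroupIngress before passing "Revoke" to RevokeSecurityGroupIngress, so that legitimate partner traffic is never dropped in between. Because the desired rule references the shared prefix list, adding a partner changes the prefix list only; the security group stays compliant without any edit.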
NEW QUESTION 17
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?
- A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
- B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
- C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
- D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
Answer: D
Explanation:
A hosted connection carries a single virtual interface, so a design with both a transit VIF and a private VIF needs a dedicated connection (dedicated connections are available from 1 Gbps), which rules out A and B. A Direct Connect gateway can be associated with either virtual private gateways or transit gateways, not both, so the transit VIF for the us-east-1 transit gateway and the private VIF for the eu-west-1 VPC need separate Direct Connect gateways, which rules out C. With option D, traffic for the VPCs in us-east-1 and the on-premises databases is routed through the transit gateway, while the single VPC in eu-west-1 reaches the on-premises server over the private VIF; each Direct Connect gateway routes from the Direct Connect location to its Region over the AWS backbone, and the on-premises network keeps the two traffic types segmented.
NEW QUESTION 18
A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The company's current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company's on-premises devices have been updated to support the new IPv6 requirements.
The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets.
When updating the hybrid network to support IPv6, the network engineer must avoid making any changes to the current infrastructure. The network engineer also must block direct access to the instances' new IPv6 addresses from the internet. However, the network engineer must allow outbound internet access from the instances.
What is the MOST operationally efficient solution that meets these requirements?
- A. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
- B. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Update the existing VPN connection to support IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
- C. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
- D. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add a NAT gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.
Answer: B