AWS Certified Advanced Networking – Specialty Dump 01

Your organization’s corporate website must be available on http://www.acme.com and acme.com.
How should you configure Amazon Route 53 to meet this requirement?

  • A. Configure acme.com with an ALIAS record targeting the ELB. http://www.acme.com with an ALIAS record targeting the ELB.
  • B. Configure acme.com with an A record targeting the ELB. http://www.acme.com with a CNAME record targeting the acme.com record.
  • C. Configure acme.com with a CNAME record targeting the ELB. http://www.acme.com with a CNAME record targeting the acme.com record.
  • D. Configure acme.com using a second ALIAS record with the ELB target. http://www.acme.com using a PTR record with the acme.com record target.

Note: Two things in play here. First, DNS standard forbids creating CNAME records on root (aka. naked / apex) domain names. (If you are curious: Standard requires that CNAME to be the only record on a domain, but the root domain is also responsible for SOA record.) Second, ELB exposes domain names to seamlessly hide the IP addresses, so you need to point to those domain names.

Since CNAME cannot be used, you are left with ALIAS, which is an extension to DNS added by Route 53 that allows pointing root domains to other domains.


You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC.
Which action is required to support a successful Amazon EMR cluster launch?

  • A. Add a conditional forwarder to the Amazon-provided DNS server.
  • B. Enable seamless domain join for the Amazon EMR cluster.
  • C. Launch an AD connector for the internal domain.
  • D. Configure an Amazon Route 53 private zone for the EMR cluster.

Note: This is a poorly worded textbook question.

https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-microsoft-active-directory/


You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.
Which two AWS Services cloud you leverage to build an automated notification system? (Choose two.)

  • A. Internet gateway
  • B. VPC Flow Logs
  • C. AWS CloudTrail
  • D. Lambda
  • E. AWS Inspector

Note: A = wrong, nonsense. C = wrong, CloudTrail is for recording configuration API calls. E = wrong, Inspector is for OS vulnerability scanning and network reachability test.


Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company’s highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publicly routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF).
The security team is calling this new connection a “backdoor”, and you have been asked to clarify the risk to the company.
Which concern from the security team is valid and should be addressed?

  • A. AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.
  • B. Direct Connect customers with a Public VIF in the same region could directly reach the router.
  • C. EC2 instances in the same region with access to the Internet could directly reach the router.
  • D. The S3 service could reach the router through a pre-configured VPC Endpoint.

A = wrong, a public VIF does not advertise routes to the Internet, but only routes to AWS services. B = wrong, public VIF routes are not shared by customers in the same region. D = wrong, this has nothing to do with VPC endpoint.

This is also a textbook question. In official study guide, pp. 138.


Your organization uses a VPN to connect to your VPC but must upgrade to a 1-G AWS Direct Connect connection for stability and performance. Your telecommunications provider has provisioned the circuit from your data center to an AWS Direct Connect facility and needs information on how to cross-connect
(e.g., which rack/port to connect).
What is the AWS-recommended procedure for providing this information?

  • A. Create a support ticket. Provide your AWS account number and telecommunications company’s name and where you need the Direct Connect connection to terminate.
  • B. Create a new connection through your AWS Management Console and wait for an email from AWS with information.
  • C. Ask your telecommunications provider to contact AWS through an AWS Partner Channel. Provide your AWS account number.
  • D. Contact an AWS Account Manager and provide your AWS account number, telecommunications company’s name, and where you need the Direct Connect connection to terminate.

Note: Human factors like asking Support, contacting your account manager, asking your provider, etc. are almost never correct answers in exams. AWS prefers self-service at least in exams.

Letter of Authorization and Connecting Facility Assignment (LOA-CFA) is in the email you receive containing information for ordering a cross connection.


A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN.
According to the organization’s security team, the VPN must meet the following requirements:
– AES 128-bit encryption
– SHA-1 hashing
– User access via SSL VPN
– PFS using DH Group 2
– Ability to maintain/rotate keys and passwords
– Certificate-based authentication
Which solution should you recommend so that the organization meets the requirements?

  • A. AWS hardware VPN between the virtual private gateway and customer gateway
  • B. A third-party VPN solution deployed from AWS Marketplace
  • C. A private MPLS solution from an international carrier
  • D. AWS hardware VPN between the virtual private gateways in each region

Note: This might seem confusing as “hardware VPN” actually means AWS site-to-site VPN, i.e. the one with Virtual Private Gateway (VGW), Customer Gateway (CGW) and a VPN connection in between. AES-128, SHA-1, PFS-DG2, certificates are all supported, but no SSL VPN and no password rotation (only certificate rotation).

This is a rare case that both answers with minor variations (A and D) are wrong.


You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows:
✑ VPC A: 10.0.0.0/16
✑ VPC B: 192.168.0.0/16
✑ VPC C: 10.0.0.0/16
Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10. Instances i-3 and i-4 in VPC B have the IP addresses
192.168.1.10 and 192.168.1.20, respectively, i-3 and i-4 are in the subnet 192.168.1.0/24.
– i-3 must be able to communicate with i-1
– i-4 must be able to communicate with i-2
– i-3 and i-4 are able to communicate with i-1, but not with i-2.
Which two steps will fix this problem? (Choose two.)

  • A. Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
  • B. Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
  • C. Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
  • D. Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.
  • E. Create two route tables: one with a route for destination VPC A, and another for destination VPC C.

Note: This is a textbook question. B = wrong, the mask will not take the tailing 16 into account, write it down in binary and you will see. C = wrong, this will not solve the problem of overlapping CIDR. D = wrong, this will enable access to both VPC from both i-3 and i-4, which is not the intention of separating access.

https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html


A legacy, on-premises web application cannot be load balanced effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of the following designs will meet these requirements?

  • A. Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.
  • B. Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.
  • C. Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.
  • D. Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.

Note: When you see extremely large traffic with source IP preservation, then go for NLB. ALB may store source IP in HTTP header though.


An organization processes consumer information submitted through its website. The organization’s security policy requires that personally identifiable information
(PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirements? (Choose two.)

  • A. Amazon Aurora in a private subnet
  • B. Amazon CloudFront using AWS Lambda@Edge
  • C. Customer-managed MySQL with Transparent Data Encryption
  • D. Application Load Balancer using HTTPS listeners and targets
  • E. AWS Key Management Services

Note: This is a good question, but also a simple one. A and C are immediately out as they have nothing todo with data encryption by the user and application. D seems to do in-transit encryption but it does not encrypt the data, as soon as the data hits the frontend servers, they will gain access.

It is more of a scenario where data needs to be encrypted at the edge, with KMS, so no service without access to KMS may decrypt the data. You grant access to KMS with IAM roles.


Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on nginx server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client’s IP address in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?

  • A. Modify the nginx log configuration to record value in X-Forwarded-For and use CloudFront to apply the Geographic Restriction.
  • B. Enable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.
  • C. Use X-Forwarded-For with security groups to apply the Geographic Restriction.
  • D. Modify the application code to use value of X-Forwarded-For and CloudFront to apply the Geographic Restriction.

A = wrong, record source IP in log won’t help application serve content according to the IP. B = wrong, not scalable, plus that application won’t do dynamic content. C = wrong, HTTP header is level 7, while security group is level 4, this is nonsense.


You run a well-architected, multi-AZ application in the eu-central-1 (Frankfurt) AWS region. The application is hosted in a VPC and is only accessed from the corporate network. To support large volumes of data transfer and administration of the application, you use a single 10-Gbps AWS Direct Connect connection with multiple private virtual interfaces. As part of a review, you decide to improve the resilience of your connection to AWS and make sure that any additional connectivity does not share the same Direct Connect routers at AWS. You need to provide the best levels of resilience to meet the application’s needs.
Which two options should you consider? (Choose two.)

  • A. Install a second 10-Gbps Direct Connect connection to the same Direct Connection location.
  • B. Deploy an IPsec VPN over a public virtual interface on a new 10-Gbps Direct Connect connection.
  • C. Install a second 10-Gbps Direct Connect connection to a Direct Connect location in eu-west-1.
  • D. Deploy an IPsec VPN over the Internet to the eu-west-1 region for diversity.
  • E. Install a second 10-Gbps Direct Connect connection to a second Direct Connect location for eu-central-1.

Note: This is a good question. Point one, if you request multiple ports in same location, you get them on different routers, this is a courtesy of AWS to provide resilience by default. Point two, if you are worried about losing connection to one location, provision a connection in a second location in the same region for extra resilience.

B = wrong, this is private access, use private VIF (i.e. VGW or DX Gateway). C = wrong, this is cross-region private access, which requires DX Gateway (not mentioned), additionally, cross-region resilience is not useful for this application as it runs in a VPC, i.e. it stays in a single region, if the region is down, the application will not be accessible, which renders the connection in remote region useless. D = wrong, it is connecting to the wrong region, also VPN over the Internet is not as secure as a DX connection.


You have to set up an AWS Direct Connect connection to connect your on-premises to an AWS VPC. Due to budget requirements, you can only provision a single
Direct Connect port. You have two border gateway routers at your on-premises data center that can peer with the Direct Connect routers for redundancy.
Which two design methodologies, in combination, will achieve this connectivity? (Choose two.)

  • A. Terminate the Direct Connect circuit on a L2 border switch, which in turn has trunk connections to the two routers.
  • B. Create two Direct Connect private VIFs for the same VPC, each with a different peer IP.
  • C. Terminate the Direct Connect circuit on any of the one routers, which in turn will have an IBGP session with the other router.
  • D. Create one Direct Connect private VIF for the VPC with two customer peer IPs.
  • E. Provision two VGWs for the VPC and create one Direct Connect private VIF per VGW.

C = wrong, no redundancy provided. D = wrong, each VIF can only have one peer IP. E = wrong, each VPC can only have one VGW attached.