AWS Certified Advanced Networking – Specialty Dump 02

Your organization needs to resolve DNS entries stored in an Amazon Route 53 private zone “awscloud.internal” from the corporate network. An AWS Direct Connect connection with a private virtual interface is configured to provide access to a VPC with the CIDR block 192.168.0.0/16. A DNS Resolver (BIND) is configured on an Amazon Elastic Compute Cloud (EC2) instance with the IP address 192.168.10.5 within the VPC. The DNS Resolver has standard root server hints configured and conditional forwarding for “awscloud.internal” to the IP address 192.168.0.2.
From your PC on the corporate network, you query the DNS server at 192.168.10.5 for www.amazon.com. The query is successful and returns the appropriate response. When you query for “server.awscloud.internal”, the query times out. You receive no response.
How should you enable successful queries for “server.awscloud.internal”?

  • A. Attach an internet gateway to the VPC and create a default route.
  • B. Configure the VPC settings for enableDnsHostnames and enableDnsSupport as True.
  • C. Relocate the BIND DNS Resolver to the corporate network.
  • D. Update the security group for the EC2 instance at 192.168.10.5 to allow UDP Port 53 outbound.

Note: This is a textbook question. To use Route 53 private hosted zones, you have to enable both enableDnsHostnames and enableDnsSupport.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support


A network engineer is managing two AWS Direct Connect connections. Each connection has a public virtual interface configured with a private ASN. The engineer wants to configure active/passive routing between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is required for the on-premises equipment? (Choose two.)

  • A. Use Local Pref to control outbound traffic.
  • B. Use AS Prepending to control inbound traffic.
  • C. Use eBGP multi-hop between loopback interfaces.
  • D. Use BGP Communities to control outbound traffic.
  • E. Advertise more specific prefixes over one Direct Connect connection.

Note: This is a good question. It asks how to weigh DX connections differently. Many are tempted to pick A and B, as prescribed in this blog, since it is the most likely hit when you search for these keywords. However, that blog does not account for a private ASN on a public VIF, which forbids AS prepending. AS prepending is only possible with a private ASN on a private VIF, or a public ASN on a public VIF.

This more recent blog re-articulates the same point. Route specificity is always a good option.

C = wrong, total nonsense: eBGP multi-hop is for connecting two BGP routers that are not directly connected. D = wrong, BGP Communities influence returning (inbound) traffic, not outbound traffic; for outbound traffic it is Local Pref that takes effect.

Do note there is a LOCAL_PREF attribute (which is local to the AS), but also a dubious Local Preference community (a predefined community value that is sent to peers). THEY ARE DIFFERENT.


You have a global corporate network with 153 individual IP prefixes in your internal routing table. You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW). All instances in the VPC must be able to route to the Internet via an IGW and route to the global corporate network via the VGW.
How should you configure your on-premises BGP peer to meet these requirements?

  • A. Configure AS-Prepending on your BGP session
  • B. Summarize your prefix announcement to less than 100
  • C. Announce a default route to the VPC over the BGP session
  • D. Enable route propagation on the VPC route table

A = wrong, AS-Prepending is for weighing identical routes, not for separating different routes. C = wrong, this would send Internet traffic to the corporate network. D = wrong, a VPC route table has a limit of 100 BGP-propagated routes.

This is also a textbook question; the answer can be found under the section “Private Virtual Interface” of the official study guide.
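Answer B relies on collapsing the 153 prefixes to fewer than 100 routes before they reach the VPC route table. As an added worked example (not from the page or the exam), the Python below does that with the standard ipaddress module: exact merges first, then a greedy aggregation that over-claims as little address space as possible. The corporate table is constructed, the greedy strategy is my own choice, and the code assumes IPv4 prefixes only.

```python
import ipaddress

VGW_PROPAGATED_ROUTE_LIMIT = 100  # per-route-table limit cited in the notes above

def aggregate(a, b):
    """Smallest common supernet of two disjoint IPv4 networks, with the number
    of addresses it claims beyond what a and b already cover."""
    s = a
    while not b.subnet_of(s):
        s = s.supernet()
    return s.num_addresses - a.num_addresses - b.num_addresses, s

def summarize(prefixes, limit=VGW_PROPAGATED_ROUTE_LIMIT):
    """Return at most `limit` networks that together cover every input prefix.

    Step 1 merges exactly adjacent blocks and drops covered subnets (adds no
    address space). Step 2 greedily aggregates the neighbouring pair whose
    supernet over-claims the fewest addresses until the count fits. Any space a
    summary claims that is not really on-premises is still routed to the VGW
    by the VPC, so check over_claimed() before advertising the result.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    nets = sorted(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    while len(nets) > limit:
        best = min(aggregate(a, b) for a, b in zip(nets, nets[1:]))[1]
        nets = sorted(ipaddress.collapse_addresses(nets + [best]))
    return nets

def over_claimed(prefixes, summary):
    """Addresses advertised by the summary that were not in the original table."""
    original = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    return sum(n.num_addresses for n in summary) - sum(n.num_addresses for n in original)

def covers(summary, prefixes):
    """True when every original prefix falls inside some summary network."""
    return all(any(ipaddress.ip_network(p).subnet_of(s) for s in summary) for p in prefixes)

# Constructed stand-in for the 153-prefix corporate table in the question:
# scattered /24s that do not merge by simple collapsing.
CORPORATE_PREFIXES = [f"10.{i // 4}.{(i % 4) * 64}.0/24" for i in range(153)]

if __name__ == "__main__":
    summary = summarize(CORPORATE_PREFIXES)
    print(len(CORPORATE_PREFIXES), "->", len(summary), "routes,",
          over_claimed(CORPORATE_PREFIXES, summary), "extra addresses")
```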


You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required.
Which of the following will improve transmission quality?

  • A. Enable enhanced networking
  • B. Select G2 instance types
  • C. Enable jumbo frames
  • D. Use multiple elastic network interfaces

B = wrong, G2 does not have enhanced networking. C = wrong, jumbo frames are not good for Internet-bound traffic. D = wrong, additional ENIs do not improve network performance in any way.


You deploy your Internet-facing application in the us-west-2 (Oregon) region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.
You need to deploy another identical instance of the application in us-east-1 (N. Virginia) as soon as possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.
Which design should you choose?

  • A. Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
  • B. Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
  • C. Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
  • D. Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.

A = wrong, inter-region connectivity over DX is limited to public VIFs, i.e. accessing public AWS APIs over DX, not VPC access; for that you need a Direct Connect Gateway. B = wrong, the required bandwidth exceeds the Internet bandwidth. D = wrong, VPC peering is not transitive, which means the new VPC will not be able to reach the corporate network and vice versa; you need Transit Gateway for that.

The catch is that normally you would use a private VIF (VGW) to access your VPC directly over DX; however, to use AWS Site-to-Site VPN (or IPsec VPN, as this question calls it) to reach your VPC, you need a public VIF, because the VPN endpoint will be a public IP address.

Do remember for traffic entering / leaving a VPC, you have options of: IGW, VGW, TGW and peering. VGW and TGW could be used over DX directly using private / transit VIFs, or, be used with Site-to-Site VPN over the Internet / DX public VIFs.

This is also a textbook question.

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-vpn.html


Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.
Which of the following connectivity options should you choose?

  • A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.
  • B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
  • C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
  • D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.

Note: One dedicated DX connection can have 50 VIFs, and VIFs can connect to VPCs in different accounts (“hosted VIFs”). The target account will have to accept this VIF before the DX account can download the configuration that will allow connecting to the VPC in the target account.

A and B = wrong, too expensive and slow. D = wrong, VPC peering is not transitive. You could also have answered this question simply by elimination.


An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPC with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.
What is the MOST simple and secure architecture that will achieve the organization’s goal?

  • A. Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
  • B. Use the existing VPC and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
  • C. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.
  • D. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.

Note: You need a NAT gateway or a VPC endpoint to reach KMS from private subnets.


A Systems Administrator is designing a hybrid DNS solution with split-view. The apex domain “example.com” should be served through name servers across multiple top-level domains (TLDs). The name server for subdomain “dev.example.com” should reside on-premises. The administrator has decided to use Amazon Route 53 to achieve this scenario.
What procedural steps must be taken to implement the solution?

  • A. Use a Route 53 public hosted zone for example.com and a private hosted zone for dev.example.com
  • B. Use a Route 53 public and private hosted zone for example.com and perform subdomain delegation for dev.example.com
  • C. Use a Route 53 public hosted zone for example.com and perform subdomain delegation for dev.example.com
  • D. Use a Route 53 private hosted zone for example.com and perform subdomain delegation for dev.example.com

Note: This is a textbook question.

Split-view means resources within the VPC get their own set or subset of DNS records, which is achieved by creating both a public and a private hosted zone for the same domain. You may also create private hosted zones for subdomains; whichever is more specific prevails. Creating different hosted zones is itself delegation, so there is no need to delegate again, except that a private hosted zone is not allowed to delegate its records further.

B and C = wrong, anyone on the Internet will see the private records, so there is no split. D = wrong, example.com will not be reachable by Internet clients.

On-premises targets will need a resolver to access the private hosted zone. Since no resolver is mentioned in the answers, we may take it as given.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-considerations.html#hosted-zone-private-considerations-delegating-subdomain


A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.
How can this requirement be achieved?

  • A. Use a Network Load Balancer to automatically preserve the source IP address.
  • B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
  • C. Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
  • D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

Note: This is a textbook question. NLB only preserves the source IP automatically when targets are EC2 instances. On-premises targets are IP targets, which require Proxy Protocol to carry the source IP.

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol
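With answer C, the NLB prepends a Proxy Protocol v2 header to every connection, and the on-premises server has to parse that header to recover the client address (and reject anything that does not carry a valid one). The parser below is an added example, not AWS or page code; the sample header it builds is constructed from documentation address ranges and uses a placeholder VPC endpoint ID.

```python
import ipaddress
import struct

# Proxy Protocol v2 constants from the HAProxy PROXY protocol specification
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION, PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x20, 0x00, 0x01
PP2_AF_INET, PP2_AF_INET6, PP2_STREAM = 0x10, 0x20, 0x01
PP2_TYPE_AWS = 0xEA  # AWS TLV; sub-type 0x01 carries the VPC endpoint ID

def parse_proxy_v2(data: bytes):
    """Parse the PPv2 header that precedes the application bytes.

    Returns (info, remainder): info is None for a LOCAL header (use the socket
    peer address), else a dict with client/target address+port and TLVs by type.
    Raises ValueError on a malformed header so the caller drops the connection
    instead of trusting a partial or spoofed address block.
    """
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd & 0xF0 != PP2_VERSION:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY v2 header")
    body, remainder = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == PP2_CMD_LOCAL:
        return None, remainder
    fmt = {PP2_AF_INET: "!4s4sHH", PP2_AF_INET6: "!16s16sHH"}.get(fam_proto & 0xF0)
    if fmt is None or len(body) < struct.calcsize(fmt):
        raise ValueError("unsupported address family or short address block")
    fixed = struct.calcsize(fmt)
    src, dst, sport, dport = struct.unpack(fmt, body[:fixed])
    info = {"src": str(ipaddress.ip_address(src)), "src_port": sport,
            "dst": str(ipaddress.ip_address(dst)), "dst_port": dport, "tlv": {}}
    tlvs = body[fixed:]  # optional TLVs: 1-byte type, 2-byte length, value
    while len(tlvs) >= 3:
        t, ln = tlvs[0], struct.unpack("!H", tlvs[1:3])[0]
        if len(tlvs) < 3 + ln:
            raise ValueError("truncated TLV")
        info["tlv"][t] = tlvs[3:3 + ln]
        tlvs = tlvs[3 + ln:]
    return info, remainder

def build_sample_header() -> bytes:
    """Constructed sample: client 203.0.113.7:51234 -> target 192.0.2.10:443."""
    body = struct.pack("!4s4sHH", ipaddress.ip_address("203.0.113.7").packed,
                       ipaddress.ip_address("192.0.2.10").packed, 51234, 443)
    tlv = b"\x01vpce-PLACEHOLDER"  # sub-type 0x01 + placeholder endpoint ID
    body += struct.pack("!BH", PP2_TYPE_AWS, len(tlv)) + tlv
    hdr = struct.pack("!BBH", PP2_VERSION | PP2_CMD_PROXY, PP2_AF_INET | PP2_STREAM, len(body))
    return PP2_SIGNATURE + hdr + body + b"first application bytes"
```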


A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.
What steps must be taken to order the cross-connect at the Direct Connect location?

  • A. Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.
  • B. Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.
  • C. Obtain one LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The Facility Operator will ensure that the cross-connect is installed.
  • D. Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.

A and C = wrong, the LOA/CFA is provided by AWS. D = wrong, you need the LOA/CFA for new DX connections.


An organization’s Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.
What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

  • A. Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.
  • B. Provision a private virtual interface for each VPC connection.
  • C. Enable VPC Flow Logs for each VPC.
  • D. Use AWS KMS to encrypt traffic between on-premises and AWS.
  • E. Provision a VPN connection to each VPC over the internet.

Note: B seems reasonable, as AWS has a habit of encrypting everything, but no: DX does not encrypt data in transit; you need Site-to-Site VPN for that.