AWS Certified Advanced Networking – Specialty Dump 03

A company has an application running on Amazon EC2 instances in a private subnet that connects to a third-party service provider’s public HTTP endpoint through a NAT gateway. As request rates increase, new connections are starting to fail. At the same time, the ErrorPortAllocation Amazon CloudWatch metric count for the NAT gateway is increasing.
Which of the following actions should improve the connectivity issues? (Choose two.)

  • A. Allocate additional elastic IP addresses to the NAT gateway.
  • B. Request that the third-party service provider implement HTTP keepalive.
  • C. Implement TCP keepalive on the client instances.
  • D. Create additional NAT gateways and update the private subnet route table to introduce the new NAT gateways.
  • E. Create additional NAT gateways in the public subnet and split client instances into multiple private subnets, each with a route to a different NAT gateway.

An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.
What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?

  • A. Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.
  • B. Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.
  • C. Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.
  • D. Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.

A = wrong, dynamic routing in use. B = wrong, VPCs are not transitive. C = wrong, VGW cannot advertise CIDR from other VPCs.

A Network Engineer needs to create a public virtual interface on the company’s AWS Direct Connect connection and only import routes which originated from the same region as the Direct Connect location.
What action should accomplish this?

  • A. Configure a prefix list on the customer router containing the AWS IP address ranges for the specific region.
  • B. Configure a filter on the company’s router to only import routes with the 7224:8100 BGP community attribute.
  • C. Configure a filter on the company’s router to only import routes without a BGP community attribute and a maximum path length of 3.
  • D. Configure a filter in the console and only allow routes advertised by AWS without a BGP community attribute and a maximum path length of 3.

A = wrong, too complex and requires updates. C and D = wrong, in contrast, DX only advertises prefixes with minimum path length of 3.

Note: this is a textbook question.

An architecture is being designed to support an Amazon WorkSpaces deployment of 1,000 desktops.
Which architecture will support this deployment while allowing for future expansion?

  • A. A VPC with a /16 CIDR and one /21 subnet
  • B. A VPC with a /20 CIDR and two /21 subnets
  • C. A VPC with a /16 CIDR and one /22 subnet
  • D. A VPC with a /20 CIDR and two /23 subnets

A and C = wrong, WorkSpaces requires two subnets in different AZs to operate, as they are backed up AWS managed directory, which requires two subnets. D = wrong, /23 gives you 500+ IPs, but two subnets are for HA purposes, you will want each of them be able to accommodate all your desktops in case one is down.

Note: even though there are two network interfaces attached to each desktop, only one (the Internet accessing one) is placed in your subnets and consumes one IP address from your subnets, the management interface (for streaming desktop video and operation) is attached to AWS managed VPC not visible to you. Behind the scene, AWS also creates two subnets in the managed VPC just as you did, to provide same HA capability. A larger VPC CIDR would be a better answer, but since we could add more CIDR to the VPC, expansion is less of a problem.