Amazon Networking Core exam – Questions and Answers

Networking Core Knowledge Badge Assessment

Question category                                       Total questions
AWS Networking Basics                                   5
Subnets, Gateways, and Route Tables Explained           2
Configuring and Deploying VPCs with Multiple Subnets    4
AWS Network Connectivity Options                        4
Amazon Route 53 – Basics                                2
Amazon Route 53 – Basics of Domain Name System          2
Introduction to Amazon CloudFront                       1
Introduction to AWS Global Accelerator                  2
Introduction to Amazon Direct Connect                   2
AWS Networking Practical Approaches                     4
Getting Started with Application Load Balancer          3
Getting Started with Gateway Load Balancer              3
Getting Started with Network Load Balancer (NLB)        3
Configure and Deploy AWS PrivateLink                    2
Configure and Deploy AWS Client VPN                     2
Introduction to Amazon API Gateway                      2
Service Fundamentals                                    4
Technology                                              1

1) You are deploying a private Software-as-a-Service (SaaS) database application to build a highly scalable and secure service for your customers.
What load balancer type should be used when creating an AWS PrivateLink endpoint service?

  • Application Load Balancer
  • Classic Load Balancer
  • Network Load Balancer
  • Gateway Load Balancer

2) You are part of a small team inside AnyCompany, and you’ve taken the task to deploy a single testing application to AWS as a proof of concept for future migrations, as most of your applications are not on the cloud. The company is managing the corporate DNS domain anycompany.com in an external DNS provider, and you want to make the application available in app.anycompany.com by using AWS’ native DNS service Route 53, as it’s one of the services you want to test.
How can you accomplish this task with minimum administrative overhead and costs?

  • Create a Public Hosted Zone for app.anycompany.com in Route 53. Then create an A record on the anycompany.com DNS zone pointing to the hosted zone created in Route 53.
  • Register the app.anycompany.com domain in Route 53. The service will automatically create a Public Hosted Zone, making app.anycompany.com resolvable on the internet.
  • Create a Public Hosted Zone for anycompany.com on Route 53. Then, migrate the domain to AWS to properly test the DNS capabilities of Route 53.
  • Create a Public Hosted Zone for app.anycompany.com in Route 53. Then delegate the subdomain from the parent domain to this hosted zone using a NS record.

3) As an application engineer for AnyCompany, you are responsible for deploying an application in AWS running on EC2 instances in a Virtual Private Cloud.
How many EC2 instances are required to ensure that the application is resilient?

  • At least 2 EC2 instances in 2 separate Availability Zones which are large enough to handle the full CPU, memory and storage load of the application are required.
  • EC2 instances are designed to be entirely fault tolerant, so one instance is all that is required.
  • You should migrate your application to containers and host it using AWS Fargate, as EC2 instances are not resilient.
  • Have at least one EC2 instance in every availability zone of the region.

4) A customer reported that an internet-facing Network Load Balancer (NLB) was only resolving to one IP address even though the load balancer was enabled in two Availability Zones. They are required to keep all the target servers in a single Availability Zone.
What configuration change could help the customer see all of the NLB's IP addresses upon DNS resolution?

  • Enable Cross-zone load balancing.
  • Enable Client IP preservation.
  • Update the IP address type to dual stack.
  • No need to change any NLB configuration as this is related to some targets in the target group failing health check.

5) Your company currently has multiple VPCs distributed in multiple AWS regions and uses an AWS Direct Connect connection to connect the on-premises resources and AWS. To improve reliability, they decide to add an AWS Direct Connect connection at another Direct Connect location with active/passive load distribution over different connections.
When using the BGP protocol to distribute routes between AWS and on-premises, which BGP attribute should be used to achieve this active/passive load distribution for inbound traffic to on-premises?

  • BGP AS-PATH
  • BGP Local Preference
  • BGP community tags
  • BGP Weight

6) Your company already has a domain (anycompany.com) managed by Route 53. You have deployed a simple web application on a public-facing EC2 instance. Your manager needs to access the web application but wants to use the address demo.anycompany.com rather than the IP address.
Which is the simplest solution?

  • Create an A record in Route 53 using the EC2 public IP as the value.
  • Create a TXT record in Route 53 using the EC2 public IP as the value.
  • Use a load balancer in front and then use an ALIAS record pointing to the DNS entry of the load balancer.
  • Create a CNAME record in Route 53 using the EC2 public IP as the value.

7) A gaming company hosts weekend gaming marathons for its customers. The game servers are hosted on multiple EC2 instances. As their cloud architect, you want to ensure an experience of minimal lag and effective distribution of the incoming network traffic across the various servers.
Which of the following BEST describes the primary usage of a Network Load Balancer in AWS that would address this requirement?

  • Caching static content from the web applications to reduce the load on the origin servers.
  • Managing session state of web applications by storing session cookies.
  • Distributing incoming network traffic across multiple EC2 instances for low latency and high throughput
  • Analyzing and monitoring application traffic for potential security threats.

8) Your company wants to move all its infrastructure to the AWS Cloud and has the domain name for its website registered with another registrar.
Which AWS service will allow domain name registration and transfer?

  • Amazon Route 53
  • AWS Marketplace
  • Amazon VPC
  • AWS CloudFront

9) A customer has configured a 10 GBps AWS Direct Connect Connection.
Which parameter is unique to the creation of a private virtual interface?

  • Virtual Private Gateway Id (VGW)
  • AWS Direct Connect Connection Id
  • VLAN
  • Virtual Interface Name

10) Your company wants to migrate ten workloads from on-premises to the AWS cloud. Some of the supporting services will be retained on-premises. The migration team has estimated needing at least 3 Gbps of network throughput between the data center and AWS.
Which AWS services can link your on-premises network to your AWS VPC with at least 3 Gbps of network throughput? (Select TWO)

  • AWS Direct Connect
  • AWS Site-to-Site VPNs connected to a Virtual Private Gateway
  • AWS Client VPN
  • VPC Peering
  • AWS Site-to-Site VPNs connected to an AWS Transit Gateway

11) Your company uses AWS Direct Connect to connect your locations around the world to your resources, such as Amazon VPCs running inside AWS. You also need to send data between these locations without interacting with any AWS resources.
Which AWS Direct Connect feature should you use?

  • AWS Transit Gateway
  • AWS Cloud WAN
  • Border Gateway Protocol (BGP)
  • AWS Direct Connect SiteLink

12) AnyCompany wants to use a fleet of 3rd party firewalls in an Amazon VPC for traffic inspection. They have decided to use the AWS Gateway load balancer to improve the availability and scalability of the firewall appliances.
Which protocol does the Gateway Load Balancer (GWLB) use to talk to the firewall appliances?

  • GRE
  • MACSEC
  • Geneve
  • IPSEC

13) AnyCompany is a startup planning to launch a web-based application with anticipated heavy traffic and needs to handle it without performance degradation while ensuring data security and application availability. The application consists of web and application servers and a database.
Which of the following deployment strategies will BEST handle these requirements?

  • Set up a single VPC, create a subnet per AZ, and put all components inside those subnets to maximize network performance. Use Auto Scaling for the web and application servers and Amazon RDS for the database server.
  • Set up a single VPC and create a public subnet in each AZ for the web servers and a private subnet in each AZ for the application and database servers. Use Elastic Load Balancing to distribute traffic and AWS Auto Scaling to adjust the number of web and application servers as required.
  • Set up a single VPC, and in each AZ create a public subnet for the web servers and a second public subnet for the application servers. Use Amazon DynamoDB as a serverless database to handle high traffic.
  • Set up a single VPC, create one public subnet for web servers, and another public subnet for the application servers. Use Amazon RDS in a private subnet for the database.

14) A global company has a website with multiple languages and serves static content, such as articles, videos, and images, to users worldwide. They are experiencing slow loading times and want to improve the performance and delivery of their content to their users.
Which AWS service should the company use to meet its goal?

  • AWS Global Accelerator
  • Amazon CloudFront
  • Amazon Elastic Load Balancer
  • Amazon Route 53

15) You are a network engineer at a company with hundreds of AWS accounts. You need to provide a single point of egress for Internet traffic and have created an AWS account with an Internet Gateway and a NAT Gateway attached to a VPC.
Which option would provide the most efficient and scalable connectivity to connect and route traffic through the egress VPC?

  • Transit Gateway
  • PrivateLink
  • IPSEC VPN
  • VPC Peering

16) You have deployed a multi-player game in only one AWS region. Your end users are globally distributed. You want to ensure that end users get the best experience despite internet latency.
What is the simplest and most effective solution here?

  • AWS Global Accelerator
  • IPSec VPN
  • DirectConnect
  • Client VPN

17) You have been asked to create a global network using AWS Cloud WAN.
Which of the following AWS Cloud WAN components do you create first?

  • A Core Network. (An AWS Cloud WAN network managed by AWS.)
  • A Transit Gateway.
  • A Core Network Edge (Regional Connection point) for each AWS Region you want to connect.
  • A Global Network. (A high-level container for your networking objects.)

18) A financial services company bought a SaaS application from the AWS Marketplace. The SaaS application is available through AWS PrivateLink and shall be consumed by the company’s existing stock broker service. This service and its integration are business-critical and thus require a design which is secure and highly available at the same time.
Which option would BEST meet the above requirements?

  • Create an interface VPC endpoint in the consumer VPC and enable all availability zones.
  • Create an interface endpoint in the default VPC and enable single availability zone.
  • Establish a VPC Peering connection between the consumer VPC and the VPC of the SaaS application.
  • Attach a gateway endpoint to the consumer VPC and point the routes in your route tables at it.

19) You have found that an Amazon EC2 instance in a VPC is resolving to a different IP address for the domain name corp.anycompany.org compared to servers that are on-premises and using public DNS resolvers. The EC2 instance is using the Route 53 resolver.
What could be the cause of this behavior?

  • The EC2 instance running the Route 53 resolver is misconfigured.
  • The Route 53 resolver is malfunctioning – contact AWS Support.
  • The VPC is configured with a Route 53 Private Hosted zone that has a record for corp.anycompany.org.
  • The public hosted zone for corp.anycompany.org in Route 53 is using an incorrect NS record.

20) An Application team requires their Amazon EC2 instances to be connected with Amazon S3. They are concerned about security as they do not want the application to have access to the public internet.
Which service would support this requirement with the LOWEST cost?

  • AWS Site-to-Site VPN
  • AWS Direct Connect
  • Gateway VPC endpoint
  • Interface VPC endpoint

21) AnyCompany is hosting an application on EC2 instances behind an Application Load Balancer. While troubleshooting, an engineer wants to find the IP address of the client making requests to the application.
How can the engineer find the client IP address while observing traffic on the target instance behind the ALB?

  • X-Forwarded-For is enabled by default on the load balancer. Just ensure the customer’s instances can process the X-Forwarded-For information.
  • The Proxy Protocol header is enabled by default on the load balancer. Just ensure the customer’s instances can process the Proxy Protocol information.
  • Enable Proxy-Protocol header on the load balancer.
  • Enable X-Forwarded-For on the load balancer.

22) A logistics company has a web application hosted on an EC2 instance in VPC A. They want to securely access it from their own VPC B, so only the connections initiated from VPC B to VPC A are allowed.
Which of the following options offers the BEST one-way access pattern?

  • Virtual Private Gateway
  • Internet Gateway
  • VPC Peering
  • AWS PrivateLink

23) AnyCompany is deploying a new web application consisting of a single web server and a single SQL server hosted on EC2 instances. The web server should have access to the SQL server, and external internet users will access the web server. The company wants to ensure the SQL server is not accessible from the internet.
Which of the following options best meets the requirements?

  • Create a single VPC, and two public subnets for the web server and SQL server. Create one security group for the web and SQL servers with appropriate rules to allow traffic to the EC2 instances.
  • Create a single VPC and create two private subnets each for the web server and SQL server. Create two NACLs, one for each EC2 server (web and SQL).
  • Create a single VPC, and two public subnets for the web server and SQL server. Create one NACL for the web and SQL servers with appropriate rules to allow traffic to the EC2 instances.
  • Create a single VPC and one public subnet for the web server and a private subnet for the SQL server. Create two security groups, one for each server (web and SQL), with the web security group allowing traffic from the internet. The SQL server security group only allows web server Security Group traffic.

24) Anycustomer has a growing business that requires scaling the Layer 4 traffic routing to the network appliances within a short timeframe.
As a solutions architect, what would be your recommendation?

  • Deploy Application Load Balancer to route the traffic.
  • Replace the virtual appliances with AWS Network Firewall.
  • Deploy Network Load balancer to route the traffic.
  • Deploy a Gateway Load Balancer to support Layer 4 virtual appliances that can scale as needed.

25) You have deployed an application to an auto-scaling group of EC2 Instances. An application load balancer routes traffic to the auto-scaling group. The target protocol of the health check in the target group is configured to be HTTP on the default port 80. You learn from the lead application developer that the health check page of the application is available on HTTP port 8081.
What should you do to implement this type of health check?

  • Disable health checks on the target group.
  • Navigate to advanced health settings in the target group, override the health check port to use port 8081, and ensure you have the correct health check path.
  • Change the listener port on the target group to use port 80.
  • This is not possible. An application load balancer’s health check can only be configured on the same port as the listener(s).

26) Your organization is deploying Amazon VPC Lattice to make it easier for your developers to connect their services to other services.
Which tool or service is used to provide authentication and authorization?

  • Amazon VPC Network Access Analyzer
  • Network Access Control Lists (NACL)
  • AWS Identity and Access Management (IAM)
  • AWS Verified Access

27) The networking team of a company has a requirement to encrypt network traffic between their router and AWS router in a Direct Connect location.
What feature should the networking team use to achieve this?

  • It is necessary to add a third-party feature to the AWS Direct Connect link to encrypt it.
  • Based on the VIF used in the AWS Direct Connect link, the encryption feature can be activated.
  • MAC Security (MACsec)
  • No feature is necessary as AWS Direct Connect links are encrypted by default.

28) As a network engineer, you are configuring an Application Load Balancer to route Layer 7 traffic from the internet to the Amazon EC2 instance deployed in the private subnet behind the ALB. You have attached an Internet Gateway to the VPC.
Which configuration will enable the ALB to route traffic from the internet to the subnet?

  • The ALB configuration scheme needs to be set to ‘Internet-facing’
  • Remove the Internet Gateway.
  • The ALB configuration scheme needs to be set to ‘Internal’.
  • The ALB needs to be replaced by an NLB to route traffic from internet to the private subnet.

29) A network engineer is asked to configure AWS Client VPN for remote users so they can access applications hosted inside of the Amazon VPC. The connection should only be used to access the application, not the internet.
What step should the network engineer take to achieve this requirement?

  • Enable split-tunnel for Internet Gateway attached to the Amazon VPC.
  • Add a default route 0.0.0.0/0 in the Client VPN endpoint’s route table.
  • Add a default route 0.0.0.0/0 in the VPC’s default route table.
  • Enable split-tunnel during the creation process of AWS Client VPN endpoint.

30) You are a new solutions architect working for AnyCompany and have been tasked with designing a secure environment to host a new application in AWS. You want to leverage the AWS Cloud Adoption Framework to inform your design.
According to the Security Perspective, what is the first step you should take?

  • Think about the geographical location where you will host the data.
  • Think about incident response requirements.
  • Think about the data you are going to be protecting.
  • Think about the required perimeter controls.

31) Your company uses AWS Cloud WAN to make your wide area network easier to manage. You want to empower others in your company to attach resources to your network and automatically associate them with the right network segments.
What approaches can you use to identify which attachments receive which policies? (Select THREE)

  • Apply network access control lists (NACLs) to groups of attachments.
  • Apply security groups to the network attachments.
  • Create a NAT Gateway in a public subnet and add a default route to Cloud WAN.
  • Use metadata associated with attachments to automatically map them to network segments
  • Apply Tags to attachments to automatically map them to network segments
  • Manually associate new attachments with network segments.

32) A customer is experiencing issues with their network application availability. Upon examination, the engineer notices that the virtual appliances malfunctioned and dropped out of the network. As a result, the end users are experiencing disconnects and loss of application availability.
How do you improve the virtual appliance availability for the customer?

  • Replace the current virtual appliances with new virtual appliances that are state of the art and would prevent the failures.
  • Replace the virtual appliances with AWS Network Firewall.
  • Deploy a Gateway Load Balancer to reroute traffic from the unhealthy virtual appliance to a healthy instance through graceful failover.
  • Add new virtual appliances to the network and see if the availability improves for the customer.

33) Your company uses AWS Client VPN to provide employees with remote access to resources on AWS. A new server was recently deployed on-premises, and employees also need to remotely access this server. All remote access to this server needs to be encrypted and authenticated for security reasons.
What option would meet this requirement with the LEAST amount of operational overhead?

  • Assign the Public IP and deploy the server behind the local firewall.
  • Use AWS Direct Connect to connect to this server, so that users can use Client VPN to access this server.
  • Install the OpenVPN client on this server and use the client-to-client access function of AWS Client VPN to provide remote access.
  • Deploy an SSL VPN gateway on-premises to provide remote access, and deploy Microsoft AD to manage users and authentication.

34) You are working as a solutions architect in a financial startup. The CTO instructed you to launch a server on a Reserved EC2 instance in us-west-2 region’s private subnet, which is using IPv6. Due to the financial data that the server contains, the system should be secured to avoid any unauthorized access and to meet compliance requirements.
Which VPC feature allows the EC2 instance to communicate with the internet but prevents inbound traffic?

  • Remove the default route 0.0.0.0/0 on the Reserved EC2 Instances.
  • NAT Gateway
  • Egress-only Internet Gateway
  • Route the traffic through ELB.

35) AnyCompany has a large user base and wishes to create a chat application for their community to collaborate. As a solutions architect, you are tasked with building this environment in AWS using serverless technologies. The browser-based chat client needs a persistent bi-directional link with the chat server, so the server can push new messages to the client over a connection the client initially established.
Which AWS services could AnyCompany use to create the chat application?

  • Create a REST API in API Gateway, use AWS Fargate for the compute backend and Aurora Serverless for application data storage.
  • Create an HTTP API in API Gateway, use Lambda for the compute backend and DynamoDB for application data storage. Have the chat clients poll the API regularly for new messages.
  • Create a REST API in API Gateway for the incoming requests, and send outgoing chat messages to clients using Amazon SNS. Use Lambda as the compute backend and DynamoDB for application data storage.
  • Create a WebSocket API in API Gateway, use Lambda as the compute backend and DynamoDB for application data storage.

36) You have been asked to make it easier to connect, secure, and monitor network communications between the services your developers are building, and you have decided to deploy AWS Lattice.
As the network administrator, what is the first step in deploying Amazon VPC Lattice?

  • Define auth policies.
  • Define target groups.
  • Create a service network.
  • Associate clients with services.

37) A team is building an HTML form to be hosted in a public Amazon S3 bucket. The form uses JavaScript to post data to an Amazon API Gateway endpoint. The endpoint is integrated with AWS Lambda functions.
Which steps must be completed for the form to successfully post to the API Gateway and receive a valid response? (Select TWO)

  • Configure the S3 bucket to allow cross-origin resource sharing (CORS).
  • Request a limit increase for API Gateway.
  • Enable cross-origin resource sharing (CORS) in API Gateway.
  • Host the form on Amazon EC2 instance.
  • Configure the S3 bucket for web hosting.

38) AnyCompany has recently moved its workloads to the AWS cloud. It has implemented a 3-tier architecture with web servers configured in a public subnet and database servers in a private subnet. Web servers are successfully rendering AnyCompany’s website. However, the database servers need to download patches from the Internet and cannot do so.
Which option will allow the Database servers access to the Internet to download patches while preventing any inbound traffic to the Database servers originating from the Internet?

  • Create a NAT Gateway in the private subnet and add a default route in the Database route table to point to the newly created NAT Gateway.
  • Create an IGW in the Database private subnet and add a default route in the Database route table to point to the newly created IGW.
  • Create a NAT Gateway in the public subnet and add a default route in the Database route table to point to the newly created NAT Gateway.
  • Create a NAT Gateway in the public subnet and add a default route in the web server route table to point to the newly created NAT Gateway.

39) AnyCompany has three application environments: development, staging, and production. The security team has tasked a network engineer to design a network that provides isolation between the environments. Certain Amazon EC2 instances in each of the environments must be able to communicate with one another without traversing the public internet.
Which design BEST meets the requirements?

  • Create only a single VPC and a single subnet so that each environment can communicate. Use only security groups to segment resources.
  • Configure three VPCs with unique CIDRs, one for each environment. Create two VPC peering connections and use NACLs and security groups to provide isolation.
  • Configure three VPCs, one for each environment. Create one EC2 instance in each VPC running third-party software VPNs. Establish 3 VPN connections to ensure traffic remains encrypted between the VPCs.
  • Configure three VPCs with unique CIDRs, one for each environment. Create a VPC peering connection between each VPC (total of 3) and use NACLs and security groups to provide isolation.

40) AnyCompany has a requirement to inspect traffic ingressing/egressing the AWS environment using third-party appliances.
Which load balancer type is most suitable for this requirement?

  • Network Load Balancer
  • Classic Load Balancer
  • Application Load Balancer
  • Gateway Load Balancer

41) You are the network engineer for a small company with a web application hosted on an Amazon EC2 instance. The web application communicates with a database hosted on an on-premises server. The company requires an AWS networking service to provide a private and reliable connection between the database and the web application. The security team has a requirement that the network traffic must not traverse the Internet.
Which service would BEST meet the requirements?

  • AWS Site-to-Site VPN
  • AWS VPC Peering
  • AWS Direct Connect
  • Amazon CloudFront

42) A company’s critical finance application runs on an Amazon EC2 instance in a VPC. The EC2 instance must publish the custom metrics and application logs to Amazon CloudWatch in the same AWS Region. Connectivity between the Amazon EC2 instance and CloudWatch must not traverse the public internet.
Which of the following options will meet the requirement?

  • Establish the VPN connectivity from Amazon EC2.
  • Connect the Amazon EC2 Instance to CloudWatch by creating the Interface endpoint.
  • Deploy the AWS Transit Gateway and connect the Amazon EC2 VPC to the AWS Transit Gateway. Configure the route to establish connectivity between Amazon EC2 and CloudWatch.
  • Connect the Amazon EC2 instance to CloudWatch by creating the Gateway endpoint.

43) In an R&D brainstorming session, the CTO of a startup wants to test a new application feature before rolling it out to the public. They want to limit the test to the two regional endpoints in the Middle East: Bahrain and UAE. The required traffic dial percentage is 70:30 (Bahrain:UAE).
Which service can be recommended to the board for this scenario?

  • AWS CloudFront
  • AWS Transit Gateway
  • AWS PrivateLink
  • AWS Global Accelerator

44) You are designing a new VPC to support your organization’s migration to the cloud.
Which of the following CIDRs for IP addresses can be assigned to an Amazon VPC?

  • 10.0.0.0/30
  • 10.0.0.0/27
  • 10.0.0.1/32
  • 10.0.0.0/29

45) AnyCompany uses a single network load balancer (NLB) which distributes traffic to applications across three availability zones running on EC2 containers. An issue has been identified where containers in one AZ access applications in a different AZ, causing high latency and creating added cost.
What action can be taken to ensure containers will not access applications in a different AZ?

  • Deploy the NLB in a single AZ
  • Implement Security Groups to restrict cross-AZ traffic.
  • Append the Availability Zone name to the NLB DNS.
  • Enable Cross-Zone traffic

46) Your company decided to migrate its workloads to the AWS cloud. You are working with the Chief Operating Officer and need to explain your company’s responsibilities as part of the shared responsibility model.
What are the responsibilities of customers in the AWS Cloud? (Select TWO)

  • Patching hypervisor
  • Physical network
  • Server-side encryption (file system and data)
  • Patching operating System
  • Physical hardware

47) A recently hired cloud engineer is working on a strategic migration plan for a medium sized retail business that will need to operate in multiple AWS regions. The engineer wants to follow AWS best practices in designing the new AWS environment.
What is the best design practice for VPCs?

  • Customers must build a custom VPC as default VPCs do not exist in AWS environments.
  • Create a custom VPC for production and development environments and leave the default VPC.
  • The default VPC is adequate and is the recommended best practice.
  • Delete the default VPC in every region.

48) Your team has been tasked to provide high-throughput and low-latency access to its Amazon S3 buckets.
Which of the following meets the requirements?

  • AWS Managed Site to Site VPN with Virtual gateway
  • EC2-hosted VPN with VPC gateway endpoints
  • AWS Managed Site to Site VPN connection with Gateway endpoint
  • Direct Connect with Public VIF
