Answers to Assessment Test

  1. A. Only IPsec is a supported VPN protocol.

  2. C. To scale vertically, you need to change the instance type to a larger instance. Setting up a standby instance and moving the IP to this instance will result in the least amount of downtime. The downtime will be equal to the time required for the instance to re-create Internet Protocol Security (IPsec) tunnels and establish Border Gateway Protocol (BGP) neighbor relationships. This will be done automatically, or it will have to be initiated manually by you, depending on the software on the Amazon EC2 instance. If you stop an existing instance and change its instance type, you also suffer the additional downtime required to boot an instance.

  3. D. AWS Direct Connect supports 1000BASE-LX or 10GBASE-LR connections over single mode fiber using Ethernet transport. Your device must support 802.1Q VLANs; 802.1Q tagging is required for creating the virtual interface, but it is not required for creating the connection.

  4. A. A LOA-CFA provides details of the port assignment on the AWS side of the cross-connect with full demarcation and interface details. It is the customer’s responsibility to provide details for their end of the cross-connect. No other region or customer information is provided on the document.

  5. A, B. Setting up an AWS Direct Connect private VIF will enable connectivity to the VPC. With this connectivity in place, a Network Load Balancer will load balance traffic to servers in the VPC and those on-premises.

  6. A. The test VPC can be accessed directly over private VIF. It is not a good practice to access Amazon EC2 instances using public IPs when a more secure alternative exists. Option C is possible, but it induces additional latencies.

  7. B. The minimum size subnet that you can have in a VPC is /28. A /27 Classless Inter-Domain Routing (CIDR) may contain two /28 subnets.

  8. C. When you provision a VPC, each route table has an immutable local route that allows all subnets to route traffic to one another.

  9. C. You cannot add different RFC1918 CIDR ranges to an existing VPC, and you also cannot use new CIDR ranges on existing subnets. In addition, NAT Gateways will not support custom NAT. The only option presented that works is peering to a new VPC.

  10. D. This is the easiest way to ensure that content in an Amazon S3 bucket is only accessed by Amazon CloudFront.

  11. A, B. When using an RTMP distribution for Amazon CloudFront, you need to provide both your media files and a media player to your end users with your distribution. You need two types of distributions: a web distribution to serve the media player and an RTMP distribution for the media files.

  12. D. Enhanced networking can help reduce jitter and improve network performance. Placement groups and lower latency will not assist with flows leaving the VPC. Network interfaces do not affect network performance. An Application Load Balancer will not assist with performance issues.

  13. B. Using more than one instance will increase the performance because any given flow to Amazon S3 will be limited to 25 Gbps. Moving the instance will not increase Amazon S3 bandwidth. Placement groups will not increase Amazon S3 bandwidth either. Amazon S3 cannot be natively placed behind a Network Load Balancer.

  14. B, E. AWS CloudFormation change sets are computed from the differences between an existing stack and a new template. This can be subsequently applied to update the stack. AWS CloudFormation does not inspect the underlying resources to see if they have been altered. Change sets cannot be edited or reversed.

  15. D. A stack can have an IAM service role attached to it that specifies the actions that AWS CloudFormation is allowed to perform while managing the stack. If the stack does not have an attached IAM service role, then the stack uses the caller’s credentials—those of the unprivileged user in this case. Stack policies can also allow resources to be preserved, but all actions are permitted without a policy. If the user did not have permission to call CloudFormation:UpdateStack, then the error would have occurred before any resource updates were attempted.

  16. B. DNS resolution is supported over VPC peering connections; however, DNS resolution must be enabled for the peering connection.

  17. B. To improve the accuracy of geolocation routing, Amazon Route 53 supports the edns-client-subnet extension of EDNS0.

  18. D. When you associate an Amazon CloudFront distribution with an AWS Lambda@Edge function, Amazon CloudFront intercepts requests and responses at Amazon CloudFront edge locations. Lambda@Edge functions execute in response to Amazon CloudFront events in the region or edge location that is closest to your customer.

  19. D. Security groups control access to Amazon RDS.

  20. A. AWS edge locations classify and prioritize traffic to mitigate the impact of malicious actors.

  21. C. Network ACL rules can deny traffic.

  22. D. The PCI DSS audit report contains statements about guest-to-guest separation in the AWS hypervisor. If this guest-to-guest separation assurance is insufficient for your own threat model, Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Instances are also available.

  23. B. Sticky sessions will enable a session to be kept with the same web server to facilitate stateful connections.

  24. D. Because you can access the instance but not the Internet, there is not a default route to the Internet through the on-premises network.

  25. B. VPC peering connections are not transitive.
