Appendix
Answers to Review Questions

Chapter 1: Introduction to Advanced Networking

  1. B. AWS Direct Connect provides private connectivity between customer environments and AWS.

  2. C. Amazon CloudFront is a Content Distribution Network (CDN) that operates from AWS edge locations.

  3. D. AWS Regions contain two or more Availability Zones. Availability Zones contain one or more data centers. Edge locations are located throughout the Internet.

  4. D. AWS Regions contain two or more Availability Zones. Availability Zones contain one or more data centers. A region contains a cluster of two or more data centers.

  5. A. AWS Regions contain two or more Availability Zones. Availability Zones contain one or more data centers. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another zone can handle requests.

  6. C. Amazon Virtual Private Cloud (Amazon VPC) allows customers to create a logically-isolated network within an AWS Region.

  7. A. AWS Shield provides DDoS mitigation. AWS Shield Standard is available to all customers at no additional charge.

  8. A. The AWS global infrastructure is operated by a single company, Amazon.

  9. B. Amazon VPC is an isolated, logical portion of an AWS Region that you define.

  10. B. The mapping service maintains topology information about every resource in a VPC.

  11. D. When you create an Amazon VPC, you choose the IPv4 address range to use. You may optionally enable IPv6 on your Amazon VPC.

  12. B. Amazon Route 53 is a managed Domain Name System (DNS) service. You may register domains using Amazon Route 53.

  13. A. AWS Direct Connect lets you create a dedicated network connection between your location and AWS. AWS Direct Connect provides a more consistent network experience than the Internet.

  14. C. AWS WAF allows you to create web Access Control Lists (ACLs) to protect your Amazon CloudFront and Elastic Load Balancing (for example, Application Load Balancer) environments.

  15. B. Elastic Load Balancing provides application traffic distribution among healthy Amazon EC2 instances in your Amazon Virtual Private Cloud (Amazon VPC).

Chapter 2: Amazon Virtual Private Cloud (Amazon VPC) and Networking Fundamentals

  1. C. You need two public subnets (one for each Availability Zone) and two private subnets (one for each Availability Zone). Therefore, you need four subnets.

  2. B. The NAT gateway uses an IPv4 Elastic IP address when it performs many-to-one address translation. In order for the traffic to route to the Internet, the NAT gateway must be placed in a public subnet with a route to an Internet gateway.

  3. D. Placement groups are designed to provide the highest performance network between Amazon Elastic Compute Cloud (Amazon EC2) instances.

  4. A. When you create an Amazon VPC, a route table is created by default. You must manually create subnets and an Internet gateway.

  5. A. You may only have one Internet gateway for each Amazon VPC.

  6. B. Security groups are stateful, whereas network ACLs are stateless.

  7. D. A customer gateway is the customer side of a VPN connection, and an Internet gateway connects a network to the Internet. A Virtual Private Gateway (VGW) is the Amazon side of a VPN connection.

  8. D. Attaching an elastic network interface associated with a different subnet to an instance can make the instance dual-homed.

  9. C. Each Amazon VPN connection provides two IPsec tunnel endpoints.

Chapter 3: Advanced Amazon Virtual Private Cloud (Amazon VPC)

  1. D. VPC endpoints provide private access to otherwise public services. This access method does not decrease performance or increase availability. In addition, the services are still available through public APIs unless service-specific configurations, such as Amazon Simple Storage Service (Amazon S3) bucket policies, have been configured to limit access to VPC endpoints.

  2. D. This is expected behavior when you limit access to a VPC endpoint. It is possible that a proxy also blocks access. The objects are still there. The VPC endpoint policy does not have a condition that applies specifically to the console, and endpoint policies do not restrict which resources can access buckets. In order to enable access to Amazon S3 buckets through the AWS Management Console, you must allow public access.

  3. C, D. AWS PrivateLink applies source Network Address Translation (NAT), so the source IP will not be natively available. VPC peering allows bidirectional communication, but it does not allow better performance or scalability. AWS PrivateLink is unidirectional only. AWS PrivateLink does support more spoke VPCs than VPC peering. AWS PrivateLink will not increase the performance; that only comes from adding more resources.

  4. A, B. AWS PrivateLink only supports TCP traffic. It is possible to use the IPv4 address of an AWS PrivateLink endpoint as opposed to the DNS name. There is no inherent authentication for VPC endpoints, other than what is defined at an application level. You cannot create a VPN through an AWS PrivateLink because it does not support IPsec.

  5. A, D. DNS must be enabled for Amazon S3 endpoints to function. Amazon S3 endpoints do not require IP addresses. Endpoints also are not affected by private or public subnets. Amazon S3 endpoints do require a route in the routing table.

  6. B, E. Inbound security groups do not define outbound policy. In addition, the NAT instance could have an iptables rule or similar firewall rule for 8080. It is possible for NAT instances to run out of ports, but it is nearly impossible for multiple instances to simultaneously run out of ports for 8080 because they support 65,000 ports. Inbound network ACL rules block inbound ports, not outbound ports, in this case. It is also possible for the server to be blocking the addresses or method you are using to access port 8080.

  7. C. Transitive routing prevents instances from communicating across transitively peered VPCs. If instances are configured to use a proxy, then the destination IP on each hop is an instance in the peered VPC. You cannot define a route to a network interface in a peered VPC.

  8. C, D. AWS PrivateLink does not use prefix lists. Instances do not need additional interfaces to use VPC endpoints. Instances do need to support DNS and to use the correct entry. Security groups can block access to private services. A route table with AWS PrivateLink will not have IP addresses.

  9. A, D. You cannot create new CIDR ranges if you are at the maximum allowed routes. Subnets and VPCs do not affect new CIDR ranges. There are limitations on valid CIDR ranges based on the original CIDR range defined. Other VPCs do not create dependencies when adding CIDR ranges. The VPC is new and so would not be peered with any other VPCs.

  10. D. The routing, subnets, and new CIDR range are valid. New CIDR ranges must be more specific than existing routes, which is the case here. CIDR ranges do not need to be contiguous.

  11. C, D. AWS PrivateLink can scale to this use case, as well as provide central services. Another option is to access these services over the Internet, provided that authentication and encryption are strong. VPC peering does not work with thousands of VPCs. Security groups cannot be referenced without an associated peering connection. You cannot create a VPN between two VGWs because neither will initiate a connection.

  12. C. You cannot add different RFC1918 CIDR ranges to an existing VPC, and you also cannot use new CIDR ranges on existing subnets. In addition, NAT Gateways will not support custom NAT. The only option presented that works is peering to a new VPC.

  13. B. This is a test of transitive routing rules. The only connection that has an external source from the perspective of VPC routing and an external destination is the virus scan. Traffic within the VPN stays on the instance and can route. The API request is sourced from an instance in the peered VPC and the destination is an instance. While the web request appears to be an external source and destination, the packet is tunneled, so VPC sees it as a new flow, where the source is the network interface of the VPN server.

  14. A, D. The Network Load Balancer and interface VPC endpoints are accessible over AWS Direct Connect. Gateway VPC endpoints require a proxy. The AWS metadata service isn’t a network interface, so it could work through a proxy but would return results specific to the proxy.

  15. C. The one large VPC approach and the replication approach do not meet the organizational requirements. Cross-account network interfaces will not scale, and you do not route code. This leaves AWS PrivateLink, which provides scalability and meets the requirements.

  16. A, C. Auto-assigned addresses are not eligible for recall. You can only recall Elastic IP addresses the account has owned. Tagging is not necessary. It is possible to recall Elastic IP addresses in some scenarios. The Elastic IP address is not related to an instance number because it won’t be automatically associated with an instance but rather returned to the account.

Chapter 4: Virtual Private Networks

  1. A, E. VGW is the managed VPN endpoint for your Amazon VPC. Alternatively, you can terminate VPN on an Amazon EC2 instance.

  2. B. Two tunnels are required: one to each of the Virtual Private Gateway’s (VGW) endpoints.

  3. B, C. When you create a dynamic tunnel, BGP is used. When you create a static tunnel, static routes are used.

  4. D. In an Amazon EC2-based VPN termination option, you are responsible for maintaining all infrastructure from the operating system level up. AWS is responsible for maintaining the underlying hardware and hypervisor.

  5. A. The Source/Destination Check attribute controls whether source/destination checking is enabled on the instance. Disabling this attribute enables an instance to handle network traffic that isn’t specifically destined for the instance. Because this Amazon EC2 instance will handle and route traffic to all Amazon EC2 instances in the VPC in this case, this check has to be disabled.

  6. C. Virtual Private Gateway supports only the IPsec VPN protocol. Options B and D are not supported. Option A, while supported, is not mandatory.

  7. B. Option A is wrong because VGW doesn’t support client-to-site VPN. Option C, while a valid choice, has management overhead associated with implementing and maintaining the automation described. Option D achieves less availability when compared to option B.

  8. B. Unlike site-to-site VPN, AWS currently doesn’t offer a managed gateway endpoint for this type of VPN setup. You will have to use an Amazon EC2 instance as a client-to-site VPN gateway.

  9. C. SSL or Transport Layer Security (TLS) works at the application layer and encrypts all TCP traffic. SSL is a more efficient algorithm than IPsec and is easier to deploy/use. By using SSL, you can also encrypt only the traffic for the application that requires it, whereas with IPsec all traffic is encrypted. Option D is incorrect because it covers encryption at rest, while the question is about achieving encryption in motion.

  10. A. The IP addresses of the VGW endpoints are automatically generated. These IP addresses are used to terminate the VPN connections.

Chapter 5: AWS Direct Connect

  1. C. The VGW provides connectivity to your Amazon VPC. The Internet gateway provides access to the Internet. VPC endpoints are for specific AWS Cloud services. A peering connection is used to connect to other VPCs.

  2. A. AWS Direct Connect requires the use of BGP to exchange routing information.

  3. D. One is the minimum number of connections in a LAG.

  4. D. AWS Direct Connect supports public and private VIFs.

  5. A. Each AWS Direct Connect location has a minimum of two devices for resilience, meaning that a resilient connection can be established at a single location if desired.

  6. C. One hundred prefixes can be announced over a private VIF.

  7. A. A LAG behaves as a single Layer 2 connection. Each provisioned virtual interface (VIF) spans the LAG but requires only a single BGP session.

  8. B. Local routes to the VPC are always the highest priority route. Amazon VPC does not allow you to have more specific routing than the VPC Classless Inter-Domain Routing (CIDR) range.

  9. B. A customer can define and allocate a VIF to another AWS account. This configuration is a hosted VIF.

  10. D. The only mechanism to stop billing on an AWS Direct Connect connection is to delete the connection itself. Even with all the VIFs deleted, you are still charged the port-hour fees for the connection.

Chapter 6: Domain Name System and Load Balancing

  1. A, E. There are two types of hosted zones: private and public. A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon VPCs. A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain.

  2. D. Amazon Route 53 can route queries to a variety of AWS resources. It is important to know what resources are not applicable, such as AWS CloudFormation and AWS OpsWorks.

  3. C. If you want to stop sending traffic to a resource, you can change the weight for that record to 0.

  4. A. If you associate a health check with a multivalue answer record, Amazon Route 53 responds to Domain Name System (DNS) queries with the corresponding IP address only when the health check is healthy. If you do not associate a health check with a multivalue answer record, Amazon Route 53 always considers the record to be healthy.

  5. D. You get access to Amazon Route 53 traffic flow through the AWS Management Console. The console provides you with a visual editor that helps you create complex decision trees.

  6. D. You can enable this function using a multivalue answer routing policy.

  7. A. Classic Load Balancer and Application Load Balancer IP addresses may change as the load balancers scale. Referencing them by their IP addresses instead of DNS names may result in some load balancer endpoints being underutilized or sending traffic to incorrect endpoints.

  8. B. When the enableDnsHostnames attribute is set to true, Amazon will auto-assign DNS hostnames to Amazon EC2 instances.

  9. D. enableDnsHostnames indicates whether the instances launched in the VPC will receive a public DNS hostname. enableDnsSupport indicates whether the DNS resolution is supported for the VPC. Both must be set to true for your Amazon EC2 instances to receive DNS hostnames within your VPC.

  10. B. Network Load Balancer has support for static IP addresses for the load balancer. You can also assign one Elastic IP address per Availability Zone enabled for the load balancer.

Chapter 7: Amazon CloudFront

  1. C. A CDN is a globally distributed network of caching servers that speed up the downloading of web pages and other content. CDNs use DNS geolocation to determine the geographic location of each request for a web page or other content.

  2. D. If the content is already in the edge location with the lowest latency, Amazon CloudFront delivers it immediately. If the content is not currently in that edge location, Amazon CloudFront retrieves it from the origin server to deliver.

  3. A, B, C. Amazon CloudFront is optimized to work with other AWS Cloud services as the origin server, including Amazon S3 buckets, Amazon S3 static websites, Amazon EC2 instances, and Elastic Load Balancing load balancers. Amazon CloudFront also works seamlessly with any non-AWS origin server, such as an existing on-premises web server.

  4. B. Objects expire from the cache after 24 hours by default.

  5. D. This feature removes the object from every Amazon CloudFront edge location regardless of the expiration period that you set for that object on your origin server.

  6. A. You control which requests are served by which origin and how requests are cached using a feature called cache behaviors.

  7. D. When streaming with Amazon CloudFront and using either of those protocols, Amazon CloudFront will break video into smaller chunks that are cached in the Amazon CloudFront network for improved performance and scalability.

  8. C. When you add alternate domain names, you can use the wildcard * at the beginning of a domain name instead of specifying subdomains individually.

  9. D. To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) Region.

  10. D. To invalidate objects, you can specify either the path for individual objects or a path that ends with the * wildcard, which might apply to one object or many objects.

  11. B. Amazon CloudFront can create log files that contain detailed information about every user request that Amazon CloudFront receives. Access logs are available for both web and Real-Time Messaging Protocol (RTMP) distributions. When you enable logging for your distribution, you specify the Amazon S3 bucket in which you want Amazon CloudFront to store log files.

Chapter 8: Network Security

  1. B. AWS Organizations includes an account creation Application Programming Interface (API) that adds new accounts to the organization.

  2. D. An AWS CloudFormation template contains the textual definition of your environment in JSON or YAML format. When you instantiate a template, it is called a stack.

  3. A, B. Removing the human element with respect to creating, operating, managing, and decommissioning your AWS environment significantly contributes to overall security. People make mistakes, people bend the rules, and people can act with malice.

  4. C. Amazon Route 53 stripes its name servers across four TLD servers to mitigate the impact of a TLD failure.

  5. B. Origin Access Identity (OAI) is a special Amazon CloudFront user that you can associate with your Amazon S3 bucket to restrict access.

  6. B. AWS Certificate Manager uses AWS KMS to help protect the private key.

  7. C. AWS WAF integrates with Amazon CloudFront, Application Load Balancer, and Amazon Elastic Compute Cloud (Amazon EC2).

  8. C, D. AWS Shield Standard provides protection for all AWS customers against the most common and frequently occurring infrastructure (Layer 3 and Layer 4) attacks, like SYN/User Datagram Protocol (UDP) floods, reflection attacks, and others, to support high availability of your applications on AWS.

  9. A. A VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS Cloud service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect.

  10. B. Security groups are stateful, whereas network ACLs are stateless.

  11. D. Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

  12. D. Amazon VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

  13. A. Configure an Amazon CloudWatch scheduled event to call an AWS Lambda function each hour. The AWS Lambda function processes the threat intelligence data and populates an AWS WAF condition. The AWS WAF is associated with the Application Load Balancer.

Chapter 9: Network Performance

  1. A, D. NAT gateways are capable of higher performance than NAT instances. Trying a larger instance type can increase bandwidth capacity to the private subnet instances. Amazon Linux has enhanced networking enabled by default. Only one route can exist for any given prefix.

  2. D. Enhanced networking can help reduce jitter and improve network performance. Placement groups and lower latency will not assist with flows leaving the VPC. Network interfaces do not affect network performance. An Application Load Balancer will not assist with performance issues.

  3. B. Using more than one instance will increase the performance because any given flow to Amazon S3 will be limited to 5 Gbps. Moving the instance will not increase Amazon S3 bandwidth. Placement groups will not increase Amazon S3 bandwidth either. Amazon S3 cannot be natively placed behind a Network Load Balancer.

  4. A, B. R4 instances use network Input/Output (I/O) credits that allow higher bandwidths when credits are available, which may affect baseline performance tests. In addition, the database may have other application-level impacts on the performance of the TCP stream.

  5. A, C. Operating systems must support the appropriate network driver for the correct instance type. The AMI or instance must be flagged for enhanced networking support in addition to having driver support.

  6. D. Jumbo frames are not supported over the Internet, and VPN will not increase throughput. Increasing the packets per second will most likely reduce throughput. There are additional measures that could be taken instead, such as tweaking operating system Transmission Control Protocol (TCP) stacks, using network accelerators, or changing application mechanics.

  7. C. Placement groups will provide more benefit than other features for applications such as High Performance Computing (HPC) that are extremely sensitive to latency and throughput.

  8. C. Distribute flows across many instances to ensure that the bandwidth of any given flow or instance does not limit overall performance. Enhanced networking can assist with performance, but does not increase scale. BGP and VPC routing also do not increase the scale of data transfer.

  9. A. Amazon EBS Provisioned IOPS will help reduce latency and create more consistent disk performance.

  10. C. Jitter is the variance in delay between packets. You can reduce jitter by making delay more consistent. Enhanced networking and eliminating CPU or disk bottlenecks can help reduce jitter.

  11. C, D. C4 instances support the Intel Virtual Function driver, and C5 instances support the ENA driver. In addition, the instance must be flagged for enhanced networking. There are no specific instance routes in an Amazon Virtual Private Cloud (Amazon VPC).

  12. D. If your throughput is lower, increasing the MTU in your Amazon Virtual Private Cloud (Amazon VPC) can increase performance. Unless there are application issues, using the largest MTU available (9,001 bytes) will help increase performance. Jitter is not typically an issue for throughput. Amazon VPC will treat all packets fairly, without QoS. Using a Network Load Balancer per instance would be inefficient and reduce performance.

  13. A, C, E. AWS Direct Connect offers lower latency and more control over monitoring than VPN or Internet connections offer. QoS can be configured on the circuit connected to AWS Direct Connect, but not within the AWS networks. This typically means that the service provider network will honor Differentiated Services Code Point (DSCP) bits, but any egress packets from AWS will be dropped equally. Similarly, jumbo frames can be configured, but this would not offer any performance benefit because jumbo frames are only supported within an Amazon Virtual Private Cloud (Amazon VPC).

  14. A, D, E, G. Amazon CloudWatch metrics and host metrics will be the most efficient way to determine bottlenecks. Packet captures and the other options can help in some situations, but they are not the most efficient. Elastic network interfaces do not affect whether a workload is network bound.

  15. A, D. VPN instances should support enhanced networking for the highest performance possible. IPsec as a protocol can reduce throughput, putting more pressure on both packets per second and bandwidth. The VGW is managed by AWS. IPsec as a protocol doesn’t function through a Network Load Balancer due to non-Transmission Control Protocol (TCP) protocols like Encapsulating Security Protocol (ESP) and User Datagram Protocol (UDP).

  16. B. A single placement group is specific to one Availability Zone, which would reduce availability.

  17. A, C. It is important to support enhanced networking for instances with networking requirements. In addition, the instance sizes and families that the operating system supports will largely define its maximum throughput and bandwidth.

  18. D. The Network Load Balancer will be able to provide lower latency and faster scaling for TCP traffic than the Classic Load Balancer. Both the Application Load Balancer and Amazon CloudFront options require sharing the private key with others. You cannot configure enhanced networking on Elastic Load Balancing.

  19. C. Using AWS Direct Connect is the most accurate answer. AWS Direct Connect does not provide native encryption. VPN connections do not scale individually per connection. Latency is not something you can manage reliably with TCP tuning or network appliances.

  20. D. Larger MTUs allow applications to send more data per packet, which can increase throughput. Jumbo frames are enabled in a VPC by default and work outside of placement groups.

  21. C. DPDK is a set of libraries and tools used to reduce networking overhead in the operating system.

  22. D. Elastic network interfaces do not have an effect on network performance for any instance that supports enhanced networking.

  23. B. Multicast traffic requires Layer 2 switching and routing infrastructure that are not present in a VPC. It is best to redesign the application components and provide low latency with a placement group.

  24. D. Bandwidth is the maximum data transfer rate at any point in the network.

  25. D. TCP has congestion management protocols built-in and will adapt to traffic changes. UDP does not, so it will not natively adapt to changing network conditions.

Chapter 10: Automation

  1. C. AWS CloudFormation can detect syntax errors but not semantic errors. If a service call it makes returns an error, then the stack creation or update process stops. By default, AWS CloudFormation rolls back the stack to the previous state.

  2. A. AWS CloudFormation is not aware that the route must wait for the gateway attachment to finish first, so this dependency must be explicitly stated. The order of resources is irrelevant in a template. Waiting may help reduce the errors, but it does not provide a guarantee and may make create or update operations unnecessarily slower.

  3. D. AWS CloudFormation deletes every resource except those that have a DeletionPolicy of Retain. It does not have a way to detect whether resources are in use (this may prevent a resource from being deleted, but AWS CloudFormation will still attempt to do so). Tags beginning with aws: cannot be altered by users.

  4. A, E. AWS CodePipeline can monitor AWS CodeCommit, public GitHub repositories, and ZIP file bundles on Amazon S3. Repositories stored elsewhere must be published to Amazon S3 as a ZIP bundle.

  5. C. The Amazon CloudWatch Logs agent can be installed on an instance to monitor log files. When data is added to a log file, the agent sends it to Amazon CloudWatch Logs, where it can be aggregated into a single log group.

  6. D. Parameters are the most straightforward way to make a template reusable. The other solutions can be made to work, but they introduce unnecessary complexity into the template.

  7. C. Creating a change set will show how a new template differs from the current stack state. Executing the change set ensures that only those changes are executed. The execution will be rejected if the stack changed since the change set was generated. Executing the template instead may overwrite intermediate changes. The ValidateTemplate API only verifies the syntactic correctness of the template. Approval actions are used with AWS CodePipeline—not AWS CloudFormation.

  8. A. A version control system such as Git provides a history of changes made to the source code and allows you to create branches for experimental development. Amazon S3 versioning only allows linear changes and does not provide visualization capabilities. AWS CloudFormation and AWS CodePipeline do not record history.

  9. D. AWS CloudFormation cannot detect this semantic error. Resource creation is unordered except when there is a dependency, so the order in which the subnets are created is indeterminate. When an error is encountered, AWS CloudFormation attempts to roll back the update.

  10. A. The stack policy can prevent resources from being modified, deleted, or replaced when a stack is updated. The IAM service role will also effectively do this, but it will also prohibit other subnets from being deleted. DeletionPolicy only applies when the AWS CloudFormation stack is being deleted—not the resource itself. Tags starting with aws: cannot be modified.
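Answers 2 and 9 above both rest on the same AWS CloudFormation rule: resources are created in parallel unless a dependency is stated. The template below is an added example, not taken from the book, showing the explicit DependsOn that answer 2 describes; the resource names (VPC, InternetGateway, AttachGateway, PublicRouteTable, DefaultRoute) are assumed.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - a default route that explicitly waits for the gateway attachment
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  DefaultRoute:
    Type: AWS::EC2::Route
    # "!Ref InternetGateway" below only orders this route after the gateway
    # object exists, not after it is attached to the VPC. Without DependsOn
    # the route can be created first, the API call fails, and the stack rolls back.
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
```

The position of DefaultRoute within Resources has no effect on ordering; only the Ref and the DependsOn do.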

Chapter 11: Service Requirements

  1. C, D. Amazon AppStream 2.0 and Amazon WorkSpaces are both AWS Cloud services that support end-user connectivity into applications running within a VPC.

  2. B. There are two adapters connected to each WorkSpace instance: one in a customer Virtual Private Cloud (VPC) and another in an AWS-managed VPC.

  3. B, C. AWS Lambda requires NAT to connect to the Internet. Public IP addresses cannot be assigned to an AWS Lambda function.

  4. A, B, D. Internet connectivity is not a requirement for Amazon EMR; however, Amazon S3 connectivity, DNS hostnames, and private IP addresses are required.

  5. D. AWS Lambda is an AWS Cloud service that allows for serverless code execution.

  6. B, C. A NAT gateway or public IP with an Internet gateway attached to the VPC is required for Internet connectivity within Amazon WorkSpaces. Both options require user configuration and are not set up by default.

  7. B. Amazon RDS is the AWS service that provides managed database instances.

  8. A. A Multi-AZ deployment requires two subnets in order to provide high availability for Amazon RDS.

  9. C. AWS Elastic Beanstalk can automatically provision and scale an infrastructure on behalf of a user.

  10. D. AWS Elastic Beanstalk deploys the infrastructure automatically. Custom Virtual Private Clouds (VPCs) and security groups can be used but are not required.

  11. A, B. AWS Database Migration Service (AWS DMS) facilitates replication between different database engines. Direct connectivity between the databases is not required.

  12. C. Amazon Redshift requires an IP for each node in the cluster, plus one additional IP for the leader node.

  13. D. Only the Amazon RDS hostname (or a CNAME to it) should be used to connect. It will be updated in the event of a failover.

Chapter 12: Hybrid Architectures

  1. A. An AWS Direct Connect public VIF allows private connectivity from on-premises to AWS Cloud services.

  2. B. Host-based IPS/IDS is a more scalable solution and does not impose challenges regarding high availability and throughput scalability that inline IPS/IDS gateways impose. It is also more cost effective because it does not require inline gateways to be run.

  3. A. VGW is a managed endpoint.

  4. A. You can use a VPN/routing software on the Amazon EC2 instance that supports packet manipulation based on QoS markings. Using separate Amazon EC2 VPN instances will not help because the traffic from the VPC to on-premises can only use one Amazon EC2 instance as a gateway. Using two VPCs will not work because the traffic from the VPC to the on-premises gateway will not have QoS and so will contend for the same router resources.

  5. D. Only interface VPC endpoints can be accessed over AWS Direct Connect.

  6. A. To send all traffic via a VPC, you will have to proxy all traffic via Amazon EC2 instances. AWS Storage Gateway supports HTTP proxy in the file gateway mode.

  7. A. You can use a public VIF to access Amazon DynamoDB. You can use Amazon DynamoDB client libraries to encrypt traffic as it is being written to the database. VPN is not required.

  8. B. You can reduce latency by setting up a local hub in the Singapore region. Traffic would then flow from the spoke VPC in the Mumbai region to the hub in the Singapore region and then to the spoke in the Singapore region. GRE should be used over IPsec for reduced latencies because GRE does not encrypt data, resulting in faster packet processing.

  9. C. AWS Direct Connect private VIF will enable connectivity from on-premises Amazon EC2 instances to the on-premises Active Directory server.

  10. C. Transit VPC should not be used for basic hybrid IT connectivity. It should be leveraged only for special scenarios, such as inline packet inspection.

Chapter 13: Network Troubleshooting

  1. B. Sticky sessions will enable a session to be kept with the same web server to facilitate stateful connections.

  2. D. Because you can access the instance but not the Internet, there is not a default route to the Internet through the on-premises network.

  3. C. NAT gateways need to be in a public subnet to enable communication with the Internet.

  4. B. All but a NAT gateway are required for Internet connectivity from a public subnet.

  5. A. There is a limit of 50 VPC peering connections per VPC by default.

  6. E. Answers A through D are all possible misconfigurations.

  7. C, D. Both Domain Name System (DNS) settings must be enabled on a VPC for a private hosted zone to work correctly.

  8. D. Some AWS Cloud services rely on the existence of a default VPC. There is an option to create a new default VPC.

  9. C. Network ACL rules can deny traffic.

  10. A, B. Flow logs and packet captures are two ways to record the source and destination IP addresses of traffic.

Chapter 14: Billing

  1. C. Peering carries a $0.01 per-GB charge for traffic leaving or entering a VPC; therefore, a single flow would cost $0.02 in each direction. Being in the same Availability Zone does not affect pricing.

  2. B. Because the data transfer is to another region, you will be charged for egress from the source region.

  3. B. The VGW IPsec endpoints are considered AWS public IPs, and the resource is owned by you. The reduced AWS Direct Connect rate applies because of these factors.

  4. B. Your on-premises data center is not within the AWS public IP address range, so data transfer is metered as Internet-in, which is not charged.

  5. B. Budgets enable forecasting and allow you to set alarms to trigger on current billing.

  6. B. Charges start when the connection becomes available for the first time, or 90 days from creation, whichever occurs first.

  7. C. The active session charge is used as a component of Load Balancer Capacity Units (LCUs) in Elastic Load Balancing, not in NAT gateway pricing.

  8. A. Data transfer from Amazon S3 to Amazon CloudFront is not charged.

  9. B. The bucket owner always pays for data transfer from their bucket. In this particular example, they pay Internet-out rates.

  10. B. The Availability Zone does not affect the pricing when communicating via public IP, so the charge is at the regional data transfer rate.

Chapter 15: Risk and Compliance

  1. A, C. Security groups and network ACLs permit or deny traffic. These determinations are reflected in Amazon VPC Flow Log data.

  2. D. Amazon Inspector supports evaluation durations between 15 minutes and 24 hours.

  3. A. AWS Artifact provides on-demand access to AWS security and compliance documents, also known as audit artifacts.

  4. A. IAM uses a PARC access model.

  5. A. The AWS CloudTrail record digest uses SHA-256 for hashing.

  6. B. AWS accepts requests via an authenticated, online web form and via email.

  7. D. Authorization may be requested for a maximum of 90 days per request.

  8. C. AWS is responsible for maintaining Amazon VPC separation assurance; however, the customer is responsible for configuring subnets, security groups, NACLs, and other application-layer mechanisms appropriately.

  9. C. The AWS Organizations SCP is applied to member account root users in addition to IAM users.

  10. D. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Chapter 16: Scenarios and Reference Architectures

  1. A. Amazon Route 53 weighted policies provide the most control over how much traffic is directed to specific application resources. Failover policies would not support a gradual migration, and latency-based and geolocation policies offer limited administrative control about which requests get directed at specific application resources.

  2. A. VPN connections typically reuse existing on-premises VPN equipment and Internet connections. AWS Direct Connect requires a new circuit to be provisioned. Options C and D are options for providing access to individual applications or AWS services, not for connecting networks.

  3. D. Amazon Route 53 geolocation policies provide the ability to direct users based on their geographic location, and are therefore the only way to direct customers to applications based on their locality. Weighted and failover policies are indiscriminate of location. Latency-based policies operate based on end-user latency, which often is correlated to end-user location, but not always.

  4. A. AWS WAF can be integrated with Application Load Balancer for blocking IP addresses at scale. Network ACLs can deny traffic but not to the required scale. AWS Shield and Amazon VPC AWS PrivateLink do not provide capabilities for denying network traffic.

  5. A. In this scenario, the network requirements for on-premises network connectivity are exceeding the network capacity of Amazon EC2 instances operating outside of a placement group. This requirement eliminates Options B and D. Option C provides a different interface for interacting with on-premises resources, but it does not reduce the amount of traffic that must traverse the network. AWS Direct Connect connections will allow on-premises connectivity to scale beyond individual Amazon EC2 instance network limitations, and AWS Direct Connect gateway will provide a similar experience as a transit VPC for all attached VPCs.

  6. C. Option A is not highly available. Option B disables cross-region traffic, which is not the desired outcome. Option D is not possible. This leaves option C as the best answer.

  7. B. Amazon Route 53 latency-based policies will route a request to the closest location based on client latency. Weighted and failover policies are indiscriminate of location. Geolocation is indiscriminate of end-user latency.

  8. C. AWS Direct Connect public Virtual Interfaces (VIF) support on-premises access to AWS APIs. All of the other options require additional infrastructure and configuration, which can introduce additional complexity and variability into the network design.

  9. C, D. Amazon Route 53 geolocation policies are suited for directing user traffic to location-specific services. Failover policies are useful for sending requests to a redundant, backup location in the event that the primary site fails its health checks.

  10. D. NAT Gateways provide a highly-scalable network egress option for Amazon EC2 instances in private networks. Egress-only Internet Gateways provide IPv6 egress traffic. Neither transit VPCs nor Amazon EC2 NAT instances are as scalable as NAT Gateways.

  11. A. Replicating your users and permissions to a VPC peered shared services network is the only option that will reduce on-premises network traffic. All of the other options continue to send all authentication and authorization traffic to on-premises resources.
