Amazon Web Services certsexpert aws Certified Professional Sap-c02 Amazon Web Services Study Notes by Amyra q84 vce pdf

Page: 27 / 50

Exam Name:	AWS Certified Solutions Architect - Professional
Exam Code:	SAP-C02 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Professional
Questions:	674 Q&A's	Shared By:	amyra

Question 108

A company in the United States (US) has acquired a company in Europe. Both companies use the AWS Cloud. The US company has built a new application with a microservices architecture. The US company is hosting the application across five VPCs in the us-east-2 Region. The application must be able to access resources in one VPC in the eu-west-1 Region. However, the application must not be able to access any other VPCs. The VPCs in both Regions have no overlapping CIDR ranges. All accounts are already consolidated in one organization in AWS Organizations. Which solution will meet these requirements MOST cost-effectively?

Options:

Create one transit gateway in eu-west-1. Attach the VPCs in us-east-2 and the VPC in eu-west-1 to the transit gateway. Create the necessary route entries in each VPC so that the traffic is routed through the transit gateway.

Create one transit gateway in each Region. Attach the involved subnets to the regional transit gateway. Create the necessary route entries in the associated route tables for each subnet so that the traffic is routed through the regional transit gateway. Peer the two transit gateways.

Create a full mesh VPC peering connection configuration between all the VPCs. Create the necessary route entries in each VPC so that the traffic is routed through the VPC peering connection.

Create one VPC peering connection for each VPC in us-east-2 to the VPC in eu-west-1. Create the necessary route entries in each VPC so that the traffic is routed through the VPC peering connection.

Discussion

Question 109

A company is planning to migrate its applications from an on-premises data center to AWS. The on-premises data center has an AWS Direct Connect connection. The company needs to test IPv6 connectivity in the VPC so that the applications can communicate with more customers worldwide.

A solutions architect has created a VPC with an IPv6 CIDR block.

Which networking configurations will meet these requirements? (Select TWO.)

Options:

Launch an Amazon EC2 instance into a public subnet. Associate an IPv6 address with the instance during launch. Configure a security group, a network ACL, and route tables for IPv6 communication. Associate a virtual private gateway in the VPC with a Direct Connect gateway.

Launch an Amazon EC2 instance into a private subnet. Associate an IPv6 address with the instance during launch. Configure a security group, a network ACL, and route tables for IPv6 communication. Create a route that directs all IPv6 traffic from the private subnet to a NAT gateway.

Launch an Amazon EC2 instance into a public subnet. Associate an IPv6 address with the instance during launch. Configure a security group, a network ACL, and route tables for IPv6 communication. Create a route that directs all IPv6 traffic from the public subnet to an internet gateway.

Discussion

Answer:

C, E

Explanation:

The requirement is to test IPv6 connectivity in an AWS VPC. When a VPC is associated with an IPv6 CIDR block, subnets can be configured to assign IPv6 addresses to resources, and routing must be correctly configured to allow IPv6 traffic to flow.

For public IPv6 connectivity, IPv6 traffic must be routed through an internet gateway. Unlike IPv4, IPv6 addresses are globally routable by default, and there is no concept of NAT for IPv6 egress through a NAT gateway. Therefore, for an EC2 instance in a public subnet that needs inbound and outbound IPv6 connectivity, the subnet route table must include a route that sends IPv6 traffic (::/0) to an internet gateway. Option C correctly describes this configuration and is a standard pattern for enabling IPv6 access for public subnets.

For private subnets that require outbound-only IPv6 connectivity (for example, instances that must initiate connections to the internet but must not accept inbound connections), AWS provides an egress-only internet gateway. An egress-only internet gateway allows outbound IPv6 traffic while blocking unsolicited inbound IPv6 traffic, similar in intent to how a NAT gateway is used for IPv4. Option E correctly uses an egress-only internet gateway for IPv6 traffic from a private subnet, making it the correct choice for private IPv6 connectivity testing.

Option A focuses on Direct Connect integration. Although Direct Connect can support IPv6, associating a virtual private gateway with a Direct Connect gateway is not required simply to test IPv6 connectivity to customers worldwide. This option also does not explicitly configure IPv6 internet routing and therefore does not directly meet the stated requirement.

Option B is incorrect because NAT gateways do not support IPv6. NAT gateways are IPv4-only services, so routing IPv6 traffic to a NAT gateway is not a valid configuration.

Option D is also incorrect because NAT instances do not provide a supported or recommended solution for IPv6 traffic. NAT-based designs are intended for IPv4 address translation and are not used for IPv6 connectivity in AWS.

Therefore, using an internet gateway for public IPv6 subnets and an egress-only internet gateway for private IPv6 subnets is the correct and supported approach.

[References:AWS documentation on IPv6 addressing in Amazon VPC, including requirements for internet gateways and egress-only internet gateways.AWS documentation describing that NAT gateways and NAT instances are IPv4-only and are not used for IPv6 traffic., , , , ]

Question 110

A company ' s solutions architect needs to provide secure Remote Desktop connectivity to users for Amazon EC2 Windows instances that are hosted in a VPC. The solution must integrate centralized user management with the company ' s on-premises Active Directory. Connectivity to the VPC is through the internet. The company has hardware that can be used to establish an AWS Site-to-Site VPN connection.

Which solution will meet these requirements MOST cost-effectively?

Options:

Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory.Deploy an EC2 instance as a bastion host in the VPC. Ensure that the EC2 instance is joined to the domain. Use the bastion host to access the target instances through RDP.

Configure AWS IAM Identity Center (AWS Single Sign-On) to integrate with the on-premises Active Directory by using the AWS Directory Service for MicrosoftActive Directory AD Connector. Configure permission sets against user groups for access to AWS Systems Manager. Use Systems Manager Fleet Manager toaccess the target instances through RDP.

Implement a VPN between the on-premises environment and the target VPC. Ensure that the target instances are joined to the on-premises Active Directory domain over the VPN connection. Configure RDP access through the VPN. Connect from the company ' s network to the target instances.

Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory.Deploy a Remote Desktop Gateway on AWS by using an AWS Quick Start. Ensure that the Remote Desktop Gateway is joined to the domain. Use the Remote Desktop Gateway to access the target instances through RDP.

Discussion

Question 111

A company developed a pilot application by using AWS Elastic Beanstalk and Java. To save costs during development, the company ' s development team deployed the application into a single-instance environment. Recent tests indicate that the application consumes more CPU than expected. CPU utilization is regularly greater than 85%, which causes some performance bottlenecks.

A solutions architect must mitigate the performance issues before the company launches the application to production.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Create a new Elastic Beanstalk application. Select a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that will run if the maximum CPU utilization is over 85% for 5 minutes.

Create a second Elastic Beanstalk environment. Apply the traffic-splitting deployment policy. Specify a percentage of incoming traffic to direct to the new environment in the average CPU utilization is over 85% for 5 minutes.

Modify the existing environment ' s capacity configuration to use a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that will run if the average CPU utilization is over 85% for 5 minutes.

Select the Rebuild environment action with the load balancing option Select an Availability Zones Add a scale-out rule that will run if the sum CPU utilization is over 85% for 5 minutes.