ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 45 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 45
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?

  • A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.
  • B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer
  • C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
  • D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by zaazanuna at March 19, 2023, 12:25 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
rhinozD
Highly Voted 1 year, 11 months ago
Selected Answer: D
refer this link. https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/
upvoted 8 times
...
cutedragonster
Highly Voted 2 years ago
Selected Answer: D
C is not correct because security group is not a valid source
upvoted 6 times
vikasj1in
1 year, 1 month ago
That's right. Reference link here to find out the proper source & destination - https://docs.aws.amazon.com/vpc/latest/reachability/how-reachability-analyzer-works.html#source-and-destination-resources
upvoted 2 times
...
...
Spaurito
Most Recent 5 months, 3 weeks ago
Reviewing the link provided shows the example of the IGW as a source and EC2 and a destination. D is the best choice as a security group is an path component not a Src/Dst resource.
upvoted 1 times
...
arturogomezb
9 months, 3 weeks ago
source NAT gateway in VPC reachability no simulates conection EC2 -> Nat gateway , but NAT gateway --> EC2 , then it´s possible to change outbound SG rules and no afect to VPC reachability but afect to EC2 --> NAT gateway. In my opinion the option A is ok.
upvoted 1 times
arturogomezb
9 months, 3 weeks ago
Sorry, it´s wrong , the option is D, the conexión to check is from internet NAT gateway --> EC2
upvoted 1 times
...
...
Raphaello
1 year ago
Selected Answer: D
Correct answer is D. IGW and EC2 are valid Reachability Analyzer source/destination.
upvoted 1 times
...
marfee
1 year, 2 months ago
I think that it's correcty answer is D.
upvoted 2 times
...
MarcosSantos
1 year, 3 months ago
In this question I would go with letter A. Because with this alarm that we created from Cloudwatch logs, we were able to integrate it with an SNS topic. And that in a simpler way. The link you provided: https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/ Apparently it notifies via SNS and also returns the sg port to the way it was before the rule was removed. But the question focused on just notifying, and not that if any change in the sg occurs, return the port.
upvoted 2 times
...
Arad
1 year, 5 months ago
Selected Answer: D
D is correct answer.
upvoted 2 times
...
demoras
1 year, 10 months ago
Selected Answer: D
D- Internet gateway is a valid source
upvoted 2 times
...
ITgeek
2 years ago
Selected Answer: D
D is correct
upvoted 2 times
...
ohcan
2 years ago
Selected Answer: D
D correct. A or B are missing the SNS part. C wrong source
upvoted 4 times
MarcosSantos
1 year, 3 months ago
By creating the Clouwatch alarm, we can integrate it with an sns topic
upvoted 1 times
...
...
TicDcNess
2 years ago
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html Example section at the end metric filter and alarm for a flow log should be A
upvoted 2 times
...
ILOVEVODKA
2 years ago
https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/ D - for sure
upvoted 5 times
...
fojta
2 years ago
Selected Answer: C
By using a security group as the source for the Reachability Analyzer path, you can ensure that traffic originating from any IP address within that security group is able to reach the application on the specified port. This allows you to test connectivity from multiple potential sources, rather than just a single IP address.
upvoted 2 times
[Removed]
1 year, 9 months ago
Security group is a valid source for VPC Reachability Analyzer path. You can use Reachability Analyzer to determine whether a destination resource in your virtual private cloud (VPC) is reachable from a source resource. When the destination is not reachable, Reachability Analyzer identifies the blocking component. Paths can be blocked by configuration issues in a security group, network ACL, route table, or load balancer https://docs.aws.amazon.com/vpc/latest/reachability/what-is-reachability-analyzer.html
upvoted 1 times
...
...
Jotoval
2 years ago
should be D, c is not possible the sources are Instances Internet gateways Network interfaces Transit gateways Transit gateway attachments VPC endpoint services VPC endpoints VPC peering connections VPN gateways
upvoted 5 times
...
ILOVEVODKA
2 years ago
https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/
upvoted 1 times
...
study_aws1
2 years ago
It should be option D) The question requires - "automate a way to verify the network connectivity between the public internet and the EC2 instances", not just on failed connections. By implementing automated reachability assessment using Reachability Analyzer, application issues due to connectivity problems are detected quickly. Below post demonstrates an automated method to verify network connectivity between VPC elements after an infrastructure change is made, and alert administrators in the event reachability has been affected. https://aws.amazon.com/blogs/networking-and-content-delivery/automating-connectivity-assessments-with-vpc-reachability-analyzer/ Application load Balancer is supported as intermediary path in the reachability analyzer It is option D)
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago