Domain 1.1: Network Connectivity

An enterprise has 50 VPCs across two AWS Regions. They need to establish transitive routing between all VPCs and their on-premises data center via a single AWS Direct Connect connection. Which architecture provides the MOST scalable solution?

A company requires a hybrid network architecture. They have a 10 Gbps AWS Direct Connect connection. For compliance reasons, all traffic over the Direct Connect connection must be encrypted at the MAC level. How can this be achieved?

An architect is designing a secure VPC architecture. The VPC contains private subnets with EC2 instances that need to download software patches from Amazon S3 and access Amazon DynamoDB. The instances must NOT have internet access. Which TWO solutions provide the MOST secure and cost-effective connectivity? (Select TWO)

An architect is designing a hybrid cloud network. The on-premises data center has a 1 Gbps AWS Direct Connect connection. The architect needs to ensure high availability. If the Direct Connect connection fails, traffic must automatically failover to a backup connection. Which THREE options provide a valid backup strategy? (Select THREE)

An enterprise is designing a multi-account strategy using AWS Control Tower. They need to implement centralized egress to the internet for all member accounts to inspect traffic using a third-party firewall appliance. Which THREE architectural components are required? (Select THREE)

An enterprise is designing a hybrid DNS resolution strategy. They have an on-premises data center connected to AWS via Direct Connect. They need on-premises servers to resolve DNS names of AWS resources (like RDS endpoints), and AWS EC2 instances to resolve on-premises hostnames. Which THREE components are required to build this architecture? (Select THREE)

An organization is migrating their on-premises data center to AWS. They have a strict requirement that all data in transit between their on-premises network and AWS must be encrypted. They are provisioning a 10 Gbps AWS Direct Connect connection. Which THREE options can satisfy the encryption-in-transit requirement? (Select THREE)

An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, private connection with consistent network performance. Which AWS service should they use?

A global financial institution is migrating its core banking application to AWS. The application requires strict network isolation, centralized egress inspection, and the ability to route traffic between 100+ VPCs across two AWS Regions. What is the MOST scalable architecture?

A company has a hybrid architecture with a 10 Gbps AWS Direct Connect connection. They need to encrypt all traffic in transit over the Direct Connect link between their on-premises routers and AWS. Which solution meets this requirement with the LEAST operational overhead?

A company is designing a hybrid network architecture. They have two on-premises data centers and three AWS Regions. They want to use AWS Direct Connect. They need to ensure that traffic between the two on-premises data centers can route through the AWS network backbone. Which TWO actions must the architect take to enable this? (Select TWO)

An enterprise is implementing a centralized egress architecture using AWS Network Firewall. They have a Transit Gateway connecting multiple spoke VPCs to a central Security VPC. Which TWO routing configurations are required to ensure all internet-bound traffic from spoke VPCs is inspected by the Network Firewall? (Select TWO)

An architecture requires connecting a VPC to an on-premises data center via AWS VPN. The on-premises firewall only supports policy-based VPNs. Which TWO limitations must the architect consider? (Select TWO)

An architect is designing a hybrid cloud architecture. On-premises applications need to resolve DNS names of AWS resources hosted in Amazon Route 53 Private Hosted Zones. Conversely, AWS resources need to resolve on-premises DNS names. Which service should the architect use?

An enterprise has 100 VPCs across 5 AWS Regions. They need to establish a highly available, transitive network architecture connecting all VPCs and three on-premises data centers. Which solution provides the MOST scalable architecture with the lowest operational overhead?

A global enterprise requires a dedicated, private connection between their on-premises data center and AWS. They need 10 Gbps bandwidth and MACsec encryption. Which solution meets these requirements?

An enterprise uses AWS Transit Gateway to connect 50 VPCs. They want to inspect all internet-bound traffic from these VPCs using third-party firewall appliances. What is the MOST scalable architecture?

A company has a multi-account structure in AWS Organizations. They want to share a central AWS Transit Gateway with all accounts in a specific Organizational Unit (OU). What is the MOST efficient way to achieve this?

A company is designing a hybrid network architecture. They have two on-premises data centers and three AWS Regions. They need to ensure highly available connectivity. If one Direct Connect connection fails, traffic must automatically route through a backup connection. Which TWO actions should the architect take? (Select TWO)

An enterprise wants to establish a dedicated, private connection to AWS. They require high availability and encryption in transit. Which THREE components are required to build a highly available, encrypted hybrid network? (Select THREE)

A global enterprise is redesigning its network architecture across 50 AWS accounts. They require transitive routing between all VPCs and three on-premises data centers. The solution must support up to 10 Gbps of encrypted traffic per data center, minimize operational overhead, and ensure that traffic between VPCs in the same region does not traverse the internet. Which architecture meets these requirements MOST cost-effectively?

A company is designing a hybrid network architecture. They have two on-premises data centers and three AWS Regions. They need to ensure that if any single Direct Connect connection fails, traffic automatically reroutes to the other data center's connection. They also want to use the AWS network backbone to route traffic between the two on-premises data centers. Which combination of steps will achieve this? (Select TWO)

A global media company is designing a new content delivery architecture. They have users worldwide uploading large video files (up to 50 GB) to an S3 bucket in the us-east-1 region. Users are complaining about slow upload speeds. The company also streams these videos globally and wants to minimize latency for viewers. Which combination of solutions will address these issues? (Select TWO)

An enterprise is migrating a legacy monolithic application to AWS. The application hardcodes IP addresses for its database connections. The database is being migrated to Amazon RDS. The enterprise cannot change the application code immediately, but needs to complete the migration. How can the Solutions Architect route the hardcoded IP traffic to the new RDS instance?

A global enterprise uses AWS Transit Gateway to connect 100 VPCs across two AWS Regions (us-east-1 and eu-west-1). They want to inspect all traffic flowing between the VPCs, as well as traffic going to the internet, using a centralized fleet of third-party firewall appliances. The architecture must be highly available and automatically scale. Which combination of services and configurations should be used? (Select THREE)

An enterprise is building a centralized network egress architecture. All internet-bound traffic from 50 VPCs must be routed through a central Egress VPC. The Egress VPC contains a NAT Gateway. The company wants to ensure that if the NAT Gateway in one Availability Zone fails, traffic automatically routes to a NAT Gateway in another Availability Zone. How should the Transit Gateway and VPC routing be configured?

A global enterprise is redesigning its AWS network architecture across 50 AWS accounts and 3 AWS Regions. They currently use VPC peering, which has become unmanageable. The new architecture must support transitive routing, centralized outbound internet access, and dedicated hybrid connectivity to two on-premises data centers via AWS Direct Connect. Which solution meets these requirements with the LEAST operational overhead?

An architecture team is designing a hybrid network. They have two on-premises data centers and three AWS Regions. They need encrypted, high-throughput connectivity between all on-premises locations and all AWS Regions. The solution must support dynamic routing and minimize the number of point-to-point VPN connections to manage. Which architecture is BEST?

A security architect is reviewing an AWS environment. Applications in VPC A need to access a third-party SaaS service hosted in VPC B (owned by a different AWS account). The SaaS provider requires that traffic must not traverse the public internet. The SaaS service must be highly available, and the consumer (VPC A) must not have access to any other resources in VPC B. Which solution is the MOST secure and scalable?

A company has a hybrid architecture with an AWS Direct Connect connection between their on-premises data center and a VPC. They are deploying a new application in the VPC that requires access to Amazon S3. The security team mandates that traffic to S3 must not traverse the public internet and must not use the Direct Connect connection to route back through on-premises proxies. How should the Architect configure access to S3?

A company is designing a hybrid DNS architecture. They have an on-premises data center and a multi-account AWS environment connected via AWS Direct Connect. On-premises servers need to resolve AWS private hosted zones (e.g., database.internal). AWS resources need to resolve on-premises hostnames (e.g., mainframe.corp.local). The solution must be highly available and centrally managed. Which combination of steps should the Architect take? (Select THREE)

A company has a multi-account environment managed by AWS Control Tower. They want to implement a centralized egress architecture. All outbound internet traffic from the private subnets of 50 member accounts must be routed through a central 'Network' account. The Network account will inspect the traffic using AWS Network Firewall before allowing it to the internet. Which architecture provides the MOST scalable solution?

A global enterprise requires highly available hybrid connectivity between its on-premises data centers in New York and London to AWS VPCs in us-east-1 and eu-west-2. The solution must provide line-rate encryption and protect against a single AWS Direct Connect location failure. Which architecture meets these requirements with the LEAST operational overhead?

An organization has 50 VPCs across two AWS Regions connected via Transit Gateways (TGW). The TGWs are peered. The security team mandates that all inter-VPC traffic must be inspected by a centralized fleet of third-party firewall appliances. How should the architect design this network?

A company uses AWS Organizations. The network team wants to share a central Transit Gateway (TGW) with all AWS accounts in the organization. They want new accounts to automatically have access to the TGW without manual intervention. What is the MOST efficient solution?

An enterprise has on-premises data centers in the US and Europe. They want to use the AWS global network to route traffic between these two on-premises locations. They have Direct Connect connections in both regions. Which feature should they enable?

A company requires that all API calls to Amazon S3 from their VPC must not traverse the public internet. Furthermore, access to S3 must be restricted to only a specific S3 bucket owned by the company. How should the architect implement this?

A global enterprise is designing a multi-region network architecture connecting 50 AWS accounts across 3 AWS Regions and 4 on-premises data centers. The company requires transitive routing between all VPCs and on-premises networks. Traffic between AWS Regions must be encrypted and traverse the AWS global network. The solution must minimize operational overhead and support up to 50 Gbps of bandwidth per region. Which architecture meets these requirements MOST cost-effectively?

A company is migrating its hybrid network to AWS. They have two 10 Gbps AWS Direct Connect connections in a Link Aggregation Group (LAG). They need to ensure that traffic between their on-premises data center and their Amazon VPCs is encrypted in transit. The solution must support at least 5 Gbps of encrypted throughput. Which combination of steps should the Solutions Architect take? (Select TWO)

A company requires a hybrid DNS resolution strategy. On-premises servers must resolve AWS private hosted zones, and Amazon EC2 instances must resolve on-premises domain names. The company has an AWS Direct Connect connection. Which combination of steps will meet these requirements? (Select TWO)

A company is building a machine learning pipeline. Data scientists need to access sensitive datasets stored in Amazon S3. The security team requires that the data scientists' access to S3 must not traverse the public internet. The data scientists use Amazon SageMaker notebook instances deployed in a private VPC subnet. How should the architect secure the S3 access?

An enterprise is building a centralized network inspection architecture using AWS Transit Gateway. They have a dedicated Inspection VPC containing AWS Network Firewall. They want to ensure that traffic between any two application VPCs is routed through the Inspection VPC. How should the Transit Gateway route tables be configured?

A company wants to securely connect its on-premises data center to an Amazon VPC. They require an encrypted connection over the internet. The connection must support dynamic routing using BGP. Which AWS service should they use?