AWS Certified Advanced Networking – Specialty | 90 Questions & Answers

Free AWS Certified Advanced Networking – Specialty (ANS-C01)

90 Questions & Answers

The AWS Certified Advanced Networking Specialty (ANS-C01) exam is designed for individuals who perform complex networking tasks and have at least five years of hands-on experience architecting and implementing network solutions. This certification validates a candidate’s ability to design, develop, and deploy cloud-based solutions using AWS and advanced networking technologies. It covers topics such as AWS networking architecture, hybrid IT network design, network implementation, and configuration, network security, compliance, and governance, as well as automation and deployment.

Preparing for this exam can be daunting, but with the right resources, it becomes manageable. The “AWS Certified Advanced Networking Specialty (ANS-C01) Past Questions and Answers” is an invaluable study aid for candidates looking to pass the exam. Compiled by experts in the field, this resource includes approximately 90 past questions and detailed answers. Each question is designed to reflect the actual exam format, helping candidates familiarize themselves with the type and style of questions they will encounter.

The questions cover a broad spectrum of the exam topics, ensuring comprehensive preparation. Topics include designing and implementing AWS and hybrid IT network architectures, configuring network integration, automating network management, and ensuring network security and compliance. The answers provided not only give the correct choice but also include explanations and rationales, offering deeper insights into the concepts and reasoning behind each solution. This feature helps in reinforcing the learning and understanding of complex topics.

Using this compilation of past questions and answers allows candidates to identify their strengths and areas needing improvement, making it easier to focus their study efforts effectively. This practice can significantly boost confidence and increase the chances of success on the actual exam. Whether you’re a seasoned network specialist or a newcomer aiming to advance your credentials, this resource is a critical tool in your certification journey.

You must be a registered users to use this 

There are 90 Questions & Answers

0%
0 votes, 0 avg

AWS Certified Advanced Networking Speciality (ANS-C01)

AWS Certified Advanced Networking Specialty (ANS-C01)

Pro AWS Certified Advanced Networking Speciality (ANS-C01) - Complete

Questions will be picked at random from the question bank.

You can use the NEXT button to move to the next question, use the PREV button to move to the previous question, the CLEAR button to clear any answer of your choice and you have the FINISH button to end the exam if you choose to.

Any question not answered before the end of the exam time, will be marked as wrong and the exam will end by itself. So try to attempt all questions on time.

Goodluck!

1 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

1. A company has hundreds of VPCs on AWS. All the VPCs access the public
endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All
the traffic from the VPCs to Amazon S3 and Systems Manager travels through the
NAT gateways. The company's network engineer must centralize access to these
services and must eliminate the need to use public endpoints. Which solution will
meet these requirements with the LEAST operational overhead?

2 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

2. A company is using custom DNS servers that run BIND for name resolution in its
VPCs. The VPCs are deployed across multiple AWS accounts that are part of the
same organization in AWS Organizations. All the VPCs are connected to a transit
gateway. The BIND servers are running in a central VPC and are configured to
forward all queries for an on-premises DNS domain to DNS servers that are
hosted in an on-premises data center. To ensure that all the VPCs use the custom
DNS servers, a network engineer has configured a VPC DHCP options set in all the
VPCs that specifies the custom DNS servers to be used as domain name servers.
Multiple development teams in the company want to use Amazon Elastic File
System (Amazon EFS). A development team has created a new EFS file system but
cannot mount the file system to one of its Amazon EC2 instances. The network
engineer discovers that the EC2 instance cannot resolve the IP address for the EFS
mount point fs-33444567d.efs.us-east-1. Amazonaws.com. The network engineer
needs to implement a solution so that development teams throughout the
organization can mount EFS file systems. Which combination of steps will meet
these requirements? (Choose two.)

3 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

3. An insurance company is planning the migration of workloads from its onpremises data center to the AWS Cloud. The company requires end-to-end
domain name resolution. Bi-directional DNS resolution between AWS and the
existing on-premises environments must be established. The workloads will be
migrated into multiple VPCs. The workloads also have dependencies on each
other, and not all the workloads will be migrated at the same time. Which solution
meets these requirements?

4 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

4. A government contractor is designing a multi-account environment with multiple
VPCs for a customer. A network security policy requires all traffic between any two
VPCs to be transparently inspected by a third-party appliance. The customer wants
a solution that features AWS Transit Gateway. The setup must be highly available
across multiple Availability Zones, and the solution needs to support automated
failover. Furthermore, asymmetric routing is not supported by the inspection
appliances. Which combination of steps is part of a solution that meets these
requirements? (Choose two.)

5 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

5. A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure.
The company is using Route 53 Resolver forwarding rules for authoritative
domains that are hosted on on-premises DNS servers. The company achieves
hybrid network connectivity by using an AWS Site-to-Site VPNconnection. A new
governance policy requires logging for DNS traffic that originates in the AWS
Cloud. The policy also requires the company to query DNS traffic to identify the
source IP address of the resources that the query originated from, along with the
DNS name that was requested. Which solution will meet these requirements?

6 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

6. A company has deployed Amazon EC2 instances in private subnets in a VPC. The
EC2 instances must initiate any requests that leave the VPC, including requests to
the company's on-premises data center over an AWS Direct Connect connection.
No resources outside the VPC can be allowed to open communications directly to
the EC2 instances. The on-premises data center's customer gateway is configured
with a stateful firewall device that filters for incoming and outgoing requests to
and from multiple VPCs. In addition, the company wants to use a single IP match
rule to allow all the communications from the EC2 instances to its data center
from a single IP address. Which solution will meet these requirements with the
LEAST amount of operational overhead?

7 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

7. A company is building its website on AWS in a single VPC. The VPC has public
subnets and private subnets in two Availability Zones. The website has static
content such as images. The company is using Amazon S3 to store the content.
The company has deployed a fleet of Amazon EC2 instances as web servers in a
private subnet. The EC2 instances are in an Auto Scaling group behind an
Application Load Balancer. The EC2 instances will serve traffic, and they must pull
content from an S3 bucket to render the webpages. The company is using AWS
Direct Connect with a public VIF for on-premises connectivity to the S3 bucket. A
network engineer notices that traffic between the EC2 instances and Amazon S3 is
routing through a NAT gateway. As traffic increases, the company's costs are
increasing. The network engineer needs to change the connectivity to reduce the
NAT gateway costs that result from the traffic between the EC2 instances and
Amazon S3. Which solution will meet these requirements?

8 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

8. A company is developing an application in which IoT devices will report
measurements to the AWS Cloud. The application will have millions of end users.
The company observes that the IoT devices cannot support DNS resolution. The
company needs to implement an Amazon EC2 Auto Scaling solution so that the
IoT devices can connect to an application endpoint without using DNS. Which
solution will meet these requirements MOST cost-effectively?

9 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

9. A company is deploying an application. The application is implemented in a series
of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The
company will use the Fargate launch type for its tasks. The containers will run
workloads that require connectivity initiated over an SSL connection. Traffic must
be able to flow to the application from other AWS accounts over private
connectivity. The application must scale in a manageable way as more consumers
use the application. Which solution will meet these requirements?

10 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

10. A company uses AWS Direct Connect to connect its corporate network to multiple
VPCs in the same AWS account and the same AWS Region. Each VPC uses its own
private VIF and its own virtual LAN on the Direct Connect connection. The
company has grown and will soon surpass the limit of VPCs and private VIFs for
each connection. What is the MOST scalable way to add VPCs with on-premises
connectivity?

11 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

11. A company hosts a public hosted zone in Amazon Route 53. The company wants
to configure DNS Security Extensions (DNSSEC) signing for the public hosted
zone. All the company's business-critical applications are running in the us-west-2
Region. The company has created a symmetric, customer managed, single-Region
key in us-west-2 by using AWS Key Management Service (AWS KMS). A network
engineer finds that the existing AWS KMS key cannot be used to create a keysigning key (KSK). How can the network engineer resolve this issue?

12 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

12. An Australian ecommerce company hosts all of its services in the AWS Cloud and
wants to expand its customer base to the United States (US). The company is
targeting the western US for the expansion. The company's existing AWS
architecture consists of four AWS accounts with multiple VPCs deployed in the apsoutheast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2.
There are dedicated VPCs for each application service. The company also has VPCs
for centralized security features such as proxies, firewalls, and logging. The
company plans to duplicate the infrastructure from ap-southeast-2 to the us-west1 Region. A network engineer must establish connectivity between the various
applications in the two Regions. The solution must maximize bandwidth, minimize
latency and minimize operational overhead. Which solution will meet these
requirements?

13 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

13. A company has deployed an AWS Network Firewall firewall into a VPC. A network
engineer needs to implement a solution to deliver Network Firewall flow logs to
the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster
in the shortest possible time. Which solution will meet these requirements?

14 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

14. A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming
release of a new application. The application is hosted in a VPC in the AWS Cloud. The company's
current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit
gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site
VPN. The company's on-premises devices have been updated to support the new IPv6
requirements. The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR
block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has
launched new Amazon EC2 instances for the new application in the updated subnets. When
updating the hybrid network to support IPv6 the network engineer must avoid making any changes
to the current infrastructure. The network engineer also must block direct access to the instances'
new IPv6 addresses from the internet. However, the network engineer must allow outbound
internet access from the instances. What is the MOST operationally efficient solution that meets
these requirements?

15 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

15. A company has deployed a critical application on a fleet of Amazon EC2 instances behind an
Application Load Balancer. The application must always be reachable on port 443 from the public
internet. The application recently had an outage that resulted from an incorrect change to the EC2
security group. A network engineer needs to automate a way to verify the network connectivity
between the public internet and the EC2 instances whenever a change is made to the security
group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?

16 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

16. A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent
incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain
access to the instance. The company fixed the application and launched a replacement EC2 instance
that contains the updated application. The attacker used the compromised application to spread
malware over the internet. The company became aware of the compromise through a notification
from AWS. The company needs the ability to identify when an application that is deployed on an
EC2 instance is spreading malware. Which solution will meet this requirement with the LEAST
operational effort?

17 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

17. A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1.
VPC-A is attached to a transit gateway (TGW-A) that is connected to an onpremises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that
is configured for an AWS Direct Connect gateway. The company also has a staging
VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2
Region in Account 2. A network engineer must implement connectivity between
VPC-B and the on-premises data center in Dublin. Which solutions will meet these
requirements? (Choose two.)

18 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

18. A company has hundreds of Amazon EC2 instances that are running in two
production VPCs across all Availability Zones in the us-east-1 Region. The
production VPCs are named VPC A and VPC B. A new security regulation requires
all traffic between production VPCs to be inspected before the traffic is routed to
its final destination. The company deploys a new shared VPC that contains a
stateful firewall appliance and a transit gateway with a VPC attachment across all
VPCs to route traffic between VPC A and VPC B through the firewall appliance for
inspection. During testing, the company notices that the transit gateway is
dropping the traffic whenever the traffic is between two Availability Zones. What
should a network engineer do to fix this issue with the LEAST management
overhead?

19 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

19. A company hosts a web application on Amazon EC2 instances behind an
Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront
distribution. The company wants to implement a custom authentication system
that will provide a token for its authenticated customers. The web application
must ensure that the GET/POST requests come from authenticated customers
before it delivers the content. A network engineer must design a solution that
gives the web application the ability to identify authorized customers. What is the
MOST operationally efficient solution that meets these requirements?

20 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

20. A real estate company is building an internal application so that real estate agents
can upload photos and videos of various properties. The application will store
these photos and videos in an Amazon S3 bucket as objects and will use Amazon
DynamoDB to store corresponding metadata. The S3 bucket will be configured to
publish all PUT events for new object uploads to an Amazon Simple Queue Service
(Amazon SQS) queue. A compute cluster of Amazon EC2 instances will poll the
SQS queue to find out about newly uploaded objects. The cluster will retrieve new
objects, perform proprietary image and video recognition and classification
update metadata in DynamoDB and replace the objects with new watermarked
objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST costeffectively as application usage increases?

21 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

21. A company plans to deploy a two-tier web application to a new VPC in a single
AWS Region. The company has configured the VPC with an internet gateway and
four subnets. Two of the subnets are public and have default routes that point to
the internet gateway. Two of the subnets are private and share a route table that
does not have a default route. The application will run on a set of Amazon EC2
instances that will be deployed behind an external Application Load Balancer. The
EC2 instances must not be directly accessible from the internet. The application
will use an Amazon S3 bucket in the same Region to store data. The application
will invoke S3 GET API operations and S3 PUT API operations from the EC2
instances. A network engineer must design a VPC architecture that minimizes data
transfer cost. Which solution will meet these requirements?

22 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

22. A company is planning to use Amazon S3 to archive financial data. The data is
currently stored in an on-premises data center. The company uses AWS Direct
Connect with a Direct Connect gateway and a transit gateway to connect to the
on-premises data center. The data cannot be transported over the public internet
and must be encrypted in transit. Which solution will meet these requirements?

23 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

23. A company is deploying a new application on AWS. The application uses dynamic
multicasting. The company has five VPCs that are all attached to a transit gateway
Amazon EC2 instances in each VPC need to be able to register dynamically to
receive a multicast transmission. How should a network engineer configure the
AWS resources to meet these requirements?

24 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

24. A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link
aggregation group (LAG) bundle to connect to five VPCs that are deployed in the
us-east-1 Region. Each VPC serves a different business unit and uses its own
private VIF for connectivity to the on-premises environment. Users are reporting
slowness when they access resources that are hosted on AWS. A network engineer
finds that there are sudden increases in throughput and that the Direct Connect
connection becomes saturated at the same time for about an hour each business
day. The company wants to know which business unit is causing the sudden
increase in throughput. The network engineer must find out this information and
implement a solution to resolve the problem. Which solution will meet these
requirements?

25 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

25. A company operates its IT services through a multi-site hybrid infrastructure. The
company deploys resources on AWS in the us-east-1 Region and in the eu-west-2
Region. The company also deploys resources in its own data centers that are
located in the United States (US) and in the United Kingdom (UK). In both AWS
Regions, the company uses a transit gateway to connect 15 VPCs to each other.
The company has created a transit gateway peering connection between the two
transit gateways. The VPC CIDR blocks do not overlap with each other or with IP
addresses used within the data centers. The VPC CIDR prefixes can also be
aggregated either on a Regional level or for the company's entire AWS
environment. The data centers are connected to each other by a private WAN
connection. IP routing information is exchanged dynamically through Interior BGP
(iBGP) sessions. The data centers maintain connectivity to AWS through one AWS
Direct Connect connection in the US and one Direct Connect connection in the UK.
Each Direct Connect connection is terminated on a Direct Connect gateway and is
associated with a local transit gateway through a transit VIF. Traffic follows the
shortest geographical path from source to destination. For example, packets from
the UK data center that are targeted to resources in eu-west-2 travel across the
local Direct Connect connection. In cases of cross-Region data transfers, such as
from the UK data center to VPCs in us-east-1, the private WAN connection must
be used to minimize costs on AWS. A network engineer has configured each
transit gateway association on the Direct Connect gateway to advertise VPCspecific CIDR IP prefixes only from the local Region. The routes toward the other
Region must be learned through BGP from the routers in the other data center in
the original, non-aggregated form. The company recently experienced a problem
with cross-Region data transfers because of issues with its private WAN
connection. The network engineer needs to modify the routing setup to prevent
similar interruptions in the future. The solution cannot modify the original traffic
routing goal when the network is operating normally. Which modifications will
meet these requirements? (Choose two.)

26 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

26. A network engineer must develop an AWS CloudFormation template that can
create a virtual private gateway, a customer gateway, a VPN connection, and static
routes in a route table. During testing of the template, the network engineer notes
that the CloudFormation template has encountered an error and is rolling back.
What should the network engineer do to resolve the error?

27 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

27. A company is using a NAT gateway to allow internet connectivity for private
subnets in a VPC in the us-west-2 Region. After a security audit, the company
needs to remove the NAT gateway. In the private subnets, the company has
resources that use the unified Amazon CloudWatch agent. A network engineer
must create a solution to ensure that the unified CloudWatch agent continues to
work after the removal of the NAT gateway. Which combination of steps should
the network engineer take to meet these requirements? (Choose three.)

28 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

28. A company wants to improve visibility into its AWS environment. The AWS
environment consists of multiple VPCs that are connected to a transit gateway.
The transit gateway connects to an on-premises data center through an AWS
Direct Connect gateway and a pair of redundant Direct Connect connections that
use transit VIFs. The company must receive notification each time a new route is
advertised to AWS from on premises over Direct Connect. What should a network
engineer do to meet these requirements?

29 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

29. A global company operates all its non-production environments out of three AWS
Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its
production workloads in two on-premises data centers. The company has 60 AWS
accounts and each account has two VPCs in each Region. Each VPC has a virtual
private gateway where two VPN connections terminate for resilient connectivity to
the data centers. The company has 360 VPN tunnels to each data center, resulting
in high management overhead. The total VPN throughput for each Region is 500
Mbps. The company wants to migrate the production environments to AWS. The
company needs a solution that will simplify the network architecture and allow for
future growth. The production environments will generate an additional 2 Gbps of
traffic per Region back to the data centers. This traffic will increase over time.
Which solution will meet these requirements?

30 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

30. A company has created three VPCs: a production VPC, a nonproduction VPC, and
a shared services VPC. The production VPC and the nonproduction VPC must each
have communication with the shared services VPC. There must be no
communication between the production VPC and the nonproduction VPC. A
transit gateway is deployed to facilitate communication between VPCs. Which
route table configurations on the transit gateway will meet these requirements?

31 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

31. A network engineer is designing the architecture for a healthcare company's
workload that is moving to the AWS Cloud. All data to and from the on-premises
environment must be encrypted in transit. All traffic also must be inspected in the
cloud before the traffic is allowed to leave the cloud and travel to the on-premises
environment or to the internet. The company will expose components of the
workload to the internet so that patients can reserve appointments. The
architecture must secure these components and protect them against DDoS
attacks. The architecture also must provide protection against financial liability for
services that scale out during a DDoS event. Which combination of steps should
the network engineer take to meet all these requirements for the workload?
(Choose three.)

32 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

32. An international company provides early warning about tsunamis. The company
plans to use IoT devices to monitor sea waves around the world. The data that is
collected by the IoT devices must reach the company's infrastructure on AWS as
quickly as possible. The company is using three operation centers around the
world. Each operation center is connected to AWS through Its own AWS Direct
Connect connection. Each operation center is connected to the internet through at
least two upstream internet service providers. The company has its own providerindependent (PI) address space. The IoT devices use TCP protocols for reliable
transmission of the data they collect. The IoT devices have both landline and
mobile internet connectivity. The infrastructure and the solution will be deployed
in multiple AWS Regions. The company will use Amazon Route 53 for DNS
services. A network engineer needs to design connectivity between the IoT devices
and the services that run in the AWS Cloud. Which solution will meet these
requirements with the HIGHEST availability?

33 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

33. A gaming company is planning to launch a globally available game that is hosted
in one AWS Region. The game backend is hosted on Amazon EC2 instances that
are part of an Auto Scaling group. The game uses the gRPC protocol for
bidirectional streaming between game clients and the backend. The company
needs to filter incoming traffic based on the source IP address to protect the
game. Which solution will meet these requirements?

34 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

34. A data analytics company has a 100-node high performance computing (HPC)
cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in
the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to
perform several DNS queries to resolve and connect to Amazon RDS databases,
Amazon S3 buckets, and on-premises data stores that are accessible through AWS
Direct Connect. The HPC cluster can increase in size by five to seven times during
the company's peak event at the end of the year. The company is using two
Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are
configured to forward queries to the default VPC resolver for Amazon Route 53
hosted domains and to the on-premises DNS servers for other on-premises
hosted domain names. The company notices job failures and finds that DNS
queries from the HPC cluster nodes failed when the nodes tried to resolve RDS
and S3 bucket endpoints. Which architectural change should a network engineer
implement to provide the DNS service in the MOST scalable way?

35 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

35. A company manages resources across VPCs in multiple AWS Regions. The
company needs to connect to the resources by using its internal domain name. A
network engineer needs to apply the aws.example.com DNS suffix to all resources.
What must the network engineer do to meet this requirement?

36 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

36. An ecommerce company is hosting a web application on Amazon EC2 instances to
handle continuously changing customer demand. The EC2 instances are part of an
Auto Scaling group. The company wants to implement a solution to distribute
traffic from customers to the EC2 instances. The company must encrypt all traffic
at all stages between the customers and the application servers. No decryption at
intermediate points is allowed. Which solution will meet these requirements?

37 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

37. A company has multiple VPCs in the us-east-1 Region. The company has deployed
a website in one of the VPCs. The company wants to implement split-view DNS so
that the website is accessible internally from the VPCs and externally over the
internet with the same domain name, example.com. Which solution will meet
these requirements?

38 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

38. A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS
Direct Connect connection between the company's data center and two AWS
Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a
transit gateway and need to access several on-premises databases. According to
company policy, only one VPC in eu-west-1 can be connected to one on-premises
server. The on-premises network segments the traffic between the databases and
the server. How should the network engineer set up the Direct Connect
connection to meet these requirements?

39 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

39. An ecommerce company has a business-critical application that runs on Amazon
EC2 instances in a VPC. The company's development team has been testing a new
version of the application on test EC2 instances. The development team wants to
test the new application version against production traffic to address any
problems that might occur before the company releases the new version across all
servers. Which solution will meet this requirement with no impact on the end
user's experience?

40 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

40. A company uses a hybrid architecture and has an AWS Direct Connect connection
between its on-premises data center and AWS. The company has production
applications that run in the on-premises data center. The company also has
production applications that run in a VPC. The applications that run in the onpremises data center need to communicate with the applications that run in the
VPC. The company is using corp.example.com as the domain name for the onpremises resources and is using an Amazon Route 53 private hosted zone for
aws.example.com to host the VPC resources. The company is using an opensource recursive DNS resolver in a VPC subnet and is using a DNS resolver in the
on-premises data center. The company's on-premises DNS resolver has a
forwarder that directs requests for the aws.example.com domain name to the DNS
resolver in the VPC. The DNS resolver in the VPC has a forwarder that directs
requests for the corp.example.com domain name to the DNS resolver in the onpremises data center. The company has deckled to replace the open-source
recursive DNS resolver with Amazon Route 53 Resolver endpoints. Which
combination of steps should a network engineer take to make this replacement?
(Choose three.)

41 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

41. A company has a hybrid cloud environment. The company's data center is
connected to the AWS Cloud by an AWS Direct Connect connection. The AWS
environment includes VPCs that are connected together in a hub-and-spoke
model by a transit gateway. The AWS environment has a transit VIF with a Direct
Connect gateway for on-premises connectivity. The company has a hybrid DNS
model. The company has configured Amazon Route 53 Resolver endpoints in the
hub VPC to allow bidirectional DNS traffic flow. The company is running a backend
application in one of the VPCs. The company uses a message-oriented
architecture and employs Amazon Simple Queue Service (Amazon SQS) to receive
messages from other applications over a private network. A network engineer
wants to use an interface VPC endpoint for Amazon SQS for this architecture.
Client services must be able to access the endpoint service from on premises and
from multiple VPCs within the company's AWS infrastructure. Which combination
of steps should the network engineer take to ensure that the client applications
can resolve DNS for the interface endpoint? (Choose three.)

42 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

42. A company collects a high volume of shipping data and stores the data in an onpremises data center. A network engineer wants to use Amazon S3 to store the
data during the first phase of a migration to AWS. During this phase, an
application that resides in the data center will need to access the data privately in
an S3 bucket that the company created. The company has set up an AWS Direct
Connect connection with a private VIF to connect theon-premises data center to a
VPC. The network engineer plans to use this Direct Connect connection forthe
hybrid cloud setup. The solution must be highly available. What should the
network engineer do next to implement this architecture?

43 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

43. A company has deployed an application in a VPC that uses a NAT gateway for
outbound traffic to the internet. A network engineer notices a large quantity of
suspicious network traffic that is traveling from the VPC over the internet to IP
addresses that are included on a deny list. The network engineer must implement
a solution to determine which AWS resources are generating the suspicious traffic.
The solution must minimize cost and administrative overhead. Which solution will
meet these requirements?

44 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

44. A company has expanded its network to the AWS Cloud by using a hybrid
architecture with multiple AWS accounts. The company has set up a shared AWS
account for the connection to its on-premises data centers and the company
offices. The workloads consist of private web-based services for internal use. These
services run in different AWS accounts. Office-based employees consume these
services by using a DNS name in an on-premises DNS zone that is named
example.internal. The process to register a new service that runs on AWS requires
a manual and complicated change request to the internal DNS. The process
involves many teams. The company wants to update the DNS registration process
by giving the service creators access that will allow them to register their DNS
records. A network engineer must design a solution that will achieve this goal. The
solution must maximize cost-effectiveness and must require the least possible
number of configuration changes. Which combination of steps should the network
engineer take to meet these requirements? (Choose three.)

45 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

45. A banking company is successfully operating its public mobile banking stack on
AWS. The mobile banking stack is deployed in a VPC that includes private subnets
and public subnets. The company is using IPv4 networking and has not deployed
or supported IPv6 in the environment. The company has decided to adopt a thirdparty service provider's API and must integrate the API with the existing
environment. The service provider's API requires the use of IPv6. A network
engineer must turn on IPv6 connectivity for the existing workload that is deployed
in a private subnet. The company does not want to permit IPv6 traffic from the
public internet and mandates that the company's servers must initiate all IPv6
connectivity. The network engineer turns on IPv6 in the VPC and in the private
subnets. Which solution will meet these requirements?

46 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

46. A network engineer has deployed an Amazon EC2 instance in a private subnet in a
VPC. The VPC has no public subnet. The EC2 instance hosts application code that
sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The
subnet has the default network ACL with no modification applied. The EC2
instance has the default security group with no modification applied. The SQS
queue is not receiving messages. Which of the following are possible causes of
this problem? (Choose two.)

47 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

47. A company is planning a migration of its critical workloads from an on-premises
data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS
Direct Connect dedicated connection from the on-premises data center to a VPC
that is attached to a transit gateway. The migration must occur over encrypted
paths between the on-premises data center and the AWS Cloud. Which solution
will meet these requirements while providing the HIGHEST throughput?

48 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

48. A company has stateful security appliances that are deployed to multiple
Availability Zones in a centralized shared services VPC. The AWS environment
includes a transit gateway that is attached to application VPCs and the shared
services VPC. The application VPCs have workloads that are deployed in private
subnets across multiple Availability Zones. The stateful appliances in the shared
services VPC inspect all east west (VPC-to-VPC) traffic. Users report that inter-VPC
traffic to different Availability Zones is dropping. A network engineer verified this
claim by issuing Internet Control Message Protocol (ICMP) pings between
workloads in different Availability Zones across the application VPCs. The network
engineer has ruled out security groups, stateful device configurations and network
ACLs as the cause of the dropped traffic. What is causing the traffic to drop?

49 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

49. A retail company is running its service on AWS. The company's architecture
includes Application Load Balancers (ALBs) in public subnets. The ALB target
groups are configured to send traffic to backend Amazon EC2 instances in private
subnets. These backend EC2 instances can call externally hosted services over the
internet by using a NAT gateway. The company has noticed in its billing that NAT
gateway usage has increased significantly. A network engineer needs to find out
the source of this increased usage. Which options can the network engineer use to
investigate the traffic through the NAT gateway? (Choose two.)

50 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

50. A company is planning to deploy many software-defined WAN (SD-WAN) sites.
The company is using AWS Transit Gateway and has deployed a transit gateway in
the required AWS Region. A network engineer needs to deploy the SD-WAN hub
virtual appliance into a VPC that is connected to the transit gateway. The solution
must support at least 5 Gbps of throughput from the SD-WAN hub virtual
appliance to other VPCs that are attached to the transit gateway. Which solution
will meet these requirements?

51 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

51. An IoT company sells hardware sensor modules that periodically send out
temperature, humidity, pressure, and location data through the MQTT messaging
protocol. The hardware sensor modules send this data to the company's onpremises MQTT brokers that run on Linux servers behind a load balancer. The
hardware sensor modules have been hardcoded with public IP addresses to reach
the brokers. The company is growing and is acquiring customers across the world.
The existing solution can no longer scale and is introducing additional latency
because of the company's global presence. As a result, the company decides to
migrate its entire infrastructure from on premises to the AWS Cloud. The company
needs to migrate without reconfiguring the hardware sensor modules that are
already deployed across the world. The solution also must minimize latency. The
company migrates the MQTT brokers to run on Amazon EC2 instances. What
should the company do next to meet these requirements?

52 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

52. A company is using an AWS Site-to-Site VPN connection from the company's onpremises data center to a virtual private gateway in the AWS Cloud Because of
congestion, the company is experiencing availability and performance issues as
traffic travels across the internet before the traffic reaches AWS. A network
engineer must reduce these issues for the connection as quickly as possible with
minimum administration effort. Which solution will meet these requirements?

53 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

53. A company is creating new features for its ecommerce website. These features will
use several microservices that are accessed through different paths. The
microservices will run on Amazon Elastic Container Service (Amazon ECS). The
company requires the use of HTTPS for all of its public websites. The application
requires the customer's source IP addresses. A network engineer must implement
a load balancing strategy that meets these requirements. Which combination of
actions should the network engineer take to accomplish this goal? (Choose two.)

54 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

54. A company has two AWS accounts one for Production and one for Connectivity. A
network engineer needs to connect the Production account VPC to a transit
gateway in the Connectivity account. The feature to auto accept shared
attachments is not enabled on the transit gateway. Which set of steps should the
network engineer follow in each AWS account to meet these requirements?

55 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

55. A global delivery company is modernizing its fleet management system. The
company has several business units. Each business unit designs and maintains
applications that are hosted in its own AWS account in separate application VPCs
in the same AWS Region. Each business unit's applications are designed to get
data from a central shared services VPC. The company wants the network
connectivity architecture to provide granular security controls. The architecture
also must be able to scale as more business units consume data from the central
shared services VPC in the future. Which solution will meet these requirements in
the MOST secure manner?

56 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

56. A security team is performing an audit of a company's AWS deployment. The security team is
concerned that two applications might be accessing resources that should be blocked by network
ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes
Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin
for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster
Autoscaler configured. The security team needs to determine which POD IP addresses are
communicating with which services throughout the VPC. The security team wants to limit the
number of flow logs and wants to examine the traffic from only the two applications. Which
solution will meet these requirements with the LEAST operational overhead?

57 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

57. A company has multiple AWS accounts. Each account contains one or more VPCs.
A new security guideline requires the inspection of all traffic between VPCs. The
company has deployed a transit gateway that provides connectivity between all
VPCs. The company also has deployed a shared services VPC with Amazon EC2
instances that include IDS services for stateful inspection. The EC2 instances are
deployed across three Availability Zones. The company has set up VPC
associations and routing on the transit gateway. The company has migrated a few
test VPCs to the new solution for traffic inspection. Soon after the configuration of
routing, the company receives reports of intermittent connections for traffic that
crosses Availability Zones. What should a network engineer do to resolve this
issue?

58 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

58. A development team is building a new web application in the AWS Cloud. The
main company domain, example.com, is currently hosted in an Amazon Route 53
public hosted zone in one of the company's production AWS accounts. The
developers want to test the web application in the company's staging AWS
account by using publicly resolvable subdomains under the example.com domain
with the ability to create and delete DNS records as needed. Developers have full
access to Route 53 hosted zones within the staging account, but they are
prohibited from accessing resources in any of the production AWS accounts.
Which combination of steps should a network engineer take to allow the
developers to create records under the example com domain? (Choose two.)

59 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

59. A company has two on-premises data center locations. There is a companymanaged router at each data center. Each data center has a dedicated AWS Direct
Connect connection to a Direct Connect gateway through a private virtual
interface. The router for the first location is advertising 110 routes to the Direct
Connect gateway by using BGP, and the router for the second location is
advertising 60 routes to the Direct Connect gateway by using BGP. The Direct
Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable
from various locations in either data center. The network engineer checks the VPC
route table and sees that the routes from the first data center location are not
being populated into the route table. The network engineer must resolve this issue
in the most operationally efficient manner. What should the network engineer do
to meet these requirements?

60 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

60. A company has deployed a web application on AWS. The web application uses an
Application Load Balancer (ALB) across multiple Availability Zones. The targets of
the ALB are AWS Lambda functions. The web application also uses Amazon
CloudWatch metrics for monitoring. Users report that parts of the web application
are not loading properly. A network engineer needs to troubleshoot the problem.
The network engineer enables access logging for the ALB. What should the
network engineer do next to determine which errors the ALB is receiving?

61 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

61. A company's network engineer needs to design a new solution to help
troubleshoot and detect network anomalies. The network engineer has configured
Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2
instance that is the traffic mirror target. The EC2 instance hosts tools that the
company's security team uses to analyze the traffic. The network engineer needs
to design a highly available solution that can scale to meet the demand of the
mirrored traffic. Which solution will meet these requirements?

62 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

62. A company hosts an application on Amazon EC2 instances behind an Application
Load Balancer (ALB). The company recently experienced a network security breach.
A network engineer must collect and analyze logs that include the client IP
address, target IP address, target port, and user agent of each user that accesses
the application. What is the MOST operationally efficient solution that meets these
requirements?

63 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

63. A media company is implementing a news website for a global audience. The
website uses Amazon CloudFront as its content delivery network. The backend
runs on Amazon EC2 Windows instances behind an Application Load Balancer
(ALB). The instances are part of an Auto Scaling group. The company's customers
access the website by using service example com as the CloudFront custom
domain name. The CloudFront origin points to an ALB that uses servicealb.example.com as the domain name. The company's security policy requires the
traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security
requirement? (Choose three.)

64 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

64. A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2
instances within a VPC in the AWS Cloud. All of the provider's customers also have
their environments in the AWS Cloud. A recent design meeting revealed that the
customers have IP address overlap with the provider's AWS deployment. The
customers have stated that they will not share their internal IP addresses and that
they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements?
(Choose two.)

65 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

65. A company is deploying a new application in the AWS Cloud. The company wants
a highly available web server that will sit behind an Elastic Load Balancer. The load
balancer will route requests to multiple target groups based on the URL in the
request. All traffic must use HTTPS. TLS processing must be offloaded to the load
balancer. The web server must know the user's IP address so that the company can
keep accurate logs for security purposes. Which solution will meet these
requirements?

66 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

66. A company has deployed a new web application on Amazon EC2 instances behind
an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto
Scaling group. Enterprise customers from around the world will use the
application. Employees of these enterprise customers will connect to the
application over HTTPS from office locations. The company must configure
firewalls to allow outbound traffic to only approved IP addresses. The employees
of the enterprise customers must be able to access the application with the least
amount of latency. Which change should a network engineer make in the
infrastructure to meet these requirements?

67 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

67. A company is migrating many applications from two on-premises data centers to
AWS. The company's network team is setting up connectivity to the AWS
environment. The migration will involve spreading the applications across two
AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct
Connect connections at two different locations. Direct Connect connection 1 is to
the first data center and is at a location in us-east-1. Direct Connect connection 2
is to the second data center and is at a location in us-west-2. The company has
connected both Direct Connect connections to a single Direct Connect gateway by
using transit VIFs. The Direct Connect gateway is associated with transit gateways
that are deployed in each Region. All traffic to and from AWS must travel through
the first data center. In the event of failure, the second data center must take over
the traffic. How should the network team configure BGP to meet these
requirements?

68 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

68. A company's network engineer is designing a hybrid DNS solution for an AWS
Cloud workload. Individual teams want to manage their own DNS hostnames for
their applications in their development environment. The solution must integrate
the application-specific hostnames with the centrally managed DNS hostnames
from the on-premises network and must provide bidirectional name resolution.
The solution also must minimize management overhead. Which combination of
steps should the network engineer take to meet these requirements? (Choose
three.)

69 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

69. A company is migrating an existing application to a new AWS account. The
company will deploy the application in a single AWS Region by using one VPC and
multiple Availability Zones. The application will run on Amazon EC2 instances. Each
Availability Zone will have several EC2 instances. The EC2 instances will be
deployed in private subnets. The company's clients will connect to the application
by using a web browser with the HTTPS protocol. Inbound connections must be
distributed across the Availability Zones and EC2 instances. All connections from
the same client session must be connected to the same EC2 instance. The
company must provide end-to-end encryption for all connections between the
clients and the application by using the application SSL certificate. Which solution
will meet these requirements?

70 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

70. A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all
domains except domains that are on an approved list. The company is concerned
that if DNS Firewall is unresponsive, resources in the VPC might be affected if the
network cannot resolve any DNS queries. To maintain application service level
agreements, the company needs DNS queries to continue to resolve even if Route
53 Resolver does not receive a response from DNS Firewall. Which change should
a network engineer implement to meet these requirements?

71 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

71. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS
service. Specify the NLB in the service definition. Create a VPC endpoint service
for the NLB. Share the VPC endpoint service with other AWS accounts.

72 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

72. A company has deployed a software-defined WAN (SD-WAN) solution to
interconnect all of its offices. The company is migrating workloads to AWS and
needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SDWAN virtual appliances to provide this connectivity. According to company
policies, only a single SD-WAN virtual appliance can handle traffic from AWS
workloads at a given time. How should the network engineer configure routing to
meet these requirements?

73 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

73. A company is designing infrastructure on AWS with three VPCs connected to a
transit gateway. Thethree VPCs are an application VPC, a backend VPC, and an
inspection VPC. The application VPC and the backend VPC have compute
instances deployed in Availability Zone A and Availability Zone B. Stateful firewalls
are deployed in the same Availability Zones in the inspection VPC, which is a
shared servicesVPC. All traffic is routed through the inspection VPC through the
stateful layer 7 virtual firewall appliances to comply with a security policy that
mandates traffic inspection. There are no overlapping IP addresses across the
three VPCs. A network engineer must ensure that traffic between the application
VPC and the backend VPC can route through the inspection VPC's stateful
firewalls. Which solution will meet these requirements?

74 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

74. A company's network engineer builds and tests network designs for VPCs in a
development account. The company needs to monitor the changes that are made
to network resources and must ensure strict compliance with network security
policies. The company also needs access to the historical configurations of
network resources. Which solution will meet these requirements

75 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

75. A company delivers applications over the internet. An Amazon Route 53 public
hosted zone is the authoritative DNS service for the company and its internet
applications, all of which are offered from the same domain name. A network
engineer is working on a new version of one of the applications. All the
application's components are hosted in the AWS Cloud. The application has a
three-tier design. The front end is delivered through Amazon EC2 instances that
are deployed in public subnets with Elastic IP addresses assigned. The backend
components are deployed in private subnets from RFC1918. Components of the
application need to be able to access other components of the application within
the application's VPC by using the same host names as the host names that are
used over the public internet. The network engineer also needs to accommodate
future DNS changes, such as the introduction of new host names or the retirement
of DNS entries. Which combination of steps will meet these requirements?
(Choose three.)

76 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

76. A company is hosting an application on Amazon EC2 instances behind a Network
Load Balancer (NLB). A solutions architect added EC2 instances in a second
Availability Zone to improve the availability of the application. The solutions
architect added the instances to the NLB target group. The company's operations
team notices that traffic is being routed only to the instances in the first
Availability Zone. What is the MOST operationally efficient solution to resolve this
issue?

77 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

77. A network engineer must provide additional safeguards to protect encrypted data
at Application Load Balancers (ALBs) through the use of a unique random session
key. What should the network engineer do to meet this requirement?

78 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

78. A company recently migrated its Amazon EC2 instances to VPC private subnets to
satisfy a security compliance requirement. The EC2 instances now use a NAT
gateway for internet access. After the migration, some long-running database
queries from private EC2 instances to a publicly accessible third-party database no
longer receive responses. The database query logs reveal that the queries
successfully completed after 7 minutes but that the client EC2 instances never
received the response. Which configuration change should a network engineer
implement to resolve this issue?

79 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

79. A company has an AWS Direct Connect connection between its on-premises data
center in the United States (US) and workloads in the us-east-1 Region. The
connection uses a transit VIF to connect the data center to a transit gateway in useast-1. The company is opening a new office in Europe with a new on-premises
data center in England. A Direct Connect connection will connect the new data
center with some workloads that are running in a single VPC in the eu-west-2
Region. The company needs to connect the US data center and us-east-1 with the
Europe data center and eu-west-2. A network engineer must establish full
connectivity between the data centers and Regions with the lowest possible
latency. How should the network engineer design the network architecture to
meet these requirements?

80 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

80. A company's network engineer is designing an active-passive connection to AWS
from two on-premises data centers. The company has set up AWS Direct Connect
connections between the on-premises data centers and AWS. From each location,
the company is using a transit VIF that connects to a Direct Connect gateway that
is associated with a transit gateway. The network engineer must ensure that traffic
from AWS to the data centers is routed first to the primary data center. The traffic
should be routed to the failover data center only in the case of an outage. Which
solution will meet these requirements?

81 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

81. A software company offers a software-as-a-service (SaaS) accounting application
that is hosted in the AWS Cloud The application requires connectivity to the
company's on-premises network. The company has two redundant 10 GB AWS
Direct Connect connections between AWS and its on-premises network to
accommodate the growing demand for the application. The company already has
encryption between its on-premises network and the colocation. The company
needs to encrypt traffic between AWS and the edge routers in the colocation
within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST
operational overhead?

82 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

82. A company has developed a new web application that processes confidential data
that is hosted onAmazon EC2 instances. The application needs to scale and must
use certificates to authenticate clients. The application is configured to request a
client's certificate and will validate the certificate as part of the initial handshake.
Which Elastic Load Balancing (ELB) solution will meet these requirements?

83 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

83. A company is migrating its containerized application to AWS. For the architecture
the company will have an ingress VPC with a Network Load Balancer (NLB) to
distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service
(Amazon EKS) cluster. The front end of the application will determine which user is
requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC
will include an NLB that distributes traffic to the services pods in an EKS cluster.
The company is concerned about overall cost. User traffic will be responsible for
more than 10 TB of data transfer from the ingress VPC to services VPCs every
month. A network engineer needs to recommend how to design the
communication between the VPCs. Which solution will meet these requirements at
the LOWEST cost?

84 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

84. A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a
Linux-based network appliance in a highly available architecture. The network
engineer is configuring the new launch template for the Auto Scaling group. In
addition to the primary network interface the network appliance requires a second
network interface that will be used exclusively by the application to exchange
traffic with hosts over the internet. The company has set up a Bring Your Own IP
(BYOIP) pool that includes an Elastic IP address that should be used as the public
IP address for the second network interface. How can the network engineer
implement the required architecture?

85 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

85. A company hosts its ecommerce application on Amazon EC2 instances behind an
Application Load Balancer. The EC2 instances are in a private subnet with the
default DHCP options set. Internet connectivity is through a NAT gateway that is
configured in the public subnet. A third-party audit of the security infrastructure
identifies a DNS exfiltration vulnerability. The company must implement a highly
available solution that protects against this vulnerability. Which solution will meet
these requirements MOST cost-effectively?

86 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

86. A company has developed an application on AWS that will track inventory levels of
vending machines and initiate the restocking process automatically. The company
plans to integrate this application with vending machines and deploy the vending
machines in several markets around the world. The application resides in a VPC in
the us-east-1 Region. The application consists of an Amazon Elastic Container
Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The
communication from the vending machines to the application happens over
HTTPS. The company is planning to use an AWS Global Accelerator accelerator
and configure static IP addresses of the accelerator in the vending machines for
application endpoint access. The application must be accessible only through the
accelerator and not through a direct connection over the internet to the ALB
endpoint. Which solution will meet these requirements?

87 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

87. A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service
(Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these
requirements?

88 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

88. A network engineer needs to standardize a company's approach to centralizing
and managing interface VPC endpoints for private communication with AWS
services. The company uses AWS Transit Gateway for inter-VPC connectivity
between AWS accounts through a hub-and-spoke model. The company's network
services team must manage all Amazon Route 53 zones and interface endpoints
within a shared services AWS account. The company wants to use this centralized
model to provide AWS resources with access to AWS Key Management Service
(AWS KMS) without sending traffic over the public internet. What should the
network engineer do to meet these requirements?

89 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

89. A global company runs business applications in the us-east-1 Region inside a VPC. One of the
company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN
connection tom the VPC. The company has configured a transit gateway and has set up peering
between the VPC and other VPCs that various departments in the company use. Employees at the
London office are experiencing latency issues when they connect to the business applications. What
should a network engineer do to reduce this latency?

90 / 90

Category: AWS Certified Advanced Networking Speciality (ANS-C01)

90. A company deploys a new web application on Amazon EC2 instances. The
application runs in private subnets in three Availability Zones behind an
Application Load Balancer (ALB). Security auditors require encryption of all
connections. The company uses Amazon Route 53 for DNS and uses AWS
Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS
connections are terminated on the ALB. The company tests the application with a
single EC2 instance and does not observe any problems. However, after
production deployment, users report that they can log in but that they cannot use
the application. Every new web request restarts the login process. What should a
network engineer do to resolve this issue?

Your score is

0%

 

Attempt the free version of AWS Certified Advanced Networking (ANS-C01)

Free AWS Certified Advanced Networking (ANS-C01) Questions & Answers

AWS Certified Cloud Practitioner -100 Questions & Answers (Part 2)

AWS Certified Cloud Practitioner -100 Questions & Answers (Part 1)

Free AWS Certified Cloud Practitioner Questions & Answers

Leave a Comment

Your email address will not be published. Required fields are marked *

error: Content is protected !!
Scroll to Top