AWS Certified Advanced Networking Specialty Exam Notes and Practice Tests

You didn’t pass this time, but that’s okay. Take this as an opportunity to identify areas for improvement. Review the materials, focus on your weak spots, and you’ll be even more prepared for your next attempt.
Great work! You passed this practice test. Keep reinforcing your knowledge, and you’ll be confident and ready for the real AWS exam.

Current
Review
Answered
You're Right!
Incorrect

Question 1 of 65

1. Question
A company has deployed multiple Amazon VPCs across two AWS Regions. The company requires full interconnectivity between the VPCs and an on-premises data center, while maintaining low latency and high throughput. The architecture must also support future growth. What is the best solution to meet these requirements?
- Use AWS Transit Gateway in each Region and establish a Transit Gateway Peering Connection between the Regions. Use AWS Direct Connect for on-premises connectivity.
- Use VPC peering connections between all VPCs and establish a VPN connection between the data center and each VPC.
- Use an AWS Direct Connect Gateway for on-premises connectivity and VPC Endpoint Services for inter-VPC communication.
- Use AWS VPN CloudHub to connect all VPCs and establish Direct Connect connectivity to the on-premises data center.
Correct

Incorrect
Question 2 of 65

2. Question
A company hosts a website in two AWS Regions to improve availability. Amazon Route 53 is used to route traffic between the Regions. The company requires a DNS solution that routes traffic to the closest Region and automatically switches to the other Region in the event of a failure. Which Route 53 configuration meets these requirements?
- Geolocation routing policy with failover.
- Latency routing policy with health checks.
- Weighted routing policy with failover.
- Multivalue answer routing policy.
Correct

Incorrect
Question 3 of 65

3. Question
A company has a VPC with a CIDR block of 10.0.0.0/16. The company’s workloads have outgrown the available IP addresses. What steps should a network engineer take to expand the IP range?
- Create a new VPC with a larger CIDR block and migrate workloads.
- Add a new CIDR block, such as 10.1.0.0/16, to the existing VPC.
- Increase the VPC CIDR block to 10.0.0.0/8.
- Use secondary IP addresses on EC2 instances within the existing CIDR block.
Correct

Incorrect
Question 4 of 65

4. Question
A company requires a hybrid network with a secure, high-performance connection between its on-premises data center and AWS. The company also requires backup connectivity in case the primary connection fails. What is the best solution?
- Establish an AWS Direct Connect connection as the primary and an AWS Site-to-Site VPN as the backup.
- Use AWS Site-to-Site VPN with dual tunnels and BGP for failover.
- Use two AWS Direct Connect connections in an active/active configuration.
- Establish a single Direct Connect connection and configure redundant NAT gateways for backup.
Correct

Incorrect
Question 5 of 65

5. Question
A company operates a latency-sensitive application deployed in multiple AWS Regions. Users should always be routed to the closest Region for optimal performance, and failover must occur automatically. What service should be used?
- Amazon CloudFront.
- AWS Global Accelerator.
- Amazon Route 53 with latency routing policy.
- AWS Transit Gateway with VPC attachments.
Correct

Incorrect
Question 6 of 65

6. Question
An application hosted on AWS Elastic Beanstalk has been updated to include a second EC2 instance and an Application Load Balancer (ALB). Users are now frequently prompted to log in again, even though their sessions should remain active for hours. What configuration change can address this issue?
- Configure cross-zone load balancing on the ALB.
- Enable Sticky Sessions for the target group.
- Configure path-based routing rules on the ALB.
- Add a listener rule to forward cookies to backend instances.
Correct

Incorrect
Question 7 of 65

7. Question
A network engineer enabled VPC Flow Logs to diagnose connectivity issues between an application server and a database server in separate subnets. The logs show ACCEPT for requests sent to the database instance but REJECT for responses returning to the application server. What could be causing this issue?
- Outbound traffic is restricted by the database instance’s network ACL.
- The security group of the application instance is blocking inbound responses.
- The database instance’s security group is blocking outbound traffic.
- The application instance’s network ACL is blocking inbound traffic.
Correct

Incorrect
Question 8 of 65

8. Question
A network engineer is troubleshooting connectivity to an EC2 instance that consistently returns a “request timed out” error. The public IP of the client is 198.51.100.12, and the private IP of the EC2 instance is 10.0.1.25. VPC Flow Logs reveal the following: eni-123456abc, 198.51.100.12, 10.0.1.25, ACCEPT; eni-123456abc, 10.0.1.25, 198.51.100.12, REJECT. What configuration could resolve this issue?
- Modify the inbound rules of the EC2 security group.
- Update the outbound rules of the VPC network ACL.
- Add a route to the instance’s route table for the client IP.
- Check the outbound rules of the EC2 security group.
Correct

Incorrect
Question 9 of 65

9. Question
A network engineer is configuring a public virtual interface (VIF) for an AWS Direct Connect connection. They want to ensure only routes from the same Region are imported. What configuration will achieve this?
- Use a BGP filter to allow only routes tagged with 7224:8000.
- Configure the router to import only routes with the 7224:9100 tag.
- Allow routes with a path length of less than 5.
- Filter routes with the NO_ADVERTISE BGP community tag.
Correct

Incorrect
Question 10 of 65

10. Question
A company is deploying an API with Amazon API Gateway to serve customers across multiple Regions using a custom domain name. How should the company ensure the API is accessible with minimal latency?
- Use an edge-optimized API endpoint and configure latency-based routing in Route 53.
- Configure regional API endpoints and Route 53 latency-based records for each Region.
- Deploy private API endpoints in each Region and use VPC interface endpoints.
- Set up weighted DNS records in Route 53 to balance traffic across the Regions.
Correct

Incorrect
Question 11 of 65

11. Question
A company’s VPC with a CIDR block of 192.168.1.0/24 has run out of IP addresses. What is the best way to ensure new resources can be launched?
- Add a secondary CIDR block of 192.168.2.0/24 and launch new resources in this range.
- Add a secondary CIDR block of 192.168.1.128/25 and create new subnets.
- Expand the VPC CIDR block to 192.168.0.0/23 to include more addresses.
- Assign Elastic IPs for new resources to bypass the CIDR limit.
Correct

Incorrect
Question 12 of 65

12. Question
Which IP addresses are reserved by AWS for DNS resolution in a VPC with the CIDR block 10.0.0.0/16? (Select TWO.)
- 169.254.169.253
- 10.0.0.1
- 169.254.169.254
- 10.0.0.2
- 10.0.0.53
Correct

Incorrect
Question 13 of 65

13. Question
A company’s VPC connects to an on-premises data center via a Site-to-Site VPN and Direct Connect. What is the BGP route selection order from MOST to LEAST preferred?
- Static routes, VPN BGP routes, Direct Connect BGP routes, longest prefix match.
- Longest prefix match, Direct Connect BGP routes, VPN BGP routes, static routes.
- Static routes, longest prefix match, Direct Connect BGP routes, VPN BGP routes.
- VPN BGP routes, Direct Connect BGP routes, static routes, longest prefix match.
Correct

Incorrect
Question 14 of 65

14. Question
A company streams weather data into a source VPC and needs to simultaneously distribute it to multiple data analysis VPCs for processing. What is the best configuration?
- Set up VPC Peering and configure multicast routing with Transit Gateway.
- Use Kinesis Data Streams to push data to S3, and allow analysis VPCs to access the data.
- Enable Transit Gateway Multicast and attach all VPCs as participants.
- Deploy a Direct Connect Gateway and attach all VPCs as multicast receivers.
Correct

Incorrect
Question 15 of 65

15. Question
A company plans to use a Site-to-Site VPN to connect its on-premises network to four VPCs in an AWS Region with full transitive routing between all entities. Which solution meets the requirement?
- Use a transit gateway with attachments for the VPCs and the VPN, and configure routes to point to the transit gateway.
- Deploy a Direct Connect gateway with attachments for the VPN and VPCs, and configure static routes.
- Establish VPC peering between all VPCs and configure a VPN attachment to each VPC.
- Deploy a transit VPC and configure a Site-to-Site VPN for the on-premises connection.
Correct

Incorrect
Question 16 of 65

16. Question
A gaming application uses both TCP and UDP protocols and requires connections to be distributed across multiple EC2 instances in different Availability Zones. How should a network engineer configure the Network Load Balancer?
- Create a Network Load Balancer with a single listener for both TCP and UDP protocols. Use a single target group configured for TCP_UDP.
- Create a Network Load Balancer with separate listeners for TCP and UDP protocols. Use two target groups configured for the respective protocols.
- Create a Network Load Balancer with a TCP_UDP listener. Use two target groups for TCP and UDP protocols on the same instances.
- Create a Network Load Balancer with separate listeners for TCP and UDP protocols. Use a single target group configured for both protocols.
Correct

Incorrect
Question 17 of 65

17. Question
A security team needs to monitor unauthorized connection attempts to a malicious IP address that has been blocked using a Network ACL. What is the MOST cost-effective way to achieve this?
- Enable VPC Flow Logs for rejected traffic, send logs to CloudWatch, and create a CloudWatch alarm for rejected connections to the IP.
- Use GuardDuty with a custom threat list containing the IP address. Use EventBridge to send notifications for matching events.
- Create a VPC Flow Log for all traffic and configure a metric filter in CloudWatch for rejected traffic to the IP.
- Enable VPC Traffic Mirroring and monitor rejected traffic logs using an external SIEM tool.
Correct

Incorrect
Question 18 of 65

18. Question
A company with dual Direct Connect connections wants to minimize failover time when switching from the primary to the backup connection. How can this be achieved?
- Configure BFD on the virtual private gateway with a detection interval of 200 ms and a multiplier of 3.
- Enable Dead Peer Detection (DPD) with a detection interval of 500 ms and a multiplier of 2.
- Set BGP keep-alive to 200 ms and the hold timer to 600 ms on the company's routers.
- Configure BFD on the company router with a detection interval of 300 ms and a multiplier of 3.
Correct

Incorrect
Question 19 of 65

19. Question
A company wants to access application logs stored in an S3 bucket in the us-west-2 Region over a Direct Connect connection in the us-east-1 Region. What configuration should the company use?
- Create a public virtual interface in the us-west-2 Region and establish a BGP session.
- Use a Direct Connect gateway to route traffic between the Regions over a private virtual interface.
- Establish a VPN connection over Direct Connect to the us-west-2 Region's virtual private gateway.
- Configure a transit virtual interface to connect the Direct Connect location with the S3 bucket in us-west-2.
Correct

Incorrect
Question 20 of 65

20. Question
A VPC using CIDR block 192.168.0.0/16 is running out of IP addresses. Which additional CIDR blocks can be added? (Select TWO.)
- 10.1.0.0/16
- 172.31.0.0/20
- 192.168.128.0/17
- 192.168.1.0/24
- 192.169.0.0/16
Correct

Incorrect
Question 21 of 65

21. Question
A network engineer needs a cost-effective solution to monitor traffic flows in a VPC and log ACCEPT and REJECT traffic for analysis. What should they configure?
- VPC Flow Logs with CloudWatch as the destination for logs.
- VPC Traffic Mirroring for critical ENIs in the subnet.
- Use packet capture tools on each EC2 instance.
- Enable CloudTrail logging for network events.
Correct

Incorrect
Question 22 of 65

22. Question
A company has replaced its NTP server with one that uses a new IP address. How should the VPC be updated to reflect this change?
- Associate a new DHCP options set with the updated NTP server IP.
- Modify the route table to include a route to the new NTP server.
- Update the user data script for all EC2 instances.
- Add the new NTP server IP to the security group ingress rules.
Correct

Incorrect
Question 23 of 65

23. Question
A security team needs to monitor multiple AWS accounts for malicious activity without direct access to each account. What is the most efficient way to achieve this?
- Enable GuardDuty in a central administrator account and link all monitored accounts.
- Use Security Hub to aggregate findings from monitored accounts into a single account.
- Deploy a centralized VPC Traffic Mirroring solution for all monitored accounts.
- Use Amazon Macie for all accounts and configure cross-account data sharing.
Correct

Incorrect
Question 24 of 65

24. Question
A company plans to migrate DNS records to Route 53, using example.com for public services and private.example.com for internal services in a VPC. What is the best way to implement this?
- Create a public hosted zone for example.com and a private hosted zone for private.example.com. Associate the VPC with the private zone.
- Create a single public hosted zone for both example.com and private.example.com. Use conditional forwarding for private records.
- Set up separate public hosted zones for example.com and private.example.com. Add NS records to link them.
- Configure Route 53 Resolver endpoints to manage private records for private.example.com.
Correct

Incorrect
Question 25 of 65

25. Question
An application in a private subnet uses a Direct Connect connection to route all traffic, including outbound internet traffic, through an on-premises proxy server. EC2 instances are unable to connect to external web services. What should the network engineer do to resolve this?
- Add a NAT Gateway and route all internet-bound traffic through the NAT Gateway.
- Configure the VPC route table to direct internet traffic through the proxy server.
- Update proxy settings on the EC2 instances to point to the on-premises proxy.
- Modify the Direct Connect connection to allow direct outbound internet access.
Correct

Incorrect
Question 26 of 65

26. Question
A company plans to deploy 1,000 Amazon Workspaces across two Availability Zones. The architecture must support Multi-AZ deployment and accommodate future growth. What is the most appropriate configuration?
- Create two private subnets with a /22 subnet mask in each AZ.
- Create two public subnets with a /21 subnet mask in each AZ.
- Use a single private subnet with a /20 subnet mask.
- Use two private subnets with a /24 subnet mask and enable subnet sharing.
Correct

Incorrect
Question 27 of 65

27. Question
A retail website on EC2 instances behind an Application Load Balancer (ALB) must be accessible at example.com and www.example.com. The DNS zone is hosted in Route 53. What records should the network engineer create?
- ALIAS record for example.com pointing to the ALB and CNAME record for www.example.com pointing to example.com.
- ALIAS record for example.com and ALIAS record for www.example.com both pointing to the ALB.
- A record for example.com pointing to the ALB’s IP address and a CNAME record for www.example.com.
- A CNAME record for example.com pointing to the ALB and a CNAME record for www.example.com.
Correct

Incorrect
Question 28 of 65

28. Question
An application behind an Auto Scaling group needs to send sensitive metrics to CloudWatch over private IP addresses without public endpoint exposure. How can this requirement be met?
- Configure a VPC interface endpoint for CloudWatch.
- Set up a NAT gateway for internet connectivity and route traffic through it.
- Deploy CloudWatch agent with custom encryption for sensitive metrics.
- Use a VPC gateway endpoint for CloudWatch Logs.
Correct

Incorrect
Question 29 of 65

29. Question
A consultant is configuring logging for an application behind a load balancer to capture the client’s source IP address. What behavior can be expected by default? (Select TWO.)
- With a Network Load Balancer, the client’s source IP is recorded.
- With an Application Load Balancer, the client’s source IP is recorded.
- With a Network Load Balancer, the source IP of the load balancer is recorded.
- With an Application Load Balancer, the source IP of the load balancer node is recorded.
- With a Network Load Balancer, the client’s source IP is recorded if IP mode is enabled for the target group.
Correct

Incorrect
Question 30 of 65

30. Question
A company must migrate 100 virtual machines (VMs) to AWS using AWS SMS within 14 days, leveraging a 1 Gbps internet connection during non-peak hours. Each VM averages 20 GB. What is the best migration approach?
- Use the internet connection and throttle uploads during peak hours.
- Configure Transfer Acceleration for the S3 bucket used by AWS SMS.
- Deploy AWS Direct Connect and schedule the migration.
- Use AWS Snowball Edge to migrate the data and complete the process using AWS SMS.
Correct

Incorrect
Question 31 of 65

31. Question
A company requires 99.9% SLA for Direct Connect connections to its VPC. What is the most cost-effective solution?
- Provision two connections in different Direct Connect locations and enable active/passive failover with BGP.
- Create additional virtual interfaces (VIFs) on the same Direct Connect connection and enable active/active mode with BGP.
- Deploy two connections in the same Direct Connect location and configure active/active mode.
- Use four connections across two Direct Connect locations with active/active failover.
Correct

Incorrect
Question 32 of 65

32. Question
Remote offices will use Amazon Workspaces. Which firewall configuration supports streaming of Workspaces desktops?
- Allow outbound traffic on ports 4172 and 4195 (UDP/TCP) and open inbound ephemeral ports for return traffic.
- Open inbound traffic on ports 80 and 443 (UDP/TCP) and allow outbound ephemeral ports.
- Allow inbound traffic on ports 4172 and 4195 (UDP/TCP) and open outbound ephemeral ports.
- Open outbound traffic on ports 80 and 443 (UDP/TCP) and inbound ephemeral ports.
Correct

Incorrect
Question 33 of 65

33. Question
An organization’s web application in a VPC must be accessible to other VPCs within the same Region without using the internet. What is the best solution?
- Deploy an internal Application Load Balancer and use VPC peering for connectivity.
- Use an internal Network Load Balancer and interface VPC endpoints.
- Deploy a CloudFront distribution with origin access restrictions.
- Establish Gateway VPC endpoints to connect with the service.
Correct

Incorrect
Question 34 of 65

34. Question
An EC2-based application behind an Application Load Balancer (ALB) frequently experiences timeouts during large file uploads. What steps can mitigate this issue? (Select TWO.)
- Increase the idle timeout on the ALB.
- Enable HTTP keep-alive on the backend EC2 instances.
- Configure cross-zone load balancing for the ALB.
- Enable HTTP keep-alive on the ALB.
- Increase the buffer size on the EC2 web server.
Correct

Incorrect
Question 35 of 65

35. Question
A network engineer must log all IP traffic in a VPC and run SQL queries against the log data. What solution should be implemented?
- Enable VPC Flow Logs to send data to CloudWatch Logs and query using CloudWatch Logs Insights.
- Use packet capture tools to collect data and analyze logs stored in S3 with Athena.
- Enable VPC Flow Logs with data sent to S3 and query using Athena.
- Use VPC Traffic Mirroring to capture packets and analyze using CloudWatch Contributor Insights.
Correct

Incorrect
Question 36 of 65

36. Question
A company is designing a microservices application to run on Amazon ECS. The application requires multiple services accessed through different paths, all behind a single Elastic Load Balancer. Additionally, the application must log the client’s source IP address. What should the network engineer configure? (Select TWO.)
- Use an Application Load Balancer with host-based routing rules.
- Capture client IP addresses using the X-Forwarded-For header.
- Use a Gateway Load Balancer with a custom header for IP tracking.
- Deploy a Network Load Balancer with target groups for each path.
- Enable Proxy Protocol version 2 on the Load Balancer.
Correct

Incorrect
Question 37 of 65

37. Question
A network engineer is setting up an AWS Site-to-Site VPN connection and must update firewall rules to allow the required traffic. Which types of traffic should be permitted? (Select TWO.)
- UDP port 500
- IP Protocol 50
- TCP port 4500
- UDP port 4500
- IP Protocol 51
Correct

Incorrect
Question 38 of 65

38. Question
A company has two data centers connected to a virtual private gateway attached to a VPC. The data centers have the following CIDR blocks: Data Center A: 192.168.10.0/24; Data Center B: 192.168.20.0/24. What route table entry should the network engineer configure for traffic destined to the data centers?
- Destination: 192.168.0.0/16, Target: vgw-xxxx
- Destination: 192.168.10.0/24, Target: vgw-xxxx
- Destination: 192.168.10.0/24, Target: igw-xxxx
- Destination: 192.168.0.0/24, Target: igw-xxxx
Correct

Incorrect
Question 39 of 65

39. Question
A VPC with CIDR block 10.0.0.0/16 requires multiple subnets, each supporting at least 2,000 assignable IP addresses. Which subnet mask should the network engineer choose?
- /21
- /22
- /23
- /24
Correct

Incorrect
Question 40 of 65

40. Question
A network provider has provisioned a circuit for Direct Connect and needs cross-connect information. How can the network engineer provide this information?
- Submit a connection request in the AWS Management Console and download the LOA-CFA once approved.
- Create a Direct Connect gateway and use the connection ID to request cross-connect details from AWS Support.
- Open a case with an AWS Technical Account Manager (TAM) to retrieve the LOA-CFA document.
- Provision a private virtual interface and request the LOA-CFA through the AWS CLI.
Correct

Incorrect
Question 41 of 65

41. Question
A company is deploying an application in an Amazon VPC that needs to communicate with on-premises servers. The initial traffic is low but is expected to exceed 5 Gbps within six months. What connectivity solution should the network engineer implement?
- Start with a Site-to-Site VPN and upgrade to Direct Connect when traffic increases.
- Deploy a 10 Gbps Direct Connect connection from the start.
- Use Elastic IP addresses on EC2 instances and configure an IPsec VPN for connectivity.
- Deploy two 1 Gbps Direct Connect connections with BGP for load balancing.
Correct

Incorrect
Question 42 of 65

42. Question
An RDS MySQL instance requires encryption in transit for connections from application servers. What steps should the network engineer take?
- Enable encryption in transit through the RDS Management Console and restart the instance.
- Download AWS’s public TLS certificate and configure application connections to use the certificate.
- Add a custom SSL certificate to the RDS instance and enforce encryption in connections.
- Take a snapshot of the instance, restore it to a new instance, and enable encryption in transit.
Correct

Incorrect
Question 43 of 65

43. Question
A company uses CloudFormation templates to deploy VPCs with varying CIDR blocks. What intrinsic function should the engineer use to return a range of CIDR addresses?
- Fn::Select
- Fn::Cidr
- Fn::Sub
- Fn::GetAtt
Correct

Incorrect
Question 44 of 65

44. Question
A three-tier application in a VPC requires minimal public exposure. The web and application tiers are hosted in EC2 instances, and the database tier uses DynamoDB. Which architecture meets these requirements?
- Public subnets for web and application tiers; private subnets for DynamoDB.
- Private subnets for web and application tiers; a DynamoDB VPC endpoint for database access.
- Public subnets for web tier; private subnets for application tier and DynamoDB.
- Public subnets for all tiers with strict security group rules for access.
Correct

Incorrect
Question 45 of 65

45. Question
A website served through CloudFront uses country-specific subdomains (us.example.com, uk.example.com). Requests to example.com must redirect users to the correct subdomain based on their location. How should the network engineer achieve this?
- Use a Lambda@Edge viewer request function to generate location-based redirects.
- Configure an origin request policy in CloudFront for header-based routing.
- Set up path-based routing rules for subdomains within CloudFront behaviors.
- Use a Lambda@Edge origin response function to send redirects based on headers.
Correct

Incorrect
Question 46 of 65

46. Question
A company is establishing hybrid cloud connectivity using AWS Direct Connect (DX). The DX connection must access multiple VPCs and a private Amazon S3 bucket within the same Region. What configuration minimizes customer router setup?
- Configure a private VIF for VPCs and a public VIF for S3.
- Use a private VIF to a Direct Connect gateway for VPCs and a separate public VIF for S3.
- Use a private VIF to a Direct Connect gateway for both VPCs and S3.
- Configure dedicated private VIFs for each VPC and S3 separately.
Correct

Incorrect
Question 47 of 65

47. Question
A company is running an application on Amazon EC2 and connecting to on-premises servers via Direct Connect. To ensure consistent performance and in-transit encryption, what is the best solution?
- Use a public VIF over Direct Connect and establish a VPN connection for encryption.
- Enable Direct Connect MACsec encryption for in-transit data.
- Configure a private VIF and establish an IPSec VPN over Direct Connect.
- Use AWS Direct Connect Gateway and enable data encryption with AWS KMS.
Correct

Incorrect
Question 48 of 65

48. Question
Two companies are collaborating, and Company B requires static public IP addresses to whitelist for accessing Company A’s EC2 application over a custom TCP port. How should the architecture be designed?
- Use a Network Load Balancer with Elastic IPs for each subnet containing EC2 instances.
- Deploy an Application Load Balancer with HTTPS and Elastic IPs for public access.
- Use a Gateway Load Balancer and assign Elastic IPs to the target groups.
- Use a Network Load Balancer with TCP listeners and Elastic IPs on the EC2 instances.
Correct

Incorrect
Question 49 of 65

49. Question
To analyze the frequency of DNS queries in an Amazon Route 53 public hosted zone, what steps should the engineer take?
- Enable Route 53 query logging and store the logs in Amazon S3.
- Configure CloudWatch Logs as the destination for Route 53 query logs.
- Enable CloudTrail Data Events for DNS queries and log them to Amazon S3.
- Enable detailed metrics for the Route 53 namespace in CloudWatch.
Correct

Incorrect
Question 50 of 65

50. Question
A network administrator must update the domain name provided by DHCP to a custom subdomain for EC2 instances. What is the best approach?
- Create a new DHCP options set with the subdomain and associate it with the VPC.
- Modify the existing DHCP options set with the new domain name.
- Update the Route 53 public hosted zone with the subdomain name.
- Create a private hosted zone for the subdomain and attach it to the VPC.
Correct

Incorrect
Question 51 of 65

51. Question
A company deploys a retail website using CloudFront. To safeguard against DDoS, SQL injection, and XSS attacks, what AWS services should be used? (Select TWO.)
- AWS WAF for application-layer protection.
- AWS Shield Advanced for DDoS protection.
- Amazon Inspector for application vulnerabilities.
- AWS Config for layer 4 protections.
- AWS Trusted Advisor for network traffic analysis.
Correct

Incorrect
Question 52 of 65

52. Question
A high-performance computing (HPC) application in a cluster placement group requires optimized network throughput. How can the network engineer achieve this?
- Set the maximum transmission unit (MTU) to 9001 bytes and enable jumbo frames.
- Use a Network Load Balancer for efficient packet handling.
- Increase the MTU to 1500 bytes and enable ENA support.
- Relocate instances to a spread placement group for better bandwidth.
Correct

Incorrect
Question 53 of 65

53. Question
A network engineer must encrypt data in transit for a web application behind an Elastic Load Balancer. What options should be implemented? (Select TWO.)
- Use an ALB with HTTPS listeners and SSL certificates installed.
- Use an NLB with TCP listeners and terminate SSL on EC2 instances.
- Use an NLB with HTTPS listeners and install SSL certificates on the NLB.
- Configure a Gateway Load Balancer with TLS passthrough to EC2 instances.
- Deploy an ALB with TCP listeners and terminate SSL on the EC2 instances.
Correct

Incorrect
Question 54 of 65

54. Question
A VPC with CIDR block 10.0.0.0/22 must have 10 subnets, each supporting at least 50 hosts. What subnet mask should the engineer choose?
- /26
- /27
- /25
- /28
Correct

Incorrect
Question 55 of 65

55. Question
To prevent unauthorized configuration changes to an Application Load Balancer, management requests auditing and notifications for changes. What actions should be taken?
- Use IAM policies to restrict permissions, enable CloudTrail for API events, and configure AWS Config with SNS notifications.
- Create an IAM role for changes, restrict role access, and enable GuardDuty for configuration monitoring.
- Configure a specific IAM group for ALB changes and enable AWS Config rules for auditing with SES notifications.
- Enable CloudTrail, configure Trusted Advisor checks for ALB, and set up notifications in CloudWatch.
Correct

Incorrect
Question 56 of 65

56. Question
A company must replace a failed on-premises Network Attached Storage (NAS) device with an AWS Storage Gateway file gateway. The fastest deployment option is required. What should the company do?
- Deploy an AWS Site-to-Site VPN connection.
- Use the existing corporate internet connection.
- Order a hosted AWS Direct Connect link.
- Request a dedicated AWS Direct Connect connection.
Correct

Incorrect
Question 57 of 65

57. Question
A company has deployed multiple Amazon VPCs connected via AWS Transit Gateway. Private subnet instances require internet access through NAT gateways. How can the company reduce NAT gateway costs while maintaining redundancy?
- Centralize NAT gateways in an egress VPC and route traffic via the Transit Gateway.
- Deploy one large NAT gateway per VPC and update all route tables.
- Use a single NAT gateway in each VPC and configure cross-VPC peering for traffic.
- Use a centralized NAT gateway in one Region and implement interface VPC endpoints for traffic.
Correct

Incorrect
Question 58 of 65

58. Question
A financial institution requires sub-millisecond latency between its New York data center and AWS services in us-east-1. How can the institution achieve this without deploying dedicated private links?
- Deploy AWS Local Zones in New York for compute resources.
- Use AWS Global Accelerator to optimize routing between New York and us-east-1.
- Implement an AWS Site-to-Site VPN over existing fiber connections.
- Use Amazon CloudFront to cache latency-sensitive data in Local Zones.
Correct

Incorrect
Question 59 of 65

59. Question
A VPC uses default network ACLs in Subnet A and custom ACLs in Subnet B. Instances in both subnets must connect over TCP port 443. What configurations are required? (Select TWO.)
- Security group: Allow inbound and outbound traffic on TCP port 443.
- Network ACL: Allow inbound traffic on port 443; allow ephemeral ports for outbound traffic.
- Network ACL: Allow both inbound and outbound traffic on port 443.
- Security group: Inbound traffic on TCP port 443; outbound ephemeral traffic.
- Network ACL: Deny all outbound traffic except TCP port 443.
Correct

Incorrect
Question 60 of 65

60. Question
Instances in a newly added Availability Zone are healthy but do not receive traffic from an Application Load Balancer. What action should the engineer take?
- Enable the new AZ in the ALB configuration.
- Attach Elastic Network Interfaces to instances in the new AZ.
- Create separate target groups for instances in the new AZ.
- Update the route table for the new AZ.
Correct

Incorrect
Question 61 of 65

61. Question
How can a network engineer automate VPC creation while ensuring unique CIDR ranges and adherence to corporate standards?
- Use CloudFormation with the Fn::Cidr intrinsic function.
- Manually define CIDR ranges in each VPC's CloudFormation template.
- Use AWS CLI scripts to deploy and validate CIDR uniqueness.
- Use an external IPAM tool integrated with a CloudFormation custom resource.
Correct

Incorrect
Question 62 of 65

62. Question
A consultant creates VPCs in different accounts with overlapping CIDR blocks. How can this be automated and standardized across accounts?
- Use AWS CloudFormation templates and Resource Access Manager to share common prefix lists.
- Automate deployment with Lambda and reference centralized CIDR ranges.
- Configure VPCs manually and validate CIDR ranges with AWS Trusted Advisor.
- Use the AWS CLI with scripts to deploy VPCs across accounts.
Correct

Incorrect
Question 63 of 65

63. Question
How should a company load balance traffic to EC2 instances for multiple subdomains, such as api.example.com and mobile.example.com, using a cost-effective solution?
- Use an ALB with host-based routing and Route 53 Alias records for subdomains.
- Use a Network Load Balancer with Route 53 Alias records and TCP listeners.
- Deploy individual NLBs for each subdomain with TCP listeners.
- Deploy an ALB with path-based routing and Route 53 Alias records.
Correct

Incorrect
Question 64 of 65

64. Question
A network ACL is configured to block traffic to 192.168.0.0/24, but no outbound traffic is allowed from a subnet. What is the likely issue?
- The ACL does not include an allow rule for all outbound traffic.
- The ACL rule for 192.168.0.0/24 has a low priority number.
- The default deny rule at the end of the ACL is preventing all traffic.
- An allow rule for ephemeral ports is missing.
Correct

Incorrect
Question 65 of 65

65. Question
A VPC's virtual private gateway prefers AWS Direct Connect routes over VPN routes. How can this behavior be explained?
- Static routes have higher precedence over BGP propagated routes.
- Direct Connect BGP routes are preferred due to shorter AS Path length.
- VPN BGP routes are deprioritized in favor of static configurations.
- AWS prioritizes VPN routes unless configured otherwise.
Correct

Incorrect

AWS Certified Advanced Networking Specialty Exam Notes and Practice Tests

AWS Certified Advanced Networking Specialty Exam Notes and Practice Tests – Practice Test #1

Quiz Summary

Information

Results

Results

Domains

1. Question

2. Question

3. Question

4. Question

5. Question

6. Question

7. Question

8. Question

9. Question

10. Question

11. Question

12. Question

13. Question

14. Question

15. Question

16. Question

17. Question

18. Question

19. Question

20. Question

21. Question

22. Question

23. Question

24. Question

25. Question

26. Question

27. Question

28. Question

29. Question

30. Question

31. Question

32. Question

33. Question

34. Question

35. Question

36. Question

37. Question

38. Question

39. Question

40. Question

41. Question

42. Question

43. Question

44. Question

45. Question

46. Question

47. Question

48. Question

49. Question

50. Question

51. Question

52. Question

53. Question

54. Question

55. Question

56. Question

57. Question

58. Question

59. Question

60. Question

61. Question

62. Question

63. Question

64. Question

65. Question