AWS Certified Advanced Networking Specialty (ANS-C01)
Exam Notes & Practice Tests

A company has deployed multiple Amazon VPCs across two AWS Regions. The company requires full interconnectivity between the VPCs and an on-premises data center, while maintaining low latency and high throughput. The architecture must also support future growth. What is the best solution to meet these requirements?

A company hosts a website in two AWS Regions to improve availability. Amazon Route 53 is used to route traffic between the Regions. The company requires a DNS solution that routes traffic to the closest Region and automatically switches to the other Region in the event of a failure. Which Route 53 configuration meets these requirements?

A company has a VPC with a CIDR block of 10.0.0.0/16. The company’s workloads have outgrown the available IP addresses. What steps should a network engineer take to expand the IP range?

A company requires a hybrid network with a secure, high-performance connection between its on-premises data center and AWS. The company also requires backup connectivity in case the primary connection fails. What is the best solution?

A company operates a latency-sensitive application deployed in multiple AWS Regions. Users should always be routed to the closest Region for optimal performance, and failover must occur automatically. What service should be used?

An application hosted on AWS Elastic Beanstalk has been updated to include a second EC2 instance and an Application Load Balancer (ALB). Users are now frequently prompted to log in again, even though their sessions should remain active for hours. What configuration change can address this issue?

A network engineer enabled VPC Flow Logs to diagnose connectivity issues between an application server and a database server in separate subnets. The logs show ACCEPT for requests sent to the database instance but REJECT for responses returning to the application server. What could be causing this issue?

A network engineer is troubleshooting connectivity to an EC2 instance that consistently returns a “request timed out” error. The public IP of the client is 198.51.100.12, and the private IP of the EC2 instance is 10.0.1.25. VPC Flow Logs reveal the following: eni-123456abc, 198.51.100.12, 10.0.1.25, ACCEPT; eni-123456abc, 10.0.1.25, 198.51.100.12, REJECT. What configuration could resolve this issue?

A network engineer is configuring a public virtual interface (VIF) for an AWS Direct Connect connection. They want to ensure only routes from the same Region are imported. What configuration will achieve this?

A company is deploying an API with Amazon API Gateway to serve customers across multiple Regions using a custom domain name. How should the company ensure the API is accessible with minimal latency?

A company’s VPC with a CIDR block of 192.168.1.0/24 has run out of IP addresses. What is the best way to ensure new resources can be launched?

Which IP addresses are reserved by AWS for DNS resolution in a VPC with the CIDR block 10.0.0.0/16? (Select TWO.)

A company’s VPC connects to an on-premises data center via a Site-to-Site VPN and Direct Connect. What is the BGP route selection order from MOST to LEAST preferred?

A company streams weather data into a source VPC and needs to simultaneously distribute it to multiple data analysis VPCs for processing. What is the best configuration?

A company plans to use a Site-to-Site VPN to connect its on-premises network to four VPCs in an AWS Region with full transitive routing between all entities. Which solution meets the requirement?

A gaming application uses both TCP and UDP protocols and requires connections to be distributed across multiple EC2 instances in different Availability Zones. How should a network engineer configure the Network Load Balancer?

A security team needs to monitor unauthorized connection attempts to a malicious IP address that has been blocked using a Network ACL. What is the MOST cost-effective way to achieve this?

A company with dual Direct Connect connections wants to minimize failover time when switching from the primary to the backup connection. How can this be achieved?

A company wants to access application logs stored in an S3 bucket in the us-west-2 Region over a Direct Connect connection in the us-east-1 Region. What configuration should the company use?

A VPC using CIDR block 192.168.0.0/16 is running out of IP addresses. Which additional CIDR blocks can be added? (Select TWO.)

A network engineer needs a cost-effective solution to monitor traffic flows in a VPC and log ACCEPT and REJECT traffic for analysis. What should they configure?

A company has replaced its NTP server with one that uses a new IP address. How should the VPC be updated to reflect this change?

A security team needs to monitor multiple AWS accounts for malicious activity without direct access to each account. What is the most efficient way to achieve this?

A company plans to migrate DNS records to Route 53, using example.com for public services and private.example.com for internal services in a VPC. What is the best way to implement this?

An application in a private subnet uses a Direct Connect connection to route all traffic, including outbound internet traffic, through an on-premises proxy server. EC2 instances are unable to connect to external web services. What should the network engineer do to resolve this?

A company plans to deploy 1,000 Amazon Workspaces across two Availability Zones. The architecture must support Multi-AZ deployment and accommodate future growth. What is the most appropriate configuration?

A retail website on EC2 instances behind an Application Load Balancer (ALB) must be accessible at example.com and www.example.com. The DNS zone is hosted in Route 53. What records should the network engineer create?

An application behind an Auto Scaling group needs to send sensitive metrics to CloudWatch over private IP addresses without public endpoint exposure. How can this requirement be met?

A consultant is configuring logging for an application behind a load balancer to capture the client’s source IP address. What behavior can be expected by default? (Select TWO.)

A company must migrate 100 virtual machines (VMs) to AWS using AWS SMS within 14 days, leveraging a 1 Gbps internet connection during non-peak hours. Each VM averages 20 GB. What is the best migration approach?

A company requires 99.9% SLA for Direct Connect connections to its VPC. What is the most cost-effective solution?

Remote offices will use Amazon Workspaces. Which firewall configuration supports streaming of Workspaces desktops?

An organization’s web application in a VPC must be accessible to other VPCs within the same Region without using the internet. What is the best solution?

An EC2-based application behind an Application Load Balancer (ALB) frequently experiences timeouts during large file uploads. What steps can mitigate this issue? (Select TWO.)

A network engineer must log all IP traffic in a VPC and run SQL queries against the log data. What solution should be implemented?

A company is designing a microservices application to run on Amazon ECS. The application requires multiple services accessed through different paths, all behind a single Elastic Load Balancer. Additionally, the application must log the client’s source IP address. What should the network engineer configure? (Select TWO.)

A network engineer is setting up an AWS Site-to-Site VPN connection and must update firewall rules to allow the required traffic. Which types of traffic should be permitted? (Select TWO.)

A company has two data centers connected to a virtual private gateway attached to a VPC. The data centers have the following CIDR blocks: Data Center A: 192.168.10.0/24; Data Center B: 192.168.20.0/24. What route table entry should the network engineer configure for traffic destined to the data centers?

A VPC with CIDR block 10.0.0.0/16 requires multiple subnets, each supporting at least 2,000 assignable IP addresses. Which subnet mask should the network engineer choose?

A network provider has provisioned a circuit for Direct Connect and needs cross-connect information. How can the network engineer provide this information?

A company is deploying an application in an Amazon VPC that needs to communicate with on-premises servers. The initial traffic is low but is expected to exceed 5 Gbps within six months. What connectivity solution should the network engineer implement?

An RDS MySQL instance requires encryption in transit for connections from application servers. What steps should the network engineer take?

A company uses CloudFormation templates to deploy VPCs with varying CIDR blocks. What intrinsic function should the engineer use to return a range of CIDR addresses?

A three-tier application in a VPC requires minimal public exposure. The web and application tiers are hosted in EC2 instances, and the database tier uses DynamoDB. Which architecture meets these requirements?

A website served through CloudFront uses country-specific subdomains (us.example.com, uk.example.com). Requests to example.com must redirect users to the correct subdomain based on their location. How should the network engineer achieve this?

A company is establishing hybrid cloud connectivity using AWS Direct Connect (DX). The DX connection must access multiple VPCs and a private Amazon S3 bucket within the same Region. What configuration minimizes customer router setup?

A company is running an application on Amazon EC2 and connecting to on-premises servers via Direct Connect. To ensure consistent performance and in-transit encryption, what is the best solution?

Two companies are collaborating, and Company B requires static public IP addresses to whitelist for accessing Company A’s EC2 application over a custom TCP port. How should the architecture be designed?

To analyze the frequency of DNS queries in an Amazon Route 53 public hosted zone, what steps should the engineer take?

A network administrator must update the domain name provided by DHCP to a custom subdomain for EC2 instances. What is the best approach?

A company deploys a retail website using CloudFront. To safeguard against DDoS, SQL injection, and XSS attacks, what AWS services should be used? (Select TWO.)

A high-performance computing (HPC) application in a cluster placement group requires optimized network throughput. How can the network engineer achieve this?

A network engineer must encrypt data in transit for a web application behind an Elastic Load Balancer. What options should be implemented? (Select TWO.)

A VPC with CIDR block 10.0.0.0/22 must have 10 subnets, each supporting at least 50 hosts. What subnet mask should the engineer choose?

To prevent unauthorized configuration changes to an Application Load Balancer, management requests auditing and notifications for changes. What actions should be taken?

A company must replace a failed on-premises Network Attached Storage (NAS) device with an AWS Storage Gateway file gateway. The fastest deployment option is required. What should the company do?

A company has deployed multiple Amazon VPCs connected via AWS Transit Gateway. Private subnet instances require internet access through NAT gateways. How can the company reduce NAT gateway costs while maintaining redundancy?

A financial institution requires sub-millisecond latency between its New York data center and AWS services in us-east-1. How can the institution achieve this without deploying dedicated private links?

A VPC uses default network ACLs in Subnet A and custom ACLs in Subnet B. Instances in both subnets must connect over TCP port 443. What configurations are required? (Select TWO.)

Instances in a newly added Availability Zone are healthy but do not receive traffic from an Application Load Balancer. What action should the engineer take?

How can a network engineer automate VPC creation while ensuring unique CIDR ranges and adherence to corporate standards?

A consultant creates VPCs in different accounts with overlapping CIDR blocks. How can this be automated and standardized across accounts?

How should a company load balance traffic to EC2 instances for multiple subdomains, such as api.example.com and mobile.example.com, using a cost-effective solution?

A network ACL is configured to block traffic to 192.168.0.0/24, but no outbound traffic is allowed from a subnet. What is the likely issue?

A VPC's virtual private gateway prefers AWS Direct Connect routes over VPN routes. How can this behavior be explained?