Amazon ANS-C01 dumps

Amazon ANS-C01 Exam Dumps

Amazon AWS Certified Advanced Networking - Specialty

Exam Code: ANS-C01
Exam Name: Amazon AWS Certified Advanced Networking - Specialty
Questions: 290 Questions Answers With Explanation
Update Date: June 13, 2026

Genuine Exam Dumps For ANS-C01:

Prepare Yourself Expertly for ANS-C01 Exam:

Our team of highly skilled and experienced professionals is dedicated to delivering up-to-date and precise study materials in PDF format to our customers. We deeply value both your time and financial investment, and we have spared no effort to provide you with the highest quality work. We ensure that our students consistently achieve a score of more than 95% in the Amazon ANS-C01 exam. We provide only authentic and reliable study material. Our team of professionals is always working very keenly to keep the material updated. Hence, they communicate to the students quickly if there is any change in the ANS-C01 dumps file. The Amazon ANS-C01 exam question answers and ANS-C01 dumps we offer are as genuine as studying the actual exam content.

24/7 Friendly Approach:

You can reach out to our agents at any time for guidance; we are available 24/7. Our agents will provide you with the information you need; you can ask them any questions you have. We are here to provide you with the complete study material file you need to pass your ANS-C01 exam with extraordinary marks.

Quality Exam Dumps for Amazon ANS-C01:

Pass4surexams provides trusted study material. If you want to meet a sweeping success in your exam, you must sign up for the complete preparation at Pass4surexams, and we will provide you with such genuine material that will help you succeed with distinction. Our experts work tirelessly for our customers, ensuring a seamless journey to passing the Amazon ANS-C01 exam on the first attempt. We have already helped a lot of students to ace IT certification exams with our genuine ANS-C01 Exam Question Answers. Don't wait; join us today to collect your favorite certification exam study material and get your dream job quickly.

90 Days Free Updates for Amazon ANS-C01 Exam Question Answers and Dumps:

Enroll with confidence at Pass4surexams, and not only will you access our comprehensive Amazon ANS-C01 exam question answers and dumps, but you will also benefit from a remarkable offer: 90 days of free updates. In the dynamic landscape of certification exams, our commitment to your success doesn't waver. If there are any changes or updates to the Amazon ANS-C01 exam content during the 90-day period, rest assured that our team will promptly notify you and provide the latest study materials, ensuring you are thoroughly prepared for success in your exam.

Amazon ANS-C01 Real Exam Questions:

Quality is the heart of our service; that's why we offer our students real exam questions with 100% passing assurance in the first attempt. Our ANS-C01 dumps PDF has been crafted by experienced experts exactly on the model of the real exam question answers that you will face to get your certification.


Amazon ANS-C01 Sample Questions

Question # 1

A company ran out of IP address space in one of the Availability Zones in an AWS Region that the company uses. The Availability Zone that is out of space is assigned the 10.10.1.0 CIDR block. The company manages its networking configurations in an AWS CloudFormation stack. The company's VPC is assigned the 10.10.0.0 CIDR block and has available capacity in the 10.10.1.0 CIDR block. How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?

A. Update the AWS::EC2::Subnet resource for the Availability Zone in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0.
B. Update the AWS::EC2::VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0.
C. Copy the CloudFormation stack. Set the AWS::EC2::VPC resource CidrBlock property to 10.10.0.0. Set the AWS::EC2::Subnet resource CidrBlock property to 10.10.1.0 for the Availability Zone.
D. Create a new AWS::EC2::Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0.



Question # 2

A company has multiple firewalls and ISPs for its on-premises data center. The company has a single AWS Site-to-Site VPN connection from the company's on-premises data center to a transit gateway. A single ISP services the Site-to-Site VPN connection. Multiple VPCs are attached to the transit gateway. A customer gateway that the Site-to-Site VPN connection uses fails. Connectivity is completely lost, but the company's network team does not receive a notification. The network team needs to implement redundancy within a week in case a single customer gateway fails again. The team wants to use an Amazon CloudWatch alarm to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic if any tunnel of the Site-to-Site VPN connection fails. Which solution will meet these requirements MOST cost-effectively?

A. Replace the existing customer gateway with a new router. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of 0 for the alarm.
B. Use a second customer gateway and a second ISP. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of less than 1 for the alarm.
C. Add an AWS Direct Connect connection to the existing Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of failed for the alarm.
D. Use a second customer gateway with the existing ISP. Create a new Site-to-Site VPN connection to the transit gateway. For each VPN connection, set up a CloudWatch TunnelState alarm for the VPN connection. Use a value of unavailable for the alarm.



Question # 3

A company operates in the us-east-1 Region and the us-west-1 Region. The company is designing a solution to connect an on-premises data center to the company's AWS environment in us-east-1. The solution uses two AWS Direct Connect connections. Traffic from us-west-1 to the data center needs to traverse the Direct Connect connections. A network engineer needs to set up active-passive functionality across the two Direct Connect connections by using a Direct Connect gateway to influence inbound traffic from VPCs that are in us-west-1 to the data center. Which solution will meet these requirements?

A. At the data center, set the local preference for the primary connection to be higher than the local preference for the secondary connection.
B. Use AS path prepending to set the AS path on the primary connection to be longer than the AS path on the secondary connection.
C. Use local preference BGP community tags to apply the 7224:7300 local preference BGP community tag to the prefixes for the primary connection. Apply the 7224:7100 local preference BGP community tag to the prefixes for the secondary connection.
D. Use local preference BGP community tags to apply the 7224:9300 local preference BGP community tag to the prefixes for the primary connection. Apply the 7224:9100 local preference BGP community tag to the prefixes for secondary connection.



Question # 4

A company runs an application across multiple AWS Regions and multiple Availability Zones. The company needs to expand to a new AWS Region. Low latency is critical to the functionality of the application. A network engineer needs to gather metrics for the latency between the existing Regions and the new Region. The network engineer must gather metrics for at least the previous 30 days. Which solution will meet these requirements?

A. Configure an AWS Network Access Analyzer Network Access Scope, and use the analysis to review the latency.
B. Set up AWS Network Manager Infrastructure Performance. Publish network performance metrics to Amazon CloudWatch.
C. Use an Amazon VPC Reachability Analyzer path to review the latency.
D. Set up VPC Flow Logs. Publish log metrics to Amazon CloudWatch.



Question # 5

A company is establishing hybrid cloud connectivity from an on-premises environment to AWS in the us-east-1 Region. The company is using a 10 Gbps AWS Direct Connect dedicated connection. The company has two accounts in AWS. Account A has transit gateways in four AWS Regions. Account B has transit gateways in three Regions. The company does not plan to expand. To meet security requirements, the company's accounts must have separate cloud infrastructure. Which solution will meet these requirements MOST cost-effectively?

A. Create one Direct Connect gateway in us-east-1. Use AWS Resource Access Manager (AWS RAM) to share the Direct Connect gateway with each account. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway. Create a transit VIF for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway.
B. Create one Direct Connect gateway in us-east-1 for Account A. Create a second Direct Connect gateway in us-east-1 for Account B. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway in Account A. Create a transit VIF for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway in Account B.
C. Create one Direct Connect gateway in us-east-1. Use AWS Resource Access Manager (AWS RAM) to share the Direct Connect gateway with each account. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway. Order a new 10 Gbps Direct Connect dedicated connection for Account B. Create a transit VIF on the new Direct Connect connection for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway.
D. Create one Direct Connect gateway in us-east-1 for Account A. Create a second Direct Connect gateway in us-east-1 for Account B. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway in Account A. Order a new 10 Gbps Direct Connect dedicated connection for Account B. Create a transit VIF on the new Direct Connect connection for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway in Account B.



Question # 6

A company has two AWS Direct Connect connections between Direct Connect locations and the company's on-premises environment in the US. The company uses the connections to communicate with AWS workloads that run in the us-east-1 Region. The company has a transit gateway that connects several VPCs. The Direct Connect connections terminate at a Direct Connect gateway and the transit VIFs to the transit gateway. The company recently acquired a smaller company that is based in Europe. The newly acquired company has only on-premises workloads. The newly acquired company does not expect to run workloads on AWS for the next 3 years. However, the newly acquired company requires connectivity to the parent company's AWS resources in us-east-1 and to the parent company's on-premises environment in the US. The parent company wants to use two new Direct Connect connections in Europe to provide the required connectivity. Which solution will meet these requirements with the LEAST operational overhead for the newly acquired company?

A. Associate new transit VIFs to the existing Direct Connect gateway. Configure the new transit VIFs to use Direct Connect SiteLink.
B. Associate new transit VIFs to a new Direct Connect gateway and to a new transit gateway in the eu-west-1 Region. Use transit gateway peering to connect the transit gateways.
C. Associate new private VIFs to the existing Direct Connect gateway. Configure the existing transit VIFs and the new private VIFs to use Direct Connect SiteLink.
D. Associate new private VIFs to a new Direct Connect gateway and to a new VPC in us-east-1. Configure the existing transit VIFs and the new private VIFs to use Direct Connect SiteLink and AWS PrivateLink endpoints in the new VPC.



Question # 7

AnyCompany deploys and manages networking resources in its AWS network account, named Account-A. AnyCompany acquires Example Corp, which has an application that runs behind an Application Load Balancer (ALB) in Example Corp's AWS account, named Account-B. Example Corp needs to use AWS Global Accelerator to create an accelerator to publish the application to users. AnyCompany's networking team will manage the accelerator. Which solution will meet these requirements with the LEAST management overhead?

A. Create an accelerator in Account-B. Use a cross-account role from Account-A to grant the networking team access to manage the accelerator.
B. Deploy a Network Load Balancer (NLB) in Account-A to route traffic to the ALB in Account-B. Create an accelerator, and set the NLB as the endpoint in Account-A.
C. Create a cross-account Global Accelerator attachment in Account-B for the Account-A principal. Create an accelerator in Account-A by using the shared attachment.
D. Create an accelerator in Account-A. Use AWS Resource Access Management (AWS RAM) to share the accelerator with Account-B. Associate the ALB in Account-B with the accelerator in Account-A.



Question # 8

A media company is planning to host an event that the company will live stream to users. The company wants to use Amazon CloudFront. A network engineer creates a primary origin and a secondary origin for CloudFront. The engineer needs to ensure that the primary origin can fail over to the secondary origin within 15 seconds if a disruption occurs. Which solution will meet this requirement with the LEAST operational overhead?

A. Configure a Lambda@Edge function to check the health status of both origins every 10 seconds. Reroute incoming requests when the origin health status is unhealthy.
B. Create a Network Load Balancer (NLB) in front of both origins. Configure the NLB as the origin in CloudFront.
C. Set the CloudFront origin connection timeout value to 5 seconds. Set the origin connection attempts value to 2.
D. Configure a Lambda@Edge function to monitor incoming requests for an origin response. Reroute incoming requests if no response is received from the primary origin within 10 seconds.



Question # 9

A company wants to analyze TCP internet traffic. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The company wants to capture data about the traffic including source and destination IP addresses, ports, and the first 8 bytes of the TCP segments of the traffic. The company needs to collect, store, and analyze all the required data points. Which solution will meet these requirements?

A. Configure the EC2 instances to be VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.
B. Configure the NAT gateway to be a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon S3 bucket. Analyze the data by using Amazon Athena.
C. Turn on VPC Flow Logs for the EC2 instances. Specify the default format and set Amazon CloudWatch Logs as the log destination. Analyze the flow log data by using CloudWatch Logs Insights.
D. Turn on VPC Flow Logs for the EC2 instances. Specify a custom format and set Amazon S3 as the log destination. Analyze the flow log data by using Amazon Athena.



Question # 10

A company operates in multiple AWS Regions. The company has deployed transit gateways in each Region. The company uses AWS Organizations to operate multiple AWS accounts in one organization. The company needs to capture all VPC flow log data when a new VPC is created. The company needs to send flow logs to a specific Amazon S3 bucket. Which solution will meet these requirements with the LEAST administrative effort?

A. Update IAM permissions for each user to include a condition that ensures users can create VPCs only when VPC Flow Logs is enabled and configured correctly.
B. Create a custom AWS Config rule with automatic remediation that verifies VPC Flow Logs is enabled and configured correctly. Apply the AWS Config rule to the organization.
C. Enable VPC Flow Logs on each transit gateway. Configure VPC Flow Logs to send flow logs to the specified S3 bucket.
D. Deploy a serverless application that uses AWS CloudTrail to monitor for VPC creation events in each account. Configure the application to apply the correct VPC Flow Logs configuration.



Question # 11

A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company wants to use a certificate-based AWS Site-to-Site VPN connection to establish connectivity between an on-premises environment and the AWS environment. The company does not have a static public IP address for the on-premises environment. Which combination of steps should the company take to establish VPN connectivity between the transit gateway and the on-premises environment? (Choose two.)

A. Create a public certificate in AWS Certificate Manager (ACM).
B. Create a private certificate in AWS Certificate Manager (ACM).
C. Configure the Site-to-Site VPN tunnels to use the pre-shared key (PSK).
D. Create a customer gateway. Specify the current dynamic IP address of the customer gateway device's external interface.
E. Create a customer gateway. Do not specify the IP address of the customer gateway device.



Question # 12

A company has two teams: Team A and Team B. Team A has VPCs that run in Account A. The team uses a transit gateway (TGW-A) to route traffic between workloads that run in the different VPCs. Similarly, Team B has VPCs that run in Account B. Team B uses a different transit gateway (TGW-B) to route traffic between workloads that run in the different VPCs. The company's network team manages the routing for Team A and Team B. The network team wants to retire TGW-B and use a single transit gateway to manage routing for the VPCs of both teams. Which solution will meet this requirement with the LEAST operational overhead?

A. Create a resource share for TGW-A. Share TGW-A with Account B. Create VPC attachments for the VPCs in Account B. Configure routing for the VPCs in TGW-A route tables. Update the route tables of the VPCs in Account B to forward traffic to TGW-A. Delete TGW-B attachments and TGW-B.
B. Share TGW-A with Account B. Replicate the TGW-B configuration to TGW-A to automatically start routing changes for the VPCs in Account B. Delete TGW-B when routing changes are complete.
C. Create a new transit gateway (TGW-C) in Account A. Create a resource share for TGW-C. Share TGW-C with Account B. Create VPC attachments for the VPCs in Account A and Account B. Configure routing for all the VPCs in TGW-C route tables. Update the route tables for the VPCs in Account A and Account B to forward traffic to TGW-C. Delete TGW-A attachments and TGW-B attachments. Delete TGW-A and TGW-B.
D. Create a new transit gateway (TGW-C) in a new account (Account C). Create a resource share for TGW-C. Share TGW-C with Account A and Account B. Create VPC attachments for the VPCs in Account A and Account B. Configure routing for all the VPCs in TGW-C route tables. Update the route tables for the VPCs in Account A and Account B to forward traffic to TGW-C. Delete TGW-A attachments and TGW-B attachments. Delete TGW-A and TGW-B.



Question # 13

A company has several AWS Site-to-Site VPN connections between an on-premises customer gateway and a transit gateway. The company's application uses IPv4 to communicate through the VPN connections. The company has updated the VPC to be dual stack and wants to transition to using IPv6-only for new workloads. When the company tries to communicate through the existing VPN connections, IPv6 traffic fails. Which solution will provide IPv6 support with the LEAST operational overhead?

A. Create a new Site-to-Site VPN connection that supports IPv6.
B. Create a new Site-to-Site VPN connection to a self-managed Amazon EC2 instance that runs open source software.
C. Update the existing Site-to-Site VPN connections to support IPv6.
D. Update the on-premises customer gateway's public IP address from IPv4 to IPv6.



Question # 14

A company uses transit gateways to route traffic between the company's VPCs. Each transit gateway has a single route table. Each route table contains attachments and routes for the VPCs that are in the same AWS Region as the transit gateway. The route tables in each VPC also contain routes to all the other VPC CIDR ranges that are available through the transit gateways. Some VPCs route to local NAT gateways. The company plans to add many new VPCs soon. A network engineer needs a solution to add new VPC CIDR ranges to the route tables in each VPC. Which solution will meet these requirements in the MOST operationally efficient way?

A. Create a new customer-managed prefix list. Add all VPC CIDR ranges to the new prefix list. Update the route tables in each VPC to use the new prefix list ID as the destination and the appropriate transit gateway ID as the target.
B. Turn on default route table propagation for the transit gateway route tables. Turn on route propagation for each route table in each VPC.
C. Update the route tables in each VPC to use 0.0.0.0/0 as the destination and the appropriate transit gateway ID as the target.
D. Turn on default route table association for the transit gateway route tables. Turn on route propagation for each route table in each VPC.



Question # 15

A company runs a workload in a single VPC on AWS. The company's architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources. After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access. The security group currently uses the following rules:

Inbound - Rule 1
Protocol: TCP
Port: 443
Source: 0.0.0.0/0

Inbound - Rule 2
Protocol: TCP
Port: 443
Source: VPC CIDR

Outbound - Rule 1
Protocol: All
Port: All
Destination: 0.0.0.0/0

Which rule or rules should the company remove to meet these requirements?

A. Outbound - Rule 2
B. Inbound - Rule 1 and Outbound - Rule 1
C. Inbound - Rule 2 and Outbound - Rule 1
D. Outbound - Rule 1



Question # 16

A company deployed an application in two AWS Regions in one AWS account. The company has one VPC in each Region. The VPCs use non-overlapping private CIDR ranges. The company needs to connect both VPCs to a single on-premises data center to test the application. The application requires up to 800 Mbps of throughput. A network engineer needs to establish connectivity between the VPCs and the on-premises data center. Which solution will meet this requirement with the LEAST operational overhead?

A. Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gateway in each VPC. Create a private VIF for each virtual private gateway, and associate the virtual private gateways with the Direct Connect connection. Configure static routes in the VPC route tables and in the data center router.
B. Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gateway in each VPC. Create a private VIF for each virtual private gateway, and associate the virtual private gateways with the Direct Connect connection. Configure Open Shortest Path First (OSPF) routing between the private VIF and the data center.
C. Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWS Site-to-Site VPN connection between the data center and each VPC. Configure static routes in each VPC route table to point to the subnets in the data center.
D. Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWS Site-to-Site VPN connection between the data center and each VPC. Configure BGP routing between the VPCs and the data center.



Question # 17

A company has multiple VPCs with subnets that use IPv4. Traffic from the VPCs to the internet uses a NAT gateway. The company wants to transition to IPv6. A network engineer creates multiple IPv6-only subnets in an existing testing VPC. The network engineer deploys a new Amazon EC2 instance that has an IPv6 address into one of the subnets. During testing, the network engineer discovers that the new EC2 instance is not able to communicate with an IPv4-only service through the internet. The network engineer needs to enable the IPv6 EC2 instance to communicate with the IPv4-only service. Which solution will meet this requirement?

A. Enable DNS64 for the IPv6-only subnets. Update the route tables for the IPv6-only subnets to send traffic through the NAT gateway.
B. Enable NAT64 for the testing VPC. Reconfigure the existing NAT gateway to support IPv6.
C. Enable DNS64 for the new EC2 instance. Create a new egress-only internet gateway that supports IPv6.
D. Enable NAT64 for each route table. Create a new NAT gateway that supports both IPv4 and IPv6.



Question # 18

A company has a transit gateway in a single AWS account. The company sends flow logs for the transit gateway to an Amazon CloudWatch Logs log group. The company created an AWS Lambda function to analyze the logs. The Lambda function sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a VPC generates traffic that is dropped by the transit gateway. Each notification contains the account ID, VPC ID, and total amount of dropped packets. The company wants to subscribe a new Lambda function to the SNS topic. The new Lambda function must automatically prevent the traffic that is identified in each notification from leaving a VPC by applying a network ACL to the transit gateway attachment subnets in the VPC that generates the traffic. Which solution will meet these requirements?

A. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the destination IP addresses in the network ACL.
B. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the source IP addresses in the network ACL.
C. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the source IP addresses in the network ACL.
D. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the destination IP addresses in the network ACL.



Question # 19

A company has multiple AWS Site-to-Site VPN connections between an on-premises environment and multiple VPCs. The Site-to-Site VPN connections use virtual private gateways and are configured with IPv4 addresses. The company hosts several internal applications in the VPCs. Application users have reported that the applications are performing slowly. A network engineer notices excessive latency in the network path that the VPN connections use. The network engineer needs to resolve the excessive latency. Which solution will meet this requirement?

A. Use AWS Global Accelerator to deploy an accelerator on the existing Site-to-Site VPN connections.
B. Deploy a transit gateway and a new accelerated Site-to-Site VPN connection.
C. Replace the existing Site-to-Site VPN connections with new Site-to-Site VPN connections that use IPv6.
D. Replace the existing Site-to-Site VPN connections with AWS PrivateLink connections.



Question # 20

A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company's applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups. A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances. Which solution will meet this requirement with the LEAST implementation and administrative effort?

A. Create a network ACL for each application. Reference the network ACL in the stateful rule group.
B. Create a prefix list for each application. Reference the prefix list in the stateful rule group.
C. Create an AWS Lambda function that queries the EC2 instance tags for each application name and then updates the stateful rule group with the IP address of each instance.
D. Create a resource group for each application name. Reference the Amazon Resource Name (ARN) for the resource groups in the stateful rule group.



Question # 21

A company hosts application servers on premises and on Amazon EC2 instances in a VPC. The application servers access data that is hosted in an Amazon S3 bucket through the public internet. The EC2 instances in the VPC use an AWS Site-to-Site VPN for connectivity with the on-premises application servers. New company regulations state that all traffic between the application servers and the S3 bucket must remain private and must not use public IP addresses. Which solution will meet these requirements MOST cost-effectively?

A. Configure an S3 gateway endpoint. Modify the route table with the appropriate route for the endpoint. Access the S3 bucket through the gateway endpoint from the EC2 instances.
B. Configure an S3 interface endpoint. Update the on-premises servers and EC2 instances to use the interface endpoint DNS name to access the S3 bucket.
C. Configure an S3 interface endpoint. Update the on-premises servers to use the interface endpoint DNS name to access the S3 bucket. Configure an S3 gateway endpoint. Modify the route table so that the EC2 instances use the gateway endpoint.
D. Configure an S3 gateway endpoint. Modify the route table with the appropriate route for the endpoint. Use an S3 bucket policy to restrict access to the gateway endpoint. Configure a proxy server fleet behind a Network Load Balancer in the VPC so that the on-premises servers can access the S3 bucket.



Question # 22

A company uses AWS Site-to-Site VPN connections to encrypt traffic between the company's on-premises location and a single VPC. The Site-to-Site VPN connections use two 1 Gbps AWS Direct Connect connections with public VIFs. The company plans to add 15 additional VPCs in the same AWS Region. The company must maintain the same level of encryption that the Site-to-Site VPN connections currently provide for each connection between the on-premises location and the new VPCs. The new connections must not use public IP addresses. The bandwidth of the Site-to-Site VPN connections will remain less than the current provisioned speed. Which combination of steps will meet these requirements with LEAST operational overhead? (Choose three.)

A. Create a transit gateway and a Direct Connect gateway. Associate the transit gateway with the Direct Connect gateway. Attach all the new VPCs to the transit gateway.
B. For each new VPC, create a new Direct Connect private VIF to a Direct Connect gateway. Associate all VPCs with the Direct Connect gateway.
C. Assign a private IP CIDR block to the transit gateway.
D. Assign a public IP CIDR block to the transit gateway.
E. Create a transit VIF to the Direct Connect gateway. Create a Site-to-Site VPN private IP VPN connection. Create a public VIF.
F. Create a Site-to-Site VPN public IP VPN connection.



Question # 23

A company has an application VPC and a networking VPC that are connected through VPC peering. The networking VPC contains a Network Load Balancer (NLB). The application VPC contains Amazon EC2 instances that run an application. The EC2 instances are part of a target group that is associated with the NLB in the networking VPC. The company configures a third VPC and peers it to the networking VPC. The new VPC contains a new version of the existing application. The new version of the application runs on new EC2 instances in an application subnet. The new version of the application runs in a different Availability Zone than the original version of the application. The company needs to establish connectivity between the NLB and the new version of the application. Which combination of steps will meet this requirement? (Choose three.)

A. Register the new application EC2 instances with the NLB by using the instance IDs.
B. Register the new application EC2 instances with the NLB by using instance IP addresses.
C. Configure the NLB in the Availability Zone where the new application EC2 instances run.
D. Configure the NLB to use zonal shift.
E. Configure the network ACL for the application subnet in the new VPC to allow outbound connections.
F. Configure the network ACL for the application subnet in the new VPC to allow inbound connections and outbound connections.



Question # 24

A company is migrating its internet VPN connections to dedicated AWS Direct Connect connections. The company needs to set up the Direct Connect connections so that all network communications are encrypted in transit. Which combination of steps will meet this requirement? (Choose three.)

A. Create new Direct Connect connections while requesting MACsec ports.
B. Create a MACsec Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK) pair. Associate the pair with each new connection.
C. Update the on-premises routers to use MACsec and the shared Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK) pair.
D. Create a shared key for an IPsec connection.
E. Configure a new Direct Connect gateway. Associate the shared key with the new Direct Connect gateway.
F. Set up IPsec on the on-premises router. Associate the shared key with the IPsec configuration.



Question # 25

A company runs workloads in multiple VPCs. The company needs to securely access a workload in one of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up an AWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamic routing for the connection, and communication works properly. Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner created workloads that use the additional CIDR range. The company's on-premises network is unable to reach the new workloads. The network engineer needs to resolve the network connectivity issue and ensure that connectivity will not be affected if additional VPC CIDR ranges are added to the VPC in the future. Which solution will meet these requirements with the MOST operational efficiency?

A. Configure route propagation for VPC-A to the VPN attachment route table.
B. Manually update the VPN attachment route table to include the new CIDR range.
C. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule matches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table.
D. Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table. Restart the VPN tunnels.



Join the Conversation

Sun Hao

Some scenario questions about network troubleshooting were interesting.

Frederik Klein

Those usually test routing analysis and network optimization concepts.

Hassan Raza

The study material I'm using focuses a lot on DNS, load balancing, and hybrid cloud networking.

Zhang Wei

Technical question: what is the role of AWS Transit Gateway in networking?

Daniel Brooks

Most study material says Transit Gateway simplifies connectivity between VPCs and on-premises networks.

Sana Tariq

Some practice questions about VPC design and network security were very helpful.

Felix Braun

Agreed, especially understanding Transit Gateway and routing optimization topics.

Liang Wu

Does anyone find BGP and Direct Connect questions tricky?

Farhan Malik

I started preparing for the ANS-C01 exam using practice questions. Advanced networking concepts are quite detailed.

Olivia Bennett

Yes, the study material explains hybrid networking, routing, and AWS network services very clearly.