AWS Certified Advanced Networking Specialty Practice Exam Part 5
The AWS Certified Advanced Networking Specialty ANS-C01 practice exam is completely free for all users. This means that you can access our high-quality exam material without having to spend a dime. With our practice exam, you can test your knowledge and skills, identify areas where you need to improve, and boost your confidence before taking the real exam. Additionally, we have an actual exam version. It includes actual exam questions and answers that have been verified by IT cloud experts, ensuring that you are receiving the most accurate and up-to-date information available. Plus, our exam is frequently updated to ensure that it remains in sync with the real exam, giving you the confidence you need to succeed on test day. So why wait? Sign up for our AWS Certified Advanced Networking Specialty ANS-C01 actual exam version today and get started on your path to success!
101. The Security department has mandated that all outbound traffic from a VPC toward an on-premises data center must go through a security appliance that runs on an Amazon EC2 instance. Which of the following maximizes network performance on AWS? (Choose two.)
A. Support for the enhanced networking drivers
B. Support for sending traffic over the Direct Connect connection
C. The instance sizes and families supported by the security appliance
D. Support for placement groups within the VPC
E. Security appliance support for multiple elastic network interfaces
102. A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC. Which of the following is the MOST reliable solution?
A. Create an inbound rule in the VPC network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the Network Packets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
B. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.
C. Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required port. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
D. Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accessed. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.
103. A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting. Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected. What is causing this issue?
A. The NAT gateway does not support fragmented packets.
B. The internet gateway only supports an MTU of 1500 bytes.
C. An Amazon EC2 instance expects to communicate with an MTU of 9001.
D. The security group on the instances does not allow PMTUD.
104. A company has an application running in an Amazon VPC that must be able to communicate with on-premises resources in a data center. Network traffic between AWS and the data center will initially be minimal, but will increase to more than 10 Gbps over the next few months. The company’s goal is to launch the application as quickly as possible. The Network Engineer has been asked to design a hybrid IT connectivity solution. What should be done to meet these requirements?
A. Submit a 1 Gbps AWS Direct Connect connection request, then increase the number of Direct Connect connections, as needed.
B. Allocate elastic IPs to Amazon EC2 instances for temporary access to on-premises resources, then provision AWS VPN connections between an Amazon VPC and the data center.
C. Provision an AWS VPN connection between an Amazon VPC and the data center, then submit an AWS Direct Connect connection request. Later, cut over from the VPN connection to one or more Direct Connect connections, as needed.
D. Provision a 100 Mbps AWS Direct Connect connection between an Amazon VPC and the data center, then submit a Direct Connect connection request. Later, cut over from the hosted connection to one or more Direct Connect connections, as needed.
105. A company has recently established an AWS Direct Connect connection from its on-premises data center to AWS. A Network Engineer has blocked all traffic destined for Amazon S3 over the company’s gateway to the internet from its on-premises firewall. S3 traffic should only traverse the Direct Connect connection. Currently, no one in the on-premises data center can access Amazon S3. Which solution will resolve this connectivity issue?
A. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
B. Establish an S3 VPC endpoint for the company’s Amazon VPC. Configure a private virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop.
C. Configure a public virtual interface on the Direct Connect connection. Update the on-premises routing tables to choose Direct Connect as the preferred next hop for traffic destined for Amazon S3.
D. Configure a public virtual interface on the Direct Connect connection. Establish an AWS managed VPN over the connection. Update the on-premises routing tables to choose the VPN connection as the preferred next hop.
106. A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company’s on-premises router for this Direct Connect connection. Which of the following actions will require the LEAST amount of configuration overhead on the customer router?
A. Configure private virtual interfaces for the VPC resources and for Amazon S3.
B. Configure private virtual interfaces for the VPC resources and a public virtual interface for Amazon S3.
C. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and for Amazon S3.
D. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and a public virtual interface for Amazon S3.
107. A company has two redundant AWS Direct Connect connections to a VPC. The VPC is configured using BGP metrics so that one Direct Connect connection is used as the primary traffic path. The company wants the primary Direct Connect connection to fail to the secondary in less than one second. What should be done to meet this requirement?
A. Configure BGP on the company’s router with a keep-alive to 300 ms and the BGP hold timer to 900 ms.
B. Enable Bidirectional Forwarding Detection (BFD) on the company’s router with a detection minimum interval of 300 ms and a BFD liveness detection multiplier of 3.
C. Enable Dead Peer Detection (DPD) on the company’s router with a detection minimum interval of 300 ms and a DPD liveness detection multiplier of 3.
D. Enable Bidirectional Forwarding Detection (BFD) echo mode on the company’s router and disable sending the Internet Control Message Protocol (ICMP) IP packet requests.
108. A company’s Network Engineering team is solely responsible for deploying VPC infrastructure using AWS CloudFormation. The company wants to give its Developers the ability to launch applications using CloudFormation templates so that subnets can be created using available CIDR ranges. What should be done to meet these requirements?
A. Create a CloudFormation template with Amazon EC2 resources that rely on cfn-init and cfn-signal to inform the stack of available CIDR ranges.
B. Create a CloudFormation template with a custom resource that analyzes traffic activity in VPC Flow Logs and reports on available CIDR ranges.
C. Create a CloudFormation template that references the Fn::Cidr intrinsic function within a subnet resource to select an available CIDR range.
D. Create a CloudFormation template with a custom resource that uses AWS Lambda and Amazon DynamoDB to manage available CIDR ranges.
109. A company’s web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further request for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries. Which action should be taken to block more IP addresses, without compromising the existing security requirements?
A. Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.
B. Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.
C. Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.
D. Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.
110. A company is using AWS to host all of its applications. Each application is isolated in its own Amazon VPC. Different environments such as Development, Test, and Production are also isolated in their own VPCs. The Network Engineer needs to automate VPC creation to enforce the company’s network and security standards. Additionally, the CIDR range used in each VPC needs to be unique. Which solution meets all of these requirements?
A. Use AWS CloudFormation to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.
B. Use AWS OpsWorks to deploy the VPC infrastructure and a custom resource to request a CIDR range from an external IP address management (IPAM) service.
C. Use the VPC wizard in the AWS Management Console. Type in the CIDR blocks for the VPC and subnets.
D. Create the VPCs using AWS CLI and use the dry-run flag to validate if the current CIDR range is in use.
111. You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 × 7 for this particular connection, as real-time data is passed continually back and forth between your on-premises bioinformatics enterprise application and the number-crunching servers deployed in the cloud. Any latency incurred on this connection will have a direct impact on the company’s ability to attract investors and expand into new markets. Select the network configuration that best facilitates your company’s continued growth plans.
A. Provision a Direct Connect connection – between your service provider’s data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required.
B. Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS is enabled – this is a secure and cheap option.
C. Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS is enabled – this is a secure and cheap option.
D. Provision a Direct Connect connection – between your existing service provider’s data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and a Private Virtual Interface.
112. Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway. What configuration change should you make to ensure that these instances can reach the Git repository?
A. Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
B. Configure an outbound rule on the application server instance security group for the Git repository.
C. Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
D. Configure an inbound rule on the application server instance security group for the Git repository.
113. You are architecting an HPC solution in AWS. The system consists of a cluster of EC2 instances that require low-latency communications between them. Which method should you use to set up a cluster to meet these requirements?
A. Create a VPC with one subnet in a single Availability Zone. Keep the size of the subnet equal to the number of instances required in the cluster. Launch instances for the cluster in this small subnet to guarantee low-latency network performance.
B. Create a placement group. Choose an EC2 instance type compatible with placement groups for the cluster. Launch instances for the cluster in the placement group.
C. Launch Amazon EC2 instances with the largest available number of cores and RAM. Attach all instances to an Amazon EBS PIOPS volume. Implement a shared memory system across all instances in the cluster, using this shared EBS volume to minimize latency of communication.
D. Choose an EC2 instance type that offers enhanced networking. Attach a 10-Gbps non-blocking elastic network interface to the instances. Configure the elastic network interface to optimize network performance to reduce latency.
114. Your company has decided to use AWS WorkSpaces for its hosted desktop solution. Your company has an existing AD of about 57,000 users, and you want to minimize authentication traffic from AWS to your datacenter. Your company has a lot of personnel changes, and it is crucial that these changes are reflected reliably. What two steps should you take? (Choose two.)
A. Deploy Hosted AD in AWS.
B. Deploy an AD Connector in AWS.
C. Create a DX connection between the datacenter and AWS.
D. Create a VPN between the datacenter and AWS.
115. You are a network admin of a US company called Webby Widgets that is expanding to Europe. The company has a website that serves dynamic and static content. You have been instructed to ensure the European clients receive the least latency possible, no matter where in Europe they live, while still allowing the US clients to receive the same user experience and performance they have been accustomed to. You have also been instructed to ensure both countries use the same URL to access the site and keep costs low. What two things should you do? (Choose two.)
A. Deploy three VPCs; one for the US, one for the EU, and one as a central VPC that hosts an Elastic Load Balancer that will distribute traffic between the US and EU VPCs.
B. Create two A records: eu.webbywidgets.com that points to the EU resources and us.webbywidgets.com that points to the US resources.
C. Use the Traffic Flow policy creator to create the perfect routing policy.
D. Create a CloudFront distribution to serve the static content from an S3 bucket.
116. Your company has signed up to trial AWS WorkSpaces. You aren’t sure you’re going to keep it, but you want to try it out to see if it works for your organization of 112 users. You need to deploy it with as little work and up-front expense as possible while still allowing access to your Active Directory for authentication. What two things should you do? (Choose two.)
A. Create a VPN connection.
B. Create an AD Connector.
C. Set up AWS hosted Microsoft AD.
D. Create a Direct Connect connection to AWS.
117. You have a hybrid infrastructure and you have configured your own DNS server on an EC2 instance in your 10.1.3.0/24 subnet. This subnet resides on the VPC 10.1.0.0/16. You need your data center to be able to resolve Route 53 queries in your private hosted zone. What do you need to do to accomplish this?
A. Disable the source/destination check flag for the DNS instance.
B. Configure your DNS server to forward queries for the private hosted zone to 10.1.3.2.
C. Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2.
D. Configure the VPC DHCP option set in the VPC to point to the EC2 DNS server.
118. Your company has a DX connection, and you have just added a new VPC and a Private VIF that you have connected to your DX link. You copied the settings from the other VPC to ensure they are the same. Once you connected the new VIF, you began seeing problems with connectivity to both VPCs. You checked to make sure you did not use the same CIDR for each VPC, so what could be the problem?
A. You used the same VLAN ID for both connections.
B. You overloaded your DX circuit.
C. Your MPLS provider does not allow traffic to two VPCs.
D. You can only connect one VIF to a DX circuit.
119. You have a server that serves www, FTP, and mail. You need to access this server using www.yourname.com, ftp.yourname.com, and mail.yourname.com. You want to ensure an IP change results in the least number of other changes. What is the best solution?
A. Create PTR records and point the IP address of the server back to www, ftp, and mail.
B. Create an A record pointing to the server’s IP address and create CNAME records for www, ftp, and mail and point those to the A record.
C. Create an A record for www, ftp and mail, and point it to the ALIAS of the server.
D. Create CNAME records for www, ftp, and mail and point those to the A record already provided to the instance by AWS.
120. You have 4 Direct Connect connections from your datacenter. Site A advertises 172.16.0.0/16 AS 65000, Site B advertises 172.16.0.128/25 AS 65000 65000 65000, Site C advertises 172.0.0.0/8 AS 65000 and Site D advertises 172.16.0.0/24 AS 65000. Which site will AWS choose to reach your network?
A. Site A: 172.16.0.0/16 AS 65000
B. Site B: 172.16.0.128/25 AS 65000 65000 65000
C. Site C: 172.0.0.0/8 AS 65000
D. Site D: 172.16.0.0/24 AS 65000