Exam2pass > Amazon > Amazon Certifications > ANS-C01 > ANS-C01 Online Practice Questions and Answers

ANS-C01 Online Practice Questions and Answers

Questions 4

A network engineer needs to standardize a company's approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company's network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet.

What should the network engineer do to meet these requirements?

A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.

B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account.

C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account.

D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.


Correct Answer: A

Option A is the correct answer because it creates a private hosted zone in the shared services account with an alias record that points to the interface endpoint, and associates the private hosted zone with the spoke VPCs in each AWS account. Disabling the private DNS name of the interface endpoint ensures that DNS resolution of the endpoint is restricted to the Amazon Route 53 private hosted zone. This option creates a centralized model for managing interface endpoints and Route 53 zones in a shared services AWS account, which simplifies administration and reduces complexity.

Questions 5

A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application. The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware.

Which solution will meet this requirement with the LEAST operational effort?

A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.

B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.

C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.

D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.


Correct Answer: A

This solution involves using Amazon GuardDuty to monitor network traffic and analyze DNS requests and VPC flow logs for suspicious activity. This will allow the company to identify when an application is spreading malware by monitoring the network traffic patterns associated with the instance. GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts and workloads. It requires minimal setup and configuration and can be integrated with other AWS services for automated remediation. This solution requires the least operational effort compared to the other options.

Questions 6

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers. The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.

What is the MOST operationally efficient solution that meets these requirements?

A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.

B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.

C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.

D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.


Correct Answer: C

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-functions.html

Questions 7

A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the application with the least amount of latency.

Which change should a network engineer make in the infrastructure to meet these requirements?

A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.

B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution's origin.

C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an accelerator endpoint.

D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to the ALB.


Correct Answer: C

Global static IP - Simplify allowlisting in enterprise firewalling and IoT use cases https://aws.amazon.com/global-accelerator/

Questions 8

A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed.

What should a network engineer do to meet these requirements with the LEAST amount of configuration?

A. Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.

B. Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.

C. Set up an AWS Client VPN connection between on premises and AWS. Deploy an Amazon Route 53 Resolver inbound endpoint in the VPC.

D. Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route 53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP address that is assigned to the endpoint for connectivity to the on-premises DNS servers.


Correct Answer: A

Setting up an AWS Site-to-Site VPN connection between on premises and AWS would enable a secure and encrypted connection over the public internet. Deploying an Amazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC would enable forwarding of DNS queries for on-premises servers to the on-premises DNS servers. This would allow EC2 instances in the VPC to resolve names of on-premises servers during the migration period. After the migration period, the Route 53 Resolver outbound endpoint can be deleted with minimal configuration changes.

Questions 9

A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company's on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:

  • Application VPCs must be isolated from each other.
  • Bidirectional communication must be allowed between the application VPCs and the on-premises network.
  • Bidirectional communication must be allowed between the application VPCs and the shared services VPC.

The network engineer creates the transit gateway with options disabled for default route table association and default route table propagation. The network engineer also creates the VPN attachment for the on-premises network and creates the VPC attachments for the application VPCs and the shared services VPC. The network engineer must meet all the requirements for the transit gateway by designing a solution that needs the least number of transit gateway route tables.

Which combination of actions should the network engineer perform to accomplish this goal? (Choose two.)

A. Configure a separate transit gateway route table for on premises. Associate the VPN attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

B. Configure a separate transit gateway route table for each application VPC. Associate each application VPC attachment with its respective transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.

C. Configure a separate transit gateway route table for all application VPCs. Associate all application VPCs with this transit gateway route table. Propagate the shared services VPC attachment and the VPN attachment to this transit gateway route table.

D. Configure a separate transit gateway route table for the shared services VPC. Associate the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.

E. Configure a separate transit gateway route table for on premises and the shared services VPC. Associate the VPN attachment and the shared services VPC attachment with this transit gateway route table. Propagate all application VPC attachments to this transit gateway route table.


Correct Answer: CE

C: Allows traffic to flow from the application VPCs to the shared services VPC and to on premises.

E: Allows traffic to flow from the shared services VPC and on premises to the application VPCs. Because all application VPCs share one route table that never learns the other application VPCs' routes, they stay isolated from each other. https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-isolated-shared.html
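To see why options C and E together satisfy all three requirements with only two route tables, the following added example (not from this page or from AWS) models transit gateway association and propagation for a constructed topology of application VPCs, a shared services VPC and a VPN attachment, then checks reachability in both directions. Attachment names and CIDRs are made up for illustration.

```python
from collections import defaultdict


class TransitGatewayModel:
    """Each attachment is associated with exactly one route table; a table
    learns an attachment's CIDRs only when that attachment propagates into
    it (default association and propagation are disabled, as in Question 9)."""

    def __init__(self):
        self.cidrs = {}                  # attachment -> list of CIDRs
        self.assoc = {}                  # attachment -> associated route table
        self.routes = defaultdict(dict)  # route table -> {cidr: next hop}

    def attach(self, name, *cidrs):
        self.cidrs[name] = list(cidrs)

    def associate(self, attachment, table):
        self.assoc[attachment] = table

    def propagate(self, attachment, table):
        for cidr in self.cidrs[attachment]:
            self.routes[table][cidr] = attachment

    def reaches(self, src, dst):
        # True only if src's associated table routes every dst CIDR to dst.
        table = self.routes.get(self.assoc.get(src), {})
        return all(table.get(c) == dst for c in self.cidrs[dst])

    def bidirectional(self, a, b):
        return self.reaches(a, b) and self.reaches(b, a)


def build_options_c_and_e(app_count=3):
    """Constructed topology: app VPCs, a shared services VPC and a VPN."""
    tgw = TransitGatewayModel()
    apps = [f"app-vpc-{i}" for i in range(app_count)]
    for i, app in enumerate(apps):
        tgw.attach(app, f"10.{i}.0.0/16")
    tgw.attach("shared-services", "10.250.0.0/16")
    tgw.attach("on-prem-vpn", "192.168.0.0/16")
    # Option C: one table for all app VPCs; shared services and VPN propagate in.
    for app in apps:
        tgw.associate(app, "app-rt")
    tgw.propagate("shared-services", "app-rt")
    tgw.propagate("on-prem-vpn", "app-rt")
    # Option E: one table for shared services and on premises; apps propagate in.
    tgw.associate("shared-services", "shared-rt")
    tgw.associate("on-prem-vpn", "shared-rt")
    for app in apps:
        tgw.propagate(app, "shared-rt")
    return tgw, apps


def check_requirements(tgw, apps):
    """Evaluate the three requirements and count the route tables used."""
    isolated = all(not tgw.reaches(a, b) for a in apps for b in apps if a != b)
    to_onprem = all(tgw.bidirectional(a, "on-prem-vpn") for a in apps)
    to_shared = all(tgw.bidirectional(a, "shared-services") for a in apps)
    return {"apps_isolated": isolated, "apps_onprem": to_onprem,
            "apps_shared": to_shared, "route_tables": len(tgw.routes)}
```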

Questions 10

A financial trading company is using Amazon EC2 instances to run its trading platform. Part of the company's trading platform includes a third-party pricing service that the EC2 instances communicate with over UDP on port 50000. Recently, the company has had problems with the pricing service. Some of the responses from the pricing service appear to be incorrectly formatted and are not being processed successfully. The third-party vendor requests access to the data that the pricing service is returning. The third-party vendor wants to capture request and response data for debugging by logging in to an EC2 instance that accesses the pricing service. The company prohibits direct access to production systems and requires all log analysis to be performed in a dedicated monitoring account.

Which set of steps should a network engineer take to capture the data and meet these requirements?

A. 1. Configure VPC flow logs to capture the data that flows in the VPC.
   2. Send the data to an Amazon S3 bucket.
   3. In the monitoring account, extract the data that flows to the EC2 instance's IP address and filter the traffic for the UDP data.
   4. Provide the data to the third-party vendor.

B. 1. Configure a traffic mirror filter to capture the UDP data.
   2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface.
   3. Configure a packet inspection package on a new EC2 instance in the production environment. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
   4. Extract the data by using the packet inspection package.
   5. Provide the data to the third-party vendor.

C. 1. Configure a traffic mirror filter to capture the UDP data.
   2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface.
   3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror.
   4. Extract the data by using the packet inspection package.
   5. Provide the data to the third-party vendor.

D. 1. Create a new Amazon Elastic Block Store (Amazon EBS) volume. Attach the EBS volume to the EC2 instance.
   2. Log in to the EC2 instance in the production environment. Run the tcpdump command to capture the UDP data on the EBS volume.
   3. Export the data from the EBS volume to Amazon S3.
   4. Provide the data to the third-party vendor.


Correct Answer: C

https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html

Questions 11

A company has three VPCs in a single AWS Region. Each VPC contains 15 Amazon EC2 instances, and no connectivity exists between the VPCs. The company is deploying a new application across all three VPCs. The application requires high bandwidth between the nodes. A network engineer must implement connectivity between the VPCs.

Which solution will meet these requirements with the HIGHEST throughput?

A. Configure a transit gateway. Attach each VPC to the transit gateway. Configure static routing in each VPC to route traffic to the transit gateway.

B. Configure VPC peering between the three VPCs. Configure static routing to route traffic between the three VPCs.

C. Configure a transit VPC. Configure a VPN gateway in each VPC. Create an AWS Site-to-Site VPN tunnel from each VPC to the transit VPC. Use BGP routing to route traffic between the VPCs and the transit VPC.

D. Configure AWS Site-to-Site VPN connections between each VPC. Enable route propagation for each Site-to-Site VPN connection to route traffic between the VPCs.


Correct Answer: B

VPC peering has no bandwidth limit, unlike Transit Gateway (50 Gbps per VPC attachment).

https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf

"No bandwidth limits -- With Transit Gateway, Maximum bandwidth (burst) per Availability Zone per VPC connection is 50 Gbps. VPC peering has no aggregate bandwidth."

Questions 12

A network engineer needs to improve the network security of an existing AWS environment by adding an AWS Network Firewall firewall to control internet-bound traffic. The AWS environment consists of five VPCs. Each VPC has an internet gateway, NAT gateways, public Application Load Balancers (ALBs), and Amazon EC2 instances. The EC2 instances are deployed in private subnets. The architecture is deployed across two Availability Zones.

The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic. The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment. The solution also must ensure high availability.

Which combination of steps should the network engineer take to meet these requirements? (Choose two.)

A. Create a centralized inspection VPC with subnets in two Availability Zones. Deploy Network Firewall in this inspection VPC with an endpoint in each Availability Zone.

B. Configure new subnets in two Availability Zones in each VPC. Deploy Network Firewall in each VPC with an endpoint in each Availability Zone.

C. Deploy Network Firewall in each VPC. Use existing subnets in each of the two Availability Zones to deploy Network Firewall endpoints.

D. Update the route tables that are associated with the private subnets that host the EC2 instances. Add routes to the Network Firewall endpoints.

E. Update the route tables that are associated with the public subnets that host the NAT gateways and the ALBs. Add routes to the Network Firewall endpoints.


Correct Answer: BE

Questions 13

A company has a transit gateway in AWS Account A. The company uses AWS Resource Access Manager (AWS RAM) to share the transit gateway so that users in other accounts can connect to multiple VPCs in the same AWS Region. AWS Account B contains a VPC (10.0.0.0/16) with subnet 10.0.0.0/24 in the us-west-2a Availability Zone and subnet 10.0.1.0/24 in the us-west-2b Availability Zone. Resources in these subnets can communicate with other VPCs.

A network engineer creates two new subnets: 10.0.2.0/24 in the us-west-2b Availability Zone and 10.0.3.0/24 in the us-west-2c Availability Zone. All the subnets share one route table. The default route 0.0.0.0/0 is pointing to the transit gateway. Resources in subnet 10.0.2.0/24 can communicate with other VPCs, but resources in subnet 10.0.3.0/24 cannot communicate with other VPCs.

What should the network engineer do so that resources in subnet 10.0.3.0/24 can communicate with other VPCs?

A. In Account B, add 10.0.2.0/24 and 10.0.3.0/24 as the destinations to the route table. Use the transit gateway as the target.

B. In Account B, update the transit gateway attachment. Attach the new subnet ID that is associated with us-west-2c to Account B's VPC.

C. In Account A, create a static route for 10.0.3.0/24 in the transit gateway route tables.

D. In Account A, recreate propagation for 10.0.0.0/16 in the transit gateway route tables.


Correct Answer: C

Exam Code: ANS-C01
Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
Last Update: May 31, 2026
Questions: 285
