A company hosts its IT infrastructure in an on-premises data center. The company wants to migrate the infrastructure to the AWS Cloud in phases. A network engineer wants to set up a 10 Gbps AWS Direct Connect dedicated connection between the on-premises data center and VPCs. The company's network provider needs 3 months to provision the Direct Connect connection. In the meantime, the network engineer implements a temporary solution by deploying an AWS Site-to-Site VPN connection that terminates to a virtual private gateway. The network engineer observes that the bandwidth of the Site-to-Site VPN connection is capped at 1.25 Gbps despite a powerful customer gateway device. What should the network engineer do to improve the VPN connection bandwidth before the implementation of the Direct Connect connection?
A. Contact AWS Support to request a bandwidth quota increase for the existing Site-to-Site VPN connection.
B. Discuss the issue with the hardware vendor. Buy a bigger and more powerful customer gateway device that has faster encryption and decryption capabilities.
C. Create several additional Site-to-Site VPN connections that terminate on the same virtual gateway. Configure equal-cost multi-path (ECMP) routing to use all the VPN connections simultaneously.
D. Create a transit gateway. Attach the VPCs to the transit gateway. Create several additional Site-to-Site VPN connections that terminate on the transit gateway. Configure equal-cost multi-path (ECMP) routing to use all the VPN connections simultaneously.
A company has business operations in the United States and in Europe. The company's public applications are running on AWS and use three transit gateways. The transit gateways are located in the us-west-2, us-east-1, and eu-central-1 Regions. All the transit gateways are connected to each other in a full mesh configuration. The company accidentally removes the route to the eu-central-1 VPCs from the us-west-2 transit gateway route table. The company also accidentally removes the route to the us-west-2 VPCs from the eu-central-1 transit gateway route table. How can a network engineer identify the misconfiguration with the LEAST operational overhead?
A. Use the Route Analyzer feature for AWS Transit Gateway Network Manager.
B. Use the AWSSupport-SetupIPMonitoringFromVPC AWS Systems Manager Automation runbook. Push network telemetry data to Amazon CloudWatch Logs for analysis.
C. Use VPC flow logs in eu-central-1 and us-west-2 to analyze the missing routes.
D. Use Amazon VPC Traffic Mirroring in eu-central-1 or us-west-2 to take packet captures and troubleshoot the connectivity issues.
A consulting company manages AWS accounts for its customers. One of the company's customers needs to add intrusion prevention for its environment without having to re-architect the environment. The customer's environment includes five VPCs in two AWS Regions in the United States. VPC-to-VPC connectivity is achieved through VPC peering. The customer does not plan to increase the number of VPCs within the next 2 years. The solution must accommodate unencrypted traffic. Which solution will meet these requirements?
A. Configure VPC security groups and network ACLs.
B. Use an AWS Network Firewall centralized deployment model in each VPC.
C. Use an AWS Network Firewall distributed deployment model in each VPC.
D. Deploy AWS Shield in each VPC.
A company is deploying a web application into two AWS Regions. The company has one VPC in each Region. Each VPC has three Amazon EC2 instances as web servers behind an Application Load Balancer (ALB). The company already has configured an Amazon Route 53 public hosted zone for example.com. Users will access the application by using the fully qualified domain name (FQDN) of app.example.com. The company needs a DNS solution that allows global users to access the application. The solution must route the users' requests to the Region that provides the lowest response time. The solution must fail over to the Region that provides the next-lowest response time if the application is unavailable in the initially intended Region. Which solution will meet these requirements?
A. For each ALB, create an A record that has a geolocation routing policy to route app.example.com to the IP addresses of the ALB. Configure a Route 53 HTTP health check that monitors each ALB by IP address. Associate the health check with the A records.
B. Create an A record that has a geolocation routing policy to route app.example.com to the IP addresses for both ALBs. Configure a Route 53 health check that monitors TCP port 80 for each ALB by IP address. Associate the health check with the A records.
C. Create an A record that has a latency-based routing policy to route app.example.com as an alias to one of the ALBs. Configure a Route 53 health check that monitors TCP port 80 for each ALB by IP address. Associate the health check with the A records.
D. For each ALB, create an A record that has a latency-based routing policy to route app.example.com as an alias to the ALB. Set the value for Evaluate Target Health to Yes for the records.
A company plans to run a computationally intensive data processing application on AWS. The data is highly sensitive. The VPC must have no direct internet access, and the company has applied strict network security to control access. Data scientists will transfer data from the company's on-premises data center to the instances by using an AWS Site-to-Site VPN connection. The on-premises data center uses the network range 172.31.0.0/20 and will use the network range 172.31.16.0/20 in the application VPC. The data scientists report that they can start new instances of the application but that they cannot transfer any data from the on-premises data center. A network engineer enables VPC flow logs and sends a ping to one of the instances to test reachability. The flow logs show the following:
The network engineer must recommend a solution that will give the data scientists the ability to transfer data from the on-premises data center. Which solution will meet these requirements?
A. Modify the security group for the application. Add an inbound rule to allow traffic from the on-premises data center network range to the application.
B. Modify the network ACLs for the VPC subnet. Add an inbound rule to allow traffic from the on-premises data center network range to the VPC subnet range.
C. Modify the network ACLs for the VPC subnet. Add an outbound rule to allow traffic from the VPC subnet range to the on-premises data center network range.
D. Modify the security group for the application. Add an outbound rule to allow traffic from the application to the on-premises data center network range.
A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS. The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application. Which configuration will meet these requirements?
A. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a NAT gateway in a public subnet. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add a default route to the NAT gateway. Add routes for the data center subnets to the virtual private gateway. Deploy the application to the private subnets.
B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.
C. Create a VPC that has public subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the public subnets.
D. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the private subnets.
A company has users who work from home. The company wants to move these users to Amazon WorkSpaces for additional security visibility. The company has deployed WorkSpaces in its own AWS account in VPC A. A network engineer decides to provide the security visibility by using two firewall appliances behind a Gateway Load Balancer (GWLB). The network engineer provisions another VPC, VPC B, in a separate account and deploys the two firewall appliances in separate Availability Zones. What should the network engineer do to configure the network connectivity for this solution?
A. Create a GWLB in VPC A with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
B. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint.
C. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the WorkSpaces subnet to the VPC endpoint.
D. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the account that contains the firewall appliances to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
A company deploys a software solution on Amazon EC2 instances that are in a cluster placement group. The solution's UI is a single HTML page. The HTML file size is 1,024 bytes. The software processes files that exceed 1,024 MB in size. The software shares files over the network to clients upon request. The files are shared with the Don't Fragment flag set. Elastic network interfaces of the EC2 instances are set up with jumbo frames. The UI is always accessible from all allowed source IP addresses, regardless of whether the source IP addresses are within a VPC, on the internet, or on premises. However, clients sometimes do not receive files that they request because the files fail to travel successfully from the software to the clients. Which options provide a possible root cause of these failures? (Choose two.)
A. The source IP addresses are from on-premises hosts that are routed over AWS Direct Connect.
B. The source IP addresses are from on-premises hosts that are routed over AWS Site-to-Site VPN.
C. The source IP addresses are from hosts that connect over the public internet.
D. The security group of the EC2 instances does not allow ICMP traffic.
E. The operating system of the EC2 instances does not support jumbo frames.
A global film production company uses the AWS Cloud to encode and store its video content before distribution. The company's three global offices are connected to the us-east-1 Region through AWS Site-to-Site VPN links that terminate on a transit gateway with BGP routing activated. The company recently started to produce content at a higher resolution to support 8K streaming. The size of the content files has increased to three times the size of the content files from the previous format. Uploads of files to Amazon EC2 instances are taking 10 times longer than they did with the previous format. Which actions should a network engineer recommend to reduce the upload times? (Choose two.)
A. Create a second VPN tunnel from each office location to the transit gateway. Activate equal-cost multi-path (ECMP) routing.
B. Modify the transit gateway to activate Jumbo MTU on the VPN tunnels to each office location.
C. Replace the existing VPN tunnels with new tunnels that have acceleration activated.
D. Upgrade each EC2 instance to a modern instance type. Activate Jumbo MTU in the operating system.
E. Replace the existing VPN tunnels with new tunnels that have IGMP activated.
A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group. The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application. Which combination of steps should a network engineer take to meet these requirements? (Choose two.)
A. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
B. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
C. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.
D. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.
E. Forward all requests to the web application target group. Edit the web application target group and disable stickiness.