Amazon ANS-C01 Question Answers

What is Amazon ANS-C01?

Amazon ANS-C01 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Certified Specialty Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the Amazon AWS Certified Advanced Networking - Specialty Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon ANS-C01 Practice Questions. Passing Amazon AWS Certified Advanced Networking - Specialty will be your ticket to a better future!

Pass with Amazon ANS-C01 Braindumps!

Contrary to the belief that certification exams are generally hard to get through, passing Amazon AWS Certified Advanced Networking - Specialty is incredibly easy. Provided you have access to a reliable resource such as Salesforcexamdumps.com Amazon ANS-C01 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing Amazon AWS Certified Specialty certification is all about having the right information. Hence, we filled our Amazon ANS-C01 Dumps with all the necessary data you need to pass. These carefully curated sets of Amazon AWS Certified Advanced Networking - Specialty Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon ANS-C01 Braindumps now!

We aim to provide all AWS Certified Specialty certification exam candidates with the best resources at minimum rates. You can check out our free demo before pressing down the download to ensure Amazon ANS-C01 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.

Why Choose Amazon ANS-C01 PDF?

Unlike other websites, Salesforcexamdumps.com prioritize the benefits of the Amazon AWS Certified Advanced Networking - Specialty candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand that's why we are here with the AWS Certified Specialty solutions. Amazon ANS-C01 Question Answers offers two different formats PDF and Online Test Engine. One is for customers who like online platforms for real-like Exam stimulation. The other is for ones who prefer keeping their material close at hand. Moreover, you can download or print Amazon ANS-C01 Dumps with ease.

If you still have some queries, our team of experts is 24/7 in service to answer your questions. Just leave us a quick message in the chat-box below or email at [email protected].

Question # 1

A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linuxbasednetwork appliance in a highly available architecture. The network engineer isconfiguring the new launch template for the Auto Scaling group.In addition to the primary network interface the network appliance requires a secondnetwork interface that will be used exclusively by the application to exchange traffic withhosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the secondnetwork interface.How can the network engineer implement the required architecture?

A. Configure the two network interfaces in the launch template. Define the primary networkinterface to be created in one of the private subnets. For the second network interface,select one of the public subnets. Choose the BYOIP pool ID as the source of public IPaddresses.
B. Configure the primary network interface in a private subnet in the launch template. Usethe user data option to run a cloud-init script after boot to attach the second networkinterface from a subnet with auto-assign public IP addressing enabled.
C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling groupwhen an instance is launching. In the Lambda function, assign a network interface to anAWS Global Accelerator endpoint.
D. During creation of the Auto Scaling group, select subnets for the primary networkinterface. Use the user data option to run a cloud-init script to allocate a second networkinterface and to associate an Elastic IP address from the BYOIP pool.

Show Answer

---

Question # 2

A company is planning to migrate an internal application to the AWS Cloud. The applicationwill run on Amazon EC2 instances in one VPC. Users will access the application from thecompany's on-premises data center through AWS VPN or AWS Direct Connect. Users willuse private domain names for the application endpoint from a domain name that isreservedexplicitly for use in the AWS Cloud.Each EC2 instance must have automatic failover to another EC2 instance in the sameAWS account and the same VPC. A network engineer must design a DNS solution that willnot exposethe application to the internet.Which solution will meet these requirements?

A. Assign public IP addresses to the EC2 instances. Create an Amazon Route 53 privatehosted zone for the AWS reserved domain name. Associate the private hosted zone withthe VPC. Create a Route 53 Resolver outbound endpoint. Configure conditional forwardingin the on-premises DNS resolvers to forward all DNS queries for the AWS domain tothe outbound endpoint IP address for Route 53 Resolver. In the private hosted zone,configure primary and failover records that point to the public IP addresses of the EC2instances. Create an Amazon CloudWatch metric and alarm to monitor the application'shealth. Set up a health check on the alarm for the primary application endpoint.
B. Place the EC2 instances in private subnets. Create an Amazon Route 53 public hostedzone for the AWS reserved domain name. Associate the public hosted zone with theVPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding inthe on-premises DNS resolvers to forward all DNS queries for the AWS domain to theinbound endpoint IP address for Route 53 Resolver. In the public hosted zone, configureprimary and failover records that point to the IP addresses of the EC2 instances.Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set upa health check on the alarm for the primary application endpoint.
C. Place the EC2 instances in private subnets. Create an Amazon Route 53 private hostedzone for the AWS reserved domain name. Associate the private hosted zone with theVPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding inthe on-premises DNS resolvers to forward all DNS queries for the AWS domain to theinbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configureprimary and failover records that point to the IP addresses of the EC2 instances.Create an Amazon CloudWatch metric and alarm to monitor the application's health. Set upa health check on the alarm for the primary application endpoint.
D. Place the EC2 instances in private subnets. Create an Amazon Route 53 private hostedzone for the AWS reserved domain name. Associate the private hosted zone with theVPC. Create a Route 53 Resolver inbound endpoint. Configure conditional forwarding inthe on-premises DNS resolvers to forward all DNS queries for the AWS domain to theinbound endpoint IP address for Route 53 Resolver. In the private hosted zone, configureprimary and failover records that point to the IP addresses of the EC2 instances. Setup Route 53 health checks on the private IP addresses of the EC2 instances.

Show Answer

---

Question # 3

A company is using an Amazon CloudFront distribution that is configured with anApplication Load Balancer (ALB) as an origin. A network engineer needs to implement asolution that requiresall inbound traffic to the ALB to come from CloudFront. The network engineer mustimplement the solution at the network layer rather than in the application.Which solution will meet these requirements in the MOST operationally efficient way?

A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix listfor CloudFront.
B. Add an inbound rule to the network ACLs that are associated with the ALB's subnets.Use the AWS managed prefix list for CloudFront as the source in the rule.
C. Configure CloudFront to add a custom HTTP header to the requests that CloudFrontsends to the ALB.
D. Associate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allowtraffic from the CloudFront IP set. Automatically update the CloudFront IP set by using anAWS Lambda function.

Show Answer

---

Question # 4

A company's AWS architecture consists of several VPCs. The VPCs include a sharedservices VPC and several application VPCs. The company has established networkconnectivity from all VPCs to the on-premises DNS servers.Applications that are deployed in the application VPCs must be able to resolve DNS forinternally hosted domains on premises. The applications also must be able to resolve localVPC domain names and domains that are hosted in Amazon Route 53 private hostedzones.What should a network engineer do to meet these requirements?

A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Createforwarding rules for the on-premises hosted domains. Associate the rules with the newResolver endpoint and each application VPC. Update each application VPC's DHCPconfiguration to point DNS resolution to the new Resolver endpoint.
B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Createforwarding rules for the on-premises hosted domains. Associate the rules with the newResolver endpoint and each application VPC.
C. Create a new Route 53 Resolver outbound endpoint in the shared services VPCreateforwarding rules for the on-premises hosted domains. Associate the rules with the newResolver endpoint and each application VPUpdate each application VPC's DHCPconfiguration to point DNS resolution to the new Resolver endpoint.
D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Createforwarding rules for the on-premises hosted domains. Associate the rules with the newResolver endpoint and each application VPC.

Show Answer

---

Question # 5

A company has an AWS Site-to-Site VPN connection between its existing VPC and onpremisesnetwork. The default DHCP options set is associated with the VPC. The companyhas an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWSSecrets Manager through a private VPC endpoint. An on-premises application providesinternal RESTful API service that can be reached by URL (https://api.example.internal).Two on-premises Windows DNS servers provide internal DNS resolution.The application on the EC2 instance needs to call the internal API service that is deployedin the on-premises environment. When the application on the EC2 instance attempts to callthe internal API service by referring to the hostname that is assigned to the service, the callfails. When a network engineer tests the API service call from the same EC2 instance byusing the API service's IP address, the call is successful.What should the network engineer do to resolve this issue and prevent the same problemfrom affecting other resources in the VPC?

A. Create a new DHCP options set that specifies the on-premises Windows DNS servers.Associate the new DHCP options set with the existing VPC. Reboot the Amazon Linux 2EC2 instance.
B. Create an Amazon Route 53 Resolver rule. Associate the rule with the VPC. Configurethe rule to forward DNS queries to the on-premises Windows DNS servers if the domainname matches example.internal.
C. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPMap the servicedomain name (api.example.internal) to the IP address of the internal API service.
D. Modify the local /etc/resolv.conf file in the Amazon Linux 2 EC2 instance in the VPC.Change the IP addresses of the name servers in the file to the IP addresses of thecompany's on-premises Windows DNS servers.

Show Answer

---

Question # 6

A company is hosting an application on Amazon EC2 instances behind an Application LoadBalancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recentchange to a security group, external users cannot access the application.A network engineer needs to prevent this downtime from happening again. The networkengineer must implement a solution that remediates noncompliant changes to securitygroups.Which solution will meet these requirements?

A. Configure Amazon GuardDuty to detect inconsistencies between the desired securitygroup configuration and the current security group configuration. Create an AWS SystemsManager Automation runbook to remediate noncompliant security groups.
B. Configure an AWS Config rule to detect inconsistencies between the desired securitygroup configuration and the current security group configuration. Configure AWSOpsWorks for Chef to remediate noncompliant security groups.
C. Configure Amazon GuardDuty to detect inconsistencies between the desired securitygroup configuration and the current security group configuration. Configure AWSOpsWorks for Chef to remediate noncompliant security groups.
D. Configure an AWS Config rule to detect inconsistencies between the desired securitygroup configuration and the current security group configuration. Create an AWS SystemsManager Automation runbook to remediate noncompliant security groups.

Show Answer

---

Question # 7

A company is deploying third-party firewall appliances for traffic inspection and NATcapabilities in its VPC. The VPC is configured with private subnets and public subnets. Thecompany needs to deploy the firewall appliances behind a load balancer.Which architecture will meet these requirements MOST cost-effectively?

A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure thefirewall appliances with a single network interface in a private subnet. Use a NAT gatewayto send the traffic to the internet after inspection.
B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure thefirewall appliances with two network interfaces: one network interface in a private subnetand another network interface in a public subnet. Use the NAT functionality on the firewallappliances to send the traffic to the internet after inspection.
C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure thefirewall appliances with a single network interface in a private subnet. Use a NAT gatewayto send the traffic to the internet after inspection.
D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure thefirewall appliances with two network interfaces: one network interface in a private subnetand another network interface in a public subnet. Use the NAT functionality on the firewallappliances to send the traffic to the internet after inspection.

Show Answer

---

Question # 8

A company has a hybrid cloud environment. The company’s data center is connected tothe AWS Cloud by an AWS Direct Connect connection. The AWS environment includesVPCs that are connected together in a hub-and-spoke model by a transit gateway. TheAWS environment has a transit VIF with a Direct Connect gateway for on-premisesconnectivity.The company has a hybrid DNS model. The company has configured Amazon Route 53Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company isrunning a backend application in one of the VPCs.The company uses a message-oriented architecture and employs Amazon Simple QueueService (Amazon SQS) to receive messages from other applications over a privatenetwork. A network engineer wants to use an interface VPC endpoint for Amazon SQS forthis architecture. Client services must be able to access the endpoint service from onpremises and from multiple VPCs within the company's AWS infrastructure.Which combination of steps should the network engineer take to ensure that the clientapplications can resolve DNS for the interface endpoint? (Choose three.)

A. Create the interface endpoint for Amazon SQS with the option for private DNS namesturned on.
B. Create the interface endpoint for Amazon SQS with the option for private DNS namesturned off.
C. Manually create a private hosted zone for sqs.us-east-1.amazonaws.com. Addnecessary records that point to the interface endpoint. Associate the private hosted zoneswith other VPCs.
D. Use the automatically created private hosted zone for sqs.us-east-1.amazonaws.comwith previously created necessary records that point to the interface endpoint. Associatethe private hosted zones with other VPCs.
E. Access the SQS endpoint by using the public DNS name sqs.us-east-1 amazonaws.comin VPCs and on premises.
F. Access the SQS endpoint by using the private DNS name of the interface endpoint.sqs.us-east-1.vpce.amazonaws.com in VPCs and on premises.

Show Answer

---

Question # 9

A company has two business units (BUs). The company operates in the us-east-1 Regionand the us-west-1 Region. The company plans to extend to more Regions in the future.Each BU hasa VPC in each Region. Each Region has a transit gateway with the BU VPCs attached. The transit gateways in both Regions are peered.The company will create several more BUs in the future and will need to isolate some ofthe BUs from the other BUs. The company wants to migrate to an architecture toincorporate moreRegions and BUs.Which solution will meet these requirements with the MOST operational efficiency?

A. Create a new transit gateway for each new BU in each Region. Peer the new transitgateways with the existing transit gateways. Update the route tables to control trafficbetween BUs.
B. Create an AWS Cloud WAN core network with an edge location in both Regions.Configure a segment for each BU with VPC attachments to the new BU VPCs. Usesegment actions to control traffic between segments.
C. Create an AWS Cloud WAN core network with an edge location in both Regions.Configure a segment for each BU with VPC attachments to the new BU VPCs. Configurethe segments to isolate attachments to control traffic between segments.
D. Attach new VPCs to the existing transit gateways. Update route tables to control trafficbetween BUs.

Show Answer

---

Question # 10

A company has deployed a new web application on Amazon EC2 instances behind anApplication Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scalinggroup. Enterprise customers from around the world will use the application. Employees ofthese enterprise customers will connect to the application over HTTPS from officelocations.The company must configure firewalls to allow outbound traffic to only approved IPaddresses. The employees of the enterprise customers must be able to access theapplication with the least amount of latency.Which change should a network engineer make in the infrastructure to meet theserequirements?

A. Create a new Network Load Balancer (NLB). Add the ALB as a target of the NLB.
B. Create a new Amazon CloudFront distribution. Set the ALB as the distribution’s origin.
C. Create a new accelerator in AWS Global Accelerator. Add the ALB as an acceleratorendpoint.
D. Create a new Amazon Route 53 hosted zone. Create a new record to route traffic to theALB.

Show Answer

---

Question # 11

A global company runs business applications in the us-east-1 Region inside a VPC. One ofthe company's regional offices in London uses a virtual private gateway for an AWS Siteto-Site VPN connection tom the VPC. The company has configured a transit gateway andhas set up peering between the VPC and other VPCs that various departments in thecompany use.Employees at the London office are experiencing latency issues when they connect to thebusiness applications.What should a network engineer do to reduce this latency?

A. Create a new Site-to-Site VPN connection. Set the transit gateway as the targetgateway. Enable acceleration on the new Site-to-Site VPN connection. Update the VPNdevice in the London office with the new connection details.
B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as thetarget gateway. Enable acceleration on the existing Site-to-Site VPN connection.
C. Create a new transit gateway in the eu-west-2 (London) Region. Peer the new transitgateway with the existing transit gateway. Modify the existing Site-to-Site VPN connectionby setting the new transit gateway as the target gateway.
D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of theSite-to-Site VPN connection. Update the VPN device in the London office with the newconnection details.

Show Answer

---

Question # 12

A company is migrating an existing application to a new AWS account. The company willdeploy the application in a single AWS Region by using one VPC and multiple AvailabilityZones. The application will run on Amazon EC2 instances. Each Availability Zone will haveseveral EC2 instances. The EC2 instances will be deployed in private subnets.The company's clients will connect to the application by using a web browser with theHTTPS protocol. Inbound connections must be distributed across the Availability Zonesand EC2 instances. All connections from the same client session must be connected to thesame EC2 instance. The company must provide end-to-end encryption for all connectionsbetween the clients and the application by using the application SSL certificate.Which solution will meet these requirements?

A. Create a Network Load Balancer. Create a target group. Set the protocol to TCP and theport to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2instances as targets. Create a listener. Set the protocol to TCP and the port to 443 for thelistener. Deploy SSL certificates to the EC2 instances.
B. Create an Application Load Balancer. Create a target group. Set the protocol to HTTPand the port to 80 for the target group. Turn on session affinity (sticky sessions) with anapplication-based cookie policy. Register the EC2 instances as targets. Create an HTTPSlistener. Set the default action to forward to the target group. Use AWS Certificate Manager(ACM) to create a certificate for the listener.
C. Create a Network Load Balancer. Create a target group. Set the protocol to TLS and theport to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2instances as targets. Create a listener. Set the protocol to TLS and the port to 443 for thelistener. Use AWS Certificate Manager (ACM) to create a certificate for the application.
D. Create an Application Load Balancer. Create a target group. Set the protocol to HTTPSand the port to 443 for the target group. Turn on session affinity (sticky sessions) with anapplication-based cookie policy. Register the EC2 instances as targets. Create an HTTP listener. Set the port to 443 for the listener. Set the default action to forward to the targetgroup.

Show Answer

---

Question # 13

A company has a global network and is using transit gateways to connect AWS Regionstogether. The company finds that two Amazon EC2 instances in different Regions areunable to communicate with each other. A network engineer needs to troubleshoot thisconnectivity issue.What should the network engineer do to meet this requirement?

A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gatewayroute tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic thatsecurity group rules and network ACL rules accept or reject in the VPC.
B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gatewayroute tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager toanalyze the IP traffic that security group rules and network ACL rules accept or reject in theVPC.
C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze theIP traffic that security group rules and network ACL rules accept or reject in the VPC.
D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables.Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic thatsecurity group rules and network ACL rules accept or reject in the VPC.

Show Answer

---

Question # 14

A company needs to manage Amazon EC2 instances through command line interfaces forLinux hosts and Windows hosts. The EC2 instances are deployed in an environment inwhich there isno route to the internet. The company must implement role-based access control formanagement of the instances. The company has a standalone on-premises environment.Which approach will meet these requirements with the LEAST maintenance overhead?

A. Set up an AWS Direct Connect connection between the on-premises environment andthe VPC where the instances are deployed. Configure routing, security groups, and ACLs.Connect to the instances by using the Direct Connect connection.
B. Deploy and configure AWS Systems Manager Agent (SSM Agent) on each instance.Deploy VPC endpoints for Systems Manager Session Manager. Connect to the instancesbyusing Session Manager.
C. Establish an AWS Site-to-Site VPN connection between the on-premises environmentand the VPC where the instances are deployed. Configure routing, security groups, andACLs. Connect to the instances by using the Site-to-Site VPN connection.
D. Deploy an appliance to the VPC where the instances are deployed. Assign a public IPaddress to the appliance. Configure security groups and ACLs. Connect to the instances byusing the appliance as an intermediary.

Show Answer

---

Question # 15

A company has workloads that run in a VPC. The workloads access Amazon S3 by usingan S3 gateway endpoint. The company also has on-premises workloads that need toaccess AmazonS3 privately over a VPN connection. The company has established the VPN connection to the VPC.Which solution will provide connectivity to Amazon S3 from the VPC workloads and the onpremisesworkloads in the MOST operationally efficient way?

A. Deploy a proxy fleet of Amazon EC2 instances in the VPC behind an Application LoadBalancer (ALB). Configure the on-premises workloads to use the ALB as the proxy serverto connect to Amazon S3. Configure the proxy fleet to use the S3 gateway endpoint toconnect to Amazon S3.
B. Delete the S3 gateway endpoint. Create an S3 interface endpoint. Deploy a proxy fleetof Amazon EC2 instances in the VPC behind an Application Load Balancer (ALB).Configure the on-premises workloads to use the ALB as the proxy server to connect toAmazon S3. Configure the proxy fleet and the VPC workloads to use the S3 interfaceendpoint to connect to Amazon S3.
C. Create an S3 interface endpoint. Configure an on-premises DNS resolver to resolve theS3 DNS names to the private IP addresses of the S3 interface endpoint. Use the S3interface endpoint to access Amazon S3. Continue to use the S3 gateway endpoint for theVPC workloads to access Amazon S3.
D. Set up an AWS Direct Connect connection. Create a public VIF. Configure on-premisesrouting to route the S3 traffic over the public VIF. Make no changes to the on-premisesworkloads. Continue to use the S3 gateway endpoint for the VPC workloads to accessAmazon S3.

Show Answer

---

Question # 16

A company has deployed its AWS environment in a single AWS Region. The environmentconsists of a few hundred application VPCs, a shared services VPC, and a VPNconnection to the company’s on-premises environment. A network engineer needs toimplement a transit gateway with the following requirements:• Application VPCs must be isolated from each other.• Bidirectional communication must be allowed between the application VPCs and the onpremisesnetwork. • Bidirectional communication must be allowed between the application VPCs and theshared services VPC.The network engineer creates the transit gateway with options disabled for default routetable association and default route table propagation. The network engineer also createsthe VPN attachment for the on-premises network and creates the VPC attachments for theapplication VPCs and the shared services VPC.The network engineer must meet all the requirements for the transit gateway by designinga solution that needs the least number of transit gateway route tables.Which combination of actions should the network engineer perform to accomplish thisgoal? (Choose two.)

A. Configure a separate transit gateway route table for on premises. Associate the VPNattachment with this transit gateway route table. Propagate all application VPC attachmentsto this transit gateway route table.
B. Configure a separate transit gateway route table for each application VPC. Associateeach application VPC attachment with its respective transit gateway route table. Propagatethe shared services VPC attachment and the VPN attachment to this transit gateway routetable.
C. Configure a separate transit gateway route table for all application VPCs. Associate allapplication VPCs with this transit gateway route table. Propagate the shared services VPCattachment and the VPN attachment to this transit gateway route table.
D. Configure a separate transit gateway route table for the shared services VPC. Associatethe shared services VPC attachment with this transit gateway route table. Propagate allapplication VPC attachments to this transit gateway route table.
E. Configure a separate transit gateway route table for on premises and the sharedservices VPC. Associate the VPN attachment and the shared services VPC attachmentwith this transit gateway route table. Propagate all application VPC attachments to thistransit gateway route table.

Show Answer

---

Question # 17

A company's VPC has Amazon EC2 instances that are communicating with AWS servicesover the public internet. The company needs to change the connectivity so that thecommunicationdoes not occur over the public intemet.The company deploys AWS PrivateLink endpoints in the VPC. After the deployment of thePrivateLink endpoints, the EC2 instances can no longer communicate at all with therequired AWS services.Which combination of steps should a network engineer take to restore communication withthe AWS services? (Select TWO.)

A. In the VPC route table, add a route that has the PrivateLink endpoints as thedestination.
B. Ensure that the enableDnsSupport attribute is set to True for the VPC. Ensure that eachVPC endpoint has DNS support enabled.
C. Ensure that the VPC endpoint policy allows communication.
D. Create an Amazon Route 53 public hosted zone for all services.
E. Create an Amazon Route 53 private hosted zone that includes a custom name for eachservice.

Show Answer

---

Question # 18

An insurance company is planning the migration of workloads from its on-premises datacenter to the AWS Cloud. The company requires end-to-end domain name resolution. BidirectionalDNS resolution between AWS and the existing on-premises environments mustbe established. The workloads will be migrated into multiple VPCs. The workloads alsohave dependencies on each other, and not all the workloads will be migrated at the sametime.Which solution meets these requirements?

A. Configure a private hosted zone for each application VPC, and create the requisiterecords. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in anegress VPC. Define Route 53 Resolver rules to forward requests for the on-premisesdomains to the on-premises DNS resolver. Associate the application VPC private hostedzones with the egress VPC, and share the Route 53 Resolver rules with the applicationaccounts by using AWS Resource Access Manager. Configure the on-premises DNSservers to forward the cloud domains to the Route 53 inbound endpoints.
B. Configure a public hosted zone for each application VPC, and create the requisiterecords. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in anegress VPC. Define Route 53 Resolver rules to forward requests for the on-premisesdomains to the on-premises DNS resolver. Associate the application VPC private hostedzones with the egress VPC. and share the Route 53 Resolver rules with the applicationaccounts by using AWS Resource Access Manager. Configure the on-premises DNSservers to forward the cloud domains to the Route 53 inbound endpoints.
C. Configure a private hosted zone for each application VPC, and create the requisiterecords. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in anegress VPDefine Route 53 Resolver rules to forward requests for the on-premises domainsto the on-premises DNS resolver. Associate the application VPC private hosted zones withthe egress VPand s

Show Answer

---

Question # 19

A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints ofAmazon S3 and AWS Systems Manager through NAT gateways. All the traffic from theVPCs to Amazon S3 and Systems Manager travels through the NAT gateways. Thecompany's network engineer must centralize access to these services and must eliminatethe need to use public endpoints.Which solution will meet these requirements with the LEAST operational overhead?

A. Create a central egress VPC that has private NAT gateways. Connect all the VPCs tothe central egress VPC by using AWS Transit Gateway. Use the private NAT gateways toconnect to Amazon S3 and Systems Manager by using private IP addresses.
B. Create a central shared services VPC. In the central shared services VPC, createinterface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure thatprivate DNS is turned off. Connect all the VPCs to the central shared services VPC byusing AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for eachinterface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNSqueries to the interface VPC endpoints in the shared services VPC.
C. Create a central shared services VPIn the central shared services VPC, create interfaceVPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNSis turned off. Connect all the VPCs to the central shared services VPC by using AWSTransit Gateway. Create an Amazon Route 53 private hosted zone with a full serviceendpoint name for Amazon S3 and Systems Manager. Associate the private hosted zoneswith all the VPCs. Create an alias record in each private hosted zone with the full AWSservice endpoint pointing to the interface VPC endpoint in the shared services VPC.
D. Create a central shared services VPC. In the central shared services VPC, createinterface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all theVPCs to the central shared services VPC by using AWS Transit Gateway. Ensure thatprivate DNS is turned on for the interface VPC endpoints and that the transit gateway iscreated with DNS support turned on.

Show Answer

---

Question # 20

A company uses a 1 Gbps AWS Direct Connect connection to connect its AWSenvironment to its on-premises data center. The connection provides employees withaccess to an application VPC that is hosted on AWS. Many remote employees use acompany-provided VPN to connect to the data center. These employees are reportingslowness when they access the application during business hours. On-premises usershave started to report similar slowness while they are in the office.The company plans to build an additional application on AWS. On-site and remoteemployees will use the additional application. After the deployment of this additionalapplication, the company will need 20% more bandwidth than the company currently uses.With the increased usage, the company wants to add resiliency to the AWS connectivity. Anetwork engineer must review the current implementation and must make improvementswithin a limited budget.What should the network engineer do to meet these requirements MOST cost-effectively?

A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate theadditional traffic load from remote employees and the additional application. Create a linkaggregation group (LAG).
B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the onpremisesrouting for the remote employees to connect to the Site-to-Site VPN connection.
C. Deploy Amazon Workspaces into the application VPInstruct the remote employees toconnect to Workspaces.
D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps DirectConnect hosted connections. Create an AWS Client VPN endpoint in the application VPC.Instruct the remote employees to connect to the Client VPN endpoint.

Show Answer

---

Question # 21

A company’s network engineer needs to design a new solution to help troubleshoot anddetect network anomalies. The network engineer has configured Traffic Mirroring.However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the trafficmirror target. The EC2 instance hosts tools that the company’s security team uses toanalyze the traffic. The network engineer needs to design a highly available solution thatcan scale to meet the demand of the mirrored traffic.Which solution will meet these requirements?

A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB.deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring asnecessary.
B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB,deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only duringnon-business hours.
C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB.deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring asnecessary.
D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirrortarget. Behind the ALB. deploy a fleet of EC2 instances in an Auto Scaling group. UseTraffic Mirroring only during active events or business hours.

Show Answer

---

Question # 22

A company has established connectivity between its on-premises data center in Paris,France, and the AWS Cloud by using an AWS Direct Connect connection. The companyuses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets inseveral VPCs that are attached to the transit gateway.The company recently acquired another corporation that hosts workloads on premises inan office building in Tokyo, Japan. The company needs to migrate the workloads from theTokyo office to AWS. These workloads must have access to the company's existingworkloads in Paris. The company also must establish connectivity between the Tokyo officebuilding and the Paris data center.In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnetsfor migration of the workloads. The workload migration must be completed in 5 days. Theworkloads cannot be directly accessible from the internet.Which set of steps should a network engineer take to meet these requirements?

A. 1. Create public subnets in the Tokyo VPC to migrate the workloads into.2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC.3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyooffice and the Paris workloads.4. Create peering connections between the Tokyo VPC and the Paris VPCs.5. Configure a VPN connection between the Paris data center and the Tokyo office byusing existing routers.
B. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transitgateway with the Tokyo VPC.2. Create peering connections between the Tokyo transit gateway and the Paris transitgateway.3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transitgateway.4. Configure routing on both transit gateways to allow data to flow between sites and theVPCs.
C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transitgateway with the Tokyo VPC.2. Create peering connections between the Tokyo transit gateway and the Paris transitgateway.3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyotransit gateway as the target.4. Configure routing on both transit gateways to allow data to flow between sites and theVPCs.
D. 1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transitgateway.2. Create an association between the Paris transit gateway and the Tokyo VPC.3. Configure routing on the Paris transit gateway to allow data to flow between sites andthe VPCs.

Show Answer

---

Question # 23

A company has been using an outdated application layer protocol for communicationamong applications. The company decides not to use this protocol anymore and mustmigrate all applications to support a new protocol. The old protocol and the new protocolare TCP-based, but the protocols use different port numbers.After several months of work, the company has migrated dozens of applications that run onAmazon EC2 instances and in containers. The company believes that all the applicationshave been migrated, but the company wants to verify this belief. A network engineer needsto verify that no application is still using the old protocol.Which solution will meet these requirements without causing any downtime?

A. Use Amazon Inspector and its Network Reachability rules package. Wait until theanalysis has finished running to find out which EC2 instances are still listening to the oldport.
B. Enable Amazon GuardDuty. Use the graphical visualizations to filter for traffic that uses the port of the old protocol. Exclude all internet traffic to filter out occasions when the sameport is used as an ephemeral port.
C. Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use AmazonAthena to query the data and to filter for the port number that is used by the old protocol.
D. Inspect all security groups that are assigned to the EC2 instances that host theapplications. Remove the port of the old protocol if that port is in the list of allowed ports.Verify that the applications are operating properly after the port is removed from thesecurity groups.

Show Answer

---

Question # 24

A company is developing an application in which IoT devices will report measurements tothe AWS Cloud. The application will have millions of end users. The company observesthat the IoT devices cannot support DNS resolution. The company needs to implement anAmazon EC2 Auto Scaling solution so that the IoT devices can connect to an applicationendpoint without using DNS.Which solution will meet these requirements MOST cost-effectively?

A. Use an Application Load Balancer (ALB)-type target group for a Network Load Balancer(NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set
up the IoT devices to connect to the IP addresses of the NLB.
B. Use an AWS Global Accelerator accelerator with an Application Load Balancer (ALB)endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALSetup the IoT devices to connect to the IP addresses of the accelerator.
C. Use a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach theAuto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses ofthe NLB.
D. Use an AWS Global Accelerator accelerator with a Network Load Balancer (NLB)endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB.Set up the IoT devices to connect to the IP addresses of the accelerator.

Show Answer

---

Question # 25

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises,and Example Corp's infrastructure is completely in the AWS Cloud. Thecompanies are using AWS Direct Connect with AWS Transit Gateway to establishconnectivity between each other. Example Corp has deployed a new application across two Availability Zones in a VPC withno internet gateway. The CIDR range for the VPC is 10.0.0.0/16. ExampleCorp needs to access an application that is deployed on premises by AnyCompany.Because of compliance requirements, Example Corp must access the applicationthrough a limited contiguous block of approved IP addresses (10.1.0.0/24).A network engineer needs to implement a highly available solution to achieve this goal. Thenetwork engineer starts by updating the VPC to add a new CIDR range of10.1.0.0/24.What should the network engineer do next to meet the requirements?

A. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IPaddress range. Create a public NAT Sateway in each of the newsubnets. Update the route tables that are associated with other subnets to route applicationtraffic to the public NAT gateway in the corresponding AvailabilityZone. Add a route to the route table that is associated with the subnets of the public NATgateways to send traffic destined for the application to the transitgateway.
B. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IPaddress range. Create a private NAT gateway in each of the newsubnets. Update the route tables that are associated with other subnets to route applicationtraffic to the private NAT gateway in the correspondingAvailability Zone. Add a route to the route table that is associated with the subnets of theprivate NAT gateways to send traffic destined for the application tothe transit gateway.
C. In the VPC, create a subnet that uses the allowed IP address range. Create a privateNAT gateway in the new subnet. Update the route tables that areassociated with other subnets to route application traffic to the private NAT gateway. Add aroute to the route table that is associated with the subnet of theprivate NAT gateway to send traffic destined for the application to the transit gateway.
D. In the VPC, create a subnet that uses the allowed IP address range. Create a publicNAT gateway in the new subnet. Update the route tables that areassociated with other subnets to route application traffic to the public NAT gateway. Add aroute to the route table that is associated with the subnet of thepublic NAT gateway to send traffic destined for the application to the transit gateway.

Show Answer

---

Question # 26

A company’s network engineer builds and tests network designs for VPCs in adevelopment account. The company needs to monitor the changes that are made tonetwork resources and must ensure strict compliance with network security policies. Thecompany also needs access to the historical configurations of network resources.Which solution will meet these requirements?

A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custompattern to monitor the account for changes. Configure the rule to invoke an AWS Lambdafunction to identify noncompliant resources. Update an Amazon DynamoDB table with thechanges that are identified.
B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke anAWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDBtable with the changes that are identified.
C. Record the current state of network resources by using AWS Config. Create rules thatreflect the desired configuration settings. Set remediation for noncompliant resources.
D. Record the current state of network resources by using AWS Systems ManagerInventory. Use Systems Manager State Manager to enforce the desired configurationsettings and to carry out remediation for noncompliant resources.

Show Answer

---

Question # 27

A company has a total of 30 VPCs. Three AWS Regions each contain 10 VPCs. Thecompany has attached the VPCs in each Region to a transit gateway in that Region. Thecompany alsohas set up inter-Region peering connections between the transit gateways.The company wants to use AWS Direct Connect to provide access from its on-premiseslocation for only four VPCs across the three Regions. The company has provisioned fourDirectConnect connections at two Direct Connect locations.Which combination of steps will meet these requirements MOST cost-effectively? (SelectTHREE.)

A. Create four virtual private gateways. Attach the virtual private gateways to the fourVPCs.
B. Create a Direct Connect gateway. Associate the four virtual private gateways with theDirect Connect gateway.
C. Create four transit VIFs on each Direct Connect connection. Associate the transit VIFswith the Direct Connect gateway.
D. Create four transit VIFs on each Direct Connect connection. Associate the transit VIFswith the four virtual private gateways.
E. Create four private VIFs on each Direct Connect connection to the Direct Connectgateway.
F. Create an association between the Direct Connect gateway and the transit gateways.

Show Answer

---

Question # 28

A company has several production applications across different accounts in the AWSCloud. The company operates from the us-east-1 Region only. Only certain partnercompanies can access the applications. The applications are running on Amazon EC2instances that are in an Auto Scaling group behind an Application Load Balancer (ALB).The EC2 instances are in private subnets and allow traffic only from the ALB. The ALB is ina public subnet and allows inbound traffic only from partner network IP address ranges over port 80.When the company adds a new partner, the company must allow the IP address range ofthe partner network in the security group that is associated with the ALB in each account. Anetwork engineer must implement a solution to centrally manage the partner network IPaddress ranges.Which solution will meet these requirements in the MOST operationally efficient manner?

A. Create an Amazon DynamoDB table to maintain all IP address ranges and securitygroups that need to be updated. Update the DynamoDB table with the new IP addressrange when the company adds a new partner. Invoke an AWS Lambda function to readnew IP address ranges and security groups from the DynamoDB table to update thesecurity groups. Deploy this solution in all accounts.
B. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Use AmazonEventBridge (Amazon CloudWatch Events) rules to invoke an AWS Lambda function toupdate security groups whenever a new IP address range is added to the prefix list. Deploythis solution in all accounts.
C. Create a new prefix list. Add all allowed IP address ranges to the prefix list. Share theprefix list across different accounts by using AWS Resource Access Manager (AWS RAM).Update security groups to use the prefix list instead of the partner IP address range.Update the prefix list with the new IP address range when the company adds a newpartner.
D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups thatneed to be updated. Update the S3 bucket with the new IP address range when thecompany adds a new partner. Invoke an AWS Lambda function to read new IP addressranges and security groups from the S3 bucket to update the security groups. Deploy thissolution in all accounts.

Show Answer

---

Question # 29

A company ran out of IP address space in one of the Availability Zones in an AWS Regionthat the company uses. The Availability Zone that is out of space is assigned the10.10.1.0/24 CIDR block. The company manages its networking configurations in an AWSCloudFormation stack. The company's VPC is assigned the 10.10.0.0/16 CIDRblock and has available capacity in the 10.10.1.0/22 CIDR block. How should a network specialist add more IP address space in the existing VPC with theLEAST operational overhead?

A.Update the AWS :: EC2 :: Subnet resource for the Availability Zone in theCloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
B.Update the AWS :: EC2 :: VPC resource in the CloudFormation stack. Change theCidrBlock property to 10.10.1.0/22.
C.Copy the CloudFormation stack. Set the AWS :: EC2 :: VPC resource CidrBlock propertyto 10.10.0.0/16. Set the AWS :: EC2 :: Subnet resource CidrBlock property to 10.10.1.0/22for the Availability Zone.
D.Create a new AWS :: EC2 :: Subnet resource for the Availability Zone in theCloudFormation stack. Set the CidrBlock property to 10.10.2.0/24.

Show Answer

---

Question # 30

A network engineer is working on a large migration effort from an on-premises data centerto an AWS Control Tower based multi-account environment. The environmenthas a transit gateway that is deployed to a central network services account. The centralnetwork services account has been shared with an organization in AWSOrganizations through AWS Resource Access Manager (AWS RAM).A shared services account also exists in the environment. The shared services accounthosts workloads that need to be shared with the entire organization.The network engineer needs to create a solution to automate the deployment of commonnetwork components across the environment. The solution must provision aVPC for application workloads to each new and existing member account. The VPCs mustbe connected to the transit gateway in the central network services account.Which combination of steps will meet these requirements with the LEAST operationaloverhead? (Select THREE.)

A. Deploy an AWS Lambda function to the shared services account. Program the Lambdafunction to assume a role in the new and existing member accountsto provision the necessary network infrastructure.
B. Update the existing accounts with an Account Factory Customization (AFC). Select thesame AFC when provisioning new accounts.
C. Create an AWS CloudFormation template that describes the infrastructure that needs tobe created in each account. Upload the template as an AWSService Catalog product to the shared services account.
D. Deploy an Amazon EventBridge rule on a default event bus in the shared servicesaccount. Configure the EventBridge rule to react to AWS Control TowerCreateManagedAccount lifecycle events and to invoke the AWS Lambda function.
E. Create an AWSControlTowerBlueprintAccess role in the shared services account.
F. Create an AWSControlTowerBlueprintAccess role in each member account.

Show Answer

---

Question # 31

A company is migrating an application from on premises to AWS. The company will hostthe application on Amazon EC2 instances that are deployed in a single VPC. During themigration period, DNS queries from the EC2 instances must be able to resolve names ofon-premises servers. The migration is expected to take 3 months After the 3-monthmigration period, the resolution of on-premises servers will no longer be needed.What should a network engineer do to meet these requirements with the LEAST amount ofconfiguration?

A. Set up an AWS Site-to-Site VPN connection between on premises and AWS. Deploy anAmazon Route 53 Resolver outbound endpoint in the Region that is hosting the VPC.
B. Set up an AWS Direct Connect connection with a private VIF. Deploy an Amazon Route53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint in the Regionthat is hosting the VPC.
C. Set up an AWS Client VPN connection between on premises and AWS. Deploy anAmazon Route 53 Resolver inbound endpoint in the VPC.
D. Set up an AWS Direct Connect connection with a public VIF. Deploy an Amazon Route53 Resolver inbound endpoint in the Region that is hosting the VPC. Use the IP addressthat is assigned to the endpoint for connectivity to the on-premises DNS servers.

Show Answer

---

Question # 32

A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud. Which solution will meet these requirements while providing the HIGHEST throughput? 

A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.  
B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software. 
C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway. 
D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-toSite VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing. 

Show Answer

---

Question # 33

A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs. Which route table configurations on the transit gateway will meet these requirements? 

A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs. 
B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC. 
C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPCreate an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs. 
D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs. 

Show Answer

---

Amazon ANS-C01 Frequently Asked Questions