| PDF + Test Engine |
|
||
| Test Engine |
|
||
|
|
Here are Amazon ANS-C01 PDF available features:
| 290 questions with answers | Updation Date : 16 Jul, 2026 |
| 1 day study required to pass exam | 100% Passing Assurance |
| 100% Money Back Guarantee | Free 3 Months Updates |
A company has an AWS environment that includes multiple VPCs that are connected by a transit gateway. The company wants to use a certificate-based AWS Site-to-Site VPN connection to establish connectivity between an on-premises environment and the AWS environment. The company does not have a static public IP address for the on-premises environment. Which combination of steps should the company take to establish VPN connectivity between the transit gateway and the on-premises environment? (Choose two.)
A.Create a public certificate in AWS Certificate Manager (ACM).
B.Create a private certificate in AWS Certificate Manager (ACM).
C.Configure the Site-to-Site VPN tunnels to use the pre-shared key (PSK).
D.Create a customer gateway. Specify the current dynamic IP address of the customer gatewaydevice's external interface.
E.Create a customer gateway. Do not specify the IP address of the customer gateway device.
A company has two teams: Team A and Team B. Team A has VPCs that run in Account A.The team uses a transit gateway (TGW-A) to route traffic between workloads that run in the different VPCs. Similarly, Team Ð’ has VPCs that run in Account B. Team Ð’ uses a different transit gateway (TGW-B) to route traffic between workloads that run in the different VPCs. The company's network team manages the routing for Team A and Team Ð’. The network team wants to retire TGW-B and use a single transit gateway to manage routing for the VPCs of both teams. Which solution will meet this requirement with the LEAST operational overhead?
A.Create a resource share for TGW-A Share TGW-A with Account B. Create VPC attachments for theVPCs in Account Ð’. Configure routing for the VPCs in TGW-A route tables. Update the route tables ofthe VPCs in Account Ð’ to forward traffic to TGWA.Delete TGW-B attachments and TGW-B
A. Share TGW-A with Account Ð’. Replicate the TGW-Bconfiguration to TGW-A to automatically start routing changes for the VPCs in Account Ð’. DeleteTGW-B when routing changes are complete.
C.Create a new transit gateway (TGW-C) in AccountA. Create a resource share for TGW-C. ShareTGW-C with Account B. Create VPC attachments for the VPCs in Account A and Account Ð’. Configurerouting for all the VPCs in TGW-C route tables. Update the route tables for the VPCs in Account A andAccount Ð’ to forward traffic to TGW-C. Delete TGW-A attachments and TGW-B attachments. DeleteTGW-A and TGW-B.
D.Create a new transit gateway (TGW-C) in a new account (Account C). Create a resource share forTGW-C. Share TGW-C with Account A and Account B. Create VPC attachments for the VPCs inAccount A and Account Ð’. Configure routing for all the VPCs in TGW-C route tables. Update the routetables for the VPCs in Account A and Account Ð’ to forward traffic to TGW-C. Delete TGW-Aattachments and TGW-B attachments. Delete TGW-A and TGW-B.
A company has several AWS Site-to-Site VPN connections between an on-premises customer gateway and a transit gateway. The company's application uses IPv4 to communicate through the VPN connections. The company has updated the VPC to be dual stack and wants to transition to using IPv6-only for new workloads. When the company tries to communicate through the existing VPN connections, IPv6 traffic fails. Which solution will provide IPv6 support with the LEAST operational overhead?
A.Create a new Site-to-Site VPN connection that supports IPv6.
B.Create a new Site-to-Site VPN connection to a self-managed Amazon EC2 instance that runs opensource software.
C.Update the existing Site-to-Site VPN connections to support IPv6.
D.Update the on-premises customer gateway's public IP address from IPv4 to IPv6.
A company uses transit gateways to route traffic between the company's VPCs. Each transit gateway has a single route table. Each route table contains attachments and routes for the VPCs that are in the same AWS Region as the transit gateway. The route tables in each VPC also contain routes to all the other VPC CIDR ranges that are available through the transit gateways. Some VPCs route to local NAT gateways. The company plans to add many new VPCs soon. A network engineer needs a solution to add new VPC CIDR ranges to the route tables in each VPC. Which solution will meet these requirements in the MOST operationally efficient way?
A.Create a new customer-managed prefix list. Add all VPC CIDR ranges to the new prefix list. Updatethe route tables in each VPC to use the new prefix list ID as the destination and the appropriatetransit gateway ID as the target.
B.Turn on default route table propagation for the transit gateway route tables. Turn onroute propagation for each route table in each VPC.
C.Update the route tables in each VPC to use 0.0.0.010 as the destination and the appropriate transitgateway ID as the target.
D.Turn on default route table association for the transit gateway route tables. Turn on routepropagation for each route table in each VPC.
A company runs a workload in a single VPC on AWS. The companys architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources. After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access. The security group currently uses the following rules: Inbound - Rule 1 Protocol: TCP Port: 443 Source: 0.0.0.0/0 Inbound - Rule 2 Protocol: TCP Port: 443 Source: VPC CIDR Outbound - Rule 1 Protocol: All Port: All Destination: 0.0.0.0/0 Which rule or rules should the company remove to meet with these requirements?
A.Outbound - Rule 2
B.Inbound - Rule 1 and Outbound - Rule 1
C.Inbound - Rule 2 and Outbound - Rule 1
D.Outbound - Rule 1
A company deployed an application in two AWS Regions in one AWS account. The company has one VPC in each Region. The VPCs use non-overlapping private CIDR ranges. The company needs to connect both VPCs to a single on-premises data center to test the application. The application requires up to 800 Mbps of throughput. A network engineer needs to establish connectivity between the VPCs and the on-premises data center. Which solution will meet this requirement with the LEAST operational overhead?
A.Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gatewayin each VPC. Create a private VIF for each virtual private gateway, and associate the virtual privategateways with the Direct Connect connection. Configure static routes in the VPC route tables and inthe data center router
B.Order a 2 Gbps Direct Connect connection for the data center. Configure a virtual private gatewayin each VPC. Create a private VIF for each virtual private gateway, and associate the virtual privategateways with the Direct Connect connection. Configure Open Shortest Path First (OSPF) routingbetween the private VIF and the data center
C.Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWS SitetoSite VPN connection between the data center and each VPC. Configure static routes in each VPCroute table to point to the subnets in the data center.
D.Configure a customer gateway and a virtual private gateway in each VPC. Configure an AWSSiteto- Site VPN connection between the data center and each VPC. Configure BGP routing betweentheVPCs and the data center.
A company has multiple VPCs with subnets that use IPv4. Traffic from the VPCs to the internet uses a NAT gateway. The company wants to transition to IPv6. A network engineer creates multiple IPv6-only subnets in an existing testing VPC. The network engineer deploys a new Amazon EC2 instance that has an IPv6 address into one of the subnets. During testing, the network engineer discovers that the new EC2 instance is not able to communicate with an IPv4-only service through the internet. The network engineer needs to enable the IPv6 EC2 instance to communicate with the IPv4-only service. Which solution will meet this requirement?
A.Enable DNS64 for the IPv6-only subnets. Update the route tables for the IPv6-only subnets to sendtraffic through the NAT gateway.
B.Enable NAT64 for the testing VPC. Reconfigure the existing NAT gateway to support IPv6.
C.Enable DNS64 for the new EC2 instance. Create a new egress-only internet gateway that supportsIPv6.
D.Enable NAT64 for each route table. Create a new NAT gateway that supports both IPv4 and IPv6.
A company has a transit gateway in a single AWS account. The company sends flow logs for the transit gateway to an Amazon CloudWatch Logs log group. The company created an AWS Lambda function to analyze the logs. The Lambda function sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a VPC generates traffic that is dropped by the transit gateway. Each notification contains the account ID. VPC ID, and total amount of dropped packets. The company wants to subscribe a new Lambda function to the SNS topic. The new Lambda function must automatically prevent the traffic that is identified in each notification from leaving a VPC by applying a network ACL to the transit gateway attachment subnets in the VPC that generates the traffic. Which solution will meet these requirements?
A.Configure the existing Lambda function to add the destination IP addresses of the dropped trafficto each SNS notification. Configure the new Lambda function to create an outbound rule by using thedestination IP addresses in the network ACL.
B.Configure the existing Lambda function to add the source IP addresses of the dropped traffic toeach SNS notification. Configure the new Lambda function to create an inbound rule by using thesource IP addresses in the network ACL.
C.Configure the existing Lambda function to add the source IP addresses of the dropped traffic toeach SNS notification. Configure the new Lambda function to create an outbound rule by using the source IP addresses in the network ACL.
D.Configure the existing Lambda function to add the destination IP addresses of the dropped trafficto each SNS notification. Configure the new Lambda function to create an inbound rule by using thedestination IP addresses in the network ACL.
A company has multiple AWS Site-to-Site VPN connections between an on-premises environment and multiple VPCs. The Site-to-Site VPN connections use virtual private gateways and are configured with IPv4 addresses. The company hosts several internal applications in the VPCs. Application users have reported that the applications are performing slowly. A network engineer notices excessive latency in the network path that the VPN connections use. The network engineer needs to resolve the excessive latency. Which solution will meet this requirement?
A.Use AWS Global Accelerator to deploy an accelerator on the existing Site-to-Site VPN connections.
B.Deploy a transit gateway and a new accelerated Site-to-Site VPN connection.
C.Replace the existing Site-to-Site VPN connections with new Site-to-Site VPN connections that useIPv6.
D.Replace the existing Site-to-Site VPN connections with AWS PrivateLink connections.
A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company's applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups. A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances. Which solution will meet this requirement with the LEAST implementation and administrative effort?
A.Create a network ACL for each application. Reference the network ACL in the stateful rule group.
B.Create a prefix list for each application. Reference the prefix list in the stateful rule group.
C.Create an AWS Lambda function that queries the EC2 instance tags for each application name andthen updates the stateful rule group with the IP address of each instance.
D.Create a resource group for each application name. Reference the Amazon Resource Name (ARN)for the resource groups in the stateful rule group.