Amazon ANS-C01 AWS Certified Advanced Networking - Specialty Exam Practice Test

Page: 1 / 14
Total 290 questions
Question 1

A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal.

The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams.

The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes.

Which combination of steps should the network engineer take to meet these requirements? (Choose three.)



Answer : A, B, D

To meet the requirements of updating the DNS registration process while maximizing cost-effectiveness and minimizing configuration changes, the network engineer should take the following steps:

Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created (Option B).

Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain (Option D).

Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access (Option A).

These steps will allow service creators to register their DNS records while keeping costs low and minimizing configuration changes.


Question 2

A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway.

A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on the traffic must be logged in a central log account.

Which solution will meet these requirements with the LEAST administrative overhead?



Answer : A


Question 3

A company has an application that hosts personally identifiable information (PII) of users. All connections to the application must be secured by HTTPS with TLS certificates that implement Elliptic Curve Cryptography (ECC).

The application uses stateful connections between the web tier and the end users. Multiple instances host the application. A network engineer must implement a solution that offloads TLS connections to a load balancer.

Which load-balancing solution will meet these requirements?



Answer : D


Question 4

A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM) in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool.

A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account.

Which solution will meet these requirements?



Answer : B


Question 5

A company has multiple VPCs with subnets that use IPv4. Traffic from the VPCs to the internet uses a NAT gateway. The company wants to transition to IPv6.

A network engineer creates multiple IPv6-only subnets in an existing testing VPC. The network engineer deploys a new Amazon EC2 instance that has an IPv6 address into one of the subnets. During testing, the network engineer discovers that the new EC2 instance is not able to communicate with an IPv4-only service through the internet. The network engineer needs to enable the IPv6 EC2 instance to communicate with the IPv4-only service.

Which solution will meet this requirement?



Answer : A

Understanding the Issue: The IPv6-only EC2 instance cannot communicate with IPv4-only services because the two protocols cannot interoperate directly. DNS64 and NAT64 are used together to bridge this gap. AWS NAT gateways do not natively support NAT64; however, you can use DNS64 to translate IPv4 DNS records (A records) into IPv6-compatible addresses (synthesized AAAA records).

DNS64 for IPv6-Only Subnets: DNS64 is a service that synthesizes AAAA records for IPv4-only services. This allows IPv6-only clients to resolve IPv4 addresses as IPv6-compatible addresses, enabling communication through the NAT gateway.

NAT Gateway with Route Table Updates: The NAT gateway enables outbound communication from private subnets to the internet. Updating the route tables for IPv6-only subnets to send traffic through the NAT gateway ensures that the IPv6 EC2 instance can reach IPv4 services.
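The following added example (not part of the practice test) models the two halves of the mechanism described above: DNS64 synthesizing an AAAA answer for a name that only has an A record, and the NAT64 step recovering the embedded IPv4 address. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 and uses constructed sample DNS data in place of a real resolver.

```python
import ipaddress
from typing import List, Optional

# RFC 6052 well-known prefix used for DNS64 synthesis and NAT64 translation
# (assumption for this example; the page itself names no prefix).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample records standing in for what the resolver would return.
SAMPLE_RECORDS = {
    "ipv4only.example.com.": {"A": ["203.0.113.10"], "AAAA": []},
    "dualstack.example.com.": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def synthesize_aaaa(ipv4: str) -> str:
    """DNS64 step: embed the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | v4))


def dns64_lookup(name: str) -> List[str]:
    """Return the AAAA answers an IPv6-only client sees with DNS64 enabled.

    Names that already have native AAAA records are returned unchanged;
    only names with A records and no AAAA records get synthesized answers.
    """
    rrsets = SAMPLE_RECORDS.get(name, {"A": [], "AAAA": []})
    if rrsets["AAAA"]:
        return list(rrsets["AAAA"])
    return [synthesize_aaaa(a) for a in rrsets["A"]]


def nat64_extract_ipv4(dst: str) -> Optional[str]:
    """NAT64 step: recover the IPv4 destination from a synthesized address.

    Returns None for destinations outside the /96 prefix, which are native
    IPv6 traffic and are not translated.
    """
    v6 = ipaddress.IPv6Address(dst)
    if v6 not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        for answer in dns64_lookup(name):
            print(name, answer, "->", nat64_extract_ipv4(answer))
```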


Question 6

A real estate company is using Amazon WorkSpaces to provide a corporate-managed desktop service to its real estate agents around the world. These WorkSpaces are deployed in seven VPCs. Each VPC is in a different AWS Region.

According to a new requirement, the company's cloud-hosted security information and event management (SIEM) system needs to analyze DNS queries generated by the WorkSpaces to identify the target domains that the WorkSpaces connect to. The SIEM system supports poll and push methods for data and log collection.

Which solution should a network engineer implement to meet these requirements MOST cost-effectively?



Answer : D


Question 7

A company uses AWS Site-to-Site VPN connections to encrypt traffic between the company's on-premises location and a single VPC. The Site-to-Site VPN connections use two 1 Gbps AWS Direct Connect connections with public VIFs. The company plans to add 15 additional VPCs in the same AWS Region.

The company must maintain the same level of encryption that the Site-to-Site VPN connections currently provide for each connection between the on-premises location and the new VPCs. The new connections must not use public IP addresses. The bandwidth of the Site-to-Site VPN connections will remain less than the current provisioned speed.

Which combination of steps will meet these requirements with LEAST operational overhead? (Choose three.)



Answer : A, C, E

The transit gateway allows for scalable and centralized routing between multiple VPCs and on-premises networks. Associating it with a Direct Connect gateway enables private connectivity over the existing Direct Connect connections, which is more efficient than creating separate Direct Connect VIFs for each new VPC.

Assigning a private IP CIDR block to the transit gateway ensures that all traffic is routed securely and avoids the use of public IPs, which meets the requirement for private connectivity.

A transit VIF to the Direct Connect gateway, carrying a private IP VPN, provides encrypted communication. This configuration delivers encryption equivalent to the existing Site-to-Site VPN connections while using private IPs and the existing Direct Connect infrastructure.

