AWS ANS-C01: Advanced Networking Specialty Practice Exam

What the AWS ANS-C01 exam covers

• Network Design75 questions
• Network Implementation81 questions
• Network Management and Operations96 questions
• Network Security, Compliance, and Governance76 questions

Free AWS ANS-C01 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 328.

1. Question 1Network Design

   A company centralizes interface VPC endpoints in a shared-services VPC to avoid duplicating per-AZ endpoint hourly charges in dozens of spoke VPCs. How do spokes reach these endpoints, and what is the trade-off?

   • ASpokes reach the central endpoints via Transit Gateway, saving endpoint hourly costs but adding TGW data-processing charges that you must weigh against the savingsCorrect
   • BSpokes use a gateway endpoint shared over peering at no cost
   • CEach spoke must still create its own duplicate interface endpoints
   • DCentralized endpoints are reachable for free from any VPC with no data charges
   ✓ Correct answer: A

   AWS networking architecture requires careful planning of VPC design, subnet allocation, routing strategies, and security controls. Understanding the trade-offs between different services—such as the cost of Transit Gateway data-processing versus endpoint duplication, or NAT gateway overhead versus NAT instances—is essential for building cost-efficient networks. The choice of connectivity method (Direct Connect vs VPN), endpoint type (gateway vs interface), and inspection strategy directly impacts both operational costs and performance characteristics.

   Why the other options are wrong

   • BSpokes use a gateway endpoint shared over peering at no cost is incorrect because this resource carries costs that must be factored into the architecture.
   • CEach spoke must still create its own duplicate interface endpoints is incorrect because this option does not provide the technical solution described in the correct answer.
   • DCentralized endpoints are reachable for free from any VPC with no data charges is incorrect because this resource carries costs that must be factored into the architecture.
2. Question 2Network Management and Operations

   You want to reduce VPC Flow Logs storage cost while still capturing meaningful records for occasional analysis of accepted and rejected flows. Which configuration lowers cost the most while retaining useful data?

   • ADeliver Flow Logs to S3 with a longer maximum aggregation interval (10 minutes) and apply S3 lifecycle rules to transition older logs to cheaper storage classesCorrect
   • BStore Flow Logs in a provisioned-IOPS EBS volume
   • CEnable Traffic Mirroring instead of Flow Logs to save storage
   • DUse the 1-minute aggregation interval and store everything in CloudWatch Logs indefinitely
   ✓ Correct answer: A

   Network design in AWS involves balancing multiple factors: availability across AZs, cost optimization through resource consolidation, security requirements including encryption and inspection, and performance metrics like throughput and latency. Each component adds layers of complexity that must be carefully evaluated against the overall architecture goals.

   Why the other options are wrong

   • BStore Flow Logs in a provisioned-IOPS EBS volume is incorrect because this option does not provide the technical solution described in the correct answer.
   • CEnable Traffic Mirroring instead of Flow Logs to save storage is incorrect because this option does not provide the technical solution described in the correct answer.
   • DUse the 1-minute aggregation interval and store everything in CloudWatch Logs indefinitely is incorrect because this option does not provide the technical solution described in the correct answer.
3. Question 3Network Management and OperationsSelect all that apply

   A single instance is hitting DNS throttling against the Amazon-provided resolver (base+2 address). Which TWO facts about Route 53 Resolver limits in a VPC are correct? (Choose TWO)

   • AThere is a per-ENI packets-per-second limit to the Amazon-provided DNS (commonly cited around 1024 packets per second per network interface)Correct
   • BQueries to the base+2 resolver are unlimited and never throttled
   • CThe Amazon-provided DNS limit is per VPC, not per ENI, and cannot be worked around
   • DTo scale or forward DNS you can use Route 53 Resolver endpoints, which provide higher per-ENI query throughputCorrect
   ✓ Correct answer: A, D

   To scale or forward DNS you can use Route 53 Resolver endpoints, which provide higher per-ENI query throughput. AWS provides multiple mechanisms for achieving network objectives, but each comes with specific constraints and trade-offs. Understanding when to use consolidated resources versus distributed resources, when to inspect traffic centrally versus locally, and when to pay for premium services versus managing additional operational overhead is fundamental to AWS networking expertise.

   Why the other options are wrong

   • BQueries to the base+2 resolver are unlimited and never throttled is incorrect because this option does not provide the technical solution described in the correct answer.
   • CThe Amazon-provided DNS limit is per VPC, not per ENI, and cannot be worked around is incorrect because this option does not provide the technical solution described in the correct answer.
4. Question 4Network Security, Compliance, and Governance

   A security group references another security group as its source. An admin assumes this works even across a VPC peering connection. What is the gotcha?

   • AReferencing a peer VPC's security group over peering is supported only when both VPCs are in the same Region; cross-Region peering does not support SG referencesCorrect
   • BSG references only work within a single subnet
   • CSecurity groups can never reference another security group
   • DSecurity group references work across any peering, including cross-Region
   ✓ Correct answer: A

   Network design in AWS involves balancing multiple factors: availability across AZs, cost optimization through resource consolidation, security requirements including encryption and inspection, and performance metrics like throughput and latency. Each component adds layers of complexity that must be carefully evaluated against the overall architecture goals.

   Why the other options are wrong

   • BSG references only work within a single subnet is incorrect because this option does not provide the technical solution described in the correct answer.
   • CSecurity groups can never reference another security group is incorrect because this option does not provide the technical solution described in the correct answer.
   • DSecurity group references work across any peering, including cross-Region is incorrect because this option does not provide the technical solution described in the correct answer.
5. Question 5Network Management and Operations

   A NAT gateway starts dropping new connections during a spike and CloudWatch shows ErrorPortAllocation rising. What is the root cause and remedy?

   • ANAT gateways have no connection limits, so the metric is a bug
   • Bport exhaustion: a NAT gateway supports up to ~55,000 simultaneous connections per unique destination (IP+port+protocol); spread load across multiple NAT gateways or destinationsCorrect
   • CThe NAT gateway ran out of Elastic IPs; attach more EIPs to the same gateway
   • DErrorPortAllocation indicates a DNS failure unrelated to NAT
   ✓ Correct answer: B

   AWS networking architecture requires careful planning of VPC design, subnet allocation, routing strategies, and security controls. Understanding the trade-offs between different services—such as the cost of Transit Gateway data-processing versus endpoint duplication, or NAT gateway overhead versus NAT instances—is essential for building cost-efficient networks. The choice of connectivity method (Direct Connect vs VPN), endpoint type (gateway vs interface), and inspection strategy directly impacts both operational costs and performance characteristics.

   Why the other options are wrong

   • ANAT gateways have no connection limits, so the metric is a bug is incorrect because this option does not provide the technical solution described in the correct answer.
   • Cthe NAT gateway ran out of Elastic IPs; attach more EIPs to the same gateway is incorrect because this option does not provide the technical solution described in the correct answer.
   • DErrorPortAllocation indicates a DNS failure unrelated to NAT is incorrect because this option does not provide the technical solution described in the correct answer.
6. Question 6Network Implementation

   A Site-to-Site VPN tunnel keeps flapping: it comes up, passes traffic briefly, then drops every few minutes. The customer gateway is behind a firewall doing aggressive idle timeouts. Which configuration improves tunnel stability?

   • ASwitch the VPN to a public VIF
   • BDisable BGP so the tunnel cannot drop
   • Cenable DPD/keepalives and configure the customer gateway to originate periodic traffic or lower the idle timeout so the tunnel stays activeCorrect
   • DAdd a second internet gateway to the VPC
   ✓ Correct answer: C

   AWS networking architecture requires careful planning of VPC design, subnet allocation, routing strategies, and security controls. Understanding the trade-offs between different services—such as the cost of Transit Gateway data-processing versus endpoint duplication, or NAT gateway overhead versus NAT instances—is essential for building cost-efficient networks. The choice of connectivity method (Direct Connect vs VPN), endpoint type (gateway vs interface), and inspection strategy directly impacts both operational costs and performance characteristics.

   Why the other options are wrong

   • ASwitch the VPN to a public VIF is incorrect because this option does not provide the technical solution described in the correct answer.
   • BDisable BGP so the tunnel cannot drop is incorrect because this option does not provide the technical solution described in the correct answer.
   • DAdd a second internet gateway to the VPC is incorrect because this option does not provide the technical solution described in the correct answer.
7. Question 7Network Design

   A consumer cannot connect to a provider service via PrivateLink even though the interface endpoint shows 'available'. The provider recently added a new AZ. What is the most likely cause on the consumer side?

   • AInterface endpoints only work across Regions
   • BPrivateLink requires VPC peering to also be configured
   • CThe consumer's interface endpoint does not have a subnet/ENI in an AZ that the provider's endpoint service supports, or DNS is resolving to an unsupported AZ's endpointCorrect
   • DThe provider must assign the consumer a public IP
   ✓ Correct answer: C

   Security, performance, and cost are interconnected in AWS network design. A secure architecture might require additional encryption overhead, centralized inspection adds processing costs, and high availability might necessitate replication across regions or AZs, each carrying distinct cost implications.

   Why the other options are wrong

   • AInterface endpoints only work across Regions is incorrect because this option does not provide the technical solution described in the correct answer.
   • BPrivateLink requires VPC peering to also be configured is incorrect because AWS Config audits resource compliance but does not enforce network security policies centrally.
   • DThe provider must assign the consumer a public IP is incorrect because this option does not provide the technical solution described in the correct answer.
8. Question 8Network Management and Operations

   After a CloudFormation deployment, a previously working route to the Transit Gateway is gone and a stack update did not touch routing. Drift detection reports the route table as 'MODIFIED'. What likely happened and how do you prevent recurrence?

   • ACloudFormation randomly deletes routes during drift detection
   • BThe Transit Gateway expired the route after 24 hours
   • Csomeone manually edited the route table out-of-band causing drift; remediate by updating via the stack and prevent it with restrictive IAM/SCPs and stack policiesCorrect
   • DDrift detection automatically removes manual routes
   ✓ Correct answer: C

   AWS networking architecture requires careful planning of VPC design, subnet allocation, routing strategies, and security controls. Understanding the trade-offs between different services—such as the cost of Transit Gateway data-processing versus endpoint duplication, or NAT gateway overhead versus NAT instances—is essential for building cost-efficient networks. The choice of connectivity method (Direct Connect vs VPN), endpoint type (gateway vs interface), and inspection strategy directly impacts both operational costs and performance characteristics.

   Why the other options are wrong

   • ACloudFormation randomly deletes routes during drift detection is incorrect because this option does not provide the technical solution described in the correct answer.
   • BThe Transit Gateway expired the route after 24 hours is incorrect because this option does not provide the technical solution described in the correct answer.
   • DDrift detection automatically removes manual routes is incorrect because this option does not provide the technical solution described in the correct answer.
9. Question 9Network Security, Compliance, and Governance

   An auditor needs an immutable, tamper-evident record of who changed network resources such as security groups and route tables across all Regions and accounts. Which configuration provides this?

   • ARoute 53 query logging
   • BCloudFront real-time logs
   • CVPC Flow Logs aggregated to CloudWatch
   • DAn organization CloudTrail trail delivering to a centralized S3 bucket with log file validation enabledCorrect
   ✓ Correct answer: D

   AWS networking architecture requires careful planning of VPC design, subnet allocation, routing strategies, and security controls. Understanding the trade-offs between different services—such as the cost of Transit Gateway data-processing versus endpoint duplication, or NAT gateway overhead versus NAT instances—is essential for building cost-efficient networks. The choice of connectivity method (Direct Connect vs VPN), endpoint type (gateway vs interface), and inspection strategy directly impacts both operational costs and performance characteristics.

   Why the other options are wrong

   • ARoute 53 query logging is incorrect because Route 53 is a DNS service and does not provide network logging or monitoring capabilities.
   • BCloudFront real-time logs is incorrect because this option does not provide the technical solution described in the correct answer.
   • CVPC Flow Logs aggregated to CloudWatch is incorrect because this option does not provide the technical solution described in the correct answer.
10. Question 10Network Implementation

    You must implement private DNS for an interface VPC endpoint so that the standard public service hostname resolves to the endpoint's private IPs inside the VPC. Which setting enables this?

    • AAdding a NAT gateway for the endpoint
    • BAttaching an internet gateway to the endpoint subnet
    • CEnabling Private DNS on the interface endpoint (requires enableDnsSupport and enableDnsHostnames on the VPC)Correct
    • DCreating a public hosted zone for the service
    ✓ Correct answer: C

    AWS provides multiple mechanisms for achieving network objectives, but each comes with specific constraints and trade-offs. Understanding when to use consolidated resources versus distributed resources, when to inspect traffic centrally versus locally, and when to pay for premium services versus managing additional operational overhead is fundamental to AWS networking expertise.

    Why the other options are wrong

    • AAdding a NAT gateway for the endpoint is incorrect because this option does not provide the technical solution described in the correct answer.
    • BAttaching an internet gateway to the endpoint subnet is incorrect because this option does not provide the technical solution described in the correct answer.
    • DCreating a public hosted zone for the service is incorrect because this option does not provide the technical solution described in the correct answer.

AWS ANS-C01 practice exam FAQ