AWS ANS-C01 Free Practice Questions — Page 1

Advanced Networking - Specialty • 5 questions • Answers & explanations included

Question 1

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these requirements?

A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
D. Create a target group. Add the EKS managed node group’s Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Correct Answer: A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

A Network Load Balancer with a TCP listener on port 443 is the only option that leaves the TLS session intact from client to Pod. The NLB operates at Layer 4 and forwards the encrypted gRPC/TCP bytes without terminating TLS, so the mutual TLS handshake, including validation of the client certificate, happens directly between the client and the backend Pod. The AWS Load Balancer Controller registers the Pods' own IP addresses as targets (IP target type), so Pods added by the Horizontal Pod Autoscaler and nodes added by the Cluster Autoscaler are picked up without a NodePort hop. Option B is wrong because an ALB HTTPS listener terminates TLS at the load balancer; the ALB's own mutual TLS feature does not change this, since the ALB still decrypts the connection before forwarding it. Option D fails for the same reason: a TLS listener on an NLB terminates TLS at the NLB, so traffic is decrypted before it reaches the backend. Options C and D also register the managed node group's Auto Scaling group as instance targets, which sends every connection through a NodePort and kube-proxy instead of to the Pod that will terminate the session. A practical check on the Service manifest: set service.beta.kubernetes.io/aws-load-balancer-type to external and service.beta.kubernetes.io/aws-load-balancer-nlb-target-type to ip, and do not set service.beta.kubernetes.io/aws-load-balancer-ssl-cert, because that annotation turns the listener into a TLS listener.
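As an added example (not part of the original page and not code from the AWS Load Balancer Controller project), the following Python check inspects a Kubernetes Service manifest, loaded as a dict, for the settings answer A depends on and reports the two mistakes that would silently break end-to-end mTLS. The manifests, the Service name, the certificate ARN and the port numbers are constructed for the example; the annotation keys are the controller's real ones.

```python
"""Lint a Kubernetes Service for NLB TCP passthrough (added example).

The manifests below are constructed for this example; the annotation keys
are the AWS Load Balancer Controller's real keys.
"""
import copy

ANNOT = "service.beta.kubernetes.io/"

# The Service answer A describes: controller-managed NLB, Pod IP targets,
# plain TCP listener on 443 so the NLB never terminates TLS.
PASSTHROUGH_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {
        "name": "grpc-backend",  # hypothetical name
        "annotations": {
            ANNOT + "aws-load-balancer-type": "external",
            ANNOT + "aws-load-balancer-nlb-target-type": "ip",
            ANNOT + "aws-load-balancer-scheme": "internet-facing",
        },
    },
    "spec": {
        "type": "LoadBalancer",
        "selector": {"app": "grpc-backend"},
        "ports": [{"name": "grpc", "port": 443, "targetPort": 8443, "protocol": "TCP"}],
    },
}

# Same Service plus a certificate annotation: the controller now builds a
# TLS listener and the NLB decrypts every connection (the option D mistake).
TERMINATING_SERVICE = copy.deepcopy(PASSTHROUGH_SERVICE)
TERMINATING_SERVICE["metadata"]["annotations"].update({
    ANNOT + "aws-load-balancer-ssl-cert": "arn:aws:acm:us-east-1:111122223333:certificate/example",
    ANNOT + "aws-load-balancer-ssl-ports": "443",
})

# Same Service pointed at node instances instead of Pods (the option C/D mistake).
INSTANCE_TARGET_SERVICE = copy.deepcopy(PASSTHROUGH_SERVICE)
INSTANCE_TARGET_SERVICE["metadata"]["annotations"][ANNOT + "aws-load-balancer-nlb-target-type"] = "instance"


def passthrough_findings(manifest: dict, listener_port: int = 443) -> list[str]:
    """Return the reasons a Service would NOT give end-to-end TLS to the Pods.

    An empty list means the manifest matches answer A.
    """
    findings = []
    ann = manifest.get("metadata", {}).get("annotations", {})
    spec = manifest.get("spec", {})

    if manifest.get("kind") != "Service" or spec.get("type") != "LoadBalancer":
        findings.append("not a Service of type LoadBalancer")
    if ann.get(ANNOT + "aws-load-balancer-type") != "external":
        findings.append("aws-load-balancer-type is not explicitly 'external': the AWS Load "
                        "Balancer Controller is not guaranteed to manage this Service")
    if ann.get(ANNOT + "aws-load-balancer-nlb-target-type") != "ip":
        findings.append("targets are not Pod IPs: traffic takes a NodePort hop via kube-proxy")
    if ANNOT + "aws-load-balancer-ssl-cert" in ann:
        findings.append("aws-load-balancer-ssl-cert creates a TLS listener: the NLB "
                        "terminates TLS, so the session is decrypted before the Pod")
    ports = spec.get("ports", [])
    if not any(p.get("port") == listener_port and p.get("protocol", "TCP") == "TCP" for p in ports):
        findings.append(f"no TCP port {listener_port} exposed on the load balancer")
    return findings


if __name__ == "__main__":
    for name, m in [("passthrough", PASSTHROUGH_SERVICE),
                    ("terminating", TERMINATING_SERVICE),
                    ("instance targets", INSTANCE_TARGET_SERVICE)]:
        print(name, passthrough_findings(m) or "OK")
```

The check is deliberately strict about the ssl-cert annotation: the controller treats its presence as the instruction to build a TLS listener, so a certificate copied in from another Service's manifest is enough to move TLS termination onto the NLB without any change to the listener port.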

Question 2

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?

A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.
C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.
D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.

Correct Answer: A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.

An Application Load Balancer is the only option that satisfies all four requirements. Its HTTPS listener terminates TLS (offloading TLS processing from the web servers), its listener rules can route on the URL path to different target groups, and because it is a Layer 7 proxy it appends the connecting client's IP address to the X-Forwarded-For header of every request it forwards (the default header-processing mode). One ALB with one HTTPS listener is enough: a single listener can carry multiple certificates via SNI, so option B's listener per domain is unnecessary, and host-based routing keys on the Host header rather than on the URL the question specifies. Options C and D fail because a Network Load Balancer works at Layer 4: a TLS listener can terminate TLS, but the NLB never parses the HTTP request, so it has no path-based or host-based routing rules at all.

A caveat for the logging requirement: X-Forwarded-For is a comma-separated list and the ALB only appends to whatever the client sent, so a client can put forged addresses at the front of the header. For security logs the web server must record the last entry, the one the ALB added, not the first.
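As an added example (not part of the original page), the following Python shows the header parsing a web server behind the option A ALB needs, next to the common bug of trusting the first entry. It assumes the ALB is the only proxy between the client and the server and runs in the default X-Forwarded-For append mode, so the entry the ALB appended is always the last one; the forged header and the addresses in it are constructed for the example.

```python
"""Pick the trustworthy client address out of X-Forwarded-For behind an ALB.

Added example, not from the original page. Assumes the ALB is the only
proxy in front of the web server and uses the default X-Forwarded-For
mode (append), so the entry the ALB itself added is always the LAST one.
"""
import ipaddress
from typing import Optional


def _strip_port(entry: str) -> str:
    """Remove an optional port ('203.0.113.5:34567' or '[2001:db8::1]:443').

    The ALB only adds ports when routing.http.xff_client_port.enabled is true.
    """
    if entry.startswith("["):                 # bracketed IPv6, with or without port
        return entry[1:entry.index("]")] if "]" in entry else entry
    if entry.count(":") == 1:                 # IPv4 with port
        return entry.split(":", 1)[0]
    return entry                              # bare IPv4 or IPv6


def client_ip_from_xff(xff_header: Optional[str]) -> Optional[str]:
    """Return the address the ALB appended, or None if the header is unusable.

    Everything before the last comma came from the client (or from proxies
    in front of the ALB) and must not be trusted for security logging.
    """
    if not xff_header:
        return None
    last = _strip_port(xff_header.rsplit(",", 1)[-1].strip())
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


def naive_client_ip(xff_header: Optional[str]) -> Optional[str]:
    """The common bug: trust the FIRST entry, which the client controls."""
    if not xff_header:
        return None
    return xff_header.split(",", 1)[0].strip()


# Constructed request: an attacker at 203.0.113.5 sends a forged header and
# the ALB appends the real source address at the end.
FORGED_HEADER = "10.0.0.1, 198.51.100.250, 203.0.113.5"

if __name__ == "__main__":
    print("logged (correct):", client_ip_from_xff(FORGED_HEADER))
    print("logged (naive):  ", naive_client_ip(FORGED_HEADER))
```

Returning None for an unparsable last entry is intentional: a log line with no client address is easier to alert on than one that records attacker-chosen text as an IP.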

Question 3

A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS. The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint. Which solution will meet these requirements?

A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.

Correct Answer: C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.

Only option C satisfies both halves of the requirement. The ALB sits in a public subnet (a subnet whose route table points at an attached internet gateway), which is what makes an internet-facing ALB a valid accelerator endpoint, and its security group admits traffic on the listener port only from the accelerator's address ranges, so a direct connection from the internet to the ALB's DNS name is dropped. Options A and B fail on the security group alone: allowing inbound traffic from the internet on the listener port leaves the ALB directly reachable, which is exactly what the question prohibits (option A's internet gateway with no routes pointing to it is also pointless, since nothing in the subnet can use it). Option D is self-contradictory: a subnet whose route table sends traffic to an internet gateway is by definition a public subnet, so it describes option C while calling the subnet private.

Two practitioner checks. First, the accelerator's address ranges are published in the AWS ip-ranges.json file under the service name GLOBALACCELERATOR and change over time, so the security group rules must be generated from that file and refreshed, not typed in once. Second, Global Accelerator enables client IP address preservation by default for ALB endpoints; when it is on, the ALB sees the original client address as the packet source, and AWS documents restricting such endpoints with an inbound rule that references the GlobalAcceleratorManaged security group attached to the network interface the accelerator creates in the VPC, rather than an IP-range rule.
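As an added example (not part of the original page), the following Python builds the option C security-group rule from the accelerator address list AWS publishes, and checks a few source addresses against it the way the security group would. SAMPLE_IP_RANGES is a constructed excerpt in the shape of ip-ranges.json using documentation prefixes; the function and variable names are this example's own. In use, the JSON is fetched from https://ip-ranges.amazonaws.com/ip-ranges.json.

```python
"""Build ALB security-group rules from the published Global Accelerator ranges.

Added example, not from the original page. SAMPLE_IP_RANGES is a constructed
excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json using
documentation prefixes (RFC 5737 / RFC 3849); the real file is much larger.
"""
import ipaddress
import json

SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
        # The same prefix also appears under the umbrella AMAZON service and
        # must not produce a duplicate rule.
        {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL",
         "service": "AMAZON", "network_border_group": "GLOBAL"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "GLOBAL",
         "service": "GLOBALACCELERATOR", "network_border_group": "GLOBAL"},
    ],
})


def accelerator_prefixes(ip_ranges_json: str) -> tuple[list[str], list[str]]:
    """Return (IPv4, IPv6) prefixes tagged GLOBALACCELERATOR, de-duplicated and sorted."""
    data = json.loads(ip_ranges_json)
    v4 = {p["ip_prefix"] for p in data["prefixes"]
          if p["service"] == "GLOBALACCELERATOR"}
    v6 = {p["ipv6_prefix"] for p in data.get("ipv6_prefixes", [])
          if p["service"] == "GLOBALACCELERATOR"}
    return (sorted(v4, key=ipaddress.ip_network), sorted(v6, key=ipaddress.ip_network))


def ingress_permission(v4_prefixes: list[str], v6_prefixes: list[str], port: int = 443) -> dict:
    """Shape the rule as one IpPermissions element, the structure that
    ec2:AuthorizeSecurityGroupIngress accepts, so it can go straight to boto3."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": p, "Description": "Global Accelerator"} for p in v4_prefixes],
        "Ipv6Ranges": [{"CidrIpv6": p, "Description": "Global Accelerator"} for p in v6_prefixes],
    }


def source_is_accelerator(src_ip: str, v4_prefixes: list[str], v6_prefixes: list[str]) -> bool:
    """Would the rule above admit a packet from src_ip? Mirrors the security-group check."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in v4_prefixes + v6_prefixes)


if __name__ == "__main__":
    v4, v6 = accelerator_prefixes(SAMPLE_IP_RANGES)
    print(json.dumps(ingress_permission(v4, v6), indent=2))
    for ip in ("198.51.100.7", "192.0.2.9"):
        print(ip, "allowed" if source_is_accelerator(ip, v4, v6) else "dropped")
```

The returned dict is passed as IpPermissions=[...] to authorize_security_group_ingress; because each prefix becomes one rule, compare the prefix count against the per-security-group rule quota before applying, and diff against the existing rules on each refresh so stale ranges are revoked as well as new ones added.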

Question 4

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future. Which solution will meet these requirements in the MOST secure manner?

A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.

Correct Answer: C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.

AWS PrivateLink is the most secure and the most scalable fit. The shared services VPC publishes each service as a VPC endpoint service (fronted by a Network Load Balancer), and each business unit creates an interface VPC endpoint in its own application VPC. Connectivity is one-directional, from consumer to provider, and exposes only the published service rather than the shared VPC's address space, so there is no route-table reachability to lock down; overlapping CIDRs between VPCs do not matter; the provider controls which AWS principals may connect and can accept or reject each connection request individually; and consumers can attach an endpoint policy to scope what their side may call. Adding a business unit means accepting one more endpoint connection, not changing routing. Option A's full-mesh transit gateway gives every application VPC a network path to every other VPC, which is the opposite of granular, and the control it offers is at the route and security-group level rather than per service. Option B's peering connections are non-transitive and grow one per business unit, each needing route entries and security group rules on both sides, with no service-level control. Option D's transit VPC with a Marketplace VPN appliance is a legacy pattern: a self-managed appliance, IPsec tunnel throughput limits, and again full-mesh reachability.

Question 5

A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS. A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem. Which solution will meet these requirements?

A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.

Correct Answer: A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.

VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress are published per virtual interface, so graphing them over the slow hour shows which VIF, and therefore which business unit, is driving the spike (egress is measured from the AWS side, so it is traffic flowing from AWS toward on premises). The capacity fix in option A is the only workable one: the port speed of a Direct Connect dedicated connection cannot be changed after it is provisioned, so the company must order a new connection, here a 10 Gbps dedicated connection, bring up its VIFs, and move traffic over; that is why option B's in-place upgrade is not possible. Options C and D read ConnectionBpsIngress and ConnectionPpsEgress, which are connection-level aggregates (and packets per second is not a throughput measure), so they cannot separate one VIF from another. Option C also proposes converting the dedicated connection into a 5 Gbps hosted connection; hosted connections are provisioned by AWS Direct Connect Partners on their own infrastructure and are not an upgrade path for a dedicated connection, and 5 Gbps would leave little headroom over the existing 4 Gbps LAG.
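As an added example (not part of the original page), the following Python performs the attribution step of answer A on per-VIF metric samples: it finds the minutes in which the summed VIF load reaches the LAG's capacity and names the VIF that carried the most traffic in those minutes. The samples are constructed to look like CloudWatch GetMetricData results for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress at a 60-second period; the VIF IDs, timestamps and values are invented.

```python
"""Attribute Direct Connect saturation to a virtual interface (added example).

SAMPLES is constructed to look like CloudWatch GetMetricData output for
VirtualInterfaceBpsEgress / VirtualInterfaceBpsIngress (bits per second,
1-minute period), one series per VIF. VIF IDs and values are invented.
"""
from datetime import datetime, timedelta, timezone

CAPACITY_BPS = 4 * 10**9          # the 4 Gbps LAG from the question
T0 = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
DIRECTION = {"egress": 0, "ingress": 1}   # index into each (egress, ingress) sample


def _series(egress_mbps, ingress_mbps):
    """Turn per-minute Mbps lists into {timestamp: (egress_bps, ingress_bps)}."""
    return {T0 + timedelta(minutes=i): (e * 10**6, g * 10**6)
            for i, (e, g) in enumerate(zip(egress_mbps, ingress_mbps))}


# Three business units; the third bursts for two minutes (constructed data).
SAMPLES = {
    "dxvif-aaaa1111": _series([800, 800, 800, 800, 800, 800], [100, 100, 100, 100, 100, 100]),
    "dxvif-bbbb2222": _series([500, 500, 500, 500, 500, 500], [50, 50, 50, 50, 50, 50]),
    "dxvif-cccc3333": _series([300, 300, 300, 2600, 2600, 300], [40, 40, 40, 300, 300, 40]),
}


def connection_load(samples, direction="egress"):
    """Sum the per-VIF series into the load the whole connection carries per minute."""
    idx = DIRECTION[direction]
    total = {}
    for series in samples.values():
        for ts, values in series.items():
            total[ts] = total.get(ts, 0) + values[idx]
    return total


def saturated_minutes(samples, capacity_bps=CAPACITY_BPS, threshold=0.9, direction="egress"):
    """Timestamps where the summed load reaches threshold x capacity."""
    load = connection_load(samples, direction)
    return sorted(ts for ts, bps in load.items() if bps >= threshold * capacity_bps)


def top_talker(samples, minutes, direction="egress"):
    """(vif_id, mean bps) of the VIF that carried the most traffic in `minutes`."""
    idx = DIRECTION[direction]
    means = {vif: sum(series[ts][idx] for ts in minutes) / len(minutes)
             for vif, series in samples.items()}
    vif = max(means, key=means.get)
    return vif, means[vif]


def attribute_saturation(samples, capacity_bps=CAPACITY_BPS, direction="egress"):
    """Answer 'which business unit': None when the connection never saturated."""
    minutes = saturated_minutes(samples, capacity_bps, direction=direction)
    if not minutes:
        return None
    vif, mean_bps = top_talker(samples, minutes, direction)
    return {"vif": vif, "minutes": minutes, "mean_bps": mean_bps,
            "share_of_capacity": mean_bps / capacity_bps}


if __name__ == "__main__":
    result = attribute_saturation(SAMPLES)
    print(result["vif"], f"{result['share_of_capacity']:.0%} of the LAG",
          "during", [m.strftime("%H:%M") for m in result["minutes"]])
```

With live data, each series comes from get_metric_data on the AWS/DX namespace with the ConnectionId and VirtualInterfaceId dimensions at Period=60 over the slow hour; the summed VIF load is checked against ConnectionBpsEgress for the same minutes to confirm nothing is unaccounted for.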
