Home/ Practice/ ANS-C01 Questions/ Page 2

AWS ANS-C01 Free Practice Questions — Page 2

Advanced Networking - Specialty • 5 questions • Answers & explanations included

Question 6

A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud. A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet. Which combination of steps is part of a solution that meets these requirements? (Choose two.)

A. Deploy the SaaS service endpoint behind a Network Load Balancer.
B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
C. Deploy the SaaS service endpoint behind an Application Load Balancer.
D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.
Show Answer & Explanation

Correct Answers: A. Deploy the SaaS service endpoint behind a Network Load Balancer.; B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.

Option A: Network Load Balancer is required for AWS PrivateLink endpoint services - only NLB is supported as the backend for endpoint services. Option B: Creating an endpoint service allows customers to create VPC endpoints in their VPCs to privately connect to the SaaS service without IP address conflicts or internet traversal. PrivateLink handles the overlapping IP addresses issue by using AWS's private network. Option C is incorrect because ALB cannot be used for VPC endpoint services. Option D (VPC peering with NAT) doesn't solve IP overlap issues effectively and requires sharing IP information. Option E (Transit Gateway) requires complex routing and doesn't solve the IP overlap problem as elegantly as PrivateLink.

Question 7

A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet. The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against nancial liability for services that scale out during a DDoS event. Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)

A. Use traffic Mirroring to copy all traffic to a set of traffic capture appliances.
B. Set up AWS WAF on all network components.
C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
F. Configure AWS Shield Advanced and ensure that it is configured on all public assets
Show Answer & Explanation

Correct Answers: D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.; E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.; F. Configure AWS Shield Advanced and ensure that it is configured on all public assets

Option D: AWS Direct Connect with MACsec provides encrypted connectivity for traffic between on-premises and AWS, meeting the encryption in transit requirement. Option E: Gateway Load Balancers enable insertion of third-party firewall appliances for inline traffic inspection before traffic leaves to on-premises or internet. Option F: AWS Shield Advanced provides DDoS protection and importantly includes cost protection (financial liability protection) during DDoS attacks that cause scaling. Option A (Traffic Mirroring) only copies traffic for analysis, doesn't inspect/block it. Option B (WAF on all components) is incorrect - WAF only protects HTTP/HTTPS applications, not all network components. Option C (Lambda creating deny rules) is too slow and reactive for DDoS protection.

Question 8

A retail company is running its service on AWS. The company’s architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway. The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage. Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)

A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
C. Configure traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
Show Answer & Explanation

Correct Answers: A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.; D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.

Option A: Enabling VPC flow logs on the NAT gateway's elastic network interface captures all traffic metadata. Publishing to CloudWatch Logs and using CloudWatch Logs Insights provides powerful querying capabilities to analyze traffic patterns and sources. Option D: VPC flow logs to S3 with Athena analysis provides a more cost-effective solution for large-scale log analysis with SQL queries. Both approaches use VPC flow logs which capture source/destination IPs, ports, and traffic volumes. Option B and E are incorrect because NAT gateways don't have "access logs" as a feature. Option C (Traffic Mirroring) is overkill for investigating traffic patterns and requires additional EC2 infrastructure.

Question 9

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?

A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C. Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
Show Answer & Explanation

Correct Answer: C. Create an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

Egress-only internet gateway is specifically designed for IPv6 outbound connectivity, allowing instances in private subnets to initiate IPv6 connections to the internet while blocking all inbound IPv6 connections from the internet. This exactly meets the requirement that servers must initiate all IPv6 connectivity and prevents public internet IPv6 traffic from reaching the private subnet. Adding routes to point IPv6 traffic to the egress-only IGW enables the functionality. Option A is incorrect because NAT gateways don't support IPv6 (they're IPv4 only). Option B has the same issue with NAT instances. Option D incorrectly suggests associating a security group with an egress-only IGW, which isn't how egress-only IGWs work - they inherently block inbound traffic.

Question 10

A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time. Which solution will meet these requirements?

A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Noti cation Service (Amazon SNS) noti cations on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.
Show Answer & Explanation

Correct Answer: B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.

Amazon Kinesis Data Firehose is purpose-built for streaming log delivery and can deliver data to Amazon OpenSearch Service with near-real-time latency (60 seconds or less). Network Firewall supports direct integration with Kinesis Data Firehose as a flow log destination, making this the fastest and most direct solution. Option A (S3 with Lambda and SNS) introduces additional latency due to the multi-step process and Lambda cold starts. Option C is incorrect because Network Firewall cannot send flow logs directly to OpenSearch - it requires an intermediary service. Option D (Kinesis Data Streams) requires additional processing to get data into OpenSearch, adding complexity compared to Firehose's direct integration.

Ready for the Full ANS-C01 Experience?

Access all 53 pages of practice questions, track your progress, and simulate the real exam with timed mode.

Start Interactive Quiz →