Home/ Practice/ ANS-C01 Questions/ Page 3

AWS ANS-C01 Free Practice Questions — Page 3

Advanced Networking - Specialty • 5 questions • Answers & explanations included

Question 11

A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers. Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFSle system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannotresolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems. Which combination of steps will meet these requirements? (Choose two.)

A. Configure the BIND DNS servers in the central VPC to forward queries for efs.us-east-1.amazonaws.com to the Amazon provided DNS server (169.254.169.253).
B. Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution.
C. Create an Amazon Route 53 Resolver inbound endpoint in the central VPC. Update all the VPC DHCP options sets to use the Route 53 Resolver inbound endpoint in the central VPC for name resolution.
D. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.
E. Create an Amazon Route 53 private hosted zone for the efs.us-east-1.amazonaws.com domain. Associate the private hosted zone with the VPC where the EC2 instance is deployed. Create an A record for fs-33444567d.efs.us-east-1.amazonaws.com in the private hosted zone. Configure the A record to return the mount target of the EFS mount point.
Show Answer & Explanation

Correct Answers: A. Configure the BIND DNS servers in the central VPC to forward queries for efs.us-east-1.amazonaws.com to the Amazon provided DNS server (169.254.169.253).; D. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.

Option A: The BIND servers need to forward queries for AWS service domains (like EFS endpoints) to the Amazon-provided DNS (169.254.169.253) so they can resolve AWS service endpoints. This allows the custom DNS to handle on-premises queries while delegating AWS service resolution to AWS DNS. Option D: Route 53 Resolver rules can forward queries for the on-premises domain to on-premises DNS servers. Sharing the rule via AWS RAM and associating it with all VPCs ensures consistent DNS resolution across the organization. Options B and C are incorrect because they suggest replacing the BIND servers entirely, which contradicts the requirement to keep using custom DNS for on-premises resolution. Option E creates unnecessary manual DNS record management.

Question 12

An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed. Which solution will meet these requirements?

A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB's target group.
B. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certi cate. Set the Auto Scaling group as the distribution's origin.
C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.
D. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.
Show Answer & Explanation

Correct Answer: C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.

Network Load Balancer with TCP listener passes through encrypted traffic without decryption, maintaining end-to-end encryption from client to EC2 instances. The TCP listener on port 443 forwards encrypted TLS traffic directly to the instances where decryption occurs, meeting the requirement that no intermediate decryption is allowed. Option A (ALB with HTTPS) terminates TLS at the load balancer, decrypting traffic which violates requirements. Option B (CloudFront) also terminates TLS connections. Option D (Gateway Load Balancer) is designed for inserting network appliances for traffic inspection, not for standard application load balancing.

Question 13

A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway. A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally e cient manner. What should the network engineer do to meet these requirements?

A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
B. Change the router configurations to summarize the advertised routes.
C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway
Show Answer & Explanation

Correct Answer: B. Change the router configurations to summarize the advertised routes.

The issue is that the Virtual Private Gateway has a limit of 100 routes that can be propagated to the VPC route table. With 110 routes from the fifirst data center, this limit is exceeded. Route summarization (aggregation) reduces the number of advertised routes by combining multiple specific routes into broader CIDR blocks, bringing the count under 100. This is operationally efficient and doesn't require infrastructure changes. Option A (removing Direct Connect gateway) creates architectural complexity. Option C suggests increasing quotas, but this quota cannot be increased for VGW. Option D (Transit Gateway) would work but is more operationally complex than summarization; Transit Gateway supports up to 10,000 routes.

Question 14

A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company o ces. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. O ce-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal. The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams. The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access.
B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.
C. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.
D. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain.
E. Launch two Amazon EC2 instances in the shared AWS account. Install BIND on each instance. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS account. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the IP addresses of the BIND servers.
F. Create a private hosted zone in the shared AWS account for each account that runs the service. Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.
Show Answer & Explanation

Correct Answers: B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.; D. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain.; F. Create a private hosted zone in the shared AWS account for each account that runs the service. Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.

Option B: Route 53 Resolver inbound endpoint allows on-premises DNS to forward queries to AWS. The conditional forwarder for aws.example.internal on on-premises DNS directs AWS queries to the inbound endpoint. Option D: Creating a private hosted zone for aws.example.internal in the shared account provides centralized DNS management. Option F: Each service account creates their own private hosted zone (like account1.aws.example.internal), associates it with their VPC and the shared VPC, giving service owners control while maintaining the hierarchical structure. Option A doesn't allow on-premises access. Option C creates a rule for the wrong direction. Option E (BIND servers) adds unnecessary complexity and operational overhead.

Question 15

A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs. The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection. Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones. What should a network engineer do to resolve this issue?

A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.
B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.
D. Modify the transit gateway by selecting multicast support.
Show Answer & Explanation

Correct Answer: B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.

Appliance mode support on the transit gateway VPC attachment ensures symmetric routing by forcing both directions of a flow through the same Availability Zone and same appliance. Without appliance mode, return traffic might take a different path than forward traffic (asymmetric routing), causing stateful inspection appliances to drop packets since they don't see both sides of the connection. This causes the intermittent connection issues reported. Option A (cross-AZ load balancing) doesn't address routing symmetry. Option C (ECMP routing) is for VPN connections with multiple tunnels. Option D (multicast) is unrelated to this issue.

Ready for the Full ANS-C01 Experience?

Access all 53 pages of practice questions, track your progress, and simulate the real exam with timed mode.

Start Interactive Quiz →

Recommended Next Certifications

After ANS-C01, consider these certification paths:

SCS-C02 — Security Specialty SAP-C02 — Solutions Architect Professional