Free Amazon Web Services ANS-C01 Practice Exam with Questions & Answers | Set: 3

Questions 21

A company has a hybrid IT setup that includes services that run in an on-premises data center and in the AWS Cloud. The company is using AWS Direct Connect to connect its data center to AWS. The company is using one AWS Site-to-Site VPN connection as backup and requires a backup connectivity option to always be present. The company is transitioning to IPv6 by implementing dual-stack architectures.

Which combination of steps will transition the data center's connectivity to AWS in the LEAST amount of time? (Select TWO.)

Options:
A.

Create a new Site-to-Site VPN tunnel for the IPv6 traffic.

B.

Create a new dual-stack Site-to-Site VPN connection between the data center and AWS. Provision routing. Delete the original Site-to-Site VPN connection.

C.

Associate a new dual-stack public VIF with the Direct Connect connection. Migrate the Direct Connect traffic to the new VIF.

D.

Add a new IPv6 peer in the existing VIF. Use the IPv6 address provided by Amazon on the peer router.

E.

Send IPv6 traffic between the data center and AWS in a tunnel inside the existing IPv4 tunnels.

Questions 22

A network engineer needs to provide dual-stack connectivity between a company's office location and an AWS account. The company's on-premises router supports dual-stack connectivity, and the VPC has been configured with dual-stack support. The company has set up two AWS Direct Connect connections to the office location. This connectivity must be highly available and must be reliable for latency-sensitive traffic.

Which solutions will meet these requirements? (Choose two.)

Options:
A.

Configure a single private VIF on each Direct Connect connection. Add both IPv4 and IPv6 peering to each private VIF. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

B.

Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

C.

Configure a single private VIF and IPv4 peering on each Direct Connect connection. Configure the on-premises equipment with this peering to advertise the IPv6 routes in the same BGP neighbor configuration. Enable Bidirectional Forwarding Detection (BFD) on all peering sessions.

D.

Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise all IPv4 routes and IPv6 routes on all peering sessions. Keep the Bidirectional Forwarding Detection (BFD) configuration unchanged.

E.

Configure two private VIFs on each Direct Connect connection: one private VIF with the IPv4 address family and one private VIF with the IPv6 address family. Configure the on-premises equipment with the AWS provided BGP neighbors to advertise IPv4 routes on the IPv4 peering and IPv6 routes on the IPv6 peering. Reduce the BGP hello timer to 5 seconds on both the on-premises equipment and the Direct Connect configuration.

Questions 23

A finance company runs multiple applications on Amazon EC2 instances in two VPCs that are within a single AWS Region. The company uses one VPC for stock trading applications. The company uses the second VPC for financial applications. Both VPCs are connected to a transit gateway that is configured as a multicast router.

In the stock trading VPC, an EC2 instance that has an IP address of 10.128.10.2 sends trading data over a multicast network to the 239.10.10.10 IP address on UDP Port 5102. The company recently launched two new EC2 instances in the financial application VPC. The new EC2 instances need to receive the multicast stock trading data from the EC2 instance that is in the stock trading VPC.

Which combination of steps should the company take to meet this requirement? (Choose three.)

Options:
A.

Add the elastic network interfaces of the two new EC2 instances as members of the multicast group by using the group IP address of 239.10.10.10.

B.

Add an inbound rule to the security groups that are attached to the multicast receiver instances. Configure the rule as follows:

Protocol: IGMP Version 2, Port: 5102, and Source: 239.10.10.10/32

C.

Create associations to two EC2 instance IDs on the financial application VPC transit gateway attachment under the transit gateway multicast domain.

D.

Create an association to EC2 instance subnets on the financial application VPC transit gateway attachment under the transit gateway multicast domain.

E.

Add an inbound rule to the security groups that are attached to the multicast receiver instances. Configure the rule as follows:

Protocol: UDP, Port: 5102, and Source: 10.128.10.2/32

F.

Add an inbound rule to the security groups that are attached to the multicast receiver instances. Configure the rule as follows:

Protocol: IGMP Version 2, Port: All, and Source: 0.0.0.0/32

Questions 24

A company runs an application on Amazon EC2 instances. A network engineer implements a NAT gateway in the application's VPC to replace self-managed NAT instances. After the network engineer shifts traffic from the self-managed NAT instances to the NAT gateway, users begin to report issues.

During troubleshooting, the network engineer discovers that the connection to the application is closing after approximately 6 minutes of inactivity.

What should the network engineer do to resolve this issue?

Options:
A.

Check for increases in the Amazon CloudWatch IdleTimeoutCount metric for the NAT gateway. Configure TCP keepalive on the application EC2 instances.

B.

Check for increases in the Amazon CloudWatch ErrorPortAllocation metric for the NAT gateway. Configure an HTTP timeout value on the application EC2 instances.

C.

Check for increases in the Amazon CloudWatch PacketsDropCount metric for the NAT gateway. Configure an HTTPS timeout value on the application EC2 instances.

D.

Check for decreases in the Amazon CloudWatch ActiveConnectionCount metric for the NAT gateway. Configure UDP keepalive on the application EC2 instances.

Questions 25

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6.

A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.

Which solution will meet these requirements?

Options:
A.

Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

B.

Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.

C.

Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

D.

Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Questions 26

A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group.

The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application.

Which combination of steps should a network engineer take to meet these requirements? (Select TWO.)

Options:
A.

Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.

B.

Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.

C.

Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.

D.

Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.

E.

Forward all requests to the web application target group. Edit the web application target group and disable stickiness.

Questions 27

A network engineer needs to update a company's hybrid network to support IPv6 for the upcoming release of a new application. The application is hosted in a VPC in the AWS Cloud. The company's current AWS infrastructure includes VPCs that are connected by a transit gateway. The transit gateway is connected to the on-premises network by AWS Direct Connect and AWS Site-to-Site VPN. The company's on-premises devices have been updated to support the new IPv6 requirements.

The company has enabled IPv6 for the existing VPC by assigning a new IPv6 CIDR block to the VPC and by assigning IPv6 to the subnets for dual-stack support. The company has launched new Amazon EC2 instances for the new application in the updated subnets.

When updating the hybrid network to support IPv6, the network engineer must avoid making any changes to the current infrastructure. The network engineer also must block direct access to the instances' new IPv6 addresses from the internet. However, the network engineer must allow outbound internet access from the instances.

What is the MOST operationally efficient solution that meets these requirements?

Options:
A.

Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

B.

Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Update the existing VPN connection to support IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

C.

Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add an egress-only internet gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

D.

Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address. Create a new VPN connection that supports IPv6 connectivity. Add a NAT gateway. Update any affected VPC security groups and route tables to provide connectivity within the VPC and between the VPC and the on-premises devices.

Questions 28

A company has a highly available application that is hosted in multiple VPCs and in two on-premises data centers. All the VPCs reside in the same AWS Region. All the VPCs require access to each other and to the on-premises data centers for the transfer of files that are multiple gigabytes in size.

A network engineer is designing an AWS Direct Connect solution to connect the on-premises data centers to each VPC.

Which architecture will meet the company's requirements with the LEAST operational overhead?

Options:
A.

Configure a virtual private gateway and a private VIF in each VPC in the Region. Configure a Direct Connect gateway. Associate the VIF of every VPC with the Direct Connect gateway. Create a new private VIF that connects the Direct Connect gateway to each on-premises data center. Configure the new private VIF to exchange BGP routes with the on-premises data centers and to have an MTU of 9001. Use VPC peering between each VPC. Configure stati

B.

Configure a virtual private gateway and a private VIF in each VPC in the Region. Configure a Direct Connect gateway. Associate the VIF of every VPC with the Direct Connect gateway. Create a new private VIF that connects the Direct Connect gateway to each on-premises data center. Configure the new private VIF to exchange BGP routes with the on-premises data centers and to have an MTU of 8500. Use VPC peering between each VPC. Configure stati

C.

Configure a transit gateway in the same Region of each VPC. Attach each VPC to the transit gateway. Configure a Direct Connect gateway. Associate the Direct Connect gateway with the transit gateway. Associate a new transit VIF with each Direct Connect connection. Configure the new transit VIF to exchange BGP routes and to have an MTU of 9001. Configure route propagation between each VPC and the transit gateway.

D.

Configure a transit gateway in the same Region of each VPC. Attach each VPC to the transit gateway. Configure a Direct Connect gateway. Associate the Direct Connect gateway with the transit gateway. Associate a new transit VIF with each Direct Connect connection. Configure the new transit VIF to exchange BGP routes and to have an MTU of 8500. Configure route propagation between each VPC and the transit gateway.

Questions 29

A company is planning to migrate to AWS and use multiple VPCs in multiple AWS Regions. A network engineer must connect the eu-west-1 and eu-central-1 Regions to the company headquarters and branch office, respectively.

The network engineer created a production VPC, named Prod A, with a CIDR block of 10.0.0.0/16. Prod A runs in an account in eu-west-1. The network engineer then created another production VPC, named Prod B, with a CIDR block of 10.1.0.0/16. Prod B runs in a different account in eu-central-1.

The network engineer performed the following steps to try to achieve the required connectivity:

1. Created one transit gateway in each Region

2. Shared and accepted the transit gateways with the production accounts in both Regions

3. Configured the peering attachment between both transit gateways

4. Attached both VPCs to the respective Region transit gateway

5. Created both transit gateway route tables and associated the attachments with the route tables

6. Configured a static route in both transit gateway route tables to send traffic to the remote VPC in the other Region

7. Activated route propagation on the VPC route tables in each Region

After the configuration, the network engineer tried to connect from Prod A to Prod B. However, the connection was unsuccessful.

What should the network engineer do to achieve the required connectivity?

Options:
A.

Modify the IP address of the peering attachment to a wider range.

B.

Delete the static routes that were in the transit gateway route table to send traffic to the remote VPC and enable route propagation instead.

C.

Create a new route destined to 10.0.0.0/8 in both production VPC route tables with the Region transit gateway as the target.

D.

Modify the transit gateway route tables from the production accounts to propagate routes dynamically between the production VPCs.

Questions 30

A company runs a workload in a single VPC on AWS. The company’s architecture contains several interface VPC endpoints for AWS services, including Amazon CloudWatch Logs and AWS Key Management Service (AWS KMS). The endpoints are configured to use a shared security group. The security group is not used for any other workloads or resources.

After a security review of the environment, the company determined that the shared security group is more permissive than necessary. The company wants to make the rules associated with the security group more restrictive. The changes to the security group rules must not prevent the resources in the VPC from using AWS services through interface VPC endpoints. The changes must prevent unnecessary access.

The security group currently uses the following rules:

• Inbound - Rule 1

Protocol: TCP

Port: 443

Source: 0.0.0.0/0

• Inbound - Rule 2

Protocol: TCP

Port: 443

Source: VPC CIDR

• Outbound - Rule 1

Protocol: All

Port: All

Destination: 0.0.0.0/0

Which rule or rules should the company remove to meet these requirements?

Options:
A.

Outbound - Rule 2

B.

Inbound - Rule 1 and Outbound - Rule 1

C.

Inbound - Rule 2 and Outbound - Rule 1

D.

Outbound - Rule 1