The AWS Certified Advanced Networking – Specialty (ANS-C01) certification is for professionals who design and implement complex AWS and hybrid networking architectures. This specialty exam is a deep dive into the core AWS networking services, validating your ability to build scalable, secure, and highly available network infrastructure. Success requires more than a casual understanding; it demands mastery. Our ANS-C01 mock test is engineered to get you there.
This full-length practice exam simulates the real ANS-C01 test experience, with questions weighted across the official domains: Network Design, Implementation, Management, and Security. Taking our AWS Advanced Networking Specialty practice exam will test your skills on everything from complex hybrid connectivity with AWS Direct Connect and Transit Gateway to DNS resolution strategies with Route 53 Resolver and advanced VPC configurations. Each question includes a thorough explanation, ensuring you grasp the intricate details of AWS networking services and how they interact to solve enterprise-level challenges.
Don’t let complex routing policies or BGP configurations stand in your way. Consistent practice with our ANS-C01 mock test will build your expertise and confidence. You’ll learn to identify the optimal networking solution for any given scenario, a critical skill for both the exam and your career. If you’re ready to prove you’re a leader in cloud networking, our practice exam is the essential final step in your preparation.
Always check the official AWS Advanced Networking – Specialty Exam Guide for the latest version and details.
This is a timed quiz. You will be given 10200 seconds to answer all questions. Are you ready?
A company has a 1 Gbps Direct Connect connection. They are consistently using over 90% of the bandwidth and experiencing degraded performance. What is the recommended operational procedure to increase the bandwidth?
You cannot modify the bandwidth of an existing Direct Connect connection. The correct procedure is to order a new connection with the desired higher bandwidth (e.g., 10 Gbps) and then migrate your traffic to the new connection before decommissioning the old one. Alternatively, if multiple connections are available, you can use a LAG to aggregate them.
A network operations team is troubleshooting intermittent packet loss for an application running on an EC2 instance. They suspect an intermediate network device between two specific EC2 instances in the same VPC is dropping packets. Which tool would be most effective for tracing the path and identifying the point of failure without installing any third-party software on the instances?
VPC Reachability Analyzer is a static analysis tool that analyzes the network path between a source and a destination in a VPC. It can identify configuration issues that would cause packet loss, such as missing route table entries, restrictive security groups, or network ACLs. It does this without sending any packets, making it ideal for troubleshooting without altering the state of the instances.
A network administrator needs a central place to view and manage their entire global network, including AWS Transit Gateways, VPNs, and on-premises devices. The service should provide a topology map and performance monitoring. Which service offers these capabilities?
AWS Network Manager provides a single, unified view of your private networks. It allows you to create a global network that includes your AWS Transit Gateways and on-premises resources. It provides a topology visualization, performance monitoring (latency, packet loss), and can notify you of changes in your network.
A company is deploying a large number of IoT devices that will send data to an application hosted in a VPC. The devices have limited processing power and need to resolve a custom DNS domain name (e.g., `iot.internal.corp`) to a private IP address of an Application Load Balancer. The solution must not require the devices to connect via VPN. How should a network architect design the DNS solution?
Route 53 Resolver endpoints, specifically an inbound endpoint, allow you to resolve Route 53 private hosted zones from outside the VPC (like from an on-premises network or, in this case, IoT devices over the internet, assuming proper security). The devices would be configured to use the IP addresses of the inbound endpoint for DNS queries, allowing them to resolve the private domain name.
How would you implement a shared services VPC model where a central VPC hosts services (e.g., directory services) that need to be accessed by multiple other spoke VPCs?
AWS Transit Gateway is the ideal service for a shared services model. The shared services VPC and all spoke VPCs attach to the Transit Gateway. The Transit Gateway route tables are then configured to allow traffic to flow from the spokes to the shared services VPC, providing centralized access and simplified network management.
A security group rule allows inbound traffic on port 443 from source 0.0.0.0/0. A network ACL rule with a lower number denies all inbound traffic on port 443 from source 0.0.0.0/0. What is the result for an EC2 instance in the associated subnet?
Network ACLs are evaluated before Security Groups. Because the NACL rule is a `Deny`, it will be applied first, and the traffic will be blocked before it ever reaches the security group for evaluation. Therefore, the instance will not receive the traffic.
An engineer is troubleshooting a routing issue in a complex Transit Gateway environment with multiple route tables. They observe that traffic from a specific spoke VPC is not reaching the intended destination in another spoke VPC. What is the MOST likely cause of this issue?
In a Transit Gateway setup, routing is controlled by route tables associated with each VPC attachment and propagations from those attachments. A common issue is a misconfiguration where the route table associated with the source VPC's attachment does not have a route for the destination VPC's CIDR, or the destination VPC's attachment route table doesn't have a return route.
An administrator needs to create a network ACL rule to allow inbound SSH traffic (port 22) to a subnet. Since NACLs are stateless, what corresponding outbound rule is required to allow the return traffic?
Because NACLs are stateless, return traffic must be explicitly allowed by an outbound rule. SSH traffic originates from a high-numbered ephemeral port on the client and goes to port 22 on the server. The return traffic will come from port 22 on the server and go back to the high-numbered ephemeral port on the client. Therefore, an outbound rule must allow TCP traffic to the ephemeral port range (1024-65535).
A company needs to securely access and manage their EC2 instances without opening any inbound ports like SSH (22) or RDP (3389) in the security groups. Which service provides this capability?
AWS Systems Manager Session Manager provides secure and auditable instance management without the need to open inbound ports, manage bastion hosts, or maintain SSH keys. It allows you to manage your instances through a browser-based shell or through the AWS CLI, with all actions logged in CloudTrail.
An operations team needs to be alerted if their AWS Site-to-Site VPN connection goes down. Which metric in CloudWatch should they create an alarm for?
AWS VPN publishes the `TunnelState` metric to CloudWatch for each of its tunnels. A value of `1` indicates the tunnel is UP, and a value of `0` indicates the tunnel is DOWN. Creating an alarm that triggers when the metric is `0` for a sustained period is the standard way to monitor VPN tunnel health.
A company wants to automate the process of adding DNS records for new EC2 instances that are launched by an Auto Scaling group. The instances have a specific tag (e.g., `AppName: my-web-app`). The DNS records should be created in a Route 53 private hosted zone. The solution should be event-driven. What is the most efficient way to implement this automation?
This is a classic event-driven automation pattern. Amazon EventBridge (or CloudWatch Events) can capture the 'EC2 Instance State-change Notification' event for instances entering the 'running' state. A rule can be created to filter these events based on the specific tag. The rule's target would be an AWS Lambda function, which receives the event payload (containing the instance ID and other details), retrieves the instance's private IP, and uses the AWS SDK to create the necessary `A` record in the specified Route 53 private hosted zone.
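The handler side of this pattern, as an added example that is not code from the page or from AWS. It shows the EventBridge event pattern that selects `running` state changes and a Lambda function that describes the instance, checks for the `AppName: my-web-app` tag (the state-change event itself carries no tags, so the check happens in the function), and UPSERTs an `A` record. The hosted zone ID and zone name are placeholders read from environment variables, and the boto3 clients can be passed in so the logic runs with fakes offline.

```python
"""EventBridge -> Lambda -> Route 53 private hosted zone registration.

Added example; not the page's or AWS's own code. HOSTED_ZONE_ID and
ZONE_NAME are placeholders supplied through environment variables."""
import os

HOSTED_ZONE_ID = os.environ.get("HOSTED_ZONE_ID", "Z-PLACEHOLDER")   # placeholder
ZONE_NAME = os.environ.get("ZONE_NAME", "internal.corp.")             # placeholder, trailing dot
REQUIRED_TAG = ("AppName", "my-web-app")                               # tag named in the question

# EventBridge rule pattern that selects instances entering the 'running' state.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running"]},
}

def instance_details(ec2, instance_id):
    """Return (private_ip, tags_dict) from DescribeInstances."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    return inst.get("PrivateIpAddress"), tags

def record_name(instance_id):
    """One A record per instance, e.g. i-0abc123.internal.corp."""
    return f"{instance_id}.{ZONE_NAME}"

def handler(event, context=None, ec2=None, route53=None):
    """Lambda entry point. Returns the record name written, or None if skipped."""
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return None
    if ec2 is None or route53 is None:
        import boto3  # imported lazily so the module loads without boto3 in tests
        ec2 = ec2 or boto3.client("ec2")
        route53 = route53 or boto3.client("route53")
    instance_id = detail["instance-id"]
    ip, tags = instance_details(ec2, instance_id)
    key, value = REQUIRED_TAG
    if not ip or tags.get(key) != value:
        return None  # not an instance of this application
    name = record_name(instance_id)
    route53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID,
        ChangeBatch={
            "Comment": "auto-registered from EC2 state-change event",
            "Changes": [{
                "Action": "UPSERT",   # idempotent: safe if the event is delivered twice
                "ResourceRecordSet": {
                    "Name": name, "Type": "A", "TTL": 60,
                    "ResourceRecords": [{"Value": ip}],
                },
            }],
        },
    )
    return name
```

The function's execution role needs `ec2:DescribeInstances` and `route53:ChangeResourceRecordSets` on the zone; a matching terminate-state rule that deletes the record is the usual companion to this one.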
When designing a multi-region architecture for disaster recovery, what is the difference between RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
RPO is about data loss tolerance: it's the maximum acceptable amount of time since the last data recovery point. RTO is about downtime tolerance: it's the maximum acceptable delay between the interruption of service and restoration of service.
A global company is designing a hybrid network to connect its on-premises data centers in North America and Europe to AWS Regions in us-east-1 and eu-west-1. They require a resilient, high-bandwidth, private connection. The design must ensure that VPCs in both regions can communicate with both data centers, and the VPCs can communicate with each other. Which design provides the highest resiliency and manageability?
Using AWS Direct Connect Gateway with Transit Gateways in each region is the most resilient and scalable solution. A DXGW is a global resource that can connect to multiple Direct Connect locations and multiple Transit Gateways across regions. This allows for a fully routed, manageable global network where on-premises sites and all VPCs can communicate without complex peering meshes.
What is the function of AWS VPC IP Address Manager (IPAM)?
VPC IPAM is a managed service that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. It automates IP address assignment to your VPCs, preventing conflicts and simplifying CIDR block management, especially in large and complex network environments.
What is the difference between a stateful and a stateless firewall in the context of VPC security components?
Stateful firewalls, like Security Groups, automatically track the state of connections. If you allow an inbound request, the corresponding outbound response is automatically allowed. Stateless firewalls, like Network ACLs, do not track connection state; you must explicitly create separate inbound and outbound rules for both the request and the response traffic.
A company needs to connect their on-premises network to AWS and requires a connection with a consistent, low-latency, and dedicated bandwidth of 10 Gbps. Which AWS networking service should they use?
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using Direct Connect, you can establish private connectivity between AWS and your datacenter, which can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
A company needs to centrally manage and deploy AWS WAF rules across multiple accounts in its AWS Organization. What is the most appropriate service to use?
AWS Firewall Manager is a security management service that simplifies your WAF administration and maintenance tasks across multiple accounts and resources. You can centrally configure WAF rules, and Firewall Manager automatically applies those rules to the resources you select, such as ALBs or CloudFront distributions, across your accounts.
A company wants to use a single set of third-party virtual security appliances to inspect all traffic between VPCs, between VPCs and the internet, and between VPCs and their on-premises network. The solution must be highly scalable and centrally managed. Which architecture should be implemented?
An inspection VPC with a Gateway Load Balancer and a Transit Gateway is the standard, scalable pattern for centralized traffic inspection. The Transit Gateway routes all traffic flows to the inspection VPC. The Gateway Load Balancer provides a transparent 'bump-in-the-wire' service, distributing traffic across a fleet of virtual security appliances that can be managed by an Auto Scaling group for high availability and scalability.
When troubleshooting a Network Load Balancer, you find that the health checks are failing for a target instance, but you can connect to the application on the instance successfully from within the VPC. What is a likely cause?
A common cause of NLB health check failures is a misconfigured security group on the target instance. The security group must have an inbound rule that explicitly allows traffic from the NLB nodes on the health check port. Since the source of NLB traffic is preserved, you can't just allow traffic from the NLB's security group; you must allow it from the client IPs or, for health checks, from the VPC CIDR.
How do you configure a CloudFront distribution to serve content from an EC2 instance behind an Application Load Balancer?
To serve content from an ALB, you set the ALB's DNS name as the 'Origin Domain Name' when configuring the CloudFront origin. CloudFront then forwards requests to the ALB, which in turn distributes them to the backend EC2 instances.
A network engineer is configuring a Route 53 weighted routing policy to distribute 25% of traffic to a new application stack for canary testing and 75% to the existing stack. How should the record weights be configured?
Weighted routing distributes traffic based on the ratio of a record's weight to the sum of all weights for that record name and type. To achieve a 25/75 split, you can use any numbers that have that ratio. The simplest is to assign a weight of 25 to the new stack and 75 to the existing stack.
A CloudFront distribution is configured with an S3 bucket as the origin. The security team wants to ensure that users can only access the S3 content through CloudFront and not by using the direct S3 URL. How should this be implemented?
Origin Access Identity (OAI) is a special CloudFront user that you associate with your distribution. You then create a bucket policy that grants this OAI permission to read the objects in your bucket. This locks down the bucket so that only CloudFront can access the content, forcing users to go through the distribution.
A network engineer needs to implement a centralized egress (outbound) traffic filtering solution for multiple VPCs in the same region. All internet-bound traffic from spoke VPCs must be routed through an inspection VPC that contains a fleet of third-party firewall appliances running on EC2 instances. The solution must be highly available and scalable. Which set of services should be used?
This describes the classic centralized egress architecture. AWS Transit Gateway acts as a cloud router. All spoke VPCs are attached to it. The Transit Gateway route tables are configured to send default traffic (0.0.0.0/0) to the inspection VPC. Inside the inspection VPC, the firewall instances are in an Auto Scaling group behind a Gateway Load Balancer, which provides high availability and scalability for the firewall fleet.
A financial services company must inspect all traffic flowing between subnets in a VPC to meet compliance requirements. The inspection must be done by a fleet of third-party security appliances. The solution must be highly available and should not require any agents to be installed on the application instances. Which service should be used to transparently route traffic between subnets to the security appliances?
Amazon VPC more-specific routing allows you to create more specific routes in a VPC route table that override the default local route. You can use this to redirect traffic between two subnets to a middlebox, such as a Gateway Load Balancer endpoint, which fronts the security appliances. This forces the traffic through the inspection fleet without needing to change security groups or install agents.
A company needs to connect a VPC to an on-premises network over a Direct Connect connection. For security, all traffic over the connection must be encrypted. How can this be achieved?
Direct Connect provides a private, dedicated path but is not encrypted by default. To encrypt traffic over this path, you establish an AWS Site-to-Site VPN connection that runs over the private Direct Connect link. This is achieved by configuring a private virtual interface (VIF) for the Direct Connect and then building the VPN tunnel between the VGW and the on-premises customer gateway over that private path.
To secure a Direct Connect connection, a company wants to encrypt the data in transit at Layer 2. Which feature supports this?
MACsec (Media Access Control Security) is an IEEE standard that provides point-to-point security on Ethernet links. AWS Direct Connect supports MACsec for 10 Gbps and 100 Gbps dedicated connections at select locations, allowing you to encrypt your data at Layer 2 from your on-premises router to the AWS Direct Connect router.
Which AWS service helps protect against volumetric DDoS attacks like UDP reflection attacks?
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost and protects against most common network and transport layer DDoS attacks. AWS Shield Advanced provides additional protections and features for a higher level of security.
A team is performing a blue/green deployment using Route 53. After shifting 10% of traffic to the new green environment using a weighted routing policy, they detect a high error rate. What is the FASTEST way to roll back the deployment?
With a weighted routing policy, the fastest way to roll back is to update the weights. By changing the weight of the new (green) environment's record to 0 and the old (blue) environment's record to any non-zero value (e.g., 100), you can immediately direct all traffic back to the stable environment. This is much faster than waiting for DNS propagation of a changed record value.
A company needs to provide controlled access to its internal web applications for its remote employees. The solution must not expose the applications directly to the internet and must enforce strong authentication and authorization. Employees should not be required to use a traditional VPN client. Which AWS service is designed for this purpose?
AWS Verified Access is a service that provides secure access to private applications without using a VPN. It acts as a broker, evaluating every access request against a set of user-defined security policies based on identity (from identity providers) and device posture. It provides a more granular, zero-trust approach to application access compared to a traditional VPN.
A company is deploying an application that uses UDP for real-time communication. They need a load balancer that can distribute UDP traffic to a fleet of EC2 instances. Which type of load balancer should be used?
Network Load Balancers (NLBs) operate at the transport layer (Layer 4) and are capable of handling both TCP and UDP traffic. This makes them the ideal choice for load balancing applications that rely on UDP, such as DNS, streaming media, or real-time gaming.
What is the primary use case for AWS Global Accelerator?
AWS Global Accelerator uses the AWS global network to improve the performance and availability of your applications. It provides static IP addresses that act as a fixed entry point and routes traffic to the optimal endpoint based on health, client location, and policies you configure. It is ideal for non-HTTP traffic (gaming, IoT) or for HTTP applications that need static IPs or instant regional failover without relying on DNS propagation.
A company wants to use Amazon Route 53 to perform health checks on an endpoint that is hosted in a VPC and is not publicly accessible. How can Route 53 be configured to perform these health checks?
Route 53 health checkers are located around the world and need a public endpoint to check. However, Route 53 allows you to create health checks that monitor a CloudWatch alarm. You can create a custom CloudWatch alarm within your VPC that monitors the private endpoint (e.g., using a Lambda function or other internal metric). Route 53 will then use the state of this CloudWatch alarm to determine the health of the endpoint.
An application running on AWS needs to connect to a third-party SaaS provider's service. The SaaS provider has made their service available on AWS PrivateLink. What is the most secure way for the application VPC to connect to the SaaS service?
AWS PrivateLink is designed for this exact use case. By creating an interface VPC endpoint for the provider's service in your VPC, you create a private, secure connection. The endpoint is an elastic network interface with a private IP in your subnet, and all traffic to the service travels over the AWS private network, never leaving it.
A company wants to extend its on-premises data center to a VPC in AWS to support a low-latency, high-performance computing (HPC) application. The solution requires the lowest possible network latency. Which service should be used?
AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. This is the ideal solution when the lowest possible latency to on-premises systems is required, as the AWS infrastructure is physically located at the on-premises site.
A company is deploying an Application Load Balancer. They need to route requests to different target groups based on the hostname in the HTTP request (e.g., `images.example.com` goes to one group, `api.example.com` goes to another). Which feature of the ALB should be used?
Application Load Balancer listener rules allow for advanced, content-based routing. You can create rules based on conditions like the hostname, path, HTTP headers, or query strings. A host-based routing rule can inspect the `Host` header of the request and forward it to the appropriate target group.
What is a key architectural difference between a Network Load Balancer (NLB) and an Application Load Balancer (ALB)?
NLBs operate at the transport layer (Layer 4) and are ideal for high-throughput, low-latency TCP/UDP traffic. ALBs operate at the application layer (Layer 7) and are aware of application-level constructs like HTTP headers, cookies, and query strings, allowing for advanced, content-based routing rules.
A web application behind an Application Load Balancer is being targeted by a SQL injection attack. Which AWS service can be used to mitigate this attack at the edge?
AWS WAF is a web application firewall that protects against common web exploits. It has managed rule groups, including one specifically for SQL database attacks, which contains rules to block requests that show signs of SQL injection.
A company needs to log all DNS queries originating from its VPCs for security auditing. The solution must be native to AWS and not require installing agents on instances. Which service should be used?
Amazon Route 53 Resolver Query Logging is a feature that allows you to capture and log DNS queries that originate in your Amazon VPCs. You can log queries to CloudWatch Logs, S3, or Kinesis Data Firehose, providing a full audit trail of DNS activity for security analysis and troubleshooting.
An organization has 50 VPCs in a single region. They need to enable full mesh connectivity between all VPCs. Which solution is the MOST scalable and has the LOWEST operational overhead?
AWS Transit Gateway acts as a cloud router and is designed to connect thousands of VPCs and on-premises networks together. It simplifies network architecture by removing the need for complex VPC peering meshes, which become unmanageable at scale.
A company is experiencing higher than expected data processing charges from their NAT Gateways. How can they analyze which specific EC2 instances are sending the most traffic through the NAT Gateways to identify potential cost savings?
VPC Flow Logs capture IP traffic information. By delivering these logs to S3 and querying them with Amazon Athena, you can perform detailed analysis. You can write a SQL query to group traffic by source IP address (the private IPs of your EC2 instances) where the destination IP is outside the VPC, and then order the results to find the 'top talkers' responsible for the most outbound traffic and associated NAT Gateway costs.
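The same "top talkers" analysis worked through locally, as an added example that is not code from the page. The flow log records are constructed in the default flow log field order, the VPC CIDR `10.0.0.0/16` is an assumed value, and the Athena query is included as a string for comparison with the Python aggregation. Traffic between two in-VPC addresses is excluded, since only traffic leaving the VPC passes through the NAT Gateway.

```python
"""Aggregate VPC Flow Log records to find which instances send the most
traffic out of the VPC (the traffic that incurs NAT Gateway processing charges).

Added example, not from the page. Sample records and the VPC CIDR are constructed."""
import ipaddress
from collections import defaultdict

# Default flow log format, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: two hosts talking to the internet, one east-west flow,
# one rejected flow and one NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 93.184.216.34 44321 443 6 120 98304 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 44322 5432 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.2.20 93.184.216.34 50000 443 6 400 524288 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c9d8e7f 10.0.3.30 198.51.100.7 50100 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0c9d8e7f - - - - - - - 1700000000 1700000060 - NODATA
"""

# Equivalent Athena query over a table built from the S3-delivered logs
# (table and column names assumed; the CIDR test is written for 10.0.0.0/16).
ATHENA_QUERY = """
SELECT srcaddr, SUM(bytes) AS total_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT'
  AND srcaddr LIKE '10.0.%'       -- sources inside the VPC
  AND dstaddr NOT LIKE '10.0.%'   -- destinations outside the VPC
GROUP BY srcaddr
ORDER BY total_bytes DESC
LIMIT 20;
"""

def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA records carry no addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec

def top_talkers(text, vpc_cidr="10.0.0.0/16", limit=10):
    """Bytes sent per in-VPC source to destinations outside vpc_cidr, highest first."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for rec in parse_flow_log(text):
        if rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in vpc and dst not in vpc:   # skip east-west traffic; it never hits the NAT Gateway
            totals[rec["srcaddr"]] += int(rec["bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

if __name__ == "__main__":
    for addr, total in top_talkers(SAMPLE_FLOW_LOG):
        print(f"{addr:16} {total:>10} bytes")
```

Flow logs do not record the NAT Gateway ID, so this is an approximation; traffic to S3 or DynamoDB through a gateway endpoint also has a destination outside the VPC CIDR and would need to be filtered out separately if those endpoints are in use.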
A rule in a network ACL has the number 100. Another rule has the number 200. Which rule is evaluated first?
Network ACLs evaluate rules in order, starting with the lowest numbered rule. As soon as a rule matches the traffic, it is applied immediately, and no subsequent rules are evaluated. Therefore, the rule with number 100 will be evaluated before the rule with number 200.
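A short simulation of the network ACL behaviour described here and in the two earlier answers on NACL-before-security-group evaluation and on stateless return traffic for SSH. This is an added example, not code from the page or from AWS; the rule numbers, CIDRs and sample packets are constructed. It models three things: rules are tried from the lowest number upward and the first match wins (a deny at 100 shadows an allow at 300 for the same port); the ACL is stateless, so an SSH reply needs its own outbound rule to the client's ephemeral port; and a NACL deny is final even when the security group would allow the traffic.

```python
"""Simulate inbound/outbound evaluation of a VPC network ACL.

Added example; not from the page or from AWS. All rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int   # destination port range (ignored for "icmp" and "all")
    port_to: int
    action: str      # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    protocol: str
    remote: str      # address the rule's CIDR is matched against
    port: int        # destination port of this packet

def evaluate(rules, packet):
    """Return 'allow' or 'deny'; the implicit final '*' rule denies everything."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if ipaddress.ip_address(packet.remote) not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not rule.port_from <= packet.port <= rule.port_to:
            continue
        return rule.action   # first match wins; higher-numbered rules are never consulted
    return "deny"

# Constructed inbound ACL: rule 100 denies HTTPS, so rule 300 never gets a chance to allow it.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "deny"),
    NaclRule(200, "tcp", "0.0.0.0/0", 22, 22, "allow"),
    NaclRule(300, "tcp", "0.0.0.0/0", 443, 443, "allow"),   # shadowed by rule 100
]
# Outbound: replies to SSH clients go to the client's ephemeral port, not to port 22.
OUTBOUND_OK = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
OUTBOUND_WRONG = [NaclRule(100, "tcp", "0.0.0.0/0", 22, 22, "allow")]   # common mistake

def reaches_instance(nacl_inbound, sg_allowed_ports, packet):
    """NACL first, then the security group; both must allow the packet."""
    if evaluate(nacl_inbound, packet) == "deny":
        return False
    return packet.port in sg_allowed_ports

def ssh_session_works(inbound, outbound, client_ip="203.0.113.10", client_port=51515):
    """True only if both the request and the stateless reply are allowed."""
    request = Packet("tcp", client_ip, 22)            # client:ephemeral -> server:22
    reply = Packet("tcp", client_ip, client_port)     # server:22 -> client:ephemeral
    return evaluate(inbound, request) == "allow" and evaluate(outbound, reply) == "allow"
```

Security groups are modelled only as a set of allowed ports because, being stateful, they need no separate reply rule; the asymmetry between the two constructs is exactly what the outbound ephemeral-port rule compensates for.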
A company wants to use a single private IP address as an entry point for a service that spans multiple EC2 instances. The IP address must remain constant even if the underlying instances fail and are replaced. Which service provides a static private IP for its targets?
A Network Load Balancer (NLB) provides a static IP address per Availability Zone. This makes it a reliable, fixed entry point for services. Even if the backend instances in the target group change, the NLB's IP address remains the same.
A network architect is designing a VPC. To improve the availability of an application, they must place resources in at least three physically separate, isolated locations within the same AWS Region. What do these locations correspond to in AWS terminology?
Availability Zones (AZs) are distinct locations within an AWS Region that are engineered to be isolated from failures in other AZs. They provide inexpensive, low-latency network connectivity to other AZs in the same Region. Deploying applications across multiple AZs is a fundamental best practice for high availability.
A company is designing a network for a global application with a presence in multiple AWS regions. They need to provide a single entry point for their users and route them to the optimal region based on performance, health, and user location. The solution must also support failover between regions. Which Route 53 routing policy is most suitable?
Latency-based routing directs users to the AWS region that provides the lowest latency. When combined with health checks, Route 53 can automatically fail over to another healthy region if the primary region becomes unavailable. Geoproximity routing is similar but uses geographic distance, while latency routing uses actual network performance measurements, which is generally more accurate for performance-based routing.
A company has established a 10 Gbps AWS Direct Connect connection to their on-premises data center. They are using BGP to advertise routes. The on-premises network has a default route (0.0.0.0/0) pointing to their ISP. They now want to route all internet-bound traffic from a specific VPC through their on-premises firewall for inspection before it goes to the internet. How should the routing be configured?
To route VPC traffic to the on-premises network, the on-premises router must advertise a default route (0.0.0.0/0) to the VGW via BGP. This route will propagate to the VPC's route table. The VPC route table must then be updated to point 0.0.0.0/0 to the VGW. The on-premises firewall will then handle the traffic and route it to the internet.
A company is implementing a Direct Connect connection. What is a Link Aggregation Group (LAG) used for in this context?
A LAG is a feature that allows you to bundle multiple Direct Connect connections at a single AWS Direct Connect location and treat them as a single, logical connection. This provides increased bandwidth (by aggregating the capacity of the member connections) and higher resiliency (if one connection in the LAG fails, traffic is redirected over the remaining connections).
A security engineer wants to ensure that an S3 bucket cannot be accessed by any principal outside of a specific VPC. Which type of policy should be used?
A VPC endpoint policy is a resource-based policy that you attach to a VPC endpoint. You can use it to control access to the service from the VPC. By creating a bucket policy that denies access unless the request comes through a specific VPC endpoint (using the `aws:sourceVpce` condition key), you can ensure the bucket is only accessible from within that VPC's private network.
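The bucket policy described in this answer, generated and checked in code as an added example that is not from the page. The bucket name and endpoint ID are placeholders. The small evaluator covers only the `StringNotEquals` condition on `aws:sourceVpce` used here, including the IAM rule that a negated string condition matches when the key is absent from the request, which is why requests from the public internet (no `aws:sourceVpce` at all) are denied too.

```python
"""Deny all S3 access to a bucket unless the request arrives through one VPC endpoint.

Added example, not the page's or AWS's code. Bucket and endpoint IDs are placeholders;
is_denied() implements only the condition operator this policy uses."""
import json

def vpce_only_bucket_policy(bucket, vpce_id):
    """Explicit Deny for any principal whose request did not come via vpce_id.
    An explicit Deny overrides any Allow, so it also blocks access from the
    internet and from other VPCs' endpoints."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }

def is_denied(policy, request_context):
    """True if any Deny statement in the policy matches the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        matched = True
        for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
            # StringNotEquals is true when the key differs OR is absent from the request
            if request_context.get(key) == expected:
                matched = False
        if matched:
            return True
    return False

POLICY = vpce_only_bucket_policy("example-bucket", "vpce-0123456789abcdef0")   # placeholders

def policy_json():
    """Serialised form suitable for put-bucket-policy."""
    return json.dumps(POLICY, indent=2)
```

Because the Deny applies to every principal, it also locks out administrators working from the console or CLI outside that VPC; in practice a second condition excepting a break-glass role (for example on `aws:PrincipalArn`) is added before the policy is applied, and the policy is tested with a non-critical bucket first.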
A company needs to deploy a highly available NAT service for their private subnets. Which implementation provides the highest availability?
To ensure high availability for a NAT service, you should deploy a NAT Gateway in each Availability Zone where you have private subnets that need internet access. You then create a route table for the subnets in each AZ that points the default route (0.0.0.0/0) to the NAT Gateway in the same AZ. This prevents a single AZ failure from disrupting internet access for other AZs.
When using a Direct Connect connection with BGP, what is the purpose of the Border Gateway Protocol (BGP) Autonomous System Number (ASN)?
BGP uses Autonomous System Numbers (ASNs) to uniquely identify networks on the internet and in private network connections. When you set up a Direct Connect connection, you must provide your network's public or private ASN, and AWS provides its own ASN. These are used to establish the BGP peering session for exchanging routing information.
An administrator needs to establish a VPN connection that supports BGP for dynamic route propagation. What is required on the AWS side of the connection?
For a standard Site-to-Site VPN, you can attach it to either a Virtual Private Gateway (VGW) or a Transit Gateway. Both support BGP sessions for dynamic routing with your on-premises customer gateway device.
When implementing a VPC endpoint for S3, what is the effect on the VPC's route table?
When you create a gateway VPC endpoint for S3, you must associate it with a route table. AWS automatically adds a route to that table. The route's destination is a prefix list for S3 (e.g., `pl-12345`) and the target is the VPC endpoint ID (e.g., `vpce-54321`). This directs all traffic destined for S3 in that region through the private endpoint.
A network architect needs to enforce a firewall policy that automatically blocks outbound connections from specific VPCs to a list of known malicious domains. The solution should be managed and scalable. Which service is most appropriate?
Route 53 Resolver DNS Firewall is designed to protect outbound DNS queries for a VPC. You can create domain lists (blocklists) and associate them with your VPCs via firewall rules. This provides a managed, scalable way to prevent your resources from communicating with known malicious or unwanted domains.
What is the difference between AWS WAF and AWS Network Firewall?
AWS WAF is a web application firewall that operates at Layer 7 (Application) and protects against web exploits like SQL injection and XSS. It is used with services like ALB, CloudFront, and API Gateway. AWS Network Firewall is a managed network firewall service that operates at Layers 3-7, providing stateful inspection for all traffic entering and leaving your VPC, not just web traffic.
A network architect needs to design a solution for a global content delivery network (CDN) that will serve both static and dynamic content. The solution must cache content close to users worldwide and provide application-layer protection. Which service should be the primary component of this design?
Amazon CloudFront is a global CDN that caches content in edge locations around the world, providing low latency and high transfer speeds. It can serve both static content (from S3) and dynamic content (from origins like ALBs). It also integrates seamlessly with AWS WAF for application-layer protection.
A company wants to connect its on-premises network to a VPC using an AWS Site-to-Site VPN. For redundancy, they have two customer gateway devices at their data center. How should the VPN connection be configured for high availability?
To achieve high availability with two customer gateway devices, you should create a single AWS virtual private gateway (VGW) and establish two separate VPN connections to it, one from each of your customer gateway devices. AWS will provide two tunnels for each VPN connection, giving you a total of four redundant tunnels into the AWS region.
An engineer is using `ping` to test connectivity to an EC2 instance from their laptop, but it fails. However, they can successfully connect to a web server on the instance using a browser. What is the most likely reason for the `ping` failure?
The `ping` utility uses the ICMP protocol. By default, security groups do not allow inbound ICMP traffic. Even if TCP port 80 (for HTTP) is open, allowing web browser access, ICMP traffic will be blocked unless an explicit inbound rule is added to the instance's security group to allow it.
A network engineer is creating a dual-stack VPC with both IPv4 and IPv6 CIDR blocks. What is the source of the IPv6 CIDR block for the VPC?
When you enable IPv6 for a VPC, you cannot choose your own CIDR block range. AWS assigns a unique /56 IPv6 CIDR block to your VPC from its own pool of IPv6 addresses. You then assign /64 CIDR blocks from this /56 range to the subnets within your VPC.
In a hybrid DNS architecture, what is the function of a Route 53 Resolver outbound endpoint?
An outbound endpoint allows DNS queries originating within your VPCs to be forwarded to an external DNS server, such as one in your on-premises data center. You create Resolver rules that specify which domain queries should be forwarded and to which IP addresses.
An architect is choosing between VPC peering and AWS Transit Gateway to connect three VPCs. What is a key advantage of using Transit Gateway in this scenario?
Even with only three VPCs, Transit Gateway simplifies the network. With VPC peering, you would need three separate peering connections to create a full mesh. With Transit Gateway, each VPC only needs one attachment to the gateway. The Transit Gateway acts as a hub, and all VPCs can communicate with each other through it (transitive routing), simplifying management and scaling.
A network engineer is allocating CIDR blocks for a new VPC. What is the maximum size CIDR block that can be assigned to a VPC?
According to AWS documentation, the largest CIDR block you can assign to a VPC is a /16 netmask, which provides 65,536 private IPv4 addresses. The smallest is a /28, which provides 16.
An administrator for an AWS Organization wants to prevent any IAM user in a member account from disabling AWS Config. Which policy is the MOST effective tool for this?
Service Control Policies (SCPs) are the most effective way to enforce permissions guardrails across an organization. By creating an SCP that explicitly denies the `config:StopConfigurationRecorder` and `config:DeleteConfigurationRecorder` actions and attaching it to the relevant OU or account, you can prevent even local administrators in that account from disabling AWS Config.
An administrator is setting up a new Direct Connect connection and needs to configure the physical connection for maximum resiliency. The Direct Connect partner offers two separate routers at the co-location facility. How should the administrator order the connections?
For maximum resiliency, you should provision two separate Direct Connect connections, terminating each one on a different router at the AWS Direct Connect location and a different device on your on-premises network. This protects against device failure on either side, as well as fiber cuts to a single device.
An application behind a Classic Load Balancer is reporting the load balancer's private IP as the source IP for all requests. How can the application be configured to see the actual client IP address?
Classic Load Balancers (and Application Load Balancers) add the `X-Forwarded-For` HTTP header to requests, which contains the original client's IP address. The backend application servers must be configured to parse this header to get the true source IP.
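The header parsing described above has a trap: everything to the left of the entry the load balancer appends is supplied by the client. This added example (not code from the exam page) reads the client address from the right, given the number of proxies you control; the header values and addresses are constructed.

```python
import ipaddress

# Added example: read the client IP from X-Forwarded-For the way a server
# behind a CLB/ALB should. Only apply this when the TCP peer is the load
# balancer; a direct connection would let anyone set the header freely.


def naive_client_ip(xff_header):
    """The common mistake: take the leftmost entry, which the client controls."""
    return xff_header.split(",")[0].strip() if xff_header else None


def client_ip_from_xff(xff_header, trusted_proxy_count=1):
    """Return the client IP from an X-Forwarded-For value, or None.

    The load balancer appends the address it received the request from to
    whatever X-Forwarded-For the client already sent, so only the rightmost
    entries can be trusted. trusted_proxy_count is the number of proxies you
    operate in front of the application (1 for a single CLB or ALB, 2 when
    CloudFront sits in front of that load balancer).
    """
    if not xff_header:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Counting from the right, the last (trusted_proxy_count - 1) entries were
    # appended by proxies behind the outermost one; the entry before them is
    # the client as seen by that outermost trusted proxy.
    index = len(hops) - trusted_proxy_count
    if index < 0:
        return None
    try:
        # Reject junk such as "unknown" or an injected non-address token.
        return str(ipaddress.ip_address(hops[index]))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed header: the client forged a leading entry, then the CLB
    # appended the real peer address 203.0.113.5.
    forged = "198.51.100.1, 203.0.113.5"
    print(naive_client_ip(forged))      # 198.51.100.1 (attacker-chosen)
    print(client_ip_from_xff(forged))   # 203.0.113.5
    # Constructed CloudFront -> ALB chain: 192.0.2.20 stands in for the edge.
    print(client_ip_from_xff("203.0.113.5, 192.0.2.20", trusted_proxy_count=2))
```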
A network engineer observes that one of their two Direct Connect connections in a LAG is down. How can they confirm which specific connection has failed?
Both the AWS Management Console for Direct Connect and the AWS CLI provide detailed information about the state of individual connections, including those that are part of a LAG. You can inspect the `connectionState` property of each member connection to identify which one is 'down' while others are 'available'.
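As an added example (not from the exam page), the check below evaluates LAG member state from the JSON shapes returned by `aws directconnect describe-lags` and `aws directconnect describe-connections`; the LAG and connection records here are constructed, not real IDs.

```python
# Added example: find failed members of a Direct Connect LAG and check whether
# the LAG still meets its minimumLinks threshold. Records are constructed.

LAGS = {
    "lags": [
        {"lagId": "dxlag-example1", "lagState": "available",
         "minimumLinks": 1, "numberOfConnections": 2}
    ]
}

CONNECTIONS = {
    "connections": [
        {"connectionId": "dxcon-member1", "lagId": "dxlag-example1",
         "connectionState": "available"},
        {"connectionId": "dxcon-member2", "lagId": "dxlag-example1",
         "connectionState": "down"},
        # A standalone connection carries no lagId and must be ignored.
        {"connectionId": "dxcon-standalone", "connectionState": "available"},
    ]
}


def lag_health(lag, connections):
    """Return which members of one LAG are not 'available' and whether the
    LAG still satisfies its minimumLinks threshold."""
    members = [c for c in connections if c.get("lagId") == lag["lagId"]]
    failed = sorted(c["connectionId"] for c in members
                    if c["connectionState"] != "available")
    healthy = len(members) - len(failed)
    return {
        "lagId": lag["lagId"],
        "healthy_links": healthy,
        "failed_links": failed,
        "meets_minimum": healthy >= lag["minimumLinks"],
    }


def report(lags_json, connections_json):
    """Evaluate every LAG in a describe-lags payload."""
    return [lag_health(lag, connections_json["connections"])
            for lag in lags_json["lags"]]


if __name__ == "__main__":
    for entry in report(LAGS, CONNECTIONS):
        print(entry)
```

In practice, feed it the output of `aws directconnect describe-lags --output json` and `aws directconnect describe-connections --output json`.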
An engineer is configuring a BGP session over a Direct Connect connection. They want to influence inbound traffic from AWS to their on-premises network by making one path preferred over another. Which BGP attribute should be manipulated on the on-premises router?
AS_PATH prepending is a common technique to influence inbound routing from AWS. By adding your own ASN multiple times to the AS_PATH for a specific route advertisement, you make that path appear longer to AWS. BGP's path selection algorithm prefers shorter AS_PATHs, so AWS will prefer the route with fewer prepends.
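To make the mechanism concrete, this added example (not from the exam page) runs a simplified BGP decision over two advertisements of the same prefix and shows the choice flip once the backup path is prepended; the ASN and neighbor addresses are constructed, and the real decision process has further steps (origin, MED and so on) that are omitted here.

```python
import ipaddress

# Added example: simplified BGP best-path selection demonstrating AS_PATH
# prepending. ASN 65000 and the 169.254.x.x peers are constructed values.

ON_PREM_ASN = 65000


def prepend(as_path, asn, times):
    """Return as_path with `asn` prepended `times` extra times."""
    return [asn] * times + list(as_path)


def select_best_path(candidates):
    """Highest LOCAL_PREF wins, then the shortest AS_PATH; remaining ties go
    to the lowest neighbor address (a stand-in for the later tie-breakers).
    Each candidate is {"neighbor": str, "local_pref": int, "as_path": list}."""
    return min(
        candidates,
        key=lambda r: (-r["local_pref"], len(r["as_path"]),
                       ipaddress.ip_address(r["neighbor"])),
    )


def steer_inbound(prepend_count_on_backup):
    """Advertise one prefix over two VIFs, prepending only on the backup VIF,
    and return the neighbor AWS would select for traffic to on-premises."""
    primary = {"neighbor": "169.254.20.1", "local_pref": 100,
               "as_path": [ON_PREM_ASN]}
    backup = {"neighbor": "169.254.10.1", "local_pref": 100,
              "as_path": prepend([ON_PREM_ASN], ON_PREM_ASN,
                                 prepend_count_on_backup)}
    return select_best_path([primary, backup])["neighbor"]


if __name__ == "__main__":
    # Without prepending both paths tie and the tie-breaker picks the backup.
    print(steer_inbound(0))   # 169.254.10.1
    # Three prepends make the backup AS_PATH four hops long; primary wins.
    print(steer_inbound(3))   # 169.254.20.1
    print(prepend([ON_PREM_ASN], ON_PREM_ASN, 3))  # [65000, 65000, 65000, 65000]
```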