AWS Certified Advanced Networking - Specialty · Difficulty

Hard ANS-C01 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 33 hard questions available — no sign-up, always free.

Question 1 of 25

A company runs a payment processing API behind a Network Load Balancer (NLB) with targets registered by instance ID across three Availability Zones. The security team requires that the backend EC2 instances see the original client source IP addresses in their application logs. Additionally, the operations team reports that traffic is being distributed unevenly — some AZs receive far more connections than others, causing hot spots. The NLB currently has cross-zone load balancing disabled. Which combination of actions will preserve original client IPs AND resolve the uneven traffic distribution?

Reviewed for accuracy · Report an issue
Question 2 of 25

A network operations team runs a fleet of EC2 instances behind a custom TCP proxy on Nitro-based instance types. Applications intermittently report dropped connections during traffic spikes, but VPC Flow Logs show no REJECT entries and the instances' CPU and memory are healthy. The team suspects the instances are hitting Nitro network performance allowances (such as bandwidth or packet-per-second limits) that cause packets to be queued or dropped. Which approach provides the specific metrics needed to confirm this hypothesis?

Reviewed for accuracy · Report an issue
Question 3 of 25

A financial services company runs a critical hybrid workload that requires an SLA-backed connection between their on-premises data center and a single AWS Region. The design must survive the failure of any one AWS Direct Connect device, any one on-premises router, and an entire Direct Connect location, while maintaining active connectivity with no reliance on VPN failover. The company wants the AWS-recommended maximum resiliency posture. Which connectivity design meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A retail company has two Direct Connect locations, one in London and one in Frankfurt, each terminating a dedicated connection with a transit VIF attached to a separate Transit Gateway in eu-west-2 and eu-central-1. The company also has on-premises data centers connected at each Direct Connect location. The networking team wants traffic between the two on-premises data centers to flow directly across the AWS global backbone between the two Direct Connect locations, without traversing the customer's own WAN and without routing through a Transit Gateway. Which approach meets this requirement?

Reviewed for accuracy · Report an issue
Question 5 of 25

A company deploys a fleet of third-party firewall appliances behind a Gateway Load Balancer (GWLB) to inspect north-south traffic for a set of application VPCs. During testing, engineers observe that some TCP sessions inspected by the firewalls are being dropped intermittently, while others pass cleanly. Packet captures on the appliances show that return packets for the affected flows are arriving at a different appliance than the one that processed the initial forward packets. Which GWLB configuration change will resolve the dropped sessions?

Reviewed for accuracy · Report an issue
Question 6 of 25

A financial services company must inspect all outbound TLS traffic from a centralized inspection VPC using third-party firewall appliances behind a Gateway Load Balancer. A compliance mandate requires that the private keys used for TLS decryption never be exportable in plaintext and that all cryptographic operations be performed on FIPS 140-2 Level 3 validated hardware under the company's sole control. The security team wants to minimize custom key-handling code on the appliances. Which approach BEST satisfies these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 25

A media company runs a fleet of EC2 instances in private subnets that push telemetry to a single third-party analytics endpoint (one destination IP and port) over HTTPS. Traffic flows through a NAT gateway. During peak events, application logs show connection failures and the CloudWatch metric ErrorPortAllocation for the NAT gateway spikes above zero, even though bandwidth utilization is well below the NAT gateway's throughput limit. What is the MOST effective way to resolve these connection failures?

Reviewed for accuracy · Report an issue
Question 8 of 25

A financial services company runs a centralized inspection VPC using AWS Network Firewall to inspect all egress traffic from workload VPCs attached to a Transit Gateway. Auditors require that the security team be able to prove, on demand, exactly which domains each workload attempted to reach over the past 90 days, including connections that were ultimately blocked, without dropping any legitimate traffic during the initial rollout. The security team wants to introduce a new set of stateful rules but is concerned about accidentally blocking business-critical traffic before the rules are validated. Which approach best satisfies both the audit-evidence and safe-rollout requirements?

Reviewed for accuracy · Report an issue
Question 9 of 25

A financial services company operates a multi-account AWS Organization with a centralized inspection VPC that hosts AWS Network Firewall. The security governance team must guarantee that every stateful rule group deployed across all firewall policies in every member account enforces a mandatory drop rule for known malicious domains, and they must be automatically alerted whenever a firewall policy is created or modified in a way that removes this baseline protection. The team wants a scalable, organization-wide approach that centralizes rule management while continuously auditing compliance. Which combination BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 25

A company runs a public-facing web application in a VPC. Internet traffic enters through an Internet Gateway to an Application Load Balancer in public subnets, and the ALB forwards to application instances in private subnets. Security requires that ALL inbound traffic from the Internet be inspected by AWS Network Firewall before reaching the ALB. The team deploys a Network Firewall with firewall endpoints in dedicated firewall subnets. Which route table configuration correctly forces inbound Internet traffic through the firewall endpoint before reaching the public (ALB) subnets?

Reviewed for accuracy · Report an issue
Question 11 of 25

A financial services company hosts a public-facing web application behind an internet-facing Application Load Balancer in a public subnet. The security team requires that all inbound HTTPS traffic from the internet be deep-packet inspected by AWS Network Firewall for exploit signatures BEFORE it reaches the ALB, while preserving the original client source IP for the application's audit logs. The VPC uses an Internet Gateway. Which routing configuration correctly forces inbound internet traffic through the Network Firewall endpoint?

Reviewed for accuracy · Report an issue
Question 12 of 25

A financial services company runs a centralized inspection VPC using AWS Network Firewall to enforce egress controls for all workload accounts. The compliance team requires that (1) all flow and alert logs from the firewall be retained immutably for 7 years, (2) logs be encrypted with a customer-managed key that the security team fully controls, and (3) the security team be able to prove during audits that logging was never disabled. Which combination of configurations BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 25

A financial services company routes all outbound internet traffic from its VPCs through a centralized inspection VPC that uses AWS Network Firewall. Compliance requires that the firewall block access to any HTTPS destination outside an approved list of fully qualified domain names (FQDNs). Currently the firewall's stateful rules match on the TLS Server Name Indication (SNI), but security auditors report that some clients bypass the controls by sending a benign SNI while connecting to a disallowed domain. Which change most directly closes this gap while keeping the approved-domain allow-list model?

Reviewed for accuracy · Report an issue
Question 14 of 25

A financial services company runs a centralized inspection VPC with AWS Network Firewall for all outbound internet traffic from workloads across multiple accounts via a Transit Gateway. The security team must ensure that all data leaving the environment toward on-premises data centers over the Site-to-Site VPN is encrypted in transit, and that any workload attempting to establish an unencrypted (plaintext) connection to an external partner API endpoint is blocked. Traffic to the partner endpoint uses HTTPS on port 443, but the team suspects some legacy applications fall back to HTTP on port 80. Which approach BEST enforces encryption-in-transit requirements for the outbound partner traffic while minimizing operational overhead?

Reviewed for accuracy · Report an issue
Question 15 of 25

A financial services company runs a centralized inspection VPC using AWS Network Firewall to filter east-west traffic between multiple spoke VPCs attached to a Transit Gateway. The security team must prove to auditors that no spoke-to-spoke traffic can bypass the firewall and reach another spoke directly. During a compliance review, an auditor asks how to programmatically and continuously verify that the Transit Gateway route tables associated with spoke attachments always route inter-spoke traffic through the inspection VPC attachment. Which approach best satisfies this continuous governance requirement?

Reviewed for accuracy · Report an issue
Question 16 of 25

A financial services company exposes an internal payment API to hundreds of partner VPCs using AWS PrivateLink. The endpoint service is backed by a Network Load Balancer. Partners report intermittent connection failures that correlate with times when the company performs maintenance in one Availability Zone. The company's VPC spans three AZs (us-east-1a, 1b, 1c), but the NLB and endpoint service are configured with subnets only in us-east-1a and us-east-1b. Partner interface endpoints are created in all three AZs. What is the most likely cause of the failures and the correct remediation?

Reviewed for accuracy · Report an issue
Question 17 of 25

A network operations team manages several critical paths in a large VPC environment, including connectivity from an application EC2 instance to an RDS database across subnets. Recently, an unauthorized security group change silently broke this path for hours before anyone noticed. The team wants an automated, ongoing verification that continuously confirms the intended network path remains reachable and alerts them within minutes when a configuration change breaks it. Which approach best meets this requirement with the least custom development?

Reviewed for accuracy · Report an issue
Question 18 of 25

A financial services company runs a Lambda function attached to a private subnet that intermittently fails to reach an on-premises database over a Site-to-Site VPN. During failures, the CloudWatch metrics show no errors on the VPN tunnels, and the tunnels report UP. The network team suspects that Lambda is exhausting available Hyperplane ENIs or private IP addresses in the subnet during scaling events. Which action MOST directly confirms whether subnet IP address exhaustion is the root cause?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services company runs an active-active application across two Regions (us-east-1 and eu-west-1), each fronted by an Application Load Balancer. They use Route 53 with latency-based routing and standard health checks to distribute traffic. During a recent partial outage, the application in us-east-1 was returning HTTP 200 on its health check endpoint but was silently corrupting data due to a dependency failure. Route 53 continued sending traffic there. The networking team needs a DNS-layer control that lets operators reliably and instantly shift 100% of traffic away from an unhealthy Region during an incident, independent of application-level health check status, while still supporting routine automated failover. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 25

A company is deploying a new microservices platform in IPv6-only subnets within a VPC to conserve IPv4 address space. The services must be able to reach an external partner API that is only reachable via an IPv4 public endpoint (no AAAA record exists for it). The networking team needs a solution that allows the IPv6-only workloads to initiate outbound connections to this IPv4-only destination without assigning IPv4 addresses to the workload instances. Which combination of features should the team enable to achieve this?

Reviewed for accuracy · Report an issue
Question 21 of 25

A financial services company runs a large VPC hosting thousands of EC2 instances that generate a very high volume of DNS queries to the Amazon-provided VPC resolver (the .2 address). During peak trading hours, application teams report intermittent DNS resolution failures and timeouts, but CloudWatch shows CPU and network utilization on the instances is normal. The instances are spread across three Availability Zones. What is the MOST likely cause of the DNS failures, and how should the network team address it?

Reviewed for accuracy · Report an issue
Question 22 of 25

A security team detects that a workload in a specific VPC has been compromised. The VPC is attached to a Transit Gateway that routes traffic between multiple VPCs and an on-premises network via a VPN attachment. The team wants to immediately isolate the compromised VPC from all other attachments and on-premises networks while preserving the ability to investigate the instances through a dedicated forensics VPC that remains reachable. What is the most effective way to achieve this using Transit Gateway features?

Reviewed for accuracy · Report an issue
Question 23 of 25

A company operates workloads in a Transit Gateway in us-east-1 and another Transit Gateway in eu-west-1. They have a single Direct Connect location in the US with a 10 Gbps dedicated connection. The network team must allow on-premises networks to reach VPCs attached to both Transit Gateways over the Direct Connect connection, while minimizing the number of virtual interfaces required. Which implementation meets these requirements?

Reviewed for accuracy · Report an issue
Question 24 of 25

A company runs a hub-and-spoke topology using a Transit Gateway with multiple VPC attachments across three Availability Zones. Application teams report intermittent high latency for east-west traffic between two spoke VPCs, but only for flows that traverse different AZs. The network team must confirm whether traffic is being hairpinned across AZs at the Transit Gateway before opening a support case. Which action provides the most direct evidence of the cross-AZ traffic behavior?

Reviewed for accuracy · Report an issue
Question 25 of 25

A media company runs a large file-transfer workload between two VPCs attached to the same AWS Transit Gateway. On-premises testing showed high throughput using 9001-byte jumbo frames, but after migrating to AWS the application experiences sporadic large-payload failures and reduced throughput. A packet capture on the receiving instance shows that some large packets never arrive, while smaller packets pass normally. The instances themselves are configured with an MTU of 9001. What is the most likely cause and the correct remediation?

Reviewed for accuracy · Report an issue