AWS Certified Advanced Networking - Specialty · Difficulty

Medium ANS-C01 practice questions

Applied — put a concept to work in a realistic situation. 108 medium questions available — no sign-up, always free.

Question 1 of 25

A financial services company runs a public-facing web application behind an internet-facing Application Load Balancer (ALB) with an HTTPS listener using an ACM certificate. A compliance audit requires that all TLS connections enforce forward secrecy and disallow any TLS versions below 1.2. The security team must ensure that the ALB rejects clients that cannot negotiate a cipher supporting forward secrecy, while minimizing operational overhead. What is the MOST appropriate action?

Reviewed for accuracy · Report an issue
Question 2 of 25

A financial services company exposes a partner-facing REST API behind an Application Load Balancer (ALB) with an HTTPS listener. Security policy now requires that only partner client applications presenting a certificate issued by the company's own private certificate authority may connect, and any connection presenting an untrusted or expired client certificate must be rejected at the ALB before reaching the backend targets. The team wants a managed solution that minimizes custom code on the targets. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 25

A company runs three microservices behind a single Application Load Balancer using the domain shop.example.com. Requests to /api/orders must reach the orders service, /api/inventory must reach the inventory service, and all other paths must reach a default web frontend service. Each service runs in its own target group. The networking team must implement this routing with the fewest ALB resources while ensuring unmatched requests always land on the frontend. Which configuration meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 25

A retail company runs a production web application behind an Application Load Balancer. The platform team wants to perform blue/green deployments by gradually shifting a percentage of live traffic from the current version (green) to a new version (blue) on the same listener, monitoring error rates before completing the cutover. Both versions are registered in separate target groups. What is the correct way to configure the ALB to shift a controlled percentage of traffic between the two versions?

Reviewed for accuracy · Report an issue
Question 5 of 25

A financial services company must ensure that no network ACL in any of its 40 member accounts allows unrestricted inbound SSH (TCP port 22 from 0.0.0.0/0). The security team wants automatic detection of violations across all accounts and regions, plus automatic remediation that removes the offending rule whenever one appears. The solution must produce an auditable record of compliance status for regulators. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 25

A network operations team manages all VPC security groups, route tables, and NACLs through a CloudFormation stack to enforce a consistent baseline. During an incident, an engineer manually added an inbound rule to a security group via the console to restore service quickly. Weeks later, the team wants to programmatically identify every resource in the stack whose live configuration no longer matches the template, without disrupting running resources. Which approach meets this requirement with the least operational effort?

Reviewed for accuracy · Report an issue
Question 7 of 25

A network operations team manages 40 AWS accounts under a single AWS Organizations structure. They need to deploy an identical set of interface VPC endpoints (for SSM, EC2 Messages, and CloudWatch Logs) into a standard VPC in every account, and ensure that any newly created account automatically receives the same endpoints without manual intervention. The solution must minimize ongoing operational effort. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 8 of 25

A financial services company runs a latency-sensitive trading API on an Application Load Balancer in two AWS Regions (us-east-1 and eu-west-1). Global clients connect over TCP with long-lived, encrypted sessions and cannot tolerate connection resets during a regional failure. The API responses are fully dynamic and non-cacheable. The company wants clients to always use a single fixed set of static IP addresses and needs sub-minute automatic regional failover. Which edge design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 25

A media company serves a static single-page application and its API from CloudFront. The origin is an S3 bucket in us-east-1 for static assets, and a Regional Application Load Balancer in us-east-1 for the API. Leadership requires that if the entire us-east-1 origin infrastructure becomes unavailable, viewers automatically continue to be served from a warm standby stack deployed in us-west-2 — without requiring any DNS TTL wait or client-side changes. Which CloudFront configuration meets this requirement with the least additional latency during normal operation?

Reviewed for accuracy · Report an issue
Question 10 of 25

A media company runs a web application behind an internal (private) Application Load Balancer inside a VPC. They want to serve this application globally through Amazon CloudFront for caching and TLS termination at the edge, but the security team mandates that the ALB must NOT be publicly accessible from the internet — traffic must only reach the ALB from CloudFront. Which design meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 11 of 25

A media company hosts a static website with downloadable assets in an S3 bucket and serves it globally through CloudFront. Security requires that the S3 bucket be completely private and only accessible through the CloudFront distribution, and the solution must support SSE-KMS encrypted objects while following current AWS best practices. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 12 of 25

A company runs a Site-to-Site VPN connection to AWS with two tunnels for redundancy. The network operations team wants to be automatically notified within a few minutes whenever either tunnel changes state, and they want to trigger a Lambda function that pages the on-call engineer. They must use native AWS metrics without deploying any agents. Which approach meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 13 of 25

A global e-commerce company hosts its application on EC2 behind an Application Load Balancer in us-east-1, with CloudFront in front. Users in Southeast Asia have started reporting slow page loads and intermittent errors over the past two days, but internal synthetic canaries running from AWS regions show healthy latency. The network operations team needs to determine whether the degradation is caused by internet path issues (such as an ISP or transit provider problem) affecting specific city/ASN combinations, and quantify the impact on real users without deploying agents. Which AWS capability should the team use?

Reviewed for accuracy · Report an issue
Question 14 of 25

A network operations team stores VPC Flow Logs in a CloudWatch Logs log group. During an unexpected NAT gateway data-processing cost spike, an engineer must quickly identify which private instances (source IP addresses) generated the most outbound bytes over the last 3 hours, without deploying additional infrastructure. What is the FASTEST approach to produce this ranked list?

Reviewed for accuracy · Report an issue
Question 15 of 25

A network operations team runs a Transit Gateway connecting 12 VPCs across a region. Users in one VPC report intermittent slow transfers to a shared services VPC. The team suspects a specific TGW attachment is hitting a throughput ceiling but needs data to confirm before escalating. Without deploying any agents, which approach gives the team the fastest way to identify whether that attachment is saturating its bandwidth limit?

Reviewed for accuracy · Report an issue
Question 16 of 25

A company runs a critical application in a VPC that communicates with an on-premises database over an AWS Direct Connect connection. Users intermittently report slow response times, but the Direct Connect virtual interface metrics and BGP session appear healthy. The network team needs a managed AWS solution that continuously measures round-trip latency and packet loss between the VPC subnets and the on-premises database endpoint, with minimal agent installation and near-real-time CloudWatch metrics for alerting. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 25

A financial services company exposes an internal REST API through an Application Load Balancer reachable only within their VPC. The network operations team wants proactive alerting when the API's HTTPS response latency exceeds a threshold or when the endpoint returns error codes, even during periods with no customer traffic. The monitoring must run from within the private network context and generate CloudWatch metrics and alarms. Which approach best meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 18 of 25

A financial services company operates 40 AWS accounts under AWS Organizations, spread across three Regions. The security governance team must continuously evaluate whether any security group in any account permits unrestricted inbound SSH (0.0.0.0/0 on port 22), and they need a single consolidated view of all non-compliant resources across the entire organization without logging into each account. Which approach meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 19 of 25

A financial services company operates 40 AWS accounts under AWS Organizations. The security governance team must continuously detect and report on security groups that allow unrestricted inbound access (0.0.0.0/0) to ports other than 80 and 443 across all accounts and Regions, and produce a single compliance dashboard for auditors. Which approach best meets these governance requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 20 of 25

A security team manages a centralized audit account and needs to continuously verify that no VPC across 40 member accounts (in an AWS Organization) has an internet gateway attached to subnets tagged 'PCI-Restricted'. The team wants a scalable, near-real-time governance solution that produces findings in the audit account without deploying custom Lambda in each member account. Which approach best meets this requirement?

Reviewed for accuracy · Report an issue
Question 21 of 25

A company has a single 10 Gbps dedicated Direct Connect connection at an AWS Direct Connect location, terminating on one physical port. Traffic to AWS has grown, and the network team wants to increase available bandwidth to 20 Gbps while presenting the connection to their router as a single logical interface for simpler management. They also want the ability to add more connections later without reconfiguring VIFs. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 22 of 25

A company has a single production VPC that needs private connectivity to its on-premises data center over an existing 1 Gbps Direct Connect connection. The networking team wants the simplest configuration that provides private, low-latency access to resources in that one VPC and does not require any additional AWS routing constructs beyond what is strictly necessary. Which implementation should the team use?

Reviewed for accuracy · Report an issue
Question 23 of 25

A media company runs an on-premises rendering farm connected to AWS through a 10 Gbps Direct Connect connection. They currently upload large render outputs to an Amazon S3 bucket in us-east-1 over the public internet, but want the traffic to traverse the Direct Connect link instead to reduce cost and improve consistency. The workload must reach S3 and other AWS public service endpoints without going through a VPC. Which Direct Connect configuration meets this requirement?

Reviewed for accuracy · Report an issue
Question 24 of 25

A company has a 10 Gbps Direct Connect connection at a single location. They need to provide private connectivity from their on-premises data center to five VPCs spread across three AWS accounts, all attached to a single Transit Gateway in one Region. They want to minimize the number of virtual interfaces they must provision and manage on the Direct Connect connection. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 25 of 25

A company operates 40 VPCs spread across three AWS accounts in the eu-west-1 Region. They connect to two on-premises data centers using Direct Connect. Requirements: (1) all VPCs must reach on-premises networks over Direct Connect, (2) each VPC's CIDR must be advertised to on-premises, and (3) the design must scale to 100+ VPCs while minimizing per-connection management overhead. They currently use one Direct Connect gateway associated directly with each VPC's virtual private gateway. As they grow, they hit the limit on the number of VGWs that can be associated with a single Direct Connect gateway. Which design change best meets the requirements at scale?

Reviewed for accuracy · Report an issue