AWS Certified Advanced Networking - Specialty · Domain 1 · 30% of exam

Network Design

Drill 20 practice questions focused entirely on Network Design for the AWS ANS-C01 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A financial services company runs a latency-sensitive trading API on an Application Load Balancer in two AWS Regions (us-east-1 and eu-west-1). Global clients connect over TCP with long-lived, encrypted sessions and cannot tolerate connection resets during a regional failure. The API responses are fully dynamic and non-cacheable. The company wants clients to always use a single fixed set of static IP addresses and needs sub-minute automatic regional failover. Which edge design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 2 of 20

A media company serves a static single-page application and its API from CloudFront. The origin is an S3 bucket in us-east-1 for static assets, and a Regional Application Load Balancer in us-east-1 for the API. Leadership requires that if the entire us-east-1 origin infrastructure becomes unavailable, viewers automatically continue to be served from a warm standby stack deployed in us-west-2 — without requiring any DNS TTL wait or client-side changes. Which CloudFront configuration meets this requirement with the least additional latency during normal operation?

Reviewed for accuracy · Report an issue
Question 3 of 20

A media company runs a web application behind an internal (private) Application Load Balancer inside a VPC. They want to serve this application globally through Amazon CloudFront for caching and TLS termination at the edge, but the security team mandates that the ALB must NOT be publicly accessible from the internet — traffic must only reach the ALB from CloudFront. Which design meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 4 of 20

A media company hosts a static website with downloadable assets in an S3 bucket and serves it globally through CloudFront. Security requires that the S3 bucket be completely private and only accessible through the CloudFront distribution, and the solution must support SSE-KMS encrypted objects while following current AWS best practices. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 5 of 20

A financial services company runs a critical hybrid workload that requires an SLA-backed connection between their on-premises data center and a single AWS Region. The design must survive the failure of any one AWS Direct Connect device, any one on-premises router, and an entire Direct Connect location, while maintaining active connectivity with no reliance on VPN failover. The company wants the AWS-recommended maximum resiliency posture. Which connectivity design meets these requirements?

Reviewed for accuracy · Report an issue
Question 6 of 20

A company operates 40 VPCs spread across three AWS accounts in the eu-west-1 Region. They connect to two on-premises data centers using Direct Connect. Requirements: (1) all VPCs must reach on-premises networks over Direct Connect, (2) each VPC's CIDR must be advertised to on-premises, and (3) the design must scale to 100+ VPCs while minimizing per-connection management overhead. They currently use one Direct Connect gateway associated directly with each VPC's virtual private gateway. As they grow, they hit the limit on the number of VGWs that can be associated with a single Direct Connect gateway. Which design change best meets the requirements at scale?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company runs an identical API stack in us-east-1 and eu-west-1, each fronted by a Network Load Balancer. They use AWS Global Accelerator with both NLBs registered as endpoints across two endpoint groups (one per Region). During a planned maintenance window for the eu-west-1 stack, the network team must gracefully remove that Region from receiving new traffic without deregistering endpoints or changing DNS, while allowing existing connections to complete. Which Global Accelerator configuration change accomplishes this MOST effectively?

Reviewed for accuracy · Report an issue
Question 8 of 20

A gaming company runs a multiplayer backend on EC2 instances behind Network Load Balancers deployed in three AWS Regions (us-east-1, eu-west-1, ap-southeast-1). The game uses custom UDP and TCP protocols on non-HTTP ports and requires the lowest possible latency for players worldwide, static entry-point IP addresses that can be embedded in the game client, and fast regional failover if a Region becomes unhealthy. Which edge design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 9 of 20

A company runs workloads across multiple VPCs connected to a Transit Gateway. On-premises servers connect via Direct Connect and must resolve private DNS records hosted in a Route 53 private hosted zone (example.internal). Additionally, EC2 instances in the VPCs must resolve internal DNS names hosted on the on-premises Active Directory DNS servers (corp.example.com). The solution must be highly available and require minimal ongoing operational management. Which approach should the network engineer implement?

Reviewed for accuracy · Report an issue
Question 10 of 20

A company is designing a new AWS environment expected to grow to hundreds of VPCs across multiple accounts and Regions. The network team wants to avoid IP exhaustion and future re-addressing work. They plan to use dual-stack VPCs but want their internal east-west traffic and future workloads to primarily rely on IPv6 to eliminate address overlap concerns. When designing the IPv6 addressing scheme for the VPCs, which approach best meets these goals while allowing centralized, auditable allocation of address space?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company runs a payment processing service behind a Network Load Balancer in an eu-west-1 VPC and exposes it via an AWS PrivateLink endpoint service. A newly acquired subsidiary operates all of its workloads in us-east-1 and must consume this service privately, without traversing the public internet and without requiring the two organizations to coordinate on overlapping RFC 1918 address spaces. The networking team wants the simplest design that keeps traffic on the AWS backbone. Which approach should they implement?

Reviewed for accuracy · Report an issue
Question 12 of 20

A financial services company runs a shared analytics service in a provider VPC. Dozens of consumer accounts, several with CIDR ranges that overlap with the provider VPC and with each other, must reach this single TCP-based service on port 8443. The provider must not manage routing for consumer networks, and consumers must not gain access to any other resources in the provider VPC. Traffic must stay on the AWS private network. Which connectivity design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A financial services company exposes an internal payment API to hundreds of partner VPCs using AWS PrivateLink. The endpoint service is backed by a Network Load Balancer. Partners report intermittent connection failures that correlate with times when the company performs maintenance in one Availability Zone. The company's VPC spans three AZs (us-east-1a, 1b, 1c), but the NLB and endpoint service are configured with subnets only in us-east-1a and us-east-1b. Partner interface endpoints are created in all three AZs. What is the most likely cause of the failures and the correct remediation?

Reviewed for accuracy · Report an issue
Question 14 of 20

A financial services company operates a shared analytics service hosted in a central VPC. More than 40 application VPCs across multiple accounts must reach a single TCP endpoint (port 443) exposed by this analytics service. The security team requires that application VPCs must NOT be able to initiate connections to each other or to any other resource in the central VPC beyond the specific analytics endpoint. CIDR ranges across several application VPCs overlap. Which connectivity design best meets these requirements with the least ongoing administrative overhead?

Reviewed for accuracy · Report an issue
Question 15 of 20

A SaaS provider hosts a proprietary analytics service in its own AWS account and VPC. Hundreds of customers, each in separate AWS accounts and VPCs, must consume this service over private connectivity. Many customers use overlapping RFC 1918 CIDR ranges, and the provider wants to expose only the single analytics service (not its entire VPC) while avoiding any management of customer routing. Which connectivity design best meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 20

A company hosts a public marketing website behind an Application Load Balancer (ALB) in the us-east-1 Region. They own the domain example.com registered in a Route 53 public hosted zone. The web team needs users who type the bare domain https://example.com (the zone apex) to resolve directly to the ALB. They also want to avoid any additional query charges for this specific record where possible and ensure the record automatically tracks the ALB's changing IP addresses. Which Route 53 configuration meets these requirements?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company runs an active-active application across two Regions (us-east-1 and eu-west-1), each fronted by an Application Load Balancer. They use Route 53 with latency-based routing and standard health checks to distribute traffic. During a recent partial outage, the application in us-east-1 was returning HTTP 200 on its health check endpoint but was silently corrupting data due to a dependency failure. Route 53 continued sending traffic there. The networking team needs a DNS-layer control that lets operators reliably and instantly shift 100% of traffic away from an unhealthy Region during an incident, independent of application-level health check status, while still supporting routine automated failover. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 18 of 20

A media streaming company runs identical backend fleets in us-east-1 and eu-west-1, each fronted by a public Network Load Balancer. Users are currently routed to the geographically closest fleet. Ahead of a major regional launch, the operations team wants to gradually shift more traffic toward the eu-west-1 fleet to validate its capacity under production load, while still keeping routing fundamentally based on the physical location of both users and resources. They need a single Route 53 policy that lets them expand or shrink the effective service area of a region using a tunable value. Which Route 53 routing policy meets this requirement?

Reviewed for accuracy · Report an issue
Question 19 of 20

A media streaming company hosts its web application in three AWS Regions: us-east-1, eu-west-1, and ap-southeast-1. The company wants users to be automatically directed to the Region that provides the lowest network round-trip time from their location, while also ensuring that if the endpoint in the selected Region becomes unhealthy, users are routed to the next-best-performing healthy Region. All endpoints serve identical content. Which Route 53 configuration meets these requirements with the least operational overhead?

Reviewed for accuracy · Report an issue
Question 20 of 20

A company is deploying a new microservices platform in IPv6-only subnets within a VPC to conserve IPv4 address space. The services must be able to reach an external partner API that is only reachable via an IPv4 public endpoint (no AAAA record exists for it). The networking team needs a solution that allows the IPv6-only workloads to initiate outbound connections to this IPv4-only destination without assigning IPv4 addresses to the workload instances. Which combination of features should the team enable to achieve this?

Reviewed for accuracy · Report an issue

More ANS-C01 practice

Keep going with the other AWS Certified Advanced Networking - Specialty domains, or take a full timed mock exam.

← Back to ANS-C01 overview