Network Implementation
Drill 20 practice questions focused entirely on Network Implementation for the AWS ANS-C01 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A company runs a payment processing API behind a Network Load Balancer (NLB) with targets registered by instance ID across three Availability Zones. The security team requires that the backend EC2 instances see the original client source IP addresses in their application logs. Additionally, the operations team reports that traffic is being distributed unevenly — some AZs receive far more connections than others, causing hot spots. The NLB currently has cross-zone load balancing disabled. Which combination of actions will preserve original client IPs AND resolve the uneven traffic distribution?
A company runs three microservices behind a single Application Load Balancer using the domain shop.example.com. Requests to /api/orders must reach the orders service, /api/inventory must reach the inventory service, and all other paths must reach a default web frontend service. Each service runs in its own target group. The networking team must implement this routing with the fewest ALB resources while ensuring unmatched requests always land on the frontend. Which configuration meets these requirements?
A retail company runs a production web application behind an Application Load Balancer. The platform team wants to perform blue/green deployments by gradually shifting a percentage of live traffic from the current version (green) to a new version (blue) on the same listener, monitoring error rates before completing the cutover. Both versions are registered in separate target groups. What is the correct way to configure the ALB to shift a controlled percentage of traffic between the two versions?
A company has a single 10 Gbps dedicated Direct Connect connection at an AWS Direct Connect location, terminating on one physical port. Traffic to AWS has grown, and the network team wants to increase available bandwidth to 20 Gbps while presenting the connection to their router as a single logical interface for simpler management. They also want the ability to add more connections later without reconfiguring VIFs. Which approach meets these requirements?
A company has a single production VPC that needs private connectivity to its on-premises data center over an existing 1 Gbps Direct Connect connection. The networking team wants the simplest configuration that provides private, low-latency access to resources in that one VPC and does not require any additional AWS routing constructs beyond what is strictly necessary. Which implementation should the team use?
A media company runs an on-premises rendering farm connected to AWS through a 10 Gbps Direct Connect connection. They currently upload large render outputs to an Amazon S3 bucket in us-east-1 over the public internet, but want the traffic to traverse the Direct Connect link instead to reduce cost and improve consistency. The workload must reach S3 and other AWS public service endpoints without going through a VPC. Which Direct Connect configuration meets this requirement?
A retail company has two Direct Connect locations, one in London and one in Frankfurt, each terminating a dedicated connection with a transit VIF attached to a separate Transit Gateway in eu-west-2 and eu-central-1. The company also has on-premises data centers connected at each Direct Connect location. The networking team wants traffic between the two on-premises data centers to flow directly across the AWS global backbone between the two Direct Connect locations, without traversing the customer's own WAN and without routing through a Transit Gateway. Which approach meets this requirement?
A company has a 10 Gbps Direct Connect connection at a single location. They need to provide private connectivity from their on-premises data center to five VPCs spread across three AWS accounts, all attached to a single Transit Gateway in one Region. They want to minimize the number of virtual interfaces they must provision and manage on the Direct Connect connection. Which approach meets these requirements?
A company runs a fleet of EC2 instances in a private subnet of a dual-stack VPC. The instances have both IPv4 and IPv6 addresses. For IPv4, they already reach the internet through a NAT gateway for software updates. The security team now requires that these instances be able to initiate outbound IPv6 connections to the internet (for example, to fetch packages from IPv6-enabled repositories) but must NOT be reachable from the internet over IPv6. Which configuration meets this requirement?
A company operates a centralized security account containing a Gateway Load Balancer (GWLB) fronting a fleet of firewall appliances. Application teams in separate AWS accounts within the same AWS Organization must route their VPC egress traffic through this inspection fleet using Gateway Load Balancer endpoints (GWLBEs) deployed in each application VPC. The networking team wants application teams to be able to create GWLBEs in their own accounts that point to the centralized GWLB, while keeping the appliance fleet fully managed in the security account. What is the correct way to enable this cross-account architecture?
A company deploys a fleet of third-party firewall appliances behind a Gateway Load Balancer (GWLB) to inspect north-south traffic for a set of application VPCs. During testing, engineers observe that some TCP sessions inspected by the firewalls are being dropped intermittently, while others pass cleanly. Packet captures on the appliances show that return packets for the affected flows are arriving at a different appliance than the one that processed the initial forward packets. Which GWLB configuration change will resolve the dropped sessions?
A company runs a fleet of third-party firewall appliances that must inspect all north-south traffic entering and leaving several application VPCs. The security team wants to centralize these appliances in a dedicated inspection VPC, scale them horizontally, and preserve flow symmetry so that both directions of a connection hit the same appliance. Application teams must not manage the appliances directly. Which implementation meets these requirements?
A company runs a workload across three private subnets in three Availability Zones (AZ-a, AZ-b, AZ-c) within a single VPC. Instances in all three subnets need outbound internet access for software updates. The networking team initially deployed one NAT gateway in AZ-a's public subnet and pointed the route tables of all three private subnets to it. During a recent AZ-a service event, instances in AZ-b and AZ-c also lost outbound connectivity. The team wants to eliminate this cross-AZ dependency while following AWS best practices. What should they implement?
A media company runs a fleet of EC2 instances in private subnets that push telemetry to a single third-party analytics endpoint (one destination IP and port) over HTTPS. Traffic flows through a NAT gateway. During peak events, application logs show connection failures and the CloudWatch metric ErrorPortAllocation for the NAT gateway spikes above zero, even though bandwidth utilization is well below the NAT gateway's throughput limit. What is the MOST effective way to resolve these connection failures?
A company runs a public HTTPS web application behind an Application Load Balancer (ALB) that they want to protect with AWS WAF. They also have a requirement from their security team: the backend EC2 instances must see the original client source IP addresses in the application logs for fraud analysis, without deploying any additional software on the instances. The ALB terminates TLS. Which approach meets both the WAF protection and original client IP requirements with the least operational overhead?
A financial services company is deploying a payment processing API for external partners. Requirements: partners must whitelist a small set of static IP addresses in their firewalls; TLS termination must occur on the backend EC2 instances (not on the load balancer) because a hardware security module (HSM) integration is required; and the solution must support millions of concurrent connections with ultra-low latency. Which load balancing implementation meets all requirements?
A financial services company runs a high-throughput trading API behind a Network Load Balancer (NLB). Currently, the NLB uses a TCP listener on port 443 and passes encrypted traffic through to the EC2 backends, which perform TLS termination. The security team wants to centralize certificate management using AWS Certificate Manager (ACM) and reduce CPU load on the backend instances, while keeping the NLB (not an ALB) as the entry point to preserve ultra-low latency and static IP addresses. Which implementation meets these requirements?
A company runs a fleet of custom UDP-based real-time telemetry servers behind a Network Load Balancer (NLB) in a single VPC. Operations reports that unhealthy backend instances continue to receive UDP traffic, causing packet loss for clients. The team confirms the target group protocol is set to UDP and instances are registered correctly. What is the MOST likely cause and appropriate fix?
A company hosts a critical web application in the us-east-1 Region behind an internet-facing Application Load Balancer (ALB), with a warm standby stack behind a second ALB in us-west-2. Both ALBs share the same domain name, app.example.com, in a public Route 53 hosted zone. The networking team must ensure that if the primary ALB in us-east-1 becomes unhealthy, DNS automatically directs users to the us-west-2 ALB, and that traffic returns to the primary once it recovers. Which Route 53 configuration meets these requirements?
A company operates a shared services VPC (Account A) that hosts internal APIs resolvable via the domain internal.example.com. Application teams run workloads in several VPCs spread across Account B and Account C. All VPCs are attached to a Transit Gateway and have non-overlapping CIDRs. The networking team wants every application VPC to resolve records in the internal.example.com private hosted zone using native Route 53, without deploying Resolver endpoints or running custom DNS servers. What is the correct way to implement this?
More ANS-C01 practice
Keep going with the other AWS Certified Advanced Networking - Specialty domains, or take a full timed mock exam.
← Back to ANS-C01 overview