AWS (Amazon Web Services) Certification

ANS-C01 — AWS Certified Advanced Networking – Specialty Study Guide

62 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.


About the ANS-C01 Exam

The AWS Certified Advanced Networking – Specialty (ANS-C01) certification validates expertise in designing, operating and securing network architectures on AWS, including hybrid connectivity to on-premises networks. This study guide covers all 62 practice questions from our ANS-C01 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.

Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.

62 Practice Questions & Answers

Q1 Medium

You are designing a multi-region AWS architecture where traffic must be routed based on geographic location and application health. Which service combination would best meet these requirements?

  • A CloudFront with origin failover
  • B Application Load Balancer with cross-zone load balancing
  • C Network Load Balancer with UDP protocol
  • D Route 53 with geolocation routing policy combined with health checks ✓ Correct
Explanation

Route 53's geolocation routing policy enables location-based routing decisions, and health checks provide application-aware failover capabilities across regions. CloudFront is primarily for content distribution, while ALB and NLB operate at the load balancing layer without geographic awareness.

Q2 Easy

What is the maximum number of Network Interfaces that can be attached to a single EC2 instance in a VPC?

  • A 8
  • B Unlimited
  • C Depends on instance type ✓ Correct
  • D 2
Explanation

The number of ENIs supported varies by EC2 instance type. For example, t2.micro supports 2 ENIs while larger instances can support many more. This is not a fixed limit across all instance types.

Q3 Medium

Your organization requires that all traffic between on-premises data centers and AWS must be encrypted. You also need redundancy. Which AWS service would you primarily use?

  • A Amazon GuardDuty for threat detection
  • B AWS Site-to-Site VPN with IPSec encryption and redundant connections ✓ Correct
  • C AWS Systems Manager Session Manager
  • D VPC Flow Logs with encryption enabled
Explanation

Site-to-Site VPN encrypts traffic in transit between on-premises and AWS with IPsec. Every VPN connection already has two tunnels terminating on separate AWS endpoints; to remove the on-premises single point of failure, add a second VPN connection from a second customer gateway device. The other options do not provide encrypted tunnels for hybrid connectivity.

Q4 Hard

You need to implement Quality of Service (QoS) policies to prioritize latency-sensitive database traffic over general web traffic within your VPC. What is the most appropriate approach?

  • A Deploy EC2 instances with enhanced networking and use traffic control (tc) with Linux kernel QoS features ✓ Correct
  • B Use VPC traffic mirroring to capture and analyze packets
  • C Configure traffic prioritization through VPC Flow Logs and CloudWatch metrics
  • D Implement Network Load Balancer connection draining with flow hash algorithm
Explanation

While AWS doesn't offer native QoS policies at the VPC level like traditional networks, the Linux kernel's traffic control (tc) tool combined with enhanced networking capabilities allows fine-grained packet prioritization. This approach requires custom implementation but provides QoS functionality.

Q5 Medium

Your company has implemented a hub-and-spoke network topology using AWS Transit Gateway. You discover that traffic between two spoke VPCs is routing through the hub unnecessarily. What feature should you enable?

  • A AWS Direct Connect virtual interfaces for spoke interconnection
  • B Transit Gateway peering attachment
  • C Direct spoke-to-spoke routing through Transit Gateway route tables ✓ Correct
  • D VPC peering between all spoke VPCs
Explanation

Within a single Transit Gateway, the path between two spokes is decided entirely by the route table associated with the source attachment. If spoke-to-spoke traffic is hair-pinning through a hub VPC, that table is sending the other spoke's CIDR to the hub attachment; propagate or statically route the spoke CIDRs to the spoke attachments directly, in both directions, and the hub is bypassed. A peering attachment connects two different transit gateways, usually across regions or accounts, and does nothing for routing inside one gateway. Keep the trade-off in mind: routing spokes directly also bypasses any inspection the hub was performing.

Q6 Medium

When implementing AWS Direct Connect, what is the significance of the BGP ASN (Autonomous System Number)?

  • A It determines the maximum throughput of the connection
  • B It is used by BGP to establish relationships and advertise routes between your network and AWS ✓ Correct
  • C It specifies which AWS regions the connection can access
  • D It encrypts all data traversing the Direct Connect connection
Explanation

BGP ASN is critical for establishing BGP sessions and route advertisements in Direct Connect. Your customer gateway device and AWS use ASNs to identify themselves and exchange routing information. ASN does not affect throughput, encryption, or region access.

Q7 Medium

You are configuring a VPC endpoint for Amazon S3. What is the primary advantage of a Gateway endpoint over an Interface endpoint for this use case?

  • A Gateway endpoints support SSL/TLS encryption while Interface endpoints do not
  • B Gateway endpoints allow fine-grained permission control through bucket policies
  • C Interface endpoints provide redundancy across all availability zones automatically
  • D Gateway endpoints are free while Interface endpoints incur per-hour and data processing charges ✓ Correct
Explanation

A gateway endpoint for S3 is a route-table target at no additional charge, whereas an interface endpoint (PrivateLink) is billed per hour per AZ plus a per-GB data processing fee. Both carry TLS to S3 and both support endpoint policies. The practical reasons to pay for an interface endpoint are reachability from on-premises networks over Direct Connect or VPN and a private DNS name that on-premises clients can resolve, neither of which a gateway endpoint provides, since gateway endpoints only serve traffic that originates inside the VPC.

Q8 Hard

In a complex multi-account AWS environment, you need to ensure consistent network segmentation and security policies across all accounts. Which service is designed specifically for this purpose?

  • A AWS Firewall Manager with AWS Network Firewall rules ✓ Correct
  • B VPC Flow Logs aggregated in a central account
  • C AWS CloudFormation with cross-stack references
  • D Amazon GuardDuty for centralized threat detection
Explanation

AWS Firewall Manager enables centralized management of security rules (including AWS Network Firewall, WAF, and Shield) across multiple AWS accounts and regions. CloudFormation is a provisioning tool, Flow Logs are for monitoring, and GuardDuty is for threat detection—none specifically manage network segmentation policies.

Q9 Easy

What is the primary role of the Customer Gateway in an AWS Site-to-Site VPN connection?

  • A It is the physical or software appliance on your side that initiates and manages the VPN tunnel ✓ Correct
  • B It stores encryption keys for the entire VPN session
  • C It monitors VPN connection health and automatically fails over to backup connections
  • D It represents the AWS side of the VPN connection and manages encryption
Explanation

The Customer Gateway represents your side of the VPN connection—it's the physical device (like a Cisco router) or software appliance that establishes the VPN tunnel to AWS. The Virtual Private Gateway represents the AWS side and handles encryption.

Q10 Hard

You are designing a network for a financial services company with strict data residency requirements. The company has offices in multiple regions and needs isolated network segments. Which networking architecture best addresses these requirements?

  • A Single global VPC spanning multiple regions using Route 53 geoproximity routing
  • B Separate VPCs per region with Transit Gateway for inter-region connectivity and encryption in transit ✓ Correct
  • C VPC peering across all regions without intermediate gateways
  • D Single VPC with multiple subnets in different regions and NACL-based isolation
Explanation

Separate VPCs per region ensures data residency compliance by maintaining isolated network segments, while Transit Gateway provides secure inter-region connectivity with encryption. This approach maintains security boundaries while enabling necessary communication.

Q11 Hard

What does the 'Window Size' parameter represent in the context of TCP window scaling for network performance tuning?

  • A The maximum packet size that can be transmitted in a single frame
  • B The latency threshold before packets are automatically retransmitted
  • C The number of bytes the receiver can accept before requiring an acknowledgment ✓ Correct
  • D The percentage of bandwidth reserved for critical traffic
Explanation

The TCP window is the amount of data the sender may have in flight before it must wait for an acknowledgment. The window field is 16 bits, so without scaling it tops out at 65,535 bytes, which caps throughput at one window per round trip. The window-scale option (RFC 7323), negotiated in the SYN, multiplies the field by 2^shift and allows the large windows that high-bandwidth, high-latency paths need. It does not relate to packet size, retransmission, or bandwidth reservation.
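
The arithmetic behind that explanation, as an added worked example that is not part of the study guide: the bandwidth-delay product gives the window a link needs, the 16-bit field gives the ceiling without scaling, and the smallest RFC 7323 shift that reaches the required window follows from the two. The link figures in the demo (10 Gbps at 70 ms, 1 Gbps at 1 ms) are constructed.

```python
"""Added example (not from the study guide): bandwidth-delay product (BDP)
arithmetic for TCP window sizing, with the 16-bit window limit and the
RFC 7323 window-scale shift worked out for a given link."""

MAX_UNSCALED_WINDOW = 65535   # largest value the 16-bit TCP window field can carry
MAX_SCALE_SHIFT = 14          # largest shift RFC 7323 allows (window up to ~1 GiB)


def bdp_bytes(bandwidth_bps, rtt_ms):
    """Bytes that must be in flight to keep a link of this bandwidth busy
    for one round trip: bandwidth * RTT, converted from bits to bytes."""
    return int(bandwidth_bps * rtt_ms / 1000 / 8)


def window_scale_shift(window_bytes):
    """Smallest window-scale shift whose scaled window (65535 << shift)
    covers window_bytes; None if even the maximum shift is not enough."""
    shift = 0
    while shift <= MAX_SCALE_SHIFT and window_bytes > (MAX_UNSCALED_WINDOW << shift):
        shift += 1
    return shift if shift <= MAX_SCALE_SHIFT else None


def max_throughput_bps(window_bytes, rtt_ms):
    """Upper bound on throughput for a fixed window: one window per RTT."""
    return window_bytes * 8 / (rtt_ms / 1000)


def tune(bandwidth_bps, rtt_ms):
    """Summarise what a link needs from TCP: the BDP, the scale shift that
    reaches it, and the ceiling you are stuck with if scaling is off."""
    bdp = bdp_bytes(bandwidth_bps, rtt_ms)
    return {
        "bdp_bytes": bdp,
        "scale_shift": window_scale_shift(bdp),
        "unscaled_max_bps": int(max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_ms)),
    }


if __name__ == "__main__":
    # Constructed link figures: a 10 Gbps cross-region path with 70 ms RTT,
    # and a 1 Gbps intra-AZ path with 1 ms RTT.
    print(tune(10_000_000_000, 70))
    print(tune(1_000_000_000, 1))
```

The cross-region case is the instructive one: without window scaling a single TCP connection over 70 ms cannot exceed roughly 7.5 Mbps regardless of link speed, which is why bulk transfers between regions either enable scaling (the default on modern Linux) or run many parallel streams.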

Q12 Easy

In AWS VPC, what is the default behavior when you attach an Internet Gateway to a VPC but do not configure route table entries?

  • A No traffic flows through the IGW because routes must be explicitly configured ✓ Correct
  • B All traffic is automatically routed through the IGW
  • C Only broadcast traffic is allowed through the IGW
  • D The IGW attachment fails and returns an error
Explanation

Attaching an IGW is necessary but not sufficient for internet connectivity. You must explicitly add route table entries directing traffic to the IGW (e.g., 0.0.0.0/0 → IGW) for traffic to flow through it.

Q13 Hard

You need to implement conditional routing where traffic to different S3 buckets takes different paths based on the source IP. What combination of services would enable this?

  • A Application Load Balancer with target groups and IP-based routing rules
  • B VPC endpoints with route table entries specifying different endpoints for different prefixes, combined with prefix lists ✓ Correct
  • C S3 bucket policies with IP-based restrictions and Route 53 simple routing
  • D CloudFront distributions with origin access identity and source IP matching
Explanation

A gateway endpoint is installed into specific subnet route tables as a route whose destination is the AWS-managed S3 prefix list. Because route tables are chosen per subnet, the source subnet decides which S3 endpoint, or which other path such as a NAT gateway or an inspection appliance, its traffic takes. Several route tables, several endpoints, and an endpoint policy on each that restricts it to its own buckets together give the per-source routing the question asks for. The ALB, bucket-policy and CloudFront options control access, not the network path.

Q14 Medium

Which metric in VPC Flow Logs helps you identify potential network performance issues related to packet loss?

  • A accept-device-index field
  • B protocol type classification
  • C srcport and dstport values
  • D REJECT and NODATA actions combined with packet count analysis ✓ Correct
Explanation

ACCEPT and REJECT are the values of the action field: REJECT means the packet was dropped by a security group or network ACL, which points at a misconfigured rule or an unwanted connection attempt rather than at loss in the network. NODATA is a value of the log-status field (alongside OK and SKIPDATA) and means no traffic was seen in the aggregation window; SKIPDATA means records were lost. Comparing packet and byte counts for the same flow on the sending and receiving ENIs can reveal drops in between. Flow logs never see packets discarded by the underlying network, so the port, interface and protocol fields are metadata for correlation, not performance indicators.

Q15 Medium

You are implementing AWS Network Firewall for your VPC. What is the relationship between a Network Firewall rule group and a firewall policy?

  • A Rule groups contain individual rules; firewall policies reference multiple rule groups and define how they are applied ✓ Correct
  • B Rule groups apply to VPCs while firewall policies apply only to Transit Gateways
  • C Firewall policies contain rule groups; rule groups are references to the policies that apply them
  • D Rule groups and firewall policies are synonymous terms in Network Firewall architecture
Explanation

Network Firewall architecture separates concerns: rule groups contain the actual filtering rules (stateful or stateless), while firewall policies reference multiple rule groups and define the order of evaluation and default actions. This separation enables reusability and management at scale.

Q16 Hard

In an AWS environment with multiple interconnected VPCs, you observe asymmetric routing where return traffic takes a different path than outbound traffic. Why is this problematic?

  • A Stateful firewalls and security group rules are direction-agnostic and expect symmetric paths for connection tracking ✓ Correct
  • B It increases latency exponentially and causes packet fragmentation errors
  • C It violates AWS service limits and causes automatic connection termination
  • D AWS Network ACLs automatically block asymmetric traffic patterns
Explanation

Security groups are stateful: they track each connection on the ENI and admit return traffic automatically. Network ACLs, by contrast, are stateless and need explicit rules in both directions, so asymmetry only bites them when one path lacks a rule. The real victim is a stateful inspection appliance in the path, such as AWS Network Firewall or a third-party firewall: if the reply reaches an appliance that never saw the SYN, there is no connection entry and the packet is dropped, breaking the application. AWS does not enforce symmetric routing; you enforce it with appliance mode on the Transit Gateway attachment or with route design.

Q17 Medium

What is the primary use case for AWS Global Accelerator compared to Route 53 for managing global traffic?

  • A Global Accelerator provides DNS-based routing while Route 53 uses anycast IP addresses
  • B Global Accelerator is only for CloudFront distribution while Route 53 supports all AWS services
  • C Global Accelerator uses anycast IPs and fixed entry points to optimize network path and reduce latency for any TCP/UDP traffic ✓ Correct
  • D Global Accelerator provides automatic DDoS mitigation while Route 53 does not
Explanation

Global Accelerator uses anycast IP addresses and AWS's global network to provide optimal routing for any application (not just HTTP/HTTPS). It's ideal for non-HTTP protocols and applications requiring consistent IP addresses. Route 53 provides DNS-based geographic routing.

Q18 Medium

When configuring a Network Load Balancer with UDP protocol, what is a key limitation compared to the TCP protocol?

  • A UDP is connectionless, so NLB cannot maintain connection affinity or perform stateful health checks ✓ Correct
  • B UDP traffic incurs higher data processing charges than TCP
  • C NLB UDP endpoints support only IPv4 addresses, not IPv6
  • D UDP connections cannot be load balanced across multiple targets
Explanation

UDP is connectionless, so the NLB cannot observe connection setup or teardown. Targets behind a UDP listener must be health-checked with TCP, HTTP or HTTPS on a port the application also serves, and flows are pinned to a target by a hash of the packet's 5-tuple rather than by tracked connection state. TCP listeners give the NLB real connection state and the features that rely on it.

Q19 Hard

You need to implement a disaster recovery strategy where your secondary region must be completely independent but synchronized with the primary region. What approach best meets this requirement while minimizing Recovery Time Objective (RTO)?

  • A Configure active-active replication using Aurora Global Database for databases and Route 53 failover for networking ✓ Correct
  • B Implement AWS Backup with cross-region snapshots and restore to secondary VPC on failure
  • C Use AWS Database Migration Service (DMS) with continuous replication and separate VPCs with manual failover
  • D Set up daily incremental backups copied to secondary region via S3 cross-region replication
Explanation

Aurora Global Database replicates storage across regions with a typical RPO of about one second, and a secondary region can be promoted in minutes, which is what keeps RTO low. Strictly, it is a single-writer design: secondaries are read-only (write forwarding relays their writes to the primary), so the setup is active-passive for writes even if both regions serve reads. Route 53 health checks with failover routing move clients to the promoted region. AWS Backup, DMS and S3 replication all add restore or replay time that lengthens RTO.

Q20 Easy

What is the significance of the 'Flow Direction' field in VPC Flow Logs?

  • A It identifies which route table entry was used for the traffic
  • B It specifies the geographic direction of traffic flow (North, South, East, West)
  • C It indicates whether traffic is flowing inbound or outbound from the network interface ✓ Correct
  • D It determines the priority level for processing the network packet
Explanation

The flow-direction field reports whether the record is ingress (toward the ENI) or egress (away from it). It is only available in custom log formats (it is a version 5 field); the default version 2 format does not include it, so there you infer direction from which address is the ENI's own. It has no geographic or priority meaning.
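
A small parser that puts the action, log-status and flow-direction fields from this question and from Q14 to work, as an added example that is not part of the study guide. The log format is an assumed custom format (the field list is chosen when the flow log is created) and every record is constructed: one HTTPS session, two rejected SSH attempts from one source, a rejected outbound MySQL attempt, and an idle NODATA interval.

```python
"""Added example (not from the study guide): parse VPC Flow Log records and
summarise rejected flows, non-OK log-status records and flow direction.
The log format below is an assumed custom format chosen at flow-log creation
time, and every record is constructed for illustration."""
from collections import Counter

FIELDS = ("version", "interface-id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "action", "log-status", "flow-direction")

# Constructed records: an HTTPS session, two rejected SSH attempts from one
# source, a rejected outbound MySQL attempt, and an idle interval (NODATA).
SAMPLE_LOG = """\
5 eni-0a1b2c3d 203.0.113.10 10.0.1.20 50000 443 6 12 3456 ACCEPT OK ingress
5 eni-0a1b2c3d 10.0.1.20 203.0.113.10 443 50000 6 10 9000 ACCEPT OK egress
5 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41122 22 6 3 180 REJECT OK ingress
5 eni-0a1b2c3d 198.51.100.7 10.0.1.20 41123 22 6 3 180 REJECT OK ingress
5 eni-0a1b2c3d 10.0.1.20 10.0.2.30 33000 3306 6 5 400 REJECT OK egress
5 eni-0a1b2c3d - - - - - - - - NODATA -
"""

NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes")


def parse_records(text):
    """Split space-separated records into dicts; '-' becomes None for numeric fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or truncated line: skip, do not guess
        rec = dict(zip(FIELDS, parts))
        for key in NUMERIC:
            rec[key] = None if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def summarize(records):
    """REJECT = dropped by a security group or NACL, keyed by direction and
    destination port; non-OK status (NODATA/SKIPDATA) is counted, not charted."""
    rejected = Counter()
    bytes_by_direction = Counter()
    rejecting_sources = Counter()
    non_ok = 0
    for rec in records:
        if rec["log-status"] != "OK":
            non_ok += 1
            continue
        bytes_by_direction[rec["flow-direction"]] += rec["bytes"]
        if rec["action"] == "REJECT":
            rejected[(rec["flow-direction"], rec["dstport"])] += rec["packets"]
            if rec["flow-direction"] == "ingress":
                rejecting_sources[rec["srcaddr"]] += 1
    return {
        "rejected_packets": dict(rejected),
        "rejecting_sources": dict(rejecting_sources),
        "bytes_by_direction": dict(bytes_by_direction),
        "non_ok_records": non_ok,
    }


if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LOG)))
```

The egress REJECT to port 3306 is the record worth reading twice: an instance tried to open a database connection and its own security group or the subnet NACL stopped it, which is either a missing rule or an instance doing something it should not. The NODATA record is skipped rather than counted as traffic.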

Q21 Medium

You are designing a solution where on-premises applications must securely communicate with AWS services without traversing the internet. You also need private DNS resolution for AWS services. Which services should you combine?

  • A Site-to-Site VPN and VPC endpoints for service access
  • B AWS Direct Connect and VPC endpoints with Route 53 private hosted zones ✓ Correct
  • C AWS Client VPN and CloudFront distribution
  • D Virtual Private Gateway and AWS API Gateway
Explanation

Direct Connect provides a dedicated, private connection from on-premises to AWS. VPC endpoints with private hosted zones in Route 53 enable private DNS resolution and service access without internet routing. This combination ensures security and privacy for all communication.

Q22 Medium

In the context of AWS networking, what does 'Jumbo Frames' (frames larger than 1500 bytes) primarily improve?

  • A Network security by obscuring packet metadata
  • B Packet delivery reliability in lossy network conditions
  • C DNS query resolution speed
  • D Throughput and CPU efficiency by reducing the number of frames processed for the same data volume ✓ Correct
Explanation

Jumbo frames (an MTU of 9001 bytes inside a VPC on current instance types) cut the number of frames, and therefore the interrupts and per-packet processing, needed to move the same data. Remember the boundaries: traffic leaving the VPC through an internet gateway or inter-region peering is limited to 1500 bytes, a Site-to-Site VPN tunnel to 1446, and Direct Connect carries jumbo frames only on a private or transit virtual interface with jumbo frames enabled. Path MTU discovery handles the mismatch, which is why ICMP "fragmentation needed" messages must not be blocked.

Q23 Medium

You must implement network segmentation where certain applications can only communicate through specific ports. What AWS feature provides this capability at the network layer?

  • A VPC Flow Logs with CloudWatch metrics
  • B Security Groups with explicit ingress and egress rules
  • C AWS Systems Manager Network Insights
  • D Network ACLs with stateless rules supporting port-based filtering ✓ Correct
Explanation

Security groups are stateful and also filter by port, but network ACLs are the subnet-boundary segmentation tool: stateless rules, evaluated in number order, that allow or deny on protocol, port range and CIDR, including explicit denies that security groups cannot express. NACLs only see traffic crossing the subnet boundary, so two instances in the same subnet are governed by their security groups alone. Use both together for comprehensive segmentation.

Q24 Hard

What is the maximum number of BGP routes (prefixes) that can be advertised to AWS per BGP session over an AWS Direct Connect public virtual interface?

  • A 10000 routes
  • B Unlimited
  • C 100 routes
  • D 1000 routes ✓ Correct
Explanation

The per-BGP-session route quota on a Direct Connect public virtual interface is 1,000 prefixes; on a private or transit virtual interface it is only 100. Neither quota can be increased, and advertising more than the quota causes AWS to take the BGP session down rather than drop the excess routes, which turns an address-plan mistake into an outage. Summarise on-premises prefixes before advertising them and keep the count well under the limit.
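
A pre-flight check for that quota, as an added example that is not part of the study guide: it counts an on-premises prefix list against the per-session limit of each VIF type and shows how much CIDR aggregation buys before the routes go anywhere near a BGP session. The quota values are the published hard limits; the branch address plan is constructed.

```python
"""Added example (not from the study guide): check an on-premises prefix list
against the per-BGP-session route quota of a Direct Connect virtual interface
and show how much CIDR aggregation buys. The quota values are the published
hard limits; the address plan is constructed."""
import ipaddress

# Routes you may advertise to AWS per BGP session; none of these is adjustable.
ROUTE_QUOTA = {"private": 100, "transit": 100, "public": 1000}


def aggregate(prefixes):
    """Collapse adjacent and overlapping prefixes into the fewest supernets."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def plan_advertisement(prefixes, vif_type):
    """Compare raw and aggregated prefix counts with the VIF's quota.
    Exceeding the quota takes the BGP session down, so decide before advertising."""
    quota = ROUTE_QUOTA[vif_type]
    summarized = aggregate(prefixes)
    return {
        "raw": len(prefixes),
        "aggregated": len(summarized),
        "quota": quota,
        "fits_raw": len(prefixes) <= quota,
        "fits_aggregated": len(summarized) <= quota,
        "prefixes": summarized,
    }


def branch_prefixes():
    """Constructed on-prem plan: 192 branch /24s from two contiguous blocks
    plus two adjacent /24s at head office."""
    plan = []
    for block in ("10.100.0.0/17", "172.16.0.0/18"):
        plan += [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=24)]
    plan += ["192.168.4.0/24", "192.168.5.0/24"]
    return plan


if __name__ == "__main__":
    for vif in ("private", "public"):
        print(vif, plan_advertisement(branch_prefixes(), vif))
```

The same 194 routes that would drop a private VIF session shrink to three summaries; what the check cannot tell you is whether those summaries over-advertise address space you do not actually own on-premises, so review the aggregated list before configuring it on the router.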

Q25 Easy

You are implementing a multi-tier application where the web tier must be publicly accessible but the database tier must be private. What subnetting strategy best supports this architecture?

  • A Separate VPCs for each tier with VPC peering
  • B All subnets as private with CloudFront providing public access
  • C Public subnets for web tier with route to IGW; private subnets for database tier with route to NAT gateway in public subnet ✓ Correct
  • D Single public subnet for all resources with security group restrictions
Explanation

This configuration ensures web tier instances have internet access (inbound/outbound) while database tier remains private. The NAT gateway enables outbound internet access from private subnets if needed. This is the standard secure multi-tier VPC design pattern.

Q26 Medium

When implementing AWS PrivateLink for a SaaS application, what is the advantage of using a Network Load Balancer as the service backend?

  • A NLB provides automatic SSL/TLS termination for PrivateLink connections
  • B NLB is the only load balancer type that AWS PrivateLink officially supports
  • C NLB supports extremely high throughput and ultra-low latency while maintaining connection affinity through flow hash ✓ Correct
  • D NLB automatically encrypts all traffic traversing PrivateLink endpoints
Explanation

Network Load Balancers are the natural PrivateLink backend: they handle very high packet rates with low, stable latency and pin each flow to a target by hashing the 5-tuple. They also pass the TCP stream through without terminating TLS, so encryption stays end-to-end between the consumer and your service; PrivateLink itself encrypts nothing. If you need layer-7 features, place an Application Load Balancer behind the NLB as an ALB-type target group.

Q27 Hard

In a hybrid cloud setup using AWS Direct Connect, what mechanism ensures that your on-premises network continues to communicate with AWS if the Direct Connect connection fails?

  • A A backup Site-to-Site VPN connection configured as secondary with lower BGP precedence ✓ Correct
  • B Automatic failover to public internet routing
  • C AWS Backup automatically restoring network configurations
  • D Route 53 health checks redirecting traffic to alternative paths
Explanation

A standby Site-to-Site VPN over the internet keeps on-premises reachability if the Direct Connect circuit fails. For the same prefix, AWS prefers routes learned over Direct Connect to routes learned over VPN, so the VPN sits idle until the Direct Connect BGP session drops; on the on-premises router you express the same preference with local preference, or by prepending the AS path on the VPN advertisements. Expect a bandwidth and latency step-down during failover. Route 53 operates at the DNS level and cannot reroute an IP path.

Q28 Medium

You need to design a network architecture that supports multi-region failover with minimal latency. Which combination of AWS services would best achieve this?

  • A Single NAT Gateway with cross-region replication
  • B Route 53 with health checks, Application Load Balancer, and CloudFront ✓ Correct
  • C Direct Connect with BGP failover configuration
  • D VPC peering across regions with manual DNS updates
Explanation

Route 53 health checks enable automatic failover, ALB provides load balancing, and CloudFront offers edge caching with failover capabilities across regions.

Q29 Easy

What is the maximum number of Elastic IPs you can allocate per region in AWS by default?

  • A Unlimited
  • B 5 ✓ Correct
  • C 10
  • D 20
Explanation

AWS allows 5 Elastic IP addresses per region by default, though this soft limit can be increased through a support request.

Q30 Medium

You are implementing AWS PrivateLink for a SaaS application. Which network components are required on the service provider side?

  • A VPN connection and Route 53 private hosted zone
  • B NAT Gateway and Internet Gateway only
  • C Application Load Balancer with public subnets
  • D Network Load Balancer and VPC Endpoint Service configuration ✓ Correct
Explanation

On the provider side, PrivateLink needs a Network Load Balancer (or a Gateway Load Balancer for inline appliance services) in front of the application, and a VPC endpoint service created from that load balancer. The endpoint service is where you allow-list consumer principals and decide whether connection requests need manual acceptance; consumers then create an interface endpoint in their own VPC.

Q31 Hard

In a complex hybrid network using AWS Direct Connect with multiple virtual interfaces, how would you implement redundancy across different Direct Connect locations?

  • A Configure all traffic through a single Direct Connect with automatic failover to Internet Gateway
  • B Use the same Direct Connect location with multiple 100Gbps connections
  • C Deploy Direct Connect connections in different AWS Direct Connect locations with equal-cost multi-path (ECMP) routing ✓ Correct
  • D Use AWS Site-to-Site VPN as the primary connection and Direct Connect as backup
Explanation

Using Direct Connect in multiple locations with ECMP routing provides true redundancy and load distribution across independent physical locations, eliminating single points of failure.

Q32 Easy

You need to filter network traffic at the subnet level allowing only specific protocol and port combinations. Which AWS feature provides this capability?

  • A AWS WAF
  • B Security Groups
  • C Network Access Control Lists (NACLs) ✓ Correct
  • D VPC Flow Logs
Explanation

NACLs operate at the subnet level and allow you to create explicit allow and deny rules based on protocol, port, and CIDR blocks. Security Groups work at the instance level.

Q33 Medium

When implementing AWS Global Accelerator, what is the primary advantage over using CloudFront for non-HTTP protocols?

  • A Simplified DNS management through Route 53 integration
  • B Lower cost for all traffic types
  • C Automatic DDoS protection without additional charges
  • D Support for TCP and UDP protocols with anycast IP addresses and intelligent routing ✓ Correct
Explanation

Global Accelerator uses anycast to route traffic to optimal endpoints via AWS's private network and supports any TCP/UDP protocol, whereas CloudFront is designed for HTTP/HTTPS content delivery.

Q34 Easy

You are configuring a VPC with CIDR block 10.0.0.0/16. What is the usable number of IP addresses available for EC2 instances in a single subnet with /24 CIDR?

  • A 251 ✓ Correct
  • B 254
  • C 256
  • D 255
Explanation

A /24 subnet has 256 addresses, but AWS reserves five in every subnet: the first four (the network address, the VPC router, the address reserved for DNS, and one reserved for future use) and the last one (broadcast, which VPCs do not support but still reserve). That leaves 251 usable addresses. The same five are reserved in a /28, the smallest allowed subnet, leaving 11.
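
The reservation rule turned into a planning helper, as an added example that is not part of the study guide: it lists the five reserved addresses of any subnet, rejects sizes outside the /16 to /28 range AWS allows, and carves a VPC into per-AZ private and public subnets with their usable counts. The VPC CIDR, AZ names and the /21 private, /24 public layout are constructed choices.

```python
"""Added example (not from the study guide): carve a VPC CIDR into per-AZ
private and public subnets and report the five addresses AWS reserves in
each one. VPC CIDR, AZ names and subnet sizes are constructed."""
import ipaddress

RESERVED_PER_SUBNET = 5   # first four addresses plus the last one


def reserved_addresses(subnet):
    """The five addresses you cannot assign to an instance in an AWS subnet."""
    net = ipaddress.ip_network(subnet)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),          # reserved for DNS; the resolver itself is at VPC base + 2
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),   # VPCs do not support broadcast, but it is still reserved
    }


def usable_hosts(subnet):
    net = ipaddress.ip_network(subnet)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    return net.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs):
    """Give each AZ a /20 block: the first /21 is the private subnet, the first
    /24 of the second /21 is the public subnet, the rest stays free for growth."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=20)
    plan = {}
    for az, block in zip(azs, blocks):
        private, second_half = block.subnets(new_prefix=21)
        public = next(second_half.subnets(new_prefix=24))
        plan[az] = {
            "private": str(private),
            "private_usable": usable_hosts(str(private)),
            "public": str(public),
            "public_usable": usable_hosts(str(public)),
        }
    return plan


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print(plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"]))
```

Sizing the private subnets larger than the public ones reflects where the instance count actually lives; the public subnet mostly holds load balancer nodes and NAT gateways, each of which still consumes an address from the 251.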

Q35 Hard

In a multi-account AWS organization with centralized networking, how would you implement DNS resolution for resources across accounts while maintaining security boundaries?

  • A Configure public hosted zones accessible from all accounts
  • B Deploy separate DNS servers in each account with manual zone transfers
  • C Use VPC peering with host file entries on each EC2 instance
  • D Use Route 53 private hosted zones shared across accounts with VPC associations and restrictive IAM policies ✓ Correct
Explanation

Route 53 private hosted zones can be associated with multiple VPCs across accounts, providing centralized DNS management while maintaining security through IAM policies and VPC boundaries.

Q36 Medium

What is the correct order of evaluation for security groups and network ACLs when traffic flows to an EC2 instance?

  • A Order depends on whether traffic is inbound or outbound
  • B Security Group first, then NACL
  • C They are evaluated simultaneously
  • D NACL first, then Security Group ✓ Correct
Explanation

For traffic flowing to an instance, the network ACL is evaluated first, at the subnet boundary, and the security group on the ENI second; a NACL deny means the security group is never consulted. The order reverses for traffic leaving the instance: the security group is evaluated first and the NACL second as the packet exits the subnet. Because NACLs are stateless, the return half of a connection the security group tracked still needs its own NACL rule in the opposite direction, typically covering the ephemeral port range.
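
A toy evaluator that applies those two orders, as an added example that is not part of the study guide. It models a stateless NACL (numbered rules, first match wins, implicit deny) and a stateful allow-only filter with connection tracking, runs a client's HTTPS request and the server's reply through them in the AWS order, and contrasts a NACL missing its ephemeral-port outbound rule with the corrected one. The same stateful class stands in for the inspection appliance in Q16, to show why a reply on an asymmetric path, whose SYN the appliance never saw, is dropped. All addresses, rule numbers and flows are constructed.

```python
"""Added example (not from the study guide): a toy packet-filter evaluator that
applies a stateless NACL and a stateful filter in the order AWS does
(inbound: NACL then security group; outbound: security group then NACL).
The stateful class also stands in for a firewall appliance in the path, to
show why an asymmetric return path gets dropped. All values are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "all"
    cidr: str              # remote side: source for inbound rules, destination for outbound
    port_from: int         # destination-port range the packet must fall in
    port_to: int
    allow: bool = True     # NACLs may deny; security groups are allow-only
    number: int = 0        # NACL rule number (lowest evaluated first); unused for SGs


def matches(rule, pkt, direction):
    remote = pkt.src if direction == "in" else pkt.dst
    return (rule.proto in ("all", pkt.proto)
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.dport <= rule.port_to)


class Nacl:
    """Stateless: rules are tried in ascending number order, first match wins,
    and the implicit '*' rule denies everything else."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def check(self, pkt, direction):
        for rule in self.rules[direction]:
            if matches(rule, pkt, direction):
                return rule.allow
        return False


class StatefulFilter:
    """Allow-only rules plus connection tracking: a security group on an ENI,
    or a stateful firewall appliance that traffic is routed through."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()

    def check(self, pkt, direction):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if flow in self.flows or reverse in self.flows:
            return True                         # continuation of a tracked connection
        if pkt.proto == "tcp" and not pkt.syn:
            return False                        # mid-connection packet with no state: dropped
        if any(matches(r, pkt, direction) for r in self.rules[direction]):
            self.flows.add(flow)
            return True
        return False


def instance_accepts(pkt, direction, nacl, sg):
    """AWS evaluation order; short-circuiting means a NACL deny never reaches the SG."""
    if direction == "in":
        return nacl.check(pkt, "in") and sg.check(pkt, "in")
    return sg.check(pkt, "out") and nacl.check(pkt, "out")


def demo():
    https_in = Rule("tcp", "0.0.0.0/0", 443, 443, number=100)
    any_out = Rule("all", "0.0.0.0/0", 0, 65535)
    # Weak NACL: lets 443 in but has no outbound rule for the client's ephemeral port.
    weak_nacl = Nacl(inbound=[https_in], outbound=[])
    # Corrected NACL: deny one peer subnet ahead of the allow, and let replies out.
    fixed_nacl = Nacl(
        inbound=[Rule("tcp", "10.0.2.0/24", 443, 443, allow=False, number=90), https_in],
        outbound=[Rule("tcp", "0.0.0.0/0", 1024, 65535, number=100)])
    syn = Packet("203.0.113.10", "10.0.1.20", 50000, 443, syn=True)
    reply = Packet("10.0.1.20", "203.0.113.10", 443, 50000)
    results = {}
    for name, nacl in (("weak", weak_nacl), ("fixed", fixed_nacl)):
        sg = StatefulFilter(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[any_out])
        results[name] = (instance_accepts(syn, "in", nacl, sg),
                         instance_accepts(reply, "out", nacl, sg))
    sg = StatefulFilter(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[any_out])
    results["peer_blocked"] = instance_accepts(
        Packet("10.0.2.5", "10.0.1.20", 40000, 443, syn=True), "in", fixed_nacl, sg)
    # Asymmetric routing: the appliance sees the reply but the SYN took another path.
    appliance = StatefulFilter(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[any_out])
    results["asymmetric_reply"] = appliance.check(reply, "out")
    return results


if __name__ == "__main__":
    print(demo())
```

The "weak" result is the classic NACL symptom: the request gets in, the security group allows the reply, and the subnet silently eats it because nothing in the outbound NACL matches destination port 50000. The "asymmetric_reply" result is the Q16 failure: correct rules, no state, dropped.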

Q37 Hard

You need to monitor network packet flow across your VPC infrastructure for troubleshooting and compliance. Which service would provide the most detailed packet-level visibility?

  • A Traffic Mirroring to send a copy of network traffic to monitoring tools ✓ Correct
  • B VPC Flow Logs with CloudWatch
  • C AWS X-Ray for network tracing
  • D CloudTrail API logging
Explanation

VPC Traffic Mirroring provides packet-level copies of network traffic that can be sent to security and monitoring appliances, offering deeper visibility than Flow Logs which only show metadata.

Q38 Easy

When configuring AWS Site-to-Site VPN, what is the purpose of the Customer Gateway resource?

  • A It represents the AWS side of the VPN connection in the customer's VPC
  • B It handles DDoS protection for the VPN connection
  • C It manages encryption keys for the VPN tunnel
  • D It represents the customer's on-premises VPN endpoint device ✓ Correct
Explanation

The Customer Gateway is a virtual representation of the customer's physical VPN device or software VPN endpoint on the on-premises side of the connection.

Q39 Medium

You are designing a network that requires ultra-low latency communication between EC2 instances. Which placement strategy would you recommend?

  • A Cluster placement group within a single availability zone ✓ Correct
  • B Partition placement group for distributed processing
  • C Spread placement group across multiple availability zones
  • D Deploy instances in different regions with Global Accelerator
Explanation

Cluster placement groups provide the lowest latency by placing instances close together in a single availability zone, ideal for tightly-coupled, low-latency applications.

Q40 Hard

In a scenario where you must comply with data residency regulations, how would you ensure that network traffic does not cross geographic boundaries?

  • A Rely solely on Route 53 geolocation routing
  • B Use S3 bucket policies to restrict data location
  • C Configure VPCs in specific regions with no cross-region peering or Global Accelerator, and disable CloudFront
  • D Use separate AWS accounts for each geography with no networking between them and implement VPC endpoints for required services ✓ Correct
Explanation

Separate regional VPCs with no cross-region connectivity, combined with regional VPC endpoints, ensures data residency compliance while allowing required service access within geographic boundaries.

Q41 Easy

What is the maximum transmission unit (MTU) size supported by AWS Ethernet network interface by default?

  • A 1460 bytes
  • B 9000 bytes
  • C 65535 bytes
  • D 1500 bytes ✓ Correct
Explanation

Every EC2 instance type supports the standard Ethernet MTU of 1500 bytes, and that is the largest MTU that survives leaving the VPC through an internet gateway or a VPN. Inside a VPC, current instance types support an MTU of 9001 (jumbo frames), and many AMIs, Amazon Linux among them, enable 9001 on the ENA interface by default, so check the interface with ip link rather than assuming 1500. The MTU a path can actually carry is that of its smallest link, which is why path MTU discovery must not be blocked.

Q42 Medium

You need to implement a solution where on-premises users can seamlessly access AWS resources with minimal configuration. Which service would best fit this requirement?

  • A Direct Connect with manual routing configuration
  • B AWS Client VPN with certificate-based authentication and split tunneling ✓ Correct
  • C CloudFront with origin access identity
  • D Site-to-Site VPN requiring IPsec configuration on all endpoints
Explanation

AWS Client VPN allows individual users to connect with minimal client-side configuration, supports certificate-based authentication, and enables split tunneling for flexible access patterns.

Q43 Hard

In implementing cross-region VPC peering, what are the key limitations you must consider when designing the network architecture?

  • A No bandwidth limitation but propagated routes require manual configuration and multiple peering connections increase operational complexity ✓ Correct
  • B Cross-region peering only supports IPv4 traffic with a maximum bandwidth of 1Gbps
  • C Maximum of 5 peering connections per VPC regardless of region
  • D Cross-region peering is not supported; only AWS Transit Gateway or Direct Connect can connect regions
Explanation

Cross-region VPC peering has no bandwidth limit and supports both IPv4 and IPv6, but route propagation requires explicit configuration and managing multiple peering connections across regions increases complexity.

Q44 Medium

You are troubleshooting connectivity issues for a customer accessing your application through AWS PrivateLink. What would be the first diagnostic step?

  • A Review CloudFront cache hit ratio
  • B Examine S3 bucket versioning settings
  • C Verify the customer's internet connection speed
  • D Check the Network Load Balancer health checks and target registration status ✓ Correct
Explanation

Health checks and target registration on the Network Load Balancer are critical for PrivateLink functionality; unhealthy targets or registration issues prevent endpoint service connectivity.

Q45 Medium

When designing a high-availability network with Application Load Balancer, which configuration ensures traffic is distributed evenly during target failures?

  • A Set connection draining to 0 seconds
  • B Use a single availability zone with multiple targets
  • C Enable cross-zone load balancing with health checks set to 5-second intervals ✓ Correct
  • D Configure sticky sessions with a duration of 1 hour
Explanation

Cross-zone load balancing distributes traffic evenly across all healthy targets in all availability zones, and aggressive health checks enable quick failover when targets become unhealthy.

Q46 Hard

In a network using AWS Transit Gateway, how would you control which VPCs can communicate with each other while allowing all to access a shared services VPC?

  • A Configure NACLs in the shared services VPC to filter traffic
  • B Create separate Transit Gateways for each VPC cluster
  • C Use Transit Gateway route tables with different route propagation and association settings for each attachment ✓ Correct
  • D Rely solely on Security Groups across all VPCs
Explanation

Transit Gateway route tables allow granular control over which attachments can reach which routes; you can create isolated domains while maintaining access to shared services through selective route propagation.
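
A minimal model of that design, as an added example that is not part of the study guide: attachments, route tables, one association per attachment, and propagations that copy an attachment's CIDRs into a table. Two spokes share a table that learns only the shared-services VPC, while the shared VPC's table learns every spoke, and the reachability check insists on a route in both directions, because a one-way static route is the usual way these designs half-work. Attachment IDs, CIDRs and table names are constructed.

```python
"""Added example (not from the study guide): a minimal model of Transit Gateway
route tables, associations and propagations, used to check which attachments
can reach each other in both directions. Attachment IDs, CIDRs and table
names are constructed."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.cidrs = {}         # attachment id -> list of VPC CIDRs behind it
        self.tables = {}        # route table name -> {network: attachment id}
        self.association = {}   # attachment id -> the ONE table that routes its traffic

    def attach(self, attachment, cidrs):
        self.cidrs[attachment] = [ipaddress.ip_network(c) for c in cidrs]

    def create_table(self, name):
        self.tables[name] = {}

    def associate(self, attachment, table):
        self.association[attachment] = table

    def propagate(self, attachment, table):
        """Propagation copies the attachment's CIDRs into a table as routes."""
        for net in self.cidrs[attachment]:
            self.tables[table][net] = attachment

    def add_static_route(self, table, cidr, attachment):
        self.tables[table][ipaddress.ip_network(cidr)] = attachment

    def lookup(self, src_attachment, dst_ip):
        """Longest-prefix match in the table the source attachment is associated with."""
        table = self.tables[self.association[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        candidates = [net for net in table if ip in net]
        if not candidates:
            return None
        return table[max(candidates, key=lambda n: n.prefixlen)]

    def can_reach(self, src, dst):
        """Bidirectional check: the forward route AND the return route must exist."""
        dst_ip = str(self.cidrs[dst][0][1])
        src_ip = str(self.cidrs[src][0][1])
        return self.lookup(src, dst_ip) == dst and self.lookup(dst, src_ip) == src


def build_segmented_tgw():
    """Spokes isolated from each other, all spokes reach the shared-services VPC."""
    tgw = TransitGateway()
    tgw.attach("vpc-spoke-a", ["10.1.0.0/16"])
    tgw.attach("vpc-spoke-b", ["10.2.0.0/16"])
    tgw.attach("vpc-shared", ["10.0.0.0/16"])
    tgw.create_table("spoke-rt")
    tgw.create_table("shared-rt")
    for spoke in ("vpc-spoke-a", "vpc-spoke-b"):
        tgw.associate(spoke, "spoke-rt")      # spokes consult a table that knows only 'shared'
        tgw.propagate(spoke, "shared-rt")     # the shared VPC learns every spoke
    tgw.associate("vpc-shared", "shared-rt")
    tgw.propagate("vpc-shared", "spoke-rt")
    return tgw


def reachability(tgw):
    names = sorted(tgw.cidrs)
    return {(s, d): tgw.can_reach(s, d) for s in names for d in names if s != d}


if __name__ == "__main__":
    for pair, ok in reachability(build_segmented_tgw()).items():
        print(pair, "reachable" if ok else "isolated")
```

The isolation here comes entirely from what the spoke table does not contain; nothing denies spoke-to-spoke traffic, it simply has no route. That is why audits of a Transit Gateway should read the route tables per attachment rather than the list of attachments.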

Q47 Hard

What is the primary architectural difference between AWS Outposts networking and standard AWS region networking?

  • A Outposts use completely different IP addressing schemes with no integration to VPCs
  • B Outposts only support IPv6 addressing to differentiate from region resources
  • C Outposts extend AWS infrastructure on-premises, connected to the parent region over a service link, with a local gateway for routing to the on-premises network ✓ Correct
  • D Outposts require dedicated Direct Connect circuits exclusively for connectivity
Explanation

AWS Outposts are AWS-managed racks installed on-premises that extend a VPC from the parent region onto local hardware. Two distinct paths carry traffic: the service link, an encrypted connection back to the parent region (over Direct Connect or the public internet) that the Outpost uses for control-plane traffic and for reaching region services and the rest of the VPC, and the local gateway (LGW), which routes between Outpost subnets and the on-premises network so local clients can reach Outpost workloads without hairpinning through the region. Subnets on the Outpost use ordinary VPC IPv4 CIDR space, so the Outpost is not a separate addressing domain.

Q48 Hard

You need to implement egress filtering to prevent data exfiltration from your VPCs. Which combination of services would provide the most comprehensive solution?

  • A NAT Gateway alone with default deny policies
  • B NACL deny rules combined with Security Group egress restrictions and VPC endpoint policies for AWS services ✓ Correct
  • C AWS WAF on Internet Gateway
  • D VPC Flow Logs with automatic blocking
Explanation

This combination implements defense-in-depth: NACLs and Security Groups filter traffic at network and instance levels, while VPC endpoint policies ensure access to AWS services only through approved channels.

Q49 Medium

When implementing DNS failover using Route 53, what is the difference between failover routing policy and health check-based simple routing?

  • A Simple routing with health checks automatically fails over while failover routing requires manual configuration
  • B Failover routing automatically switches to secondary resources when primary health checks fail; simple routing requires manual updates ✓ Correct
  • C Both are identical; the names are just different marketing terms
  • D Failover routing only works with Elastic IPs while simple routing works with all resource types
Explanation

Failover routing policy is specifically designed for active-passive scenarios with automatic switching, whereas simple routing with health checks monitors health but doesn't provide automatic failover without additional configuration.

Q50 Medium

You are designing a network for a real-time gaming application requiring extremely low latency and jitter. Which AWS networking feature would be most critical to implement?

  • A AWS Wavelength for 5G edge computing
  • B Enhanced networking with single-root I/O virtualization (SR-IOV) on supported instance types ✓ Correct
  • C CloudFront with regional edge caches
  • D AWS Global Accelerator for all connections
Explanation

Enhanced networking with SR-IOV provides lower latency and more consistent jitter by reducing CPU overhead and improving packet processing performance on the network interface.

Q51 Hard

In implementing network segmentation for compliance purposes, how would you isolate production traffic from development traffic at the network layer?

  • A Rely on application-level firewalls to separate traffic
  • B Use separate VPCs with explicit peering only between necessary components and implement distinct CIDR ranges for each environment ✓ Correct
  • C Use a shared VPC with security group naming conventions
  • D Use a single VPC with subnets named 'prod' and 'dev' with tagging for isolation
Explanation

Separate VPCs provide true network isolation at the infrastructure level, preventing accidental cross-environment communication, while selective peering maintains necessary connections in compliance with least-privilege principles.

Q52 Medium

What is the significance of the BGP Autonomous System Number (ASN) when configuring Border Gateway Protocol (BGP) peering over AWS Direct Connect?

  • A The ASN is used by BGP to identify your network and establish peer relationships; the Amazon-side ASN defaults to 64512 for private virtual interfaces ✓ Correct
  • B The ASN is exclusively for IPv6 routing and does not affect IPv4 connections
  • C AWS assigns a fixed ASN and customers cannot modify it
  • D The ASN determines the bandwidth capacity of your Direct Connect connection
Explanation

Each BGP session over a Direct Connect virtual interface has two ASNs: the customer ASN you supply for your router (a public ASN you own, or a private one in the 64512–65534 range) and the Amazon-side ASN. For a private virtual interface the Amazon side defaults to 64512; when the VIF terminates on a Direct Connect gateway you can choose the Amazon-side ASN at gateway creation (it cannot be changed afterwards). Public virtual interfaces peer with Amazon ASN 7224. The ASN pair identifies the two autonomous systems in route advertisements and is what lets BGP propagate prefixes dynamically and withdraw them on failure; it has no relationship to the bandwidth of the connection.

Q53 Medium

You are designing a multi-region AWS infrastructure with active-active traffic distribution. Your organization requires sub-50ms latency between regions and needs automatic failover. Which combination of services would best meet these requirements?

  • A VPC peering with BGP dynamic routing and CloudWatch alarms triggering manual failover
  • B Route 53 with geolocation routing and Application Load Balancer health checks
  • C Global Accelerator with endpoint groups in multiple regions and health checks configured ✓ Correct
  • D CloudFront with origin failover and Lambda@Edge for latency measurement
Explanation

AWS Global Accelerator advertises static anycast IP addresses from AWS edge locations, so client traffic enters the AWS global network at the nearest edge and rides the backbone to the regional endpoint group instead of traversing the public internet; that is where the latency and jitter improvement comes from. Endpoint health checks and traffic dials let it shift traffic between regions automatically, which is what makes it suitable for active-active multi-region designs. It does not guarantee a specific inter-region latency figure: the physical distance between regions still sets the floor, so the sub-50ms target in the question should be validated against the actual region pair.

Q54 Hard

Your organization is implementing AWS PrivateLink to expose internal microservices to partner organizations. You need to ensure that the endpoint service maintains PII data isolation and prevents cross-tenant access. What is the PRIMARY mechanism to enforce this isolation?

  • A Enable endpoint policy restrictions with principal-based allow/deny statements ✓ Correct
  • B Configure security groups on the Network Load Balancer with strict ingress rules per principal
  • C Use separate subnets for each partner and implement subnet-level NACLs
  • D Configure AWS WAF rules on the PrivateLink endpoint service interface
Explanation

Access to a PrivateLink endpoint service is controlled by the service's permissions: an allow list of AWS principals (accounts, IAM users or roles, or organization ARNs) that may create an interface endpoint to it, optionally combined with manual acceptance of each connection request. On the consumer side, the interface endpoint's policy further restricts which principals and actions may use that endpoint. Together these give principal-based isolation at the service level. The other options do not work here: the NLB behind the endpoint service sees the endpoint's IP address, not the consumer's identity, so per-principal security group rules are not possible unless proxy protocol v2 is enabled and the application enforces the check; subnets and NACLs are consumer-side constructs; and AWS WAF attaches to ALBs, CloudFront, API Gateway and AppSync, not to an endpoint service.

Q55 Medium

You are troubleshooting intermittent packet loss on an EC2 instance in a placement group. The instance occasionally experiences MTU-related packet fragmentation. Which action would MOST directly resolve this issue without affecting other instances?

  • A Migrate the instance to a different availability zone within the same region
  • B Reduce the EC2 instance ENI MTU from 9001 to 1500 bytes ✓ Correct
  • C Increase the VPC CIDR block size to allow for larger frame sizes
  • D Enable jumbo frames on the Network Load Balancer configuration
Explanation

EC2 instances in a VPC default to a 9001-byte MTU (jumbo frames), which is honored within the VPC, across VPC peering in the same region, and over Direct Connect private VIFs when jumbo frames are enabled. Traffic that leaves over an internet gateway, a VPN, or to any hop that only supports a 1500-byte MTU must be fragmented or, if the Don't Fragment bit is set and path MTU discovery is blocked, dropped. Lowering the MTU on the affected instance's ENI to 1500 removes the oversized frames at the source without touching other instances in the placement group. Changing the VPC CIDR has nothing to do with frame size, and an NLB is not in the path of instance-to-instance traffic.

Q56 Hard

Your company operates a hybrid network with AWS and on-premises data centers connected via AWS Direct Connect. You need to implement traffic engineering to prefer certain paths for specific application flows. Which approach would provide the finest granularity of control?

  • A Configure VPC route tables with static routes pointing to specific Direct Connect virtual interfaces
  • B Implement AWS Global Accelerator to optimize routing decisions automatically
  • C Deploy SD-WAN appliances to override BGP decisions with application-aware routing
  • D Use BGP communities and route preferences in your customer gateway to influence path selection ✓ Correct
Explanation

BGP communities and local preference attributes provide native, scalable traffic engineering capabilities in hybrid networks. They allow fine-grained per-flow path selection without requiring additional appliances or cloud-native solutions incompatible with on-premises routing.

Q57 Easy

You are designing a network for a healthcare organization that must comply with HIPAA. The architecture includes EC2 instances processing patient data in private subnets. What is the MINIMUM requirement for network traffic inspection to meet compliance auditing needs?

  • A Deploy AWS WAF on all Network Load Balancers with HIPAA-specific rule groups
  • B Implement packet-level inspection using third-party intrusion detection systems in each subnet
  • C Configure Amazon GuardDuty with threat intelligence and export findings to a central log account
  • D Enable VPC Flow Logs on all ENIs with destination to CloudWatch Logs ✓ Correct
Explanation

VPC Flow Logs provide the foundational network-level visibility required for HIPAA audit trails, capturing metadata about traffic flowing through the network. This enables compliance teams to track data flows and investigate potential unauthorized access.

Q58 Medium

Your organization has implemented AWS Transit Gateway with 15 VPCs across three regions. You notice that traffic between two specific VPCs has latency variance of 40-200ms. After confirming network congestion is not the cause, what is the MOST likely reason?

  • A The Transit Gateway attachment subnets are in different availability zones, causing variable routing paths ✓ Correct
  • B Transit Gateway inter-region peering is routing through AWS global network backbone inconsistently
  • C BGP convergence is incomplete; waiting 60 seconds would resolve the issue
  • D EC2 instances are experiencing CPU throttling due to network packet processing limits
Explanation

A VPC attachment only places a Transit Gateway network interface in the subnets you select, and the Transit Gateway routes each packet through the interface in the same Availability Zone as the source instance when one exists. If a VPC's workload subnets span AZs but the attachment covers only some of them, traffic from the uncovered AZs crosses to another AZ before reaching the Transit Gateway, so different instances take different paths and observe different latency. AWS recommends an attachment subnet in every AZ the VPC uses, and aligning those AZs across the VPCs that talk to each other, to keep paths consistent.

Q59 Medium

You are implementing DNS failover for a critical application using Route 53. The application requires automatic failover within 10 seconds and must handle regional failures gracefully. Which Route 53 routing policy combination would achieve this with MINIMAL configuration overhead?

  • A Failover routing policy with health checks configured and sufficient interval/failure threshold tuning ✓ Correct
  • B Simple routing with alias records and health checks on each endpoint
  • C Latency-based routing with geoproximity bias and manual failover triggers
  • D Weighted routing with CloudWatch-based dynamic weight adjustment via Lambda
Explanation

Route 53 failover routing policy is designed for active-passive scenarios: the primary record answers while its health check passes, and the secondary answers otherwise, with no automation to write. The practical floor is set by health-check parameters and DNS caching: the fastest Route 53 health check interval is 10 seconds, the failure threshold can be as low as 1, and the record TTL must also expire before resolvers stop returning the old answer, so with fast checks and a low TTL (60 seconds or less) detection plus propagation is on the order of tens of seconds rather than a hard 10 seconds. Simple routing records cannot have a health check attached, and the weighted and latency options require extra tooling or manual steps to fail over.

Q60 Hard

Your organization uses AWS Direct Connect with a 100 Gbps port shared across multiple customer VPCs via virtual interfaces (VIFs). You need to implement QoS to guarantee bandwidth allocation for business-critical applications. What is the RECOMMENDED approach?

  • A Deploy SD-WAN controllers to apply QoS rules at the WAN edge
  • B Implement traffic shaping on customer gateway devices to limit bandwidth per VIF ✓ Correct
  • C Configure AWS-side QoS parameters on the Direct Connect connection to prioritize VLANs
  • D Use Transit Gateway with Traffic Flow policies to manage bandwidth across VPCs
Explanation

AWS Direct Connect does not provide native QoS features; traffic shaping must be implemented on customer premises using customer gateway devices or SD-WAN solutions. Controlling bandwidth at the on-premises edge before traffic enters AWS is the standard approach.

Q61 Medium

You are designing network security for a multi-tier application using security groups and NACLs. You need to log all denied connections for compliance purposes. Which combination provides the MOST comprehensive logging with least operational overhead?

  • A Use Amazon Detective to analyze flow records and correlate security group denials automatically
  • B Configure VPC Flow Logs at the ENI level with a REJECT traffic filter ✓ Correct
  • C Enable NACL logs to VPC Flow Logs and security group logs to CloudTrail
  • D Deploy AWS WAF on Application Load Balancer with full logging to S3
Explanation

VPC Flow Logs record traffic that security groups or NACLs deny with the action REJECT (the only other action is ACCEPT; there is no separate DROP action). Creating the flow log with a REJECT filter at the VPC, subnet, or ENI level gives one unified Layer 3/4 source for denied connections without any per-security-group or per-NACL logging configuration, which neither construct offers. The caveat a reviewer should know: a REJECT record does not say whether a security group or a NACL denied the flow, and records with a log-status of NODATA or SKIPDATA carry no flow information and should be excluded from analysis.
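To make the answer concrete, here is an added example (not AWS code and not part of the original guide) that parses default-format VPC Flow Log records, keeps only OK-status REJECT flows, and summarizes the destination ports each source was denied on, which is the first thing a compliance reviewer or an incident responder would pull from this data. The four log lines are constructed for the example; the account ID, ENI ID, and addresses are placeholders.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample records (not real traffic). The last one is a NODATA
# record, which carries no flow information and must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41234 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41235 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()


def parse_flow_log(line):
    """Return a dict for one default-format record, or None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return rec


def rejected_flows(lines):
    """All REJECT records: traffic denied by a security group or a NACL (the log does not say which)."""
    return [r for r in map(parse_flow_log, lines) if r is not None and r["action"] == "REJECT"]


def summarize_rejects(lines):
    """Map each source address to the sorted list of destination ports it was denied on."""
    ports_by_src = defaultdict(set)
    for rec in rejected_flows(lines):
        ports_by_src[rec["srcaddr"]].add(int(rec["dstport"]))
    return {src: sorted(ports) for src, ports in ports_by_src.items()}


if __name__ == "__main__":
    for src, ports in summarize_rejects(SAMPLE_LOG).items():
        print(f"{src} denied on ports {ports}")
```

Running this over the constructed sample reports that 198.51.100.7 was denied on ports 22 and 3389 while the accepted HTTPS flow and the NODATA record are ignored. In production the same functions apply to records read from CloudWatch Logs or S3; a custom flow log format would require adjusting `FIELDS` to match the order you selected.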

Q62 Hard

Your organization implemented a hub-and-spoke network topology using AWS Transit Gateway. During a regional failover scenario, you discover that spoke VPC traffic destined for an on-premises failover site is not automatically rerouting through a secondary Direct Connect connection. What is the PRIMARY cause?

  • A Transit Gateway route tables do not support dynamic BGP route updates from the secondary Direct Connect connection
  • B On-premises BGP configuration is still advertising the secondary path with AS path prepending and without a higher-preference community, so AWS keeps preferring the primary ✓ Correct
  • C Transit Gateway inter-region peering is preventing failover routing to the secondary connection
  • D The Transit Gateway attachment for the primary Direct Connect connection is still active, blocking secondary path adoption
Explanation

The Transit Gateway (via its Direct Connect gateway) chooses among paths learned over Direct Connect using standard BGP path selection: the Direct Connect local-preference communities (7224:7100 low, 7224:7200 medium, 7224:7300 high) are evaluated first, then AS path length. Local preference configured on the customer router is not carried across the eBGP session, so it does not influence the AWS side. A common failover design prepends the AS path on the secondary circuit during normal operation; if the primary circuit stays up but the on-premises site fails over without removing that prepending or tagging the secondary advertisements with a higher-preference community, the primary path still wins the comparison and spoke traffic is not rerouted. Only a withdrawal of the primary prefixes, or a change in the advertised attributes, causes the secondary path to be selected.
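The path-selection reasoning behind both Q56 (using communities and prepending for traffic engineering) and this question can be exercised with a small model. The following is an added example, not AWS or vendor code and not part of the original guide, that implements the two decision steps that matter over Direct Connect (local preference from the 7224 communities, then AS path length) and plays out the failover scenario. The customer ASN 65000, the circuit names, and the assumption that a route without a 7224 community is treated as medium preference are placeholders for illustration.

```python
from dataclasses import dataclass, field

# Direct Connect local-preference communities and the preference they map to.
DX_LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}
ASSUMED_DEFAULT_PREF = 200  # assumption for this model: untagged routes rank as medium


@dataclass
class Path:
    prefix: str
    via: str                 # which Direct Connect circuit advertised it
    as_path: list
    communities: set = field(default_factory=set)

    def local_pref(self):
        prefs = [DX_LOCAL_PREF[c] for c in self.communities if c in DX_LOCAL_PREF]
        return max(prefs) if prefs else ASSUMED_DEFAULT_PREF

    def key(self):
        # Higher local preference first, then shorter AS path.
        return (-self.local_pref(), len(self.as_path))


def advertise(prefix, via, asn, prepend=0, community=None):
    """Build the route an on-premises router announces: optional AS prepending and community."""
    comms = {community} if community else set()
    return Path(prefix, via, [asn] * (1 + prepend), comms)


def best_path(paths):
    """Return the selected path, or None when the top candidates tie (AWS would load-balance)."""
    ranked = sorted(paths, key=Path.key)
    if len(ranked) > 1 and ranked[0].key() == ranked[1].key():
        return None
    return ranked[0]


def failover_scenario():
    """Primary stays up during site failover; does the secondary ever win?"""
    prefix = "192.168.10.0/24"
    primary = advertise(prefix, "dx-primary", 65000)
    secondary_prepended = advertise(prefix, "dx-secondary", 65000, prepend=3)

    # Normal operation: the shorter AS path on the primary wins.
    normal = best_path([primary, secondary_prepended]).via
    # Broken failover (Q62): on-prem swings traffic but leaves the prepend in place.
    broken = best_path([primary, secondary_prepended]).via
    # Fixed failover: re-advertise with preference communities (and no prepend on the secondary).
    fixed = best_path([
        advertise(prefix, "dx-primary", 65000, community="7224:7100"),
        advertise(prefix, "dx-secondary", 65000, community="7224:7300"),
    ]).via
    # Circuit outage: the primary withdraws, so only the secondary remains.
    withdrawn = best_path([secondary_prepended]).via
    return {"normal": normal, "broken": broken, "fixed": fixed, "withdrawn": withdrawn}


if __name__ == "__main__":
    for phase, via in failover_scenario().items():
        print(f"{phase:>9}: {via}")
```

The model shows why the question's "failover site" case differs from a circuit outage: when the primary circuit withdraws its routes, the secondary wins by default, but when both circuits keep advertising, the secondary only takes over if the attributes AWS actually evaluates change in its favour. For Q56's per-application traffic engineering, the same mechanism is applied per prefix: tag the prefixes that should prefer a given circuit with the high-preference community on that circuit and the low one on the other.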

Ready to test your knowledge?

You've reviewed all 62 questions. Take the interactive practice exam to simulate the real test environment.

▶ Start Practice Exam — Free