
[Jun 03, 2025] Get New ANS-C01 Certification Practice Test Questions Exam Dumps
The Amazon ANS-C01 (AWS Certified Advanced Networking Specialty) certification exam is a popular and valuable credential for IT professionals who want to demonstrate their advanced knowledge and skills in designing and implementing AWS network solutions. The certification is designed for individuals who have a strong background in networking and want to specialize in AWS networking technologies.
The AWS Certified Advanced Networking Specialty certification exam is an excellent way for IT professionals to demonstrate their advanced networking skills and knowledge of AWS. By earning this certification, professionals can enhance their career prospects and demonstrate their value to potential employers.
NEW QUESTION # 79
A company is using an AWS Site-to-Site VPN connection from the company's on-premises data center to a virtual private gateway in the AWS Cloud. Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort.
Which solution will meet these requirements?
- A. Configure a transit gateway in the same AWS Region as the existing virtual private gateway. Create a new accelerated Site-to-Site VPN connection. Connect the new connection to the transit gateway by using a VPN attachment. Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.
- B. Create a new AWS Direct Connect connection with a private VIF between the on-premises data center and the AWS Cloud. Update the customer gateway device to use the new Direct Connect connection. Delete the existing Site-to-Site VPN connection.
- C. Create a new accelerated Site-to-Site VPN connection. Connect the new Site-to-Site VPN connection to the existing virtual private gateway. Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.
- D. Edit the existing Site-to-Site VPN connection by enabling acceleration. Stop and start the VPN service on the customer gateway for the new setting to take effect.
Answer: A
NEW QUESTION # 80
What does the term "statistics" mean with respect to CloudWatch metrics?
Response:
- A. Time of a metric collection
- B. Status of a metric
- C. Unit of a metric
- D. Data aggregation over a specific period of time
Answer: D
NEW QUESTION # 81
Your VPC has a DX connection that is advertising 99 routes. You have two more prefixes to add:
10.223.1.0/24 and 10.223.2.0/24. You have several locations, so you need to be as exact as possible with your routing. How would you do this?
Response:
- A. Contact AWS to extend the number of prefixes you are allowed to advertise.
- B. Add the prefixes; AWS allows for as many BGP routes as you need but not static.
- C. Summarize the routes into a 10.223.0.0/12 and advertise that route instead.
- D. Summarize the routes into a 10.223.0.0/22 and advertise that route instead.
Answer: D
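The arithmetic behind the answer, as an added example rather than part of the original question set: the smallest single prefix that covers 10.223.1.0/24 and 10.223.2.0/24 is 10.223.0.0/22, because the two /24s sit at different values of the two low bits of the third octet and cannot be merged into a /23. The 100-prefix limit used below is an assumption about the scenario, not a figure stated on the page, and `is_valid_prefix` shows why option C is not even a well-formed route (10.223.0.0/12 has host bits set; the /12 that contains it is 10.208.0.0/12).

```python
import ipaddress

# Assumption for this example: the private VIF accepts at most 100 advertised
# prefixes, which is why 99 existing routes plus 2 new ones is a problem.
DX_PRIVATE_VIF_MAX_PREFIXES = 100


def smallest_supernet(prefixes):
    """Return the one shortest prefix that covers every network in `prefixes`.

    ipaddress.collapse_addresses() only merges prefixes that combine exactly;
    this always returns a single network, widening it as little as possible.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if len({n.version for n in nets}) != 1:
        raise ValueError("all prefixes must be the same address family")
    bits = nets[0].max_prefixlen
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    plen = bits
    # Shorten the prefix until the lowest and highest address share it.
    while plen > 0 and (lo >> (bits - plen)) != (hi >> (bits - plen)):
        plen -= 1
    base = ipaddress.ip_address(lo)
    return ipaddress.ip_network(f"{base}/{plen}", strict=False)


def excess_addresses(summary, prefixes):
    """How many addresses the summary advertises beyond the prefixes it replaces;
    0 means the summary is exact, which is what 'as exact as possible' asks for."""
    covered = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return summary.num_addresses - covered


def is_valid_prefix(cidr):
    """True only if no host bits are set (10.223.0.0/12 is NOT a valid prefix)."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def plan_advertisement(currently_advertised, new_prefixes,
                       limit=DX_PRIVATE_VIF_MAX_PREFIXES):
    """Prefixes to add: the new ones unchanged if they fit under the limit,
    otherwise one summary route that covers them."""
    if currently_advertised + len(new_prefixes) <= limit:
        return [str(ipaddress.ip_network(p)) for p in new_prefixes]
    return [str(smallest_supernet(new_prefixes))]


if __name__ == "__main__":
    new = ["10.223.1.0/24", "10.223.2.0/24"]
    summary = smallest_supernet(new)
    print(summary, "extra addresses:", excess_addresses(summary, new))
    print("advertise:", plan_advertisement(99, new))
```

The summary costs 512 addresses of over-advertisement (10.223.0.0/24 and 10.223.3.0/24), which is the price of staying under the prefix limit; a practitioner should check that nothing else at another location uses those two /24s before advertising the /22.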
NEW QUESTION # 82
You have defined your original Virtual Private Cloud (VPC) Classless Inter-Domain Routing (CIDR) as
192.168.20.0/24. Your on-premises infrastructure is defined as 192.168.128.0/17.
You have configured a route to on-premises as 192.168.0.0/16 in your VPC route table. You have added a new CIDR range of 192.168.100.0/24 to your VPC.
Which of the following is true?
Response:
- A. The new CIDR range should be contiguous to the existing VPC CIDR range.
- B. The route should be defined for 192.168.128.0/17 to allow more granular routing to on-premises devices. All traffic for 192.168.20.0/24 will now flow to on-premises network.
- C. This is a valid configuration, the more specific route takes the precedence and hence VPC traffic will be routed internally and on-premises traffic will be routed as per VPC route table configuration.
- D. New CIDR ranges cannot be more specific than existing routes
Answer: C
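Two checks make option C concrete, as an added example rather than part of the original question: a VPC route table picks the most specific matching route, so the `local` route that AWS adds for the new 192.168.100.0/24 block wins over the 192.168.0.0/16 route to the virtual private gateway; and AWS only rejects a new VPC CIDR block that is the same as or larger than an existing route's destination, so a /24 inside a routed /16 is accepted. The route table below is constructed from the question's addresses; the target names are placeholders.

```python
import ipaddress


def lookup_route(route_table, dst_ip):
    """Longest-prefix match, as a VPC route table does.

    route_table is a list of (destination_cidr, target) pairs. Returns the
    target of the most specific matching route, or None if nothing matches.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version == dst.version and dst in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_target = net, target
    return best_target


def secondary_cidr_conflicts(new_cidr, route_tables):
    """Return the route destinations that block adding `new_cidr` to the VPC.

    AWS rejects a new VPC CIDR block that is the same as, or larger than, the
    destination of any existing route in the VPC's route tables; a block that
    is more specific than the route destination is allowed.
    """
    new = ipaddress.ip_network(new_cidr)
    conflicts = []
    for rt in route_tables:
        for cidr, _target in rt:
            route = ipaddress.ip_network(cidr)
            if route.version == new.version and route.subnet_of(new):
                conflicts.append(cidr)
    return conflicts


def with_new_cidr(route_table, cidr):
    """Associating a CIDR block with the VPC adds a `local` route for it."""
    return route_table + [(cidr, "local")]


# Constructed from the question; "vgw-on-premises" is a placeholder target.
ROUTE_TABLE = [
    ("192.168.20.0/24", "local"),            # original VPC CIDR
    ("192.168.0.0/16", "vgw-on-premises"),   # route to the on-premises /17 and beyond
]

if __name__ == "__main__":
    print("conflicts:", secondary_cidr_conflicts("192.168.100.0/24", [ROUTE_TABLE]))
    rt = with_new_cidr(ROUTE_TABLE, "192.168.100.0/24")
    for ip in ("192.168.100.10", "192.168.130.5", "192.168.20.7"):
        print(ip, "->", lookup_route(rt, ip))
```

Before the secondary CIDR is added, 192.168.100.10 would have been sent to the virtual private gateway; afterwards it stays local. Trying to add 192.168.0.0/16 itself is rejected because it equals the existing route's destination.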
NEW QUESTION # 83
A company has two AWS accounts one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
- A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
- B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Connectivity account: Create an attachment to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
- D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
Answer: C
Explanation:
The transit gateway is owned by the Connectivity account. After the Connectivity account shares it through AWS RAM and the Production account accepts the share, the Production account creates the VPC attachment to the transit gateway. Because auto-accept of shared attachments is disabled, the Connectivity account must then accept the attachment and associate a route table with it.
https://repost.aws/knowledge-center/transit-gateway-sharing
NEW QUESTION # 84
Select the VPC Peering statement below that is NOT true.
Response:
- A. TCP connections can be performed between peered VPCs
- B. VPC peering supports transitive peering relationships for IPv6 traffic but not IPv4
- C. UDP connections can be performed between peered VPCs
- D. VPC peering can be performed between VPCs in different AWS accounts in the same region
Answer: B
NEW QUESTION # 85
Which two AWS services help mitigate a DDoS attack? (Choose two.)
Response:
- A. DynamoDB
- B. AWS Shield
- C. CloudFront
- D. Elastic Beanstalk
Answer: B,C
NEW QUESTION # 86
A company has been using an outdated application layer protocol for communication among applications. The company decides not to use this protocol anymore and must migrate all applications to support a new protocol. The old protocol and the new protocol are TCP-based, but the protocols use different port numbers.
After several months of work, the company has migrated dozens of applications that run on Amazon EC2 instances and in containers. The company believes that all the applications have been migrated, but the company wants to verify this belief. A network engineer needs to verify that no application is still using the old protocol.
Which solution will meet these requirements without causing any downtime?
- A. Use Amazon Inspector and its Network Reachability rules package. Wait until the analysis has finished running to find out which EC2 instances are still listening to the old port.
- B. Configure VPC flow logs to be delivered into an Amazon S3 bucket. Use Amazon Athena to query the data and to filter for the port number that is used by the old protocol.
- C. Enable Amazon GuardDuty. Use the graphical visualizations to filter for traffic that uses the port of the old protocol. Exclude all internet traffic to filter out occasions when the same port is used as an ephemeral port.
- D. Inspect all security groups that are assigned to the EC2 instances that host the applications. Remove the port of the old protocol if that port is in the list of allowed ports. Verify that the applications are operating properly after the port is removed from the security groups.
Answer: B
Explanation:
Configuring VPC flow logs to be delivered into an Amazon S3 bucket captures information about the IP traffic going to and from network interfaces within the VPC. Using Amazon Athena to query the data and to filter for the port number that is used by the old protocol identifies the applications that are still using the old protocol, without touching the running workloads.
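The same filter, written against raw flow log records instead of Athena, as an added example that is not part of the original page. The port numbers, VPC CIDR and the log lines themselves are constructed for the example; the field order is the default version 2 flow log format. Two filters handle the false positive that option C alludes to: a flow is only counted when the destination port is the old service port, the source port looks like a client's ephemeral port, and the source is inside the VPC, so an internet server replying to a client that happened to pick the old port as its ephemeral port is not reported.

```python
import ipaddress
from collections import Counter

# Assumptions for this example (the page gives no port numbers or CIDRs).
OLD_PORT = 8080                                   # port of the retired protocol
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]  # the VPC being audited
EPHEMERAL_MIN = 1024                              # client source ports start here

# Default VPC flow log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 51234 8080 6 12 1500 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.20 10.0.1.10 8080 51234 6 10 2300 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.11 10.0.2.20 51235 8443 6 12 1500 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.7 10.0.2.30 443 8080 6 8 900 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.12 10.0.2.21 51300 8080 17 3 300 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.13 10.0.2.20 51301 8080 6 1 60 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1718000000 1718000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no addresses."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def in_vpc(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)


def old_protocol_flows(text, old_port=OLD_PORT):
    """Count (src, dst, action) for TCP flows whose destination is the old port.

    REJECTed attempts are counted too: a client that still dials the old port
    is a migration gap even if a security group now blocks it.
    """
    hits = Counter()
    for rec in parse_flow_log(text):
        if rec["protocol"] != 6:                      # both protocols are TCP
            continue
        if rec["dstport"] != old_port or rec["srcport"] < EPHEMERAL_MIN:
            continue                                  # reply half or odd port
        if not in_vpc(rec["srcaddr"]):
            continue                                  # internet peer, not our app
        hits[(rec["srcaddr"], rec["dstaddr"], rec["action"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, action), n in old_protocol_flows(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{OLD_PORT} {action} x{n}")
```

Run over the sample, this reports one accepted and one rejected client still talking to the old port, and nothing for the UDP flow, the reply direction, or the internet server whose reply landed on port 8080. The source-port heuristic is only that: services that run on high ports need a per-service exception list.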
NEW QUESTION # 87
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?
Response:
- A. Configure a VPN connection to the company's AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
- B. Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over the Direct Connect connection.
- C. Configure an AWS Direct Connect private virtual interface to the company's AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
- D. Configure a VPN connection to the company's AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.
Answer: C
Explanation:
With a public VIF (option B), requests reach Amazon S3 from the data center's public IP address, which is exactly what the bucket policy denies. With a private VIF into the VPC and a proxy that reaches Amazon S3 through a VPC endpoint (option C), requests from on-premises enter S3 from inside the VPC and the bucket policy can be pinned to that endpoint (aws:SourceVpce) instead of to a public address. The NAT gateway in option A would again present a public IP to S3.
NEW QUESTION # 88
A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
- B. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with the full service endpoint name for Amazon S3 and for Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
- C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.
- D. Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
Answer: B
Explanation:
https://aws.amazon.com/es/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/
https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-access-to-vpc-private-endpoints.html
NEW QUESTION # 89
A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC.
The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?
Response:
- A. Create a total of four private VIFs, and enable VPC peering between all VPCs.
- B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs, enable source/destination NAT in the Management VPC.
- C. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
- D. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
Answer: A
NEW QUESTION # 90
A company uses Amazon Route 53 for its DNS needs. The company's security team wants to update the DNS infrastructure to provide the most recent security posture.
The security team has configured DNS Security Extensions (DNSSEC) for the domain. The security team wants a network engineer to explain who is responsible for the rotation of DNSSEC keys.
Which explanation should the network engineer provide to the security team?
- A. AWS rotates the AWS Key Management Service (AWS KMS) key and the key-signing key (KSK).
- B. AWS rotates the zone-signing key (ZSK). The company rotates the key-signing key (KSK).
- C. The company rotates the zone-signing key (ZSK) and the key-signing key (KSK).
- D. The company rotates the AWS Key Management Service (AWS KMS) key. AWS rotates the key-signing key (KSK).
Answer: B
NEW QUESTION # 91
A network engineer is evaluating a network setup for a global retail company. The company has an AWS Direct Connect connection between its on-premises data center and the AWS Cloud.
The company has AWS resources in the eu-west-2 Region. These resources consist of multiple VPCs that are attached to a transit gateway.
The company recently provisioned a few AWS resources in the eu-central-1 Region in a single VPC close to its users in this area. The network engineer must connect the resources in eu-central-1 with the on-premises data center and the resources in eu-west-2. The solution must minimize changes to the Direct Connect connection.
What should the network engineer do to meet these requirements?
- A. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a public VIF to connect the VPC and the Direct Connect router.
- B. Create a new transit gateway in eu-central-1. Create a peering attachment request to the transit gateway in eu-west-2. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway peering attachment. Accept the peering request. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
- C. Create a new virtual private gateway. Attach the new virtual private gateway to the VPC in eu-central-1. Use a transit VIF to connect the VPC and the Direct Connect router.
- D. Create a new transit gateway in eu-central-1. Use an AWS Site-to-Site VPN connection to peer both transit gateways. Add a static route in the transit gateway route table in eu-central-1 to point to the transit gateway VPN attachment. Add a static route in the transit gateway route table in eu-west-2 to point to the new transit gateway peering attachment.
Answer: B
Explanation:
https://aws.amazon.com/blogs/networking-and-content-delivery/building-a-global-network-using-aws-transit-gateway-inter-region-peering/
NEW QUESTION # 92
A company has a VPC that hosts Amazon EC2 instances in a private subnet. The EC2 Instances use a NAT gateway and an internet gateway for internet connectivity to retrieve data from specific internet websites. The company wants to use AWS Network Firewall to filter outbound traffic.
What should a network engineer do to meet these requirements?
- A. 1. Create a firewall in a new subnet.
2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint.
3. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway.
4. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
- B. 1. Create a firewall in the NAT gateway subnet.
2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway.
3. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint.
4. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
- C. 1. Create a firewall in the subnet of the EC2 instances.
2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint.
3. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway.
4. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
- D. 1. Create a firewall in a new subnet.
2. Configure the EC2 instance subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the NAT gateway.
3. Configure the NAT gateway subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the firewall endpoint.
4. Configure the firewall subnet route tables to direct traffic with a destination of 0.0.0.0/0 to the internet gateway.
Answer: A
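A small route-table walk, added here as an example rather than taken from the page, makes the ordering visible. It follows each subnet's default route hop by hop for three of the layouts above: option A (firewall, then NAT, then internet gateway), option C (firewall endpoint in the instance subnet, which routes the endpoint's own outbound traffic back to itself), and option D (NAT before the firewall, so the firewall only ever sees the NAT gateway's address). Subnet and target names are placeholders, not AWS resource IDs, and only the 0.0.0.0/0 route of each subnet is modelled.

```python
# Constructed model of the VPC in the question. "target_subnet" records which
# subnet each next-hop target lives in; that is what decides whose route table
# applies to a packet after it leaves the target.
OPTION_A = {
    "route_tables": {
        "ec2-private": {"0.0.0.0/0": "firewall-endpoint"},
        "firewall":    {"0.0.0.0/0": "nat-gateway"},
        "nat-public":  {"0.0.0.0/0": "internet-gateway"},
    },
    "target_subnet": {"firewall-endpoint": "firewall", "nat-gateway": "nat-public"},
}

OPTION_C = {  # firewall endpoint placed in the instance subnet
    "route_tables": {
        "ec2-private": {"0.0.0.0/0": "firewall-endpoint"},
        "nat-public":  {"0.0.0.0/0": "internet-gateway"},
    },
    "target_subnet": {"firewall-endpoint": "ec2-private", "nat-gateway": "nat-public"},
}

OPTION_D = {  # NAT gateway before the firewall
    "route_tables": {
        "ec2-private": {"0.0.0.0/0": "nat-gateway"},
        "nat-public":  {"0.0.0.0/0": "firewall-endpoint"},
        "firewall":    {"0.0.0.0/0": "internet-gateway"},
    },
    "target_subnet": {"firewall-endpoint": "firewall", "nat-gateway": "nat-public"},
}


def trace_egress(vpc, start_subnet="ec2-private"):
    """Follow the default route subnet by subnet until the internet gateway.

    Returns (target, source_seen) pairs: source_seen is "instance-ip" until the
    packet has passed a NAT gateway and "nat-ip" afterwards. Revisiting a
    subnet ends the trace with a "routing-loop" entry instead of looping.
    """
    hops, subnet, visited, natted = [], start_subnet, set(), False
    while subnet not in visited:
        visited.add(subnet)
        target = vpc["route_tables"][subnet]["0.0.0.0/0"]
        hops.append((target, "nat-ip" if natted else "instance-ip"))
        if target == "internet-gateway":
            return hops
        if target == "nat-gateway":
            natted = True
        subnet = vpc["target_subnet"][target]
    hops.append(("routing-loop", "nat-ip" if natted else "instance-ip"))
    return hops


def reaches_internet(vpc):
    return trace_egress(vpc)[-1][0] == "internet-gateway"


def firewall_sees_instance_ips(vpc):
    """True if traffic hits the firewall endpoint before NAT, so stateful rules
    can still be written per source instance rather than per NAT address."""
    return any(t == "firewall-endpoint" and s == "instance-ip"
               for t, s in trace_egress(vpc))


if __name__ == "__main__":
    for name, vpc in (("A", OPTION_A), ("C", OPTION_C), ("D", OPTION_D)):
        print(name, trace_egress(vpc), "firewall sees instances:",
              firewall_sees_instance_ips(vpc))
```

The model only covers the outbound direction. In a real deployment the NAT gateway subnet's route table also needs a route for the instance subnet's CIDR pointing at the firewall endpoint, so that return packets pass through the same stateful engine as the packets that opened the flow.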
NEW QUESTION # 93
A company's application runs in a VPC and stores sensitive data in Amazon S3. The application's Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances.
The company wants to ensure that this bucket can be accessed only from the VPC where the application resides. Which changes should a network engineer make to the architecture to meet these requirements?
Response:
- A. Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.
- B. Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet.
- C. Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
- D. Configure the S3 security group to allow only the application instances to access the bucket.
- E. Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
Answer: C
Explanation:
Amazon S3 has no security groups and cannot be placed inside a VPC, so options B and D are not possible. An IP address condition on the VPC CIDR (option E) does not work either: traffic that leaves through the NAT gateway reaches S3 with the NAT gateway's public address, not a private VPC address. A gateway endpoint for Amazon S3 plus a bucket policy conditioned on aws:SourceVpce ties access to that VPC; restricting by role (option A) limits who can call, not where from.
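The bucket policy that option C describes, with a small evaluator for its condition, as an added example that is not part of the original page. The bucket name, endpoint ID and role ARNs are placeholders. The evaluator implements only the IAM rule this policy depends on: for negated operators such as StringNotEquals, a condition key that is absent from the request evaluates to true, which is why a request arriving via the NAT gateway (no aws:SourceVpce key at all) is denied. It also carves out a break-glass principal, because an explicit Deny with Principal "*" otherwise locks administrators out of the bucket too.

```python
import json

# Placeholder identifiers for this example, not real resources.
BUCKET = "example-app-sensitive-data"
VPCE_ID = "vpce-0123456789abcdef0"
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/BreakGlassAdmin"
APP_ROLE_ARN = "arn:aws:iam::123456789012:role/AppInstanceRole"


def vpce_only_bucket_policy(bucket, vpce_id, exempt_principal_arn=None):
    """Bucket policy denying every request that did not arrive via `vpce_id`,
    optionally exempting one principal (e.g. a break-glass role)."""
    condition = {"StringNotEquals": {"aws:SourceVpce": vpce_id}}
    if exempt_principal_arn:
        condition["ArnNotEquals"] = {"aws:PrincipalArn": exempt_principal_arn}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyIfNotFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": condition,
        }],
    }


def policy_document(policy):
    """The JSON text you would attach to the bucket."""
    return json.dumps(policy, indent=2)


def _condition_matches(condition, ctx):
    """All operator/key pairs must hold for the statement to apply.

    Negated operators (StringNotEquals, ArnNotEquals) are true when the key is
    missing from the request context; positive operators are false then.
    """
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op in ("StringEquals", "ArnEquals"):
                if actual != expected:
                    return False
            elif op in ("StringNotEquals", "ArnNotEquals"):
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(f"operator {op} not modelled")
    return True


def explicitly_denied(policy, ctx):
    """True if any Deny statement applies; an explicit deny beats every allow."""
    return any(s["Effect"] == "Deny" and _condition_matches(s.get("Condition", {}), ctx)
               for s in policy["Statement"])


if __name__ == "__main__":
    policy = vpce_only_bucket_policy(BUCKET, VPCE_ID, ADMIN_ROLE_ARN)
    print(policy_document(policy))
    via_endpoint = {"aws:SourceVpce": VPCE_ID, "aws:PrincipalArn": APP_ROLE_ARN}
    via_nat = {"aws:SourceIp": "203.0.113.9", "aws:PrincipalArn": APP_ROLE_ARN}
    print("via endpoint denied:", explicitly_denied(policy, via_endpoint))
    print("via NAT denied:", explicitly_denied(policy, via_nat))
```

Once this policy is in place the instances must actually use the endpoint: until the private subnet's route table sends the S3 prefix list to the gateway endpoint, their requests still go out through the NAT gateway and are denied. Test the policy with the exempt role first, since a mistake in the endpoint ID locks out everything else.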
