AWS Certified Advanced Networking - Specialty

Here you have the best Amazon ANS-C01 practice exam questions

  • You have 201 total questions to study from
  • Each page has 5 questions, making a total of 41 pages
  • You can navigate through the pages using the buttons at the bottom
  • This questions were last updated on December 17, 2024
Question 1 of 201

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.

Which solution will meet these requirements?

    Correct Answer: D

    The service requires encryption in transit without decryption between the client and the backend. This can be achieved by using a Network Load Balancer (NLB) which operates at the transport layer (Layer 4), supporting TCP. By using a TLS listener on port 443, the traffic remains encrypted end-to-end. Mutual TLS (mTLS) can be implemented using NLB as it does not terminate the TLS connection, ensuring secure and continuous encryption. Therefore, the correct solution is to use a Network Load Balancer with a TLS listener to forward traffic to the backend service.

Question 2 of 201

A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes.

Which solution will meet these requirements?

    Correct Answer: A

    To meet the requirements of having highly available web servers behind an Elastic Load Balancer, routing requests based on the URL, ensuring all traffic uses HTTPS, offloading TLS processing, and having the web server recognize the user's IP address, you would deploy an Application Load Balancer with an HTTPS listener. The Application Load Balancer supports path-based routing, which allows traffic to be forwarded to the correct target group based on the URL. Additionally, the ALB can include the X-Forwarded-For request header with traffic to the targets, allowing the web server to know the user's IP address, fulfilling the security logging requirement.

Question 3 of 201

A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS.

The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.

Which solution will meet these requirements?

    Correct Answer: D

    To make the application accessible only through the AWS Global Accelerator and not through a direct internet connection to the ALB endpoint, the ALB must be configured in a private subnet. An internet gateway must be attached to indicate that the VPC accepts internet traffic, but no public IP addressing or routing is required at the subnet level. The security group of the ALB should only allow inbound traffic from the accelerator's IP addresses, ensuring controlled access through the accelerator.

Question 4 of 201

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.

The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.

Which solution will meet these requirements in the MOST secure manner?

    Correct Answer: C

    To meet the requirements for granular security controls and scalability, creating VPC endpoint services powered by AWS PrivateLink in the central shared services VPC and creating VPC endpoints in each application VPC is the optimal solution. AWS PrivateLink allows secure and private connectivity between VPCs without traversing the internet, ensuring high levels of security by restricting access to specific services. This method also easily scales as new business units are added, as new VPC endpoints can be created in each application VPC to connect to the shared services VPC.

Question 5 of 201

A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS.

A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.

Which solution will meet these requirements?

    Correct Answer: A

    To address the issue of slowness due to bandwidth saturation, the network engineer should review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which virtual interface (VIF) is sending the highest throughput during the period when slowness is observed. Once the problematic VIF is identified, the correct approach is to create a new 10 Gbps dedicated connection and shift traffic from the existing 4 Gbps connection to the new connection. AWS Direct Connect does not support upgrading the port speed of an existing connection; a new connection must be created to achieve the desired increase in bandwidth.