ANS-C01 Exam Details

  • Exam Code: ANS-C01
  • Exam Name: AWS Certified Advanced Networking - Specialty (ANS-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 285 Q&As
  • Last Updated: May 24, 2026

Amazon ANS-C01 Online Questions & Answers

  • Question 121:

    A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway.

    The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center.

    In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet.

    Which set of steps should a network engineer take to meet these requirements?

    A. 1. Create public subnets in the Tokyo VPC to migrate the workloads into. 2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC. 3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads. 4. Create peering connections between the Tokyo VPC and the Paris VPCs. 5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.
    B. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
    C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
    D. 1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway. 2. Create an association between the Paris transit gateway and the Tokyo VPC. 3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPC.

  • Question 122:

    A company runs an application across multiple AWS Regions and multiple Availability Zones. The company needs to expand to a new AWS Region. Low latency is critical to the functionality of the application.

    A network engineer needs to gather metrics for the latency between the existing Regions and the new Region. The network engineer must gather metrics for at least the previous 30 days.

    Which solution will meet these requirements?

    A. Configure an AWS Network Access Analyzer Network Access Scope, and use the analysis to review the latency.
    B. Set up AWS Network Manager Infrastructure Performance. Publish network performance metrics to Amazon CloudWatch.
    C. Use an Amazon VPC Reachability Analyzer path to review the latency.
    D. Set up VPC Flow Logs. Publish log metrics to Amazon CloudWatch.

  • Question 123:

    A company's security guidelines state that all outbound traffic from a VPC to the company's on-premises data center must pass through a security appliance. The security appliance runs on an Amazon EC2 instance. A network engineer needs to improve the network performance between the on-premises data center and the security appliance.

    Which actions should the network engineer take to meet these requirements? (Choose two.)

    A. Use an EC2 instance that supports enhanced networking.
    B. Send outbound traffic through a transit gateway.
    C. Increase the EC2 instance size.
    D. Place the EC2 instance in a placement group within the VPC.
    E. Attach multiple elastic network interfaces to the EC2 instance.

  • Question 124:

    A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company's applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups.

    A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances.

    Which solution will meet this requirement with the LEAST implementation and administrative effort?

    A. Create a network ACL for each application. Reference the network ACL in the stateful rule group.
    B. Create a prefix list for each application. Reference the prefix list in the stateful rule group.
    C. Create an AWS Lambda function that queries the EC2 instance tags for each application name and then updates the stateful rule group with the IP address of each instance.
    D. Create a resource group for each application name. Reference the Amazon Resource Name (ARN) for the resource groups in the stateful rule group.

  • Question 125:

    A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office.

    The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget.

    What should the network engineer do to meet these requirements MOST cost-effectively?

    A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).
    B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.
    C. Deploy Amazon WorkSpaces into the application VPC. Instruct the remote employees to connect to WorkSpaces.
    D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.

  • Question 126:

    A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications.

    Which solution will meet these requirements with the LEAST operational overhead?

    A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.
    B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
    C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
    D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

  • Question 127:

    A company has an AWS Site-to-Site VPN connection between its office and its VPC. Users report occasional failure of the connection to the application that is hosted inside the VPC. A network engineer discovers in the customer gateway logs that the Internet Key Exchange (IKE) session ends when the connection to the application fails.

    What should the network engineer do to bring up the IKE session if the IKE session goes down?

    A. Set the dead peer detection (DPD) timeout action to Clear. Initiate traffic from the VPC to on premises.
    B. Set the dead peer detection (DPD) timeout action to Restart. Initiate traffic from on premises to the VPC.
    C. Set the dead peer detection (DPD) timeout action to None. Initiate traffic from the VPC to on premises.
    D. Set the dead peer detection (DPD) timeout action to Cancel. Initiate traffic from on premises to the VPC.

  • Question 128:

    A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads. A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.

    How should the network engineer configure routing to meet these requirements?

    A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
    B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
    C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
    D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.

  • Question 129:

    A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.

    What should the network engineer do to meet this requirement?

    A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only
    B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
    C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS)
    D. Change the ALB security policy to a policy that supports forward secrecy (FS)

  • Question 130:

    A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway. In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.

    Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

    A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
    B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0
    C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
    D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.
    E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch. Associate the new security group with the endpoint network interfaces.
    F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.
