1. Home
  2. Amazon
  3. ANS-C00

AWS Certified Advanced Networking - Specialty (ANS-C00)

Exam Details

  • Exam Code
    :ANS-C00
  • Exam Name
    :AWS Certified Advanced Networking - Specialty (ANS-C00)
  • Certification
    :Amazon Certifications
  • Vendor
    :Amazon
  • Total Questions
    :414 Q&As
  • Last Updated
    :Apr 25, 2025

Amazon Amazon Certifications ANS-C00 Questions & Answers

  • Question 331:

    An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.

    What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?

    A. Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.

    B. Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.

    C. Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.

    D. Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.

  • Question 332:

    A Network Engineer has enabled VPC Flow Logs to troubleshoot an ICMP reachability issue for an echo reply from an Amazon EC2 instance. The flow logs reveal an ACCEPT record for the request from the client to the EC2 instance, and a REJECT record for the response from the EC2 instance to the client.

    What is the MOST likely reason for there to be a REJECT record?

    A. The security group is denying inbound ICMP.

    B. The network ACL is denying inbound ICMP.

    C. The security group is denying outbound ICMP.

    D. The network ACL is denying outbound ICMP.

  • Question 333:

    An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.

    What changes should be made to meet this requirement while continuing to support the existing application requirements?

    A. Modify the existing DHCP option set and specify the different domain name for the specified subnet.

    B. Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.

    C. Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.

    D. Create a new peered VPC, configure the DHCP option set with the different domain name, and relaunch the required instances there.

  • Question 334:

    A company has an application running on Amazon EC2 instances in a private subnet that connects to a third-party service provider's public HTTP endpoint through a NAT gateway. As request rates increase, new connections are starting to fail. At the same time, the ErrorPortAllocation Amazon CloudWatch metric count for the NAT gateway is increasing.

    Which of the following actions should improve the connectivity issues? (Choose two.)

    A. Allocate additional elastic IP addresses to the NAT gateway.

    B. Request that the third-party service provider implement HTTP keepalive.

    C. Implement TCP keepalive on the client instances.

    D. Create additional NAT gateways and update the private subnet route table to introduce the new NAT gateways.

    E. Create additional NAT gateways in the public subnet and split client instances into multiple private subnets, each with a route to a different NAT gateway.

  • Question 335:

    An organization's Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.

    What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

    A. Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.

    B. Provision a private virtual interface for each VPC connection.

    C. Enable VPC Flow Logs for each VPC.

    D. Use AWS KMS to encrypt traffic between on-premises and AWS.

    E. Provision a VPN connection to each VPC over the internet.

  • Question 336:

    A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.

    What steps must be taken to order the cross-connect at the Direct Connect location?

    A. Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.

    B. Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.

    C. Obtain one LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The Facility Operator will ensure that the cross-connect is installed.

    D. Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.

  • Question 337:

    A Network Engineer is troubleshooting a network connectivity issue for an instance within a public subnet that cannot connect to the internet. The first step the Engineer takes is to SSH to the instance via a local bastion within the VPC and runs an ifconfigcommand to inspect the IP addresses configured on the instance. The output is as follows:

    The Engineer notices that the command output does not contain a public IP address. In the AWS Management Console, the public subnet has a route to the internet gateway. The instance also has a public IP address associated with it.

    What should the Engineer do next to troubleshoot this situation?

    A. Configure the public IP on the interface.

    B. Disable source/destination checking for the instance.

    C. Associate an Elastic IP address to the interface.

    D. Evaluate the security groups and the network access control list.

  • Question 338:

    A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable -‘app.example.com’.

    Instances within the VPC should always connect to the private IP to minimize data transfer costs.

    How should the engineer configure DNS to support these requirements?

    A. Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.

    B. Create two A record entries for ‘app’ in the DNS zone ‘example.com’ - one for the public IP and one for the private IP.

    C. Use Route 53 to create an ALIAS record to the public DNS name for the instance.

    D. Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.

  • Question 339:

    A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.

    What design will use the LEAST amount of IP space, while allowing for this growth?

    A. Use two /29 subnets for an Application Load Balancer in different Availability Zones.

    B. Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

    C. Use two /28 subnets for a Network Load Balancer in different Availability Zones.

    D. Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

  • Question 340:

    An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the ‘Remote’ (receiving) account are already in place.

    The template below creates the VPC peering connection in the Originating account. It contains these components:

    Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Choose two.)

    A. Option A

    B. Option B

    C. Option C

    D. Option D

    E. Option E

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Amazon exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your ANS-C00 exam preparations and Amazon certification application, do not hesitate to visit our Vcedump.com to find your solutions here.