The AWS Certified Advanced Networking – Specialty (ANS-C00) examination is intended for individuals who perform complex networking tasks. This examination validates advanced technical skills and experience in designing and implementing AWS and hybrid IT network architectures at scale.
The exam covers the following domains:
Domain 1: Design and Implement Hybrid IT Network Architectures at Scale – 23%
Domain 2: Design and Implement AWS Networks – 29%
Domain 3: Automate AWS Tasks – 8%
Domain 4: Configure Network Integration with Application Services – 15%
Domain 5: Design and Implement for Security and Compliance – 12%
Domain 6: Manage, Optimize, and Troubleshoot the Network – 13%
Below are the top 20 Top 20 AWS Certified Advanced Networking – Specialty Practice Quiz including Questions and Answers and References –
Question 1: What is the relationship between private IPv4 addresses and Elastic IP addresses?
Reference1: IPv4 and Elastic IP
Question 2: A company’s on-premises network has an IP address range of 220.127.116.11/16. Only IPs within this network range can be used for inter-server communication. The IP address range 18.104.22.168/24 has been allocated for the cloud. A network engineer needs to design a VPC on AWS. The servers within the VPC should be able to communicate with hosts both on the internet and on-premises through a VPN connection. Which combination of configuration steps meet these requirements? (Select TWO.)
A) Set up the VPC with an IP address range of 22.214.171.124/24.
B) Set up the VPC with an RFC 1918 private IP address range (for example, 10.10.10.0/24). Set up a NAT gateway to do translation between 10.10.10.0/24 and 126.96.36.199/24 for all outbound traffic.
C) Set up a VPN connection between a virtual private gateway and an on-premises router. Set the virtual private gateway as the default gateway for all traffic. Configure the on-premises router to forward traffic to the internet.
D) Set up a VPN connection between a virtual private gateway and an on-premises router. Set the virtual private gateway as the default gateway for traffic destined to 188.8.131.52/24. Add a VPC subnet route to point the default gateway to an internet gateway for internet traffic.
E) Set up the VPC with an RFC 1918 private IP address range (for example, 10.10.10.0/24). Set the virtual private gateway to do a source IP translation of all outbound packets to 184.108.40.206/16.
Reference1: CIDR block
Question 3: Tasks running on Amazon EC2 Container Service (Amazon ECS) can use which mode for container networking (allocating an elastic networking interface to each running task, providing a dynamic private IP address and internal DNS name)?
Reference3: Task Networking with the
awsvpc Network Mode
Question 4: A network engineer needs to design a solution for an application running on an Amazon EC2 instance to connect to a publicly accessible Amazon RDS Multi-AZ DB instance in a different VPC and Region. Security requirements mandate that the traffic not traverse the internet. Which configuration will ensure that the instances communicate privately without routing traffic over the internet?
A) Create a peering connection between the VPCs and update the routing tables to route traffic between the VPCs. Enable DNS resolution support for the VPC peering connection. Configure the application to connect to the DNS endpoint of the DB instance.
B) Create a gateway endpoint to the DB instance. Update the routing tables in the application VPC to route traffic to the gateway endpoint.
C) Configure a transit VPC to route traffic between the VPCs privately. Configure the application to connect to the DNS endpoint of the DB instance.
D) Create a NAT gateway in the same subnet as the EC2 instances. Update the routing tables in the application VPC to route traffic through the NAT gateway to the DNS endpoint of the DB instance.
Reference4: DNS Resolution on the VPC Peering connection
Question 5: Management has decided that your firm will implement an AWS hybrid architecture. Given that decision, which of the following is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS Cloud?
Reference5: AWS Snowball
Question 6: A company has implemented a critical environment on AWS. For compliance purposes, a network engineer needs to verify that the Amazon EC2 instances are using a specific approved security group and belong to a specific VPC. The configuration history of the instances should be recorded and, in the event of any compliance issues, the instances should be automatically stopped. What should be done to meet these requirements?
A) Enable AWS CloudTrail and create a custom Amazon CloudWatch alarm to perform the required checks. When the CloudWatch alarm is in a failed state, trigger the stop this instance action to stop the noncompliant EC2 instance.
B) Configure a scheduled event with AWS CloudWatch Events to invoke an AWS Lambda function to perform the required checks. In the event of a noncompliant resource, invoke another Lambda function to stop the EC2 instance.
C) Configure an event with AWS CloudWatch Events for an EC2 instance state-change notification that triggers an AWS Lambda function to perform the required checks. In the event of a noncompliant resource, invoke another Lambda function to stop the EC2 instance.
D) Enable AWS Config and create custom AWS Config rules to perform the required checks. In the event of a noncompliant resource, use a remediation action to execute an AWS Systems Manager document to stop the EC2 instance.
Reference6: AwS Config,
Question 7: A previous administrator configured an inbound security group rule for port 80 (TCP) of 0.0.0.0/0 on the web server. What does this allow?
Reference7: Inbound Traffic
Question 8: A company is extending its on-premises data center to AWS. Peak traffic is expected to range between 1 Gbps and 2 Gbps. A network engineer must ensure that there is sufficient bandwidth between AWS and the data center to handle peak traffic. The solution should be highly available and cost effective. What should be implemented to address these needs?
A) Deploy a 10 Gbps AWS Direct Connect connection with an IPsec VPN backup.
B) Deploy two 1 Gbps AWS Direct Connect connections in a link aggregation group.
C) Deploy two 1 Gbps AWS Direct Connect connections in a link aggregation group to two different Direct Connect locations.
D) Deploy a 10 Gbps AWS Direct Connect connection to two different Direct Connect locations.
Reference8: Direct Connect connections with link aggregation
Question 9: Which of the following DNS record types is not supported by Amazon Route 53?
Reference9: Route53 record types
Question 10: A network engineer needs to limit access to the company’s Amazon S3 bucket to specific source networks. What should the network engineer do to accomplish this?
A) Create an ACL on the S3 bucket, limiting access to the CIDR blocks of the specified networks.
B) Create a bucket policy on the S3 bucket, limiting access to the CIDR blocks of the specified networks using a condition statement.
C) Create a security group allowing inbound access to the CIDR blocks of the specified networks and apply the security group to the S3 bucket.
D) Create a security group allowing inbound access to the CIDR blocks of the specified networks, create a S3 VPC endpoint, and apply the security group to the VPC endpoint.
Reference10: S3 Bucket Policy
Question 11: AWS Direct Connect has two separate billable charges: port-hours and data transfer. Pricing is per port-hour consumed for each port type. How are partial port-hours handled?
Reference11: AWS Direct Connect billing
Question 12: A company’s compliance requirements specify that web application logs must be collected and analyzed to identify any malicious activity. A network engineer also needs to monitor for remote attempts to change the network interface of web instances. Which services and configurations will meet these requirements?
A) Install the Amazon CloudWatch Logs agent on the web instances to collect application logs. Use VPC Flow Logs to send data to CloudWatch Logs. Use CloudWatch Logs metric filters to define the patterns to look for in the log data.
B) Configure AWS CloudTrail to log all management and data events to a custom Amazon S3 bucket and Amazon CloudWatch Logs. Use VPC Flow Logs to send data to CloudWatch Logs. Use CloudWatch Logs metric filters to define the patterns to look for in the log data.
C) Configure AWS CloudTrail to log all management events to a custom Amazon S3 bucket and Amazon CloudWatch Logs. Install the Amazon CloudWatch Logs agent on the web instances to collect application logs. Use CloudWatch Logs Insights to define the patterns to look for in the log data.
D) Enable AWS Config to record all configuration changes to the web instances. Configure AWS CloudTrail to log all management and data events to a custom Amazon S3 bucket. Use Amazon Athena to define the patterns to look for in the log data stored in Amazon S3.
Reference12: Amazon CloudWatch Logs insights
Question 13: What is the maximum number of security groups that you can create for each VPC?
Question 14: A company has an application that processes confidential data. The data is currently stored in an on premises data center. A network engineer is moving workloads to AWS, and needs to ensure confidentiality and integrity of the data in transit to AWS. The company has an existing AWS Direct Connect connection. Which combination of steps should the network engineer perform to set up the most cost-effective connection between the on-premises data center and AWS? (Select TWO.)
A) Attach an internet gateway to the VPC.
B) Configure a public virtual interface on the AWS Direct Connect connection.
C) Configure a private virtual interface to the virtual private gateway.
D) Set up an IPsec tunnel between the customer gateway and a software VPN on Amazon EC2.
E) Set up a Site-to-Site VPN between the customer gateway and the virtual private gateway.
Reference14: VPN over Direct Connect
Question 15: A site you are helping create must use Adobe Media Server and the Adobe Real-Time Messaging Protocol (RTMP) to stream media files. When it comes to AWS, an RTMP distribution must use which of the following as the origin?
Reference15: S3 Bucket as origin
Question 16: A company is creating new features for its ecommerce website. These features will be deployed as microservices using different domain names for each service. The company requires the use of HTTPS for all its public-facing websites. The application requires the client’s source IP. Which combination of actions should be taken to accomplish this? (Select TWO.)
A) Use a Network Load Balancer to distribute traffic to each service.
B) Use an Application Load Balancer to distribute traffic to each service.
C) Configure the application to retrieve client IPs using the X-Forwarded-For header.
D) Configure the application to retrieve client IPs using the X-Forwarded-Host header.
E) Configure the application to retrieve client IPs using the PROXY protocol header.
Reference16: Host based routing
Question 17: What is the maximum number of connections you can have in a LAG (Link Aggregation Group)?
Reference17: Link Aggregation Group
Question 18: A network engineer is architecting a high performance computing solution on AWS. The system consists of a cluster of Amazon EC2 instances that require low-latency communications between them. Which method will meet these requirements?
A) Launch instances into a single subnet with a size equal to the number of instances required for the cluster.
B) Create a cluster placement group. Launch Elastic Fabric Adapter (EFA)-enabled instances into the placement group.
C) Launch Amazon EC2 instances with the largest available number of cores and RAM. Attach Amazon EBS Provisioned IOPS (PIOPS) volumes. Implement a shared memory system across all instances in the cluster.
D) Choose an Amazon EC2 instance type that offers enhanced networking. Attach a 10 Gbps non-blocking elastic network interface to the instances.
Reference18: Cluster placement groups
Question 19: What is the maximum number of security groups that can be associated with each network interface?
Question 20: A company’s internal security team receives a request to allow Amazon S3 access from inside the corporate network. All external traffic must be explicitly allowed through the corporate firewalls. How can the security team grant this access?
A) Schedule a script to download the Amazon S3 IP prefixes from AWS developer forum announcements. Update the firewall rules accordingly.
B) Schedule a script to download and parse the Amazon S3 IP prefixes from the ip-ranges.json file. Update the firewall rules accordingly.
C) Schedule a script to perform a DNS lookup on Amazon S3 endpoints. Update the firewall rules accordingly.
D) Connect the data center to a VPC using AWS Direct Connect. Create routes that forward traffic from the data center to an Amazon S3 VPC endpoint.
1- Djamga Cloud Networking Youtube Channel
II- LATEST NETWORKING NEWS: