Curious about Actual Amazon Specialty (ANS-C01) Exam Questions?

Here are sample Amazon AWS Certified Advanced Networking - Specialty (ANS-C01) Exam questions from real exam. You can get more Amazon Specialty (ANS-C01) Exam premium practice questions at TestInsights.

Page: 1 /
Total 110 questions

Want more questions? Get Premium Access.

Question 1

A company uses Amazon Route 53 for its DNS needs. The company's security team wants to update the DNS infrastructure to provide the most recent security posture.

The security team has configured DNS Security Extensions (DNSSEC) for the domain. The security team wants a network engineer to explain who is responsible for the

rotation of DNSSEC keys.

Which explanation should the network administrator provide to the security team?

AAWS rotates the zone-signing key (ZSK). The company rotates the key-signing key (KSK).

BThe company rotates the zone-signing key (ZSK) and the key-signing key (KSK).

CAWS rotates the AWS Key Management Service (AWS KMS) key and the key-signing key (KSK).

DThe company rotates the AWS Key Management Service (AWS KMS) key. AWS rotates the key-signing key (KSK).

Correct : A

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

AAWS rotates the zone-signing key (ZSK). The company rotates the key-signing key (KSK).

BThe company rotates the zone-signing key (ZSK) and the key-signing key (KSK).

CAWS rotates the AWS Key Management Service (AWS KMS) key and the key-signing key (KSK).

DThe company rotates the AWS Key Management Service (AWS KMS) key. AWS rotates the key-signing key (KSK).

0 / 1500

Question 2

AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The

companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other.

Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example

Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application

through a limited contiguous block of approved IP addresses (10.1.0.0/24).

A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of

10.1.0.0/24.

What should the network engineer do next to meet the requirements?

AIn each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a public NAT Sateway in each of the new
subnets. Update the route tables that are associated with other subnets to route application traffic to the public NAT gateway in the corresponding Availability
Zone. Add a route to the route table that is associated with the subnets of the public NAT gateways to send traffic destined for the application to the transit
gateway.

BIn each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a private NAT gateway in each of the new
subnets. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway in the corresponding
Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT gateways to send traffic destined for the application to
the transit gateway.

CIn the VPC, create a subnet that uses the allowed IP address range. Create a private NAT gateway in the new subnet. Update the route tables that are
associated with other subnets to route application traffic to the private NAT gateway. Add a route to the route table that is associated with the subnet of the
private NAT gateway to send traffic destined for the application to the transit gateway.

DIn the VPC, create a subnet that uses the allowed IP address range. Create a public NAT gateway in the new subnet. Update the route tables that are
associated with other subnets to route application traffic to the public NAT gateway. Add a route to the route table that is associated with the subnet of the
public NAT gateway to send traffic destined for the application to the transit gateway.

Correct : B

The correct answer is B. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a private NAT gateway in each of the new subnets. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway in the corresponding Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT gateways to send traffic destined for the application to the transit gateway.

This solution meets the requirements because:

* It uses a private NAT gateway, which can route traffic to other VPCs or on-premises networks through a transit gateway or a virtual private gateway1.

* It creates a subnet in each Availability Zone that uses part of the approved IP address range, which ensures high availability and compliance.

* It updates the route tables to send traffic from the other subnets to the private NAT gateway in the same Availability Zone, which reduces latency and improves performance.

* It adds a route to the route table of the private NAT gateway subnets to send traffic destined for the application to the transit gateway, which enables connectivity to the on-premises network.

The other options are incorrect because:

* Option A uses a public NAT gateway, which is not necessary for connecting to other VPCs or on-premises networks. A public NAT gateway also requires an elastic IP address, which is not part of the approved IP address range.

* Option C creates only one subnet and one private NAT gateway, which does not provide high availability across multiple Availability Zones.

* Option D uses a public NAT gateway, which is not necessary for connecting to other VPCs or on-premises networks. A public NAT gateway also requires an elastic IP address, which is not part of the approved IP address range. Additionally, option D creates only one subnet and one public NAT gateway, which does not provide high availability across multiple Availability Zones.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

0 / 1500

Question 3

A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment

has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS

Organizations through AWS Resource Access Manager (AWS RAM).

A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization.

The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a

VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

ADeploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts
to provision the necessary network infrastructure.

BUpdate the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.

CCreate an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS
Service Catalog product to the shared services account.

DDeploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower
CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.

ECreate an AWSControlTowerBlueprintAccess role in the shared services account.

FCreate an AWSControlTowerBlueprintAccess role in each member account.

Correct : D

The correct answer is A, C, and D. These steps will meet the requirements with the least operational overhead because:

* Step A will deploy an AWS Lambda function to the shared services account that can automate the network infrastructure provisioning in each member account by assuming a role with the necessary permissions.

* Step C will create an AWS CloudFormation template that describes the VPC and the transit gateway attachment for each account. This template can be uploaded as an AWS Service Catalog product to the shared services account, which can be used by the AWS Lambda function to create the network resources in each member account.

* Step D will deploy an Amazon EventBridge rule on a default event bus in the shared services account that can react to AWS Control Tower lifecycle events, such as creating a new managed account. This rule can invoke the AWS Lambda function to provision the network infrastructure in the new account.

The other steps are incorrect because:

* Step B will update the existing accounts with an Account Factory Customization (AFC), which is a feature of AWS Control Tower that allows you to customize the account creation process with AWS CloudFormation templates. However, this step will not automate the network infrastructure provisioning for the existing accounts, as it only applies to the new accounts created through the Account Factory. Moreover, this step will require additional operational overhead to maintain the AFC templates and products.

* Step E will create an AWSControlTowerBlueprintAccess role in the shared services account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the shared services account. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products directly without using this role.

* Step F will create an AWSControlTowerBlueprintAccess role in each member account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the member accounts. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products in the shared services account without using this role.

A company ran out of IP address space in one of the Availability Zones in an AWS Region that the company uses. The Availability Zone that is out of space is assigned the

10.10.1.0/24 CIDR block. The company manages its networking configurations in an AWS CloudFormation stack. The company's VPC is assigned the 10.10.0.0/16 CIDR

block and has available capacity in the 10.10.1.0/22 CIDR block.

How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?

A) Update the AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.

B) Update the AWS :: EC2 :: VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.

C) Copy the CloudFormation stack. Set the AWS :: EC2 :: VPC resource CidrBlock property to 10.10.0.0/16. Set the AWS :: EC2 :: Subnet resource CidrBlock property to 10.10.1.0/22 for the Availability Zone.

D) Create a new AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0/24.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ADeploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts
to provision the necessary network infrastructure.

BUpdate the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.

ECreate an AWSControlTowerBlueprintAccess role in the shared services account.

FCreate an AWSControlTowerBlueprintAccess role in each member account.

0 / 1500

Question 4

A company has a total of 30 VPCs. Three AWS Regions each contain 10 VPCs. The company has attached the VPCs in each Region to a transit gateway in that Region. The company also

has set up inter-Region peering connections between the transit gateways.

The company wants to use AWS Direct Connect to provide access from its on-premises location for only four VPCs across the three Regions. The company has provisioned four Direct

Connect connections at two Direct Connect locations.

Which combination of steps will meet these requirements MOST cost-effectively? (Select THREE.)

ACreate four virtual private gateways. Attach the virtual private gateways to the four VPCs.

BCreate a Direct Connect gateway. Associate the four virtual private gateways with the Direct Connect gateway.

CCreate four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the Direct Connect gateway.

DCreate four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the four virtual private gateways.

ECreate four private VIFs on each Direct Connect connection to the Direct Connect gateway.

FCreate an association between the Direct Connect gateway and the transit gateways.

Correct : B, C, F

To connect to multiple VPCs across different Regions using Direct Connect, the best option is to use a Direct Connect gateway and transit gateways. A Direct Connect gateway allows you to associate multiple virtual private gateways and transit gateways with the same Direct Connect connection. A transit gateway acts as a network hub that connects multiple VPCs and on-premises networks. By creating inter-Region peering connections between the transit gateways, you can enable cross-Region communication. Therefore, the steps are:

* Create four virtual private gateways and attach them to the four VPCs that need access from the on-premises location.

* Create a Direct Connect gateway and associate it with the four virtual private gateways.

* Create four transit VIFs on each Direct Connect connection and associate them with the Direct Connect gateway. A transit VIF allows you to connect to a Direct Connect gateway using a private ASN.

* Create an association between the Direct Connect gateway and the transit gateways in each Region. This will enable the on-premises location to access the VPCs that are attached to the transit gateways.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

ACreate four virtual private gateways. Attach the virtual private gateways to the four VPCs.

BCreate a Direct Connect gateway. Associate the four virtual private gateways with the Direct Connect gateway.

CCreate four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the Direct Connect gateway.

DCreate four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the four virtual private gateways.

ECreate four private VIFs on each Direct Connect connection to the Direct Connect gateway.

FCreate an association between the Direct Connect gateway and the transit gateways.

0 / 1500

Question 5

A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway.

The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center.

In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet.

Which set of steps should a network engineer take to meet these requirements?

A1. Create public subnets in the Tokyo VPC to migrate the workloads into.
2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC.
3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads.
4. Create peering connections between the Tokyo VPC and the Paris VPCs.
5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.

B1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC.
2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway.
3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway.
4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.

C1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC.
2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway.
3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target.
4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.

D1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway.
2. Create an association between the Paris transit gateway and the Tokyo VPC.
3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPCs.

Correct : C

Option C is the best solution because it allows the company to use transit gateways to connect the VPCs in different regions and the on-premises sites. Transit gateways support inter-region peering and VPN attachments, which enable secure and scalable connectivity. Option A is not valid because public subnets are not suitable for workloads that cannot be directly accessible from the internet. Option B is not valid because Direct Connect connections take longer than 5 days to provision.

Options Selected by Other Users:

Mark Question:

Start a Discussions

Submit Your Answer:

0 / 1500

Page: 1 / 22
Total 110 questions

Unlock Full
ANS-C01 Exam Features

In Just $49 You can Access

All Official Question Types
Interactive Web-Based Practice Test Software
No Installation or 3rd Party Software Required
Customize your practice sessions (Free Demo)
24/7 Customer Support

Get Full Access Now

Marked Questions
ANS-C01 Exam

ANS-C01 Exam Question 1
ANS-C01 Exam Question 2
ANS-C01 Exam Question 3
ANS-C01 Exam Question 4
ANS-C01 Exam Question 5

Download PDF File Demo

Try Web-Based Exam Practice Software Demo

Commenting

In order to participate in the comments you need to be logged-in.
You can sign-up or login