Curious about Actual Amazon Specialty (ANS-C01) Exam Questions?
Here are sample Amazon AWS Certified Advanced Networking - Specialty (ANS-C01) Exam questions from real exam. You can get more Amazon Specialty (ANS-C01) Exam premium practice questions at TestInsights.
A company uses Amazon Route 53 for its DNS needs. The company's security team wants to update the DNS infrastructure to provide the most recent security posture.
The security team has configured DNS Security Extensions (DNSSEC) for the domain. The security team wants a network engineer to explain who is responsible for the
rotation of DNSSEC keys.
Which explanation should the network administrator provide to the security team?
Correct : A
Start a Discussions
AnyCompany has acquired Example Corp. AnyCompany's infrastructure is all on premises, and Example Corp's infrastructure is completely in the AWS Cloud. The
companies are using AWS Direct Connect with AWS Transit Gateway to establish connectivity between each other.
Example Corp has deployed a new application across two Availability Zones in a VPC with no internet gateway. The CIDR range for the VPC is 10.0.0.0/16. Example
Corp needs to access an application that is deployed on premises by AnyCompany. Because of compliance requirements, Example Corp must access the application
through a limited contiguous block of approved IP addresses (10.1.0.0/24).
A network engineer needs to implement a highly available solution to achieve this goal. The network engineer starts by updating the VPC to add a new CIDR range of
10.1.0.0/24.
What should the network engineer do next to meet the requirements?
Correct : B
The correct answer is B. In each Availability Zone in the VPC, create a subnet that uses part of the allowed IP address range. Create a private NAT gateway in each of the new subnets. Update the route tables that are associated with other subnets to route application traffic to the private NAT gateway in the corresponding Availability Zone. Add a route to the route table that is associated with the subnets of the private NAT gateways to send traffic destined for the application to the transit gateway.
This solution meets the requirements because:
* It uses a private NAT gateway, which can route traffic to other VPCs or on-premises networks through a transit gateway or a virtual private gateway1.
* It creates a subnet in each Availability Zone that uses part of the approved IP address range, which ensures high availability and compliance.
* It updates the route tables to send traffic from the other subnets to the private NAT gateway in the same Availability Zone, which reduces latency and improves performance.
* It adds a route to the route table of the private NAT gateway subnets to send traffic destined for the application to the transit gateway, which enables connectivity to the on-premises network.
The other options are incorrect because:
* Option A uses a public NAT gateway, which is not necessary for connecting to other VPCs or on-premises networks. A public NAT gateway also requires an elastic IP address, which is not part of the approved IP address range.
* Option C creates only one subnet and one private NAT gateway, which does not provide high availability across multiple Availability Zones.
* Option D uses a public NAT gateway, which is not necessary for connecting to other VPCs or on-premises networks. A public NAT gateway also requires an elastic IP address, which is not part of the approved IP address range. Additionally, option D creates only one subnet and one public NAT gateway, which does not provide high availability across multiple Availability Zones.
Start a Discussions
A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment
has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS
Organizations through AWS Resource Access Manager (AWS RAM).
A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization.
The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a
VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)
Correct : D
The correct answer is A, C, and D. These steps will meet the requirements with the least operational overhead because:
* Step A will deploy an AWS Lambda function to the shared services account that can automate the network infrastructure provisioning in each member account by assuming a role with the necessary permissions.
* Step C will create an AWS CloudFormation template that describes the VPC and the transit gateway attachment for each account. This template can be uploaded as an AWS Service Catalog product to the shared services account, which can be used by the AWS Lambda function to create the network resources in each member account.
* Step D will deploy an Amazon EventBridge rule on a default event bus in the shared services account that can react to AWS Control Tower lifecycle events, such as creating a new managed account. This rule can invoke the AWS Lambda function to provision the network infrastructure in the new account.
The other steps are incorrect because:
* Step B will update the existing accounts with an Account Factory Customization (AFC), which is a feature of AWS Control Tower that allows you to customize the account creation process with AWS CloudFormation templates. However, this step will not automate the network infrastructure provisioning for the existing accounts, as it only applies to the new accounts created through the Account Factory. Moreover, this step will require additional operational overhead to maintain the AFC templates and products.
* Step E will create an AWSControlTowerBlueprintAccess role in the shared services account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the shared services account. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products directly without using this role.
* Step F will create an AWSControlTowerBlueprintAccess role in each member account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the member accounts. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products in the shared services account without using this role.
A company ran out of IP address space in one of the Availability Zones in an AWS Region that the company uses. The Availability Zone that is out of space is assigned the
10.10.1.0/24 CIDR block. The company manages its networking configurations in an AWS CloudFormation stack. The company's VPC is assigned the 10.10.0.0/16 CIDR
block and has available capacity in the 10.10.1.0/22 CIDR block.
How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?
A) Update the AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
B) Update the AWS :: EC2 :: VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
C) Copy the CloudFormation stack. Set the AWS :: EC2 :: VPC resource CidrBlock property to 10.10.0.0/16. Set the AWS :: EC2 :: Subnet resource CidrBlock property to 10.10.1.0/22 for the Availability Zone.
D) Create a new AWS :: EC2 :: Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0/24.
Start a Discussions
A company has a total of 30 VPCs. Three AWS Regions each contain 10 VPCs. The company has attached the VPCs in each Region to a transit gateway in that Region. The company also
has set up inter-Region peering connections between the transit gateways.
The company wants to use AWS Direct Connect to provide access from its on-premises location for only four VPCs across the three Regions. The company has provisioned four Direct
Connect connections at two Direct Connect locations.
Which combination of steps will meet these requirements MOST cost-effectively? (Select THREE.)
Correct : B, C, F
To connect to multiple VPCs across different Regions using Direct Connect, the best option is to use a Direct Connect gateway and transit gateways. A Direct Connect gateway allows you to associate multiple virtual private gateways and transit gateways with the same Direct Connect connection. A transit gateway acts as a network hub that connects multiple VPCs and on-premises networks. By creating inter-Region peering connections between the transit gateways, you can enable cross-Region communication. Therefore, the steps are:
* Create four virtual private gateways and attach them to the four VPCs that need access from the on-premises location.
* Create a Direct Connect gateway and associate it with the four virtual private gateways.
* Create four transit VIFs on each Direct Connect connection and associate them with the Direct Connect gateway. A transit VIF allows you to connect to a Direct Connect gateway using a private ASN.
* Create an association between the Direct Connect gateway and the transit gateways in each Region. This will enable the on-premises location to access the VPCs that are attached to the transit gateways.
Start a Discussions
A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway.
The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center.
In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet.
Which set of steps should a network engineer take to meet these requirements?
Correct : C
Option C is the best solution because it allows the company to use transit gateways to connect the VPCs in different regions and the on-premises sites. Transit gateways support inter-region peering and VPN attachments, which enable secure and scalable connectivity. Option A is not valid because public subnets are not suitable for workloads that cannot be directly accessible from the internet. Option B is not valid because Direct Connect connections take longer than 5 days to provision.
Start a Discussions
Total 154 questions