
AWS Certified Specialty Dumps ANS-C01 Exam for Full Questions - Exam Study Guide
NEW QUESTION # 113
The development team at a company is deploying a web application in a VPC that requires SSL mutual authentication with a client-side certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application.
Which load balancer protocol should you select for this application?
Response:
- A. HTTPS
- B. HTTP
- C. SSL
- D. TCP
Answer: D
NEW QUESTION # 114
A company is establishing hybrid cloud connectivity from an on-premises environment to AWS in the us-east-1 Region. The company is using a 10 Gbps AWS Direct Connect dedicated connection. The company has two accounts in AWS. Account A has transit gateways in four AWS Regions. Account B has transit gateways in three Regions. The company does not plan to expand.
To meet security requirements, the company's accounts must have separate cloud infrastructure.
Which solution will meet these requirements MOST cost-effectively?
- A. Create one Direct Connect gateway in us-east-1 for Account A. Create a second Direct Connect gateway in us-east-1 for Account B. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway in Account A. Create a transit VIF for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway in Account B.
- B. Create one Direct Connect gateway in us-east-1. Use AWS Resource Access Manager (AWS RAM) to share the Direct Connect gateway with each account. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway. Create a transit VIF for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway.
- C. Create one Direct Connect gateway in us-east-1 for Account A. Create a second Direct Connect gateway in us-east-1 for Account B. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway in Account A. Order a new 10 Gbps Direct Connect dedicated connection for Account B. Create a transit VIF on the new Direct Connect connection for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway in Account B.
- D. Create one Direct Connect gateway in us-east-1. Use AWS Resource Access Manager (AWS RAM) to share the Direct Connect gateway with each account. Create a transit VIF for Account A. Associate the four transit gateways in Account A to the Direct Connect gateway. Order a new 10 Gbps Direct Connect dedicated connection for Account B. Create a transit VIF on the new Direct Connect connection for Account B. Associate the three transit gateways in Account B to the Direct Connect gateway.
Answer: B
Explanation:
The most cost-effective and scalable solution is to create a single Direct Connect gateway in us-east-1 and use AWS Resource Access Manager (AWS RAM) to share the Direct Connect gateway between Account A and Account B. This approach avoids the need for multiple Direct Connect connections and allows both accounts to share the same connection, which is more cost-efficient than creating separate connections for each account.
Transit VIFs (virtual interfaces) will be created for both Account A and Account B, and each account's respective transit gateways will be associated with the same Direct Connect gateway. This solution allows both accounts to access AWS resources in the most efficient manner.
NEW QUESTION # 115
A network engineer is working on a private DNS design to integrate AWS workloads and on-premises resources. The AWS deployment consists of five VPCs in the eu-west-1 Region that connect to the on- premises network over AWS Direct Connect. The VPCs communicate with each other by using a transit gateway. Each VPC is associated with a private hosted zone that uses the aws.example.internal domain. The network engineer creates an Amazon Route 53 Resolver outbound endpoint in a shared services VPC and attaches the shared services VPC to the transit gateway.
The network engineer is implementing a solution for DNS resolution. Queries for hostnames that end with aws.example.internal must use the private hosted zone. Queries for hostnames that end with all other domains must be forwarded to a private on-premises DNS resolver.
Which solution will meet these requirements?
- A. Add a forwarding rule for "." that targets the on-premises server's DNS IP address. Add a system rule for aws.example.internal that targets Route 53 Resolver.
- B. Add a forwarding rule for "." that targets the Route 53 Resolver outbound endpoint.
- C. Add a forwarding rule for "." that targets the Route 53 Resolver outbound endpoint.
- D. Add a forwarding rule for aws.example.internal that targets Route 53 Resolver. Add a system rule for "." that targets the Route 53 Resolver outbound endpoint.
Answer: C
NEW QUESTION # 116
A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?
- A. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.
- B. Modify the transit gateway by selecting multicast support.
- C. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.
- D. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
Answer: D
Explanation:
The intermittent connections for traffic that crosses Availability Zones appear because, by default, the transit gateway forwards traffic to the shared services VPC through an attachment in the same Availability Zone as the source, so the two directions of a flow can reach different IDS instances and stateful inspection fails. To resolve this, a network engineer should modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support (Option D). Appliance mode keeps both directions of a flow on the same Availability Zone, and therefore on the same EC2 instance, for the lifetime of the flow, which prevents the intermittent connections.
NEW QUESTION # 117
A company has a total of 30 VPCs. Three AWS Regions each contain 10 VPCs. The company has attached the VPCs in each Region to a transit gateway in that Region. The company also has set up inter-Region peering connections between the transit gateways.
The company wants to use AWS Direct Connect to provide access from its on-premises location for only four VPCs across the three Regions. The company has provisioned four Direct Connect connections at two Direct Connect locations.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose three.)
- A. Create four virtual private gateways. Attach the virtual private gateways to the four VPCs.
- B. Create four private VIFs on each Direct Connect connection to the Direct Connect gateway.
- C. Create four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the four virtual private gateways.
- D. Create four transit VIFs on each Direct Connect connection. Associate the transit VIFs with the Direct Connect gateway.
- E. Create a Direct Connect gateway. Associate the four virtual private gateways with the Direct Connect gateway.
- F. Create an association between the Direct Connect gateway and the transit gateways.
Answer: A,B,E
Explanation:
The transit gateways (with inter-Region peering) already provide VPC-to-VPC connectivity within AWS. From on premises, access is required to only four VPCs, so a Direct Connect gateway with a virtual private gateway (VGW) on each of the four VPCs, reached over private VIFs, is sufficient. Associating the transit gateways with the Direct Connect gateway over transit VIFs would also provide on-premises connectivity, but it is more costly.
https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/aws-dx-dxgw-with-vgw-multi-regions-and-aws-public-peering.html
NEW QUESTION # 118
A company is running business applications on AWS. The company uses 50 AWS accounts, thousands of VPCs, and 3 AWS Regions across the United States and Europe.
A network engineer needs to establish network connectivity between an on-premises data center and the Regions. The network engineer also must establish connectivity between the VPCs. On-premises users and applications must be able to connect to applications that run in the VPCs.
The company has an existing AWS Direct Connect connection that the network engineer can use. The network engineer creates a transit gateway in each Region and configures the transit gateways as inter-Region peers.
Which solution will provide network connectivity from the on-premises data center to the Regions and will provide inter-VPC communications across the different Regions?
- A. Create a private VIF with a gateway type of virtual private gateway. Configure the private VIF to use a virtual private gateway that is associated with one of the VPCs.
- B. Create a private VIF to a new Direct Connect gateway. Associate the new Direct Connect gateway with a virtual private gateway in each VPC.
- C. Create a transit VIF with a gateway association to a new Direct Connect gateway. Associate each transit gateway with the new Direct Connect gateway.
- D. Create an AWS Site-to-Site VPN connection that uses a public VIF for the Direct Connect connection. Attach the Site-to-Site VPN connection to the transit gateways.
Answer: C
NEW QUESTION # 119
How many prefixes can be announced from a customer to AWS over an AWS Direct Connect Private Virtual Interface (VIF)?
Response:
- A. 0
- B. 1
- C. 2
- D. 3
Answer: A
NEW QUESTION # 120
A company wants to migrate a proprietary application from on premises to the AWS Cloud. The application implements segregation of different types of network traffic.
The application uses services that listen to multiple ports on two different IP addresses. One IP address is used for customer-facing traffic, and the other IP address is used for management traffic.
The application requires the IP addresses to belong to different subnets. How can the company deploy the application with the LEAST management overhead?
Response:
- A. Deploy the application to an Amazon EC2 instance that has a secondary elastic network interface attached. Select different subnets for each network interface.
- B. Deploy the application to Amazon Elastic Container Service (Amazon ECS). Configure two elastic network interfaces in the task definition.
- C. Deploy the application to Amazon Elastic Container Service (Amazon ECS). Create an AWS Lambda function to attach a second elastic network interface. Use an AWS Step Functions workflow to invoke the function.
- D. Deploy the application to Amazon Elastic Container Service (Amazon ECS). Create an AWS Lambda function to attach a second elastic network interface. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the function.
Answer: A
NEW QUESTION # 121
Which of the following tools can be used to record the source and destination IP addresses of traffic flowing in or out of a VPC or EC2 instances?
A) VPC Flow logs
B) Packet capture on an instance
C) AWS CloudTrail
D) AWS Identity and Access Management (IAM)
Response:
- A. A & C
- B. C & D
- C. B & C
- D. A & B
Answer: D
NEW QUESTION # 122
Your current web application's network security architecture includes an Application Load Balancer, locked down Security Groups, and restrictive VPC route tables. You have been asked to implement additional controls for temporarily blocking hundreds of noncontiguous, malicious IP addresses.
Which AWS service or features should you add to this architecture?
Response:
- A. AWS Shield
- B. Amazon VPC Private Link
- C. AWS WAF
- D. Network ACLs
Answer: C
NEW QUESTION # 123
You place an application load balancer in front of two web servers that are stateful. Users begin to report intermittent connectivity issues when accessing the website. Why is the site not responding?
Response:
- A. Sticky sessions must be enabled on the application load balancer
- B. The web servers need to have their security group set to allow all Transmission Control Protocol (TCP) traffic from 0.0.0.0/0.
- C. The website needs to have port 443 open.
- D. The network Access Control List (ACL) on the subnet needs to allow a stateful connection.
Answer: A
NEW QUESTION # 124
DNS name resolution must be provided for services in the following four zones:
company.private.
emea.company.private.
apac.company.private.
amer.company.private.
The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones.
How can you use Amazon Route 53 to meet these requirements?
- A. Create a single Route 53 Private Hosted Zone for the zone company.private and associate it with the three VPCs.
- B. Create a single Route 53 Public Hosted Zone for the zone company.private and configure the VPC DNS Resolver to forward
- C. Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.
- D. Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward
Answer: A
Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Using rules in multiple Regions: Route 53 Resolver is a regional service, so objects that you create in one AWS Region are available only in that Region. To use the same rule in more than one Region, you must create the rule in each Region.
For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with the same VPCs.
NEW QUESTION # 125
A company has an AWS Site-to-Site VPN connection between AWS and its branch office. A network engineer is troubleshooting connectivity issues that the connection is experiencing. The VPN connection terminates at a transit gateway and is statically routed. In the transit gateway route table, there are several static route entries that target specific subnets at the branch office.
The network engineer determines that the root cause of the issues was the expansion of underlying subnet ranges in the branch office during routine maintenance.
Which solution will solve this problem with the LEAST administrative overhead for future expansion efforts?
- A. Create an AWS Direct Connect gateway and a transit VIF. Associate the Direct Connect gateway with the transit gateway. Create a propagation for the Direct Connect attachment to the transit gateway route table.
- B. Create a dynamically routed VPN connection on the transit gateway. Connect the dynamically routed VPN connection to the branch office. Create a propagation for the VPN attachment to the transit gateway route table. Remove the existing static VPN connection.
- C. Create a prefix list that contains the new subnets and the old subnets for the branch office. Remove the specific subnet routes in the transit gateway route table. Create a prefix list reference in the transit gateway route table.
- D. Determine a supernet for the branch office. In the transit gateway route table, add an aggregate route that targets the VPN attachment. Replace the specific subnet routes in the transit gateway route table with the new supernet route.
Answer: D
NEW QUESTION # 126
A company is using AWS Local Zones to bring cloud resources closer to the end-users to ensure very low latency access to the required resources. The company is looking at adding Elastic Load Balancing for enhanced security and performance.
Which of the following statements are relevant for configuring the ELB correctly?
(Select two)
Response:
- A. For added security, AWS WAF is supported on the load balancer with Local Zone subnets
- B. You cannot use a Lambda function as a target when using Local Zone subnets for configuring the ELB
- C. Only Application Load Balancer (ALB) supports Local Zones
- D. Both Application Load Balancer (ALB) and Network Load Balancer (NLB) support Local Zones
- E. Both Application Load Balancer (ALB) and Classic Load Balancer (CLB) support Local Zones
Answer: B,C
NEW QUESTION # 127
Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances.
End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service. You must prepare the system for global expansion. The end users must access the application with lowest latency.
How should you use AWS services to meet these requirements?
Response:
- A. Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.
- B. Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
- C. Register the IP addresses of the service hosts as "A" records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
- D. Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
Answer: C
NEW QUESTION # 128
Your company needs to leverage Amazon Simple Storage Service (Amazon S3) for backup and archiving.
According to company policy, data should not flow on the public Internet even if data is encrypted.
You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.
Which design should you set up?
Response:
- A. An AWS Direct Connect connection to us-east-1.
- B. An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.
- C. An AWS Direct Connect connection to us-west-2.
- D. An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.
Answer: C
NEW QUESTION # 129
A company's network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company's security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic.
Which solution will meet these requirements?
- A. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during non-business hours.
- B. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
- C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
- D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.
Answer: B
NEW QUESTION # 130
A network engineer is working on a large migration effort from an on-premises data center to an AWS Control Tower based multi-account environment. The environment has a transit gateway that is deployed to a central network services account. The central network services account has been shared with an organization in AWS Organizations through AWS Resource Access Manager (AWS RAM).
A shared services account also exists in the environment. The shared services account hosts workloads that need to be shared with the entire organization.
The network engineer needs to create a solution to automate the deployment of common network components across the environment. The solution must provision a VPC for application workloads to each new and existing member account. The VPCs must be connected to the transit gateway in the central network services account.
Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)
- A. Create an AWSControlTowerBlueprintAccess role in the shared services account.
- B. Deploy an Amazon EventBridge rule on a default event bus in the shared services account. Configure the EventBridge rule to react to AWS Control Tower CreateManagedAccount lifecycle events and to invoke the AWS Lambda function.
- C. Create an AWS CloudFormation template that describes the infrastructure that needs to be created in each account. Upload the template as an AWS Service Catalog product to the shared services account.
- D. Deploy an AWS Lambda function to the shared services account. Program the Lambda function to assume a role in the new and existing member accounts to provision the necessary network infrastructure.
- E. Update the existing accounts with an Account Factory Customization (AFC). Select the same AFC when provisioning new accounts.
- F. Create an AWSControlTowerBlueprintAccess role in each member account.
Answer: B
Explanation:
The correct steps are B, C, and D. These steps will meet the requirements with the least operational overhead because:
* Step D will deploy an AWS Lambda function to the shared services account that can automate the network infrastructure provisioning in each member account by assuming a role with the necessary permissions.
* Step C will create an AWS CloudFormation template that describes the VPC and the transit gateway attachment for each account. This template can be uploaded as an AWS Service Catalog product to the shared services account, which can be used by the AWS Lambda function to create the network resources in each member account.
* Step B will deploy an Amazon EventBridge rule on a default event bus in the shared services account that can react to AWS Control Tower lifecycle events, such as creating a new managed account (CreateManagedAccount). This rule can invoke the AWS Lambda function to provision the network infrastructure in the new account.
The other steps are incorrect because:
* Step E will update the existing accounts with an Account Factory Customization (AFC), which is a feature of AWS Control Tower that allows you to customize the account creation process with AWS CloudFormation templates. However, this step will not automate the network infrastructure provisioning for the existing accounts, as it only applies to the new accounts created through the Account Factory. Moreover, this step will require additional operational overhead to maintain the AFC templates and products.
* Step A will create an AWSControlTowerBlueprintAccess role in the shared services account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the shared services account. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products directly without using this role.
* Step F will create an AWSControlTowerBlueprintAccess role in each member account, which is a role that allows AWS Control Tower to access the AWS Service Catalog products in the member accounts. However, this step is not necessary for the automation solution, as the AWS Lambda function can access the AWS Service Catalog products in the shared services account without using this role.
A company ran out of IP address space in one of the Availability Zones in an AWS Region that the company uses. The Availability Zone that is out of space is assigned the 10.10.1.0/24 CIDR block. The company manages its networking configurations in an AWS CloudFormation stack. The company's VPC is assigned the 10.10.0.0/16 CIDR block and has available capacity in the 10.10.1.0/22 CIDR block.
How should a network specialist add more IP address space in the existing VPC with the LEAST operational overhead?
A) Update the AWS::EC2::Subnet resource for the Availability Zone in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
B) Update the AWS::EC2::VPC resource in the CloudFormation stack. Change the CidrBlock property to 10.10.1.0/22.
C) Copy the CloudFormation stack. Set the AWS::EC2::VPC resource CidrBlock property to 10.10.0.0/16. Set the AWS::EC2::Subnet resource CidrBlock property to 10.10.1.0/22 for the Availability Zone.
D) Create a new AWS::EC2::Subnet resource for the Availability Zone in the CloudFormation stack. Set the CidrBlock property to 10.10.2.0/24.
NEW QUESTION # 131
A network engineer needs to design a solution for an application running on an Amazon EC2 instance to connect to a publicly accessible Amazon RDS Multi-AZ DB instance in a different VPC and Region.
Security requirements mandate that the traffic not traverse the internet.
Which configuration will ensure that the instances communicate privately without routing traffic over the internet?
Response:
- A. Create a NAT gateway in the same subnet as the EC2 instances. Update the routing tables in the application VPC to route traffic through the NAT gateway to the DNS endpoint of the DB instance.
- B. Create a gateway endpoint to the DB instance. Update the routing tables in the application VPC to route traffic to the gateway endpoint.
- C. Configure a transit VPC to route traffic between the VPCs privately. Configure the application to connect to the DNS endpoint of the DB instance.
- D. Create a peering connection between the VPCs and update the routing tables to route traffic between the VPCs. Enable DNS resolution support for the VPC peering connection. Configure the application to connect to the DNS endpoint of the DB instance.
Answer: D
NEW QUESTION # 132