
[Dec 01, 2025] ANS-C01 Exam Dumps, ANS-C01 Practice Test Questions
Free ANS-C01 Study Guides Exam Questions and Answer
NEW QUESTION # 105
Which of the following endpoints can be accessed over AWS Direct Connect?
Response:
- A. Interface VPC endpoints
- B. Internet gateway
- C. VPC Gateway endpoints
- D. Network Address Translation (NAT) gateway
Answer: A
NEW QUESTION # 106
A company hosts a public hosted zone in Amazon Route 53. The company wants to configure DNS Security Extensions (DNSSEC) signing for the public hosted zone. All the company's business-critical applications are running in the us-west-2 Region.
The company has created a symmetric, customer managed, single-Region key in us-west-2 by using AWS Key Management Service (AWS KMS). A network engineer finds that the existing AWS KMS key cannot be used to create a key-signing key (KSK).
How can the network engineer resolve this issue?
Response:
- A. Recreate a symmetric, customer managed, single-Region key in us-west-2. Use this key to create a KSK.
- B. Recreate an asymmetric, customer managed key with an ECC_NIST_P256 key spec in the us-east-1 Region. Use this key to create a KSK.
- C. Recreate an asymmetric, customer managed key with an ECC_NIST_P256 key spec in us-west-2. Use this key to create a KSK.
- D. Recreate a symmetric, customer managed, multi-Region key in the us-east-1 Region. Use this key to create a KSK.
Answer: B
NEW QUESTION # 107
A company's network engineer is designing a hybrid DNS solution for an AWS Cloud workload.
Individual teams want to manage their own DNS hostnames for their applications in their development environment. The solution must integrate the application-specific hostnames with the centrally managed DNS hostnames from the on-premises network and must provide bidirectional name resolution. The solution also must minimize management overhead. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
- A. Create Amazon Route 53 private hosted zones.
- B. Modify the DHCP options set by setting a custom DNS server value.
- C. Set up a zone transfer between Amazon Route 53 and the on-premises DNS.
- D. Create DNS proxy servers.
- E. Use an Amazon Route 53 Resolver outbound endpoint.
- F. Use an Amazon Route 53 Resolver inbound endpoint.
Answer: A,E,F
Explanation:
For bidirectional name resolution, both a Route 53 Resolver inbound endpoint and an outbound endpoint are required.
https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/
NEW QUESTION # 108
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC.
The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer.
Which architecture will meet these requirements MOST cost-effectively?
- A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
- B. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
- C. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
Answer: A
NEW QUESTION # 109
You are a network admin of a US company called Webby Widgets that is expanding to Europe. The company has a website that serves dynamic and static content. You have been instructed to ensure the European clients receive the least latency possible, no matter where in Europe they live, while still allowing the US clients to receive the same user experience and performance they have been accustomed to. You have also been instructed to ensure both countries use the same URL to access the site and keep costs low.
What two things should you do?
(Choose two.)
Response:
- A. Create two A records: eu.webbywidgets.com that points to the EU resources and us.webbywidgets.com that points to the US resources.
- B. Use the Traffic Flow policy creator to create the perfect routing policy.
- C. Create a CloudFront distribution to serve the static content from an S3 bucket.
- D. Deploy three VPCs; one for the US, one for the EU, and one as a central VPC that hosts an Elastic Load Balancer that will distribute traffic between the US and EU VPCs.
Answer: B,C
NEW QUESTION # 110
For _______ distributions, CloudFront does not cache cookies in edge caches.
Note: Answers to this question are not verified by our experts; please study the topic yourself and select the appropriate answers.
Response:
- A. RTMP
- B. Web and RTMP
- C. AMI
- D. Web
Answer: C
NEW QUESTION # 111
A company has deployed Amazon EC2 instances in private subnets in a VPC. The EC2 instances must initiate any requests that leave the VPC, including requests to the company's on-premises data center over an AWS Direct Connect connection. No resources outside the VPC can be allowed to open communications directly to the EC2 instances.
The on-premises data center's customer gateway is configured with a stateful firewall device that filters for incoming and outgoing requests to and from multiple VPCs. In addition, the company wants to use a single IP match rule to allow all the communications from the EC2 instances to its data center from a single IP address.
Which solution will meet these requirements with the LEAST amount of operational overhead?
- A. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT instance.
- B. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
- C. Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
- D. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
Answer: B
NEW QUESTION # 112
Your company has the following Direct Connect and VPN connections:
Site A - VPN 10.1.0.0/24 AS 65000 65000
Site B - VPN 10.10.252/30 AS 65000
Site C - Direct Connect 10.0.0.0/8 AS 65000
Site D - Direct Connect 10.0.0.0/16 AS 65000 65000 65000
You are trying to connect to an IP address of 10.1.0.254. Which of the following routes will be chosen?
Response:
- A. Site B
- B. Site A
- C. Site D
- D. Site C
Answer: B
NEW QUESTION # 113
You are the network engineer at your company, and you are noticing issues with QoS in the traffic to your instances hosting a VOIP program. You need to inspect the network packets to determine if it is a programming error or a networking error. How should you do this?
Response:
- A. Configure a network monitoring program on every instance and stream the logs to an S3 bucket to be parsed.
- B. Inspect Flow Logs
- C. Set up another instance with an ENI added to act as a monitoring interface. Set the port to "promiscuous mode" and sniff the traffic to analyze the packets. Then output this single stream to an S3 bucket to be parsed.
- D. Use CloudWatch
Answer: A
NEW QUESTION # 114
An e-commerce company has its technology infrastructure deployed in hybrid mode with applications running in a single AWS Region as well as its on-premises data center. The company has a 10 Gbps AWS Direct Connect connection from the data center to AWS that is 70% utilized.
The company wants to deploy a new flagship application on AWS that will connect with existing applications running on-premises. The application SLA requires a minimum of 99.9% network uptime between the on-premises data center and the AWS Cloud. The company has an AWS Enterprise Support plan.
Which of the following options would you recommend as the MOST cost-effective solution to address this requirement?
Response:
- A. Purchase another 10 Gbps Direct Connect hosted connection through an AWS Direct Connect partner in a different Direct Connect location that terminates in the associated AWS Region. Set up a new virtual interface (VIF) to the existing VPC and use BGP for load balancing
- B. Purchase another 10 Gbps Direct Connect dedicated connection from AWS in a different Direct Connect location that terminates in the associated AWS Region. Set up a new virtual interface (VIF) to the existing VPC and use BGP for load balancing
- C. Purchase another 10 Gbps Direct Connect dedicated connection from AWS in the existing Direct Connect location that terminates in the associated AWS Region. Set up a new virtual interface (VIF) to the existing VPC and use BGP for load balancing
- D. Purchase two new Direct Connect hosted connections of 5 Gbps each through an AWS Direct Connect partner. Provision two virtual interfaces (VIFs) to the existing VPC on both Direct Connect connections and use BGP for load balancing. Terminate the existing 10 Gbps Direct Connect connection
Answer: B
NEW QUESTION # 115
A company has 10 web server Amazon EC2 instances that run in an Auto Scaling group in a production VPC. The company has 10 other web servers that run in an on-premises data center.
The company has a 10 Gbps AWS Direct Connect connection between the on-premises data center and the production VPC.
The company needs to implement a load balancing solution that receives HTTPS traffic from thousands of external users. The solution must distribute the traffic across the web servers on AWS and the web servers in the on-premises data center. Regardless of the location of the web servers, HTTPS requests must go to the same web server throughout the entire session.
Which solution will meet these requirements?
- A. Create an Application Load Balancer (ALB) in the production VPC. Create a target group. Specify ip as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable application-based session affinity (sticky sessions) on the ALB.
- B. Create an Application Load Balancer (ALB) in the production VPC. Create a target group. Specify instance as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable application-based session affinity (sticky sessions) on the ALB.
- C. Create a Network Load Balancer (NLB) in the production VPC. Create a target group. Specify ip as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable connection draining on the NLB.
- D. Create a Network Load Balancer (NLB) in the production VPC. Create a target group. Specify instance as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable session affinity (sticky sessions) on the NLB.
Answer: A
Explanation:
An ALB supports on-premises IP addresses as targets in a target group, and you need session affinity for this.
https://aws.amazon.com/blogs/aws/new-application-load-balancing-via-ip-address-to-aws-on-premises-resources/
NEW QUESTION # 116
The networking team at a global company has set up separate VPCs for applications managed by the Finance, Marketing, Audit and HR departments. You need to set up AWS Direct Connect to enable data flow from the on-premises data center to each of these VPCs. The company has monitoring software running in the Audit department's VPC that needs to collect metrics from the instances in all the other VPCs.
Due to budget constraints, the data transfer charges should be kept to a minimum. Which of the following solutions would you recommend for the given requirement?
Response:
- A. Create a public VIF to the Audit department's VPC. Peer this VPC to all the other VPCs
- B. Create four private VIFs, that is, one VIF each from the on-premises data center to each of the VPCs. Enable VPC peering between all VPCs
- C. Create four private VIFs, that is, one VIF each from the on-premises data center to each of the VPCs. Route traffic between VPCs using the Direct Connect link
- D. Create a private VIF to the Audit department's VPC. Peer this VPC to all the other VPCs
Answer: B
NEW QUESTION # 117
A social media company is planning to release the major upgrade of its flagship application in a week.
The development team is testing the alpha release of the application running on 10 EC2 instances managed by an Auto Scaling group in subnet 172.10.0.0/24 within VPC A having CIDR block 172.10.0.0/16.
The team has noticed connection timeout errors in the application logs while connecting to a MySQL database running on an EC2 instance in the same region in subnet 172.40.0.0/24 within VPC B having CIDR block 172.40.0.0/16. The IP of the database instance is hard-coded in the application instances.
As a Networking Specialist, which of the following solutions would you suggest to the development team to solve the problem securely with minimal maintenance and overhead?
(Select two)
Response:
- A. Create and attach NAT gateways for both VPCs and set up routes to the NAT gateways for both VPCs. Assign an Elastic IP for the EC2 instance running MySQL database in VPC B. Update the application instances to connect to this Elastic IP
- B. Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC A that points to the IP address range of 172.40.0.0/16
- C. Create and attach internet gateways for both VPCs and set up default routes to the Internet gateways for both VPCs. Assign an Elastic IP for the EC2 instance running MySQL database in VPC B. Update the application instances to connect to this Elastic IP
- D. Set up a VPC peering connection between the two VPCs and add a route to the routing table of VPC B that points to the IP address range of 172.10.0.0/16
- E. Create and attach virtual private gateways for both VPCs and set up default routes to the customer gateways for both VPCs. Assign an Elastic IP for the EC2 instance running MySQL database in VPC B. Update the application instances to connect to this Elastic IP
Answer: B,D
NEW QUESTION # 118
Which of the following allows you to restrict access to your Amazon Simple Storage Service (Amazon S3) bucket to Amazon CloudFront distributions that you control?
Response:
- A. Origin Access Control (OAC)
- B. AWS Lambda@Edge
- C. Preshared keys
- D. Custom HTTP header
Answer: A
NEW QUESTION # 119
A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface, the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?
- A. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
- B. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.
- C. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.
- D. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
Answer: C
Explanation:
During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.
This solution meets all of the requirements stated in the question. The primary network interface can be configured in a private subnet during creation of the Auto Scaling group. The user data option can be used to run a cloud-init script that will allocate a second network interface and associate an Elastic IP address from the BYOIP pool with it.
NEW QUESTION # 120
A company has two AWS Direct Connect connections between Direct Connect locations and the company's on-premises environment in the US. The company uses the connections to communicate with AWS workloads that run in the us-east-1 Region. The company has a transit gateway that connects several VPCs.
The Direct Connect connections terminate at a Direct Connect gateway and the transit VIFs to the transit gateway.
The company recently acquired a smaller company that is based in Europe. The newly acquired company has only on-premises workloads. The newly acquired company does not expect to run workloads on AWS for the next 3 years. However, the newly acquired company requires connectivity to the parent company's AWS resources in us-east-1 and to the parent company's on-premises environment in the US. The parent company wants to use two new Direct Connect connections in Europe to provide the required connectivity.
Which solution will meet these requirements with the LEAST operational overhead for the newly acquired company?
- A. Associate new transit VIFs to a new Direct Connect gateway and to a new transit gateway in the eu-west-1 Region. Use transit gateway peering to connect the transit gateways.
- B. Associate new private VIFs to the existing Direct Connect gateway. Configure the existing transit VIFs and the new private VIFs to use Direct Connect SiteLink.
- C. Associate new transit VIFs to the existing Direct Connect gateway. Configure the new transit VIFs to use Direct Connect SiteLink.
- D. Associate new private VIFs to a new Direct Connect gateway and to a new VPC in us-east-1. Configure the existing transit VIFs and the new private VIFs to use Direct Connect SiteLink and AWS PrivateLink endpoints in the new VPC.
Answer: C
Explanation:
In this scenario, the company wants to provide connectivity from the newly acquired company in Europe to the existing AWS resources in the us-east-1 Region with minimal operational overhead. The best approach is to use Direct Connect SiteLink, which allows direct communication between two different Direct Connect locations (one in Europe and one in the US) via the existing Direct Connect gateway.
By associating new transit VIFs (Virtual Interfaces) to the existing Direct Connect gateway and configuring Direct Connect SiteLink, the company can efficiently extend the existing network architecture with minimal additional configuration. This solution provides the required connectivity to both AWS resources and the on-premises environment in the US, leveraging the existing infrastructure without introducing significant complexity or the need for additional resources like new transit gateways or VPCs.
NEW QUESTION # 121
You have set up an S3 endpoint, and you want to restrict some instances from being able to access it.
These instances are all in the same subnet, so you cannot simply remove the prefix list from the route table. What two approaches can you take to solve this?
(Choose two.)
Response:
- A. Add a rule in the NACL to block the prefix list ID outbound.
- B. This is not possible.
- C. Remove any access to the PL in the security group attached to the instances.
- D. Modify the endpoint policy.
Answer: C,D
NEW QUESTION # 122
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
- A.
  1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts.
  2. In the Connectivity account: Accept the resource.
  3. In the Connectivity account: Create an attachment to the VPC subnets.
  4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- B.
  1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
  2. In the Connectivity account: Accept the resource.
  3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
- C.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
  4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- D.
  1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
  2. In the Production account: Accept the resource.
  3. In the Production account: Create an attachment to the VPC subnets.
  4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
Answer: A
Explanation:
Step 1: In the Production account, create a resource share in AWS Resource Access Manager for the transit gateway and provide the Connectivity account ID. Enabling the feature to allow external accounts is also required to share resources between accounts.
Step 2: In the Connectivity account, accept the shared resource. This action will allow the Production account to use the transit gateway in the Connectivity account.
Step 3: In the Connectivity account, create an attachment to the VPC subnets. This attachment will enable communication between the VPC in the Production account and the transit gateway in the Connectivity account.
Step 4: In the Production account, accept the attachment and associate a route table with the attachment. This will enable the VPC to route traffic through the transit gateway to other resources in the Connectivity account.
NEW QUESTION # 123
A company is migrating critical applications to AWS. The company has multiple accounts and VPCs that are connected by a transit gateway.
A network engineer must design a solution that performs deep packet inspection for any traffic that leaves a VPC network boundary. All inspected traffic and the actions that are taken on the traffic must be logged in a central log account.
Which solution will meet these requirements with the LEAST administrative overhead?
- A. Create a central log VPC and an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Network Load Balancer (NLB) that is backed by third-party, next-generation intrusion detection system (IDS) security appliances to the central VPC. Activate rules on the security appliances to monitor for intrusion signatures. For each network interface, create a VPC Traffic Mirroring session that sends the traffic to the central VPC's NLB.
- B. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Application Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create a syslog server in the central log account. Configure the firewall appliances to capture and save the network flow logs to the syslog server.
- C. Create a central network VPC that includes an attachment to the transit gateway. Update the VPC and transit gateway route tables to support the new attachment. Deploy an AWS Gateway Load Balancer that is backed by third-party, next-generation firewall appliances to the central network VPC. Create a policy that contains the rules for deep packet inspection. Attach the policy to the firewall appliances. Create an Amazon S3 bucket in the central log account. Configure the firewall appliances to capture and save the network flow logs to the S3 bucket.
- D. Deploy network ACLs and security groups to each VPC. Attach the security groups to active network interfaces. Associate the network ACLs with VPC subnets. Create rules for the network ACLs and security groups to allow only the required traffic flows between subnets and network interfaces. Create an Amazon S3 bucket in the central log account. Configure a VPC flow log that captures and saves all traffic flows to the S3 bucket.
Answer: A
Explanation:
https://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-traffic-mirroring-to-monitor-and-secure-your-aws-infrastructure/
NEW QUESTION # 124
Two VPCs have been connected with a VPC peering relationship. Both VPCs should be able to perform DNS lookups in the private address space of the other VPC. Which configuration task must be completed to allow VPC peering to correctly resolve DNS queries to internal IP addresses?
Response:
- A. Create routes to the DNS server of the peer VPC
- B. Configure DNS forwarding using Route 53
- C. Allow accepter and requester DNS resolution
- D. Configure the TCP/IP stack of instances with the DNS server for the other VPC
Answer: C
NEW QUESTION # 125
You have a server that serves www, FTP, and mail. You need to access this server using www.yourname.com, ftp.yourname.com, and mail.yourname.com. You want to ensure an IP change results in the least number of other changes.
What is the best solution?
Response:
- A. Create an A record for www, ftp and mail, and point it to the ALIAS of the server.
- B. Create an A record pointing to the server's IP address and create CNAME records for www, ftp, and mail and point those to the A record.
- C. Create PTR records and point the IP address of the server back to www, ftp, and mail.
- D. Create CNAME records for www, ftp, and mail and point those to the A record already provided to the instance by AWS.
Answer: C

