Amazon Web Services · Free Practice Questions · Last reviewed May 2026

ANS-C01 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

65 exam questions
170 min time limit
Pass: 750 / 1000
4 exam domains

Domain 1: Network Management and Operations

Q1 (medium)

A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?

A. The EC2 instance is using a different VPC than the one where flow logs are configured.
B. The flow log format is set to 'ALL', which excludes NAT gateway traffic.
C. The flow logs are configured to capture only rejected traffic by default.
D. Flow logs must be created specifically for the NAT gateway's elastic network interface to capture its traffic.
   Correct: VPC-level flow logs do not capture traffic for the NAT gateway's ENI; a separate flow log for the NAT gateway ENI is required.

Why: VPC Flow Logs capture traffic at the elastic network interface (ENI) level. A centralized NAT gateway has its own ENI in the public subnet, and traffic from private instances is routed through that ENI when it reaches the internet. To log that traffic, flow logs must be created specifically for the NAT gateway's ENI, not just at the VPC level, because VPC-level flow logs capture traffic for ENIs within that VPC but do not inherently capture traffic passing through the NAT gateway's ENI unless that ENI is explicitly targeted.
Q2 (hard)

A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?

A. Deploy a NAT Gateway in each VPC to force symmetric traffic.
B. Use AS_PATH prepending on the BGP advertisements from the on-premises router to influence route preference.
   Correct: AS_PATH prepending makes one path less preferred, ensuring symmetric routing.
C. Create a Transit Gateway peering attachment between the two VPCs.
D. Enable VPC Flow Logs to detect and alert on asymmetric flows.

Why: AS_PATH prepending allows the on-premises router to artificially lengthen the AS_PATH for specific BGP routes, making those routes less preferred. This influences route selection in the Transit Gateway and VPC route tables, ensuring that traffic from each VPC takes a consistent path and eliminating asymmetric routing.
Q3 (easy)

A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?

A. Verify that the VPN tunnel status is UP.
B. Review the customer gateway configuration for incorrect BGP settings.
C. Ensure the virtual private gateway is attached to the correct VPC.
D. Check the VPC route tables to ensure routes to the on-premises network point to the virtual private gateway.
   Correct: Missing routes in the VPC route table would prevent inbound traffic from reaching instances.

Why: Option D is correct because even if the VPN tunnel is up and BGP is peering, traffic will not flow unless the VPC route tables have a route pointing to the virtual private gateway (VGW) for the on-premises CIDR. Without this route, the VPC has no path to forward return traffic back to the on-premises network, causing asymmetric routing or blackholing.
Q4 (medium)

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a single subnet in the VPC, and the authorization rules allow access to the entire VPC CIDR (10.0.0.0/16). The security group assigned to the Client VPN endpoint allows all traffic. What is the most likely cause of this issue?

A. The security group assigned to the Client VPN endpoint does not allow inbound traffic from the client CIDR.
B. The route table associated with the Client VPN subnet does not have a route for the client IP range.
   Correct: Without a return route, traffic from instances cannot reach the VPN clients.
C. The authorization rule is too broad and is blocking traffic.
D. The Client VPN endpoint does not have a security group association configured.

Why: The Client VPN endpoint is associated with a single subnet in the VPC. For traffic from the VPN clients to reach resources in the VPC, the route table of that subnet must include a route pointing the client IP range back to the VPN endpoint's network interface. Without this route, the subnet has no path to forward return traffic to the clients, even though the clients can establish the VPN tunnel. Option B correctly identifies this missing route as the root cause.
Q5 (hard)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises router is advertising a default route (0.0.0.0/0) via BGP. The VPC has an internet gateway attached, and the route table has a default route to the internet gateway. The network team notices that traffic from on-premises to the internet is not working as expected. What is the most likely cause?

A. The BGP session is not established.
B. The on-premises router is advertising a default route, causing a routing conflict.
   Correct: The default route from Direct Connect may override the internet gateway route, breaking internet access for on-premises traffic.
C. The VPC route table does not have a route to the internet gateway for the on-premises traffic.
D. The private VIF is associated with the wrong VLAN.

Why: The on-premises router advertising a default route (0.0.0.0/0) via BGP over the private VIF causes a routing conflict because the VPC route table already has a default route pointing to the internet gateway. When traffic from on-premises destined for the internet enters the VPC, it matches the more specific BGP-learned default route and is forwarded back toward the on-premises router (or black-holed), rather than being sent to the internet gateway. This creates a routing loop or asymmetric routing, breaking internet connectivity from on-premises.
Q6 (medium)

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team wants to log and monitor all traffic flows across the Transit Gateway for security analysis. Which TWO actions should the team take? (Choose TWO.)

A. Use AWS Config rules to evaluate the Transit Gateway route tables.
B. Send the flow logs to Amazon CloudWatch Logs for monitoring and alerting.
   Correct: CloudWatch Logs can aggregate and analyze flow logs for security monitoring.
C. Enable VPC Flow Logs on each Transit Gateway attachment.
   Correct: Flow logs at the attachment level capture all traffic traversing that attachment.
D. Enable VPC Flow Logs on the Transit Gateway itself.
E. Configure VPC Traffic Mirroring on the Transit Gateway.

Why: Option B is correct because VPC Flow Logs can be published to Amazon CloudWatch Logs, enabling real-time monitoring, alerting, and integration with AWS Lambda or third-party tools for security analysis. This allows the network team to capture IP traffic information for all flows across Transit Gateway attachments when flow logs are enabled on those attachments. Option C is correct because VPC Flow Logs must be enabled at the Transit Gateway attachment level (not on the Transit Gateway itself) to capture traffic traversing the Transit Gateway, as the Transit Gateway is a network transit hub and does not generate its own flow logs.


Domain 2: Network Security, Compliance and Governance

Q1 (medium)

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

A. Create VPC peering connections between each application VPC and the inspection VPC, and add routes pointing to the peering connection.
B. Attach an internet gateway to each application VPC and add a default route pointing to the inspection VPC's NAT gateway.
C. Attach an internet gateway to each application VPC and add a default route pointing to it.
D. Create a TGW route table with a blackhole route for 0.0.0.0/0 and associate it with application VPC attachments; attach the inspection VPC to a different TGW route table that has a route to the internet via an egress VPC.
   Correct: This enforces traffic flow through the inspection VPC.

Why: Option D is correct because it uses separate Transit Gateway route tables to enforce traffic isolation: the application VPC attachments use a route table with a blackhole for 0.0.0.0/0, preventing direct internet access, while the inspection VPC uses a different route table with a route to an egress VPC that has an internet gateway. This ensures all outbound traffic from application VPCs must first traverse the inspection VPC for security monitoring before reaching the internet.
Q2 (hard)

A security engineer is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The company requires that all VPC flow logs be delivered to a central S3 bucket in the security account. The security engineer has created a bucket policy that grants the necessary permissions. However, flow logs from member accounts are failing to be delivered. What is the most likely cause?

A. The member accounts have not created an IAM role with permissions to write to the central bucket.
B. The bucket policy does not include a condition that restricts access to the flow log delivery service using aws:SourceArn or aws:SourceAccount.
   Correct: This condition is essential to prevent the confused deputy problem.
C. The bucket policy does not grant write access to the member accounts' root user.
D. The central S3 bucket has not been configured with ACLs enabled.

Why: Option B is correct because the VPC Flow Logs delivery service uses a service-linked role to write to the destination S3 bucket. Without a condition in the bucket policy that restricts access using `aws:SourceArn` or `aws:SourceAccount`, the policy is vulnerable to the confused deputy problem, where a different AWS service or account could potentially write to the bucket. The missing condition causes the delivery to fail because the service cannot verify that the request originated from the expected source.
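The check described in this explanation can be automated. The following is an added example (not Courseiva's code) that audits an S3 bucket policy for an Allow statement granting the flow-log delivery service write access without an aws:SourceAccount or aws:SourceArn condition. Both policy documents are constructed samples modelled on the shape of a flow-log delivery policy; the bucket name, account ID and Region in them are placeholders.

```python
"""Audit a central flow-log bucket policy for the confused-deputy condition.

Added example, not Courseiva's code. The two policies are constructed
samples; bucket name, account ID and Region are placeholders.
"""
import json

FLOW_LOG_SERVICE = "delivery.logs.amazonaws.com"
SOURCE_CONDITION_KEYS = ("aws:sourceaccount", "aws:sourcearn")  # compared case-insensitively

# Constructed weak policy: the delivery service may write, but nothing pins
# the request to a particular source account or flow-log ARN.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": FLOW_LOG_SERVICE},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::EXAMPLE-central-flow-logs/AWSLogs/*",
        "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
    }],
})

# Constructed hardened policy: same grant, scoped to the expected source
# account and to flow-log ARNs in that account (placeholder values).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": FLOW_LOG_SERVICE},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::EXAMPLE-central-flow-logs/AWSLogs/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": "111122223333",
            },
            "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:111122223333:*"},
        },
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Lower-cased set of condition keys used anywhere in the statement."""
    keys = set()
    for operator_map in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_map)
    return keys


def audit_flow_log_bucket_policy(policy_json):
    """Return one finding per Allow statement that lets the flow-log delivery
    service write objects without an aws:SourceAccount/aws:SourceArn condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if FLOW_LOG_SERVICE not in services:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        if not _condition_keys(stmt) & set(SOURCE_CONDITION_KEYS):
            findings.append(
                f"{stmt.get('Sid', '<no Sid>')}: {FLOW_LOG_SERVICE} may write objects "
                "without an aws:SourceAccount or aws:SourceArn condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_flow_log_bucket_policy(doc) or ["no findings"])
```

Run against a real bucket policy (for example the output of `aws s3api get-bucket-policy`), the function only looks at the delivery-service statements, so ordinary cross-account grants in the same policy are left alone.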
Q3 (easy)

A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?

A. Use a public virtual interface (VIF) and route traffic through a NAT gateway.
B. Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.
   Correct: IPsec provides encryption over the Direct Connect link.
C. Use a private virtual interface (VIF) and enable encryption on the Direct Connect connection.
D. Use a private VIF and enable TLS on all applications.

Why: Option B is correct because AWS Direct Connect does not natively encrypt traffic; it provides a private, dedicated network connection. To meet the encryption requirement, you can establish an IPsec VPN tunnel over the private VIF, which encrypts all traffic between the on-premises network and the VPC. This approach combines the low latency and reliability of Direct Connect with the security of IPsec encryption.
Q4 (hard)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?

A. Launch a NAT instance in a public subnet and assign an Elastic IP. Configure the private subnet route table to point to the NAT instance.
B. Create an internet gateway and attach it to the private subnet, then configure the route table.
C. Create a VPC endpoint for Amazon S3 and route software update traffic through that endpoint.
D. Create a NAT gateway in each Availability Zone and assign the same Elastic IP to both.

Why: Option B is correct because a NAT gateway in each AZ provides high availability and a single Elastic IP per AZ, but if you need a single IP, you can use a single NAT gateway in one AZ (with a single EIP) or use a NAT instance with an EIP. However, the requirement is highly available and a single IP. A NAT gateway in each AZ would have multiple IPs. Option A is wrong because a NAT instance is not highly available. Option C is wrong because an internet gateway in a private subnet is not allowed. Option D is wrong because a VPC endpoint for S3 does not provide internet access.
Q5 (medium)

A company wants to audit all changes made to security groups and network ACLs in its AWS account. Which AWS service should be used to capture these API calls?

A. AWS CloudTrail
   Correct: CloudTrail logs API calls for auditing.
B. Amazon GuardDuty
C. VPC Flow Logs
D. AWS Config

Why: AWS CloudTrail is the correct service because it records all API calls made to the AWS environment, including those that modify security groups and network ACLs. By enabling CloudTrail, you can capture CreateSecurityGroup, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, CreateNetworkAclEntry, and similar API calls, providing an audit trail of who made the change, when, and from which IP address.
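The audit trail this explanation describes is what a detection rule consumes. The following added example (not Courseiva's code) filters a CloudTrail Records document for the EC2 API calls that mutate security groups or network ACLs, produces the who/when/where line for each, and flags an ingress authorization that opens a port to 0.0.0.0/0. The three records are constructed in the shape of CloudTrail events; the account ID, ARNs, resource IDs and IP addresses are placeholders, and the event-name set extends the four names listed above with their EC2 counterparts.

```python
"""Extract security-group / network-ACL changes from CloudTrail records.

Added example, not Courseiva's code. SAMPLE_TRAIL is constructed; all
identifiers in it are placeholders.
"""
import json
from datetime import datetime, timezone

# EC2 API actions that change security groups or network ACLs.
NETWORK_CONTROL_EVENTS = {
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAcl", "DeleteNetworkAcl",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}

# Constructed sample: a CloudTrail "Records" document as delivered to S3.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-05-01T10:15:22Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/netops-alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2026-05-01T10:16:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "awsRegion": "us-east-1",   # read-only, ignored
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/netops-alice"},
     "requestParameters": {}},
    {"eventTime": "2026-05-01T11:02:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci-runner"},
     "requestParameters": {"networkAclId": "acl-0abc1234", "ruleNumber": 100,
                           "egress": False, "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}},
]})


def network_change_events(trail_json):
    """Return the mutating SG/NACL events from a CloudTrail Records document."""
    return [r for r in json.loads(trail_json)["Records"]
            if r.get("eventSource") == "ec2.amazonaws.com"
            and r.get("eventName") in NETWORK_CONTROL_EVENTS]


def audit_line(record):
    """Who changed which resource, when, and from which IP address."""
    params = record.get("requestParameters") or {}
    target = params.get("groupId") or params.get("networkAclId") or "<unknown>"
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (f"{when.isoformat()} {record['eventName']} on {target} "
            f"by {record['userIdentity']['arn']} from {record['sourceIPAddress']}")


def opens_port_to_world(record):
    """True if an AuthorizeSecurityGroupIngress call added a 0.0.0.0/0 source."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = (record.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


if __name__ == "__main__":
    for event in network_change_events(SAMPLE_TRAIL):
        flag = "  <-- world-open ingress" if opens_port_to_world(event) else ""
        print(audit_line(event) + flag)
```

The same filter works on records read from the CloudTrail S3 delivery prefix or from a CloudWatch Logs subscription; only the outer wrapper differs.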
Q6 (medium)

A security engineer is designing a security group configuration for a web application that consists of an Application Load Balancer (ALB), Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS database. Which TWO actions should the engineer take to follow security best practices? (Choose TWO.)

A. Configure the RDS security group to allow inbound traffic on port 3306 from 0.0.0.0/0.
B. Configure the EC2 instance security group to allow inbound traffic on port 443 from the ALB security group.
   Correct: Best practice: reference a security group instead of a CIDR.
C. Configure the RDS security group to allow inbound traffic on port 3306 from the EC2 instance security group.
   Correct: Best practice: restrict database access to app servers.
D. Configure the ALB security group to allow inbound traffic on port 443 from the security group of the EC2 instances.
E. Configure the ALB security group to allow inbound traffic on port 80 from the security group of the EC2 instances.

Why: Option B is correct because referencing the ALB security group as the source in the EC2 security group rule ensures that only traffic originating from the ALB (and not any other source) is allowed on port 443. This follows the security best practice of using security group references instead of IP ranges, providing a tighter, more dynamic access control that automatically scales with the ALB's elastic network interfaces.
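The tier-to-tier rules in options B and C can be verified programmatically. The following added example (not Courseiva's code) checks a set of security groups in the shape of the EC2 DescribeSecurityGroups response: the app tier's port 443 must be reachable only from the ALB's group, the database's port 3306 only from the app tier's group, and neither port may carry a CIDR source (option A's mistake). The group IDs and the sample groups are constructed; the constructed database group deliberately contains the 0.0.0.0/0 rule so the check has something to find, and a hardening helper shows the corrected form.

```python
"""Verify three-tier security-group references (ALB -> app -> database).

Added example, not Courseiva's code. Group IDs and rules are constructed.
"""
import copy

ALB_SG, APP_SG, DB_SG = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002", "sg-0a1b2c3d4e5f60003"


def _perm(port, cidrs=(), groups=()):
    """Build one IpPermissions entry in DescribeSecurityGroups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed sample: the database group wrongly allows 3306 from the
# whole internet in addition to the app tier.
SAMPLE_GROUPS = [
    {"GroupId": ALB_SG, "GroupName": "web-alb", "IpPermissions": [_perm(443, cidrs=["0.0.0.0/0"])]},
    {"GroupId": APP_SG, "GroupName": "app-tier", "IpPermissions": [_perm(443, groups=[ALB_SG])]},
    {"GroupId": DB_SG, "GroupName": "db-tier",
     "IpPermissions": [_perm(3306, cidrs=["0.0.0.0/0"], groups=[APP_SG])]},
]

# For each (group, port): the only security group that may be its source.
EXPECTED_SOURCE = {(APP_SG, 443): ALB_SG, (DB_SG, 3306): APP_SG}


def _rules_for_port(group, port):
    return [p for p in group.get("IpPermissions", [])
            if p.get("IpProtocol") in ("tcp", "-1")
            and (p.get("FromPort") is None or p["FromPort"] <= port <= p["ToPort"])]


def check_tier_rules(groups):
    """Return findings for tier ports that are open to CIDRs or to the wrong group."""
    findings = []
    by_id = {g["GroupId"]: g for g in groups}
    for (gid, port), expected in EXPECTED_SOURCE.items():
        group = by_id.get(gid)
        if group is None:
            findings.append(f"{gid}: security group not found")
            continue
        rules = _rules_for_port(group, port)
        sources = {pair["GroupId"] for p in rules for pair in p.get("UserIdGroupPairs", [])}
        cidrs = {r["CidrIp"] for p in rules for r in p.get("IpRanges", [])}
        for cidr in sorted(cidrs):
            findings.append(f"{gid}: tcp/{port} open to CIDR {cidr}; reference a security group instead")
        for src in sorted(sources - {expected}):
            findings.append(f"{gid}: tcp/{port} allowed from unexpected group {src}")
        if expected not in sources:
            findings.append(f"{gid}: tcp/{port} is not allowed from {expected}")
    return findings


def harden(groups):
    """Return a deep copy with CIDR sources removed from the tier ports,
    leaving only the security-group references."""
    fixed = copy.deepcopy(groups)
    for group in fixed:
        for (gid, port) in EXPECTED_SOURCE:
            if group["GroupId"] == gid:
                for rule in _rules_for_port(group, port):
                    rule["IpRanges"] = []
    return fixed


if __name__ == "__main__":
    print("before:", check_tier_rules(SAMPLE_GROUPS) or ["clean"])
    print("after: ", check_tier_rules(harden(SAMPLE_GROUPS)) or ["clean"])
```

The ALB group is intentionally not checked here: it is the internet-facing tier, so a 0.0.0.0/0 source on 443 is expected there, while the same source on the app or database tier is a finding.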


Domain 3: Network Design

Q1 (medium)

A company is migrating its on-premises data center to AWS. The network team needs to establish connectivity between the on-premises network and multiple VPCs in a single AWS Region. The company has a Direct Connect connection and wants to minimize latency and cost while maximizing bandwidth utilization. Which solution meets these requirements?

A. Provision a separate Direct Connect virtual interface for each VPC.
B. Create a VPN connection over the Direct Connect link to each VPC.
C. Use VPC peering between the on-premises network and each VPC.
D. Use a Direct Connect gateway and associate it with the VPCs.
   Correct: A Direct Connect gateway allows multiple VPCs to share the same Direct Connect connection.

Why: A Direct Connect gateway allows a single Direct Connect connection to connect to multiple VPCs in the same or different AWS Regions, minimizing latency by using a private, dedicated network path and reducing cost by eliminating the need for separate virtual interfaces or VPN tunnels per VPC. It also maximizes bandwidth utilization by aggregating traffic from multiple VPCs over the same Direct Connect link.
Q2 (hard)

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

A. Change the VPN connection from static to dynamic routing.
B. Enable jumbo frames on the transit VPC's EC2-based virtual appliances.
   Correct: Jumbo frames reduce overhead and improve throughput for large packets.
C. Enable BGP route propagation on the transit VPC's route tables.
D. Deploy a new transit VPC in eu-west-1.

Why: The issue is intermittent connectivity between an on-premises office in ap-southeast-1 and a spoke VPC in eu-west-1, traversing a transit VPC in us-east-1. The VPN is up, so the problem is likely packet fragmentation or MTU mismatch across the long-haul path. Enabling jumbo frames on the transit VPC's EC2-based virtual appliances (e.g., firewall or router instances) increases the maximum transmission unit, reducing fragmentation and improving performance for large packets, which is a common cause of intermittent issues in hub-and-spoke topologies.
Q3 (easy)

A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?

A. Web servers in public subnets, application and database servers in private subnets with an internet gateway for outbound traffic.
B. All servers in public subnets with security groups restricting access.
C. Web servers in public subnets with an Application Load Balancer, application servers in private subnets with a NAT gateway, and database servers in private subnets.
   Correct: This follows best practices for a three-tier architecture.
D. All servers in private subnets and a VPN connection to the internet.

Why: Option C is correct because it places web servers in public subnets with an Application Load Balancer for inbound internet traffic, while application and database servers reside in private subnets without direct internet access. A NAT gateway in a public subnet enables the application servers to initiate outbound connections to a third-party API, with return traffic automatically routed back, meeting the requirement for outbound-only internet access.
Q4 (hard)

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs in the same AWS Region. The company wants to use AWS Transit Gateway to simplify connectivity between these VPCs and their on-premises network. Which steps are required to integrate the existing Direct Connect connection with Transit Gateway?

A. Set up a VPN connection over the Direct Connect link and attach the VPN to the Transit Gateway.
B. Attach the existing private VIFs directly to the Transit Gateway.
C. Create a new private VIF on the Direct Connect connection and attach it to the Transit Gateway.
D. Create a Direct Connect gateway, associate the existing VIFs, and attach the Direct Connect gateway to the Transit Gateway.
   Correct: This is the correct integration path.

Why: Option D is correct because AWS Direct Connect private VIFs cannot be attached directly to a Transit Gateway. Instead, you must create a Direct Connect Gateway, associate the existing private VIFs with it, and then attach the Direct Connect Gateway to the Transit Gateway. This architecture allows the Transit Gateway to route traffic between the on-premises network (via the Direct Connect connection) and the attached VPCs, while also enabling inter-VPC routing through the Transit Gateway.
Q5 (medium)

A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?

A. Set up an AWS Transit Gateway in each region and connect them via a VPN attachment.
   Correct: Transit Gateway with VPN can handle overlapping CIDRs.
B. Use a Direct Connect connection between the regions.
C. Use VPC peering between the two VPCs.
D. Place all resources in a single VPC with multiple Availability Zones.

Why: Option A is correct because AWS Transit Gateway supports inter-region peering attachments that use the AWS global network backbone, providing low-latency, private connectivity between VPCs in different regions. Even when VPCs have overlapping CIDR blocks, Transit Gateway can handle this through route table isolation and network segmentation (e.g., using separate route tables for each VPC attachment), which VPC peering cannot do. VPN attachments between Transit Gateways in each region establish encrypted tunnels over the AWS backbone, avoiding the public internet.
Q6 (hard)

A company is designing a hybrid network using AWS Transit Gateway. The company has three VPCs (VPC-A, VPC-B, VPC-C) all attached to the same Transit Gateway. The on-premises network connects to the Transit Gateway via a Direct Connect gateway. The company needs to ensure that VPC-C can communicate with the on-premises network but not with VPC-A or VPC-B. Which TWO actions should the network engineer take?

A. Use security groups on VPC-C to deny traffic from VPC-A and VPC-B.
B. Associate the VPC-C route table with the Direct Connect gateway attachment.
   Correct: This enables VPC-C to communicate with on-premises via Direct Connect.
C. Establish VPC peering connections between VPC-C and VPC-A, and VPC-C and VPC-B.
D. Create a separate Transit Gateway route table for VPC-C and do not propagate VPC-A and VPC-B routes.
   Correct: This isolates VPC-C from VPC-A and VPC-B.
E. Apply a network ACL on VPC-C subnets to block traffic from VPC-A and VPC-B.

Why: Option B is correct because associating the VPC-C route table with the Direct Connect gateway attachment allows VPC-C to exchange routes with the on-premises network via the Transit Gateway, enabling communication. Option D is correct because creating a separate Transit Gateway route table for VPC-C and not propagating VPC-A and VPC-B routes ensures that VPC-C has no routes to those VPCs, effectively isolating it from them at the network layer.


Domain 4: Network Implementation

Q1 (medium)

A company is deploying a multi-tier web application across two AWS Regions. The application uses an Application Load Balancer (ALB) in each region, and traffic must be distributed to the closest healthy ALB using Route 53 latency-based routing. The application requires that clients maintain the same source IP address when the request is forwarded from the ALB to the backend targets. The backend targets are EC2 instances in private subnets. The company also needs to ensure that traffic between the ALB and targets stays within AWS. What should the company implement to meet these requirements?

A. Deploy a Network Load Balancer (NLB) in each region with targets in public subnets. Use Route 53 latency-based routing to the NLB.
B. Deploy an internal ALB in each region. Place targets in private subnets. Use VPC endpoints for the ALB (AWS PrivateLink) and Route 53 latency-based routing to the VPC endpoint.
   Correct: Internal ALB with VPC endpoints keeps traffic within AWS and preserves source IP.
C. Deploy an Application Load Balancer (ALB) with internet-facing scheme in each region. Use Route 53 latency-based routing to the ALB.
D. Use AWS Global Accelerator with endpoints in each region. Attach the ALB as an endpoint and enable client IP preservation on the accelerator.
E. Deploy an ALB with internet-facing scheme in each region. Use Route 53 latency-based routing to the ALB. Place targets in public subnets to preserve source IP.

Why: Option B is correct because an internal ALB with targets in private subnets ensures traffic stays within AWS and preserves the client source IP by using VPC endpoints (AWS PrivateLink). Route 53 latency-based routing directs traffic to the closest healthy VPC endpoint, meeting the multi-region distribution requirement while maintaining source IP transparency for backend targets.
Q2 (hard)

A company has a Direct Connect connection with a private VIF connected to a VPC. The company wants to add a second Direct Connect connection for redundancy. They plan to use BGP AS_PATH prepending to influence traffic steering so that the primary connection is preferred for inbound traffic. The on-premises router advertises the same prefix over both connections. The company configures BGP on the primary VIF with AS_PATH prepending (prepend two AS numbers). However, after configuration, inbound traffic still uses both paths equally. What is the most likely cause?

A. The secondary VIF is not configured with BGP authentication.
B. AS_PATH prepending on the AWS side only affects outbound traffic, not inbound traffic.
   Correct: AS_PATH prepending on the AWS side makes the path longer for outbound traffic from AWS to on-premises. To affect inbound traffic, prepending must be done on the on-premises router.
C. The BGP hold time timer is set too low, causing the primary connection to flap.
D. The company did not set the MED attribute on the primary VIF.
E. The company configured the prepending on the virtual private gateway instead of the Direct Connect gateway.

Why: B is correct because AS_PATH prepending on the AWS side (the VIF) affects the AS_PATH attribute of routes advertised by AWS to the on-premises router. For inbound traffic (traffic coming from on-premises into AWS), the on-premises router makes the routing decision based on the BGP attributes it receives from AWS. Prepending on the AWS side makes the path through the primary VIF look longer to the on-premises router, so the on-premises router should prefer the secondary VIF. However, if the on-premises router is not honoring the prepended AS_PATH (e.g., due to local preference or other policies), or if the prepending is not actually being applied to the correct direction, traffic may still be balanced. The key point is that AS_PATH prepending on the AWS side influences outbound traffic from AWS, not inbound traffic to AWS; inbound traffic steering is controlled by the on-premises router's BGP decision process.
Q3 (easy)

A networking engineer is troubleshooting connectivity issues between two VPCs that are peered using a VPC peering connection. The VPCs are in different AWS accounts. The engineer has verified that the route tables are correct and the security groups allow traffic. However, ICMP ping fails from an instance in VPC A to an instance in VPC B. What is a likely cause?

A. The route tables in both VPCs do not have route propagation enabled.
B. The VPC CIDR blocks overlap.
C. There is a VPN connection attached to both VPCs that creates a transitive routing issue.
   Correct: VPC peering does not support transitive routing; if there is another connection that could create a transitive route, it may cause unexpected behavior.
D. The security group in VPC A does not allow inbound ICMP from VPC B.
E. The network ACLs are not configured correctly for return traffic.

Why: Option C is correct because a VPN connection attached to both VPCs can introduce transitive routing, which is not supported by VPC peering. VPC peering does not allow transitive routing; traffic must flow directly between the peered VPCs. If both VPCs have a VPN connection to the same on-premises network or another network, the VPN can create a path that interferes with the direct peering path, causing ICMP pings to fail even when route tables and security groups are correctly configured.
Q4
hardFull explanation →

A company has a centralized inspection VPC architecture where all traffic from spoke VPCs is routed through a Transit Gateway to a centralized VPC that hosts firewall appliances (NGFW). The company needs to inspect traffic between two instances in the same spoke VPC. What is the simplest way to achieve this?

A

Deploy a Gateway Load Balancer (GWLB) in the spoke VPC and route traffic to it.

B

Use AWS Transit Gateway with VPC attachments and configure route tables to force traffic between the two instances through the inspection VPC.

Transit Gateway can be configured with route tables that send inter-VPC traffic to the inspection VPC for firewall inspection.

C

Enable VPC peering and use route propagation to send traffic to the inspection VPC.

D

Create a VPC peering connection between the two instances' VPCs.

Why: Option B is correct because the architecture already has a Transit Gateway and an inspection VPC, so the cheapest change is to reuse them. Traffic between two instances in the same VPC normally matches the VPC's local route and never leaves the VPC, so the spoke's subnet route tables need entries more specific than the local route: each subnet routes the other subnet's CIDR to the Transit Gateway attachment, the Transit Gateway's spoke route table sends that traffic to the inspection VPC attachment, and the post-inspection route table returns it to the spoke. Two caveats a practitioner should expect: traffic between instances in the same subnet is not diverted by a subnet route table, so the two instances must be in different subnets, and appliance mode should be enabled on the inspection VPC attachment so both directions of a flow are handled in the same Availability Zone and therefore by the same firewall; otherwise the stateful NGFW sees only half of each connection. Option A would work but means deploying a Gateway Load Balancer and endpoints in every spoke, which is not the simplest change to an existing TGW design. Options C and D describe VPC peering, which neither applies to two instances in one VPC nor supports route propagation or a path through a third inspection VPC.
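Route selection in this design, as an added worked example (not code from the original page): a Python longest-prefix resolver using the AWS tie-break (local over static over propagated for equal prefixes) applied to a constructed spoke VPC and two Transit Gateway route tables. Attachment names and CIDRs are hypothetical. The last assertion-style case also illustrates the peering-versus-propagated tie-break mentioned in the previous question.

```python
import ipaddress

# AWS tie-break when two routes have the same prefix length: local beats static beats propagated.
ORIGIN_PRIORITY = {"local": 0, "static": 1, "propagated": 2}

def resolve(route_table, dst_ip):
    """Longest-prefix match over (destination_cidr, target, origin) tuples, with the AWS
    origin tie-break. Returns the winning tuple, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in route_table if ip in ipaddress.ip_network(r[0])]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen,
                                       -ORIGIN_PRIORITY[r[2]]))

# Constructed spoke VPC 10.2.0.0/16 with subnet A 10.2.1.0/24 and subnet B 10.2.2.0/24.
# Targets are hypothetical attachment names, not real AWS IDs.
LOCAL = ("10.2.0.0/16", "local", "local")
DEFAULT_TO_TGW = ("0.0.0.0/0", "tgw-spoke-attachment", "static")

# Before: the local route swallows every 10.2.0.0/16 destination, so subnet-to-subnet
# traffic never reaches the Transit Gateway and is never inspected.
RT_SUBNET_A_PLAIN = [LOCAL, DEFAULT_TO_TGW]

# After: each subnet adds a route for the *other* subnet's CIDR that is more specific
# than the local route, pointing at the Transit Gateway attachment.
RT_SUBNET_A_INSPECTED = [LOCAL, DEFAULT_TO_TGW, ("10.2.2.0/24", "tgw-spoke-attachment", "static")]
RT_SUBNET_B_INSPECTED = [LOCAL, DEFAULT_TO_TGW, ("10.2.1.0/24", "tgw-spoke-attachment", "static")]

# Transit Gateway route tables: spokes send everything to the firewall VPC, and the
# post-inspection table knows the way back to each spoke.
TGW_RT_SPOKES = [("0.0.0.0/0", "tgw-inspection-attachment", "static")]
TGW_RT_POST_INSPECTION = [("10.2.0.0/16", "tgw-spoke-attachment", "propagated")]

def forwarding_path(subnet_route_table, dst_ip):
    """Hop list for a packet leaving an instance: stays 'local' or goes TGW, firewall, TGW."""
    _, target, _ = resolve(subnet_route_table, dst_ip)
    if target == "local":
        return ["local"]
    hops = [target]
    _, to_inspection, _ = resolve(TGW_RT_SPOKES, dst_ip)
    hops += [to_inspection, "ngfw"]
    _, back_to_spoke, _ = resolve(TGW_RT_POST_INSPECTION, dst_ip)
    hops.append(back_to_spoke)
    return hops

if __name__ == "__main__":
    print(forwarding_path(RT_SUBNET_A_PLAIN, "10.2.2.20"))
    # ['local']  -> no inspection
    print(forwarding_path(RT_SUBNET_A_INSPECTED, "10.2.2.20"))
    # ['tgw-spoke-attachment', 'tgw-inspection-attachment', 'ngfw', 'tgw-spoke-attachment']
    print(forwarding_path(RT_SUBNET_A_INSPECTED, "10.2.1.11"))
    # ['local']  -> same-subnet traffic is still not diverted
```

Running the B-to-A direction through `RT_SUBNET_B_INSPECTED` yields the same hop list, which is the symmetry the firewall needs; appliance mode on the inspection attachment is what guarantees both directions land on the same zone's appliance in a multi-AZ inspection VPC.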
Q5
medium · Full explanation →

A company is implementing a hybrid network with AWS Direct Connect as the primary path and a Site-to-Site VPN connection as backup. A Direct Connect gateway (DXGW) terminates a private VIF and is associated with the VPC's virtual private gateway (VGW); the same VGW terminates the VPN connection. The company wants Direct Connect to carry all traffic whenever it is available. The on-premises router advertises the same prefix over both BGP sessions, and AWS advertises the VPC CIDR over both. However, traffic from on-premises to the VPC is taking the VPN. BGP is up and configured correctly on both connections. What should the company do to prefer the Direct Connect path?

A

Set a higher weight on the Direct Connect BGP session.

B

Set a higher local preference on the Direct Connect VIF.

Local preference is the attribute the on-premises router uses to choose its own outbound path; giving the routes learned over the Direct Connect BGP session a higher value makes Direct Connect the preferred path toward AWS.

C

Change the BGP timers on the Direct Connect VIF to have a lower hold time.

D

Configure AS_PATH prepending on the VPN BGP session.

E

Configure a lower MED (Multi-Exit Discriminator) on the Direct Connect VIF.

Why: Option B is correct because the problem is the on-premises to AWS direction, and the path an autonomous system picks for its own outbound traffic is decided inside that AS by LOCAL_PREF: a route-map on the on-premises router that sets a higher local preference (for example 200 against the default 100) on the VPC prefix learned over the Direct Connect session wins the best-path comparison before AS_PATH length, origin or MED are even consulted. The VPN session stays up as a hot standby: if the Direct Connect BGP session drops, the only remaining path is the VPN and traffic fails over with no further change. Options D and E manipulate attributes that are advertised to AWS, so they influence only the AWS to on-premises direction, which AWS already steers onto Direct Connect when the same prefix arrives over both (propagated Direct Connect routes rank above VPN routes on the virtual private gateway). MED has a second weakness here: a router compares MED only between paths from the same neighbouring AS unless always-compare-med is configured, and the Direct Connect and VPN sessions peer with independently configured Amazon-side ASNs that need not match. Option A, BGP weight, is router-local and vendor-specific, so it works only when both sessions terminate on one router and is not the portable answer. Option C changes how fast a failure is detected, not which path is chosen.
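The decision process described above, as an added worked example (not code from the original page): a Python model of the on-premises router's BGP best-path selection over the two paths it receives for the VPC prefix. The ASNs, peer addresses and router IDs are constructed; the Direct Connect gateway is given Amazon-side ASN 64512 and the virtual private gateway 65000 purely to show the MED comparison rule, and the MED the company would configure on its own VIF is not modelled because it is sent to AWS, not used locally.

```python
from dataclasses import dataclass, replace

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass
class Path:
    """One received BGP path for the VPC prefix, as seen by the on-premises router."""
    name: str
    neighbor_as: int       # Amazon-side ASN of the session the path was learned from
    as_path: tuple
    local_pref: int = 100  # set locally by route-map; never sent to eBGP neighbours
    med: int = 0           # received from the neighbour; what we *send* goes to AWS instead
    origin: str = "igp"
    weight: int = 0        # Cisco-local, significant on this router only
    router_id: str = "0.0.0.0"

def best_path(paths, always_compare_med=False):
    """Standard BGP decision order: weight, local_pref, AS_PATH length, origin, MED, router ID."""
    cands = list(paths)
    for key in (lambda p: p.weight,
                lambda p: p.local_pref,
                lambda p: -len(p.as_path),
                lambda p: -ORIGIN_RANK[p.origin]):
        top = max(key(p) for p in cands)
        cands = [p for p in cands if key(p) == top]
        if len(cands) == 1:
            return cands[0]
    # MED is compared only between paths from the same neighbouring AS unless the
    # router is configured with always-compare-med.
    if always_compare_med or len({p.neighbor_as for p in cands}) == 1:
        low = min(p.med for p in cands)
        cands = [p for p in cands if p.med == low]
        if len(cands) == 1:
            return cands[0]
    # Final tie-break: lowest BGP router ID of the advertising peer.
    return min(cands, key=lambda p: tuple(int(o) for o in p.router_id.split(".")))

# Constructed scenario: the VPC prefix is learned over a Direct Connect private VIF
# (Direct Connect gateway, Amazon-side ASN 64512) and over a Site-to-Site VPN tunnel
# (virtual private gateway, ASN 65000). Peer router IDs are made-up link-local addresses.
DX  = Path("Direct Connect VIF", neighbor_as=64512, as_path=(64512,), router_id="169.254.255.1")
VPN = Path("VPN tunnel 1",       neighbor_as=65000, as_path=(65000,), router_id="169.254.10.1")

def baseline():
    # Every attribute ties, so the choice falls to router ID and the VPN peer's is lower.
    return best_path([DX, VPN]).name

def option_b_local_pref():
    # route-map on the DX session: set local-preference 200 (default 100)
    return best_path([replace(DX, local_pref=200), VPN]).name

def option_e_received_med():
    # Even if a lower MED were *received* on the DX path, it is not compared across
    # different neighbouring ASNs, so the selection does not move.
    return best_path([replace(DX, med=0), replace(VPN, med=100)]).name

if __name__ == "__main__":
    print(baseline(), "|", option_b_local_pref(), "|", option_e_received_med())
```

Flip `always_compare_med=True` in `option_e_received_med` and the MED does take effect, which is exactly the kind of router-specific knob a design should not depend on when local preference settles the question deterministically.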
Q6
easy · Full explanation →

A company is designing a network for a three-tier web application on AWS. The web tier must be accessible from the internet, and the application and database tiers must be in private subnets. The company wants to use a single AWS Region and ensure high availability. Which TWO configurations should be implemented? (Choose two.)

A

Place an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones.

Provides high availability and internet access for the web tier.

B

Configure the web tier EC2 instances in an Auto Scaling group across two Availability Zones.

An Auto Scaling group spanning multiple AZs provides high availability and scalability for the web tier.

C

Use a stateful network ACL for the web tier subnets to simplify security rules.

D

Deploy a NAT Gateway in a single Availability Zone for outbound traffic from private subnets.

E

Create the VPC with a single Availability Zone to simplify management.

Why: Options A and B are correct. An internet-facing Application Load Balancer in public subnets across two Availability Zones is the only component that needs a public address: it terminates client HTTP/HTTPS connections and forwards them to web instances that can stay in private subnets, and placing it in two AZs keeps the entry point available if one AZ fails. An Auto Scaling group spanning the same two AZs does the same for the web tier itself, replacing unhealthy instances and scaling across zones so that no single AZ outage removes the tier. Option C is wrong because network ACLs are stateless; security groups are the stateful control in a VPC. Option D is wrong because a NAT gateway is a zonal resource, so a single one in one AZ becomes a single point of failure for every private subnet routed through it, including those in the other AZ; deploy one NAT gateway per AZ with a per-AZ route table. Option E removes the multi-AZ redundancy the question requires.

Want more Network Implementation practice?

Practice this domain

Frequently asked questions

How many questions are on the ANS-C01 exam?

The ANS-C01 exam has 65 questions and must be completed in 170 minutes. The passing score is 750/1000.

What types of questions appear on the ANS-C01 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are ANS-C01 questions organised by domain?

The exam covers 4 domains: Network Management and Operations, Network Security, Compliance and Governance, Network Design, Network Implementation. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual ANS-C01 exam questions?

No. These are original exam-style practice questions written against the official Amazon Web Services ANS-C01 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 65 ANS-C01 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all ANS-C01 questionsTake a timed practice test