Amazon Web Services · Free Practice Questions · Last reviewed May 2026
24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
Domain: Network Management and Operations

1. A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?
- The EC2 instance is using a different VPC than the one where flow logs are configured.
- The flow log format is set to 'ALL', which excludes NAT gateway traffic.
- The flow logs are configured to capture only rejected traffic by default.
- [Correct] Flow logs must be created specifically for the NAT gateway's elastic network interface to capture its traffic.
  Explanation: VPC-level flow logs do not capture traffic for the NAT gateway's ENI; a separate flow log for the NAT gateway ENI is required.
2. A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?
- Deploy a NAT Gateway in each VPC to force symmetric traffic.
- [Correct] Use AS_PATH prepending on the BGP advertisements from the on-premises router to influence route preference.
  Explanation: AS_PATH prepending makes one path less preferred, ensuring symmetric routing.
- Create a Transit Gateway peering attachment between the two VPCs.
- Enable VPC Flow Logs to detect and alert on asymmetric flows.
3. A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?
- Verify that the VPN tunnel status is UP.
- Review the customer gateway configuration for incorrect BGP settings.
- Ensure the virtual private gateway is attached to the correct VPC.
- [Correct] Check the VPC route tables to ensure routes to the on-premises network point to the virtual private gateway.
  Explanation: Missing routes in the VPC route table would prevent inbound traffic from reaching instances.
4. A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a single subnet in the VPC, and the authorization rules allow access to the entire VPC CIDR (10.0.0.0/16). The security group assigned to the Client VPN endpoint allows all traffic. What is the most likely cause of this issue?
- The security group assigned to the Client VPN endpoint does not allow inbound traffic from the client CIDR.
- [Correct] The route table associated with the Client VPN subnet does not have a route for the client IP range.
  Explanation: Without a return route, traffic from instances cannot reach the VPN clients.
- The authorization rule is too broad and is blocking traffic.
- The Client VPN endpoint does not have a security group associated with it.
5. A company has a Direct Connect connection with a private VIF to a VPC. The on-premises router is advertising a default route (0.0.0.0/0) via BGP. The VPC has an internet gateway attached, and the route table has a default route to the internet gateway. The network team notices that traffic from on-premises to the internet is not working as expected. What is the most likely cause?
- The BGP session is not established.
- [Correct] The on-premises router is advertising a default route, causing a routing conflict.
  Explanation: The default route from Direct Connect may override the internet gateway route, breaking internet access for on-premises traffic.
- The VPC route table does not have a route to the internet gateway for the on-premises traffic.
- The private VIF is associated with the wrong VLAN.
6. A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team wants to log and monitor all traffic flows across the Transit Gateway for security analysis. Which TWO actions should the team take? (Choose TWO.)
- Use AWS Config rules to evaluate the Transit Gateway route tables.
- [Correct] Send the flow logs to Amazon CloudWatch Logs for monitoring and alerting.
  Explanation: CloudWatch Logs can aggregate and analyze flow logs for security monitoring.
- [Correct] Enable VPC Flow Logs on each Transit Gateway attachment.
  Explanation: Flow logs at the attachment level capture all traffic traversing that attachment.
- Enable VPC Flow Logs on the Transit Gateway itself.
- Configure VPC Traffic Mirroring on the Transit Gateway.
Domain: Network Security, Compliance and Governance

7. A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?
- Create VPC peering connections between each application VPC and the inspection VPC, and add routes pointing to the peering connection.
- Attach an internet gateway to each application VPC and add a default route pointing to the inspection VPC's NAT gateway.
- Attach an internet gateway to each application VPC and add a default route pointing to it.
- [Correct] Create a TGW route table with a blackhole route for 0.0.0.0/0 and associate it with application VPC attachments; attach the inspection VPC to a different TGW route table that has a route to the internet via an egress VPC.
  Explanation: This enforces the traffic flow through the inspection VPC.
8. A security engineer is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The company requires that all VPC flow logs be delivered to a central S3 bucket in the security account. The security engineer has created a bucket policy that grants the necessary permissions. However, flow logs from member accounts are failing to be delivered. What is the most likely cause?
- The member accounts have not created an IAM role with permissions to write to the central bucket.
- [Correct] The bucket policy does not include a condition that restricts access to the flow log delivery service using aws:SourceArn or aws:SourceAccount.
  Explanation: This condition is essential to prevent the confused deputy problem.
- The bucket policy does not grant write access to the member accounts' root user.
- The central S3 bucket has not been configured with ACLs enabled.
9. A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?
- Use a public virtual interface (VIF) and route traffic through a NAT gateway.
- [Correct] Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.
  Explanation: IPsec provides encryption over the Direct Connect link.
- Use a private virtual interface (VIF) and enable encryption on the Direct Connect connection.
- Use a private VIF and enable TLS on all applications.
10. A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?
- Launch a NAT instance in a public subnet and assign an Elastic IP. Configure the private subnet route table to point to the NAT instance.
- Create an internet gateway and attach it to the private subnet, then configure the route table.
- Create a VPC endpoint for Amazon S3 and route software update traffic through that endpoint.
- Create a NAT gateway in each Availability Zone and assign the same Elastic IP to both.
11. A company wants to audit all changes made to security groups and network ACLs in its AWS account. Which AWS service should be used to capture these API calls?
- [Correct] AWS CloudTrail
  Explanation: CloudTrail logs API calls for auditing.
- Amazon GuardDuty
- VPC Flow Logs
- AWS Config
12. A security engineer is designing a security group configuration for a web application that consists of an Application Load Balancer (ALB), Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS database. Which TWO actions should the engineer take to follow security best practices? (Choose TWO.)
- Configure the RDS security group to allow inbound traffic on port 3306 from 0.0.0.0/0.
- [Correct] Configure the EC2 instance security group to allow inbound traffic on port 443 from the ALB security group.
  Explanation: Best practice: reference a security group instead of a CIDR.
- [Correct] Configure the RDS security group to allow inbound traffic on port 3306 from the EC2 instance security group.
  Explanation: Best practice: restrict database access to the app servers.
- Configure the ALB security group to allow inbound traffic on port 443 from the security group of the EC2 instances.
- Configure the ALB security group to allow inbound traffic on port 80 from the security group of the EC2 instances.
Domain: Network Design

13. A company is migrating its on-premises data center to AWS. The network team needs to establish connectivity between the on-premises network and multiple VPCs in a single AWS Region. The company has a Direct Connect connection and wants to minimize latency and cost while maximizing bandwidth utilization. Which solution meets these requirements?
- Provision a separate Direct Connect virtual interface for each VPC.
- Create a VPN connection over the Direct Connect link to each VPC.
- Use VPC peering between the on-premises network and each VPC.
- [Correct] Use a Direct Connect gateway and associate it with the VPCs.
  Explanation: A Direct Connect gateway allows multiple VPCs to share the same Direct Connect connection.
14. A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?
- Change the VPN connection from static to dynamic routing.
- [Correct] Enable jumbo frames on the transit VPC's EC2-based virtual appliances.
  Explanation: Jumbo frames reduce overhead and improve throughput for large packets.
- Enable BGP route propagation on the transit VPC's route tables.
- Deploy a new transit VPC in eu-west-1.
15. A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?
- Web servers in public subnets, application and database servers in private subnets with an internet gateway for outbound traffic.
- All servers in public subnets with security groups restricting access.
- [Correct] Web servers in public subnets with an Application Load Balancer, application servers in private subnets with a NAT gateway, and database servers in private subnets.
  Explanation: This follows best practices for a three-tier architecture.
- All servers in private subnets and a VPN connection to the internet.
16. A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs in the same AWS Region. The company wants to use AWS Transit Gateway to simplify connectivity between these VPCs and their on-premises network. Which steps are required to integrate the existing Direct Connect connection with Transit Gateway?
- Set up a VPN connection over the Direct Connect link and attach the VPN to the Transit Gateway.
- Attach the existing private VIFs directly to the Transit Gateway.
- Create a new private VIF on the Direct Connect connection and attach it to the Transit Gateway.
- [Correct] Create a Direct Connect gateway, associate the existing VIFs, and attach the Direct Connect gateway to the Transit Gateway.
  Explanation: This is the correct integration path.
17. A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?
- [Correct] Set up an AWS Transit Gateway in each region and connect them via a VPN attachment.
  Explanation: Transit Gateway with VPN can handle overlapping CIDRs.
- Use a Direct Connect connection between the regions.
- Use VPC peering between the two VPCs.
- Place all resources in a single VPC with multiple Availability Zones.
18. A company is designing a hybrid network using AWS Transit Gateway. The company has three VPCs (VPC-A, VPC-B, VPC-C) all attached to the same Transit Gateway. The on-premises network connects to the Transit Gateway via a Direct Connect gateway. The company needs to ensure that VPC-C can communicate with the on-premises network but not with VPC-A or VPC-B. Which TWO actions should the network engineer take? (Choose TWO.)
- Use security groups on VPC-C to deny traffic from VPC-A and VPC-B.
- [Correct] Associate the VPC-C route table with the Direct Connect gateway attachment.
  Explanation: This enables VPC-C to communicate with on-premises via Direct Connect.
- Establish VPC peering connections between VPC-C and VPC-A, and VPC-C and VPC-B.
- [Correct] Create a separate Transit Gateway route table for VPC-C and do not propagate VPC-A and VPC-B routes.
  Explanation: This isolates VPC-C from VPC-A and VPC-B.
- Apply a network ACL on VPC-C subnets to block traffic from VPC-A and VPC-B.
Domain: Network Implementation

19. A company is deploying a multi-tier web application across two AWS Regions. The application uses an Application Load Balancer (ALB) in each region, and traffic must be distributed to the closest healthy ALB using Route 53 latency-based routing. The application requires that clients maintain the same source IP address when the request is forwarded from the ALB to the backend targets. The backend targets are EC2 instances in private subnets. The company also needs to ensure that traffic between the ALB and targets stays within AWS. What should the company implement to meet these requirements?
- Deploy a Network Load Balancer (NLB) in each region with targets in public subnets. Use Route 53 latency-based routing to the NLB.
- [Correct] Deploy an internal ALB in each region. Place targets in private subnets. Use VPC endpoints for the ALB (AWS PrivateLink) and Route 53 latency-based routing to the VPC endpoint.
  Explanation: Internal ALB with VPC endpoints keeps traffic within AWS and preserves source IP.
- Deploy an Application Load Balancer (ALB) with internet-facing scheme in each region. Use Route 53 latency-based routing to the ALB.
- Use AWS Global Accelerator with endpoints in each region. Attach the ALB as an endpoint and enable client IP preservation on the accelerator.
- Deploy an ALB with internet-facing scheme in each region. Use Route 53 latency-based routing to the ALB. Place targets in public subnets to preserve source IP.
20. A company has a Direct Connect connection with a private VIF connected to a VPC. The company wants to add a second Direct Connect connection for redundancy. They plan to use BGP AS_PATH prepending to influence traffic steering so that the primary connection is preferred for inbound traffic. The on-premises router advertises the same prefix over both connections. The company configures BGP on the primary VIF with AS_PATH prepending (prepend two AS numbers). However, after configuration, inbound traffic still uses both paths equally. What is the most likely cause?
- The secondary VIF is not configured with BGP authentication.
- [Correct] AS_PATH prepending on the AWS side only affects outbound traffic, not inbound traffic.
  Explanation: AS_PATH prepending on the AWS side makes the path longer for outbound traffic from AWS to on-premises. To affect inbound traffic, prepending must be done on the on-premises router.
- The BGP hold time timer is set too low, causing the primary connection to flap.
- The company did not set the MED attribute on the primary VIF.
- The company configured the prepending on the virtual private gateway instead of the Direct Connect gateway.
21. A networking engineer is troubleshooting connectivity issues between two VPCs that are peered using a VPC peering connection. The VPCs are in different AWS accounts. The engineer has verified that the route tables are correct and the security groups allow traffic. However, ICMP ping fails from an instance in VPC A to an instance in VPC B. What is a likely cause?
- The route tables in both VPCs do not have the route propagation enabled.
- The VPC CIDR blocks overlap.
- [Correct] There is a VPN connection attached to both VPCs that creates a transitive routing issue.
  Explanation: VPC peering does not support transitive routing; if there is another connection that could create a transitive route, it may cause unexpected behavior.
- The security group in VPC A does not allow inbound ICMP from VPC B.
- The network ACLs are not configured correctly for return traffic.
22. A company has a centralized inspection VPC architecture where all traffic from spoke VPCs is routed through a Transit Gateway to a centralized VPC that hosts firewall appliances (NGFW). The company needs to inspect traffic between two instances in the same spoke VPC. What is the simplest way to achieve this?
- Deploy a Gateway Load Balancer (GWLB) in the spoke VPC and route traffic to it.
- [Correct] Use AWS Transit Gateway with VPC attachments and configure route tables to force traffic between the two instances through the inspection VPC.
  Explanation: Transit Gateway can be configured with route tables that send inter-VPC traffic to the inspection VPC for firewall inspection.
- Enable VPC peering and use route propagation to send traffic to the inspection VPC.
- Create a VPC peering connection between the two instances' VPCs.
23. A company is implementing a hybrid network with AWS Direct Connect and a VPN connection as backup. They have a Direct Connect gateway (DXGW) attached to a private VIF and a virtual private gateway (VGW) attached to a VPN connection. The VPC is attached to the VGW. They want to use the Direct Connect connection for all traffic when available. The on-premises router advertises the same prefix over both connections. However, traffic from on-premises to the VPC is using the VPN connection. BGP is configured correctly on both connections. What should the company do to prefer the Direct Connect path?
- Set a higher weight on the Direct Connect BGP session.
- Set a higher local preference on the Direct Connect VIF.
- Change the BGP timers on the Direct Connect VIF to have a lower hold time.
- Configure AS_PATH prepending on the VPN BGP session.
- [Correct] Configure a lower MED (Multi-Exit Discriminator) on the Direct Connect VIF.
  Explanation: Lower MED is preferred for inbound traffic; setting a lower MED on the Direct Connect VIF will make it the preferred path.
24. A company is designing a network for a three-tier web application on AWS. The web tier must be accessible from the internet, and the application and database tiers must be in private subnets. The company wants to use a single AWS Region and ensure high availability. Which TWO configurations should be implemented? (Choose TWO.)
- [Correct] Place an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones.
  Explanation: Provides high availability and internet access for the web tier.
- [Correct] Configure the web tier EC2 instances in an Auto Scaling group across two Availability Zones.
  Explanation: An Auto Scaling group across multiple AZs provides high availability and scalability.
- Use a stateful network ACL for the web tier subnets to simplify security rules.
- Deploy a NAT Gateway in a single Availability Zone for outbound traffic from private subnets.
- Create the VPC with a single Availability Zone to simplify management.
The ANS-C01 exam has 65 questions and must be completed in 170 minutes. The passing score is 750/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 4 domains: Network Management and Operations, Network Security, Compliance and Governance, Network Design, Network Implementation. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Amazon Web Services ANS-C01 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.