Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsANS-C01Flashcards
Free — No Signup RequiredAmazon Web Services· Updated 2026

ANS-C01 Flashcards — Free AWS Certified Advanced Networking Specialty ANS-C01 Study Cards

Reinforce ANS-C01 concepts with active-recall study cards covering all 4 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

1705+ study cards4 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

ANS-C01 Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
1,705+ cards · All free

Domains

Network Management and Operations
Network Security, Compliance and Governance
Network Design
Network Implementation

How to use ANS-C01 flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For ANS-C01 preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the ANS-C01 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your ANS-C01 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real ANS-C01 exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass ANS-C01.

ANS-C01 flashcard preview

Sample cards from the ANS-C01 flashcard bank. Read the question, think of the answer, then read the explanation below.

1

A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?

Network Management and Operations

Flow logs must be created specifically for the NAT gateway's elastic network interface to capture its traffic.

VPC Flow Logs capture traffic at the elastic network interface (ENI) level. A centralized NAT gateway has its own ENI in the public subnet, and traffic from private instances is routed through that ENI when it reaches the internet. To log that traffic, flow logs must be created specifically for the NAT gateway's ENI, not just at the VPC level, because VPC-level flow logs capture traffic for ENIs within that VPC but do not inherently capture traffic passing through the NAT gateway's ENI unless that ENI is explicitly targeted.

2

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

Network Security, Compliance and Governance

Create a TGW route table with a blackhole route for 0.0.0.0/0 and associate it with application VPC attachments; attach the inspection VPC to a different TGW route table that has a route to the internet via an egress VPC.

Option D is correct because it uses separate Transit Gateway route tables to enforce traffic isolation: the application VPC attachments use a route table with a blackhole for 0.0.0.0/0, preventing direct internet access, while the inspection VPC uses a different route table with a route to an egress VPC that has an internet gateway. This ensures all outbound traffic from application VPCs must first traverse the inspection VPC for security monitoring before reaching the internet.

3

A company is migrating its on-premises data center to AWS. The network team needs to establish connectivity between the on-premises network and multiple VPCs in a single AWS Region. The company has a Direct Connect connection and wants to minimize latency and cost while maximizing bandwidth utilization. Which solution meets these requirements?

Network Design

Use a Direct Connect gateway and associate it with the VPCs.

A Direct Connect gateway allows a single Direct Connect connection to connect to multiple VPCs in the same or different AWS Regions, minimizing latency by using a private, dedicated network path and reducing cost by eliminating the need for separate virtual interfaces or VPN tunnels per VPC. It also maximizes bandwidth utilization by aggregating traffic from multiple VPCs over the same Direct Connect link.

4

A company is deploying a multi-tier web application across two AWS Regions. The application uses an Application Load Balancer (ALB) in each region, and traffic must be distributed to the closest healthy ALB using Route 53 latency-based routing. The application requires that clients maintain the same source IP address when the request is forwarded from the ALB to the backend targets. The backend targets are EC2 instances in private subnets. The company also needs to ensure that traffic between the ALB and targets stays within AWS. What should the company implement to meet these requirements?

Network Implementation

Deploy a Network Load Balancer (NLB) in each region with targets in public subnets. Use Route 53 latency-based routing to the NLB.

Option A is correct because Network Load Balancer (NLB) preserves the client source IP by default, meeting the requirement for source IP preservation. Targets can be placed in public subnets, and traffic between the NLB and targets remains within the VPC, satisfying the condition that traffic stays within AWS. With an internet-facing NLB, Route 53 latency-based routing can be used to distribute traffic to the closest healthy NLB across regions. Options B, C, D, and E are incorrect: B incorrectly relies on an internal ALB with PrivateLink, which does not support Route 53 latency routing and does not preserve source IP; C and E use ALB, which does not preserve source IP; D uses Global Accelerator, which does not use Route 53 and does not preserve source IP when ALB is an endpoint.

5

A financial services company has a VPC with a public subnet and a private subnet. EC2 instances in the private subnet need to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, instances cannot reach the internet. The NAT gateway is in an 'available' state and has an Elastic IP attached. The security group for the NAT gateway allows all outbound traffic. What is the most likely cause of the issue?

The route table for the public subnet does not have a default route (0.0.0.0/0) pointing to an internet gateway

The most likely cause is that the route table for the public subnet (where the NAT gateway resides) does not have a default route (0.0.0.0/0) pointing to an internet gateway. The NAT gateway needs this route to forward traffic from private instances to the internet. Option A is incorrect because security groups for NAT gateways do not block inbound traffic from private instances; they only control traffic to the NAT gateway itself. Option B is incorrect because bandwidth provisioning is not related to connectivity; the NAT gateway can handle traffic up to its bandwidth limit. Option C is incorrect because NAT gateways do not require IAM roles to access the internet; they use Elastic IPs.

6

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?

Create a Transit Gateway with separate route tables for each VPC and a shared route table for the inspection VPC. Use Gateway Load Balancer to distribute traffic to a fleet of firewall instances.

Option B is correct because it combines AWS Transit Gateway with separate route tables per VPC and a shared inspection route table, enabling centralized traffic steering to a fleet of firewall instances behind a Gateway Load Balancer (GWLB). GWLB transparently distributes traffic across multiple firewall instances at the network layer (GENEVE protocol), providing both horizontal scalability and high availability without introducing a single point of failure or requiring complex VPC peering meshes.

7

A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?

Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.

Option B is correct because AWS Direct Connect does not natively encrypt traffic; it provides a private, dedicated network connection. To meet the encryption requirement, you can establish an IPsec VPN tunnel over the private VIF, which encrypts all traffic between the on-premises network and the VPC. This approach combines the low latency and reliability of Direct Connect with the security of IPsec encryption.

8

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?

Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment.

Option A is correct because it uses separate Transit Gateway route tables to isolate the inspection VPC and other VPCs. By configuring the route table for VPC A to point to VPC B's CIDR via the inspection VPC attachment, all inter-VPC traffic is forced through the centralized firewall appliances. This leverages Transit Gateway's ability to route traffic between attachments based on route table associations and propagations, ensuring traffic flows through the inspection VPC without requiring VPC peering or additional per-VPC firewalls.

9

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be accessible only from a specific AWS Client VPN endpoint. The security team has configured the ALB security group to allow inbound traffic from the Client VPN CIDR range, but users report that they can still access the application from outside the VPN. What is the MOST likely cause of this issue?

The ALB security group is not set as the source for inbound traffic; instead, traffic reaches the ALB directly from the internet.

Option A is correct because the ALB security group is configured to allow inbound traffic from the Client VPN CIDR range, but if the ALB itself is internet-facing (i.e., it has public IP addresses and is deployed in public subnets), traffic can bypass the security group rules if the security group is not actually applied to the ALB's network interfaces. The most likely cause is that the ALB security group is not set as the source for inbound traffic; instead, traffic reaches the ALB directly from the internet, meaning the security group rules are not being enforced on the ALB's listener. This allows users outside the VPN to access the application because the ALB accepts traffic from any source unless the security group explicitly restricts it.

10

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

Enable jumbo frames on the transit VPC's EC2-based virtual appliances.

The issue is intermittent connectivity between an on-premises office in ap-southeast-1 and a spoke VPC in eu-west-1, traversing a transit VPC in us-east-1. The VPN is up, so the problem is likely packet fragmentation or MTU mismatch across the long-haul path. Enabling jumbo frames on the transit VPC's EC2-based virtual appliances (e.g., firewall or router instances) increases the maximum transmission unit, reducing fragmentation and improving performance for large packets, which is a common cause of intermittent issues in hub-and-spoke topologies.

11

A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?

Create VPC peering connections between each pair of VPCs.

Option C is correct because VPC peering connections provide direct, private IP connectivity between VPCs using the AWS global network, with no bandwidth bottlenecks or single points of failure. It is the most cost-effective solution for a small number of VPCs (e.g., fewer than 10) as there are no hourly charges for the peering connection itself—only data transfer costs. This minimizes operational overhead compared to managing VPN tunnels or a Transit Gateway, as peering is a simple, one-to-one relationship that does not require additional appliances or complex routing policies.

12

A company is deploying an application that requires low-latency communication between EC2 instances in two different AWS Regions. The application traffic is latency-sensitive and the company wants to minimize jitter. Which network design provides the lowest and most consistent latency?

Deploy an AWS Global Accelerator with endpoints in both Regions and use the accelerator's static IP addresses for communication.

AWS Global Accelerator uses the AWS global network and Anycast static IP addresses to route traffic over optimized paths, providing lower and more consistent latency than VPC peering, internet transit, or VPNs. It minimizes jitter by avoiding the public internet and leveraging AWS's internal backbone, which is ideal for latency-sensitive inter-Region communication.

13

A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?

Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet route tables.

Option B is correct because a NAT Gateway, deployed in a public subnet with an Elastic IP and a route to an Internet Gateway, enables outbound traffic from private subnets to the internet while blocking unsolicited inbound connections. The private subnet route table directs default traffic (0.0.0.0/0) to the NAT Gateway, which performs source network address translation (SNAT) on outbound packets, ensuring responses return to the NAT Gateway without exposing private instances directly.

14

A company wants to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet this requirement?

Use TLS or IPsec at the application layer between instances.

Option B is correct because VPC peering connections do not support native encryption of traffic. To meet the requirement for encryption in transit between two VPCs connected via a VPC peering connection, you must implement encryption at the application layer using TLS or IPsec between the instances. This ensures that traffic is encrypted end-to-end, independent of the underlying network path.

15

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?

The security group for the EC2 instance does not allow inbound HTTPS traffic.

Since the on-premises router can ping the EC2 instance's private IP, Layer 3 connectivity is working, which rules out routing and BGP issues. The failure of TCP port 443 specifically points to a firewall or access control blocking the application traffic. A security group acts as a virtual firewall at the instance level, and by default it denies all inbound traffic unless explicitly allowed. Therefore, the most likely cause is that the security group for the EC2 instance does not have an inbound rule permitting HTTPS (TCP 443) traffic.

16

A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?

Use AS_PATH prepending on the BGP advertisements from the on-premises router to influence route preference.

AS_PATH prepending allows the on-premises router to artificially lengthen the AS_PATH for specific BGP routes, making those routes less preferred. This influences route selection in the Transit Gateway and VPC route tables, ensuring that traffic from each VPC takes a consistent path and eliminating asymmetric routing.

17

A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?

Check the VPC route tables to ensure routes to the on-premises network point to the virtual private gateway.

Option D is correct because even if the VPN tunnel is up and BGP is peering, traffic will not flow unless the VPC route tables have a route pointing to the virtual private gateway (VGW) for the on-premises CIDR. Without this route, the VPC has no path to forward return traffic back to the on-premises network, causing asymmetric routing or blackholing.

18

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. Network engineers report intermittent connectivity issues between VPC A and the on-premises network. The transit gateway route table shows the on-premises CIDR (10.0.0.0/8) propagated from the VPN attachment. VPC A has a subnet route pointing to the transit gateway for 10.0.0.0/8. Which step should the engineer take FIRST to diagnose the issue?

In the transit gateway route table, verify that the VPN attachment is correctly associated and that the 10.0.0.0/8 route is propagated and has the correct attachment.

Option C is correct because the first diagnostic step for intermittent connectivity through a transit gateway is to verify the route table configuration. The engineer must confirm that the VPN attachment is correctly associated with the transit gateway route table and that the 10.0.0.0/8 route is propagated from the VPN attachment, as a missing or misassociated route would cause traffic to be dropped even if the VPN tunnel is up.

19

A global e-commerce company is migrating to AWS and plans to use a hub-and-spoke topology with AWS Transit Gateway. The network team wants to ensure high availability for the connection between the hub VPC and the on-premises data center using AWS Direct Connect with multiple virtual interfaces (VIFs). They need to be able to fail over quickly with minimal packet loss. Which design should meet these requirements?

Provision two Direct Connect connections, each with multiple private VIFs, and attach them to the same transit gateway. Use BFD to detect failures and rely on ECMP routing across the VIFs.

Option C is correct because it provides true high availability and fast failover by using two separate Direct Connect connections, each with multiple private VIFs, attached to the same transit gateway. BFD (Bidirectional Forwarding Detection) enables sub-second failure detection, and ECMP (Equal-Cost Multi-Path) routing across the VIFs allows active-active load balancing, minimizing packet loss during failover. This design eliminates single points of failure and meets the requirement for rapid convergence with minimal disruption.

20

A company is experiencing intermittent connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS regions. VPC A has CIDR 10.0.0.0/16 and VPC B has CIDR 10.1.0.0/16. The route tables in both VPCs have been updated to include routes pointing to the peering connection. Security groups and network ACLs are configured to allow all traffic for testing. However, traffic from VPC A to VPC B fails intermittently. Which of the following is the most likely cause of this intermittent failure?

The VPC peering connection does not support transitive routing. If any traffic is being routed through an intermediate device (e.g., a NAT instance or a VPN connection), the peering connection will not forward that traffic.

The intermittent failure is most likely due to VPC peering's lack of transitive routing. If traffic from VPC A to VPC B is routed through an intermediate device (e.g., a NAT instance, VPN connection, or another VPC), the VPC peering connection will not forward that traffic because it does not support transitive routing. This can cause intermittent failures when the intermediate device's route or state changes, even though direct routes and security groups are correctly configured.

21

A network engineer is troubleshooting a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is up, but traffic is not flowing from the on-premises network to a VPC. The VPC has a virtual private gateway attached, and the route table has a route pointing to the virtual private gateway for the on-premises CIDR (192.168.0.0/16). The on-premises firewall shows that traffic is being sent to the VPN tunnel. What should the engineer check next?

Verify that the on-premises route table has a route to the VPC CIDR via the VPN tunnel.

Since the VPN tunnel is up and the on-premises firewall confirms traffic is being sent to the tunnel, the issue is likely on the on-premises routing side. For traffic to flow from on-premises to the VPC, the on-premises router must have a route pointing to the VPC CIDR via the VPN tunnel interface. Without this route, packets will not be forwarded into the tunnel, even though the tunnel itself is operational.

22

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The security team wants to ensure that traffic between the on-premises network and the VPC is encrypted using IPSec. Which solution meets this requirement?

Establish an IPSec VPN connection over the Direct Connect public virtual interface using a customer gateway and a virtual private gateway.

Option A is correct because it establishes an IPSec VPN tunnel over a Direct Connect public virtual interface (VIF), which encrypts traffic between the on-premises network and the VPC. The customer gateway and virtual private gateway create a site-to-site VPN connection that uses IPSec to secure all data traversing the Direct Connect link, meeting the encryption requirement without relying on physical-layer security.

Study all 1705+ ANS-C01 cards

ANS-C01 flashcards by domain

The ANS-C01 flashcard bank covers all 4 official blueprint domains published by Amazon Web Services. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Network Management and Operations

~1 cards

Network Security, Compliance and Governance

~1 cards

Network Design

~1 cards

Network Implementation

~1 cards

Flashcards vs practice tests: which is better for ANS-C01?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that ANS-C01 questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.ANS-C01 questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective ANS-C01 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

ANS-C01 flashcards — frequently asked questions

Are the ANS-C01 flashcards free?

Yes. Courseiva provides free ANS-C01 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many ANS-C01 flashcards are on Courseiva?

Courseiva has 1705+ original ANS-C01 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Amazon Web Services exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official ANS-C01 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use ANS-C01 flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your ANS-C01 flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains