Courseiva
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
Objective 1.0

Network Design

ANS-C01 Practice Questions

Use this page to practise Network Design questions for this certification. Focus on how the exam tests network design in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

ANS-C01 Network Design — Key Topics

Network Design questions on this certification test your ability to apply and manage network design concepts in scenario-based situations.

  • Core Network Design concepts and how they apply in real-world cloud scenarios.
  • How to deploy network design correctly and verify the outcome.
  • Troubleshooting network design issues by interpreting error output and system state.
  • Cloud best practices and Network Design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Network Design

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

ANS-C01 Network Design — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A company is migrating its on-premises data center to AWS. The network team needs to establish connectivity between the on-premises network and multiple VPCs in a single AWS Region. The company has a Direct Connect connection and wants to minimize latency and cost while maximizing bandwidth utilization. Which solution meets these requirements?

Question 3 (hard, multiple choice)

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

Question 4 (easy, multiple choice)

A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?

Question 5 (hard, multiple choice)

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs in the same AWS Region. The company wants to use AWS Transit Gateway to simplify connectivity between these VPCs and their on-premises network. Which steps are required to integrate the existing Direct Connect connection with Transit Gateway?

Question 6 (medium, multiple choice)

A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?

Question 7 (hard, multi select)

A company is designing a hybrid network using AWS Transit Gateway. The company has three VPCs (VPC-A, VPC-B, VPC-C) all attached to the same Transit Gateway. The on-premises network connects to the Transit Gateway via a Direct Connect gateway. The company needs to ensure that VPC-C can communicate with the on-premises network but not with VPC-A or VPC-B. Which TWO actions should the network engineer take?

Question 8 (medium, multi select)

A company is deploying a new application in a VPC. The application consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB must only receive traffic from the company's on-premises network via an AWS Site-to-Site VPN. Which THREE steps should the network engineer take to meet this requirement?

Question 9 (medium, multiple choice)

A network engineer has configured an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer checks the VPN status and sees the output shown in the exhibit. What is the MOST likely cause of Tunnel2 being down?

Exhibit

Refer to the exhibit.

```
Tunnel1:
  State: UP
  Last Status Change: 2024-03-15 10:23:45 UTC
  Details: Tunnel is in UP state with BGP established.
Tunnel2:
  State: DOWN
  Last Status Change: 2024-03-15 10:25:12 UTC
  Details: Tunnel is in DOWN state due to phase 2 negotiation failure.
```

Question 10 (hard, multiple choice)

A network engineer is setting up a cross-account Route 53 Resolver rule association. The engineer creates the resource-based policy shown in the exhibit on a resolver rule in account 111111111111. The engineer then tries to associate the rule from account 222222222222 but receives an access denied error. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "route53resolver:AssociateResolverRule",
        "route53resolver:DisassociateResolverRule"
      ],
      "Resource": "*"
    }
  ]
}
```

Question 11 (medium, multiple choice)

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer in the public subnets distributes traffic to EC2 instances in the private subnets. The security group for the EC2 instances allows inbound traffic from the ALB security group. Users report intermittent timeouts. What is the most likely cause?

Question 12 (easy, multiple choice)

A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?

Question 13 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway attached. The on-premises network advertises a specific route 10.0.0.0/16, but the VPC uses the same CIDR 10.0.0.0/16. The company requires connectivity to the VPC from on-premises but cannot change the VPC CIDR. What is the most cost-effective solution?

Question 14 (medium, multiple choice)

A company's VPC has an internet gateway and a NAT Gateway in a public subnet. The private subnet route table has a default route pointing to the NAT Gateway. EC2 instances in the private subnet can access the internet, but cannot access an on-premises network connected via AWS Site-to-Site VPN. What is the most likely cause?

Question 15 (easy, multiple choice)

A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?

Question 16 (medium, multi select)

A company has a VPC with an internet gateway and a NAT Gateway. The private subnet route table has a default route to the NAT Gateway. The company wants to enable instances in the private subnet to access an S3 bucket in the same region without traversing the internet. Which TWO actions should the company take?

Question 17 (hard, multi select)

A company has a Direct Connect connection with a private VIF attached to a virtual private gateway. The VPC has multiple subnets in two Availability Zones. The on-premises network advertises a default route (0.0.0.0/0) via BGP. The company wants all internet-bound traffic from the VPC to go through the on-premises network. Which THREE actions are required to achieve this?

Question 18 (hard, multiple choice)

A company runs a multi-tier web application on AWS. The web servers in public subnets need to send traffic to the application servers in private subnets. The application servers must only accept traffic from the web servers. Both tiers are in the same VPC. Which design meets these requirements without introducing a single point of failure or unnecessary complexity?

Question 19 (medium, multiple choice)

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and wants to minimize operational overhead. The on-premises network uses BGP to advertise routes to AWS. Which design meets these requirements?

Question 20 (easy, multiple choice)

A company is designing a VPC with public and private subnets for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of route tables and security groups achieves this?

Question 21 (medium, multiple choice)

A company is deploying an application that requires low-latency communication between EC2 instances in two different AWS Regions. The application traffic is latency-sensitive and the company wants to minimize jitter. Which network design provides the lowest and most consistent latency?

Question 22 (hard, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16. They need to connect to two on-premises data centers, each with overlapping CIDR blocks (192.168.0.0/16). The company wants to use AWS Site-to-Site VPN with dynamic routing (BGP). Which design allows the VPC to reach both data centers without route conflicts?

Question 23 (easy, multi select)

Which TWO of the following are valid components of an AWS Transit Gateway design for connecting multiple VPCs and on-premises networks?

Question 24 (hard, multi select)

Which THREE of the following are valid considerations when designing a multi-Region active-active application using AWS Global Accelerator?

Question 25 (hard, multiple choice)

A network engineer analyzes a VPC Flow Log entry showing an ACCEPT for a TCP connection from 203.0.113.50 (internet) to 10.0.1.5 on port 443. The security group for the instance allows inbound HTTPS only from 10.0.0.0/16, and the NACL for the subnet has the rules shown. Why was the traffic accepted?

Exhibit

Refer to the exhibit.

VPC Flow Logs entry:

```
2 123456789010 eni-12345678 10.0.1.5 203.0.113.50 443 38000 6 20 5000 1450670868 1450670868 ACCEPT OK
```

Security group inbound rule:

```
Type: Custom TCP, Protocol: TCP, Port Range: 443, Source: 10.0.0.0/16
```

NACL inbound rules:

```
Rule #100: Type: HTTP (80), Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0, Allow
Rule #120: Type: HTTPS (443), Protocol: TCP, Port Range: 443, Source: 10.0.0.0/16, Allow
Rule #*: Type: All traffic, Protocol: All, Port Range: All, Source: 0.0.0.0/0, Deny
```

Question 26 (hard, multiple choice)

A company is designing a multi-Region architecture using AWS Transit Gateway and Direct Connect. They have VPCs in us-east-1 and eu-west-1, each with an attached Transit Gateway. The Direct Connect gateway is associated with the Transit Gateway in us-east-1. They need to enable communication between VPCs across Regions using the Direct Connect gateway. What is the correct design to achieve this?

Question 27 (medium, multiple choice)

A company has a hub-and-spoke network topology using AWS Transit Gateway in us-east-1. The hub VPC hosts centralized inspection appliances from a third-party vendor. The spokes include VPCs with application workloads and a Direct Connect VIF attached to a Direct Connect gateway which is associated with the Transit Gateway. The company notices that traffic from the on-premises network to the spoke VPCs is not being inspected by the centralized appliances. They have verified that the Transit Gateway route tables are correctly configured with static routes pointing to the inspection VPC for all spoke CIDRs, and the inspection appliances are properly configured to forward traffic. What is the most likely cause of this issue?

Question 28 (easy, multiple choice)

A startup is launching a new web application on AWS and needs to design a highly available and secure network architecture. The application will run on EC2 instances in an Auto Scaling group across two Availability Zones in a single region. The application must be accessible from the internet over HTTPS. The company expects variable traffic and wants to reduce costs where possible. They also need to protect against common web exploits like SQL injection and cross-site scripting. Which combination of AWS services should be used for the network design?

Question 29 (medium, multiple choice)

A financial services company is designing a hybrid network architecture using AWS Direct Connect. They have a Direct Connect connection with a public VIF and a private VIF. The private VIF is associated with a Direct Connect gateway that is attached to a Transit Gateway in us-east-1. The Transit Gateway has attachments to a production VPC and a shared services VPC. The company wants to ensure that all traffic from the on-premises network to the production VPC flows through a centralized inspection appliance in the shared services VPC for security compliance. Additionally, traffic from the production VPC to the internet must use a NAT gateway in the shared services VPC. The inspection appliance in the shared services VPC performs stateful inspection and must see both directions of traffic. The network engineer configured the following route tables: In the Transit Gateway route table associated with the Direct Connect gateway attachment, a static route for 0.0.0.0/0 points to the shared services VPC attachment. In the Transit Gateway route table associated with the production VPC attachment, a static route for the on-premises CIDR (10.0.0.0/8) points to the shared services VPC attachment. In the Transit Gateway route table associated with the shared services VPC attachment, a static route for the on-premises CIDR points to the Direct Connect gateway attachment, and a static route for 0.0.0.0/0 points to the Direct Connect gateway attachment (for outbound internet traffic, the shared services VPC has its own internet gateway and NAT gateway). The production VPC has a default route (0.0.0.0/0) pointing to the Transit Gateway. The shared services VPC has a default route pointing to the NAT gateway. However, traffic from on-premises to the production VPC is not being inspected; it goes directly to the production VPC. What is the most likely reason?

Question 30 (hard, multiple choice)

A large e-commerce company operates a multi-tier application across multiple AWS accounts. The web tier is in a VPC (10.0.0.0/16) in Account A, and the application tier is in a separate VPC (10.1.0.0/16) in Account B. Both VPCs are connected via a VPC peering connection. The application tier uses an NLB to distribute traffic to EC2 instances in private subnets. The web tier sends traffic to the NLB's private IP address. Recently, the company migrated the application tier to use AWS PrivateLink instead of the VPC peering connection, creating a VPC endpoint service in Account B and an interface VPC endpoint in Account A. After the migration, the web tier cannot connect to the application tier. The security groups and NACLs allow the traffic. Which of the following is the MOST likely cause of the connectivity issue?

Question 31 (medium, drag order)

Arrange the steps to configure an AWS Transit Gateway with attachments to multiple VPCs:
