Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 2.0

Network Implementation

ANS-C01 Practice Questions

Use this page to practise Network Implementation questions for this certification. Focus on how the exam tests network implementation in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

What this objective tests

ANS-C01 Network Implementation — Key Topics

Network Implementation questions on this certification test your ability to deploy and manage networks in scenario-based situations.

  • Core Network Implementation concepts and how they apply in real-world cloud scenarios.
  • How to deploy a network implementation correctly and verify the outcome.
  • Troubleshooting network implementation issues by interpreting error output and system state.
  • Cloud best practices and Network Implementation design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Network Implementation

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

ANS-C01 Network Implementation — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A company is deploying a multi-tier web application across two AWS Regions. The application uses an Application Load Balancer (ALB) in each region, and traffic must be distributed to the closest healthy ALB using Route 53 latency-based routing. The application requires that clients maintain the same source IP address when the request is forwarded from the ALB to the backend targets. The backend targets are EC2 instances in private subnets. The company also needs to ensure that traffic between the ALB and targets stays within AWS. What should the company implement to meet these requirements?

Question 3 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF connected to a VPC. The company wants to add a second Direct Connect connection for redundancy. They plan to use BGP AS_PATH prepending to influence traffic steering so that the primary connection is preferred for inbound traffic. The on-premises router advertises the same prefix over both connections. The company configures BGP on the primary VIF with AS_PATH prepending (prepend two AS numbers). However, after configuration, inbound traffic still uses both paths equally. What is the most likely cause?

Question 4 (easy, multiple choice)

A networking engineer is troubleshooting connectivity issues between two VPCs that are peered using a VPC peering connection. The VPCs are in different AWS accounts. The engineer has verified that the route tables are correct and the security groups allow traffic. However, ICMP ping fails from an instance in VPC A to an instance in VPC B. What is a likely cause?

Question 5 (hard, multiple choice)

A company has a centralized inspection VPC architecture where all traffic from spoke VPCs is routed through a Transit Gateway to a centralized VPC that hosts firewall appliances (NGFW). The company needs to inspect traffic between two instances in the same spoke VPC. What is the simplest way to achieve this?

Question 6 (medium, multiple choice)

A company is implementing a hybrid network with AWS Direct Connect and a VPN connection as backup. They have a Direct Connect gateway (DXGW) attached to a private VIF and a virtual private gateway (VGW) attached to a VPN connection. The VPC is attached to the VGW. They want to use the Direct Connect connection for all traffic when available. The on-premises router advertises the same prefix over both connections. However, traffic from on-premises to the VPC is using the VPN connection. BGP is configured correctly on both connections. What should the company do to prefer the Direct Connect path?

Question 7 (easy, multi select)

A company is designing a network for a three-tier web application on AWS. The web tier must be accessible from the internet, and the application and database tiers must be in private subnets. The company wants to use a single AWS Region and ensure high availability. Which TWO configurations should be implemented? (Choose two.)

Question 8 (medium, multi select)

A company is migrating a legacy application to AWS. The application requires multicast communication between EC2 instances in the same VPC. Which THREE options can support this requirement? (Choose three.)

Question 9 (easy, multiple choice)

A company is deploying a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in private subnets can access the internet for software updates while remaining unreachable from the internet. Which solution meets these requirements?

Question 10 (medium, multiple choice)

A company has deployed a web application across multiple AWS Regions using Application Load Balancers (ALBs) and EC2 instances. They want to use AWS Global Accelerator to improve performance and provide a fixed entry point. The Global Accelerator is configured with endpoints pointing to the ALBs. However, users are experiencing intermittent failures. What is the most likely cause?

Question 11 (hard, multiple choice)

A network engineer is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC peering connection. Both VPCs have CIDR blocks: VPC-A = 10.0.0.0/16, VPC-B = 10.1.0.0/16. An EC2 instance in VPC-A (10.0.1.10) cannot ping an EC2 instance in VPC-B (10.1.1.10). Security groups and NACLs allow all traffic. The route tables are configured as follows: In VPC-A, a route to 10.1.0.0/16 via the peering connection. In VPC-B, a route to 10.0.0.0/16 via the peering connection. What is the most likely cause?

Question 12 (medium, multiple choice)

A company is setting up a Direct Connect connection to connect its on-premises data center to AWS. The connection is established, and a private virtual interface (VIF) is configured. The on-premises router can ping the VIF's Amazon side IP address, but cannot ping an EC2 instance in the VPC. The VPC has a virtual private gateway attached, and the route tables are correctly configured. What should the company check next?

Question 13 (hard, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16 and has enabled VPC Flow Logs to capture all traffic. The logs show that an EC2 instance (10.0.1.10) is sending outbound traffic to an external IP (203.0.113.50) on port 443, but the traffic is being rejected. The instance's security group allows outbound HTTPS to 0.0.0.0/0, and the subnet's NACL allows outbound traffic on port 443. The VPC has an internet gateway attached, and the route table directs 0.0.0.0/0 to the internet gateway. What is the most likely cause of the rejection?

Question 14 (medium, multi select)

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect and a VPN connection as a backup. The on-premises network uses BGP to advertise routes to AWS. Which of the following are best practices for this setup? (Choose TWO.)

Question 15 (hard, multi select)

A company has a VPC with multiple subnets spanning three Availability Zones. They have deployed an Application Load Balancer (ALB) in the VPC and need to ensure high availability and scalability for a web application. Which of the following are design considerations for implementing the ALB in this environment? (Choose THREE.)

Question 16 (easy, multiple choice)

A network engineer is analyzing VPC Flow Logs for a VPC with CIDR 10.0.0.0/16. The exhibit shows a sample log entry. The engineer notices that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted. However, the application team reports that the connection is failing. What is the most likely reason for the disconnect?

Exhibit

Refer to the exhibit.

```
VPC Flow Logs version 2
account-id 123456789012
interface-id eni-0a1b2c3d4e5f67890
srcaddr 10.0.1.10
dstaddr 10.0.2.10
srcport 12345
dstport 443
protocol 6
packets 10
bytes 1500
start 1625097600
end 1625097660
action ACCEPT
log-status OK
```

Question 17 (medium, multiple choice)

A company has set up a transit gateway with attachments to VPC-A and VPC-B. The transit gateway route table shows routes to both VPCs and a blackhole for 0.0.0.0/0. VPC-A's public subnet route table sends 10.1.0.0/16 traffic to the transit gateway. However, an EC2 instance in VPC-A's public subnet cannot reach an instance in VPC-B. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
AWS Transit Gateway Route Table
Route Table ID: tgw-rtb-0123456789abcdef0
Routes:
10.0.0.0/16 attachment tgw-attach-11111111111111111 (VPC-A)
10.1.0.0/16 attachment tgw-attach-22222222222222222 (VPC-B)
0.0.0.0/0 blackhole
```

```
VPC-A Route Table (public subnet)
Destination Target
10.0.0.0/16 local
10.1.0.0/16 tgw-1234567890abcdef0
0.0.0.0/0 igw-1234567890abcdef0
```

Question 18 (medium, multiple choice)

A company is deploying a new VPC with both public and private subnets. The public subnet hosts an internet-facing Application Load Balancer (ALB), and the private subnet hosts EC2 instances running a web application. The EC2 instances need to download updates from the internet, but they must not be directly accessible from the internet. Which combination of steps should a network engineer implement to meet these requirements?

Question 19 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF connected to a VPC. The network engineer notices that traffic from on-premises to the VPC is being dropped intermittently. The on-premises router shows BGP session is up, but the VPC route table does not have the on-premises prefix. What is the most likely cause?

Question 20 (easy, multiple choice)

A company wants to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet this requirement?

Question 21 (medium, multiple choice)

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?

Question 22 (hard, multi select)

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network engineer needs to ensure that traffic between VPC A and VPC B follows a specific path through a Network Virtual Appliance (NVA) in VPC C. Which TWO actions should the engineer take?

Question 23 (medium, multi select)

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway. The private subnet instances need to access an S3 bucket in the same region. Which THREE steps should the network engineer take to ensure the most cost-effective and secure access without traversing the internet?

Question 24 (hard, multiple choice)

A company has a large AWS environment with hundreds of VPCs connected via a Transit Gateway. The network team is implementing a new hub-and-spoke architecture where all traffic between VPCs must be inspected by a centralized firewall appliance in a shared services VPC. The firewall appliance is a third-party virtual appliance that supports VRF-like segmentation. The network engineer has configured the Transit Gateway with separate route tables for each VPC, and the shared services VPC is associated with all route tables. The firewall appliance is deployed in the shared services VPC with two ENIs: one in a 'trust' subnet and one in an 'untrust' subnet. The trust subnet is used for traffic coming from spoke VPCs, and the untrust subnet is used for traffic going to other spoke VPCs. The firewall appliance performs stateful inspection and returns traffic to the Transit Gateway via the correct ENI. However, after implementation, traffic between two spoke VPCs (VPC A and VPC B) is being dropped. The engineer verifies that the Transit Gateway route tables have static routes for each spoke VPC CIDR pointing to the shared services VPC attachment. The spoke VPCs have routes to each other's CIDR via the Transit Gateway. The firewall logs show that traffic from VPC A reaches the trust ENI, but the firewall is unable to send traffic to VPC B because it does not have a route to VPC B's CIDR. What is the most likely cause?

Question 25 (easy, multiple choice)

A company is deploying a hybrid network architecture with an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The on-premises network uses BGP to advertise routes to the VPN connection. After the VPN is established, the on-premises network cannot reach EC2 instances in the VPC. The VPC route table has a route for the on-premises CIDR block pointing to the VPN gateway. What is the most likely cause of this issue?

Question 26 (medium, multi select)

A network engineer is troubleshooting a connectivity issue between two VPCs (VPC-A and VPC-B) that are connected via a VPC peering connection. The engineer has verified that the route tables in both VPCs have the appropriate routes. However, instances in VPC-A cannot ping instances in VPC-B. Which TWO actions should the engineer take to resolve this issue? (Choose two.)

Question 27 (medium, drag order)

Order the steps to set up a Network Load Balancer with a TCP listener in front of an Auto Scaling group:

Question 28 (medium, drag order)

Order the steps to set up a redundant Direct Connect connection with two virtual interfaces in different AWS regions:

Question 29 (medium, matching)

Match each AWS security feature to its description.

Stateful firewall that controls inbound and outbound traffic at instance level

Stateless firewall that controls traffic at subnet level

Web application firewall that protects against common web exploits

Managed DDoS protection service with enhanced detection and mitigation

Managed firewall service that provides stateful inspection for VPC traffic

Question 30 (medium, matching)

Match each AWS networking monitoring or troubleshooting tool to its primary purpose.

Capture IP traffic information for security and troubleshooting

Monitor network performance metrics like throughput and latency

Test network path between two resources and identify configuration issues

Copy network traffic for content inspection or security analysis

Trace requests through distributed applications, including network calls

Question 31 (easy, multiple choice)

A company is deploying a new web application on AWS. They need to distribute incoming HTTPS traffic across multiple EC2 instances in different Availability Zones. Which AWS service should they use?

More Network Implementation questions available in the full practice test.
