Sample questions
AWS Certified Advanced Networking Specialty ANS-C01 practice questions
A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?
- A
Use VPC peering to connect all VPCs to the shared services VPC and route traffic through the firewall.
Why wrong: VPC peering is not transitive and does not scale well for many VPCs.
- B
Create a Transit Gateway with separate route tables for each VPC and a shared route table for the inspection VPC. Use Gateway Load Balancer to distribute traffic to a fleet of firewall instances.
This design is scalable and highly available: the Transit Gateway steers every inter-VPC flow to the inspection VPC, and the Gateway Load Balancer spreads flows across a fleet of firewall instances with health checks and flow stickiness. Two details matter in practice: both directions of a flow must be routed through the inspection VPC (a stateful firewall that sees only one direction drops the session), and appliance mode should be enabled on the inspection VPC's Transit Gateway attachment so that the return traffic of a flow is sent to the same Availability Zone as the forward traffic.
- C
Attach all VPCs to a Transit Gateway and configure a Network Load Balancer in the shared services VPC to distribute traffic to firewall instances.
Why wrong: A Network Load Balancer load-balances TCP/UDP flows to targets; it does not provide the transparent, bump-in-the-wire insertion that inline firewalls need (GENEVE encapsulation of the original packets to the appliance fleet, with flow stickiness and health checks). That is what a Gateway Load Balancer does.
- D
Attach all VPCs to a Transit Gateway and use a single firewall instance with elastic network interfaces in each VPC.
Why wrong: A single firewall instance is a single point of failure and a throughput bottleneck, and attaching an elastic network interface in every VPC neither scales (instance ENI limits) nor makes the instance highly available.
A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?
- A
Use a public virtual interface (VIF) and route traffic through a NAT gateway.
Why wrong: A public VIF carries traffic to AWS public endpoints in the clear, and a NAT gateway only translates addresses; nothing in this option encrypts anything.
- B
Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.
IPsec encrypts the traffic as it crosses the Direct Connect link, independent of what the applications do. Caveat: the AWS-managed Site-to-Site VPN endpoints are reached over a public VIF (or, with a Transit Gateway, as a Private IP VPN over a transit VIF); an IPsec tunnel over a private VIF terminates on a self-managed VPN appliance in the VPC. In either case the VPN tunnel's bandwidth, not the Direct Connect port speed, bounds the encrypted throughput.
- C
Use a private virtual interface (VIF) and enable encryption on the Direct Connect connection.
Why wrong: Direct Connect does not encrypt traffic by default and there is nothing to "enable" on a private VIF. The one exception is MACsec (IEEE 802.1AE), available only on dedicated 10 Gbps and 100 Gbps connections at MACsec-capable locations; it is link-layer encryption that covers only the cross-connect between the customer device and the AWS Direct Connect device at the colocation, not the rest of the path.
- D
Use a private VIF and enable TLS on all applications.
Why wrong: TLS protects only the applications that use it; the requirement is all traffic between the two networks, which needs encryption at the network layer (IPsec) or below, not per application.
A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?
- A
Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment.
This design uses Transit Gateway route tables to force traffic through the inspection VPC: the spoke attachments are associated with a table whose route for VPC B (or a default route) points at the inspection VPC attachment. Two things complete it: the inspection VPC's attachment must be associated with a second table that has routes to each spoke's CIDR, so the appliance can hand traffic back to the Transit Gateway; and the B-to-A direction must take the same path, or a stateful firewall sees only half of each flow.
- B
Create a VPC peering connection between VPC A and VPC B, and attach firewall appliances in both VPCs.
Why wrong: VPC peering does not support transitive routing; traffic would go directly.
- C
Use AWS PrivateLink to create VPC endpoints in VPC A and VPC B, and route traffic through the firewall VPC.
Why wrong: PrivateLink is for accessing services, not for routing VPC-to-VPC traffic.
- D
Deploy AWS Network Firewall in each VPC and configure VPC route tables to send traffic to the firewall endpoint.
Why wrong: AWS Network Firewall endpoints in every VPC give a distributed design, not the single centralized inspection VPC the requirement names, and the VPC route tables rather than the Transit Gateway would be doing the steering.
A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?
- A
Change the VPN connection from static to dynamic routing.
Why wrong: Static versus BGP routing changes how routes are learned and how failover happens; it does not change packet delivery on a tunnel that is already up and passing traffic, so it cannot explain intermittent loss.
- B
Enable jumbo frames on the transit VPC's EC2-based virtual appliances.
Jumbo frames reduce per-packet overhead and improve throughput on the appliance's VPC-side segments. Caveat before applying this: a Site-to-Site VPN tunnel carries at most 1446-byte packets and inter-Region traffic is limited to 1500 bytes, so the MTU must be consistent end to end (or TCP MSS clamped on the appliances); large packets that exceed the path MTU and cannot be fragmented are dropped, which is itself a common cause of "tunnel up but connectivity intermittent".
- C
Enable BGP route propagation on the transit VPC's route tables.
Why wrong: Route propagation only populates route tables; it would not cause intermittent loss on a tunnel that is up and exchanging traffic, and in a transit VPC design it is most likely already configured.
- D
Deploy a new transit VPC in eu-west-1.
Why wrong: A second hub adds cost and routing complexity and does not address a packet-level problem on the existing path.
A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?
- A
Set up AWS Site-to-Site VPN connections between each VPC.
Why wrong: Site-to-Site VPN terminates on a virtual private gateway or Transit Gateway, not on another VPC, so VPC-to-VPC VPNs would need EC2-based endpoints on at least one side; that costs instance and tunnel hours, caps throughput at VPN speeds, and is far more complex than peering.
- B
Use ClassicLink to connect the VPCs.
Why wrong: ClassicLink linked EC2-Classic instances to a VPC; it never connected VPCs to each other, and EC2-Classic has been retired.
- C
Create VPC peering connections between each pair of VPCs.
VPC peering is simple, low-cost (you pay only for data transfer), and routes on private IPs. It requires non-overlapping CIDRs, and a full mesh grows as n(n-1)/2 connections, so it is the right choice for a small number of VPCs.
- D
Create a Transit Gateway and attach all VPCs.
Why wrong: Transit Gateway charges per attachment-hour plus per GB processed and adds route tables to manage; for a few VPCs in one Region that is more cost and more operational overhead than peering.
A company is deploying an application that requires low-latency communication between EC2 instances in two different AWS Regions. The application traffic is latency-sensitive and the company wants to minimize jitter. Which network design provides the lowest and most consistent latency?
- A
Create a VPC peering connection between the two VPCs and route traffic through the peering connection.
Why wrong (per the key): inter-Region VPC peering is supported and its traffic stays on the AWS backbone, so this is the strongest distractor. The key prefers Global Accelerator because its static anycast addresses and health-checked endpoint groups give a managed, health-aware path across the AWS global network rather than a single fixed peering path.
- B
Use internet gateways and route traffic over the public internet between the instances.
Why wrong: Public internet introduces variable latency and jitter.
- C
Use a Site-to-Site VPN connection between the two VPCs over the internet.
Why wrong: VPN adds latency due to encryption and uses the public internet which is variable.
- D
Deploy an AWS Global Accelerator with endpoints in both Regions and use the accelerator's static IP addresses for communication.
Global Accelerator carries traffic over the AWS global network from the nearest edge location instead of the public internet, which lowers latency and, more importantly here, latency variation. Note that the instances address each other through the accelerator's static IPs, so each Region's instances must be registered as endpoints (EC2 instances, Elastic IPs, ALB or NLB) in that Region's endpoint group.
Which TWO of the following are valid components of an AWS Transit Gateway design for connecting multiple VPCs and on-premises networks?
- A
VPC Endpoint Gateway
Why wrong: VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints for other services) give a VPC private access to AWS services; they are not Transit Gateway constructs.
- B
Transit Gateway endpoint attached to a subnet in a VPC
Why wrong: A VPC attachment is made to the VPC, choosing one subnet per Availability Zone to host the attachment's network interface; there is no "Transit Gateway endpoint" that you attach to a subnet.
- C
Direct Connect Gateway associated with a Transit Gateway
Why wrong: Direct Connect Gateway is a separate entity; it can be associated with a Transit Gateway but is not a component of the Transit Gateway itself.
- D
Transit Gateway route table
Each attachment is associated with exactly one Transit Gateway route table, and that table decides where the attachment's traffic is forwarded; routes are added statically or propagated from attachments.
- E
Transit Gateway peering attachment
Peering attachments connect two transit gateways, across Regions or accounts (and within a Region); routes over a peering attachment are static, there is no propagation across it.
A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?
- A
Attach an internet gateway to the VPC and add a default route to the internet gateway in the private subnet route tables.
Why wrong: A route to an internet gateway only works for instances that have public or Elastic IPs, and those addresses then accept inbound connections from the internet; this turns the private subnets into public ones, which the requirement forbids.
- B
Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet route tables.
A NAT Gateway translates outbound connections to its Elastic IP and admits only the replies to those connections; nothing on the internet can initiate a connection through it. For the two-AZ design deploy one NAT Gateway per public subnet and point each AZ's private route table at its own, so an AZ outage does not take egress down elsewhere and traffic does not cross AZs.
- C
Launch an EC2 instance in a public subnet with a proxy software and route private subnet traffic through it.
Why wrong: A proxy or NAT instance works, but you own its patching, sizing, source/destination-check settings and failover; the managed NAT Gateway removes that overhead.
- D
Create a VPC endpoint for Amazon S3 and add a route to the endpoint in the private subnet route tables.
Why wrong: A gateway endpoint covers only Amazon S3 and DynamoDB prefixes, not arbitrary update repositories on the internet. It is still worth adding next to the NAT Gateway so S3-hosted packages bypass the NAT Gateway's data-processing charge.
A company has a Direct Connect connection with a private VIF attached to a virtual private gateway. The VPC has multiple subnets in two Availability Zones. The on-premises network advertises a default route (0.0.0.0/0) via BGP. The company wants all internet-bound traffic from the VPC to go through the on-premises network. Which THREE actions are required to achieve this?
- A
Deploy a NAT Gateway in a public subnet.
Why wrong: A NAT Gateway egresses through an internet gateway in AWS, exactly the path the requirement forbids, and it needs a public subnet with an IGW route to exist at all.
- B
Add a default route pointing to the virtual private gateway in the private subnet route tables.
Sends the private subnets' internet-bound traffic over Direct Connect to on-premises. If propagation (E) is enabled and on-premises advertises 0.0.0.0/0, the propagated route already provides this and the static entry is only a fallback; either way the private subnets must be associated with the route table that carries the route.
- C
Remove the default route to the internet gateway from the main route table.
Required: for the same prefix a static route wins over a propagated one, so a static 0.0.0.0/0 to the internet gateway silently overrides the propagated 0.0.0.0/0 from the virtual private gateway. Check every route table associated with the subnets, not only the main table.
- D
Attach an internet gateway to the VPC.
Why wrong: An internet gateway gives instances with public or Elastic IPs a direct internet path that bypasses on-premises inspection.
- E
Enable route propagation on the VPC route tables.
Route propagation is enabled per route table and installs the BGP-learned prefixes from the virtual private gateway (here 0.0.0.0/0 and any on-premises networks) into that table; without it the default route never appears.
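The route-priority rule behind answers B, C and E, worked as an added Python model (example code, not from the exam page or from AWS; the route-table and gateway IDs, the 10.10.0.0/16 VPC and the 203.0.113.10 test destination are constructed). A subnet resolves a destination from its explicitly associated route table or else the main table, by longest prefix, and for an equal prefix a static route beats one propagated from the virtual private gateway. Running it shows why a leftover 0.0.0.0/0 to the internet gateway wins over the propagated on-premises default, and why a subnet that was never associated with the private table keeps using the main table:

```python
"""Model of how a VPC subnet resolves a destination to a route target, covering the
three facts the default-route scenario turns on: a subnet uses its explicitly
associated route table or else the main table; longest prefix match wins; and for
the same prefix a static route beats a route propagated from the virtual private
gateway. All IDs and CIDRs are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    target: str
    propagated: bool = False    # True when installed by VGW route propagation


@dataclass
class RouteTable:
    rtb_id: str
    routes: list = field(default_factory=list)
    propagation_enabled: bool = False


@dataclass
class Vpc:
    cidr: str
    main: RouteTable
    assoc: dict = field(default_factory=dict)   # subnet id -> explicitly associated table

    def table_for(self, subnet_id):
        return self.assoc.get(subnet_id, self.main)


def propagate(table, vgw_id, advertised):
    """Install BGP-learned prefixes as propagated routes, only if propagation is on."""
    if table.propagation_enabled:
        for prefix in advertised:
            table.routes.append(Route(prefix, vgw_id, propagated=True))


def resolve(vpc, subnet_id, dst):
    """Return the target used for dst by an instance in subnet_id, or None if no route."""
    addr = ip_address(dst)
    matches = [r for r in vpc.table_for(subnet_id).routes if addr in ip_network(r.prefix)]
    if not matches:
        return None
    # Longest prefix first; on a tie the static route (propagated=False) wins.
    best = max(matches, key=lambda r: (ip_network(r.prefix).prefixlen, not r.propagated))
    return best.target


def build(leftover_igw_default):
    """Private subnets behind a VGW that learns 0.0.0.0/0 and 192.168.0.0/16 from on-premises."""
    local = Route("10.10.0.0/16", "local")
    main = RouteTable("rtb-main", [local])
    private = RouteTable("rtb-private", [local], propagation_enabled=True)
    if leftover_igw_default:
        private.routes.append(Route("0.0.0.0/0", "igw-0123"))   # the static route to remove
    propagate(private, "vgw-0123", ["0.0.0.0/0", "192.168.0.0/16"])
    return Vpc("10.10.0.0/16", main, {"subnet-priv-a": private, "subnet-priv-b": private})


def egress_target(leftover_igw_default, subnet_id="subnet-priv-a", dst="203.0.113.10"):
    """Where an internet-bound packet from subnet_id goes in the constructed VPC."""
    return resolve(build(leftover_igw_default), subnet_id, dst)


if __name__ == "__main__":
    print("with IGW default :", egress_target(True))                  # igw-0123: static beats propagated
    print("IGW route removed:", egress_target(False))                 # vgw-0123: egress via on-premises
    print("unassociated sub :", egress_target(False, "subnet-priv-c"))  # main table, no default route
```

The same resolver answers the later troubleshooting questions on this page: run it against the table actually associated with the instance's subnet, since a route that only exists in the main table does nothing for explicitly associated subnets.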
A company is designing a network for a three-tier web application on AWS. The web tier must be accessible from the internet, and the application and database tiers must be in private subnets. The company wants to use a single AWS Region and ensure high availability. Which TWO configurations should be implemented? (Choose two.)
- A
Place an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones.
Provides high availability and internet access for the web tier.
- B
Configure the web tier EC2 instances in an Auto Scaling group across two Availability Zones.
Auto Scaling group across multiple AZs provides high availability and scalability.
- C
Use a stateful network ACL for the web tier subnets to simplify security rules.
Why wrong: Network ACLs are always stateless, there is no stateful option; return traffic has to be allowed explicitly in each direction, including the ephemeral port range, which makes rules more complex, not simpler. Security groups are the stateful layer and the simpler place for instance-level rules.
- D
Deploy a NAT Gateway in a single Availability Zone for outbound traffic from private subnets.
Why wrong: A single NAT Gateway is a single point of failure for the whole private tier; deploy one per Availability Zone and route each AZ's private subnets to the NAT Gateway in the same AZ.
- E
Create the VPC with a single Availability Zone to simplify management.
Why wrong: Single AZ is not highly available; should use at least two AZs.
A network engineer is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC peering connection. Both VPCs have CIDR blocks: VPC-A = 10.0.0.0/16, VPC-B = 10.1.0.0/16. An EC2 instance in VPC-A (10.0.1.10) cannot ping an EC2 instance in VPC-B (10.1.1.10). Security groups and NACLs allow all traffic. The route tables are configured as follows: In VPC-A, a route to 10.1.0.0/16 via the peering connection. In VPC-B, a route to 10.0.0.0/16 via the peering connection. What is the most likely cause?
- A
The VPCs have overlapping CIDR blocks.
Why wrong: CIDR blocks are different.
- B
Security groups are blocking ICMP traffic.
Why wrong: Security groups allow all traffic.
- C
The route tables are missing routes to the peering connection.
Why wrong: Routes are present.
- D
There is an intermediate VPC or on-premises network that routes traffic incorrectly due to the lack of transitive routing.
VPC peering does not allow transitive routing: if either side forwards the traffic through a third hop (another VPC, a VPN, a NAT instance), the peering connection will not carry it. In practice, before reaching this conclusion, confirm the peering connection is in the active state, that the route is present in the route table actually associated with each instance's subnet (not only the main table), and that the instances' OS firewalls allow ICMP.
A company is migrating a legacy application to AWS. The application requires multicast communication between EC2 instances in the same VPC. Which THREE options can support this requirement? (Choose three.)
- A
Use AWS Transit Gateway with a multicast domain.
Transit Gateway multicast domains are the AWS-native option: network interfaces of instances in attached VPCs are registered as sources and group members, with static membership or IGMPv2.
- B
Use AWS Direct Connect to extend the on-premises multicast domain to the VPC.
Why wrong: Direct Connect does not support multicast across the connection.
- C
Deploy a multicast-capable third-party virtual appliance in the VPC and configure multicast routing.
A multicast-capable appliance builds an overlay, carrying the multicast groups inside unicast tunnels between the application hosts; the VPC fabric itself never forwards multicast.
- D
Use a VPC with a single subnet and enable multicast on the subnet.
Note: this option is not achievable as written. Amazon VPC has no subnet-level multicast setting and does not forward multicast between instances, whether or not they share a subnet. The key counts it, but in practice multicast inside a VPC needs a Transit Gateway multicast domain (A) or an overlay built by appliances (C).
- E
Create a VPC peering connection and enable multicast across the peered VPCs.
Why wrong: VPC peering does not support multicast.
A company wants to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet this requirement?
- A
Create an AWS Site-to-Site VPN between the VPCs and disable the VPC peering connection.
Why wrong: A VPN would encrypt, but Site-to-Site VPN terminates on a virtual private gateway or Transit Gateway, not on a peer VPC, so this needs VPN appliances or extra gateways and is capped at VPN tunnel bandwidth; encrypting at the endpoints over the existing peering connection is simpler.
- B
Use TLS or IPsec at the application layer between instances.
TLS at the application layer, or host-to-host IPsec at the network layer, encrypts the payload end to end between the instances regardless of the path the VPC network takes. Verify by capturing on an instance's network interface and confirming only TLS records or ESP are visible.
- C
Replace the VPC peering connection with a Transit Gateway and enable VPN encryption.
Why wrong: Transit Gateway VPC attachments are not encrypted; only a VPN attachment would be, which means terminating IPsec on each side and moving the traffic onto bandwidth-limited tunnels, far more complex than encrypting at the hosts.
- D
Enable encryption on the VPC peering connection.
Why wrong: VPC peering has no encryption setting; the connection forwards packets as the instances send them, so encryption is the endpoints' job.
A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?
- A
The network ACL in the VPC is blocking outbound traffic.
Why wrong: A network ACL is stateless and could in principle allow ICMP while blocking TCP, but the option names outbound blocking, and for HTTPS the relevant outbound rule is the ephemeral port range for the replies; the question states ping crosses the same NACL in both directions. The missing security group rule is the more direct explanation. If VPC Flow Logs still show REJECT for port 443 after adding it, revisit the NACL's ephemeral range.
- B
The security group for the EC2 instance does not allow inbound HTTPS traffic.
Security groups are stateful, so once an inbound rule admits TCP/443 the return traffic is allowed without any outbound rule. Ping succeeding proves routing, BGP and the ICMP rules are fine; a security group that allows ICMP but not TCP/443 from the on-premises CIDR is the most likely cause.
- C
The BGP session is in the 'Idle' state.
Why wrong: Ping works, so the BGP session is Established and prefixes are being exchanged in both directions.
- D
The route table associated with the virtual private gateway does not have a route to the on-premises network.
Why wrong: The virtual private gateway does not have its own route table; routes are added to the VPC route tables.
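The stateful-versus-stateless distinction from the three-tier question and from this one, as an added Python model (example code, not from the page; the rule sets, the on-premises source and the ephemeral port 51234 are constructed). It evaluates a network ACL direction by direction, lowest rule number first with an implicit deny, and a security group only on the inbound request, then runs an ICMP echo and a TCP/443 connection through both. The three failing rule sets reproduce "ping works, HTTPS does not" for a missing security group rule, for an outbound NACL that allows port 443 instead of the ephemeral range, and for a deny rule numbered below the allow:

```python
"""Model of the two VPC firewall layers in the ping-works-but-HTTPS-fails scenario:
a security group (allow rules only, stateful: a permitted request admits its reply)
and a network ACL (numbered allow/deny rules, stateless: each direction evaluated on
its own, lowest rule number first, implicit deny). Rules below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str    # "tcp", "icmp" or "all"
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def nacl_permits(rules, protocol, port):
    """Stateless: evaluate this direction's rules by ascending number; first match wins."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol in ("all", protocol) and r.port_from <= port <= r.port_to:
            return r.action == "allow"
    return False     # the '*' rule at the end of every NACL denies


def sg_permits_inbound(inbound_rules, protocol, port):
    """Stateful and allow-only: no deny rules; anything not listed is dropped."""
    return any(p == protocol and lo <= port <= hi for p, lo, hi in inbound_rules)


def session(nacl_in, nacl_out, sg_in, protocol, dst_port, reply_port):
    """Return (request_admitted, reply_admitted) for one request into the instance.
    The NACL is consulted in both directions; the SG only on the way in, because it
    tracks the connection and admits the reply regardless of its outbound rules."""
    if not (nacl_permits(nacl_in, protocol, dst_port) and sg_permits_inbound(sg_in, protocol, dst_port)):
        return False, False
    return True, nacl_permits(nacl_out, protocol, reply_port)


def diagnose(nacl_in, nacl_out, sg_in):
    """End-to-end result for an ICMP echo and a TCP/443 connection from on-premises."""
    return {
        "ping": all(session(nacl_in, nacl_out, sg_in, "icmp", 0, 0)),
        "https": all(session(nacl_in, nacl_out, sg_in, "tcp", 443, 51234)),  # reply goes to an ephemeral port
    }


# Constructed rule sets
NACL_ALLOW_ALL = [NaclRule(100, "all", 0, 65535, "allow")]
NACL_OUT_SERVICE_PORT = [NaclRule(100, "icmp", 0, 65535, "allow"),
                         NaclRule(110, "tcp", 443, 443, "allow")]       # forgot the ephemeral range
NACL_OUT_EPHEMERAL = [NaclRule(100, "icmp", 0, 65535, "allow"),
                      NaclRule(110, "tcp", 1024, 65535, "allow")]
NACL_IN_DENY_FIRST = [NaclRule(90, "tcp", 443, 443, "deny"),            # lower number wins
                      NaclRule(100, "all", 0, 65535, "allow")]
SG_ICMP_ONLY = [("icmp", 0, 65535)]
SG_ICMP_HTTPS = [("icmp", 0, 65535), ("tcp", 443, 443)]

if __name__ == "__main__":
    print("SG lacks 443       :", diagnose(NACL_ALLOW_ALL, NACL_ALLOW_ALL, SG_ICMP_ONLY))
    print("NACL out lacks eph :", diagnose(NACL_ALLOW_ALL, NACL_OUT_SERVICE_PORT, SG_ICMP_HTTPS))
    print("NACL deny ordered  :", diagnose(NACL_IN_DENY_FIRST, NACL_ALLOW_ALL, SG_ICMP_HTTPS))
    print("fixed              :", diagnose(NACL_ALLOW_ALL, NACL_OUT_EPHEMERAL, SG_ICMP_HTTPS))
```

The second rule set is the one that bites in real deployments: ping still works because ICMP has no ports, so the missing ephemeral range only shows up for TCP.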
A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network engineer needs to ensure that traffic between VPC A and VPC B follows a specific path through a Network Virtual Appliance (NVA) in VPC C. Which TWO actions should the engineer take?
- A
Associate VPC A's and VPC B's route tables with a different Transit Gateway route table that has a default route pointing to the VPC C attachment.
Why wrong (per the key): a default route toward VPC C sends all traffic from VPC A and VPC B, including on-premises and internet-bound flows, through the appliance, not only the A-to-B path the question asks for. (This is nonetheless the usual "inspection route table" pattern when everything is meant to be inspected.)
- B
Add a static route in the Transit Gateway route table for VPC A's CIDR pointing to the VPC B attachment with a blackhole.
As written this option mixes two things, since a blackhole route has no target attachment. The intent is to remove the direct path inside the Transit Gateway: either blackhole VPC B's CIDR in the table VPC A uses or, better, override it with a static route toward VPC C (for the same prefix a static route wins over a propagated one). A blackhole on its own simply breaks A-to-B; it only makes sense together with the route toward VPC C in D.
- C
Enable route propagation for VPC A and VPC B attachments in the same Transit Gateway route table.
Why wrong: Propagation would automatically add routes, potentially allowing direct communication.
- D
Add a specific route for VPC B's CIDR in the Transit Gateway route table used by VPC A, pointing to the VPC C attachment.
This sends VPC A's traffic for VPC B to the appliance in VPC C. Two more things are needed in practice: the table that VPC B's attachment uses must route VPC A's CIDR to VPC C as well, otherwise the return path bypasses the appliance and a stateful NVA drops the flow; and VPC C's attachment needs its own route table with routes back to VPC A and VPC B.
- E
Create a VPC peering connection between VPC A and VPC B.
Why wrong: VPC peering would allow direct connectivity, bypassing the NVA.
A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?
- A
Deploy a NAT Gateway in each VPC to force symmetric traffic.
Why wrong: NAT Gateways do not control routing between VPCs and on-premises.
- B
Use AS_PATH prepending on the BGP advertisements from the on-premises router to influence route preference.
AS_PATH prepending on the advertisements over the path that should not be used makes it less preferred, so AWS returns traffic over one consistent path. Two caveats: prepending only breaks ties between paths of the same type (two VPN tunnels, or two Direct Connect VIFs), because AWS always prefers Direct Connect over VPN regardless of AS_PATH; and the on-premises routers must apply a matching preference (for example local preference) for the forward direction, or the asymmetry simply moves.
- C
Create a Transit Gateway peering attachment between the two VPCs.
Why wrong: Peering attachments connect Transit Gateways, not VPCs directly, and do not resolve asymmetric routing.
- D
Enable VPC Flow Logs to detect and alert on asymmetric flows.
Why wrong: Flow Logs are monitoring tools, not routing controls.
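The path-selection order that AS_PATH prepending manipulates, as an added Python model (example code, not from the page; AS 65001 and the link names are constructed). It applies the order AWS documents for a virtual private gateway: Direct Connect BGP routes before static VPN routes before BGP VPN routes, then shortest AS_PATH, then lowest MED; a Transit Gateway applies the same Direct Connect-over-VPN preference and, with ECMP enabled, spreads flows across paths that tie. Two VPN paths with identical attributes tie, which is the asymmetry; prepending on the backup breaks the tie, and prepending on a Direct Connect path does not demote it below a VPN:

```python
"""Model of the order AWS applies when several BGP paths offer the same prefix to a
virtual private gateway: Direct Connect over static VPN over BGP VPN, then shortest
AS_PATH, then lowest MED. Shows why AS_PATH prepending on one VPN path removes the
tie that lets return traffic take either path. AS numbers and names are constructed."""
from dataclasses import dataclass

KIND_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}   # lower rank wins


@dataclass(frozen=True)
class Path:
    name: str
    kind: str        # key of KIND_RANK
    as_path: tuple   # leftmost AS is the neighbour that sent the route
    med: int = 0


def prepend(path, times):
    """Prepend the advertising AS `times` extra times, as the on-premises router would."""
    return Path(path.name, path.kind, (path.as_path[0],) * times + path.as_path, path.med)


def preference(path):
    """Sort key in AWS order: route type, then AS_PATH length, then MED."""
    return (KIND_RANK[path.kind], len(path.as_path), path.med)


def best_paths(paths):
    """All paths tied for best. More than one means equal cost: with ECMP the gateway
    may use any of them per flow, which is how return traffic ends up on a different
    link from the request."""
    top = min(preference(p) for p in paths)
    return [p for p in paths if preference(p) == top]


def returns_on(paths):
    """Names of the links AWS may use for traffic back to the on-premises prefix."""
    return sorted(p.name for p in best_paths(paths))


if __name__ == "__main__":
    primary = Path("vpn-primary", "vpn_bgp", (65001,))
    backup = Path("vpn-backup", "vpn_bgp", (65001,))
    print(returns_on([primary, backup]))                 # both links: asymmetry possible
    print(returns_on([primary, prepend(backup, 3)]))     # primary only
    dx = Path("dx-vif", "dx_bgp", (65001,))
    print(returns_on([prepend(dx, 5), primary]))         # Direct Connect still wins
```

The model only covers the AWS-to-on-premises direction, which is the one AS_PATH prepending shapes; the on-premises side chooses the forward path with its own policy.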
A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team observes that traffic between two VPCs (VPC A and VPC B) is not being forwarded correctly. The transit gateway route table is configured with static routes for the VPC CIDRs. Which THREE steps should the engineer take to troubleshoot this issue? (Choose THREE.)
- A
Verify that the transit gateway route table contains the CIDR blocks of both VPCs.
The table must hold a route for each VPC's CIDR whose target is the correct attachment and is not a blackhole; look in the table associated with the source attachment, since a route in any other table does nothing for it.
- B
Check the route tables in VPC A and VPC B to ensure they have routes pointing to the transit gateway for the other VPC's CIDR.
Each VPC needs a route for the other VPC's CIDR with the transit gateway as target, in the route table associated with the instances' subnets; a route that exists only in the main table does not help explicitly associated subnets.
- C
Check the association of the VPC attachments with the transit gateway route table.
An attachment is associated with exactly one route table and only that table is consulted for its traffic; propagation into a table is separate from association and does not make the attachment use that table.
- D
Check the Direct Connect virtual interface status.
Why wrong: Direct Connect is for on-premises connectivity, not VPC-to-VPC communication.
- E
Verify that the NAT Gateway in each VPC is properly configured.
Why wrong: NAT Gateways are for outbound internet traffic, not VPC-to-VPC routing.
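The route-table mechanics behind the NVA-steering question above (associations, static routes overriding propagated ones, blackholes) and the three troubleshooting checks in this question, as one added Python model (example code, not from the page or from any AWS SDK; the attachment IDs att-a/att-b/att-c, the 10.x CIDRs and the rt-spokes/rt-inspection tables are constructed). trace() follows a packet through the VPC route table, the attachment's single associated Transit Gateway route table and the chosen route, and reports which check failed; inspected_both_ways() confirms A-to-B and B-to-A both cross the inspection VPC, which a stateful appliance requires. The four build() modes show a default route toward the appliance, a flat table where propagated routes bypass it, static overrides that win over propagated routes, and a blackhole:

```python
"""Model of Transit Gateway routing: route-table associations, static vs propagated
routes, blackholes, and a flow trace that checks traffic between two spoke VPCs
crosses an inspection VPC in both directions. IDs and CIDRs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TgwRoute:
    prefix: str
    attachment: str = None      # None = blackhole route: matching traffic is dropped
    propagated: bool = False    # True = learned from the attachment, False = static


@dataclass
class TgwRouteTable:
    name: str
    associations: set = field(default_factory=set)  # attachments whose traffic uses this table
    routes: list = field(default_factory=list)


@dataclass
class Vpc:
    name: str
    attachment: str
    cidr: str
    routes: dict = field(default_factory=dict)      # VPC route table: prefix -> "local" | "tgw"


def tgw_lookup(tables, src_attachment, dst):
    """Pick the table associated with the ingress attachment (exactly one is allowed),
    then longest prefix; on a tie a static route beats a propagated one."""
    owned = [t for t in tables if src_attachment in t.associations]
    if len(owned) != 1:
        return None, None
    table = owned[0]
    addr = ip_address(dst)
    matches = [r for r in table.routes if addr in ip_network(r.prefix)]
    if not matches:
        return table.name, None
    best = max(matches, key=lambda r: (ip_network(r.prefix).prefixlen, not r.propagated))
    return table.name, best


def trace(vpcs, tables, src_name, dst_ip, max_hops=6):
    """Follow a packet VPC -> TGW -> VPC ... until it reaches the VPC owning dst_ip.
    Returns (list of VPC hops, status); a status other than "delivered" names the failing check."""
    addr = ip_address(dst_ip)
    owner = next((v for v in vpcs if addr in ip_network(v.cidr)), None)
    current = next(v for v in vpcs if v.name == src_name)
    hops = [current.name]
    for _ in range(max_hops):
        if owner is not None and current.name == owner.name:
            return hops, "delivered"
        # Check 1: the VPC route table must hand the destination to the transit gateway.
        vpc_matches = [p for p in current.routes if addr in ip_network(p)]
        if not vpc_matches or current.routes[max(vpc_matches, key=lambda p: ip_network(p).prefixlen)] != "tgw":
            return hops, f"no VPC route to tgw for {dst_ip} in {current.name}"
        # Check 2: the attachment must be associated with exactly one TGW route table.
        table, route = tgw_lookup(tables, current.attachment, dst_ip)
        if table is None:
            return hops, f"{current.attachment} has no (or more than one) route table association"
        # Check 3: that table must hold a usable route for the destination.
        if route is None:
            return hops, f"no route for {dst_ip} in {table}"
        if route.attachment is None:
            return hops, f"blackhole for {dst_ip} in {table}"
        current = next(v for v in vpcs if v.attachment == route.attachment)
        hops.append(current.name)
    return hops, "routing loop"


def build(mode):
    """Constructed topology: spokes vpc-a/vpc-b and inspection VPC vpc-c on one TGW."""
    mk = lambda n, att, cidr: Vpc(n, att, cidr, {cidr: "local", "10.0.0.0/8": "tgw"})
    vpcs = [mk("vpc-a", "att-a", "10.1.0.0/16"), mk("vpc-b", "att-b", "10.2.0.0/16"),
            mk("vpc-c", "att-c", "10.9.0.0/16")]
    learned = [TgwRoute("10.1.0.0/16", "att-a", True), TgwRoute("10.2.0.0/16", "att-b", True)]
    inspection_rt = TgwRouteTable("rt-inspection", {"att-c"}, list(learned))
    spoke_rt = TgwRouteTable("rt-spokes", {"att-a", "att-b"})
    if mode == "inspection":      # spokes only know a default toward the appliance
        spoke_rt.routes = [TgwRoute("0.0.0.0/0", "att-c")]
    elif mode == "flat":          # propagation into the spoke table: direct A<->B bypasses vpc-c
        spoke_rt.routes = learned + [TgwRoute("0.0.0.0/0", "att-c")]
    elif mode == "override":      # static routes for the spoke CIDRs win over the propagated ones
        spoke_rt.routes = learned + [TgwRoute("10.1.0.0/16", "att-c"), TgwRoute("10.2.0.0/16", "att-c")]
    elif mode == "blackhole":     # static blackhole beats the propagated route and drops A->B
        spoke_rt.routes = learned + [TgwRoute("10.2.0.0/16", None)]
    return vpcs, [spoke_rt, inspection_rt]


def inspected_both_ways(vpcs, tables):
    """True when A->B and B->A are both delivered and both pass through vpc-c
    (a stateful appliance needs to see both directions of every flow)."""
    fwd, s1 = trace(vpcs, tables, "vpc-a", "10.2.0.10")
    rev, s2 = trace(vpcs, tables, "vpc-b", "10.1.0.10")
    return s1 == s2 == "delivered" and "vpc-c" in fwd and "vpc-c" in rev


if __name__ == "__main__":
    for mode in ("inspection", "flat", "override", "blackhole"):
        v, t = build(mode)
        print(mode, trace(v, t, "vpc-a", "10.2.0.10"), "inspected:", inspected_both_ways(v, t))
```

Removing an attachment's association or deleting the VPC-side route and re-running trace() reproduces the other two findings from this question, which is the order to check them in on a real Transit Gateway: VPC route table, attachment association, then the routes in that one table.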
A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?
- A
Verify that the VPN tunnel status is UP.
Why wrong: The VPN is established, so tunnels are likely up.
- B
Review the customer gateway configuration for incorrect BGP settings.
Why wrong: The customer gateway is on-premises; the question asks what to check in AWS.
- C
Ensure the virtual private gateway is attached to the correct VPC.
Why wrong: If the VPN is established, the virtual private gateway is attached.
- D
Check the VPC route tables to ensure routes to the on-premises network point to the virtual private gateway.
Inbound packets arrive at the instance through the virtual private gateway, but the instance's reply needs a route for the on-premises CIDR pointing to the virtual private gateway in the route table associated with its subnet (static, or propagated with propagation enabled); without it the reply is dropped and the flow looks broken from on-premises. Also confirm the on-premises CIDR is advertised over BGP or listed as a static route on the VPN connection, and that the security group and NACL permit the traffic.
A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. Network engineers report intermittent connectivity issues between VPC A and the on-premises network. The transit gateway route table shows the on-premises CIDR (10.0.0.0/8) propagated from the VPN attachment. VPC A has a subnet route pointing to the transit gateway for 10.0.0.0/8. Which step should the engineer take FIRST to diagnose the issue?
- A
Verify that the VPN tunnel status shows as UP on both sides.
Why wrong: While tunnel status is important, the issue could be due to route propagation or association problems, not tunnel status alone.
- B
Enable VPC Flow Logs on VPC A to verify traffic reaching the transit gateway.
Why wrong: VPC Flow Logs capture traffic at the VPC's network interfaces, not inside the transit gateway, so they do not show which attachment the transit gateway chose. Transit Gateway Flow Logs exist, but they are a later step once the route table itself has been confirmed.
- C
In the transit gateway route table, verify that the VPN attachment is correctly associated and that the 10.0.0.0/8 route is propagated and has the correct attachment.
This directly checks whether the transit gateway forwards the on-premises CIDR to the VPN attachment: the VPN attachment must be associated with a route table, the 10.0.0.0/8 route must resolve to that attachment and not be a blackhole, and the route table VPC A's attachment uses must contain it (aws ec2 search-transit-gateway-routes, or Route Analyzer in Network Manager, answers all three). If the table is correct, intermittent loss usually points at one of the two tunnels flapping while ECMP or failover moves flows between them, so per-tunnel status is the next check.
- D
Check the security group rules on the EC2 instances in VPC A for outbound traffic.
Why wrong: Security groups control inbound/outbound traffic to instances, but the issue is about network routing through the transit gateway.
A global e-commerce company is migrating to AWS and plans to use a hub-and-spoke topology with AWS Transit Gateway. The network team wants to ensure high availability for the connection between the hub VPC and the on-premises data center using AWS Direct Connect with multiple virtual interfaces (VIFs). They need to be able to fail over quickly with minimal packet loss. Which design should meet these requirements?
- A
Provision one Direct Connect connection with a single private VIF, and enable BFD on the VIF to detect failures quickly.
Why wrong: A single VIF on a single connection is a single point of failure. BFD (enabled on the AWS side by default; the customer router must enable it too) brings failure detection down to under a second but adds no alternate path to fail over to.
- B
Provision one Direct Connect connection with two private VIFs, and use a second Direct Connect connection as backup with a single VIF. Configure route tables to prefer the primary.
Why wrong: The primary connection (and its Direct Connect location) is still a single point of failure, failover is active/standby driven by route preference rather than ECMP, and the backup's single VIF carries nothing until a failure.
- C
Provision two Direct Connect connections, each with multiple private VIFs, and attach them to the same transit gateway. Use BFD to detect failures and rely on ECMP routing across the VIFs.
This provides active-active connectivity: BFD detects a dead link in under a second, BGP withdraws the routes, and ECMP has been spreading flows across the surviving paths all along, so failover loses only the packets in flight. Note that private VIFs terminate on a virtual private gateway (directly or through a Direct Connect gateway); a Transit Gateway is reached from Direct Connect through a transit VIF on a Direct Connect gateway. The design principle stands: two connections, ideally at two Direct Connect locations, BFD on every VIF, and ECMP across BGP paths that advertise the same prefix with equal AS_PATH.
- D
Provision two Direct Connect connections, each with a single private VIF, and use AWS Site-to-Site VPN as a backup for each.
Why wrong: Two connections help, but using Site-to-Site VPN as the backup means failover waits on tunnel and BGP timers and then drops to VPN tunnel bandwidth; ECMP across Direct Connect paths fails over faster and loses less.
A company is experiencing intermittent connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS regions. VPC A has CIDR 10.0.0.0/16 and VPC B has CIDR 10.1.0.0/16. The route tables in both VPCs have been updated to include routes pointing to the peering connection. Security groups and network ACLs are configured to allow all traffic for testing. However, traffic from VPC A to VPC B fails intermittently. Which of the following is the most likely cause of this intermittent failure?
- A
The security group rules in VPC A are not allowing inbound traffic from VPC B's CIDR. The security group must reference the VPC B CIDR explicitly.
Why wrong: The scenario states security groups allow all traffic.
- B
The route tables in both VPCs must include explicit routes for each other's CIDR blocks, but they should also include routes to the internet gateway for proper routing.
Why wrong: Internet gateway routes are not required for VPC peering.
- C
The VPCs are in different regions, and cross-region VPC peering is not supported. A transit gateway must be used instead.
Why wrong: Cross-region VPC peering is supported.
- D
The VPC peering connection does not support transitive routing. If any traffic is being routed through an intermediate device (e.g., a NAT instance or a VPN connection), the peering connection will not forward that traffic.
VPC peering does not support transitive routing; if some flows are steered through an intermediate device (a NAT instance, a proxy, a VPN) while others go direct, only the direct ones succeed, which looks intermittent. Before settling on this, check that the peering route is in the route table associated with each subnet involved (not only the main table), that packets are at most 1500 bytes (inter-Region peering does not carry jumbo frames, so large packets with DF set are dropped), and that rules reference CIDRs rather than security group IDs, which cannot be referenced across Regions.
A network engineer is troubleshooting a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is up, but traffic is not flowing from the on-premises network to a VPC. The VPC has a virtual private gateway attached, and the route table has a route pointing to the virtual private gateway for the on-premises CIDR (192.168.0.0/16). The on-premises firewall shows that traffic is being sent to the VPN tunnel. What should the engineer check next?
- A
Verify that the virtual private gateway is attached to the VPC.
Why wrong: It is already attached as stated.
- B
Verify that the on-premises route table has a route to the VPC CIDR via the VPN tunnel.
The on-premises side must route the VPC CIDR into the tunnel and the VPC's replies must be able to get back. Check the on-premises route for the VPC CIDR, and confirm that 192.168.0.0/16 is advertised over BGP or listed as a static route on the VPN connection, because AWS does not forward traffic for a prefix it has not learned. After that, check the security groups and NACLs on the target instances.
- C
Verify that the on-premises firewall is not blocking UDP port 500 for IKE.
Why wrong: If the tunnel is up, IKE over UDP 500 (and UDP 4500 with NAT traversal) has already negotiated successfully.
- D
Verify that the VPN tunnel's pre-shared key matches on both sides.
Why wrong: If the tunnel is up, the pre-shared key is correct.
Arrange the steps to configure an AWS Transit Gateway with attachments to multiple VPCs:
Order the steps to set up a Network Load Balancer with a TCP listener in front of an Auto Scaling group: