Question 765 of 1,705
Network DesigneasyMultiple ChoiceObjective-mapped

Quick Answer

The best way to avoid IP address overlap when connecting a VPC to an on-premises network via VPN is to use a different RFC 1918 CIDR block for the VPC, such as 172.16.0.0/12 or 192.168.0.0/16, rather than reusing the 10.0.0.0/8 space. This is critical because overlapping IP ranges prevent proper route propagation in the VPN tunnel, leading to asymmetric routing or complete connectivity failures, as both sides would claim the same addresses. On the AWS Certified Advanced Networking Specialty ANS-C01 exam, this scenario tests your understanding of VPC CIDR design principles and the pitfalls of overlapping private IPs, often appearing as a trap where candidates consider NAT as a simpler fix. While NAT can technically resolve overlap, it adds operational complexity and is not the best design choice when a non-overlapping private range is available. Memory tip: "Don't double-dip the 10—pick a different private strip."

ANS-C01 Network Design Practice Question

This ANS-C01 practice question tests your understanding of network design. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company is designing a network for a new VPC. They want to ensure that the VPC can connect to an on-premises data center via a site-to-site VPN. The on-premises network uses a CIDR block of 10.0.0.0/8. The VPC will use a CIDR block of 10.0.0.0/16. The network engineer is concerned about overlapping IP addresses. What is the best way to avoid IP address overlap?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Question 1easymultiple choice
Read the full VPN explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use a different RFC 1918 CIDR block for the VPC

Option B is correct because using a different RFC 1918 CIDR block (e.g., 172.16.0.0/12 or 192.168.0.0/16) for the VPC completely avoids IP address overlap with the on-premises 10.0.0.0/8 network. Overlapping CIDR blocks (both using 10.0.0.0/8) would prevent successful route propagation and cause asymmetric routing or connectivity failures in the site-to-site VPN. NAT can mitigate overlap but adds complexity and is not the 'best' design choice when a non-overlapping private range is available.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use the same CIDR block and rely on NAT

    Why it's wrong here

    Overlap will cause routing issues.

  • Use a different RFC 1918 CIDR block for the VPC

    Why this is correct

    Avoids overlap.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use a smaller subnet within the same 10.0.0.0/8 range

    Why it's wrong here

    Still overlaps.

  • Use a public IP range for the VPC

    Why it's wrong here

    Public IPs are not recommended for private VPCs.

Common exam traps

Common exam trap: answer the scenario, not the keyword

AWS often tests the misconception that NAT can always solve IP overlap issues, but the best practice is to design non-overlapping private IP spaces from the start to avoid complexity and routing failures.

Detailed technical explanation

How to think about this question

Under the hood, AWS site-to-site VPN uses BGP dynamic routing or static routes; overlapping CIDRs cause the VPN connection to reject or ignore routes that conflict with the VPC's main route table, leading to unreachable destinations. In a real-world scenario, if both sides use 10.0.0.0/8, traffic destined for the VPC's 10.0.1.0/24 might be sent to the on-premises network instead, breaking connectivity. AWS recommends using unique RFC 1918 ranges per VPC and on-premises to ensure proper route propagation and avoid NAT overhead.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related ANS-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free ANS-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this ANS-C01 question test?

Network Design — This question tests Network Design — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Use a different RFC 1918 CIDR block for the VPC — Option B is correct because using a different RFC 1918 CIDR block (e.g., 172.16.0.0/12 or 192.168.0.0/16) for the VPC completely avoids IP address overlap with the on-premises 10.0.0.0/8 network. Overlapping CIDR blocks (both using 10.0.0.0/8) would prevent successful route propagation and cause asymmetric routing or connectivity failures in the site-to-site VPN. NAT can mitigate overlap but adds complexity and is not the 'best' design choice when a non-overlapping private range is available.

What should I do if I get this ANS-C01 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More ANS-C01 practice questions

Last reviewed: Jun 30, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.