Question 1,598 of 1,705
Network DesignhardMultiple ChoiceObjective-mapped

Quick Answer

The correct design is to route all internet traffic through a centralized inspection VPC using Transit Gateway. This approach works because Transit Gateway acts as a hub, allowing you to attach multiple VPCs and route all outbound traffic from your application VPCs to a dedicated inspection VPC, where a firewall—such as AWS Network Firewall or a third-party appliance—inspects every packet before forwarding it to an Internet Gateway. This enforces a single, centralized egress point, ensuring no traffic bypasses security controls. On the AWS Certified Advanced Networking Specialty ANS-C01 exam, this scenario tests your understanding of Transit Gateway route tables and how to propagate routes to force traffic through a centralized inspection architecture. A common trap is assuming a simple VPC peering or a single VPC with a NAT Gateway suffices, but those lack centralized inspection for all subnets. Memory tip: think “Transit Gateway as the traffic cop” — it directs all outbound flows to the inspection VPC before they reach the internet.

ANS-C01 Network Design Practice Question

This ANS-C01 practice question tests your understanding of network design. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company has a VPC with multiple subnets. The security team requires that all outbound traffic from the VPC to the internet goes through a centralized firewall. Which design should be used?

Question 1hardmultiple choice
Review the full subnetting walkthrough →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Route all internet traffic through a centralized inspection VPC using Transit Gateway.

Option A is correct because it uses a Transit Gateway to route all outbound internet traffic from the VPC to a centralized inspection VPC, where a firewall (e.g., AWS Network Firewall or a third-party appliance) inspects and forwards traffic to an Internet Gateway. This design meets the security requirement by enforcing a single egress point, ensuring all traffic is inspected before reaching the internet.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Route all internet traffic through a centralized inspection VPC using Transit Gateway.

    Why this is correct

    Enforces centralized firewall.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Attach an Internet Gateway to each VPC.

    Why it's wrong here

    No central inspection.

  • Use AWS Site-to-Site VPN to a third-party firewall.

    Why it's wrong here

    Not for internet egress.

  • Use VPC Endpoints for all services.

    Why it's wrong here

    Not for internet.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume an Internet Gateway is required for internet access and overlook the need for centralized inspection, leading them to choose Option B without considering the security constraint.

Detailed technical explanation

How to think about this question

A Transit Gateway enables transitive routing between VPCs and on-premises networks, allowing you to create a hub-and-spoke architecture. In this design, the inspection VPC acts as the hub with a firewall (e.g., AWS Network Firewall or a third-party appliance) that performs stateful inspection, and the spoke VPCs route 0.0.0.0/0 traffic to the Transit Gateway attachment. The firewall must be configured to handle asymmetric routing and NAT if needed, and the Transit Gateway route tables must propagate the default route to the inspection VPC.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related ANS-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free ANS-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this ANS-C01 question test?

Network Design — This question tests Network Design — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Route all internet traffic through a centralized inspection VPC using Transit Gateway. — Option A is correct because it uses a Transit Gateway to route all outbound internet traffic from the VPC to a centralized inspection VPC, where a firewall (e.g., AWS Network Firewall or a third-party appliance) inspects and forwards traffic to an Internet Gateway. This design meets the security requirement by enforcing a single egress point, ensuring all traffic is inspected before reaching the internet.

What should I do if I get this ANS-C01 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

1 more ways this is tested on ANS-C01

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company has a VPC with multiple subnets. The security team requires that all outbound traffic from the VPC to the internet must traverse a centralized inspection appliance for traffic inspection. Which architecture should be used?

hard
  • A.Use VPC Peering between all VPCs
  • B.Configure a NAT Gateway in each Availability Zone
  • C.Use Transit Gateway with VPC attached and route traffic through a shared services VPC containing the inspection appliance
  • D.Use AWS Direct Connect to route traffic on-premises

Why C: Option C is correct because a Transit Gateway with a shared services VPC architecture allows centralized inspection of all outbound internet traffic. By attaching the VPCs to a Transit Gateway and routing traffic through a shared services VPC that hosts the inspection appliance (e.g., a firewall or proxy), you can enforce security policies. The Transit Gateway acts as a hub, enabling transitive routing between VPCs while directing internet-bound traffic to the inspection appliance before it reaches an internet gateway or NAT gateway.

Keep practising

More ANS-C01 practice questions

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.