Scenario-based practice

Refer to the Exhibit Practice Questions

Practise AWS Certified Advanced Networking Specialty (ANS-C01) questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

13 scenario questions | Exam code: ANS-C01 | Vendor: Amazon Web Services

Scenario guide

How to approach refer-to-the-exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

Question 2 (hard, multiple choice)

A global e-commerce company is migrating to AWS and plans to use a hub-and-spoke topology with AWS Transit Gateway. The network team wants to ensure high availability for the connection between the hub VPC and the on-premises data center using AWS Direct Connect with multiple virtual interfaces (VIFs). They need to be able to fail over quickly with minimal packet loss. Which design should meet these requirements?

Question 3 (medium, multiple choice)

A network engineer is troubleshooting an issue where an AWS Lambda function cannot create an Elastic Network Interface (ENI) in a VPC. The function has the IAM policy shown in the exhibit. Which statement explains why the function is failing?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVpc",
      "Resource": "*"
    }
  ]
}
```

Question 4 (hard, multiple choice)

An administrator needs to create an interface VPC endpoint for Amazon S3 in a VPC and attach an elastic network interface (ENI) to an EC2 instance. The administrator applies the IAM policy shown in the exhibit. Which action will be DENIED by this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeVpcEndpoints",
        "ec2:ModifyVpcEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
```

Question 5 (hard, multiple choice)

Refer to the exhibit. A network engineer has this IAM policy attached to their user. They attempt to create a VPC peering connection between VPC A (in account 123456789012) and VPC B (in account 210987654321). The request fails. Which additional permission is required?

Exhibit

Refer to the exhibit.

IAM policy JSON:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection"
      ],
      "Resource": "*"
    }
  ]
}
```

Question 6 (hard, multiple choice)

Refer to the exhibit. An EC2 instance launched in subnet-1a is unable to access the internet. Which is the most likely cause?

Exhibit

Refer to the exhibit.

AWS CLI output:

```
{
    "Vpc": {
        "VpcId": "vpc-0123456789abcdef0",
        "CidrBlock": "10.0.0.0/16",
        "Ipv6CidrBlock": "2001:db8:1234:1a00::/56",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true
    },
    "Subnets": [
        {
            "SubnetId": "subnet-1a",
            "CidrBlock": "10.0.1.0/24",
            "AvailabilityZone": "us-east-1a",
            "MapPublicIpOnLaunch": false
        },
        {
            "SubnetId": "subnet-2a",
            "CidrBlock": "10.0.2.0/24",
            "AvailabilityZone": "us-east-1a",
            "MapPublicIpOnLaunch": true
        }
    ],
    "RouteTables": [
        {
            "RouteTableId": "rtb-main",
            "Associations": [{"SubnetId": "subnet-1a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "Target": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "Target": "igw-12345"}
            ]
        },
        {
            "RouteTableId": "rtb-custom",
            "Associations": [{"SubnetId": "subnet-2a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "Target": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "Target": "igw-12345"}
            ]
        }
    ]
}
```

Question 7 (medium, multiple choice)

Refer to the exhibit. An EC2 instance in the PrivateSubnet is unable to download patches from the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:

```
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: false
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  PrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt ElasticIP.AllocationId
      SubnetId: !Ref PublicSubnet
  ElasticIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
```

Question 8 (easy, multiple choice)

Based on the output, which of the following is true?

Exhibit

Refer to the exhibit. The following is an AWS CLI command output:

```
{
    "DirectConnectGateway": {
        "directConnectGatewayId": "dxgw-1234567890abcdef0",
        "directConnectGatewayName": "My-DXGW",
        "amazonSideAsn": 64512,
        "ownerAccount": "123456789012",
        "state": "available"
    }
}
```

Question 9 (easy, multiple choice)

A network engineer runs the AWS CLI command shown in the exhibit. The VPC has an Amazon Route 53 private hosted zone associated. What is the impact of this setting?

Network Topology

Refer to the exhibit.

```
$ aws ec2 describe-vpc-attribute --vpc-id vpc-12345678 --attribute enableDnsSupport
{
    "VpcId": "vpc-12345678",
    "EnableDnsSupport": {
        "Value": false
    }
}
```

Question 10 (medium, multi select)

Which TWO of the following are valid methods to connect multiple VPCs together in a hub-and-spoke topology while maintaining centralized control? (Choose two.)

Question 11 (hard, multiple choice)

Refer to the exhibit. A subnet is created in VPC vpc-abcde but no explicit route table association is set. What is the default route for internet-bound traffic from this subnet?

Exhibit

Refer to the exhibit.

AWS CLI output:

```
{
    "RouteTables": [
        {
            "Associations": [
                {
                    "Main": true,
                    "RouteTableId": "rtb-12345",
                    "SubnetId": null
                }
            ],
            "Routes": [
                {
                    "DestinationCidrBlock": "10.0.0.0/16",
                    "GatewayId": "local",
                    "Origin": "CreateRouteTable",
                    "State": "active"
                },
                {
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "NatGatewayId": "nat-67890",
                    "Origin": "CreateRoute",
                    "State": "active"
                }
            ],
            "RouteTableId": "rtb-12345",
            "VpcId": "vpc-abcde"
        }
    ]
}
```

Question 12 (medium, multiple choice)

Refer to the exhibit. After deploying this CloudFormation stack, the VPC is attached to the transit gateway. However, routes are not being propagated to the transit gateway route table. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:

```
Resources:
  MyTransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      AutoAcceptSharedAttachments: disable
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      DnsSupport: enable
      VpnEcmpSupport: enable
  MyVpcAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      SubnetIds:
        - subnet-abc
        - subnet-def
      TransitGatewayId: !Ref MyTransitGateway
      VpcId: vpc-12345
```

Question 13 (medium, multiple choice)

Refer to the exhibit. A VPC endpoint for S3 is created as a Gateway endpoint. The route tables rtb-11111111 and rtb-22222222 are associated with the endpoint. An EC2 instance in a subnet associated with rtb-11111111 cannot access S3 via the endpoint. What is the most likely cause?

Network Topology

Refer to the exhibit.

```
$ aws ec2 describe-vpc-endpoints --region us-east-1
{
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0a1b2c3d4e5f67890",
            "VpcId": "vpc-12345678",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "VpcEndpointType": "Gateway",
            "State": "available",
            "RouteTableIds": ["rtb-11111111", "rtb-22222222"],
            "PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}"
        }
    ]
}
```

These ANS-C01 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style ANS-C01 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.