ANS-C01 · topic practice

Network Design practice questions

Use this page to practise Network Design questions for this certification. Focus on how the exam tests network design in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Network Design

What the exam tests

What to know about Network Design

Network Design questions on this certification test your ability to deploy and manage network design concepts in scenario-based situations.

  • Core Network Design concepts and how they apply in real-world cloud scenarios.
  • How to deploy network design correctly and verify the outcome.
  • Troubleshooting network design issues by interpreting error output and system state.
  • Cloud best practices and the Network Design trade-offs tested by this certification.

Watch out for

Common Network Design exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Network Design questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company is migrating its on-premises data center to AWS. The network team needs to establish connectivity between the on-premises network and multiple VPCs in a single AWS Region. The company has a Direct Connect connection and wants to minimize latency and cost while maximizing bandwidth utilization. Which solution meets these requirements?

Question 2 · hard · multiple choice

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

Question 3

A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?

Question 4

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs in the same AWS Region. The company wants to use AWS Transit Gateway to simplify connectivity between these VPCs and their on-premises network. Which steps are required to integrate the existing Direct Connect connection with Transit Gateway?

Question 5 · medium · multiple choice

A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?

Question 6

A company is designing a hybrid network using AWS Transit Gateway. The company has three VPCs (VPC-A, VPC-B, VPC-C) all attached to the same Transit Gateway. The on-premises network connects to the Transit Gateway via a Direct Connect gateway. The company needs to ensure that VPC-C can communicate with the on-premises network but not with VPC-A or VPC-B. Which TWO actions should the network engineer take?

Question 7 · medium · multi select

A company is deploying a new application in a VPC. The application consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB must only receive traffic from the company's on-premises network via an AWS Site-to-Site VPN. Which THREE steps should the network engineer take to meet this requirement?

Question 8 · medium · multiple choice

Exhibit

Refer to the exhibit.

```
Tunnel1:
  State: UP
  Last Status Change: 2024-03-15 10:23:45 UTC
  Details: Tunnel is in UP state with BGP established.
Tunnel2:
  State: DOWN
  Last Status Change: 2024-03-15 10:25:12 UTC
  Details: Tunnel is in DOWN state due to phase 2 negotiation failure.
```

A network engineer has configured an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer checks the VPN status and sees the output above. What is the MOST likely cause of Tunnel2 being down?


Question 9 · hard · multiple choice

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "route53resolver:AssociateResolverRule",
        "route53resolver:DisassociateResolverRule"
      ],
      "Resource": "*"
    }
  ]
}
```

A network engineer is setting up a cross-account Route 53 Resolver rule association. The engineer creates the above resource-based policy on a resolver rule in account 111111111111. The engineer then tries to associate the rule from account 222222222222 but receives an access denied error. What is the MOST likely reason for the failure?

Question 10 · medium · multiple choice

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer in the public subnets distributes traffic to EC2 instances in the private subnets. The security group for the EC2 instances allows inbound traffic from the ALB security group. Users report intermittent timeouts. What is the most likely cause?

Question 11 · easy · multiple choice

A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?

Question 12 · hard · multiple choice

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway attached. The on-premises network advertises a specific route 10.0.0.0/16, but the VPC uses the same CIDR 10.0.0.0/16. The company requires connectivity to the VPC from on-premises but cannot change the VPC CIDR. What is the most cost-effective solution?

Question 13 · medium · multiple choice

A company's VPC has an internet gateway and a NAT Gateway in a public subnet. The private subnet route table has a default route pointing to the NAT Gateway. EC2 instances in the private subnet can access the internet, but cannot access an on-premises network connected via AWS Site-to-Site VPN. What is the most likely cause?

Question 14 · easy · multiple choice

A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?

Question 15 · medium · multi select

A company has a VPC with an internet gateway and a NAT Gateway. The private subnet route table has a default route to the NAT Gateway. The company wants to enable instances in the private subnet to access an S3 bucket in the same region without traversing the internet. Which TWO actions should the company take?

Question 16 · hard · multi select

A company has a Direct Connect connection with a private VIF attached to a virtual private gateway. The VPC has multiple subnets in two Availability Zones. The on-premises network advertises a default route (0.0.0.0/0) via BGP. The company wants all internet-bound traffic from the VPC to go through the on-premises network. Which THREE actions are required to achieve this?

Question 17 · hard · multiple choice

A company runs a multi-tier web application on AWS. The web servers in public subnets need to send traffic to the application servers in private subnets. The application servers must only accept traffic from the web servers. Both tiers are in the same VPC. Which design meets these requirements without introducing a single point of failure or unnecessary complexity?

Question 18 · medium · multiple choice

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and wants to minimize operational overhead. The on-premises network uses BGP to advertise routes to AWS. Which design meets these requirements?

Question 19 · easy · multiple choice

A company is designing a VPC with public and private subnets for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of route tables and security groups achieves this?

Question 20 · medium · multiple choice

A company is deploying an application that requires low-latency communication between EC2 instances in two different AWS Regions. The application traffic is latency-sensitive and the company wants to minimize jitter. Which network design provides the lowest and most consistent latency?

Frequently asked questions

What does the ANS-C01 exam test about Network Design?

Network Design questions on this certification test your ability to deploy and manage network design concepts in scenario-based situations.

How should I use these practice questions?

Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Network Design questions in a focused session?

Yes — the session launcher on this page draws every question from the Network Design domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other ANS-C01 topics?

Use the topic links above to move to related areas, or go back to the ANS-C01 question bank to see all topics.

Are these real exam questions or dumps?

These are original practice questions written to test the same concepts the ANS-C01 exam covers. They are not copied from any real exam or dump site.