ANS-C01 · topic practice

Troubleshooting practice questions

Practise AWS Certified Advanced Networking Specialty ANS-C01 Troubleshooting practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Troubleshooting

What the exam tests

What to know about Troubleshooting

Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Troubleshooting exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Troubleshooting questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multiple choice

A network engineer is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC peering connection. Both VPCs have CIDR blocks: VPC-A = 10.0.0.0/16, VPC-B = 10.1.0.0/16. An EC2 instance in VPC-A (10.0.1.10) cannot ping an EC2 instance in VPC-B (10.1.1.10). Security groups and NACLs allow all traffic. The route tables are configured as follows: In VPC-A, a route to 10.1.0.0/16 via the peering connection. In VPC-B, a route to 10.0.0.0/16 via the peering connection. What is the most likely cause?

Question 2 · medium · multiple choice

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?

Question 3 · easy · multiple choice

A network engineer is troubleshooting a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is up, but traffic is not flowing from the on-premises network to a VPC. The VPC has a virtual private gateway attached, and the route table has a route pointing to the virtual private gateway for the on-premises CIDR (192.168.0.0/16). The on-premises firewall shows that traffic is being sent to the VPN tunnel. What should the engineer check next?

Question 4 · medium · multi select

A network engineer is troubleshooting high latency on an AWS Transit Gateway that connects multiple VPCs and an on-premises network via AWS Site-to-Site VPN. The engineer wants to identify potential causes. Which TWO actions should the engineer take? (Choose two.)

Match each AWS networking monitoring or troubleshooting tool to its primary purpose.

Capture IP traffic information for security and troubleshooting

Monitor network performance metrics like throughput and latency

Test network path between two resources and identify configuration issues

Copy network traffic for content inspection or security analysis

Trace requests through distributed applications, including network calls

Question 6 · medium · multiple choice

A company wants to monitor network traffic in their VPC for troubleshooting and security analysis. They need to capture IP traffic information, including source/destination IPs, ports, and protocol, but not the packet payload. Which AWS service should be used?

Question 7 · medium · multiple choice

A network administrator is troubleshooting connectivity to a web server in a subnet with network ACL 'acl-12345678'. The web server is on port 443. The administrator finds that traffic from IP 10.0.1.5 is being denied. Why is the traffic being denied?

Network Topology

Refer to the exhibit.

```
$ aws ec2 describe-network-acls --region us-west-2
{
  "NetworkAcls": [
    {
      "NetworkAclId": "acl-12345678",
      "VpcId": "vpc-12345678",
      "Entries": [
        {
          "RuleNumber": 100,
          "Protocol": "6",
          "RuleAction": "allow",
          "Egress": false,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": {
            "From": 443,
            "To": 443
          }
        },
        {
          "RuleNumber": 200,
          "Protocol": "-1",
          "RuleAction": "deny",
          "CidrBlock": "10.0.0.0/8",
          "PortRange": {}
        }
      ]
    }
  ]
}
```

Question 8 · medium · multiple choice

A network engineer is troubleshooting an issue where an AWS Lambda function cannot create an Elastic Network Interface (ENI) in a VPC. The function has the IAM policy shown in the exhibit. Which statement explains why the function is failing?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVpc",
      "Resource": "*"
    }
  ]
}
```

A Network Engineer is troubleshooting a cross-account VPC endpoint connection. The service provider account (123456789012) has the above IAM policy attached to the endpoint service. The consumer account (111111111111) has created a VPC endpoint (vpce-abc123) and is trying to accept the connection. The consumer receives an 'AccessDenied' error when calling ec2:AcceptVpcEndpointConnections. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVPCEConnection",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:AcceptVpcEndpointConnections",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc-endpoint/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:ec2:us-east-1:111111111111:vpc-endpoint/vpce-abc123"
        }
      }
    }
  ]
}
```

Question 10 · medium · multiple choice

A company has a VPC with multiple subnets. They want to monitor all network traffic to and from an EC2 instance for troubleshooting. Which AWS service should they use?

Question 11 · hard · multiple choice

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer notices that the BGP session is flapping intermittently. The connection is a 1 Gbps dedicated connection with a single private VIF. The router configuration uses default BGP timers. What is the most likely cause of the flapping?

Question 12 · hard · multiple choice

A network engineer is troubleshooting connectivity issues between an on-premises network and a VPC over a Direct Connect private VIF. The on-premises network can reach EC2 instances in the VPC, but cannot reach an RDS database in the same VPC. The VPC has a single subnet. What is the MOST likely cause?

Question 13 · easy · multiple choice

A network engineer is troubleshooting connectivity from an EC2 instance in a private subnet to an S3 bucket. The VPC has a VPC endpoint for S3 configured. The instance can access the internet via a NAT Gateway. Which configuration is MOST likely causing the connection to S3 to fail?

Question 14 · medium · multi select

A network engineer is troubleshooting connectivity issues between two VPCs connected via a Transit Gateway. The VPCs are in the same region and have proper route tables. Which TWO actions should the engineer perform to diagnose the problem?

Question 15 · hard · multiple choice

A company is troubleshooting high latency on an AWS Direct Connect connection. The network team notices that the latency increases during peak hours. The connection uses a single virtual interface (VIF) with a 1 Gbps capacity. What is the MOST likely cause of the latency?

Question 16 · hard · multiple choice

A network engineer is troubleshooting connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS accounts and regions. The engineer can ping the private IP of an instance in the peered VPC from one side, but not from the other. What is the most likely cause?

Question 17 · easy · multiple choice

A network engineer is troubleshooting connectivity from an on-premises network to an EC2 instance in a VPC via a Site-to-Site VPN. The VPN tunnel is up, but the engineer cannot ping the EC2 instance's private IP. What should the engineer check first?

Question 18 · easy · multiple choice

A network engineer is troubleshooting connectivity between two EC2 instances in the same VPC but different subnets. The instances can ping each other's private IP addresses, but traffic on TCP port 443 fails. What is the most likely cause?

A company is troubleshooting connectivity issues between two VPCs that are peered using an inter-region VPC peering connection. The VPCs have the following CIDR blocks: VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Which THREE of the following are possible reasons for the connectivity failure?

Question 20 · medium · multi select

A network engineer is troubleshooting connectivity between an on-premises data center and a VPC over an AWS Site-to-Site VPN. The tunnel status shows UP, but traffic from on-premises to the VPC is intermittently dropped. Which TWO of the following are likely causes? (Choose 2.)

Frequently asked questions

What does the ANS-C01 exam test about Troubleshooting?
Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Troubleshooting questions in a focused session?
Yes — the session launcher on this page draws every question from the Troubleshooting domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other ANS-C01 topics?
Use the topic links above to move to related areas, or go back to the ANS-C01 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the ANS-C01 exam covers. They are not copied from any real exam or dump site.