Network Security, Compliance and Governance · Hard · Multiple choice · Objective-mapped

Quick Answer

The correct architecture uses separate Transit Gateway route tables to force inter-VPC traffic through a centralized inspection VPC. By attaching all VPCs to a single Transit Gateway, then creating one route table for the inspection VPC attachments and another for all other VPCs, you can configure the route table for VPC A to point to VPC B’s CIDR via the inspection VPC attachment. This ensures traffic between VPCs is routed through the third-party firewall appliances, leveraging Transit Gateway’s ability to isolate routing domains while maintaining centralized inspection. On the AWS Certified Advanced Networking Specialty ANS-C01 exam, this scenario tests your understanding of Transit Gateway route tables, associations, and propagation—a common trap is assuming VPC peering or a single route table will suffice, which breaks inspection. Remember the key principle: separate route tables create a forced path through the inspection VPC, much like a network hub-and-spoke model. Memory tip: “Two tables, one path—inspect the middle, not the edge.”

ANS-C01 Network Security, Compliance and Governance Practice Question

This ANS-C01 practice question tests your understanding of network security, compliance and governance. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?

Answer choices

  • A. Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment.
  • B. Create a VPC peering connection between VPC A and VPC B, and attach firewall appliances in both VPCs.
  • C. Use AWS PrivateLink to create VPC endpoints in VPC A and VPC B, and route traffic through the firewall VPC.
  • D. Deploy AWS Network Firewall in each VPC and configure VPC route tables to send traffic to the firewall endpoint.

Correct answer & explanation

Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment.

Option A is correct because it uses separate Transit Gateway route tables to isolate the inspection VPC and other VPCs. By configuring the route table for VPC A to point to VPC B's CIDR via the inspection VPC attachment, all inter-VPC traffic is forced through the centralized firewall appliances. This leverages Transit Gateway's ability to route traffic between attachments based on route table associations and propagations, ensuring traffic flows through the inspection VPC without requiring VPC peering or additional per-VPC firewalls.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment.

    Why this is correct

    This design uses Transit Gateway route tables to force traffic through the inspection VPC.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Create a VPC peering connection between VPC A and VPC B, and attach firewall appliances in both VPCs.

    Why it's wrong here

    VPC peering does not support transitive routing; traffic would go directly.

  • Use AWS PrivateLink to create VPC endpoints in VPC A and VPC B, and route traffic through the firewall VPC.

    Why it's wrong here

    PrivateLink is for accessing services, not for routing VPC-to-VPC traffic.

  • Deploy AWS Network Firewall in each VPC and configure VPC route tables to send traffic to the firewall endpoint.

    Why it's wrong here

    This is a valid distributed inspection approach, but the firewall is deployed per VPC rather than centralized, and it does not use the Transit Gateway inspection VPC the scenario specifies.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is assuming that simply attaching all VPCs to a Transit Gateway automatically routes traffic through a centralized inspection VPC. In fact you must explicitly configure separate route tables and static routes to force traffic through the inspection VPC; otherwise the Transit Gateway uses its default route table, to which every attachment is associated and propagated by default, and routes traffic directly from attachment to attachment.

Detailed technical explanation

How to think about this question

Transit Gateway uses separate route tables to control traffic flow between attachments; by associating VPC A and VPC B with a route table that has a static route for the other VPC's CIDR pointing to the inspection VPC attachment, traffic is forced through the firewall. The inspection VPC itself must have route tables that forward traffic between its attachments (e.g., to the firewall appliances) and back, often using EC2 instances or Gateway Load Balancers for stateful inspection. In a real-world scenario, this architecture supports east-west traffic inspection while maintaining high availability by deploying multiple firewall instances across Availability Zones.
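The route-table behaviour described above, as an added Python simulation (not part of the original page and not AWS tooling): it models associations, static and propagated routes, blackhole routes and longest-prefix matching for a constructed three-attachment Transit Gateway, then traces a VPC A to VPC B packet under the exam trap (one default table), the correct two-table design, and the blackhole misconfiguration from Variation 5 below. All attachment ids and CIDRs are constructed.

```python
"""Simulate Transit Gateway route-table semantics (associations, static and
propagated routes, blackholes, longest-prefix match). Ids/CIDRs are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    cidr: str
    attachment: str = ""     # egress attachment id (unused for blackholes)
    blackhole: bool = False  # blackhole route: matching traffic is dropped

# Constructed attachments: attachment id -> VPC CIDR behind it
ATTACHMENTS = {"tgw-attach-vpc-a": "10.1.0.0/16", "tgw-attach-vpc-b": "10.2.0.0/16",
               "tgw-attach-inspection": "10.100.0.0/16"}
A, B, INSPECTION = ATTACHMENTS  # keys, in insertion order

class TransitGateway:
    def __init__(self, tables, associations):
        self.tables = tables              # table name -> list of Route
        self.associations = associations  # attachment id -> associated table name

    def lookup(self, table, dst):
        """Longest-prefix match in one TGW route table; None if nothing matches."""
        hits = [r for r in self.tables[table] if dst in ipaddress.ip_network(r.cidr)]
        return max(hits, key=lambda r: ipaddress.ip_network(r.cidr).prefixlen, default=None)

    def trace(self, src, dst_ip, max_hops=4):
        """Follow a packet hop by hop. An egress VPC that does not hold the destination
        (inspection VPC) is assumed to return the packet to the TGW on its own attachment."""
        dst = ipaddress.ip_address(dst_ip)
        path, attachment = [src], src
        for _ in range(max_hops):
            route = self.lookup(self.associations[attachment], dst)
            if route is None:
                return path, "NO_ROUTE"
            if route.blackhole:
                return path, "BLACKHOLE"
            path.append(route.attachment)
            if dst in ipaddress.ip_network(ATTACHMENTS[route.attachment]):
                return path, "DELIVERED"
            attachment = route.attachment
        return path, "LOOP"

def propagated(attachments):
    """Routes a table learns when propagation is enabled from these attachments."""
    return [Route(ATTACHMENTS[a], a) for a in attachments]

# Exam trap: one default table, all attachments associated and propagated: A -> B goes direct.
TRAP = TransitGateway({"default": propagated(ATTACHMENTS)},
                      {a: "default" for a in ATTACHMENTS})
# Correct design: spokes share a table whose static routes point at the inspection
# attachment; the inspection table learns the spoke CIDRs by propagation.
ASSOC = {A: "spokes", B: "spokes", INSPECTION: "inspection"}
INSPECTED = TransitGateway(
    {"spokes": [Route("10.1.0.0/16", INSPECTION), Route("10.2.0.0/16", INSPECTION)],
     "inspection": propagated([A, B])}, ASSOC)
# Misconfiguration from Variation 5: the spoke table blackholes the inter-VPC CIDR.
BLACKHOLED = TransitGateway(
    {"spokes": [Route("10.2.0.0/16", blackhole=True)], "inspection": propagated([A, B])}, ASSOC)
```

In a real deployment the inspection VPC's subnet route tables must also hand traffic to the firewall (or Gateway Load Balancer endpoint) and back to the Transit Gateway, and appliance mode on the inspection attachment keeps both directions of a flow in the same Availability Zone.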

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this ANS-C01 question test?

This question tests Network Security, Compliance and Governance. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is option A: Attach all VPCs to a Transit Gateway. Create separate route tables: one for inspection VPC attachments and one for others. In VPC A's route table, route to VPC B via the inspection VPC attachment. The full reasoning is given in the explanation above.

What should I do if I get this ANS-C01 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

8 more ways this is tested on ANS-C01

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized security appliance running in a security VPC. Which configuration should be used?

medium
  • A. Configure network ACLs in each VPC to deny traffic directly between VPCs.
  • B. Attach the VPCs to the Transit Gateway and configure route tables to send inter-VPC traffic to the security VPC via a blackhole route.
  • C. Create VPC peering connections between each VPC and the security VPC, then update route tables.
  • D. Use NAT gateways in each VPC to route traffic through the security VPC.

Why B: Option A is correct because Transit Gateway route tables with route propagation and blackhole routes enable inspection. Option B is wrong because VPC peering is not centralized. Option C is wrong because NAT gateways are for outbound only. Option D is wrong because Network ACLs are stateless and not designed for traffic inspection routing.

Variation 2. A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized firewall appliance in an inspection VPC. Which architecture meets this requirement?

hard
  • A. Create VPC peering connections between all VPCs and route traffic through the inspection VPC.
  • B. Deploy AWS Network Firewall in each VPC and allow traffic to flow directly between VPCs.
  • C. Attach all VPCs to a Transit Gateway and create separate route tables for inspection.
  • D. Use AWS Direct Connect Gateway to route traffic between VPCs through the inspection VPC.

Why C: Option C is correct because Transit Gateway route tables can direct traffic between VPCs through a central inspection VPC by using blackhole routes or specific associations. Option A is wrong because VPC peering does not support transitive routing and cannot enforce central inspection. Option B is wrong because Direct Connect is for on-premises connectivity and does not provide inter-VPC inspection. Option D is wrong because AWS Network Firewall can be deployed in a single VPC but it is not a requirement to use Transit Gateway with route tables to direct traffic to it.

Variation 3. A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to inspect all traffic between VPCs and on-premises using a centralized firewall appliance. Which architecture meets this requirement?

medium
  • A. Deploy AWS Network Firewall in each VPC and route all traffic through it.
  • B. Connect all VPCs to on-premises via AWS Direct Connect and inspect traffic on-premises.
  • C. Create VPC peering connections between each VPC and the firewall VPC.
  • D. Use Transit Gateway with a central inspection VPC that hosts the firewall appliance.

Why D: Option B is correct because a Transit Gateway with a centralized inspection VPC allows routing traffic through firewall appliances. Option A is wrong because VPC peering does not centralize inspection. Option C is wrong because Direct Connect alone does not provide inspection. Option D is wrong because AWS Network Firewall can be deployed in a VPC, but the question asks for architecture; inspection VPC is the best design pattern.

Variation 4. A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is inspected by a security appliance in a centralized inspection VPC. How should they configure the Transit Gateway route tables?

hard
  • A. Create a route table for the inspection VPC and add blackhole routes for all other VPCs
  • B. Use one route table with all VPC attachments and enable route propagation for all attachments
  • C. Create separate route tables for each VPC and add a static route to the inspection VPC
  • D. Associate all VPCs with a single route table that has a default route pointing to the inspection VPC attachment, and enable route propagation from the inspection VPC

Why D: Option D is correct because using separate route tables for each VPC with a blackhole route pointing to the inspection VPC is not standard; the correct approach is to have a shared route table that propagates routes and uses a static route to the inspection VPC. Option D is correct: associate all VPCs with a single route table that has a default route pointing to the inspection VPC's attachment, and enable route propagation from the inspection VPC. Option A is wrong because it does not force traffic through the inspection VPC. Option B is wrong because it only inspects traffic from one VPC. Option C is wrong because a blackhole route drops traffic.

Variation 5. A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a security requirement that all traffic between VPCs must be inspected by a third-party firewall deployed in a central inspection VPC. The Transit Gateway has route tables configured with blackhole routes for inter-VPC traffic, and the inspection VPC has the firewall. However, traffic is not being inspected; it is being dropped. What is the MOST likely cause?

hard
  • A. The inspection VPC is not propagating its routes to the Transit Gateway.
  • B. The firewall appliance is not configured to forward traffic back to the Transit Gateway.
  • C. The Transit Gateway route tables do not have static routes for the inspection VPC.
  • D. The Transit Gateway route table for inter-VPC traffic has blackhole routes instead of pointing to the inspection VPC attachment.

Why D: Option D is correct because if the Transit Gateway route table has blackhole routes for inter-VPC traffic, that traffic is dropped before reaching the inspection VPC. The route table should direct traffic to the inspection VPC attachment, not blackhole. Option A is wrong because firewall configuration is not the issue if traffic is not reaching it. Option B is wrong because static routes are fine. Option C is wrong because propagation is not the issue.

Variation 6. A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which THREE steps are required? (Choose three.)

hard
  • A. Configure the firewall appliance to perform stateful inspection and route traffic back to the Transit Gateway.
  • B. Set up VPC peering between the inspection VPC and each spoke VPC.
  • C. Create Transit Gateway route tables that propagate routes from the inspection VPC and associate them with the other VPC attachments.
  • D. Establish an AWS Direct Connect connection between the inspection VPC and the on-premises network.
  • E. Attach the inspection VPC to the Transit Gateway.

Why A: Option A is correct because the inspection VPC must be attached to the Transit Gateway. Option B is correct because route tables must direct inter-VPC traffic to the inspection VPC. Option C is correct because the firewall appliance must be configured to inspect and forward traffic. Option D is wrong because Direct Connect is not required; VPN is already used. Option E is wrong because VPC Peering is not used with Transit Gateway; Transit Gateway replaces peering.

Variation 7. A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to implement a centralized inspection architecture where all traffic between VPCs must be inspected by a security appliance (e.g., firewall) deployed in a dedicated inspection VPC. Currently, traffic flows directly between VPCs using the Transit Gateway. Which architecture change would enforce that all inter-VPC traffic passes through the inspection VPC?

medium
  • A. Create VPC peering connections between each VPC and the inspection VPC, and remove the Transit Gateway attachments.
  • B. Configure the Transit Gateway to use separate route tables for each VPC attachment, with a default route pointing to the inspection VPC's attachment. Then, in the inspection VPC, route traffic back to the Transit Gateway for final delivery.
  • C. Use AWS Direct Connect Gateway to route traffic through the inspection VPC.
  • D. Deploy a Network Load Balancer in each VPC and configure it to forward traffic to the inspection VPC.

Why B: Option B is correct. By using Transit Gateway route tables, you can create separate route tables for each VPC attachment and propagate only a default route pointing to the inspection VPC. This forces all traffic to go through the inspection VPC. Option A is incorrect because VPC peering does not integrate with Transit Gateway. Option C is incorrect because Network Load Balancer does not provide routing control. Option D is incorrect because Direct Connect is for on-premises connectivity, not for inter-VPC routing.

Variation 8. A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via a VPN. They want to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the network?

medium
  • A. Create VPC Peering connections between each VPC and the inspection VPC.
  • B. Configure Transit Gateway with appliance mode and route traffic through a dedicated inspection VPC.
  • C. Use security groups in each VPC to restrict traffic and enable VPC Flow Logs for auditing.
  • D. Place the security appliance in each VPC and use Network Firewall to inspect traffic.

Why B: Option B is correct because Transit Gateway supports appliance mode that forces traffic to be routed through a specific VPC where the security appliance resides. Option A is wrong because VPC Peering does not support transitive routing. Option C is wrong because Network Firewall can inspect traffic but does not require Transit Gateway; however, the question specifically asks for a design with Transit Gateway. Option D is wrong because Security Groups cannot inspect traffic at the network level.

Last reviewed: Jun 11, 2026
