Free Amazon ANS-C01 Exam Questions

Question 1

A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company's applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups. A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances. Which solution will meet this requirement with the LEAST implementation and administrative effort?

A : Create a network ACL for each application. Reference the network ACL in the stateful rule group.

B : Create a prefix list for each application. Reference the prefix list in the stateful rule group.

C : Create an AWS Lambda function that queries the EC2 instance tags for each application name and then updates the stateful rule group with the IP address of each instance.

D : Create a resource group for each application name. Reference the Amazon Resource Name (ARN) for the resource groups in the stateful rule group.

Answer: B

Question 2

An online retail organization runs its e-commerce website on AWS. The Amazon EC2 instances running the application are fronted by an Application Load Balancer (ALB). Amazon Route 53 provides public DNS services. Different URLs (mobile.shopping.com, web.shopping.com, api.shopping.com) will serve the required content to the end-users.

Which combination of services must be used to serve the content correctly to the end-users? (Select two)

A : Path conditions in ALB listener to route *.shopping.com to appropriate target groups

B : Host conditions in ALB listener to route *.shopping.com to appropriate target groups

C : Host conditions in ALB listener to route shopping.com to appropriate target groups

D : Use Host conditions in ALB listener to route $$$$.shopping.com to appropriate target groups

E : Path component of Redirect actions in ALB listener configuration to route shopping.com to appropriate target groups

Answer: B,C

Question 3

A company is planning to migrate to AWS and use multiple VPCs in multiple AWS Regions. A network engineer must connect the eu-west-1 and eu-central-1 Regions to the company headquarters and branch office, respectively. The network engineer created a production VPC, named Prod A, with a CIDR block of 10.0.0.0. Prod A runs in an account in eu-west-1. The network engineer then created another production VPC, named Prod B, with a CIDR block of 10.1.0.0. Prod Ð’ runs in a different account in eu-central-1. The network engineer performed the following steps to try to achieve the required connectivity: 1. Created one transit gateway in each Region2. Shared and accepted the transit gateways with the production accounts in both Regions3. Configured the peering attachment between both transit gateways4. Attached both VPCs to the respective Region transit gateway5. Created both transit gateway route tables and associated the attachments with the route tables6. Configured a static route in both transit gateway route tables to send traffic to the remote VPC in the other Region7. Activated route propagation on the VPC route tables in each Region After the configuration, the network engineer tried to connect from Prod A to Prod B. However, the connection was unsuccessful. What should the network engineer do to achieve the required connectivity?

A : Modify the IP address of the peering attachment to a wider range.

B : Delete the static routes that were in the transit gateway route table to send traffic to the remote VPC and enable route propagation instead.

C : Create a new route destined to 10.0.0.0 in both production VPC route tables with the Region transit gateway as the target.

D : Modify the transit gateway route tables from the production accounts to propagate routes dynamically between the production VPCs.

Answer: C

Question 4

A company runs workloads in multiple VPCs. The company needs to securely access a workload in one of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up an AWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamic routing for the connection, and communication works properly. Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner created workloads that use the additional CIDR range. The company's on-premises network is unable to reach the new workloads. The network engineer needs to resolve the network connectivity issue and ensure that connectivity will not be affected if additional VPC CIDR ranges are added to the VPC in the future. Which solution will meet these requirements with the MOST operational efficiency?

A : Configure route propagation for VPC-A to the VPN attachment route table.

B : Manually update the VPN attachment route table to include the new CIDR range.

C : Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule to matches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table.

D : Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table. Restart the VPN tunnels.

Answer: A

Question 5

A company wants to implement a distributed architecture on AWS that uses a Gateway Load Balancer (GWLB) and GWLB endpoints. The company has chosen a hub-and-spoke model. The model includes a GWLB and virtual appliances that are deployed into a centralized appliance VPC and GWLB endpoints. The model also includes internet gateways that are configured in spoke VPCs. Which sequence of traffic flow to the internet from the spoke VPC is correct?

A : 1.An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.2. Traffic is delivered securely and privately to the GWLB.3. The GWLB sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

B : 1. An application in a spoke VPC sends traffic to the GWLB endpoint based on the VPC route table configuration.2. Traffic is delivered securely and privately to the GWLB endpoint.3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

C : 1. An application in a spoke VPC sends traffic to the GWLB endpoint.2. Traffic is delivered securely and privately to the GWLB.3. The GWLB sets the X-Forwarded-For request header and sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB endpoint and out to the internet through the internet gateway.

D : 1. An application in a spoke VPC sends traffic to the GWLB.2. Traffic is delivered securely and privately to the GWLB endpoint.3. The GWLB sends the traffic to a virtual appliance for inspection.4. Return traffic flows back to the GWLB and out to the internet through an internet gateway.

Answer: A