
Latest Amazon ANS-C01 Free Certification Exam Material with 101 Q&As
UPDATED ANS-C01 Exam Questions Certification Test Engine to PDF
The Amazon ANS-C01 exam is a certification exam offered by Amazon Web Services (AWS) for advanced networking professionals who want to validate their expertise in designing and implementing complex networking architectures on the AWS platform. The exam is designed to test the candidate's knowledge and skills in various networking concepts, including network infrastructure, security, automation, and optimization. The ANS-C01 exam is intended for individuals who already have experience working with AWS networking services and want to take their skills to the next level.
NEW QUESTION # 11
Where would you create a firewall rule to block access to instance metadata?
Response:
- A. In the Network ACL
- B. In the OS of the EC2 instance
- C. In the Security Group
Answer: B
NEW QUESTION # 12
You need to ensure the files served by your CloudFront distribution are only accessible to authorized users. You hope to serve thousands of users. What two steps should you take?
(Choose two.)
Response:
- A. Configure a WAF.
- B. Configure signed cookies.
- C. Configure a bucket policy restricting the bucket to only CloudFront OAI.
- D. Configure an SSL on the distribution.
Answer: B,C
NEW QUESTION # 13
A Network Engineer is designing a system on AWS that will leverage Amazon CloudFront for content caching and for protecting the underlying origin. The security team has flagged a concern of a probable attack on the origin server IP addresses, despite it being served by CloudFront.
Which solution provides the strongest level of protection to the origin server?
Response:
- A. Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront
- B. Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header
- C. Configure private access to content by using special CloudFront signed URLs or signed cookies
- D. Configure Origin Access Identity (OAI) on the origin server, which will only allow requests originating from CloudFront
Answer: B
NEW QUESTION # 14
You have created three Virtual Private Clouds (VPCs) named A, B, and C. VPC A is peered with VPC B.
VPC B is peered with VPC C. Which statement is true about this peering arrangement?
Response:
- A. Instances in VPC A can reach instances in VPC C if the correct routes are configured
- B. Instances in VPC A can reach instances in VPC C by default.
- C. Instances in VPC A can reach instances in VPC C if they use a proxy instance in VPC B.
- D. Instances in VPC A can reach instances in VPC C if they set their routes to an instance in VPC B.
Answer: C
NEW QUESTION # 15
Which two statements about placement groups are correct?
(Choose two.)
Response:
- A. It is best to use the same instance types in a placement group.
- B. A placement group can span multiple VPCs.
- C. You cannot merge placement groups.
- D. A placement group can span multiple Availability Zones.
Answer: B,C
NEW QUESTION # 16
An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket.
The current configuration includes a VPC with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.
What is the MOST simple and secure architecture that will achieve the organization's goal?
Response:
- A. Use the existing VPC and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
- B. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.
- C. Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
- D. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.
Answer: A
NEW QUESTION # 17
An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received.
The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.
Which combination of services will support these requirements?
(Select two.)
Response:
- A. AWS Key Management Services
- B. Amazon CloudFront using AWS Lambda@Edge
- C. Customer-managed MySQL with Transparent Data Encryption
- D. Amazon Aurora in a private subnet
- E. Application Load Balancer using HTTPS listeners and targets
Answer: A,C
NEW QUESTION # 18
A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 private hosted zone for aws.example.com to host the VPC resources.
The company is using an open-source recursive DNS resolver in a VPC subnet and is using a DNS resolver in the on-premises data center. The company's on-premises DNS resolver has a forwarder that directs requests for the aws.example.com domain name to the DNS resolver in the VPC. The DNS resolver in the VPC has a forwarder that directs requests for the corp.example.com domain name to the DNS resolver in the on-premises data center. The company has decided to replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints.
Which combination of steps should a network engineer take to make this replacement? (Choose three.)
- A. Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver.
- B. Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
- C. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the inbound endpoint.
- D. Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint.
- E. Configure the on-premises DNS resolver to forward aws.example.com queries to the IP addresses of the outbound endpoint.
- F. Create a Route 53 Resolver rule to forward aws.example.com domain queries to the IP addresses of the outbound endpoint.
Answer: A,B,D
Explanation:
To replace the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints in a hybrid architecture where on-premises applications need to communicate with applications running in a VPC, a network engineer should take the following steps:
- Create a Route 53 Resolver inbound endpoint and a Route 53 Resolver outbound endpoint. (Option C)
- Configure the on-premises DNS resolver to forward aws.example.com domain queries to the IP addresses of the inbound endpoint. (Option B)
- Create a Route 53 Resolver rule to forward corp.example.com domain queries to the IP address of the on-premises DNS resolver. (Option E)
These steps will allow for seamless replacement of the open-source recursive DNS resolver with Amazon Route 53 Resolver endpoints and enable communication between on-premises and VPC applications.
NEW QUESTION # 19
Your Amazon Kinesis application receives data streams from thousands of devices. The data is then stored in an on-premises Hadoop cluster.
You are concerned about historical data that shows periods of sustained traffic between 1 Gbps and 2 Gbps during peaks. You must ensure that you have secure, fault-tolerant connectivity between Amazon Kinesis and your data center.
What should you implement to address these needs?
Response:
- A. Set up an IPsec VPN connection over Direct Connect with two tunnels.
- B. Deploy three 1-Gbps Direct Connect connections.
- C. Deploy two 1-Gbps Direct Connect connections.
- D. Deploy a single 1-Gbps Direct Connect connection with a VPN backup.
Answer: B
NEW QUESTION # 20
Your on-premises network has an IP address range of 11.11.0.0/16. Only IPs within this network range can be used for interserver communication. The IP address range 11.11.253.0/24 has been allocated for the cloud.
You need to design a VPC in AWS. The servers within the VPC should be able to communicate with hosts both on the Internet and on-premises through a VPN connection. What combination of configuration steps meets your needs?
(Choose two)
Response:
- A. Set up the VPC with an IP address range of 11.11.253.0/24
- B. Set up a VPN connection between a VGW and an on-premises router, set the VGW as the default gateway for all traffic, and configure the on-premises router to forward traffic to the Internet
- C. Set up the VPC with an RFC 1918 private IP address range (e.g., 10.10.10.0/24), and set up a NAT gateway to do translation between 10.10.10.0/24 and 11.11.253.0/24 for all outbound traffic
- D. Set up a VPN connection between a VGW and an on-premises router, set the VGW as the default gateway for traffic destined to 11.11.0.0/24, and add a VPC subnet route to point the default gateway to an Internet gateway for Internet traffic
- E. Set up the VPC with an RFC 1918 private IP address range (e.g., 10.10.10.0/24), and set the VGW to do a source IP translation of all outbound packets to 11.11.0.0/16
Answer: A,B
NEW QUESTION # 21
Your company needs to leverage Amazon Simple Storage Solution (S3) for backup and archiving.
According to company policy, data should not flow on the public Internet even if data is encrypted.
You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.
Which design should you set up?
Response:
- A. An AWS Direct Connect connection to us-east-1.
- B. An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.
- C. An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.
- D. An AWS Direct Connect connection to us-west-2.
Answer: D
NEW QUESTION # 22
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company's global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency.
The company migrates the MQTT brokers to run on Amazon EC2 instances.
What should the company do next to meet these requirements?
- A. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.
- B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
- C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
- D. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
Answer: B
NEW QUESTION # 23
For _______ distributions, CloudFront does not cache cookies in edge caches.
Note: Answers to this question are not verified by our experts, please study yourself and select the appropriate answers.
Response:
- A. Web
- B. AMI
- C. Web and RTMP
- D. RTMP
Answer: B
NEW QUESTION # 24
A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application.
Which solution will meet these requirements?
- A. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.
- B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint service for the ALB. Share the VPC endpoint service with other AWS accounts.
- C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB.
- D. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS accounts. Update the route tables so that the AWS accounts can reach the GLB.
Answer: A
NEW QUESTION # 25
Some people in your company have created a very complicated and management-intensive workflow for automating development builds and testing.
They have requested those involved in creating it not to repeat this workflow more than once. The security organization, however, wants every developer to have their own account to reduce the blast radius of development issues.
What is the best design for providing access to the development system?
Response:
- A. Ask the developers simply to automate the deployment of their build system and make it a distributed system. Deploy a copy of this in each developer VPC to prevent any blast radius or complexity problems.
- B. Provide one large Virtual Private Cloud (VPC). Configure network Access Control Lists (ACLs) and security groups so that the blast radius for developers is limited.
- C. Deploy the development system in a central VPC. Extend network interfaces with cross-account permissions so that developers can route their code to the development system.
- D. Deploy the development system in a central VPC. Allow developers to access the system through AWS PrivateLink.
Answer: D
NEW QUESTION # 26
You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required.
Which of the following will improve transmission quality?
Response:
- A. Enable jumbo frames
- B. Select G2 instance types
- C. Use multiple elastic network interfaces
- D. Enable enhanced networking
Answer: D
NEW QUESTION # 27
You have many IAM users with the ability to create EC2 volumes. Most of the data your team works with is sensitive, so you would like to make sure all volumes are encrypted. How might you facilitate this requirement?
Response:
- A. Use AWS Config to send out reminders to IAM users every time they create an EC2 volume.
- B. Create an AWS KMS policy and attach it to all IAM users that can create EC2 volumes.
- C. Set EC2 to notify creators to encrypt their EC2 volumes.
- D. Use AWS Config and create a rule that requires all volumes, upon creation, be encrypted.
Answer: D
NEW QUESTION # 28
What is the default weight for a locally originated BGP route?
Response:
- A. 0
- B. 1
- C. 2
- D. 3
Answer: B
NEW QUESTION # 29
A company provisions an AWS Direct Connect connection to permit access to Amazon EC2 resources in several Amazon VPCs and to data stored in private Amazon S3 buckets. The Network Engineer needs to configure the company's on-premises router for this Direct Connect connection.
Which of the following actions will require the LEAST amount of configuration overhead on the customer router?
Response:
- A. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and for Amazon S3
- B. Configure private virtual interfaces for the VPC resources and a public virtual interface for Amazon S3
- C. Configure a private virtual interface to a Direct Connect gateway for the VPC resources and a public virtual interface for Amazon S3
- D. Configure private virtual interfaces for the VPC resources and for Amazon S3
Answer: C
NEW QUESTION # 30
Internal security teams at your customer get requests to enable Amazon S3 access from inside the corporate network. Through your company firewalls, all external traffic must be expressly whitelisted. How is this access going to be granted by your security team?
Response:
- A. Obtain the list of IP prefixes from AWS Forum announcements, and use those prefixes in firewall rules
- B. Connect your data center to a VPC via Direct Connect. Create routes that forward traffic from your data center to an S3 private endpoint
- C. Obtain the list of IP prefixes from ip-ranges.json, and use those prefixes in firewall rules
- D. Obtain the list of IP prefixes by performing a DNS lookup on Amazon S3 endpoints, and use those prefixes in firewall rules
Answer: C
NEW QUESTION # 31
......