Free AWS Certified Advanced Networking Questions & Answers

1. A company has two on-premises data center locations. There is a companymanaged router at each data center. Each data center has a dedicated AWS Direct
Connect connection to a Direct Connect gateway through a private virtual
interface. The router for the first location is advertising 110 routes to the Direct
Connect gateway by using BGP, and the router for the second location is
advertising 60 routes to the Direct Connect gateway by using BGP. The Direct
Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable
from various locations in either data center. The network engineer checks the VPC
route table and sees that the routes from the first data center location are not
being populated into the route table. The network engineer must resolve this issue
in the most operationally efficient manner. What should the network engineer do
to meet these requirements?

2. A company has developed an application on AWS that will track inventory levels of
vending machines and initiate the restocking process automatically. The company
plans to integrate this application with vending machines and deploy the vending
machines in several markets around the world. The application resides in a VPC in
the us-east-1 Region. The application consists of an Amazon Elastic Container
Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The
communication from the vending machines to the application happens over
HTTPS. The company is planning to use an AWS Global Accelerator accelerator
and configure static IP addresses of the accelerator in the vending machines for
application endpoint access. The application must be accessible only through the
accelerator and not through a direct connection over the internet to the ALB
endpoint. Which solution will meet these requirements?

3. A company has expanded its network to the AWS Cloud by using a hybrid
architecture with multiple AWS accounts. The company has set up a shared AWS
account for the connection to its on-premises data centers and the company
offices. The workloads consist of private web-based services for internal use. These
services run in different AWS accounts. Office-based employees consume these
services by using a DNS name in an on-premises DNS zone that is named
example.internal. The process to register a new service that runs on AWS requires
a manual and complicated change request to the internal DNS. The process
involves many teams. The company wants to update the DNS registration process
by giving the service creators access that will allow them to register their DNS
records. A network engineer must design a solution that will achieve this goal. The
solution must maximize cost-effectiveness and must require the least possible
number of configuration changes. Which combination of steps should the network
engineer take to meet these requirements? (Choose three.)

4. A company is using custom DNS servers that run BIND for name resolution in its
VPCs. The VPCs are deployed across multiple AWS accounts that are part of the
same organization in AWS Organizations. All the VPCs are connected to a transit
gateway. The BIND servers are running in a central VPC and are configured to
forward all queries for an on-premises DNS domain to DNS servers that are
hosted in an on-premises data center. To ensure that all the VPCs use the custom
DNS servers, a network engineer has configured a VPC DHCP options set in all the
VPCs that specifies the custom DNS servers to be used as domain name servers.
Multiple development teams in the company want to use Amazon Elastic File
System (Amazon EFS). A development team has created a new EFS file system but
cannot mount the file system to one of its Amazon EC2 instances. The network
engineer discovers that the EC2 instance cannot resolve the IP address for the EFS
mount point fs-33444567d.efs.us-east-1. Amazonaws.com. The network engineer
needs to implement a solution so that development teams throughout the
organization can mount EFS file systems. Which combination of steps will meet
these requirements? (Choose two.)

5. A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link
aggregation group (LAG) bundle to connect to five VPCs that are deployed in the
us-east-1 Region. Each VPC serves a different business unit and uses its own
private VIF for connectivity to the on-premises environment. Users are reporting
slowness when they access resources that are hosted on AWS. A network engineer
finds that there are sudden increases in throughput and that the Direct Connect
connection becomes saturated at the same time for about an hour each business
day. The company wants to know which business unit is causing the sudden
increase in throughput. The network engineer must find out this information and
implement a solution to resolve the problem. Which solution will meet these
requirements?

6. A global delivery company is modernizing its fleet management system. The
company has several business units. Each business unit designs and maintains
applications that are hosted in its own AWS account in separate application VPCs
in the same AWS Region. Each business unit's applications are designed to get
data from a central shared services VPC. The company wants the network
connectivity architecture to provide granular security controls. The architecture
also must be able to scale as more business units consume data from the central
shared services VPC in the future. Which solution will meet these requirements in
the MOST secure manner?

7. A company is deploying a new application in the AWS Cloud. The company wants
a highly available web server that will sit behind an Elastic Load Balancer. The load
balancer will route requests to multiple target groups based on the URL in the
request. All traffic must use HTTPS. TLS processing must be offloaded to the load
balancer. The web server must know the user's IP address so that the company can
keep accurate logs for security purposes. Which solution will meet these
requirements?

8. A company has deployed an AWS Network Firewall firewall into a VPC. A network
engineer needs to implement a solution to deliver Network Firewall flow logs to
the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster
in the shortest possible time. Which solution will meet these requirements?

9. A retail company is running its service on AWS. The company's architecture
includes Application Load Balancers (ALBs) in public subnets. The ALB target
groups are configured to send traffic to backend Amazon EC2 instances in private
subnets. These backend EC2 instances can call externally hosted services over the
internet by using a NAT gateway. The company has noticed in its billing that NAT
gateway usage has increased significantly. A network engineer needs to find out
the source of this increased usage. Which options can the network engineer use to
investigate the traffic through the NAT gateway? (Choose two.)

10. A company has multiple AWS accounts. Each account contains one or more VPCs.
A new security guideline requires the inspection of all traffic between VPCs. The
company has deployed a transit gateway that provides connectivity between all
VPCs. The company also has deployed a shared services VPC with Amazon EC2
instances that include IDS services for stateful inspection. The EC2 instances are
deployed across three Availability Zones. The company has set up VPC
associations and routing on the transit gateway. The company has migrated a few
test VPCs to the new solution for traffic inspection. Soon after the configuration of
routing, the company receives reports of intermittent connections for traffic that
crosses Availability Zones. What should a network engineer do to resolve this
issue?

11. A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service
(Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these
requirements?

12. A banking company is successfully operating its public mobile banking stack on
AWS. The mobile banking stack is deployed in a VPC that includes private subnets
and public subnets. The company is using IPv4 networking and has not deployed
or supported IPv6 in the environment. The company has decided to adopt a thirdparty service provider's API and must integrate the API with the existing
environment. The service provider's API requires the use of IPv6. A network
engineer must turn on IPv6 connectivity for the existing workload that is deployed
in a private subnet. The company does not want to permit IPv6 traffic from the
public internet and mandates that the company's servers must initiate all IPv6
connectivity. The network engineer turns on IPv6 in the VPC and in the private
subnets. Which solution will meet these requirements?

13. A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2
instances within a VPC in the AWS Cloud. All of the provider's customers also have
their environments in the AWS Cloud. A recent design meeting revealed that the
customers have IP address overlap with the provider's AWS deployment. The
customers have stated that they will not share their internal IP addresses and that
they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements?
(Choose two.)

14. An ecommerce company is hosting a web application on Amazon EC2 instances to
handle continuously changing customer demand. The EC2 instances are part of an
Auto Scaling group. The company wants to implement a solution to distribute
traffic from customers to the EC2 instances. The company must encrypt all traffic
at all stages between the customers and the application servers. No decryption at
intermediate points is allowed. Which solution will meet these requirements?

15. A network engineer is designing the architecture for a healthcare company's
workload that is moving to the AWS Cloud. All data to and from the on-premises
environment must be encrypted in transit. All traffic also must be inspected in the
cloud before the traffic is allowed to leave the cloud and travel to the on-premises
environment or to the internet. The company will expose components of the
workload to the internet so that patients can reserve appointments. The
architecture must secure these components and protect them against DDoS
attacks. The architecture also must provide protection against financial liability for
services that scale out during a DDoS event. Which combination of steps should
the network engineer take to meet all these requirements for the workload?
(Choose three.)