Real Practice Questions Answer of ANS-C01 Exam Dumps


Pauldevvin1118

Uploaded on Oct 26, 2022

Category Education

DumpsFile keeps you prepared for the exam according to the latest test changes. The experts also advise some preparation with the Online Practice Test after finishing the ANS-C01 Dumps questions and answers. This test framework trains you in the way responses are given. It prepares you so that you won't feel any difference between our test framework and the real test. There is no better time than now if you are still waiting to get this done.


DumpsFile
Amazon ANS-C01 Dumps
AWS Certified Advanced Networking Specialty
https://www.dumpsfile.com/amazon/ans-c01-dumps.html
Latest Version: 6.0

Question: 1
DNS name resolution must be provided for services in the following four zones:
A. company.private.
B. emea.company.private.
C. apac.company.private.
D. amer.company.private.
Answer: D

Question: 2
The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones. How can you use Amazon Route 53 to meet these requirements?
Response:
A. Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.
B. Create a single Route 53 Private Hosted Zone for the zone company.private and associate it with the three VPCs.
C. Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward
D. Create a single Route 53 Public Hosted Zone for the zone company.private and configure the VPC DNS Resolver to forward
Answer: B

Question: 3
A network engineer needs to limit access to the company's Amazon S3 bucket to specific source networks. What should the network engineer do to accomplish this?
Response:
A. Create an ACL on the S3 bucket, limiting access to the CIDR blocks of the specified networks.
B. Create a bucket policy on the S3 bucket, limiting access to the CIDR blocks of the specified networks using a condition statement.
C. Create a security group allowing inbound access to the CIDR blocks of the specified networks and apply the security group to the S3 bucket.
D. Create a security group allowing inbound access to the CIDR blocks of the specified networks, create an S3 VPC endpoint, and apply the security group to the VPC endpoint.
Answer: B

Question: 4
A company is migrating many applications from two on-premises data centers to AWS. The company's network team is setting up connectivity to the AWS environment. The migration will involve spreading the applications across two AWS Regions: us-east-1 and us-west-2. The company has set up AWS Direct Connect connections at two different locations. Direct Connect connection 1 is to the first data center and is at a location in us-east-1. Direct Connect connection 2 is to the second data center and is at a location in us-west-2. The company has connected both Direct Connect connections to a single Direct Connect gateway by using transit VIFs. The Direct Connect gateway is associated with transit gateways that are deployed in each Region. All traffic to and from AWS must travel through the first data center. In the event of failure, the second data center must take over the traffic. How should the network team configure BGP to meet these requirements?
Response:
A. Configure the local preference BGP community tag 7224:7300 for the transit VIF connected to Direct Connect connection 2.
B. Configure the local preference BGP community tag 7224:9300 for the transit VIF connected to Direct Connect connection 2.
C. Use the AS_PATH attribute to prepend the additional hop for the transit VIF connected to Direct Connect connection 2.
D. Use the AS_PATH attribute to prepend the additional hop for the transit VIF connected to Direct Connect connection 1.
Answer: A

Question: 5
A company has developed a new web application that processes confidential data that is hosted on Amazon EC2 instances. The application needs to scale and must use certificates to authenticate clients. The application is configured to request a client's certificate and will validate the certificate as part of the initial handshake. Which Elastic Load Balancing (ELB) solution will meet these requirements?
Response:
A. Configure an Application Load Balancer (ALB) that includes an HTTPS listener on port 443. Create an Auto Scaling group for the EC2 instances. Configure the Auto Scaling group as the target group of the ALB. Configure HTTPS as the protocol for the target group.
B. Configure a Network Load Balancer (NLB) that includes a TLS listener on port 443. Create an Auto Scaling group for the EC2 instances. Configure the Auto Scaling group as the target group of the NLB. Configure the NLB to terminate TLS. Configure TLS as the protocol for the target group.
C. Configure a Network Load Balancer (NLB) that includes a TCP listener on port 443. Create an Auto Scaling group for the EC2 instances. Configure the Auto Scaling group as the target group of the NLB. Configure TCP as the protocol for the target group.
D. Configure an Application Load Balancer (ALB) that includes a TLS listener on port 443. Create an Auto Scaling group for the EC2 instances. Configure the Auto Scaling group as the target group of the ALB. Configure TLS as the protocol for the target group.
Answer: C

Question: 6
A company's internal security team receives a request to allow Amazon S3 access from inside the corporate network. All external traffic must be explicitly allowed through the corporate firewalls. How can the security team grant this access?
Response:
A. Schedule a script to download the Amazon S3 IP prefixes from AWS developer forum announcements. Update the firewall rules accordingly.
B. Schedule a script to download and parse the Amazon S3 IP prefixes from the ip-ranges.json file. Update the firewall rules accordingly.
C. Schedule a script to perform a DNS lookup on Amazon S3 endpoints. Update the firewall rules accordingly.
D. Connect the data center to a VPC using AWS Direct Connect. Create routes that forward traffic from the data center to an Amazon S3 VPC endpoint.
Answer: B

Question: 7
Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)
Response:
A. Remove any rules allowing ::/0 inbound in the security group.
B. Block ::/0 inbound in the NACL.
C. Create an egress-only internet gateway
D. Block 0.0.0.0/0 inbound in the NACL.
Answer: A,C

Question: 8
A company's compliance requirements specify that web application logs must be collected and analyzed to identify any malicious activity. A network engineer also needs to monitor for remote attempts to change the network interface of web instances. Which services and configurations will meet these requirements?
Response:
A. Install the Amazon CloudWatch Logs agent on the web instances to collect application logs. Use VPC Flow Logs to send data to CloudWatch Logs. Use CloudWatch Logs metric filters to define the patterns to look for in the log data.
B. Configure AWS CloudTrail to log all management and data events to a custom Amazon S3 bucket and Amazon CloudWatch Logs. Use VPC Flow Logs to send data to CloudWatch Logs. Use CloudWatch Logs metric filters to define the patterns to look for in the log data.
C. Configure AWS CloudTrail to log all management events to a custom Amazon S3 bucket and Amazon CloudWatch Logs. Install the Amazon CloudWatch Logs agent on the web instances to collect application logs. Use CloudWatch Logs Insights to define the patterns to look for in the log data.
D. Enable AWS Config to record all configuration changes to the web instances. Configure AWS CloudTrail to log all management and data events to a custom Amazon S3 bucket. Use Amazon Athena to define the patterns to look for in the log data stored in Amazon S3.
Answer: C

Question: 9
The 10.0.1.0/24 subnet has been created in a VPC. Which addresses of this subnet are reserved? (Choose two.)
Response:
A. 10.0.1.255
B. 10.0.1.0 to 10.0.1.3
C. 10.0.1.0 to 10.0.1.4
D. 10.0.1.254 and 10.0.1.255
Answer: A,B

Question: 10
A company hosts its ecommerce application on Amazon EC2 instances behind an Application Load Balancer. The EC2 instances are in a private subnet with the default DHCP options set. Internet connectivity is through a NAT gateway that is configured in the public subnet. A third-party audit of the security infrastructure identifies a DNS exfiltration vulnerability. The company must implement a highly available solution that protects against this vulnerability. Which solution will meet these requirements MOST cost-effectively?
Response:
A. Configure a BIND server with DNS filtering. Modify the DNS servers in the DHCP options set.
B. Use AWS Network Firewall with domain name filtering.
C. Configure an Amazon Route 53 Resolver outbound endpoint with rules to filter and block suspicious traffic.
D. Use Amazon Route 53 Resolver DNS Firewall. Configure a domain list with a rule group.
Answer: D