AWS Certified Advanced Networking - Specialty Practice Exam 2025: Latest Questions

A company has deployed a new VPC with public and private subnets. Instances in the private subnets must download operating system updates from the internet, but must not accept any inbound connections initiated from the internet. Which solution meets these requirements with the LEAST operational overhead?

An application hosted on Amazon EC2 in a VPC needs private access to Amazon S3 without traversing the internet or using NAT. Which networking feature should be used?

A network engineer is troubleshooting connectivity between two EC2 instances in different subnets of the same VPC. Security groups allow the traffic, but the instances still cannot communicate. Which VPC component should be checked NEXT to identify a possible explicit deny?

A security team wants to centrally restrict which AWS services can be accessed from VPCs in multiple accounts without relying on instance-based proxies. They want to ensure access to approved services stays on the AWS network and is not reachable from the internet. Which solution best meets these requirements?

A company needs connectivity between two VPCs in the same Region across different AWS accounts. The company wants the simplest architecture with low latency and does not need transitive routing to additional networks. Which solution should be used?

An organization uses AWS Transit Gateway (TGW) to connect multiple VPCs and an on-premises network through a Site-to-Site VPN attachment. The organization must ensure VPC A can communicate with on-premises, but VPC B must not. Which TGW feature should be used to enforce this segmentation?

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect to a VPC via a Direct Connect gateway. The BGP session is up, but routes to the VPC are not being learned on-premises. Which configuration issue is the MOST likely cause?

A company uses Amazon Route 53 Resolver endpoints to integrate DNS between on-premises and multiple VPCs. Users report intermittent failures resolving an on-premises DNS zone from workloads in a VPC. VPC connectivity is stable. Which configuration is the MOST appropriate to improve resiliency of DNS forwarding?

A company wants to inspect and control egress traffic from dozens of VPCs to the internet. The design must be centralized, scalable, and support adding third-party firewall appliances in a dedicated inspection VPC. The company also needs to avoid complex static routing updates in each spoke VPC when new VPCs are added. Which architecture best meets these requirements?

A financial services company must ensure that traffic from EC2 instances to supported AWS services never leaves the AWS network and cannot be exfiltrated to arbitrary endpoints, even if an instance is compromised. The company also wants to restrict access to specific S3 buckets and specific Secrets Manager secrets. Which combination of controls is MOST effective?

A company wants all outbound internet access from private subnets to use the same static public IP address for allow-listing by a third-party SaaS provider. The workloads run in multiple Availability Zones. Which solution meets this requirement with high availability?

An engineer needs to enable DNS resolution for private hostnames from an on-premises data center to resources in a VPC. The VPC uses AmazonProvidedDNS. Which solution is the MOST appropriate?

A VPC has subnets associated with a route table that includes a route to a virtual private gateway (VGW) for a Site-to-Site VPN. Instances cannot reach on-premises networks, but the VPN tunnels show as UP. Which configuration issue is the MOST likely cause?

A company uses AWS Transit Gateway (TGW) to connect 20 VPCs. Security requires that only a shared inspection VPC can access the internet, and all VPC egress must traverse centralized inspection before reaching the internet. Which design best meets the requirement?

An application uses an internet-facing Network Load Balancer (NLB) with targets in private subnets. Clients report intermittent connection failures during deployments when targets are deregistered and registered. Which NLB feature should be configured to reduce connection disruption?

A company must allow an external partner to access a specific application hosted in a VPC through a private connection. The partner uses AWS in a different account and wants to connect from multiple VPCs without building many point-to-point connections. Which solution is MOST scalable and keeps traffic off the public internet?

A security team requires centralized, auditable control over allowed network paths between VPCs attached to an AWS Transit Gateway, including explicit denies for certain VPC-to-VPC communications. Which approach best meets the requirement?

An organization uses AWS Direct Connect with a private VIF to reach a Transit Gateway. After adding a new on-premises prefix, routes to AWS stop appearing intermittently on the on-premises router. The BGP session stays established. Which action is the BEST next troubleshooting step?

A company hosts a multi-tier application behind an Application Load Balancer (ALB). Compliance requires that only specific corporate source IP ranges can access the application, and all other sources must be blocked as close to the edge as possible with centralized policy management. Which solution best meets these requirements?

An enterprise has overlapping IPv4 CIDR ranges across multiple acquired networks that must connect to the same set of AWS VPCs through AWS Transit Gateway. The enterprise wants to avoid large-scale renumbering and needs connectivity between on-premises and AWS. Which solution is MOST appropriate?

A company has a hybrid environment with an on-premises data center connected to AWS through AWS Direct Connect. Several application subnets in a VPC use a NAT gateway for internet-bound traffic. The company wants all outbound internet traffic from these subnets to be inspected by an on-premises security appliance before reaching the internet, while keeping the existing Direct Connect connection. Which solution meets these requirements with the least operational complexity?

A company uses a transit VPC with third-party firewalls for east-west inspection. Multiple spoke VPCs connect to the transit VPC using VPC peering. The company is adding 40 more VPCs and needs scalable connectivity, centralized inspection, and simplified routing management. Which architecture should a network engineer recommend?

An application in a private subnet must access an Amazon S3 bucket without traversing the public internet. A Gateway VPC endpoint for S3 is configured and associated with the route tables of the private subnets. However, access still fails. The instance role has the required S3 permissions. What is the MOST likely cause?

A company operates Amazon EKS clusters in multiple VPCs. Pods need to resolve private hosted zone records in Amazon Route 53 that are associated with each VPC. Intermittently, pods fail DNS lookups during scaling events. The company wants to improve DNS reliability and reduce dependency on the VPC resolver for high query rates. Which solution is MOST appropriate?

A security team wants to detect and block data exfiltration from a set of sensitive EC2 instances in private subnets. The instances must be able to access specific AWS services (S3 and DynamoDB) privately, but must not be able to reach any other internet destinations or arbitrary public AWS endpoints. Which approach provides the STRONGEST preventative control with centralized governance?