50 AWS Certified Advanced Networking - Specialty Practice Questions: Question Bank 2025

A company wants to enable IPv6 for workloads in a VPC, but the workloads must still reach the internet through existing IPv4-only egress controls and public endpoints. The company wants the simplest solution that avoids deploying a separate egress proxy fleet. Which approach should the company use?

A company needs to connect an on-premises data center to AWS with predictable low latency and consistent throughput. The company also requires encrypted traffic over the connection. Which solution meets these requirements with the least operational overhead?

A network engineer is configuring AWS Transit Gateway (TGW) to connect multiple VPCs. After attaching a new VPC, instances in that VPC cannot reach instances in other VPCs. The TGW attachment is available, and routes exist in the TGW route table. What is the MOST likely missing configuration?

A company uses AWS Network Firewall in a centralized inspection VPC connected to multiple spoke VPCs using AWS Transit Gateway. The company must ensure that all egress traffic from spoke VPCs to the internet is inspected, while traffic between spoke VPCs stays private and does not traverse the firewall. Which design meets these requirements?

An application running on Amazon EC2 in a private subnet must access an AWS service endpoint without traversing the public internet. The company wants to keep existing route tables unchanged as much as possible. Which solution should be used?

A company is troubleshooting intermittent connectivity from on-premises to EC2 instances over an AWS Site-to-Site VPN. The VPN tunnels are up, but some TCP sessions reset under load. The company recently enabled jumbo frames on the on-premises routers. What is the MOST likely cause and fix?

A company must restrict inbound access to an internet-facing Application Load Balancer (ALB) so that only specific corporate public IP ranges can connect. The company wants a solution that is easy to maintain and auditable. Which solution should the company use?

A company has multiple AWS accounts connected to a central AWS Transit Gateway. The security team requires that no VPC in a spoke account can advertise more specific routes that could override central routing policies (for example, 0.0.0.0/0 or overlapping CIDRs). Which Transit Gateway feature should be used to enforce this requirement?

A company uses Amazon Route 53 Resolver for hybrid DNS with on-premises. Some AWS VPCs must resolve a private hosted zone name, but those names must not be resolvable from other VPCs for compliance reasons. Which solution best meets the requirement?

A company runs a multi-tier application behind an ALB. The security team needs to quickly identify the original client IP address at the application instances for incident response and logging. The application is HTTP-based and runs on EC2 instances in private subnets. What should the company do?

A company wants to centralize outbound internet access for multiple VPCs in the same AWS Region. The company requires that instances in spoke VPCs cannot have public IPv4 addresses and that all egress traffic is inspected by a firewall appliance in a dedicated inspection VPC. Which architecture best meets these requirements with minimal operational overhead?

An application running on Amazon EC2 in a private subnet cannot resolve public DNS names. The subnet route table includes a default route (0.0.0.0/0) to a NAT gateway. Security groups allow outbound UDP/TCP 53. What is the MOST likely cause?

A security team needs to restrict access to an internal HTTPS application hosted behind an internal Application Load Balancer (ALB). Only a set of on-premises networks connected through AWS Direct Connect should be able to reach the ALB. Which solution is the MOST appropriate?

A company uses AWS Direct Connect to connect its on-premises network to AWS. It advertises 10.0.0.0/16 from on premises to AWS and also has a VPC with the same 10.0.0.0/16 CIDR. Instances in that VPC cannot reliably reach on-premises resources. What is the BEST fix that avoids renumbering the on-premises network?

A network engineer needs end-to-end visibility into packet drops and latency between an EC2 instance in a private subnet and an on-premises server over a Site-to-Site VPN. The engineer wants to identify whether drops occur due to security group/NACL rules, route table issues, or VPN tunnel problems. Which combination of AWS features provides the MOST direct troubleshooting path?

A company needs to allow third-party vendors to access a specific internal service hosted in a VPC. Vendors connect from their own AWS accounts and VPCs. The company must avoid exposing the service to the internet and wants to minimize IP allowlisting management. Which solution is MOST appropriate?

A team is configuring an AWS Site-to-Site VPN to a customer gateway. The tunnels are up, but traffic from on premises to an EC2 instance in a private subnet fails. VPC route tables have propagated routes to the virtual private gateway (VGW). Security groups allow the traffic. Which issue is the MOST likely cause?

A company has multiple accounts connected through AWS Transit Gateway. They want to ensure that a shared services VPC (DNS, patching, AD) is reachable from all spoke VPCs, but spoke VPCs must not be able to communicate with each other. What is the BEST approach?

A regulated workload requires that east-west traffic between subnets in the same VPC be inspected by a centralized set of appliances. The appliances must see the original source and destination IPs and the solution must support scaling without manual route updates per subnet. Which design is MOST suitable?

A global company uses AWS Cloud WAN to interconnect multiple AWS Regions and several on-premises sites. A new compliance requirement states that traffic between a specific group of VPCs must not traverse any third-party network and must remain on the AWS backbone. The company also needs centralized policy-based segmentation that can be audited. Which solution BEST meets these needs?

A company uses AWS Site-to-Site VPN to connect a branch office to a VPC. Users report brief connectivity drops during maintenance events on the AWS side. The company wants to improve availability without changing the on-premises ISP. What is the MOST appropriate solution?

A network engineer needs to allow a VPC to communicate with an on-premises network over AWS Direct Connect. The VPC is already attached to a virtual private gateway (VGW). Which Direct Connect component is required to advertise and learn routes between the on-premises router and the VGW?

A company wants to ensure that all outbound internet traffic from workloads in private subnets is inspectable and that instances do not receive public IP addresses. Which design meets this requirement with the LEAST architectural change?

A company has centralized inspection in a security VPC using AWS Network Firewall. Spoke VPCs connect to an AWS Transit Gateway (TGW). The company wants all north-south internet egress from spoke VPCs to be forced through the inspection VPC before reaching the internet gateway. Which approach is MOST appropriate?

An application in a VPC must call an Amazon S3 bucket without traversing the public internet. The company also needs to ensure that only that bucket is reachable from the VPC. Which solution meets these requirements?

A company uses AWS Direct Connect with a private virtual interface to a VGW. During troubleshooting, an engineer sees that the BGP session is established but routes from AWS are not being installed on the on-premises router. Which is the MOST likely cause?

A company needs to monitor for unauthorized changes to VPC security group rules and automatically revert any changes that open inbound access to 0.0.0.0/0 on TCP port 22. Which solution best meets this requirement?

A global application uses AWS Global Accelerator (GA) with endpoints behind an internal Application Load Balancer (ALB) in multiple Regions. A new compliance requirement mandates that client IP addresses must be preserved and visible to the application. The application currently only sees GA edge IPs. What should the network engineer do?

An organization uses AWS Transit Gateway with multiple VPC attachments. One VPC hosts shared services and must be reachable from all other VPCs, but the other VPCs must NOT be able to communicate with each other. Which design accomplishes this requirement?

A company has two on-premises data centers connected to AWS through Direct Connect. They use a transit gateway with a Direct Connect gateway association to share connectivity with multiple VPCs across accounts. During a failover test, traffic from VPCs continues to prefer data center A even when engineers want to shift traffic to data center B without changing VPC route tables. What is the BEST way to influence the path selection?

A company uses AWS Transit Gateway (TGW) to connect multiple VPCs. A new VPC is attached, but instances in existing VPCs cannot reach it. The VPC route tables include routes to the TGW attachment. What is the MOST likely missing configuration?

A network engineer needs to quickly identify which AWS resource a specific private IP address belongs to within an account to troubleshoot connectivity. Which AWS capability provides this mapping MOST directly?

A workload in a private subnet needs outbound internet access for software updates. The company must prevent unsolicited inbound connections from the internet. Which design meets the requirement?

A company uses Route 53 private hosted zones for internal DNS. They create a new VPC and want it to resolve records from an existing private hosted zone. What must be done?

A company is implementing centralized egress inspection. Spoke VPCs connect to a Transit Gateway. All internet-bound traffic from spoke VPCs must be inspected by AWS Network Firewall in an inspection VPC before egressing via a NAT gateway. Which routing approach is MOST appropriate?

An application behind an internet-facing Application Load Balancer (ALB) must only be reachable through Amazon CloudFront. The company wants to block direct access to the ALB from the internet. Which solution is recommended?

A company uses AWS Direct Connect with a private VIF to access VPCs through a Direct Connect gateway and Transit Gateway. They want resilient connectivity and to automatically fail over to a Site-to-Site VPN if the Direct Connect path becomes unavailable. Which configuration BEST supports this goal?

A VPC has VPC Flow Logs enabled to CloudWatch Logs. During an incident, an engineer needs to quickly determine whether traffic from a specific source IP is being rejected by a network ACL or security group. What is the MOST effective first step?

A company operates a multi-account AWS environment with hundreds of VPCs. They must enforce that only approved CIDR ranges are used for new VPCs and that overlapping CIDRs across accounts are detected proactively. Which solution best meets these requirements with centralized governance?

A company deploys a stateful inspection appliance fleet behind a Gateway Load Balancer (GWLB) to inspect traffic from multiple VPCs. Some flows fail intermittently, and the appliance vendor reports asymmetric routing (return traffic bypassing the same appliance). Which configuration change is MOST likely required to preserve flow symmetry?

A company uses AWS Client VPN for remote access to a VPC. Users can connect successfully, but they cannot resolve private Route 53 hosted zone names (for example, internal.service.local). Public DNS works. Which configuration change will MOST likely fix the issue?

A workload in a VPC must access AWS services without traversing the public internet. The workload needs to call Amazon S3 and Amazon DynamoDB frequently and must minimize NAT gateway usage. Which solution is the MOST appropriate?

A security engineer wants to identify which VPC security group and network ACL rules are causing intermittent drops for a specific EC2 instance. The engineer needs packet-level visibility at the ENI. Which AWS feature should be used?

A company has two VPCs connected with a transit gateway (TGW). Instances in VPC-A cannot reach instances in VPC-B. VPC route tables point to the TGW attachments correctly. Security groups allow the traffic. What is the MOST likely missing configuration?

An enterprise uses AWS Direct Connect with a private VIF to reach a VPC through a Direct Connect gateway. The company wants to add a second AWS Region and connect additional VPCs using the same on-premises router while maintaining routing isolation between environments. Which approach is MOST appropriate?

A company has many spoke VPCs connected to a central Transit Gateway. The security team requires that all internet-bound traffic from spoke VPCs egress through a dedicated inspection VPC that contains AWS Network Firewall and NAT gateways. Which design meets this requirement with the LEAST operational overhead?

An application team reports that outbound connections from an Auto Scaling group sometimes fail immediately with "connection timeout" when calling a partner API on the internet. The instances are in private subnets and use a NAT gateway for egress. VPC Flow Logs show many REJECT entries on ephemeral ports for the NAT gateway ENI. What is the MOST likely cause?

A company needs to allow on-premises DNS servers to resolve private hosted zone records in Amazon Route 53. The company also needs EC2 instances to resolve on-premises DNS zones. Which solution meets BOTH requirements?

A financial services company must ensure that S3 access from a VPC is limited to specific buckets and that no other S3 buckets (including public buckets) are reachable from workloads in that VPC. The company uses an S3 gateway VPC endpoint. Which approach provides the STRONGEST control?

A company uses AWS Network Firewall for centralized inspection. They add a new firewall policy and notice that some flows are asymmetrically routed, causing stateful rule drops. They are using a Transit Gateway with multiple attachments and an inspection VPC. Which configuration change MOST directly addresses stateful inspection issues caused by asymmetric routing?