AWS Certified Advanced Networking - Specialty Intermediate Practice Exam: Medium Difficulty 2025

A financial services company has a VPC with multiple subnets across three Availability Zones. They need to establish connectivity to their on-premises data center using AWS Direct Connect with a requirement for redundancy and automatic failover. The solution must ensure that if the Direct Connect connection fails, traffic can route through a VPN connection without manual intervention. Which architecture should the network engineer implement?

A company is deploying a multi-tier application across three VPCs in the same AWS Region: a shared services VPC, a production VPC, and a development VPC. The production and development VPCs must access shared resources in the shared services VPC, but production and development VPCs must not be able to communicate with each other. All VPCs use non-overlapping CIDR blocks. What is the most efficient solution to achieve this connectivity requirement?

A media streaming company uses AWS Global Accelerator to serve content to users worldwide. They notice that some users in specific geographic regions experience connection timeouts during peak hours. The application runs on EC2 instances behind Application Load Balancers in three AWS Regions. Network engineers need to ensure traffic is routed to the closest healthy endpoint while preventing overload. What configuration should they implement?

A healthcare organization requires that all traffic between their VPC and Amazon S3 must not traverse the public internet to comply with regulatory requirements. The VPC hosts applications across both public and private subnets. The solution must allow EC2 instances in private subnets to access S3 without requiring NAT Gateway charges, while instances in public subnets should use the same secure path. What implementation meets these requirements?

A company's security team has identified that their production VPC's CIDR block (10.0.0.0/16) is running out of available IP addresses. The VPC hosts multiple production workloads and cannot be recreated. They need to expand the address space while maintaining existing resources and network configurations. Which approach should the network architect take?

A company uses AWS Transit Gateway to connect 15 VPCs across multiple AWS accounts in an organization. The security team requires that VPCs in the production account can only communicate with VPCs in the shared services account, while development VPCs can communicate with both production and shared services. Additionally, all traffic between production and shared services must be inspected by a firewall appliance in a dedicated security VPC. How should this be architected?

An e-commerce application running on EC2 instances behind a Network Load Balancer experiences intermittent connection failures. The instances are in private subnets across three Availability Zones. VPC Flow Logs show REJECT entries for traffic from the NLB to target instances on the health check port. The security group attached to the instances allows inbound traffic on the application port (443) and health check port (80) from the VPC CIDR. What is the most likely cause and solution?

A SaaS company needs to provide secure, private connectivity to their service running in AWS for multiple customer VPCs across different AWS accounts. Customers should be able to access the service using private IP addresses without requiring VPC peering or exposing the service to the internet. The solution must scale to hundreds of customers with minimal operational overhead. What AWS service should be implemented?

A financial institution has a compliance requirement to log and monitor all DNS queries made from their VPC for security analysis. The VPC uses the default Amazon-provided DNS resolver. The security team needs to capture query logs, analyze them for suspicious domains, and retain them for 7 years. Which solution meets these requirements with the least operational complexity?

A company operates a hybrid cloud architecture with multiple VPCs connected to on-premises data centers via AWS Direct Connect. They are experiencing asymmetric routing issues where traffic from AWS to on-premises uses Direct Connect, but return traffic from on-premises routes through a backup internet VPN connection, causing connection failures. BGP is configured on both connections. What is the most effective solution to ensure symmetric routing?