Amazon AWS Certified Advanced Networking – Specialty ANS-C01 Exam Dumps and Practice Test Questions Set 4 Q61-80


Question 61 

A company needs to connect multiple branch offices to AWS using AWS Cloud WAN. They require segmentation, centralized policy management, and integration with existing SD-WAN appliances. Which AWS Cloud WAN feature enables this architecture?

A) Core network
B) Virtual private gateway
C) AWS Site-to-Site VPN accelerated by Global Accelerator
D) Transit VPC

Answer: A)

Explanation: 

The core network in AWS Cloud WAN serves as the foundational component enabling global connectivity, centralized policy management, and segmentation across multiple branch locations. The core network allows an administrator to create segments, attach VPCs, and integrate on-premises networks using SD-WAN or physical devices. It provides the centralized orchestration layer that organizations require when expanding connectivity across multiple geographical regions. It also supports policy-driven routing, making it possible to separate traffic by department, compliance boundary, or network domain.

A virtual private gateway does not provide the segmentation or centralized orchestration required for Cloud WAN deployments. It enables a single Site-to-Site VPN or Direct Connect connection to a VPC, which lacks multi-segment routing or centralized multi-site management. A virtual private gateway does not integrate with SD-WAN orchestrators in the same way Cloud WAN does.

AWS Site-to-Site VPN accelerated by Global Accelerator improves VPN performance and reduces packet loss, but it does not provide segmentation, global policy enforcement, or SD-WAN integration. It is limited to point-to-point improvements rather than global network orchestration.

A transit VPC was historically used with third-party appliances to connect multiple sites using VPN, but this pattern has largely been replaced by AWS Transit Gateway and AWS Cloud WAN. Transit VPC lacks Cloud WAN features such as built-in segmentation, automated network mapping, and centralized global policies.

Thus, the core network is the correct answer because it provides segmentation, SD-WAN integration, global policy management, and multi-Region network orchestration required for modern global enterprise architectures.

Question 62 

A company wants to extend its IPv6-only VPC to communicate with IPv4-only on-premises networks using a hybrid environment. Which feature enables automatic translation?

A) NAT64 with DNS64
B) NAT Gateway
C) Egress-only Internet Gateway
D) IPv6 BYOIP

Answer: A)

Explanation: 

NAT64 with DNS64 enables communication from IPv6-only environments to IPv4-only networks by automatically translating IPv6 addresses to IPv4 endpoints. DNS64 synthesizes AAAA records for IPv4-only DNS names, enabling IPv6 clients to initiate communication. NAT64 then performs protocol translation, allowing seamless interoperability. This mechanism is specifically designed for hybrid architectures where applications need to maintain IPv6-only infrastructure while still reaching IPv4 systems.

A NAT gateway supports IPv4-to-IPv4 translation only. It cannot translate IPv6 traffic or enable IPv6-only clients to communicate with IPv4 resources. It is useful in VPCs requiring IPv4 outbound Internet access but not for IPv6 translation.

An egress-only Internet gateway allows IPv6-enabled instances to initiate outbound-only IPv6 connections to the Internet but does not translate protocols. It prevents inbound IPv6 connections, serving security purposes but not hybrid IPv4/IPv6 communication.

IPv6 BYOIP allows organizations to bring their own IPv6 address ranges to AWS but does not offer translation between IPv4 and IPv6. It is strictly an addressing feature and has no role in hybrid protocol compatibility.

Therefore, NAT64 with DNS64 is the correct solution because it enables automatic translation between IPv6-only VPCs and IPv4-only on-premises environments.
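The address synthesis behind DNS64 and NAT64, as an added worked example (not code from the page or from AWS): an IPv4 address is embedded in the low 32 bits of the well-known 64:ff9b::/96 prefix, a DNS64 resolver synthesizes AAAA records only for names that have no native AAAA record, and NAT64 recovers the IPv4 destination from the synthesized address. The zone data and host names are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Well-known NAT64 prefix (RFC 6052). The IPv6-only subnet's route table sends
# 64:ff9b::/96 to the NAT gateway; everything else stays native IPv6.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64 step: embed an IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT64 prefix must be a /96")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 step: recover the IPv4 destination from a synthesized address.
    Returns None for a native IPv6 address, which needs no translation."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_lookup(name: str, zone: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Answer an AAAA query the way a DNS64 resolver does: return native AAAA
    records when they exist, otherwise synthesize AAAA from the A records."""
    rrsets = zone.get(name, {})
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"])  # dual-stack host: no synthesis
    return [synthesize_aaaa(a) for a in rrsets.get("A", [])]


# Constructed sample zone (not real hosts): one IPv4-only on-premises server
# and one dual-stack host.
SAMPLE_ZONE = {
    "erp.corp.example": {"A": ["192.0.2.10"]},
    "api.corp.example": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}

if __name__ == "__main__":
    for host in SAMPLE_ZONE:
        for addr in dns64_lookup(host, SAMPLE_ZONE):
            target = extract_ipv4(addr)
            via = f"NAT64 -> {target}" if target else "native IPv6, direct"
            print(f"{host}: AAAA {addr} ({via})")
```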

Question 63 

A company’s Direct Connect connection is experiencing route flapping. They want to prevent routes from being advertised to AWS during unstable periods. What should they use?

A) BGP dampening
B) Transit Gateway route table filtering
C) Static routes
D) AWS Network Firewall

Answer: A)

Explanation: 

BGP dampening is used to suppress unstable routes that flap frequently. It assigns penalties to routes that change state repeatedly and suppresses their advertisement until stability is restored. This is a widely used mechanism in large-scale networks and is supported in AWS Direct Connect environments. Implementing BGP dampening helps maintain routing stability and prevents propagation of unstable paths.

Transit Gateway route table filtering controls propagation between attachments but does not address route instability originating from BGP sessions. It cannot suppress flapping routes.

Static routes do not respond to changing network conditions and are not appropriate for dynamic hybrid environments. They also cannot prevent unstable dynamic routes from being advertised.

AWS Network Firewall provides inspection and threat prevention, not BGP behavior control. It cannot address route flapping.

Thus, BGP dampening is the correct mechanism to stabilize route advertisements during periods of instability.
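The penalty and decay mechanism behind BGP dampening, as an added simulation (not code from the page or from AWS): each flap adds a fixed penalty, the penalty halves every half-life, advertisement stops once the penalty crosses the suppress limit and resumes when it decays below the reuse limit or the maximum suppress time expires. The parameter values are assumptions that match common router defaults; the customer router's actual configuration is authoritative.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DampeningParams:
    # Assumed values (common router defaults); check the edge router's config.
    flap_penalty: float = 1000.0    # added per withdraw/re-announce
    half_life_min: float = 15.0     # penalty halves every 15 minutes
    suppress_limit: float = 2000.0  # stop advertising at or above this
    reuse_limit: float = 750.0      # resume advertising below this
    max_suppress_min: float = 60.0  # never hold a route back longer than this


@dataclass
class DampenedRoute:
    """Dampening state of one prefix on the customer's Direct Connect edge router."""
    params: DampeningParams = field(default_factory=DampeningParams)
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed_since: Optional[float] = None

    def _decay(self, now_min: float) -> None:
        # Exponential decay: penalty * 0.5 ** (elapsed / half_life)
        elapsed = now_min - self.last_update_min
        self.penalty *= 0.5 ** (elapsed / self.params.half_life_min)
        self.last_update_min = now_min

    def record_flap(self, now_min: float) -> bool:
        """Apply one flap at now_min; returns True if the route is now suppressed."""
        self._decay(now_min)
        self.penalty += self.params.flap_penalty
        if self.suppressed_since is None and self.penalty >= self.params.suppress_limit:
            self.suppressed_since = now_min
        return self.suppressed_since is not None

    def advertise(self, now_min: float) -> bool:
        """Return True if the prefix may be advertised to the AWS peer at now_min."""
        self._decay(now_min)
        if self.suppressed_since is not None:
            held_for = now_min - self.suppressed_since
            if self.penalty < self.params.reuse_limit or held_for >= self.params.max_suppress_min:
                self.suppressed_since = None  # reuse: penalty decayed or max hold reached
        return self.suppressed_since is None


if __name__ == "__main__":
    route = DampenedRoute()
    for t in (0, 1, 2):  # three flaps one minute apart
        print(f"t={t:>3} min flap -> suppressed={route.record_flap(t)} penalty={route.penalty:.0f}")
    for t in (10, 62):
        print(f"t={t:>3} min advertise={route.advertise(t)} penalty={route.penalty:.0f}")
```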

Question 64 

A global application requires low-latency DNS responses and intelligent routing based on geography. Which Route 53 routing policy should be used?

A) Geolocation routing
B) Weighted routing
C) Multivalue answer routing
D) Simple routing

Answer: A)

Explanation: 

Geolocation routing provides responses based on the geographical origin of the DNS query. This ensures users are directed to the most appropriate endpoint for their region. It can be used to meet compliance requirements, improve latency, or localize content delivery. For applications that require geographic intelligence, geolocation routing is the policy designed for that purpose.

Weighted routing distributes traffic in specified proportions but does not consider user geography.

Multivalue answer routing returns multiple healthy IPs but also does not consider geography. It improves availability but not latency based on user location.

Simple routing returns a single record and offers no routing intelligence.

Thus, geolocation routing meets the requirement for geography-based DNS responses.

Question 65 

A company wants to enable encrypted communication across VPCs without using the Internet or VPN. They require automatic encryption at the transport layer. What should they use?

A) AWS PrivateLink
B) AWS VPC Lattice
C) VPC peering
D) Transit Gateway with tunneling

Answer: B)

Explanation: 

AWS VPC Lattice provides service-to-service connectivity with built-in encryption, authentication, and authorization across VPCs without requiring mesh proxies or manual TLS configuration. It ensures end-to-end secure communication across application services, regardless of the underlying network boundaries. VPC Lattice automatically manages encryption at the transport layer, fulfilling the requirement.

AWS PrivateLink exposes services privately but does not automatically establish encrypted communication across arbitrary VPC-to-VPC service relationships. It is limited to interface endpoint connections.

VPC peering allows direct communication but does not automatically enforce encrypted transport-layer communication.

Transit Gateway with tunneling can encrypt traffic only if configured manually, often requiring customer-managed VPN overlays. It does not automatically encrypt traffic natively.

Thus, AWS VPC Lattice is the correct service for encrypted, managed service-to-service connectivity across VPCs.

Question 66 

A company requires accelerated data transfer between on-premises and S3 for large datasets. Which service should they choose?

A) AWS DataSync
B) S3 Transfer Acceleration
C) AWS Snowball Edge
D) S3 Multi-Region Access Points

Answer: B)

Explanation: 

The requirement is for accelerated data transfer between on-premises environments and Amazon S3 for large datasets. S3 Transfer Acceleration is specifically designed to meet this use case. It leverages Amazon’s globally distributed edge locations to optimize data transfer over long distances. When a client uploads data to an accelerated S3 bucket, the request is automatically routed to the nearest AWS edge location. From there, AWS uses its high-speed, private backbone network to route the data efficiently to the destination S3 bucket. This approach significantly reduces latency and accelerates upload speeds, particularly for geographically dispersed locations or situations with high network latency.

AWS DataSync is a fully managed data transfer service that automates movement between on-premises storage and AWS services. It is highly efficient for transferring large amounts of data on a scheduled or recurring basis and supports incremental transfers. However, DataSync does not utilize edge locations to accelerate transfers over long distances. Its focus is automation, reliability, and scheduling, rather than low-latency global transfer. While DataSync can handle large datasets efficiently, it is not optimized for latency-sensitive uploads where performance improvements over WAN connections are critical.

AWS Snowball Edge is an appliance-based service designed for offline or bulk data transfer. Organizations can physically load data onto Snowball devices and ship them to AWS for ingestion into S3. Snowball Edge is ideal for scenarios with extremely large datasets or limited network bandwidth, but it is not intended for continuous, accelerated online transfers. Therefore, it does not meet the requirement of speeding up on-premises uploads over a network connection.

S3 Multi-Region Access Points enable applications to access the nearest copy of data in multiple regions, providing low-latency read access and cross-region replication capabilities. While this improves access performance for applications, it does not accelerate uploads from on-premises locations to S3.

In conclusion, S3 Transfer Acceleration is uniquely suited for accelerating large data transfers over long distances from on-premises to S3. By routing uploads through the closest AWS edge location and then across AWS’s private backbone, it reduces the impact of network latency, ensures faster throughput, and is ideal for distributed teams or remote offices transferring high-volume datasets. This makes it the clear choice for organizations seeking accelerated, online transfers to S3.

Question 67 

A company requires granular application-layer protection for traffic entering ALBs and NLBs. Which solution should they adopt?

A) AWS WAF
B) Security groups
C) Network ACLs
D) Shield Standard

Answer: A)

Explanation: 

The requirement is granular, application-layer protection for traffic entering both Application Load Balancers (ALBs) and Network Load Balancers (NLBs). The correct solution for this scenario is AWS WAF (Web Application Firewall). WAF operates at Layer 7, inspecting HTTP and HTTPS traffic for threats such as SQL injection, cross-site scripting (XSS), HTTP protocol violations, and automated bot activity. It allows organizations to define custom rules or use managed rule sets to filter traffic based on request attributes, headers, query strings, or body content. AWS WAF integrates seamlessly with ALBs and CloudFront distributions, enabling centralized and fine-grained control of application traffic. This ensures that malicious requests are blocked before reaching backend instances, reducing the risk of exploitation.

Security groups, while a critical component of AWS network security, operate at Layer 4 and provide instance-level or ENI-level control. They allow filtering based on IP addresses, ports, and protocols but cannot inspect or filter traffic based on application-layer content. As a result, they cannot address threats such as SQL injection or XSS, which occur at the HTTP/S layer.

Network ACLs provide stateless packet filtering at the subnet level, controlling inbound and outbound traffic based on IP addresses, ports, and protocols. While useful for basic network segmentation, NACLs also cannot inspect application payloads or provide granular Layer 7 filtering.

AWS Shield Standard provides DDoS protection by automatically mitigating common volumetric and network-level attacks. While it protects against denial-of-service threats, it does not offer deep inspection of HTTP/S requests or application-level traffic filtering. Therefore, Shield Standard alone cannot meet the requirement for application-layer security.

By deploying AWS WAF, the organization gains flexible, rule-based filtering and the ability to respond dynamically to evolving threats. WAF also supports logging, monitoring, and automated responses via CloudWatch or Lambda, providing comprehensive visibility and actionable insights into traffic patterns. For organizations that require granular, application-specific protection for ALBs and NLBs, AWS WAF is the only service among the options capable of inspecting and mitigating threats at the application layer while integrating directly with AWS load balancing services.

Question 68 

A company wants to centralize outbound Internet access from multiple VPCs and enforce domain-based filtering. What should they use?

A) Route 53 Resolver DNS Firewall with centralized outbound VPC
B) NAT gateways in each VPC
C) Egress-only Internet gateway
D) VPC peering with security groups

Answer: A)

Explanation: 

The organization seeks centralized outbound Internet access from multiple VPCs while enforcing domain-based filtering. The optimal solution for this is Route 53 Resolver DNS Firewall integrated with a centralized outbound VPC. This architecture allows all DNS queries from various VPCs to be routed to a single, centralized outbound resolver. DNS Firewall policies can then inspect the requested domains and block or allow them based on predefined rules. This approach enables consistent, organization-wide control of DNS resolution and ensures that only approved domains are accessible from internal resources. It also allows centralized logging of DNS queries for auditing, compliance, or security analysis.

Deploying NAT gateways in each VPC allows instances to access the Internet over IPv4. While NAT provides basic outbound connectivity, it does not provide DNS-level or domain-based filtering. It only translates private IP addresses to public ones and routes traffic, lacking the ability to enforce content-specific security policies.

An egress-only Internet gateway enables outbound IPv6 traffic from a VPC, ensuring that IPv6-only instances can reach the Internet. However, it cannot filter domains or inspect DNS queries, making it unsuitable for centralized domain-based access control.

VPC peering allows direct network connectivity between two VPCs using private IPs. While it can facilitate traffic routing, it does not provide centralized egress capabilities or DNS filtering. Each peered VPC retains its own routing and DNS policies, making it difficult to enforce consistent domain-level security across multiple VPCs.

By using Route 53 Resolver DNS Firewall with a centralized outbound VPC, organizations gain multiple benefits. First, all VPCs can rely on a single outbound resolver for DNS queries, simplifying management and policy enforcement. Second, DNS Firewall allows fine-grained control, blocking access to malicious or unapproved domains while allowing legitimate traffic. Third, this setup integrates with AWS logging and monitoring tools to provide visibility into attempted connections, policy violations, and usage trends.

This solution is especially effective in multi-VPC environments where security, compliance, and consistent outbound controls are critical. By centralizing outbound Internet access and using domain-based filtering, organizations can protect against malware, phishing domains, and unauthorized Internet access, while maintaining operational simplicity and consistent policy enforcement. Hence, Route 53 Resolver DNS Firewall in a centralized outbound VPC is the most appropriate solution.

Question 69 

An organization needs fine-grained network insights, including flow records, metadata extraction, and real-time packet-level analysis. Which AWS service provides this?

A) VPC Traffic Mirroring
B) VPC Flow Logs
C) CloudTrail
D) GuardDuty

Answer: A)

Explanation: 

The requirement is for fine-grained network visibility, including packet-level captures, metadata extraction, and real-time network traffic analysis. The AWS service that fulfills this need is VPC Traffic Mirroring. Traffic Mirroring allows the duplication of network traffic from Elastic Network Interfaces (ENIs) of EC2 instances to monitoring and security appliances for analysis. This includes full packet-level data, not just metadata, enabling organizations to inspect application protocols, detect anomalies, perform deep packet inspection, or feed traffic into advanced monitoring solutions like intrusion detection systems (IDS) or SIEM tools.

VPC Flow Logs capture metadata about network traffic, such as source and destination IP addresses, ports, protocol types, and the number of bytes and packets transferred. While VPC Flow Logs are valuable for auditing, troubleshooting, and high-level network visibility, they do not capture payloads. Therefore, they cannot be used for detailed forensic analysis or to inspect the content of network traffic.

AWS CloudTrail logs API calls made within the AWS environment. It provides visibility into actions performed on AWS resources, including the user, source IP, and parameters of the API request. CloudTrail is crucial for auditing and compliance but does not provide network-level traffic visibility or packet capture capabilities.

AWS GuardDuty is a managed threat detection service that analyzes various AWS data sources, including VPC Flow Logs, CloudTrail events, and DNS logs. GuardDuty identifies suspicious activity or potential threats, such as reconnaissance or compromised instances. However, it operates on metadata rather than raw packet captures, limiting its ability to provide detailed, packet-level analysis.

By using VPC Traffic Mirroring, organizations gain the ability to monitor network traffic in real time with high granularity. Security teams can detect anomalies, investigate security incidents, perform protocol analysis, and support forensic investigations. Traffic Mirroring is particularly useful for hybrid security solutions that require detailed insight into internal traffic between workloads. It provides comprehensive visibility into both east-west traffic within a VPC and north-south traffic between VPCs or on-premises networks.

Given the requirement for deep, fine-grained network insights that include full packet capture, metadata extraction, and real-time analysis, VPC Traffic Mirroring is the only service among the options that meets all criteria. It empowers organizations to proactively monitor, secure, and troubleshoot their AWS networks with a level of detail beyond what Flow Logs, CloudTrail, or GuardDuty can provide.

Question 70 

A company wants cross-Region private connectivity between VPCs with overlapping CIDR blocks. What should they use?

A) AWS PrivateLink
B) VPC peering
C) Transit Gateway peering
D) Direct Connect gateway associations

Answer: A)

Explanation: 

The requirement is cross-Region private connectivity between VPCs with overlapping CIDR blocks. The appropriate solution is AWS PrivateLink, which enables private, secure connectivity to services across VPCs, accounts, and regions without exposing overlapping network ranges. PrivateLink works using interface endpoints, which are Elastic Network Interfaces (ENIs) with private IP addresses in the VPC, providing access to a service hosted in another VPC. Because traffic flows through these endpoints, there is no need for the VPCs to have unique CIDR blocks, allowing organizations to connect networks with overlapping IP ranges.

VPC peering is a traditional method of connecting two VPCs directly. While it provides private connectivity, it requires non-overlapping CIDR blocks because the routing between peered VPCs relies on unique IP ranges. If the CIDR ranges overlap, routing conflicts occur, making peering infeasible in such scenarios.

Transit Gateway peering is another method of interconnecting VPCs via a central Transit Gateway. Similar to VPC peering, Transit Gateway requires non-overlapping CIDR blocks between attached VPCs for proper route propagation. Overlapping networks cannot be connected directly through Transit Gateway peering because the routing tables cannot distinguish between identical IP ranges in different VPCs.

Direct Connect gateway associations allow private connectivity between on-premises networks and multiple VPCs through Direct Connect. While Direct Connect supports routing to multiple VPCs, it does not inherently solve the overlapping CIDR problem for VPC-to-VPC connectivity. Direct Connect provides high-throughput private connectivity to AWS, but additional services like PrivateLink are needed to handle overlapping CIDRs between VPCs.

By using AWS PrivateLink, organizations can expose services hosted in one VPC as endpoints in another VPC, regardless of overlapping IP ranges. This is particularly beneficial in multi-account or multi-tenant architectures where CIDR conflicts are common. PrivateLink also enhances security by keeping traffic within the AWS network, eliminating the need for public IPs, NAT, or VPNs. It supports cross-region communication through inter-region VPC endpoints, enabling private, low-latency connectivity between VPCs in different regions.

Question 71 

A company wants to inspect all inbound and outbound traffic for multiple VPCs using third-party security appliances. The traffic should be centralized and scalable. Which AWS architecture supports this?

A) Transit Gateway with appliance mode and Gateway Load Balancer
B) VPC Peering with a NAT Gateway
C) Direct Connect with VPN fallback
D) Internet Gateway with Route 53

Answer: A)

Explanation: 

The first selection refers to combining AWS Transit Gateway in appliance mode with Gateway Load Balancer (GWLB). Transit Gateway provides centralized routing for multiple VPCs, allowing all traffic to be directed to an inspection VPC. Appliance mode enables asymmetric routing, ensuring that traffic can flow to the security appliances and back without being dropped due to source/destination mismatches. GWLB distributes the traffic across multiple security appliances in a highly available, scalable way. This combination allows inspection of all traffic, including east-west (VPC-to-VPC) and north-south (internet-bound), while maintaining centralized management and the ability to scale appliances according to load. It is the recommended AWS pattern for centralized inspection architectures in multi-VPC environments.

The second selection, VPC Peering with a NAT Gateway, is limited because VPC peering does not allow transitive routing. Peering connections only allow communication between the peered VPCs, so routing traffic through a centralized inspection VPC is not feasible. NAT Gateways only provide IPv4 address translation for outbound internet traffic and do not perform packet inspection.

The third selection, Direct Connect with VPN fallback, is a hybrid connectivity solution for connecting on-premises networks to AWS. While Direct Connect provides low-latency, high-bandwidth connectivity, it does not inspect traffic or provide centralized security inspection. VPN fallback allows redundancy but does not scale inspection across multiple VPCs.

The fourth selection, Internet Gateway with Route 53, provides basic internet connectivity and DNS services, which cannot perform packet inspection or centralize traffic monitoring. IGWs handle north-south routing but offer no centralized filtering, and Route 53 is a DNS service with no role in packet-level inspection.

Thus, Transit Gateway with appliance mode combined with GWLB is the correct solution because it enables centralized, scalable, and comprehensive inspection of all traffic across multiple VPCs.

Question 72 

A company wants to enforce outbound domain-level filtering across all VPCs while maintaining hybrid connectivity with on-premises. Which AWS service should they use?

A) Route 53 Resolver DNS Firewall
B) NAT Gateway
C) Network ACLs
D) Security groups

Answer: A)

Explanation: 

Route 53 Resolver DNS Firewall enables domain-based filtering for outbound DNS queries from VPCs. By creating firewall rule groups and associating them with VPCs, organizations can block or allow specific domains. This approach allows centralized management of outbound domain access while maintaining hybrid connectivity through Direct Connect or Site-to-Site VPN. It supports multiple accounts using AWS Organizations and ensures consistent policy enforcement across all VPCs. Resolver endpoints can be created to handle DNS queries from on-premises systems as well.

NAT Gateways provide IPv4 address translation for outbound traffic but do not filter based on DNS or domain names. NAT Gateways operate at the L3/L4 level and cannot perform application-layer domain filtering.

Network ACLs are stateless, subnet-level firewalls that filter traffic based on IP, protocol, or port but cannot inspect DNS queries or block specific domain names. They also require complex configuration for multi-VPC environments and do not support centralized enforcement.

Security groups are stateful, instance-level firewalls that filter traffic by IP, protocol, or port. They cannot filter traffic based on domain names or enforce policies across multiple VPCs in a centralized manner.

Therefore, Route 53 Resolver DNS Firewall is the correct choice because it provides centralized, domain-based filtering for outbound DNS queries across multiple VPCs and hybrid networks.
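How DNS Firewall decides the fate of a query, as an added model for the centralized filtering in Questions 68 and 72 (not code from the page or from AWS): rule groups associated with a VPC are evaluated in association-priority order, rules within a group in rule-priority order, and the first matching domain-list entry wins; an entry like `example.com` matches only that name, while `*.example.com` matches its subdomains and not the apex. The rule groups, domain lists and names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    priority: int                          # lower number is evaluated first
    domains: List[str]                     # domain-list entries, e.g. "*.corp.example"
    action: str                            # "ALLOW", "BLOCK" or "ALERT"
    block_response: Optional[str] = None   # "NODATA", "NXDOMAIN" or "OVERRIDE" for BLOCK


@dataclass(frozen=True)
class RuleGroupAssociation:
    name: str
    priority: int                          # association priority; lower wins across groups
    rules: List[FirewallRule]


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def domain_matches(entry: str, qname: str) -> bool:
    """Domain-list semantics: an exact entry matches only itself; a '*.' entry
    matches subdomains but not the apex name."""
    entry, qname = _normalize(entry), _normalize(qname)
    if entry.startswith("*."):
        suffix = entry[1:]                 # ".corp.example"
        return qname.endswith(suffix) and qname != suffix[1:]
    return qname == entry


def evaluate_query(
    qname: str, associations: List[RuleGroupAssociation]
) -> Tuple[Optional[str], str, Optional[str]]:
    """Return (rule group, action, block response) of the first matching rule,
    or (None, 'ALLOW', None) when no rule matches and the query resolves normally."""
    for assoc in sorted(associations, key=lambda a: a.priority):
        for rule in sorted(assoc.rules, key=lambda r: r.priority):
            if any(domain_matches(d, qname) for d in rule.domains):
                return assoc.name, rule.action, rule.block_response
    return None, "ALLOW", None


# Constructed associations: an organization-wide baseline group (priority 101)
# and a lower-priority team group that only alerts. Listed out of order on
# purpose; evaluation sorts by priority.
SAMPLE_ASSOCIATIONS = [
    RuleGroupAssociation("team-audit", priority=200, rules=[
        FirewallRule(1, ["*.filesharing.example"], "ALERT"),
    ]),
    RuleGroupAssociation("org-baseline", priority=101, rules=[
        FirewallRule(1, ["corp.example", "*.corp.example"], "ALLOW"),
        FirewallRule(2, ["blocked.example", "*.blocked.example"], "BLOCK", "NXDOMAIN"),
    ]),
]

if __name__ == "__main__":
    for q in ("db.corp.example", "c2.blocked.example", "drop.filesharing.example", "www.example.com"):
        print(q, "->", evaluate_query(q, SAMPLE_ASSOCIATIONS))
```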

Question 73 

A company wants to send AWS service traffic privately without exposing the traffic to the Internet and enforce strict service-level policies. Which solution meets this requirement?

A) VPC Endpoints with policy enforcement
B) NAT Gateway
C) Internet Gateway
D) Transit Gateway peering

Answer: A)

Explanation: 

VPC Endpoints, particularly interface endpoints, allow private connectivity to AWS services such as S3, DynamoDB, or custom services in other VPCs. By attaching endpoint policies, organizations can enforce service-specific permissions, restrict access to particular accounts, and control which principals can connect. This enables traffic to remain entirely on the AWS private network, avoiding exposure to the public internet. Endpoint services integrate with AWS PrivateLink, allowing secure, service-level access between VPCs and across accounts without managing IP overlap or routing issues.

NAT Gateways translate private subnet traffic to public IPs for internet access but cannot enforce service-level policies. They provide no mechanism for restricting access to particular AWS services or accounts.

Internet Gateways provide public internet access for VPCs. Traffic flows over the internet and cannot be restricted to private AWS services. Policies at the service level are not enforceable through IGW.

Transit Gateway peering connects VPCs across accounts or regions, enabling routing between networks, but does not provide service-level access enforcement. While TGW manages routing, it does not control which AWS services can be accessed, nor does it prevent internet exposure.

Thus, VPC Endpoints with policy enforcement are the correct solution because they enable private, service-specific access with strict policy control.

Question 74 

A company wants to centralize monitoring and analysis of packet-level traffic from multiple VPCs in real-time. Which AWS service should they deploy?

A) VPC Traffic Mirroring
B) VPC Flow Logs
C) GuardDuty
D) CloudTrail

Answer: A)

Explanation: 

VPC Traffic Mirroring enables packet-level capture of network traffic from EC2 instances, ENIs, or network appliances. Traffic is mirrored to monitoring or security appliances, providing full visibility into network sessions for deep packet inspection, threat analysis, and performance troubleshooting. It supports real-time monitoring and centralized inspection, making it ideal for environments with multiple VPCs where packet-level data is needed for security and compliance.

VPC Flow Logs capture metadata, such as source/destination IPs, ports, and protocols, but they do not include packet payloads. Flow logs are useful for trend analysis, auditing, or basic traffic monitoring but cannot support packet-level inspection.

GuardDuty analyzes logs from VPC Flow Logs, CloudTrail, and DNS queries to detect threats. While useful for security alerts, it does not provide packet-level data for analysis or inspection.

CloudTrail captures API activity within AWS accounts. It is valuable for auditing and compliance but is unrelated to network packet monitoring or real-time traffic inspection.

Therefore, VPC Traffic Mirroring is the correct choice because it provides detailed, packet-level visibility suitable for centralized, real-time monitoring.

Question 75 

A company wants to connect multiple VPCs with overlapping CIDR ranges across accounts while maintaining private connectivity. Which solution supports this?

A) AWS PrivateLink
B) VPC Peering
C) Transit Gateway peering
D) Direct Connect gateway

Answer: A)

Explanation:

AWS PrivateLink provides service endpoints using interface endpoints. Because the connectivity is service-level rather than network-level, overlapping VPC CIDRs do not cause conflicts. PrivateLink allows private communication between VPCs or accounts without requiring CIDR uniqueness. It is ideal for sharing services securely across accounts with overlapping IP ranges. Traffic remains on the AWS private network and is encrypted in transit.

VPC Peering requires non-overlapping CIDRs. Overlapping IP addresses in peered VPCs prevent proper routing and cause conflicts, making this solution unsuitable.

Transit Gateway peering also requires non-overlapping CIDRs for routing. Although TGW supports multi-account connections, it cannot manage overlapping networks without NAT or address translation.

Direct Connect gateway enables hybrid connectivity to multiple VPCs from on-premises networks but does not resolve overlapping CIDR conflicts. Routing between overlapping networks requires additional NAT configurations.

Therefore, PrivateLink is the correct choice for private service connectivity across VPCs with overlapping IP ranges.

Question 76 

A company needs low-latency access for mobile applications that require near real-time processing at 5G edge locations. Which AWS solution should they use?

A) AWS Wavelength Zones
B) Local Zones
C) Outposts
D) Snowball Edge

Answer: A)

Explanation: 

AWS Wavelength Zones extend AWS infrastructure to telecom provider locations that are close to 5G network base stations. This architecture is specifically designed to minimize latency for mobile and edge applications by hosting compute, storage, and networking resources at the network edge, physically near the end users. By positioning resources directly within the telecom provider’s data centers, Wavelength Zones reduce the distance that data must travel over the internet, effectively decreasing round-trip times from tens of milliseconds to single-digit milliseconds. This ultra-low-latency environment is critical for applications that require real-time processing, such as multiplayer gaming, live video streaming, augmented and virtual reality, autonomous vehicles, industrial IoT, and interactive mobile applications.

Wavelength integrates seamlessly with core AWS services, including Amazon EC2, Amazon ECS, Amazon EKS, Amazon S3, and networking services, allowing developers to deploy applications and workloads at the edge while maintaining a consistent operational experience with the AWS cloud. Traffic between Wavelength Zones and the main AWS Region is carried over the AWS network backbone, ensuring secure, high-bandwidth connectivity without traversing the public internet. This also allows hybrid architectures where the low-latency edge handles real-time processing, and the central AWS Region handles storage, analytics, and orchestration.

In contrast, AWS Local Zones place compute and storage closer to large metropolitan areas. They reduce latency compared to traditional AWS Regions, making them suitable for applications like media rendering, local content delivery, and regional workloads. However, Local Zones are typically located in data centers that are not directly integrated with telecom 5G networks. As a result, while they improve latency for general metropolitan workloads, they are not sufficient for ultra-low-latency, real-time mobile workloads that rely on 5G connectivity.

AWS Outposts deliver fully managed AWS infrastructure on-premises, suitable for private data centers or edge deployments within corporate facilities. Outposts are ideal for workloads requiring low-latency access to on-premises systems or local processing for enterprise environments. However, they do not extend directly into 5G networks and therefore cannot achieve the same millisecond-level latency benefits for mobile users that Wavelength Zones provide.

AWS Snowball Edge is a physical, portable device used for offline data transfer or limited edge computing. While it can perform processing at the edge in disconnected or constrained environments, it does not provide live access to low-latency 5G mobile networks. It is intended for batch processing, data migration, and edge workloads with intermittent connectivity rather than real-time mobile interactions.

Question 77

A company wants to deploy centralized firewall inspection for all east-west and north-south traffic across hundreds of VPCs. Which architecture is recommended?

A) Transit Gateway with appliance mode and GWLB
B) Multiple VPC peering connections
C) IGWs with security groups
D) Direct Connect with BGP filters

Answer: A)

Explanation: 

The company requires centralized firewall inspection for all traffic, both east-west (VPC-to-VPC) and north-south (Internet-bound), across hundreds of VPCs. The recommended solution is AWS Transit Gateway in appliance mode combined with Gateway Load Balancer (GWLB). Transit Gateway (TGW) serves as a central hub connecting multiple VPCs and on-premises networks, providing scalable, transitive routing. In appliance mode, TGW ensures that traffic from multiple VPCs can be directed through a centralized inspection point, such as firewall appliances, before reaching its destination. This configuration enables asymmetric routing, allowing traffic from different VPCs to flow through shared inspection infrastructure without requiring complex routing logic in each VPC.

Gateway Load Balancer complements this architecture by distributing traffic across multiple firewall appliances. GWLB ensures high availability, automatic scaling, and redundancy, enabling the organization to inspect traffic efficiently at scale. Together, TGW in appliance mode and GWLB provide a robust framework for managing centralized inspection across large, multi-VPC environments. Traffic can be inspected for policy enforcement, threat detection, or compliance before continuing to the destination.

Alternative solutions are limited in scalability. Multiple VPC peering connections do not support transitive routing. Peering requires each VPC to establish direct connections with others, making it infeasible to route all traffic through a centralized firewall. As the number of VPCs increases, the number of peering connections grows exponentially, leading to management complexity and routing limitations.

Internet Gateways (IGWs) with security groups only manage north-south traffic and instance-level filtering. Security groups provide Layer 4 access control but cannot centralize traffic inspection for multiple VPCs or east-west traffic.

Direct Connect with BGP filters enables secure hybrid connectivity and some routing controls, but it does not inspect traffic within AWS or provide a centralized firewall solution. It is primarily designed for connecting on-premises networks to AWS with policy-based routing.

In conclusion, for an organization seeking centralized, scalable firewall inspection across hundreds of VPCs for both east-west and north-south traffic, Transit Gateway in appliance mode combined with GWLB is the most effective and manageable architecture. It ensures high availability, scalability, centralized policy enforcement, and the ability to route all traffic through inspection appliances efficiently.
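The centralized inspection architecture above, as an added Terraform example that is not from the page: a Transit Gateway attachment for the shared inspection VPC with appliance mode enabled, a Gateway Load Balancer published as an endpoint service, and the two route tables that force spoke traffic through the GWLB endpoint. The inspection VPC, its subnets (`tgw_a`, `fw_a`, `gwlbe_a`), its route table and the firewall appliances are assumed to exist elsewhere in the configuration.

```hcl
resource "aws_ec2_transit_gateway" "hub" {
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# Appliance mode pins both directions of a flow to the same AZ, so one stateful appliance sees the whole session.
resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  vpc_id                 = aws_vpc.inspection.id
  subnet_ids             = [aws_subnet.tgw_a.id]
  appliance_mode_support = "enable" # the default, "disable", breaks stateful inspection
}

# Gateway Load Balancer in front of the firewall fleet (listener and appliance target group omitted).
resource "aws_lb" "gwlb" {
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnets            = [aws_subnet.fw_a.id]
}

resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

# One GWLB endpoint per AZ in production; a single AZ is shown here.
resource "aws_vpc_endpoint" "gwlbe_a" {
  vpc_id            = aws_vpc.inspection.id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [aws_subnet.gwlbe_a.id]
}

# Spoke VPCs send all traffic, east-west and north-south, to the inspection attachment.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route" "spoke_default" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
}

# Inside the inspection VPC, the TGW subnet's route table hands every packet to the GWLB endpoint.
resource "aws_route" "tgw_subnet_to_gwlbe" {
  route_table_id         = aws_route_table.tgw_a.id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe_a.id
}
```

The GWLB endpoint subnet needs a return route back to the Transit Gateway for the spoke CIDRs (and an Internet-bound path via NAT for north-south), otherwise inspected traffic has nowhere to go after the appliance releases it.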

Question 78 

A company requires failover between multiple Regions for a critical web application with minimal latency. Which solution should they use?

A) Route 53 latency-based routing with health checks
B) CloudFront only
C) VPC Peering
D) Direct Connect multi-region

Answer: A)

Explanation: 

The requirement is failover between multiple AWS Regions for a critical web application, ensuring minimal latency for users. The correct solution is Amazon Route 53 latency-based routing (LBR) with health checks. LBR allows Route 53 to route users to the AWS Region that provides the lowest network latency from their location. Each endpoint (application in a Region) is continuously monitored through health checks. If an endpoint becomes unhealthy or unavailable, Route 53 automatically removes it from DNS responses, directing traffic to the next best-performing Region. This ensures both high availability and optimal performance without requiring manual intervention.

LBR is particularly suited for global applications where users are distributed across continents. It reduces response times by minimizing latency while providing automatic failover, ensuring continuity of service even if one Region fails. The combination of latency-based routing and health checks allows organizations to maintain a seamless user experience across multiple Regions.

Alternative solutions do not meet the full requirement. CloudFront is a global Content Delivery Network (CDN) that caches and delivers content closer to users. While CloudFront improves latency for static and dynamic content, it does not provide full application failover across Regions. Dynamic applications or endpoints outside the cache layer would still require DNS-level failover for reliability.

VPC Peering is purely inter-VPC networking and does not influence global user routing or failover. Peering connects VPCs privately but cannot manage DNS-based routing to direct users to the lowest-latency Region.

Direct Connect multi-region enables private network connectivity to AWS from on-premises locations. While it improves network performance and reliability for hybrid workloads, it does not provide user-facing failover or global DNS routing.
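Latency-based routing with health checks, as an added Terraform example that is not from the page: one DNS name resolves to whichever of two Regional ALBs has the lowest latency for the resolver, and a Region whose health check fails is dropped from answers. The hosted zone, the two ALBs (`aws_lb.east`, `aws_lb.west`, created through per-Region providers) and the hostname are assumptions.

```hcl
# Regional entry points (the ALBs and the hosted zone are assumed to exist).
locals {
  regions = {
    "us-east-1" = { dns = aws_lb.east.dns_name, zone = aws_lb.east.zone_id }
    "eu-west-1" = { dns = aws_lb.west.dns_name, zone = aws_lb.west.zone_id }
  }
}

# One health check per Region. Route 53 probes /health from several checker
# locations; three failures at the 10 s interval mark the Region unhealthy.
resource "aws_route53_health_check" "app" {
  for_each          = local.regions
  fqdn              = each.value.dns
  type              = "HTTPS"
  port              = 443
  resource_path     = "/health"
  request_interval  = 10
  failure_threshold = 3
}

# Same name, one record per Region. Route 53 answers with the lowest-latency
# Region whose health check passes; a failed Region drops out of responses.
resource "aws_route53_record" "app" {
  for_each        = local.regions
  zone_id         = aws_route53_zone.main.zone_id
  name            = "app.example.com"
  type            = "A"
  set_identifier  = each.key
  health_check_id = aws_route53_health_check.app[each.key].id

  latency_routing_policy {
    region = each.key
  }

  alias {
    name                   = each.value.dns
    zone_id                = each.value.zone
    evaluate_target_health = true # also fail over when the ALB has no healthy targets
  }
}
```

Make `/health` reflect real application health (database reachable, dependencies up) rather than a static 200, or Route 53 will keep sending users to a Region that is up but not working.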

Question 79 

A company wants to analyze hybrid network performance and capture metrics for on-premises and AWS VPC connectivity. Which AWS feature supports this?

A) CloudWatch metrics with Transit Gateway Network Manager
B) VPC Flow Logs
C) GuardDuty
D) AWS Config

Answer: A)

Explanation: 

The company wants to analyze hybrid network performance and capture detailed metrics for both on-premises networks and AWS VPC connectivity. The appropriate solution is AWS Transit Gateway Network Manager (TGW NM) integrated with CloudWatch metrics. TGW NM provides a centralized view of global network topology and health for VPCs connected via Transit Gateway, Direct Connect, and VPN connections. It collects metrics such as latency, jitter, packet loss, and traffic volumes, providing visibility into both AWS and on-premises segments. This capability is critical for organizations managing complex hybrid networks where performance monitoring, troubleshooting, and optimization are essential.

TGW Network Manager integrates with CloudWatch to provide real-time dashboards and alerting, enabling proactive identification of network issues. Network teams can visualize traffic paths, detect bottlenecks, and ensure connectivity SLAs are met. Additionally, it supports multiple Transit Gateways across regions, giving a unified view of hybrid network performance across the enterprise.

Alternative solutions provide partial visibility but do not meet hybrid performance requirements. VPC Flow Logs capture metadata about network traffic within a VPC, including source/destination IPs, ports, protocols, and bytes transferred. However, Flow Logs do not capture latency, jitter, or packet loss, making them insufficient for end-to-end performance analysis.

AWS GuardDuty detects potential security threats using VPC Flow Logs, CloudTrail events, and DNS logs. It is focused on security intelligence and anomaly detection rather than performance monitoring. While valuable for identifying malicious activity, it does not provide the latency and reliability metrics needed for hybrid network performance.

AWS Config audits and monitors AWS resource configurations for compliance. It tracks changes and maintains configuration history but does not provide network-level performance metrics or visibility into hybrid connectivity.

By using Transit Gateway Network Manager with CloudWatch, organizations gain both centralized monitoring and detailed performance analysis. Teams can correlate performance metrics across AWS and on-premises networks, optimize routing, and troubleshoot latency-sensitive workloads effectively. This solution enables proactive management of hybrid networks, ensuring reliability, performance, and operational efficiency.

Question 80 

A company requires private, service-to-service connectivity across multiple AWS accounts with automatic encryption and authentication. Which service meets this requirement?

A) AWS VPC Lattice
B) VPC Peering
C) Transit Gateway
D) Direct Connect

Answer: A)

Explanation: 

The requirement is private, service-to-service connectivity across multiple AWS accounts with automatic encryption and authentication. The correct solution is AWS VPC Lattice. VPC Lattice is a fully managed service that allows services in multiple VPCs and accounts to communicate securely without requiring overlapping CIDR adjustments. It provides built-in transport-layer encryption, mutual authentication, and IAM-based access control for inter-service communication. This simplifies the creation of secure, cross-account service meshes, eliminating the need for manual TLS configuration or extensive network-level setup.

VPC Lattice supports automatic traffic encryption and authentication between services, enabling secure multi-account architectures at the application layer. Administrators can define service-level access policies centrally, reducing operational complexity and ensuring consistent security standards across large organizations. This architecture is ideal for enterprise environments where services are deployed in multiple accounts for isolation, compliance, or billing separation.

Alternative solutions have limitations. VPC Peering provides only network-level connectivity. It requires non-overlapping CIDRs and does not automatically provide encryption or authentication between services. Organizations would need to configure TLS manually for each connection, which is operationally intensive and error-prone.

Transit Gateway enables network-level routing between VPCs, supporting scalable connectivity across accounts. However, TGW does not provide service-to-service authentication or automatic encryption. Services connected via TGW would require separate TLS configuration, leaving security enforcement at the network layer rather than at the service layer.

Direct Connect establishes private, high-bandwidth hybrid connections between on-premises networks and AWS but does not facilitate service-level communication between VPCs or accounts with automatic encryption and authentication.

By choosing VPC Lattice, the company achieves a fully managed, secure, and encrypted service mesh spanning multiple accounts and VPCs. It reduces administrative overhead, eliminates the need for CIDR adjustments, and ensures consistent security policies, making it the ideal solution for enterprises needing private, cross-account service connectivity with built-in security features.
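The VPC Lattice setup above, as an added Terraform example that is not from the page: a service network that requires IAM authentication, an auth policy that only admits principals from one AWS Organization, and a consumer VPC and a published service joined to it. The organization ID is a placeholder; the consumer VPC, its client security group, and the service's listener and target group are assumed to exist.

```hcl
# Service network with IAM auth. "NONE" would let any associated VPC call any service.
resource "aws_vpclattice_service_network" "internal" {
  name      = "internal-services"
  auth_type = "AWS_IAM"
}

# Network-wide auth policy: only identities from our Organization may invoke
# services. Per-service policies can narrow this further.
resource "aws_vpclattice_auth_policy" "internal" {
  resource_identifier = aws_vpclattice_service_network.internal.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = "vpc-lattice-svcs:Invoke"
      Resource  = "*"
      Condition = {
        StringEquals = { "aws:PrincipalOrgID" = "o-EXAMPLE" } # placeholder org ID
      }
    }]
  })
}

# Each account's VPC joins the network; the security group limits which
# clients inside that VPC may reach Lattice at all.
resource "aws_vpclattice_service_network_vpc_association" "consumer" {
  vpc_identifier             = aws_vpc.consumer.id
  service_network_identifier = aws_vpclattice_service_network.internal.id
  security_group_ids         = [aws_security_group.lattice_clients.id]
}

# A service published into the network, itself requiring IAM auth
# (HTTPS listener and target group omitted).
resource "aws_vpclattice_service" "orders" {
  name      = "orders"
  auth_type = "AWS_IAM"
}

resource "aws_vpclattice_service_network_service_association" "orders" {
  service_identifier         = aws_vpclattice_service.orders.id
  service_network_identifier = aws_vpclattice_service_network.internal.id
}
```

Callers of an `AWS_IAM` service must SigV4-sign their requests; an unsigned request is evaluated as anonymous and denied by this policy, which is the authentication guarantee the question refers to.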
