Amazon AWS Certified Advanced Networking – Specialty ANS-C01 Exam Dumps and Practice Test Questions Set 8 Q141-160

Visit here for our full Amazon AWS Certified Advanced Networking – Specialty ANS-C01 exam dumps and practice test questions.

Question 141 

A company wants to ensure that critical applications continue running without downtime if the underlying host fails. Which AWS feature should they enable?

A) AWS Fault Tolerance with EC2 Auto Recovery
B) Elastic Load Balancing
C) Route 53 Latency Routing
D) NAT Gateway

Answer: A)

Explanation: 

AWS provides fault-tolerance mechanisms for EC2 instances that ensure critical applications continue running during underlying hardware failures. EC2 Auto Recovery detects instance or hardware failures and automatically recovers the instance on healthy infrastructure, minimizing downtime. Combined with high-availability architectures, such as deployment across multiple Availability Zones, this provides continuous operation for critical workloads. Fault-tolerant designs leverage redundant components to maintain service continuity even if one component fails.

Elastic Load Balancing (ELB) distributes incoming traffic across multiple instances but does not recover individual failed instances automatically. While it improves availability, it is not a replacement for host-level fault tolerance.

Route 53 latency routing optimizes user requests for lowest-latency regions and provides failover based on endpoint health, but it does not protect individual instances from underlying hardware failures.

NAT Gateway allows outbound connectivity from private subnets but does not provide fault tolerance for application workloads.

Thus, EC2 Auto Recovery and fault-tolerance mechanisms ensure applications remain available during hardware or host failures.

Question 142 

A company wants to capture all network traffic from EC2 instances for detailed inspection. Which AWS service should they use?

A) VPC Traffic Mirroring
B) VPC Flow Logs
C) CloudTrail
D) GuardDuty

Answer: A)

Explanation: 

VPC Traffic Mirroring allows administrators to capture full packet-level traffic from Elastic Network Interfaces (ENIs) of EC2 instances. This enables detailed inspection, including payload analysis, intrusion detection, and compliance monitoring. Traffic can be mirrored selectively or for all flows, ensuring flexibility. Captured traffic can be sent to monitoring appliances or SIEM systems for analysis. This service supports both east-west (within VPC) and north-south traffic, providing full visibility into network communications.

VPC Flow Logs capture metadata, including source/destination IPs, ports, protocols, and packet/byte counts. While useful for monitoring traffic patterns, they cannot provide payload-level inspection.

CloudTrail records AWS API calls for auditing, not network traffic. It cannot capture packets or traffic flows for security analysis.

GuardDuty analyzes logs and VPC flow data for threats but does not provide full packet-level capture or inspection.

Therefore, VPC Traffic Mirroring is the correct service for capturing detailed network traffic from EC2 instances.

Question 143 

A company wants to deploy applications requiring extremely low latency for mobile 5G users. Which AWS service should they use?

A) AWS Wavelength Zones
B) Local Zones
C) Outposts
D) Snowball Edge

Answer: A)

Explanation: 

AWS Wavelength Zones are designed specifically for applications that require ultra-low latency, particularly for mobile 5G users. The core idea behind Wavelength is to bring AWS compute and storage resources physically closer to end users by placing infrastructure at telecom provider edge locations adjacent to 5G base stations. By deploying workloads at the edge, the distance that network packets must travel is significantly reduced, allowing latency to drop to single-digit milliseconds. This capability is critical for real-time applications where even small delays can degrade user experience, such as augmented and virtual reality (AR/VR), cloud gaming, autonomous vehicles, industrial IoT, and streaming applications.

Wavelength integrates seamlessly with the broader AWS ecosystem. Developers can leverage familiar AWS services, APIs, and orchestration tools while ensuring that latency-sensitive portions of the workload run in Wavelength Zones. Traffic entering a Wavelength Zone remains on the AWS backbone network, avoiding the public internet, which reduces variability in latency and improves reliability and jitter for real-time applications. This makes it especially beneficial for applications that require predictable, consistent, and extremely low latency for mobile clients connected via 5G.

Alternative AWS solutions, while helpful in other low-latency scenarios, are not ideal for mobile 5G workloads. Local Zones extend AWS infrastructure into metropolitan areas to reduce latency for nearby users, but they are not co-located with telecom 5G networks. Local Zones primarily benefit applications with fixed locations and do not achieve the same millisecond-level latency for mobile users traveling across cellular networks. AWS Outposts deploy AWS hardware on-premises for workloads that require local processing, compliance, or data residency. While Outposts reduce latency for local users, they do not provide real-time access for mobile 5G devices that connect to distributed cellular networks. Snowball Edge is a physical appliance intended for offline data transfer, edge computing, or processing in remote locations; it is not designed to handle high-performance, latency-sensitive mobile workloads.

Question 144 

A company wants to accelerate large uploads to S3 from global users without changing client applications. Which service should they use?

A) S3 Transfer Acceleration
B) DataSync
C) Snowball Edge
D) CloudFront

Answer: A)

Explanation: 

Amazon S3 Transfer Acceleration is specifically designed to optimize and accelerate the transfer of large objects over long distances to S3. It works by leveraging Amazon CloudFront’s globally distributed edge locations. When a client initiates an upload to an S3 bucket with Transfer Acceleration enabled, the upload is first sent to the nearest AWS edge location, reducing the latency associated with long-haul internet connections. From the edge location, data is transferred over AWS’s private backbone network directly to the target S3 bucket. This architecture ensures higher throughput, lower latency, and improved upload reliability, especially for global users who may be located far from the bucket’s AWS region.

One of the key advantages of S3 Transfer Acceleration is its compatibility with existing S3 APIs. This means clients can continue using the same PUT and POST requests without any modification to their application logic. Minimal client-side configuration is required—essentially updating the endpoint URL to the Transfer Acceleration-enabled S3 endpoint—making it straightforward to integrate into existing workflows without development overhead.

Other solutions are less suitable for this scenario. AWS DataSync is designed for efficient, automated data transfer between on-premises storage and AWS, particularly for large-scale migrations or periodic synchronization tasks. It does not provide the same global upload acceleration and relies on network conditions between the source and AWS, without using the optimized edge network. AWS Snowball Edge is a physical, offline appliance intended for large-scale data migrations when network transfers are impractical or extremely slow. While it supports large datasets, it is unsuitable for real-time uploads from globally distributed users. Amazon CloudFront, although a global content delivery network, is primarily optimized for low-latency download distribution rather than uploads, and it cannot directly accelerate S3 upload traffic.

By using S3 Transfer Acceleration, organizations can reduce upload times significantly—sometimes by 50% or more for clients far from the bucket region—improving user experience, reducing time to data availability, and enabling more efficient global workflows. The solution is fully managed, scales automatically with demand, and requires no additional infrastructure or operational maintenance, making it ideal for enterprises needing fast, reliable uploads across multiple geographies.

Question 145 

A company wants to centralize inspection of encrypted traffic across multiple VPCs without modifying client applications. Which AWS service should they use?

A) Gateway Load Balancer with inspection appliances
B) Classic Load Balancer with SSL termination
C) NAT Gateway
D) Security groups

Answer: A)

Explanation: 

AWS Gateway Load Balancer (GWLB) is purpose-built to centralize traffic inspection in a scalable, transparent manner. Many organizations need to monitor network traffic for security threats, compliance, or operational analytics, including encrypted traffic flows. GWLB simplifies this process by acting as a transparent, inline load balancer that forwards traffic from multiple VPCs or accounts to inspection appliances without requiring changes to client applications. The appliances can decrypt traffic, perform deep packet inspection for malware, intrusion detection, or policy enforcement, and then re-encrypt the traffic before forwarding it to its destination.

A critical advantage of GWLB is its seamless integration with AWS networking constructs. It works alongside Transit Gateway or direct VPC routing to aggregate traffic from multiple VPCs, hybrid networks, or accounts, enabling centralized inspection at scale. Organizations benefit from automated scaling and high availability; as traffic volumes increase, GWLB can scale horizontally with attached inspection appliances, ensuring consistent performance and security enforcement. Additionally, the architecture supports failover and redundancy, maintaining inspection continuity even if an appliance fails.

Alternative solutions have limitations. Classic Load Balancer supports SSL termination but only works with HTTP/S traffic and cannot inspect non-HTTP/S flows or operate across multiple VPCs. Manual certificate management is required, increasing operational overhead and risk. NAT Gateways provide IP translation for outbound traffic but cannot decrypt, inspect, or enforce security policies on encrypted data. Security groups operate at the network layer (L3/L4) and can filter traffic based on IPs or ports but are incapable of inspecting payloads or analyzing encrypted content.

By deploying GWLB with inspection appliances, organizations achieve enterprise-grade security and visibility without touching client devices or applications. It is ideal for scenarios with strict regulatory requirements, multi-VPC architectures, or hybrid environments where traffic inspection must be consistent and centrally managed. This solution allows for both operational simplicity and robust security enforcement across AWS and hybrid networks.

Question 146 

A company wants to enforce domain-level outbound DNS filtering across multiple VPCs and hybrid networks. Which service should they use?

A) Route 53 Resolver DNS Firewall
B) NAT Gateway
C) Internet Gateway
D) Security groups

Answer: A)

Explanation: 

Amazon Route 53 Resolver DNS Firewall enables organizations to centrally manage and enforce domain-level filtering for outbound DNS queries across AWS VPCs and hybrid networks. This is particularly useful for security-conscious enterprises that need to prevent access to malicious, non-compliant, or unapproved domains. Firewall rules are defined in rule groups, which can specify allowlists or blocklists of domains. These rule groups can then be associated with one or more VPCs, providing consistent policy enforcement across multiple accounts or regions.

The service also integrates with Resolver endpoints, which can forward queries from on-premises networks to AWS DNS infrastructure. This allows hybrid environments to benefit from the same filtering rules applied within AWS VPCs, providing centralized control and consistent security policies for both cloud and on-premises workloads. Logs can be sent to Amazon CloudWatch or S3 for auditing, compliance, and threat detection, enabling detailed visibility into DNS traffic patterns.

Other solutions are inadequate for domain-level filtering. NAT Gateway provides IP address translation for outbound traffic but lacks domain-level filtering capabilities. Internet Gateway allows outbound internet access but does not inspect or enforce policies at the DNS level. Security groups operate at L3/L4 and can filter traffic by IP, port, or protocol but cannot enforce domain-based filtering.

Route 53 Resolver DNS Firewall offers a fully managed, scalable, and automated approach to DNS security. It eliminates the need for custom proxy servers, appliances, or network-based inspection for domain-level filtering, reducing operational complexity and cost. By using DNS Firewall, organizations can proactively block access to known malicious or non-compliant domains, enforce regulatory policies, and gain comprehensive visibility into DNS traffic, all without requiring changes to client applications. This ensures both security and operational simplicity across hybrid and multi-VPC architectures.

Question 147 

A company wants to monitor hybrid network performance across AWS regions and on-premises sites. Which service should they use?

A) Transit Gateway Network Manager with CloudWatch
B) VPC Flow Logs
C) GuardDuty
D) AWS Config

Answer: A)

Explanation: 

AWS Transit Gateway Network Manager is designed for monitoring, visualizing, and optimizing hybrid network environments that span multiple AWS regions and on-premises locations. It provides a centralized view of network topologies, including Transit Gateway attachments, VPN connections, and Direct Connect links. Network Manager allows administrators to proactively monitor performance metrics such as latency, packet loss, jitter, and throughput across these connections, providing a holistic view of both cloud and on-premises networks.

Integration with Amazon CloudWatch enhances monitoring by collecting detailed metrics and enabling custom dashboards, alarms, and notifications for performance anomalies. This allows organizations to identify degraded performance in near real-time, troubleshoot issues quickly, and take corrective action before users are affected. The visualization capabilities of Network Manager make it easier to understand complex network topologies, including multiple regions, VPCs, and on-premises sites.

Other AWS services do not provide equivalent hybrid network performance monitoring. VPC Flow Logs capture metadata about traffic within a single VPC but do not provide end-to-end performance metrics across regions or on-premises networks. Amazon GuardDuty focuses on threat detection and security intelligence rather than network performance. AWS Config monitors configuration changes and compliance but does not track network latency, packet loss, or throughput.

By using Transit Gateway Network Manager with CloudWatch, enterprises gain a unified, scalable, and fully managed solution for monitoring hybrid networks, improving operational efficiency, and ensuring network reliability. This approach simplifies network troubleshooting, provides actionable insights into traffic performance, and supports capacity planning for complex global environments, making it ideal for large enterprises with multi-region and hybrid architectures.

Question 148 

A company wants to connect multiple VPCs across accounts with overlapping IP ranges securely. Which service should they use?

A) AWS PrivateLink
B) VPC Peering
C) Transit Gateway
D) Direct Connect gateway

Answer: A)

Explanation: 

AWS PrivateLink provides private connectivity between services across AWS accounts and VPCs, even when IP ranges overlap. It achieves this through interface endpoints, which expose services as private IP addresses within a VPC. Traffic between VPCs is routed over the AWS private backbone network, avoiding the public internet entirely. This eliminates the risks associated with overlapping CIDR blocks, which prevent traditional VPC Peering or Transit Gateway routing.

PrivateLink also supports fine-grained access control through endpoint policies, enabling organizations to enforce which consumers can access specific services. It ensures secure, scalable, and consistent connectivity across VPCs without complex NAT, routing, or firewall configurations. Additionally, traffic remains encrypted in transit, satisfying security and compliance requirements.

Alternative approaches have limitations. VPC Peering requires non-overlapping IP addresses and cannot function if CIDRs conflict. Transit Gateway centralizes routing but also requires unique CIDRs for proper routing without NAT translation. Direct Connect gateway is intended for connecting on-premises networks to AWS, not for VPC-to-VPC communication with overlapping IP ranges.

By implementing PrivateLink, organizations can securely expose services to multiple VPCs or accounts while avoiding IP conflicts, minimizing attack surfaces, and reducing operational complexity. This approach is ideal for multi-account, multi-VPC architectures where services need to communicate privately and securely without restructuring IP allocations.

Question 149 

A company wants to route traffic to the AWS region with the lowest latency while automatically failing over unhealthy endpoints. Which Route 53 policy should they use?

A) Latency-based routing with health checks
B) Weighted routing
C) Geolocation routing
D) Simple routing

Answer: A)

Explanation: 

Latency-based routing (LBR) in Amazon Route 53 directs users to the endpoint that provides the lowest network latency between the user’s location and AWS regions hosting the application. Latency is measured dynamically by monitoring response times from different AWS regions to user queries. This approach ensures that users experience optimal performance, especially for latency-sensitive applications such as real-time gaming, streaming, or collaborative tools.

Health checks can be associated with latency-based routing policies to automatically detect unhealthy endpoints. When an endpoint fails a health check, Route 53 removes it from the DNS rotation, ensuring users are routed to healthy resources. This combination provides high availability, fault tolerance, and improved user experience without manual intervention.

Other routing policies are less appropriate. Weighted routing distributes traffic by fixed percentages, useful for testing or gradual rollouts, but does not optimize latency. Geolocation routing sends traffic based on user location but does not measure real-time network latency. Simple routing directs traffic to a single IP address without failover or performance optimization.

Using latency-based routing with health checks allows enterprises to deliver fast, reliable, and resilient global applications. It provides seamless failover, performance optimization, and minimal operational overhead.

Question 150 

A company wants to enforce service-to-service encryption across multiple accounts without manual TLS certificate management. Which service should they use?

A) AWS VPC Lattice
B) VPC Peering
C) Transit Gateway
D) PrivateLink

Answer: A)

Explanation: 

AWS VPC Lattice provides a fully managed solution for secure service-to-service communication across multiple AWS accounts, enforcing automatic encryption, authentication, and authorization at the transport layer. It abstracts the complexity of TLS certificate management by automatically handling certificate issuance, rotation, and validation, allowing developers to focus on application logic instead of security operations.

VPC Lattice also provides centralized service discovery, enabling services in different accounts or VPCs to locate and communicate with each other securely. Traffic between services is automatically encrypted, ensuring a zero-trust model without requiring manual certificate management or additional infrastructure. Policies for authorization and access control can be centrally defined, reducing operational risk and complexity.

Other options are less suitable. VPC Peering connects VPCs at the network layer but does not provide automatic TLS encryption or certificate management. Transit Gateway enables centralized routing but does not manage service-layer security. PrivateLink provides private connectivity but does not handle automatic encryption or service authentication.

By leveraging VPC Lattice, organizations can achieve secure, compliant, and scalable service-to-service communication across accounts, eliminating manual TLS overhead, simplifying operations, and enforcing consistent security policies, making it ideal for multi-account, multi-VPC architectures.

Question 151 

A company wants to centrally inspect all traffic between multiple VPCs for compliance and security purposes. Which AWS architecture should they deploy?

A) Transit Gateway in appliance mode with Gateway Load Balancer
B) VPC Peering
C) Internet Gateway with security groups
D) NAT Gateway

Answer: A)

Explanation: 

When organizations operate multiple VPCs across accounts, ensuring consistent security and compliance requires centralized visibility into traffic flows between VPCs. Deploying a Transit Gateway in appliance mode together with a Gateway Load Balancer (GWLB) is an optimal architecture for this purpose. Transit Gateway acts as a central hub for routing traffic among hundreds of VPCs, simplifying network topology compared to point-to-point VPC Peering, which becomes increasingly complex and difficult to manage at scale. In appliance mode, Transit Gateway can direct traffic through security and monitoring appliances, enabling centralized inspection without requiring modifications to individual VPCs.

The Gateway Load Balancer further enhances this architecture by providing scalable, transparent traffic distribution to inspection appliances such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), or monitoring solutions. GWLB handles high availability and failover, ensuring that inspection continues even if an appliance fails. Traffic inspection can be applied to both north-south traffic (entering or leaving the VPC) and east-west traffic (traffic between VPCs), allowing organizations to enforce compliance policies, detect anomalies, and prevent security breaches consistently across all VPCs.

Alternative approaches have significant limitations. VPC Peering creates direct point-to-point connectivity between VPCs, but it does not provide centralized traffic inspection or scale well for hundreds of VPCs. Each peering connection requires separate routing management, making centralized security enforcement extremely difficult. Internet Gateway with security groups only operates at Layer 3/4, filtering traffic based on IP addresses and ports, and does not provide deep packet inspection or centralized logging for compliance purposes. NAT Gateway primarily translates IP addresses for outbound traffic and does not inspect packets, route traffic between VPCs, or enforce security policies.

By combining Transit Gateway in appliance mode with GWLB, enterprises gain a centralized, scalable, and highly available security architecture. They achieve full visibility into inter-VPC traffic, enforce security policies consistently, and simplify network operations. This design aligns with best practices for multi-VPC architectures, regulatory compliance, and modern security operations where east-west traffic inspection and automated traffic distribution are essential for operational security and governance.

Question 152 

A company wants to capture packet-level traffic from EC2 instances for security audits. Which AWS service should they use?

A) VPC Traffic Mirroring
B) VPC Flow Logs
C) GuardDuty
D) CloudTrail

Answer: A)

Explanation: 

Organizations with stringent compliance, audit, or security requirements often need full packet-level visibility into network traffic. VPC Traffic Mirroring enables exactly this by capturing packets traversing Elastic Network Interfaces (ENIs) of EC2 instances and sending the traffic to monitoring appliances, SIEM systems, or other inspection tools. Unlike higher-level logging solutions, Traffic Mirroring provides access to the payload itself, including packet headers, protocols, and application data, which is critical for intrusion detection, forensic analysis, and detailed security audits.

Traffic Mirroring supports selective capture, allowing administrators to mirror specific ENIs or filter traffic based on protocols, ports, or packet types. This selective approach optimizes storage and processing costs while providing visibility into the traffic that matters most. It enables analysis of east-west traffic between VPCs and north-south traffic entering or leaving the VPC. Security teams can deploy firewalls, IDS/IPS, or analytics pipelines to monitor mirrored traffic, detect anomalies, identify threats, or verify compliance with internal policies and regulatory requirements such as PCI DSS, HIPAA, or SOC2.

Alternative AWS services have limitations in this context. VPC Flow Logs capture metadata such as source/destination IP addresses, ports, and protocol, but they do not include packet payloads or application-level details. They are valuable for traffic analysis or troubleshooting but insufficient for full packet inspection. AWS GuardDuty analyzes logs, flow data, and threat intelligence to detect suspicious activity, but it does not provide raw traffic capture for independent analysis. CloudTrail records AWS API calls for auditing management events and changes to resources, but it does not monitor network traffic or payload data.

Question 153 

A company wants to deploy applications requiring ultra-low latency for mobile 5G users. Which AWS service should they use?

A) AWS Wavelength Zones
B) Local Zones
C) Outposts
D) Snowball Edge

Answer: A)

Explanation: 

Applications targeting mobile 5G users, such as augmented and virtual reality (AR/VR), cloud gaming, autonomous systems, and real-time IoT analytics, require ultra-low latency—often measured in single-digit milliseconds. Traditional cloud deployments, even in the nearest AWS regions, introduce latency that can negatively affect user experience and real-time interactions. AWS Wavelength Zones address this by extending AWS infrastructure to telecom provider edge locations that are co-located with 5G base stations. By placing compute and storage resources at the network edge, Wavelength drastically reduces the distance data travels between the end-user device and the cloud, achieving ultra-low latency.

Wavelength seamlessly integrates with AWS services such as EC2, ECS, EKS, and networking services, allowing developers to deploy workloads using familiar AWS APIs while ensuring latency-sensitive processing occurs as close as possible to the user. Traffic entering Wavelength Zones remains on the AWS backbone network, bypassing the public internet and reducing jitter, packet loss, and latency variability. This is particularly valuable for applications where real-time responsiveness is critical, such as interactive gaming, live video streaming, AR/VR simulations, and industrial IoT monitoring.

Other AWS offerings provide latency reductions but do not meet the requirements for mobile 5G ultra-low-latency workloads. Local Zones extend AWS services into metropolitan areas to improve latency for nearby users, but they are not co-located with 5G networks and primarily benefit fixed-location workloads rather than mobile users. AWS Outposts deploy infrastructure on-premises for local processing and regulatory compliance but are unsuitable for dynamically mobile users connected via 5G. Snowball Edge is a physical device for offline data transfer or edge computing in remote locations; it cannot provide real-time low-latency access for mobile users.

Question 154 

A company wants to accelerate uploads of large files to S3 from global users with minimal client changes. Which AWS service should they use?

A) S3 Transfer Acceleration
B) DataSync
C) Snowball Edge
D) CloudFront

Answer: A)

Explanation: 

Amazon S3 Transfer Acceleration (TA) is designed to optimize and accelerate uploads of large objects to S3 across global networks. The service works by routing client traffic to the nearest AWS edge location, which is part of Amazon CloudFront’s worldwide network of edge points of presence (PoPs). Once the data reaches an edge location, it is then transferred over the highly optimized AWS backbone to the destination S3 bucket. This approach significantly reduces the latency associated with long-distance uploads and provides higher throughput, particularly for users located far from the bucket’s region or when uploading large files such as media assets, backups, or scientific datasets.

One of the key benefits of S3 Transfer Acceleration is its compatibility with existing S3 APIs. Clients can continue using standard PUT and POST requests with minimal changes, typically only updating the endpoint URL to the Transfer Acceleration-enabled bucket. This makes integration simple and avoids rewriting applications or installing additional software on client devices. The service automatically scales to handle increased traffic, providing consistent performance for high-volume or bursty workloads without manual intervention.

Alternative services do not meet the same global acceleration requirement. AWS DataSync is optimized for bulk or scheduled migration of data between on-premises storage and AWS, but it does not leverage edge locations and is not designed for real-time global acceleration. AWS Snowball Edge provides physical appliances for offline data transfer and edge compute scenarios, making it unsuitable for immediate or online uploads. Amazon CloudFront is primarily a content delivery network optimized for low-latency downloads to end users, but it does not accelerate uploads to S3 directly.

By using Transfer Acceleration, enterprises can achieve significant improvements in upload performance, sometimes reducing transfer times by up to 50% for geographically distant clients. It is fully managed, requires no additional infrastructure, automatically scales with demand, and integrates seamlessly into existing applications. S3 TA is therefore the most practical and reliable solution for accelerating global uploads to S3 while minimizing operational complexity and client-side modifications.

Question 155 

A company wants to centrally inspect encrypted traffic across multiple VPCs without modifying client applications. Which service should they use?

A) Gateway Load Balancer with inspection appliances
B) Classic Load Balancer with SSL termination
C) NAT Gateway
D) Security groups

Answer: A)

Explanation: 

AWS Gateway Load Balancer (GWLB) is engineered to centralize traffic inspection in environments where encrypted flows must be analyzed without altering client applications. Many organizations have compliance and security requirements that necessitate deep inspection of all network traffic, including SSL/TLS-encrypted data. GWLB acts as a transparent, inline load balancer that directs traffic to inspection appliances capable of decrypting, analyzing, and re-encrypting traffic before it continues to its destination. This ensures that security policies, malware detection, and intrusion prevention are applied consistently across the network.

GWLB integrates seamlessly with Transit Gateway and VPC routing to handle traffic from multiple VPCs or accounts, enabling scalable, centralized inspection for enterprise environments. The architecture allows appliances to scale horizontally, maintaining high availability even under increased traffic loads. This ensures uninterrupted security enforcement and supports automatic failover if an appliance fails.

Other services are insufficient for multi-VPC encrypted inspection. Classic Load Balancer only supports HTTP/S traffic and requires manual SSL certificate management, limiting its applicability to arbitrary protocols or multi-VPC traffic. NAT Gateway provides outbound IP translation but cannot inspect traffic content. Security groups operate at L3/L4, filtering based on IP and port, but cannot inspect encrypted payloads.

By deploying GWLB with inspection appliances, organizations achieve enterprise-grade visibility and security without client-side modifications. This solution provides centralized management, scalable inspection, and high reliability, making it ideal for hybrid or multi-VPC environments where secure traffic inspection is mandatory.

Question 156 

A company wants to enforce domain-level outbound DNS filtering across multiple VPCs and hybrid networks. Which AWS service should they use?

A) Route 53 Resolver DNS Firewall
B) NAT Gateway
C) Internet Gateway
D) Security groups

Answer: A)

Explanation: 

Amazon Route 53 Resolver DNS Firewall provides a centralized mechanism for enforcing domain-level filtering on outbound DNS queries across AWS VPCs and hybrid networks. Enterprises can define firewall rules that allow, block, or redirect DNS queries based on domain names. These rules are grouped into rule groups that can be associated with multiple VPCs or AWS accounts, ensuring consistent enforcement of DNS policies across the organization.

The service integrates with Resolver endpoints to support hybrid environments, allowing on-premises queries to traverse the firewall for consistent security and policy enforcement. Logs can be collected in CloudWatch or S3 for auditing, compliance, and threat detection, giving visibility into DNS activity without requiring changes to client applications.

Alternative solutions are limited. NAT Gateway only performs IP address translation without domain-level filtering. Internet Gateway enables internet connectivity but does not filter DNS queries. Security groups filter at the network layer but cannot inspect DNS payloads or enforce domain-based rules.

Route 53 Resolver DNS Firewall provides a fully managed, scalable, and consistent DNS security solution. It eliminates the need for proxies or custom appliances, reduces operational complexity, and ensures enterprise-grade policy enforcement across both cloud and hybrid environments.

Question 157 

A company wants to monitor hybrid network performance across AWS regions and on-premises sites. Which service should they use?

A) Transit Gateway Network Manager with CloudWatch
B) VPC Flow Logs
C) GuardDuty
D) AWS Config

Answer: A)

Explanation: 

AWS Transit Gateway Network Manager allows centralized monitoring and visualization of hybrid networks spanning multiple AWS regions and on-premises sites. It supports a variety of connectivity types, including Transit Gateway attachments, VPNs, and Direct Connect links. Network Manager provides a single pane of glass for observing end-to-end connectivity, allowing administrators to monitor latency, packet loss, jitter, and throughput.

Integration with CloudWatch enables the collection of granular metrics, alarms, and dashboards, providing real-time insight into network performance. Organizations can quickly identify bottlenecks, troubleshoot issues, and optimize routing. VPC Flow Logs, while useful for traffic metadata within individual VPCs, do not provide global hybrid network performance visibility. GuardDuty focuses on threat detection rather than performance. AWS Config audits configuration compliance but does not monitor performance metrics.

Transit Gateway Network Manager ensures enterprises have the tools to maintain reliable, high-performance networks across complex multi-region, hybrid architectures. It reduces operational overhead, improves troubleshooting efficiency, and supports proactive optimization of hybrid network performance.

Question 158 

A company wants to connect multiple VPCs across accounts that have overlapping IP ranges. Which AWS service should they use?

A) AWS PrivateLink
B) VPC Peering
C) Transit Gateway
D) Direct Connect gateway

Answer: A)

Explanation: 

AWS PrivateLink is specifically designed to enable secure and scalable connectivity between services across Virtual Private Clouds (VPCs) and AWS accounts, even when the VPCs have overlapping IP address ranges. Traditional network-level connectivity methods, such as VPC Peering or Transit Gateway, rely on non-overlapping CIDR blocks because they create routing tables that assume each subnet has unique IP addresses. Overlapping IP ranges introduce routing conflicts, making these solutions unsuitable for organizations that have independent VPCs with overlapping private networks.

PrivateLink solves this problem by creating interface endpoints in the consumer VPC that map directly to service endpoints in the provider VPC. This traffic flows entirely over the AWS private network, ensuring data does not traverse the public internet. Because the connectivity is abstracted via the endpoint, the underlying IP ranges of the consumer and provider VPCs do not conflict. This makes PrivateLink an ideal solution for multi-account architectures where independent teams or business units may choose overlapping subnets.

Additionally, PrivateLink provides fine-grained access control through endpoint policies. These policies enable administrators to specify which principals (IAM users, roles, or accounts) can access the service, ensuring that only authorized services can communicate. The solution scales efficiently because new consumers can create their own interface endpoints without modifying the provider VPC or CIDR allocations. Organizations can thus support cross-account service consumption at scale without complex NAT or firewall configurations.

In contrast, VPC Peering requires non-overlapping IP ranges because it relies on routing table entries that cannot distinguish between duplicate IP addresses. Attempting peering with overlapping ranges would lead to routing conflicts, dropped packets, and potential network outages. Transit Gateway, while effective for centralizing VPC connectivity, also cannot handle overlapping CIDRs natively without complex NAT configurations. Direct Connect gateways primarily facilitate hybrid connectivity between on-premises networks and AWS but do not address cross-VPC communication in cases of overlapping IPs.

Overall, AWS PrivateLink enables secure, high-performance service connectivity across accounts, supports overlapping CIDRs, simplifies management with interface endpoints, and allows precise access control. Its abstraction layer ensures traffic is routed correctly without IP conflicts, making it the definitive choice for this use case.

Question 159 

A company wants to route traffic to the AWS region with the lowest latency while automatically failing over unhealthy endpoints. Which Route 53 routing policy should they use?

A) Latency-based routing with health checks
B) Weighted routing
C) Geolocation routing
D) Simple routing

Answer: A)

Explanation: 

AWS Route 53 provides multiple routing policies to distribute client requests globally, but for organizations aiming to optimize performance and ensure high availability, latency-based routing combined with health checks is the ideal choice. Latency-based routing directs user requests to the AWS region that offers the lowest network latency at that moment. This ensures that applications respond quickly, reducing page load times or API response delays. The latency is measured in real-time between end users and AWS endpoints, dynamically adjusting DNS responses as network conditions change.

To ensure availability, combining latency-based routing with Route 53 health checks allows automatic failover. Health checks continuously monitor endpoints for responsiveness and correctness. If an endpoint becomes unhealthy—for example, due to an EC2 instance failure, network outage, or misconfiguration—Route 53 will automatically remove it from DNS responses. This guarantees that traffic is never routed to failing regions, maintaining uptime and reliability for users worldwide. This combination is particularly beneficial for global applications where consistent low-latency performance and resilience are crucial, such as video streaming platforms, SaaS applications, or online gaming.

Other routing policies do not meet both criteria simultaneously. Weighted routing distributes traffic according to predefined percentages, making it useful for A/B testing, gradual rollouts, or canary deployments, but it does not consider latency or failover. Geolocation routing directs traffic based on the user’s geographic location, which is useful for regulatory compliance, language-specific content, or region-based pricing, but it cannot dynamically optimize for latency or remove unhealthy endpoints automatically. Simple routing simply returns a single record, offering no traffic distribution or failover capabilities.

By combining latency-based routing with health checks, organizations can achieve optimized performance and robust fault tolerance without requiring complex client-side logic or multi-region application configurations. Users automatically connect to the fastest available endpoint, while Route 53 transparently removes unhealthy resources from consideration. This reduces manual intervention, enhances user experience, and maintains service reliability across multiple regions.

Therefore, latency-based routing with health checks is the correct solution when the goal is to simultaneously minimize latency and maximize availability across global AWS regions.

Question 160 

A company wants to enforce service-to-service encryption across multiple accounts without managing TLS certificates manually. Which service should they use?

A) AWS VPC Lattice
B) VPC Peering
C) Transit Gateway
D) PrivateLink

Answer: A)

Explanation: 

AWS VPC Lattice is a fully managed service that enables secure, scalable service-to-service communication across multiple VPCs and AWS accounts while automatically enforcing transport-layer encryption. One of the key operational challenges in multi-account architectures is the management of TLS certificates and service authentication. Traditionally, each service must maintain its own certificates, rotate them regularly, and ensure trust between communicating services. This introduces operational overhead, complexity, and risk of misconfiguration, potentially exposing sensitive data in transit.

VPC Lattice addresses these challenges by automatically encrypting all traffic between registered services. The service generates and manages TLS certificates on behalf of applications, relieving developers and operations teams from manual certificate issuance, rotation, and trust configuration. Additionally, VPC Lattice implements service discovery and access control, enabling organizations to define which services can communicate with each other across accounts. This enforces a zero-trust security model where traffic must be authenticated and authorized before reaching its destination.

Unlike VPC Peering, which provides only network-level connectivity, VPC Lattice operates at the service level and ensures encrypted communication by default. While Transit Gateway centralizes network routing, it does not automatically enforce service-level encryption, leaving TLS management to individual services. AWS PrivateLink allows private connectivity between services across VPCs and accounts, but it does not handle TLS certificate management or enforce encryption automatically. Without these features, organizations would need to configure TLS manually for each service, increasing complexity and operational risk.

By centralizing service-to-service encryption, authentication, and authorization, VPC Lattice reduces operational burden, ensures secure communication, and supports cross-account scalability. It is particularly advantageous for microservices architectures where hundreds of services may need to communicate securely across multiple VPCs. Lattice also integrates with AWS IAM, allowing administrators to define fine-grained permissions that control which services or accounts can access specific endpoints.

Overall, AWS VPC Lattice provides an automated, secure, and scalable solution for service-to-service encryption without requiring manual TLS certificate management. It simplifies security operations, enforces best practices, and enables reliable, encrypted communication across accounts, making it the optimal choice for organizations seeking robust, zero-trust service connectivity.