Amazon AWS Certified Advanced Networking – Specialty ANS-C01 Exam Dumps and Practice Test Questions Set 3 Q41-60


Question 41

A company needs to allow its on-premises applications to resolve private Route 53 records hosted in AWS. They already have a Site-to-Site VPN to a VPC. What should they configure?

A) Create a Route 53 Resolver inbound endpoint in the VPC
B) Create a Route 53 Resolver outbound endpoint in the VPC
C) Use Route 53 Private Hosted Zones with Public Hosted Zone forwarding
D) Use Route 53 Resolver DNS Firewall rules

Answer: A)

Explanation: 

The first choice refers to creating a Route 53 Resolver inbound endpoint, which allows DNS queries originating from on-premises systems to be forwarded into AWS for the purpose of resolving private hosted zone records. This setup permits hybrid environments to access internal DNS information in AWS through an existing VPN or Direct Connect link. The inbound endpoint exposes elastic network interfaces with specific IPs inside the VPC (one per subnet, so at least two across Availability Zones) that the on-premises DNS forwarders target with conditional forwarding for the private zone names only. Two details are easy to miss: the endpoint's security group must allow both UDP and TCP port 53 from the on-premises resolver addresses, and the private hosted zone must be associated with the VPC that hosts the endpoint; otherwise queries either time out or return NXDOMAIN. This mechanism ensures that private zone resolution does not require exposing DNS to the internet and remains fully internal. Because the requirement is to allow on-premises systems to resolve internal AWS DNS names, this is the mechanism purposely designed for inbound hybrid DNS resolution.

The second choice refers to creating a Route 53 Resolver outbound endpoint, which does the opposite direction of traffic. Outbound endpoints are meant for VPC resources that need to resolve private, on-premises domains by forwarding DNS queries from AWS to on-premises DNS servers. This is not applicable in this scenario because the DNS query direction is reversed. The company needs to resolve AWS private zones from on-premises, not resolve on-prem zones from AWS.

The third choice refers to mixing Private Hosted Zones with Public Hosted Zone forwarding, which is not possible. Public Hosted Zones handle internet-facing DNS and cannot forward queries to private zones that exist solely for internal AWS resolution. Furthermore, public zones are meant for public domains and cannot meet the requirement for secure internal DNS resolution from on-premises over a VPN.

The fourth choice refers to the Route 53 Resolver DNS Firewall, which provides filtering and protection of DNS queries against malicious domains. While useful for security enforcement, it does not enable DNS resolution across environments. DNS Firewall does not facilitate directional DNS query forwarding from on-prem to AWS.

Therefore, the correct selection is the inbound endpoint because it specifically enables DNS queries initiated on-premises to resolve AWS private hosted zone domains over hybrid connectivity.
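The on-premises side of this design is a conditional forwarder, and the AWS side is a security group on the endpoint interfaces. The following Python model is an added example, not part of the original question set or of any AWS tooling: it shows how a forwarder picks the inbound endpoint IPs by longest zone suffix, fails over between the two endpoint addresses, and why a source outside the security group's allowed CIDR never gets an answer. All IPs, CIDRs and the zone name are constructed placeholders.

```python
import ipaddress

# Constructed addresses (hypothetical): the two inbound endpoint IPs, one per
# Availability Zone subnet, and the on-premises recursive resolver.
INBOUND_ENDPOINT_IPS = ["10.20.1.53", "10.20.2.53"]
ONPREM_RECURSIVE = "192.168.0.53"

# Conditional-forwarding table on the on-premises resolver: only the private
# hosted zone names are forwarded into AWS; everything else recurses normally.
FORWARD_ZONES = {"corp.internal.": INBOUND_ENDPOINT_IPS}

# Constructed security group on the inbound endpoint ENIs. Both UDP and TCP 53
# must be open to the on-premises resolver range or queries just time out.
ENDPOINT_SG_INGRESS = [
    {"proto": "udp", "port": 53, "cidr": "192.168.0.0/16"},
    {"proto": "tcp", "port": 53, "cidr": "192.168.0.0/16"},
]


def normalize(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def select_forwarders(qname, zones=FORWARD_ZONES):
    """Longest-suffix match of the query name against the forward zones.
    Returns the forwarder list, or None when the query should be recursed."""
    q = normalize(qname)
    best = None
    for zone, targets in zones.items():
        z = normalize(zone)
        if q == z or q.endswith("." + z):
            if best is None or len(z) > len(best[0]):
                best = (z, targets)
    return best[1] if best else None


def sg_allows(src_ip, proto, port=53, rules=ENDPOINT_SG_INGRESS):
    """True if the endpoint security group admits this source/protocol/port."""
    src = ipaddress.ip_address(src_ip)
    return any(r["proto"] == proto and r["port"] == port
               and src in ipaddress.ip_network(r["cidr"]) for r in rules)


def resolve_path(qname, endpoint_up=None, src_ip=ONPREM_RECURSIVE, proto="udp"):
    """Return (target, reason) for one query from the on-premises resolver.
    endpoint_up is a constructed health map used to show failover between the
    two endpoint IPs; a target whose security group rejects us is skipped too."""
    endpoint_up = endpoint_up or {ip: True for ip in INBOUND_ENDPOINT_IPS}
    targets = select_forwarders(qname)
    if targets is None:
        return ONPREM_RECURSIVE, "recurse"
    for ip in targets:
        if endpoint_up.get(ip, False) and sg_allows(src_ip, proto):
            return ip, "forward"
    return None, "no-reachable-forwarder"
```

The forwarder list deliberately carries both endpoint IPs: a real resolver (BIND, Unbound, Windows DNS) should be configured with both so that the loss of one Availability Zone does not take hybrid DNS down with it.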

Question 42

A customer needs high-speed encrypted connectivity between multiple branch offices and AWS without using SD-WAN hardware. Which AWS service best matches this requirement?

A) AWS Cloud WAN with VPN attachments
B) AWS Client VPN
C) AWS Direct Connect Gateway
D) AWS Network Firewall

Answer: A)

Explanation: 

The first selection relates to AWS Cloud WAN with VPN attachments, providing a cloud-native global network fabric that allows customers to interconnect multiple sites using encrypted IPsec tunnels without needing SD-WAN hardware. Cloud WAN centralizes routing, segmentation, and policy enforcement. It also supports scaling to many branch offices while relying only on a Site-to-Site VPN from each location to the Cloud WAN core network. Because the requirement includes high-speed encrypted connectivity between branches and AWS while explicitly avoiding SD-WAN devices, Cloud WAN VPN attachments fulfill the requirement. Note that each branch still needs an IPsec-capable router or firewall acting as the customer gateway device; what is avoided is a vendor SD-WAN overlay, not VPN termination hardware altogether. Each Site-to-Site VPN tunnel is limited to about 1.25 Gbps, so higher throughput per site is reached by running multiple tunnels with ECMP rather than by a single faster tunnel.

The second selection involves AWS Client VPN, designed primarily for individual user devices requiring secure remote access. This solution is not suitable for connecting entire branch networks or for achieving high-throughput branch connectivity. Client VPN endpoints also operate at lower throughput and do not scale efficiently for site-to-site architecture.

The third selection refers to the Direct Connect Gateway. While Direct Connect provides high bandwidth and low latency, it does not inherently provide encrypted connections unless IPsec is layered separately. Additionally, each branch would need physical Direct Connect or hosted connections, which contradicts the requirement for software-based connectivity without additional hardware. Since branches rarely have direct DX circuits, this method would not meet the customer’s constraints.

The fourth selection concerns AWS Network Firewall, which is a VPC-level firewall designed to enforce traffic filtering policies. It does not provide WAN connectivity, does not form VPN tunnels, and does not interconnect branches.

Thus, Cloud WAN with VPN attachments is the correct answer because it provides a centralized, scalable, software-based, encrypted WAN architecture without requiring SD-WAN appliances.

Question 43

A company wants to implement centralized inspection of outbound VPC traffic using AWS Gateway Load Balancer (GWLB). What must they deploy in the inspection VPC?

A) A fleet of third-party virtual appliances behind a Gateway Load Balancer
B) A NAT Gateway with custom route tables
C) An internet gateway configured for packet filtering
D) A VPC endpoint service for Amazon S3

Answer: A)

Explanation: 

The first selection involves deploying a fleet of virtual appliances behind a Gateway Load Balancer. GWLB is designed to distribute traffic to virtual security appliances such as intrusion detection systems, firewalls, or inspection engines. This architecture enables autoscaling, highly available inspection, and transparent insertion of security services. In a centralized architecture, inspected VPCs route their outbound traffic to the inspection VPC through a GWLB endpoint. The appliances behind the load balancer perform deep packet inspection before the traffic is returned to the GWLB and forwarded on to its destination. A practical constraint: GWLB encapsulates every packet in GENEVE (UDP port 6081), and the appliance must decapsulate it, inspect the inner packet, and return it with the GENEVE header and its options intact; only appliances that support GENEVE can sit behind a GWLB.

The second selection refers to NAT Gateways and custom route tables. NAT Gateways manage outbound internet access for private subnets and are often deployed in the same egress VPC next to the inspection appliances, but they cannot inspect traffic themselves and cannot be registered as GWLB targets. NAT Gateways are managed services with no capability to insert third-party inspection software.

The third selection involves an internet gateway configured for packet filtering. An internet gateway performs only static one-to-one translation between an instance's private address and its public or Elastic IP; it has no rules engine and applies no packet-level filtering. Filtering at that point in the path is done with security groups, network ACLs, or an appliance such as AWS Network Firewall, not by the IGW.

The fourth selection mentions a VPC endpoint service for S3, which provides private access to S3 but has no relevance to traffic inspection or GWLB. Endpoint services expose services for other VPCs to consume but are not used for analyzing outbound traffic.

Therefore, deploying a fleet of security inspection appliances behind GWLB is the correct approach for centralized outbound inspection.

Question 44

A business has multiple AWS accounts and needs to simplify cross-account VPC connectivity using AWS Transit Gateway. They want full-mesh connectivity between all VPCs. Which attachment approach should they use?

A) Attach each VPC to a shared centralized Transit Gateway
B) Peer each VPC individually with every other VPC
C) Connect VPCs through VPC Lattice services
D) Create multiple Transit Gateways and peer them together

Answer: A)

Explanation: 

The first selection refers to attaching all VPCs across accounts to a single centralized Transit Gateway, which provides hub-and-spoke connectivity. Full-mesh communication is achieved by routing rather than manual peering: with the default route table and route propagation enabled, every attachment learns every other VPC's CIDR. This approach is the intended way to scale VPC-to-VPC connectivity across many accounts with reduced operational overhead. Attaching VPCs that live in other accounts requires sharing the Transit Gateway with those accounts (or the whole organization) through AWS Resource Access Manager; each spoke account then creates its own attachment, which the owner account accepts unless auto-accept is enabled. It also supports multiple route tables for segmentation and simplifies governance across the organization.

The second selection mentions peering each VPC individually with every other VPC. This results in N-squared connections, which quickly becomes unmanageable. VPC peering does not scale for environments with more than a few VPCs and offers no centralized route control or propagation.

The third selection refers to VPC Lattice, which focuses on service-to-service communication rather than full network-level connectivity. Lattice cannot replace the Transit Gateway for routing entire VPC CIDR ranges.

The fourth selection suggests creating multiple Transit Gateways and peering them. While TGW peering exists, it is unnecessary when all VPCs can attach to one TGW. Peering also introduces complexity and is typically used for inter-region designs rather than intra-organization connectivity.

Thus, attaching all VPCs to a centralized Transit Gateway is the simplest and most scalable solution.

Question 45

A company needs deterministic routing between AWS and on-premises via Direct Connect and wants automatic failover to a Site-to-Site VPN. Which AWS routing mechanism should they use?

A) BGP on both Direct Connect and the VPN
B) Static routes with high preference
C) Route 53 Health Checks for route failover
D) NAT Gateway-based route switching

Answer: A)

Explanation: 

The first selection involves using BGP on both Direct Connect and the VPN connection. BGP allows dynamic routing, exchange of prefixes, and preference setting through AS_PATH prepending, local preference communities, or other BGP attributes. When the same prefix is learned over several hybrid paths, AWS applies a fixed preference order after longest-prefix match: BGP routes propagated from Direct Connect first, then static routes on the Site-to-Site VPN, then BGP routes propagated from the VPN, with the shortest AS_PATH breaking ties between BGP routes. If Direct Connect fails, its BGP session drops, the prefix is withdrawn, and the VPN route becomes active without any manual change. One caveat: longest-prefix match is evaluated before the source preference, so a more specific prefix advertised only over the VPN will attract traffic away from Direct Connect. This mechanism is reliable and designed for hybrid failover.

The second selection refers to static routes, which lack dynamic failover. Static routes do not change when connectivity fails, unless manual updates occur. This makes them unsuitable for automated switchover.

The third selection references Route 53 health checks, which relate to DNS failover, not routing failover for network connectivity paths. DNS cannot influence hybrid routing between AWS and on-premises.

The fourth selection involves NAT Gateways, which operate at the subnet edge and do not influence hybrid routing decisions. NAT Gateways only apply to outbound IPv4 translation from private subnets and are irrelevant to this requirement.

Therefore, BGP on both connections is the correct choice for automated failover.
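To make the selection order concrete, here is an added Python model (not from the original page and not AWS code) of how a gateway chooses between the same prefix learned over Direct Connect and over VPN: longest prefix first, then the source preference DX BGP > VPN static > VPN BGP, then shortest AS_PATH. The prefixes, AS numbers and connection names are constructed; DX failure is modelled as the BGP withdrawal of the DX-learned route.

```python
import ipaddress
from dataclasses import dataclass

# Candidate path sources, in the preference order AWS applies when the same
# prefix is learned over several hybrid connections (lower rank wins).
SOURCE_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "10.100.0.0/16"
    source: str            # one of SOURCE_RANK
    as_path: tuple = ()    # BGP AS_PATH; tie-breaker among BGP-learned routes
    connection: str = ""   # constructed identifier of the DX VIF or VPN tunnel


def best_route(dst_ip, routes):
    """Pick the route a gateway would use for dst_ip: longest prefix match
    first, then DX BGP > VPN static > VPN BGP, then shortest AS_PATH."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                           SOURCE_RANK[r.source],
                                           len(r.as_path)))


# Constructed routing state: one on-premises prefix learned over DX and over
# both VPN tunnels, with AS_PATH prepending on the second tunnel.
ONPREM = [
    Route("10.100.0.0/16", "dx_bgp", (65001,), "dxvif-primary"),
    Route("10.100.0.0/16", "vpn_bgp", (65001,), "vpn-tunnel-1"),
    Route("10.100.0.0/16", "vpn_bgp", (65001, 65001, 65001), "vpn-tunnel-2"),
]


def failover_demo(dst_ip="10.100.7.9"):
    """Return the chosen connection before and after the DX BGP session drops.
    A BGP withdrawal simply removes the DX route from the candidate set; no
    static configuration changes anywhere."""
    before = best_route(dst_ip, ONPREM).connection
    after = best_route(dst_ip, [r for r in ONPREM if r.source != "dx_bgp"]).connection
    return before, after
```

Because prefix length is compared before source, a /24 that on-premises only advertises over the VPN wins over the /16 learned from Direct Connect; keep advertised prefixes identical on both paths unless you intend that steering.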

Question 46

A company uses AWS Network Firewall and needs to inspect all VPC-to-VPC traffic through a centralized inspection VPC. Which architecture accomplishes this?

A) AWS Transit Gateway with appliance mode enabled
B) VPC Peering with route tables pointing to the firewall
C) Edge association to an internet gateway
D) S3 VPC endpoint policy enforcement

Answer: A)

Explanation: 

Transit Gateway with appliance mode enabled is the architecture specifically designed for centralized traffic inspection using appliances such as AWS Network Firewall. The problem appliance mode solves is cross-Availability-Zone asymmetry: by default, Transit Gateway delivers a packet to the inspection VPC's network interface in the same Availability Zone in which the packet entered the Transit Gateway, so a flow between a source in one AZ and a destination in another is inspected by one firewall on the way out and by a different firewall, holding no connection state, on the way back. Appliance mode replaces that per-direction choice with a flow hash that pins both directions of a flow to the same AZ of the inspection VPC for the life of the flow, so a stateful firewall always sees both halves of a session. By enabling appliance mode, the organization can route all VPC-to-VPC traffic through a central inspection VPC, ensuring that every east-west connection undergoes the same firewall policies. This creates a scalable, hub-and-spoke inspection architecture suitable for large multi-VPC environments.

VPC Peering, while useful for low-latency connections between VPCs, does not support transitive routing. This architectural limitation prevents forwarding traffic through a third VPC for inspection. Even if route tables attempted to point to a firewall in another VPC, a peering connection only forwards packets whose source and destination both belong to the two peered VPCs' CIDRs, so traffic destined for a third VPC is dropped. For this reason, VPC peering cannot support centralized inspection models.

Edge associations with an internet gateway apply only to north-south traffic destined for or arriving from the internet. Internal VPC-to-VPC traffic does not traverse an IGW and therefore cannot be inspected using this approach. Internet gateways do not serve as routers for internal AWS communication.

S3 VPC endpoint policies are limited to managing access to Amazon S3. They cannot inspect or influence general traffic patterns and have nothing to do with packet-level analysis or firewall enforcement. They are not a mechanism for managing east-west traffic security.

Therefore, Transit Gateway with appliance mode is the only architecture that enables centralized VPC-to-VPC inspection with AWS Network Firewall while preserving proper routing and session handling.

Question 47

A company needs to extend its IPv6 network from on-premises to AWS using Direct Connect. What should they configure?

A) BGP over Direct Connect using IPv6 addressing
B) NAT64 for hybrid connectivity
C) IPv6-only VPC with no routing configuration
D) IGW routing overrides for DX traffic

Answer: A)

Explanation: 

BGP over Direct Connect using IPv6 addressing is the correct solution for extending an on-premises IPv6 network into AWS. AWS Direct Connect supports an IPv6 BGP peering session on private, public, and transit virtual interfaces; each virtual interface can carry one IPv4 and one IPv6 BGP peer, and the IPv6 peer addresses are assigned by AWS rather than chosen by the customer. With this configuration, customers can exchange IPv6 prefixes bidirectionally between their data center and their AWS VPC. This ensures consistent end-to-end IPv6 connectivity without relying on translation or tunneling mechanisms. Once the BGP session is established using the IPv6 address family, the VPC (which must have an IPv6 CIDR of its own) receives the on-premises IPv6 routes through the virtual private gateway or Transit Gateway, and the subnet route tables must carry those routes, propagated or static, for hybrid applications to communicate using their global IPv6 address space.

NAT64 is intended for translating IPv6 traffic to IPv4 in cases where backend resources do not support IPv6. In a hybrid architecture where both sides support IPv6 routing, translation is unnecessary and would break end-to-end IPv6 connectivity. NAT64 also introduces complexity and is not part of Direct Connect’s hybrid routing model.

An IPv6-only VPC with no routing configuration cannot establish hybrid connectivity. Hybrid networks require explicit route propagation from Direct Connect or manual static routes. If no BGP or Direct Connect VIF is configured, the VPC will not know how to reach on-premises IPv6 subnets, and on-premises will not know how to reach AWS subnets. Simply enabling IPv6 inside a VPC does not create connectivity.

Modifying IGW routing is irrelevant because internet gateways handle Internet-bound IPv6 and IPv4 traffic, not Direct Connect flows. DX traffic bypasses IGWs completely, using private virtual interfaces and private routing domains. Therefore, IGW routing overrides cannot influence hybrid connectivity.

Thus, configuring BGP over Direct Connect using IPv6 addressing provides the required native hybrid IPv6 extension.

Question 48

A business wants to enforce DNS inspection and filtering across all VPCs via a centralized model. Which AWS service enables this?

A) Route 53 Resolver DNS Firewall
B) Amazon GuardDuty
C) AWS WAF
D) S3 Block Public Access

Answer: A)

Explanation: 

Route 53 Resolver DNS Firewall is specifically designed for DNS-level threat prevention and filtering across VPCs. With DNS Firewall, administrators create rule groups whose rules match domain lists and apply an action: ALLOW, BLOCK (answering with NODATA, NXDOMAIN, or an override record such as a sinkhole CNAME), or ALERT, which logs the match and lets the query through. Rule groups are associated with individual VPCs and can be shared across accounts with AWS Resource Access Manager, or pushed organization-wide through AWS Firewall Manager DNS Firewall policies. This makes DNS Firewall suitable for multi-VPC environments where consistent DNS inspection is required. Because Route 53 Resolver already handles VPC DNS queries, attaching DNS Firewall rule groups to a VPC ensures that all DNS traffic sent to the VPC's Resolver (the .2 address of the VPC CIDR) is evaluated regardless of application. The important caveat is that DNS Firewall only sees queries that pass through Route 53 Resolver: a host configured to use an external resolver, or DNS over HTTPS to a public provider, bypasses it, so the control is only complete when security groups, network ACLs, or Network Firewall also block direct outbound DNS to anything other than the Resolver.

Amazon GuardDuty provides threat detection through machine learning and anomaly analysis but does not block DNS queries. It may detect suspicious domains or DNS behaviors but cannot enforce blocking policies. It operates at a detection level, not at a DNS enforcement level.

AWS WAF is designed to protect HTTP and HTTPS applications running on CloudFront, ALB, or API Gateway. It does not inspect DNS protocol traffic and cannot apply domain-based blocking to DNS requests. Its rule engine focuses on layer-7 HTTP filtering, not recursive DNS requests originating from EC2 or VPC resources.

S3 Block Public Access focuses on preventing public access to S3 buckets. While important for security, it has no relationship to DNS and cannot influence or filter DNS queries.

Therefore, only Route 53 Resolver DNS Firewall provides centralized DNS inspection and filtering across multiple VPCs.
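The evaluation order across rule groups and rules is where most DNS Firewall policies go wrong. The following Python is an added worked example, not the page's or AWS's code: it models rule groups ordered by association priority, rules ordered by rule priority, the three actions with their block responses, and the "only via the Resolver" bypass check. The rule groups and domain names are constructed. One modelling assumption is stated explicitly: the first matching ALLOW or BLOCK ends evaluation, while an ALERT match records the hit and continues with the next rule group; verify that ordering against the current DNS Firewall documentation before relying on it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    priority: int
    domains: list                    # domain list entries; a leading "*." matches subdomains only
    action: str                      # ALLOW | BLOCK | ALERT
    block_response: str = "NODATA"   # for BLOCK: NODATA | NXDOMAIN | OVERRIDE
    override_target: str = ""        # record returned when block_response == OVERRIDE


@dataclass
class RuleGroup:
    name: str
    priority: int                    # association priority on the VPC; lower is evaluated first
    rules: list = field(default_factory=list)


def matches(qname, pattern):
    """AWS-style domain list matching: '*.x' matches subdomains of x, not x itself."""
    q, p = qname.lower().rstrip("."), pattern.lower().rstrip(".")
    return q.endswith(p[1:]) if p.startswith("*.") else q == p


def evaluate(qname, groups):
    """Walk rule groups in association-priority order and rules inside each
    group by rule priority. First matching ALLOW or BLOCK decides; ALERT logs
    and continues (modelling assumption, see lead-in).
    Returns (action, response, alerts)."""
    alerts = []
    for g in sorted(groups, key=lambda g: g.priority):
        for r in sorted(g.rules, key=lambda r: r.priority):
            if not any(matches(qname, d) for d in r.domains):
                continue
            if r.action == "ALERT":
                alerts.append(f"{g.name}:{r.priority}")
                break                          # first match in this group; next group
            if r.action == "ALLOW":
                return "ALLOW", "resolve", alerts
            resp = r.override_target if r.block_response == "OVERRIDE" else r.block_response
            return "BLOCK", resp, alerts
    return "ALLOW", "resolve", alerts          # default when nothing matches


def resolver_in_path(dst_resolver, vpc_cidr):
    """DNS Firewall only inspects queries sent to the VPC's Route 53 Resolver
    (VPC CIDR base + 2). A query sent anywhere else bypasses it entirely."""
    return ipaddress.ip_address(dst_resolver) == ipaddress.ip_network(vpc_cidr)[2]


# Constructed rule groups: a baseline allow/block group and a watch-only group.
GROUPS = [
    RuleGroup("baseline", 100, [
        Rule(1, ["*.amazonaws.com", "amazonaws.com"], "ALLOW"),
        Rule(2, ["*.evil.example", "evil.example"], "BLOCK", "NXDOMAIN"),
        Rule(3, ["*.paste.example"], "BLOCK", "OVERRIDE", "sinkhole.corp.internal"),
    ]),
    RuleGroup("watchlist", 200, [
        Rule(1, ["*.newly-registered.example"], "ALERT"),
    ]),
]
```

The `resolver_in_path` check is the one to pair with an egress rule: if workloads can reach port 53 or 853 on the internet directly, the rule groups above are advisory at best.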

Question 49

A company wants to interconnect workloads across multiple AWS Regions using encrypted tunnels but without the complexity of maintaining many VPN connections. Which service should they use?

A) Transit Gateway inter-region peering
B) VPC Peering
C) Site-to-Site VPN mesh
D) Client VPN

Answer: A)

Explanation: 

Transit Gateway inter-region peering provides a highly scalable way to interconnect workloads across multiple AWS Regions using encrypted, AWS-managed connectivity. When two Transit Gateways are peered across Regions, AWS carries the traffic over its global backbone and encrypts it in transit, without any customer-managed tunnels. This eliminates the operational burden and configuration complexity associated with building and maintaining many individual Site-to-Site VPN connections. Applications in VPCs attached to different Transit Gateways can communicate through the peering connection once each Transit Gateway route table carries a static route for the remote Region's prefixes pointing at the peering attachment; peering attachments do not run BGP or propagate routes, which keeps the design simple but means new remote CIDRs must be added by hand or by automation. This approach offers predictable performance and simplifies cross-Region network topologies.

VPC Peering offers connectivity between two VPCs, but it does not scale across numerous Regions or many VPCs. Each additional VPC requires a dedicated peering connection, leading to a full-mesh requirement if many VPCs need to communicate. It is also not centrally managed and offers no hub-and-spoke capability.

Building a Site-to-Site VPN mesh becomes difficult to maintain as the number of Regions or VPCs grows. Each VPN requires its own tunnel endpoints, BGP configuration, routing propagation, health monitoring, and redundancy configuration. For a large environment, this becomes unmanageable and far less resilient than using Transit Gateway peering.

Client VPN is intended for user remote access rather than connecting VPCs to each other. It cannot provide consistent inter-VPC encrypted connectivity.

Thus, Transit Gateway inter-region peering is the most efficient and scalable solution.

Question 50

A company uses AWS Direct Connect with private VIFs and needs to access multiple VPCs across accounts. What should they configure?

A) Direct Connect Gateway
B) Multiple physical Direct Connect links, one per VPC
C) VPC Peering from the DX VPC
D) Virtual Private Gateway routing override

Answer: A)

Explanation: 

Direct Connect Gateway is specifically designed to allow a single Direct Connect connection to be shared across multiple VPCs, even across multiple AWS accounts and Regions. When customers attach a Direct Connect Gateway to virtual private gateways or Transit Gateways in different accounts, they gain the ability to route private traffic from on-premises to all associated VPCs. This architecture dramatically simplifies hybrid connectivity by removing the need for multiple Direct Connect circuits. It also centralizes routing while maintaining strong separation between VPCs at the account level.

Provisioning multiple physical Direct Connect links, one per VPC, is unnecessary, costly, and operationally wasteful. Direct Connect circuits are high-bandwidth and designed to be shared. Building one per VPC would contradict AWS best practices.

VPC Peering cannot share Direct Connect connectivity. Even if one VPC has Direct Connect access, peering does not forward that access to other VPCs. Peering connections are non-transitive and cannot act as edge routers for other VPCs.

Virtual Private Gateway routing overrides cannot extend DX connectivity to multiple VPCs or accounts. A VGW only attaches to a single VPC and cannot distribute DX routes to other environments.

Therefore, Direct Connect Gateway is the correct architecture to enable multi-account, multi-VPC DX access.

Question 51

A company is designing a multi-account AWS environment. They want shared outbound internet access for all VPCs using a centralized egress VPC. Which networking feature must they implement to ensure that all VPCs’ outbound traffic passes through this egress VPC?

A) Transit Gateway with appliance mode
B) VPC Peering with IGW in each VPC
C) PrivateLink endpoints for internet access
D) S3 VPC endpoints attached to the egress VPC

Answer: A)

Explanation: 

The first selection refers to the use of Transit Gateway with appliance mode enabled on the attachment to the egress VPC. Without it, Transit Gateway sends each packet to the egress VPC in the Availability Zone where that packet entered the Transit Gateway, so the outbound half of a flow can hit the firewall in one AZ while the returning half, entering from the destination's AZ, hits the firewall in another AZ that holds no state for it; the stateful appliance then drops the return traffic. Appliance mode pins both directions of a flow to the same AZ of the egress VPC using a flow hash, which keeps routing symmetric across AZs and lets a stateful firewall or NAT appliance inspect the whole session. With appliance mode on the egress attachment and a default route in each spoke's Transit Gateway route table pointing at the egress VPC, all connected VPCs use the centralized egress VPC for outbound internet access. Appliance mode matters whenever stateful appliances are deployed in more than one AZ of the egress VPC, which is the normal highly available layout; this approach is a standard AWS-recommended architecture for large multi-account environments requiring centralized egress.

The second selection involves VPC Peering, but peering does not support transitive routing. Even with an internet gateway in each VPC, you cannot route VPC A’s internet-bound traffic to VPC B unless using NAT, firewall, or appliance mode routing frameworks that peering does not support. Peering connections are designed for limited-scale VPC-to-VPC communication, not centralized egress models.

The third selection refers to PrivateLink endpoints for internet access, which is not possible. PrivateLink is used for privately accessing AWS services or third-party services across VPC boundaries. It does not provide outbound internet access or NAT functionality. PrivateLink cannot route traffic generically through an egress VPC.

The fourth selection focuses on S3 VPC endpoints, which allow private access to Amazon S3 only. These endpoints do not facilitate internet access, routing of VPC traffic to an egress VPC, or any form of NAT capability. They serve a single AWS service and cannot function as a general egress mechanism.

Thus, Transit Gateway with appliance mode enabled is required because it is specifically designed to support centralized inspection and outbound egress architectures while maintaining routing states for traffic inspection appliances.
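The appliance mode behaviour described for Question 46 and again for Question 51 is easiest to see by simulating it. The Python below is an added example, not the page's or AWS's code: two stateful firewalls (one per Availability Zone) sit in the inspection VPC, a client in AZ "a" opens a TCP session to a server in AZ "b", and the Transit Gateway either picks the firewall AZ per packet from the ingress AZ (appliance mode off) or from a symmetric flow hash (appliance mode on). The addresses and the hash function are constructed stand-ins for the TGW's internal flow hash; the AZ-selection rule is the documented behaviour.

```python
import hashlib

AZS = ("a", "b")


class StatefulFirewall:
    """One firewall instance per AZ of the inspection VPC. It passes a packet
    only if it saw the SYN that opened the flow (or the flow's reverse)."""

    def __init__(self, az):
        self.az = az
        self.flows = set()

    def handle(self, pkt):
        fwd = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        rev = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"])
        if pkt.get("syn"):
            self.flows.add(fwd)
            return True
        return fwd in self.flows or rev in self.flows


def flow_hash_az(pkt):
    """Appliance mode: a symmetric hash of the flow pins both directions to one
    AZ. Sorting the endpoints makes A->B and B->A hash identically. The hash
    itself is a constructed stand-in for the TGW's internal one."""
    ends = sorted([f"{pkt['src']}:{pkt['sport']}", f"{pkt['dst']}:{pkt['dport']}"])
    key = "|".join(ends) + "|tcp"
    return AZS[int(hashlib.sha256(key.encode()).hexdigest(), 16) % len(AZS)]


def tgw_forward(pkt, ingress_az, appliance_mode, firewalls):
    """Without appliance mode the TGW hands the packet to the inspection-VPC
    ENI in the AZ where the packet entered the TGW; with appliance mode it
    uses the flow hash instead. Returns (chosen_az, passed)."""
    az = flow_hash_az(pkt) if appliance_mode else ingress_az
    return az, firewalls[az].handle(pkt)


def simulate(appliance_mode):
    """Client in AZ a (10.1.0.10) talks to server in AZ b (10.2.0.20) through
    the central firewalls. Returns (fwd_az, fwd_ok, ret_az, ret_ok)."""
    fws = {az: StatefulFirewall(az) for az in AZS}
    syn = {"src": "10.1.0.10", "dst": "10.2.0.20", "sport": 40000, "dport": 443, "syn": True}
    synack = {"src": "10.2.0.20", "dst": "10.1.0.10", "sport": 443, "dport": 40000}
    f_az, f_ok = tgw_forward(syn, "a", appliance_mode, fws)     # enters TGW from AZ a
    r_az, r_ok = tgw_forward(synack, "b", appliance_mode, fws)  # reply enters from AZ b
    return f_az, f_ok, r_az, r_ok
```

With appliance mode off, the SYN is inspected in AZ a and the SYN-ACK lands on the firewall in AZ b, which has never seen the flow and drops it; with appliance mode on, both packets reach the same AZ and the session completes. A single-AZ inspection VPC would not show the failure, which is why the problem usually surfaces only after an availability zone is added.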

Question 52

A company needs to allow on-premises servers to send traffic to AWS services over private network paths using Direct Connect. They want to eliminate the need for public IP addresses. Which configuration enables this?

A) Direct Connect with a private VIF and VPC endpoints
B) Direct Connect with a public VIF and route filters
C) Site-to-Site VPN over public internet
D) NAT Gateway with Direct Connect

Answer: A)

Explanation: 

The first selection describes Direct Connect with a private virtual interface combined with VPC endpoints. This configuration enables on-premises systems to reach AWS services such as S3, DynamoDB, and others privately through the VPC, without using public IP addressing. The private VIF establishes private routing between on-premises environments and the VPC. Interface endpoints (AWS PrivateLink) place the service behind elastic network interfaces with private IPs in VPC subnets, and those IPs are reachable from on-premises over the private VIF like any other VPC address; on-premises resolvers must also be pointed at the endpoints' private DNS names, typically through a Route 53 Resolver inbound endpoint, so clients connect to the private IPs rather than the public service endpoints. Gateway endpoints for S3 and DynamoDB are a route-table construct and are not reachable from outside the VPC, so on-premises access to those services must go through interface endpoints. This combination ensures secure, private connectivity with no dependency on public routing.

The second selection refers to using a public virtual interface with route filters. Although this allows private access to some AWS services through public IPs, the communication still takes place over public IP addressing schemes. This does not meet the requirement to eliminate public IP use. Traffic remains logically private due to Direct Connect but still uses publicly routable addressing.

The third selection involves a Site-to-Site VPN over the internet, which inherently relies on public IP addresses for the endpoints. Even though the traffic is encrypted, the requirement is specifically to avoid public IP addressing entirely. Thus, VPN is unsuitable here.

The fourth selection refers to NAT Gateway usage with Direct Connect, which has no relevance to private access from on-premises. NAT Gateways translate private IP addresses to public ones, which contradicts the requirement not to use public addresses. NAT Gateways are meant for outbound internet access from private subnets, not hybrid routing.

Therefore, the correct choice is the private VIF with VPC endpoints, as it is the only solution that ensures completely private routing between on-premises networks and AWS services.

Question 53

A company deploys an application behind Network Load Balancers in multiple AWS Regions. They want to route users to the closest healthy endpoint while supporting failover if one Region becomes unavailable. What service should they use?

A) Route 53 latency-based routing with health checks
B) CloudFront with Lambda@Edge
C) VPC Lattice service network
D) Direct Connect Gateway routing

Answer: A)

Explanation: 

The first selection points to Route 53 latency-based routing with health checks, which is designed to route clients to the AWS Region with the lowest measured latency while maintaining automatic failover if the health checks detect a failure. This aligns directly with the requirement because Route 53 evaluates DNS queries and selects the Region with optimal performance for that client. When a Region's Network Load Balancer fails health checks, Route 53 stops returning that record, so clients are directed to the next-lowest-latency healthy Region. For this to work each latency record must be associated with a health check; for an alias record pointing at the NLB this is normally done by enabling Evaluate Target Health. Clients keep the previous answer until its TTL expires, so a short TTL keeps failover time predictable.

The second selection refers to CloudFront with Lambda@Edge, which can improve performance and manipulate content delivery at the edge but does not provide full-region routing failover logic for Network Load Balancers. CloudFront does not serve as a regional failover mechanism in this context unless the application is built entirely around CloudFront origins.

The third selection involves VPC Lattice, which enables service-to-service communication within and across VPCs but does not provide global routing based on latency or health checks for external clients. Lattice solves internal service connectivity, not global client routing.

The fourth selection references Direct Connect Gateway routing, which applies to private hybrid connectivity and has no role in public latency-based routing or global client-facing traffic distribution.

Thus, Route 53 latency-based routing with health checks is the correct solution.

Question 54

A financial services company must enforce strict inspection of all outbound TLS traffic using third-party appliances running in AWS. They want encrypted flows to be transparently intercepted. Which AWS networking capability supports this architecture?

A) Gateway Load Balancer with TLS inspection appliances
B) Classic Load Balancer with SSL termination
C) NAT Gateway using TLS proxy mode
D) VPC Lattice with service policies

Answer: A)

Explanation: 

The first selection refers to Gateway Load Balancer paired with TLS inspection appliances, which is the AWS-recommended architecture for scalable, transparent, in-line traffic inspection by third-party tools. GWLB itself operates at Layer 3: it is a transparent bump-in-the-wire that hashes flows to healthy appliances and hands them each packet encapsulated in GENEVE, so the appliance sees the original IP headers unchanged. Any TLS decryption and re-encryption is performed by the appliance, not by GWLB, and requires a private CA whose certificate is trusted by every client plus an appliance policy for traffic that cannot be intercepted (certificate-pinned applications, mutual TLS, or categories that must not be decrypted). GWLB integrates into centralized inspection VPC patterns and supports transparent interception across many VPCs when combined with GWLB endpoints in the spoke or egress route tables.

The second selection involves Classic Load Balancers, a legacy load balancer generation that is not suitable for TLS inspection. SSL termination on a Classic Load Balancer decrypts inbound client connections to an application the company owns; it cannot transparently intercept outbound flows from VPC workloads, does not integrate with centralized inspection patterns, and cannot hand decrypted traffic to third-party inspection engines.

The third selection mentions NAT Gateways with TLS proxy mode, which does not exist. NAT Gateways do not intercept traffic for inspection and cannot decrypt TLS sessions. Their only role is address translation for private subnets.

The fourth selection uses VPC Lattice service policies, which govern service calls but do not provide packet-level TLS interception. Lattice works at an application-service level rather than network packet inspection.

Thus, Gateway Load Balancer with inspection appliances is the correct answer.
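Both Question 43 and Question 54 turn on the same requirement: an appliance behind GWLB must speak GENEVE and must hand packets back with the same header and options it received. The following Python is an added example (not the page's code, and not an AWS SDK) that builds and parses a GENEVE header per RFC 8926 and shows what an inspecting appliance must preserve when it returns a rewritten inner packet. The AWS option class 0x0108 and option types 1 (endpoint ID), 2 (attachment ID) and 3 (flow cookie), and their data lengths, are taken from AWS's GWLB appliance documentation as the author remembers it and should be treated as assumptions; the inner packet bytes are constructed.

```python
import struct

GENEVE_PORT = 6081
# Assumed AWS-specific option class and types carried on GWLB traffic.
AWS_OPTION_CLASS = 0x0108
OPT_ENDPOINT_ID, OPT_ATTACHMENT_ID, OPT_FLOW_COOKIE = 1, 2, 3


def build_geneve(payload, vni=0, proto=0x0800, options=()):
    """Encode a GENEVE header (RFC 8926) plus TLV options in front of payload.
    options: iterable of (opt_class, opt_type, data), len(data) % 4 == 0."""
    opt_bytes = b""
    for cls, typ, data in options:
        if len(data) % 4 or len(data) // 4 >= 32:
            raise ValueError("option data must be a multiple of 4 bytes, < 128")
        opt_bytes += struct.pack("!HBB", cls, typ, len(data) // 4) + data
    first = (0 << 6) | (len(opt_bytes) // 4)   # version 0, option length in 4-byte words
    flags = 0x00                                # O (control) and C (critical) clear
    hdr = struct.pack("!BBH", first, flags, proto) + struct.pack("!I", vni << 8)
    return hdr + opt_bytes + payload


def parse_geneve(frame):
    """Decode the GENEVE header. Returns vni, proto, options and inner payload;
    raises on a truncated header or an unknown critical option (RFC 8926 says
    such packets must be dropped)."""
    if len(frame) < 8:
        raise ValueError("short GENEVE header")
    first, flags, proto = struct.unpack("!BBH", frame[:4])
    version, opt_words = first >> 6, first & 0x3F
    if version != 0:
        raise ValueError(f"unsupported GENEVE version {version}")
    vni = struct.unpack("!I", frame[4:8])[0] >> 8
    end = 8 + opt_words * 4
    if len(frame) < end:
        raise ValueError("truncated options")
    options, pos = [], 8
    while pos < end:
        cls, typ, ln = struct.unpack("!HBB", frame[pos:pos + 4])
        ln &= 0x1F
        data = frame[pos + 4:pos + 4 + ln * 4]
        if typ & 0x80 and cls != AWS_OPTION_CLASS:
            raise ValueError("unknown critical option")
        options.append((cls, typ, data))
        pos += 4 + ln * 4
    return {"vni": vni, "proto": proto, "critical": bool(flags & 0x40),
            "options": options, "payload": frame[end:]}


def gwlb_flow_id(frame):
    """Return (flow_cookie, endpoint_id) from the AWS TLVs; an appliance keys
    its per-endpoint state on these in addition to the inner 5-tuple."""
    p = parse_geneve(frame)
    found = {typ: data for cls, typ, data in p["options"] if cls == AWS_OPTION_CLASS}
    return found.get(OPT_FLOW_COOKIE), found.get(OPT_ENDPOINT_ID)


def reencapsulate(frame, new_payload):
    """What an in-line appliance must do after inspecting (or re-encrypting)
    the inner packet: send it back to GWLB under the original GENEVE header
    and TLVs, which GWLB uses to map it to the right endpoint."""
    p = parse_geneve(frame)
    return build_geneve(new_payload, p["vni"], p["proto"], p["options"])
```

A TLS-inspecting appliance replaces the inner TCP payload but must not touch the outer GENEVE header; dropping or reordering the AWS options is a common reason GWLB health checks pass while production traffic silently fails.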

Question 55

A company wants to reduce latency between its multi-region VPCs while maintaining encrypted connectivity and low operational overhead. Which AWS offering meets this requirement?

A) Transit Gateway inter-region peering
B) VPN mesh with dynamic routing
C) On-premises SD-WAN hub
D) Internet Gateway with BGP

Answer: A)

Explanation: 

The first option describes Transit Gateway inter-region peering, which provides AWS-managed connectivity between Transit Gateways in different regions. This architecture leverages the AWS global backbone, offering high-throughput, low-latency connections while ensuring traffic remains private and encrypted in transit. By using managed inter-region peering, organizations can avoid the operational complexity of building multiple VPN tunnels between regions. Routing stays simple because each Transit Gateway only needs static routes for the remote Region's prefixes pointing at the peering attachment (peering attachments do not exchange routes dynamically), and Transit Gateway route tables let administrators segment networks, enforce security policies, and maintain a consistent topology across regions. This approach is optimized for multi-region deployments that require scalable connectivity, reduced latency, and simplified network management. It eliminates the need for manual configuration of per-VPC connections while providing native AWS integration for service-level and network-level controls.

The second option refers to establishing a VPN mesh with dynamic routing. While this approach provides encryption and secure connectivity, it relies on internet paths, which introduces additional latency and potential performance variability. Each region must maintain multiple tunnels to achieve a full-mesh topology, increasing management overhead and operational complexity. Additionally, scaling a VPN mesh to hundreds of VPCs or multiple regions quickly becomes cumbersome and error-prone.

The third option suggests using an on-premises SD-WAN hub. This design requires backhauling traffic from the cloud through a physical data center, which significantly increases latency, creates a single point of failure, and adds operational complexity. It is inefficient for global, cloud-native connectivity because traffic must traverse on-premises infrastructure unnecessarily.

The fourth option proposes using an internet gateway with BGP for inter-region connectivity. Internet gateways do not support BGP between regions and only provide access to the public internet. They cannot deliver private, encrypted inter-region communication, making this approach unsuitable for secure, multi-region network architectures.

Therefore, Transit Gateway inter-region peering is the optimal solution, offering scalable, low-latency, encrypted connectivity using AWS’s global backbone while reducing operational complexity and supporting centralized network management.

Question 56

A company must tightly control how VPCs in different accounts share services such as authentication and logging while avoiding full network connectivity. What AWS networking service enables selective, service-level connectivity?

A) VPC Lattice
B) VPC Peering
C) Transit Gateway
D) Direct Connect

Answer: A)

Explanation: 

VPC Lattice is the AWS service that directly addresses the challenge of providing fine-grained, service-level connectivity across multiple VPCs and AWS accounts while intentionally avoiding broad, full network connectivity. The requirement in this scenario highlights that the company must maintain very tight control over how shared services such as authentication, logging, or other internal service endpoints are exposed to other accounts. 

Traditional network-layer constructs like VPC peering or Transit Gateway inherently expose full IP-level reachability, meaning any resource with a valid route could technically communicate unless further restricted with security groups or network ACLs. That creates operational overhead and contradicts the goal of offering only selective, service-specific connectivity.

VPC Lattice, by design, abstracts applications away from IP networking and instead focuses on service-level exposure. It allows you to publish a specific service, register targets, set access policies, and share that service only with selected accounts, organizational units, or individual VPCs. Unlike routing-based solutions, it enforces identity-driven access controls at the service boundary, ensuring that no other part of the network becomes reachable unless explicitly authorized. Policies allow granular decision-making, working similarly to IAM policies for services rather than broad networking paths. This ensures each participating application or VPC can invoke only the permitted services, not the underlying subnets or hosts.

In contrast, VPC peering creates a flat network with full bidirectional connectivity and provides no native mechanisms to restrict traffic to specific application endpoints.

Transit Gateway improves multi-VPC architecture and segmentation through route tables but still functions at the network layer, meaning connectivity is IP-based, not service-based. Organizations needing strict isolation between accounts or VPCs would still need to enforce traffic restrictions separately with security groups, Network Firewall, or inspection appliances, leading to significantly more complexity. Direct Connect is unrelated to intra-AWS application sharing and focuses on hybrid connectivity from on-premises to AWS. The question’s focus on selective, controlled service sharing aligns precisely with VPC Lattice’s purpose. It provides centralized service discovery, consistent connectivity, request-level authorization, and fine-grained policies across accounts and VPCs. 

Therefore, the correct answer for enabling controlled, service-level connectivity without exposing entire networks is VPC Lattice.
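The service-level controls described above, as an added Terraform example (not part of the original explanation or any AWS sample): a VPC Lattice service with IAM authentication, an auth policy that only lets principals from one organization, calling from one approved VPC, invoke one method on one path, and a RAM share limited to a single OU. The organization ID, VPC ID, OU ARN, account number and request path are placeholders.

```hcl
# Added example (not from the page). Placeholders: org ID, consumer VPC ID, OU ARN, account, path.
resource "aws_vpclattice_service" "logging" {
  name      = "central-logging"
  auth_type = "AWS_IAM" # requests must be SigV4-signed and pass the auth policy below
}

# The auth policy is evaluated per request, like an IAM resource policy for the service.
resource "aws_vpclattice_auth_policy" "logging" {
  resource_identifier = aws_vpclattice_service.logging.arn
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*" # narrowed by the conditions; anonymous callers carry no org ID and are denied
      Action    = "vpc-lattice-svcs:Invoke"
      Resource  = aws_vpclattice_service.logging.arn
      Condition = {
        StringEquals = {
          "aws:PrincipalOrgID"             = "o-EXAMPLE111"          # placeholder organization
          "vpc-lattice-svcs:SourceVpc"     = "vpc-0123456789abcdef0" # placeholder consumer VPC
          "vpc-lattice-svcs:RequestMethod" = "POST"                  # log shipping only
        }
        StringLike = {
          "vpc-lattice-svcs:RequestPath" = "/v1/logs/*" # placeholder path; nothing else is invokable
        }
      }
    }]
  })
}

# Sharing decides who can even associate with the service: one OU, not the whole organization.
resource "aws_ram_resource_share" "logging" {
  name                      = "central-logging"
  allow_external_principals = false # the share can never leave the organization
}

resource "aws_ram_resource_association" "logging" {
  resource_arn       = aws_vpclattice_service.logging.arn
  resource_share_arn = aws_ram_resource_share.logging.arn
}

resource "aws_ram_principal_association" "consumers" {
  principal          = "arn:aws:organizations::111111111111:ou/o-EXAMPLE111/ou-EXAMPLE-consumers" # placeholder OU
  resource_share_arn = aws_ram_resource_share.logging.arn
}
```

A consumer VPC that is not in the policy's `SourceVpc` condition, or a caller outside the organization, gets a 403 from the service itself; no subnet, host or port in the provider VPC is reachable at the network layer.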

Question 57

A company needs to mirror traffic from EC2 instances for threat detection. Which feature meets this requirement?

A) VPC Traffic Mirroring
B) Flow Logs to CloudWatch
C) S3 Access Logs
D) GuardDuty DNS protection

Answer: A)

Explanation:

VPC Traffic Mirroring is the AWS-native feature designed to fulfill the requirement of capturing and analyzing network packets from EC2 instances in real time for threat detection, intrusion analysis, or deep packet inspection workflows. The scenario involves a company that needs to mirror actual traffic originating from ENIs, meaning the need goes far beyond metadata or event-level logging. VPC Traffic Mirroring operates directly at the elastic network interface layer and can capture raw packets, including payloads, headers, and protocol information. 

This makes it suitable for advanced cybersecurity operations such as identifying malicious command-and-control traffic, analyzing lateral movement attempts, detecting exfiltration behavior, and feeding NDR (Network Detection and Response) platforms. Administrators can create mirror sessions that forward captured packets to monitoring appliances such as IDS/IPS tools, security analytics platforms, or custom packet-processing systems hosted inside a VPC or via Gateway Load Balancer appliances. 

Unlike flow logs, which only capture metadata (source IP, destination IP, port, protocol, and accept/reject status), Traffic Mirroring allows full-fidelity inspection. Flow logs are useful for high-level visibility but insufficient for packet-level analysis or threat hunting. S3 access logs provide request-level tracking for S3 buckets and have no relevance to network-layer inspection. GuardDuty DNS protection provides threat-intelligence-based detection for DNS queries, spotting anomalies and known malicious domains, but it does not inspect network packets or mirror ENI traffic.

Threat detection teams often require packet capture to analyze anomalies that signature-based or metadata-based detection cannot surface. VPC Traffic Mirroring supports filters, enabling teams to target only specific types of traffic to reduce cost and noise. It also integrates seamlessly with multi-VPC architectures, scaling with the environment. 

Therefore, Traffic Mirroring is the only option that meets the requirement for deep packet inspection and real-time monitoring.
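The filtered mirror session described above, as an added Terraform example (not part of the original explanation or any AWS sample): a filter that drops intra-VPC traffic and mirrors everything leaving the VPC plus resolver DNS, a Network Load Balancer target fronting the sensor fleet, and one session bound to a source ENI. The VPC CIDR, NLB ARN and ENI ID are placeholders.

```hcl
# Added example (not from the page). The VPC CIDR, NLB ARN and ENI ID are placeholders.
resource "aws_ec2_traffic_mirror_filter" "egress_hunting" {
  description      = "traffic leaving the VPC plus all resolver DNS"
  network_services = ["amazon-dns"] # also mirror queries to the VPC resolver (.2 address)
}

# Rules are evaluated lowest rule_number first; the first match decides.
# Intra-VPC traffic is excluded so the sensor only sees what leaves the VPC.
resource "aws_ec2_traffic_mirror_filter_rule" "skip_intra_vpc" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.egress_hunting.id
  traffic_direction        = "egress"
  rule_number              = 10
  rule_action              = "reject"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "10.0.0.0/16" # placeholder: this VPC's CIDR
}

# Everything else leaving the instance is mirrored, whatever the protocol or port.
resource "aws_ec2_traffic_mirror_filter_rule" "egress_all" {
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.egress_hunting.id
  traffic_direction        = "egress"
  rule_number              = 20
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}

# Mirrored packets arrive VXLAN-encapsulated on UDP 4789; the NLB listener and the sensors'
# security group must allow that port.
resource "aws_ec2_traffic_mirror_target" "sensor" {
  description               = "IDS sensor fleet behind a Network Load Balancer"
  network_load_balancer_arn = "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/net/sensors/PLACEHOLDER"
}

resource "aws_ec2_traffic_mirror_session" "web_01" {
  description              = "web-01 egress to the sensor fleet"
  network_interface_id     = "eni-0123456789abcdef0" # placeholder source ENI
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.egress_hunting.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.sensor.id
  session_number           = 1   # lower number wins when several sessions cover the same ENI
  virtual_network_id       = 101 # VXLAN VNI; lets the sensor attribute packets to this source
}
```

One session per source ENI is required, so in practice the session resource is driven from a list of monitored interfaces; the filter and target are shared.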

Question 58

A telecom provider is deploying 5G edge workloads and needs extremely low latency access to AWS compute resources near their towers. Which AWS service meets the requirement?

A) AWS Wavelength Zones
B) Local Zones
C) Outposts servers
D) S3 Transfer Acceleration

Answer: A)

Explanation: 

AWS Wavelength Zones are purpose-built to deliver ultra-low-latency access to AWS compute and storage services at the edge of 5G networks. They are strategically deployed inside telecommunications provider data centers so that mobile devices and applications running on 5G networks can reach application endpoints hosted on AWS infrastructure with single-digit millisecond latency. The question describes a telecom provider that needs extremely low latency for 5G edge workloads, specifically emphasizing deployment “near their towers,” which directly aligns with the design goals of Wavelength. 

These zones extend the AWS infrastructure into telecom networks, ensuring traffic remains on the provider’s network until it enters the Wavelength Zone. This significantly reduces round-trip times by avoiding intermediate hops to regional AWS data centers.

Local Zones, while also offering low-latency compute resources closer to end users, are not embedded inside telecom networks and therefore cannot provide the carrier-edge latency required for 5G-specific applications. They serve use cases such as real-time gaming, video rendering, and local data processing but do not match the ultra-low-latency demands of telecommunication edge deployments.

AWS Outposts servers bring AWS hardware onto a customer’s premises, enabling hybrid cloud architectures with consistent APIs and services, but they do not inherently integrate with telecom 5G infrastructure and cannot provide the direct carrier-edge placement required for the scenario. Their primary use case is on-premises or local facility hosting, not telecom tower adjacency.

S3 Transfer Acceleration optimizes long-distance data transfers to S3 buckets using edge locations but is entirely unrelated to compute workload placement or low-latency infrastructure. In edge computing environments supporting augmented reality, autonomous systems, and 5G network functions, the priority is minimizing latency by moving application workloads as close as possible to the radio network. Wavelength Zones satisfy this by combining AWS services with telecom infrastructure, enabling consistent APIs, Kubernetes workloads, and orchestration capabilities directly where carriers need them. This makes AWS Wavelength the correct answer.

Question 59

A global company requires automated security enforcement and segmentation across all network traffic flowing through Transit Gateway. Which feature supports this?

A) Transit Gateway route tables and attachments
B) VPC Endpoints
C) NAT Gateways
D) CloudFront distributions

Answer: A)

Explanation: 

Transit Gateway route tables and attachment segmentation provide the mechanisms required to implement automated, large-scale security enforcement across a multi-VPC and multi-network architecture. The question emphasizes the need for automated controls and segmentation for all traffic traversing the Transit Gateway, which is exactly what Transit Gateway route tables allow you to accomplish. By using multiple route tables and selectively associating or propagating specific attachments, an organization can control how VPCs, VPNs, Direct Connect connections, and other networks communicate. 

This delivers hub-and-spoke segmentation similar to VRF architectures in traditional networks. The automation component typically comes from managing the Transit Gateway with IaC frameworks such as CloudFormation or Terraform, combined with AWS Organizations and AWS RAM sharing of the Transit Gateway across accounts. This allows consistent, enforced routing behavior across global environments.

VPC endpoints are unrelated to segmentation across many networks; their purpose is to enable private connectivity to AWS services. NAT Gateways provide outbound internet access and have nothing to do with multi-VPC security segmentation. CloudFront distributions serve content at edge locations, focusing on global content delivery rather than internal traffic segmentation.

Transit Gateway route tables allow administrators to isolate sandbox environments, restrict production-to-nonproduction communication, implement centralized inspection, or forward specific segments through firewalls. This approach ensures that traffic is governed by deterministic routing rather than free-flowing connectivity. Thus, Transit Gateway route tables provide the required security enforcement.
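The route-table segmentation described above, as an added Terraform example (not part of the original explanation or any AWS sample): a Transit Gateway with default association and propagation disabled, one route table per segment, propagations that let prod and nonprod each reach a shared-services VPC but never each other, and a static blackhole route that keeps prod isolated even if a propagation is later added by mistake. The attachment IDs and the nonprod CIDR are placeholders.

```hcl
# Added example (not from the page). Attachment IDs and the nonprod CIDR are placeholders.
locals {
  attachments = { # segment name => existing TGW VPC attachment
    prod    = "tgw-attach-0aaaaaaaaaaaaaaaa"
    nonprod = "tgw-attach-0bbbbbbbbbbbbbbbb"
    shared  = "tgw-attach-0cccccccccccccccc"
  }
  nonprod_cidr = "10.20.0.0/16"
}

resource "aws_ec2_transit_gateway" "hub" {
  description                     = "segmented hub"
  default_route_table_association = "disable" # nothing is reachable until explicitly associated
  default_route_table_propagation = "disable" # and nothing is learned until explicitly propagated
}

# One route table per segment; the table an attachment is associated with decides what it can reach.
resource "aws_ec2_transit_gateway_route_table" "seg" {
  for_each           = local.attachments
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = each.key }
}

resource "aws_ec2_transit_gateway_route_table_association" "seg" {
  for_each                       = local.attachments
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.seg[each.key].id
}

# Propagations decide whose CIDRs a table learns. Shared learns prod and nonprod, and each of
# them learns shared. Prod and nonprod never learn each other, so no route exists between them.
resource "aws_ec2_transit_gateway_route_table_propagation" "into_shared" {
  for_each                       = { for k, v in local.attachments : k => v if k != "shared" }
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.seg["shared"].id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "from_shared" {
  for_each                       = toset(["prod", "nonprod"])
  transit_gateway_attachment_id  = local.attachments.shared
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.seg[each.key].id
}

# A static route is preferred over a propagated route for the same prefix, so even if a
# prod<->nonprod propagation is added later by mistake, prod traffic to nonprod is still dropped.
resource "aws_ec2_transit_gateway_route" "prod_blackholes_nonprod" {
  destination_cidr_block         = local.nonprod_cidr
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.seg["prod"].id
  blackhole                      = true
}
```

Because the isolation lives in the routing tables rather than in per-VPC security groups, a new nonprod account attached under this pattern is isolated from prod the moment its attachment is associated with the nonprod table.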

Question 60

A company wants to build a private, full-mesh IPv6 network between hundreds of VPCs across AWS Regions. They prefer using AWS backbone and want consistent IPv6 support. What should they choose?

A) Transit Gateway multi-region design with IPv6 support
B) IPv6 VPC Peering
C) Site-to-Site VPN tunnels
D) S3 VPC endpoints

Answer: A)

Explanation: 

A multi-Region Transit Gateway architecture with IPv6 support is the scalable and efficient approach for connecting hundreds of VPCs using a private mesh that operates entirely on the AWS backbone. The question explicitly states several requirements: full-mesh connectivity, large scale, multi-Region capability, and consistent IPv6 support. Transit Gateway is designed for such scale, supporting thousands of attachments and simplifying inter-VPC connectivity by providing centralized, hub-style routing. 

When Regions are peered, Transit Gateways exchange routes over AWS’s private backbone, ensuring low latency and avoiding Internet paths. IPv6 support for Transit Gateway routing enables consistent behavior across VPCs using dual-stack or IPv6-only configurations.

VPC peering, while supporting IPv6, does not scale for hundreds of VPCs because it requires N-squared connections to achieve full mesh. The operational overhead becomes unmanageable, and route limits are quickly reached.

Site-to-Site VPN tunneling introduces unnecessary encryption overhead, higher latency, and potential bottlenecks; it also does not guarantee exclusive use of the AWS backbone. S3 VPC endpoints do not contribute to inter-VPC networking and are irrelevant to mesh design.

Transit Gateway reduces complexity by consolidating routing and using regional peering to maintain a consistent, scalable, and native backbone-based IPv6 environment. This makes it the correct answer.
