Amazon AWS Certified Advanced Networking – Specialty ANS-C01 Exam Dumps and Practice Test Questions Set 7 Q121-140

Visit here for our full Amazon AWS Certified Advanced Networking – Specialty ANS-C01 exam dumps and practice test questions.

Question 121 

A company wants to securely connect multiple VPCs across AWS accounts with overlapping CIDR ranges. Which AWS service should they use?

A) AWS PrivateLink
B) VPC Peering
C) Transit Gateway
D) Direct Connect gateway

Answer: A)

Explanation: 

AWS PrivateLink enables secure, private connectivity between services across multiple VPCs and accounts, even when the VPCs have overlapping IP address ranges. It works by creating interface endpoints that act as entry points to services within a VPC. These endpoints use the AWS private network to route traffic, ensuring it never traverses the public internet. PrivateLink allows granular access control via endpoint policies, enabling administrators to restrict which services and accounts can access a particular endpoint. It provides a scalable and secure way to connect services without the IP conflicts that arise with overlapping CIDR ranges.

VPC Peering requires non-overlapping IP ranges between VPCs. When CIDRs overlap, peering cannot resolve routing conflicts, making it unsuitable for networks with overlapping addresses.

Transit Gateway centralizes connectivity for multiple VPCs and accounts but also requires non-overlapping CIDRs for correct routing. While TGW scales well, it cannot solve overlapping address conflicts without additional NAT solutions.

Direct Connect gateway is primarily used for connecting on-premises networks to multiple VPCs. It does not address inter-VPC communication within AWS or handle overlapping CIDRs.

Thus, AWS PrivateLink is the correct solution for secure cross-VPC communication with overlapping CIDR ranges, providing private connectivity, access control, and scalability without network conflicts.

Question 122 

A company wants to route users to the AWS region with the lowest latency while automatically failing over unhealthy endpoints. Which Route 53 policy should they use?

A) Latency-based routing with health checks
B) Weighted routing
C) Geolocation routing
D) Simple routing

Answer: A)

Explanation: 

Latency-based routing directs users to the AWS region that offers the lowest network latency from their location. When combined with health checks, Route 53 automatically excludes unhealthy endpoints from DNS responses, ensuring high availability and seamless failover. This approach improves global application performance and reliability by dynamically adjusting traffic based on real-time network latency and endpoint health.

Weighted routing distributes traffic according to predefined percentages. While useful for gradual rollouts or A/B testing, it does not optimize for latency or automatically handle endpoint failover.

Geolocation routing directs users based on their geographic location rather than real-time network conditions. It ensures compliance or region-specific content delivery but does not guarantee the lowest latency path.

Simple routing returns a single IP without considering endpoint health or latency. It cannot provide automatic failover or optimize performance for global users.

Therefore, latency-based routing with health checks is the correct choice for directing users to the lowest-latency, healthy endpoints worldwide.

Question 123 

A company wants to centrally inspect east-west traffic between multiple VPCs and accounts. Which AWS architecture should they deploy?

A) Transit Gateway in appliance mode with Gateway Load Balancer
B) VPC peering
C) Internet Gateway with security groups
D) Direct Connect

Answer: A)

Explanation: 

Transit Gateway in appliance mode allows centralized routing of traffic across VPCs and accounts while supporting asymmetric routing through inspection appliances. Gateway Load Balancer (GWLB) distributes traffic to multiple appliances for scalable and redundant inspection. This architecture centralizes east-west traffic inspection, enforces consistent security policies, and simplifies management. It integrates with SIEM and monitoring tools for enterprise-scale deployments, supporting multi-account and multi-VPC scenarios.

VPC peering creates direct connections between VPCs but does not provide centralized routing or inspection. Peering scales poorly with hundreds of VPCs and lacks traffic inspection capabilities.

Internet Gateway with security groups can filter traffic at L3/L4 but cannot inspect traffic centrally or enforce consistent policies across VPCs.

Direct Connect provides hybrid connectivity between on-premises networks and AWS VPCs. It is not suitable for centralized inspection of VPC-to-VPC traffic.

Thus, Transit Gateway in appliance mode with Gateway Load Balancer is the correct architecture for scalable, centralized east-west traffic inspection.

Question 124 

A company wants to capture packet-level network traffic from EC2 instances for security and compliance purposes. Which AWS service should they use?

A) VPC Traffic Mirroring
B) VPC Flow Logs
C) GuardDuty
D) CloudTrail

Answer: A)

Explanation: 

VPC Traffic Mirroring allows packet-level capture of network traffic from Elastic Network Interfaces (ENIs) attached to EC2 instances. The mirrored traffic can be sent to monitoring, security, or SIEM appliances for deep inspection, intrusion detection, and compliance auditing. Traffic Mirroring supports east-west and north-south traffic and can selectively capture specific flows to optimize storage and processing costs. This provides complete visibility into payloads and application behavior, essential for compliance and detailed security analysis.

VPC Flow Logs capture network metadata, including source and destination IPs, ports, protocols, and bytes transferred. While useful for monitoring and troubleshooting, they do not provide payload-level inspection.

GuardDuty detects security threats by analyzing logs but does not provide raw packet-level visibility or allow deep inspection of traffic.

CloudTrail records AWS API calls for auditing and compliance. It does not capture network traffic or packet-level data.

Therefore, VPC Traffic Mirroring is the correct solution for packet-level traffic capture across multiple VPCs for security and compliance.

Question 125 

A company wants to deploy low-latency edge compute for real-time 5G applications. Which AWS service should they use?

A) AWS Wavelength Zones
B) Local Zones
C) Outposts
D) Snowball Edge

Answer: A)

Explanation: 

AWS Wavelength Zones embed AWS compute and storage resources in telecom provider networks near 5G base stations. By co-locating applications close to end users, latency is reduced to milliseconds, making it suitable for real-time applications such as AR/VR, gaming, and IoT. Wavelength integrates with standard AWS services, simplifying orchestration and deployment. Traffic remains on the AWS backbone network, ensuring consistent performance and low latency.

Local Zones extend AWS services into metropolitan areas, reducing latency for urban users but not co-located with 5G infrastructure. They provide improved latency but are not optimized for mobile 5G workloads.

Outposts deliver AWS infrastructure on-premises. They are ideal for private datacenter workloads but cannot provide ultra-low-latency access to mobile users over 5G networks.

Snowball Edge is a physical device for offline data transfer or edge compute. It does not support continuous, real-time low-latency processing required for 5G workloads.

Thus, AWS Wavelength Zones are the correct solution for low-latency edge computing in 5G environments.

Question 126 

A company wants to accelerate large S3 uploads from global clients with minimal client configuration changes. Which AWS service should they use?

A) S3 Transfer Acceleration
B) DataSync
C) Snowball Edge
D) CloudFront

Answer: A)

Explanation: 

S3 Transfer Acceleration is specifically designed to improve the performance of large file uploads and downloads to Amazon S3 by leveraging the global AWS edge network. When a client initiates an upload to an S3 bucket with Transfer Acceleration enabled, the traffic is automatically routed to the nearest AWS edge location using Amazon CloudFront’s globally distributed edge infrastructure. From there, the data travels over the high-speed, low-latency AWS backbone network to the target S3 bucket. This significantly reduces latency and optimizes throughput for geographically dispersed clients, particularly when uploading large files such as media content, backups, or scientific datasets.

One of the key advantages of S3 Transfer Acceleration is that it requires minimal changes on the client side. Applications can continue to use the standard S3 APIs, with the only change being the endpoint URL pointing to the Transfer Acceleration-enabled bucket. This seamless integration reduces operational overhead, allowing organizations to accelerate uploads without modifying existing workflows or reengineering applications. In global deployment scenarios, latency improvements can be dramatic because the AWS global network avoids internet bottlenecks and congestion that typically occur when clients upload directly to S3 over the public internet.

Other solutions such as AWS DataSync, Snowball Edge, or CloudFront do not meet the same use case effectively. DataSync is optimized for automated, high-speed transfers between on-premises storage and AWS, but it does not use the global edge network to optimize performance for clients worldwide. Snowball Edge is a physical appliance designed for bulk offline data transfer or edge computing, and is unsuitable for real-time or frequent online uploads. CloudFront is a content delivery network optimized for fast delivery of content to end users (downloads), and does not provide a mechanism to accelerate uploads from clients to S3.

For organizations with clients distributed globally that require high-performance S3 uploads with minimal client-side configuration, S3 Transfer Acceleration offers a scalable, fully managed, and easy-to-deploy solution. Its use of edge locations combined with the AWS backbone network ensures both lower latency and higher throughput while maintaining standard S3 API compatibility, making it the ideal choice for accelerating global uploads.

Question 127 

A company wants to enforce service-to-service encryption across multiple AWS accounts without manual TLS certificate management. Which service should they use?

A) AWS VPC Lattice
B) VPC Peering
C) Transit Gateway
D) AWS PrivateLink

Answer: A)

Explanation:

AWS VPC Lattice is designed to provide secure, scalable, service-to-service connectivity across multiple AWS accounts and VPCs without requiring manual management of TLS certificates or other encryption mechanisms. VPC Lattice implements automatic transport-layer encryption, ensuring that communication between services is encrypted end-to-end by default. It also provides centralized authentication, service discovery, and access control, allowing administrators to define fine-grained policies that determine which services can communicate with each other.

This capability is particularly valuable in multi-account AWS environments, where managing TLS certificates and encryption policies manually across each VPC and service can quickly become complex and error-prone. With VPC Lattice, developers can focus on building services without worrying about manually configuring or renewing certificates. VPC Lattice enforces zero-trust principles, ensuring that every connection is authenticated and encrypted, which significantly enhances security posture while reducing operational overhead.

Alternative connectivity solutions do not provide the same level of automated service-layer security. For instance, VPC Peering establishes network-level connectivity between VPCs, allowing IP-level communication but without any enforcement of service-level encryption or authentication. Applications still need to implement TLS independently, which adds complexity and operational overhead. Transit Gateway centralizes routing between VPCs and on-premises networks but does not provide automatic service-to-service encryption or certificate management. AWS PrivateLink enables private connectivity to services, but it requires manual TLS configuration and does not natively enforce authentication between service endpoints.

By leveraging AWS VPC Lattice, organizations gain a secure, operationally efficient solution that automatically handles encryption, authentication, and policy enforcement. It simplifies the complexity of multi-account service communication, reduces the risk of misconfigurations, and ensures consistent security practices across distributed environments. Additionally, it integrates seamlessly with other AWS services, providing centralized observability and auditing for compliance requirements.

For companies seeking encrypted, authenticated, and policy-driven service-to-service communication across multiple accounts without the burden of managing TLS certificates manually, AWS VPC Lattice is the most suitable solution, offering both security and operational simplicity at scale.

Question 128 

A company wants to monitor hybrid network performance across multiple AWS Regions and on-premises sites. Which AWS service should they use?

A) Transit Gateway Network Manager with CloudWatch
B) VPC Flow Logs
C) GuardDuty
D) AWS Config

Answer: A)

Explanation: 

Transit Gateway Network Manager (TGNM) is a centralized solution for monitoring, managing, and visualizing hybrid network architectures that span multiple AWS regions and on-premises environments. It provides end-to-end visibility into network connectivity between VPCs, VPNs, Direct Connect links, and other hybrid components. By integrating with Amazon CloudWatch, Network Manager collects performance metrics such as latency, packet loss, jitter, throughput, and availability, allowing administrators to proactively monitor network health and identify performance bottlenecks.

A critical advantage of using Network Manager is its ability to provide a global view of complex network topologies. Administrators can visualize connections between VPCs across regions, on-premises sites, and third-party networks, all in a single pane of glass. This centralized visibility makes it easier to troubleshoot connectivity issues, optimize routing, and plan capacity. For enterprises operating hybrid networks with multiple regions, maintaining this visibility manually can be challenging, time-consuming, and prone to errors. TGNM automates both visualization and monitoring, providing actionable insights that help maintain high performance and uptime.

Alternative AWS services do not fully meet these requirements. VPC Flow Logs capture metadata about traffic at the ENI level but do not provide real-time performance metrics or a global network view. GuardDuty focuses on threat detection by analyzing logs for malicious activity, and it does not provide performance monitoring or hybrid network visualization. AWS Config monitors resource configuration compliance but does not track traffic or performance metrics. Therefore, while these services are useful for specific tasks, they do not offer the comprehensive, performance-oriented monitoring needed for hybrid network operations.

By combining TGNM with CloudWatch, organizations can track trends over time, create alarms for anomalies, and generate reports to ensure service-level agreements are met. Additionally, Network Manager supports integration with third-party network monitoring tools via APIs, allowing hybrid network operations teams to maintain consistency across AWS and on-premises environments.

Transit Gateway Network Manager, when integrated with CloudWatch, provides the most complete solution for monitoring hybrid network performance across multiple AWS regions and on-premises sites. It offers centralized visibility, end-to-end metrics, proactive alerting, and performance trend analysis, enabling enterprises to optimize their global network infrastructure and ensure reliable connectivity for mission-critical applications.

Question 129 

A company wants to inspect encrypted traffic centrally across multiple VPCs without modifying client applications. Which service should they use?

A) Gateway Load Balancer with inspection appliances
B) Classic Load Balancer with SSL termination
C) NAT Gateway
D) Security groups

Answer: A)

Explanation: 

Gateway Load Balancer (GWLB) provides a scalable and centralized method to inspect network traffic across multiple VPCs without requiring any modifications to client applications. GWLB transparently routes traffic to third-party inspection appliances capable of performing deep packet inspection, decryption, intrusion detection, and malware analysis. This allows enterprises to enforce consistent security policies across their cloud network while maintaining application performance and scalability.

A key advantage of GWLB is that it integrates seamlessly with Transit Gateway or VPC routing to centralize traffic inspection across multiple VPCs or AWS accounts. This centralized approach reduces operational complexity compared to deploying inspection appliances individually in each VPC. Appliances connected to GWLB can handle encrypted traffic, such as TLS flows, by decrypting it for inspection and then re-encrypting it before forwarding it to its destination. This ensures that traffic remains secure end-to-end while meeting compliance and security requirements.

Other options, while useful in specific contexts, do not provide the same level of functionality. Classic Load Balancer with SSL termination only supports HTTP/S traffic and requires applications to manage TLS configurations, making it unsuitable for inspecting traffic across multiple VPCs or for non-HTTP protocols. NAT Gateway translates IP addresses but does not inspect packet payloads or encrypted traffic. Security groups operate at the L3/L4 level, enforcing rules based on IP addresses and ports, but cannot inspect encrypted payloads or enforce deep security policies.

GWLB also supports enterprise-grade features such as automatic scaling, high availability, and appliance chaining, enabling organizations to deploy multiple inspection appliances in parallel or sequence for redundancy and enhanced security. Centralized logging and monitoring of inspected traffic allow security teams to analyze threats, detect anomalies, and maintain compliance with regulatory frameworks.

For organizations requiring centralized inspection of encrypted or unencrypted traffic across multiple VPCs without modifying client applications, Gateway Load Balancer with inspection appliances provides a scalable, highly available, and secure solution. It reduces operational overhead, enhances visibility, and enables consistent security enforcement, making it the optimal choice for large-scale, multi-VPC AWS environments.

Question 130 

A company wants to enforce domain-level outbound DNS filtering across multiple VPCs and hybrid networks. Which AWS service should they use?

A) Route 53 Resolver DNS Firewall
B) NAT Gateway
C) Internet Gateway
D) Security groups

Answer: A)

Explanation: 

Route 53 Resolver DNS Firewall enables organizations to enforce granular, domain-level outbound DNS filtering across multiple VPCs and hybrid networks. It works by associating firewall rule groups with VPCs, which define allowed or blocked domains. Queries that match firewall rules are either allowed or blocked, providing fine-grained control over outbound DNS traffic. Resolver endpoints can extend these policies to on-premises networks, ensuring consistent DNS security enforcement across hybrid environments.

This service is particularly useful for organizations aiming to reduce the risk of malware communication, data exfiltration, or access to unauthorized domains. Firewall rules can be managed centrally and applied across multiple accounts and VPCs, simplifying policy administration while maintaining consistency. Additionally, Route 53 Resolver DNS Firewall provides query logging, which delivers visibility into DNS activity for auditing, troubleshooting, and compliance purposes. Organizations can monitor which domains were queried, whether the query was allowed or blocked, and which VPC or network initiated the query.

Alternative options are limited in scope. NAT Gateway performs IP address translation but cannot inspect DNS queries or apply domain-specific rules. Internet Gateway provides general internet access but offers no mechanism to filter DNS queries. Security groups operate at the IP and port level, which does not allow filtering based on domain names, rendering them ineffective for outbound DNS control at a granular level.

Route 53 Resolver DNS Firewall also supports hierarchical firewall rule groups, allowing administrators to define global rules while retaining the ability to create VPC-specific exceptions. This flexibility ensures that DNS security policies are both robust and adaptable to the needs of complex, multi-account environments. The solution also integrates seamlessly with hybrid architectures, ensuring that on-premises DNS queries routed through AWS can be filtered in the same way as cloud-originating queries.

For enterprises needing centralized, domain-level outbound DNS filtering across multiple VPCs and hybrid networks, Route 53 Resolver DNS Firewall offers the most comprehensive solution. It provides policy consistency, detailed logging, easy scalability, hybrid network support, and minimal client-side configuration, ensuring secure and controlled DNS activity across the organization.

Question 131 

A company wants to enforce end-to-end encryption for service-to-service communication across multiple AWS accounts without managing TLS certificates manually. Which service should they use?

A) AWS VPC Lattice
B) VPC Peering
C) Transit Gateway
D) AWS PrivateLink

Answer: A)

Explanation: 

AWS VPC Lattice enables secure, service-to-service connectivity with automatic transport-layer encryption, authentication, and service-level access policies. This ensures that services communicate securely across multiple accounts without requiring manual TLS certificate management. Lattice integrates centralized service discovery, allowing services to discover and communicate securely with minimal operational overhead. It enforces zero-trust principles by ensuring that each request is authenticated, authorized, and encrypted at the transport layer.

VPC Peering connects VPCs at the network level but does not enforce service-layer encryption or authentication. Traffic between services must be encrypted manually via TLS or other mechanisms, increasing operational complexity.

Transit Gateway centralizes routing for multiple VPCs and accounts but does not provide service-to-service encryption or authentication. It operates at the network layer, leaving TLS management to individual applications.

AWS PrivateLink enables private connectivity between services across VPCs and accounts. While it keeps traffic private and secure at the network level, it does not automatically manage TLS certificates or enforce service-level encryption, meaning developers must still configure and maintain TLS manually.

Thus, AWS VPC Lattice is the correct solution for automated, secure, service-to-service communication across accounts with minimal administrative effort.

Question 132 

A company wants to inspect encrypted traffic between multiple VPCs centrally without modifying client applications. Which AWS service should they use?

A) Gateway Load Balancer with inspection appliances
B) Classic Load Balancer with SSL termination
C) NAT Gateway
D) Security groups

Answer: A)

Explanation: 

Gateway Load Balancer (GWLB) allows transparent routing of traffic through inspection appliances that can decrypt and analyze encrypted traffic. By deploying GWLB alongside Transit Gateway or VPC routing, organizations can inspect traffic across multiple VPCs and accounts without altering client applications. Inspection appliances can enforce security policies, detect malware, and perform intrusion detection. GWLB ensures high availability and scalability by distributing traffic across multiple appliances and maintaining seamless failover. This architecture is suitable for enterprise environments with multiple VPCs requiring centralized inspection.

Classic Load Balancer with SSL termination only supports HTTP/S traffic and requires manual certificate management for clients. It cannot inspect arbitrary protocols or provide multi-VPC inspection.

NAT Gateway performs IP address translation for outbound traffic but cannot inspect encrypted traffic.

Security groups operate at L3/L4 layers and cannot inspect payloads or encrypted flows.

Thus, Gateway Load Balancer with inspection appliances is the correct solution for centralized, transparent inspection of encrypted traffic.

Question 133 

A company wants to route users to the nearest healthy AWS region with automatic failover. Which Route 53 policy should they use?

A) Latency-based routing with health checks
B) Weighted routing
C) Geolocation routing
D) Simple routing

Answer: A)

Explanation: 

Latency-based routing in Amazon Route 53 is designed to optimize global application performance by directing users to the AWS region that offers the lowest network latency. It continuously evaluates network conditions between clients and available endpoints, dynamically selecting the region that can respond most quickly. When paired with health checks, latency-based routing also ensures high availability by automatically removing unhealthy endpoints from DNS responses. This combination of low-latency routing and health-aware failover ensures that users experience both fast response times and reliable access, even during regional outages or endpoint failures.

The dynamic nature of latency-based routing provides a distinct advantage for globally distributed applications. DNS responses are continuously adjusted based on real-time performance measurements, which allows the system to adapt to changing network conditions. This improves user experience by minimizing application response times and reducing delays for end users located in diverse geographic regions. Additionally, the integration of health checks enables automatic failover, reducing the risk of downtime and eliminating the need for manual intervention in case of service disruptions.

Other Route 53 routing policies do not achieve the same combination of performance and resilience. Weighted routing distributes traffic according to predefined percentages, which is useful for A/B testing, canary deployments, or staged rollouts, but it does not consider network latency or automatically reroute traffic when endpoints fail. Geolocation routing directs users based on their geographic location, supporting compliance and regional content delivery, but it does not optimize for latency or endpoint performance. Simple routing returns a single IP address and provides no consideration for endpoint health or network conditions, offering neither failover capabilities nor performance optimization.

Latency-based routing with health checks is the optimal choice for organizations seeking low-latency, globally optimized, and highly available application routing. It balances speed and reliability, ensuring users are automatically directed to the fastest and healthiest endpoints, delivering the best possible experience worldwide.

Question 134 

A company wants to monitor performance of a hybrid network connecting on-premises sites to multiple AWS regions. Which AWS service should they use?

A) Transit Gateway Network Manager with CloudWatch
B) VPC Flow Logs
C) GuardDuty
D) AWS Config

Answer: A)

Explanation: 

Transit Gateway Network Manager (TGNM) provides centralized monitoring and visualization for hybrid network architectures that span multiple VPCs, AWS regions, and on-premises sites. It enables organizations to gain a comprehensive, end-to-end view of their network connectivity, allowing administrators to efficiently manage complex cloud and hybrid environments. By integrating with Amazon CloudWatch, Network Manager collects a wide range of performance metrics, including latency, packet loss, jitter, and throughput. These metrics provide actionable insights into network health and performance trends, enabling teams to detect potential issues before they impact applications.

One of the key strengths of Network Manager is its ability to visualize the network topology. Administrators can see how VPCs, VPN connections, Direct Connect links, and Transit Gateway attachments interconnect, making it easier to identify bottlenecks, misconfigurations, or points of failure. This visualization supports proactive troubleshooting, capacity planning, and optimization of routing strategies. By offering a global perspective across regions and on-premises sites, TGNM simplifies operational complexity and enhances situational awareness for enterprise networks.

Alternative AWS services do not provide the same comprehensive monitoring capabilities. VPC Flow Logs capture metadata about traffic at the Elastic Network Interface level within a VPC but do not provide performance metrics or a holistic view across hybrid networks. GuardDuty analyzes logs for security threats but does not monitor latency, throughput, or end-to-end connectivity. AWS Config focuses on auditing resource configuration and compliance but does not track network performance or trends in connectivity.

Transit Gateway Network Manager, combined with CloudWatch, delivers centralized, scalable, and detailed monitoring for hybrid networks. It provides both metric collection and topology visualization, allowing organizations to maintain high-performance, reliable connectivity across AWS regions and on-premises environments while reducing operational complexity and improving overall network visibility.

Question 135 

A company wants to capture packet-level traffic from EC2 instances for compliance auditing. Which AWS service should they use?

A) VPC Traffic Mirroring
B) VPC Flow Logs
C) GuardDuty
D) CloudTrail

Answer: A)

Explanation: 

VPC Traffic Mirroring captures packet-level traffic from Elastic Network Interfaces (ENIs) attached to EC2 instances. Mirrored traffic can be sent to monitoring or security appliances for deep packet inspection, intrusion detection, or compliance auditing. Traffic Mirroring supports both east-west and north-south flows and can be configured to capture only selected traffic, optimizing storage and analysis costs. This enables complete visibility into application-level traffic, payloads, and security events, satisfying compliance requirements.

VPC Flow Logs capture metadata such as IP addresses, ports, and protocols. While useful for monitoring and troubleshooting, they do not provide full packet payloads needed for deep inspection.

GuardDuty detects threats from analyzed logs but does not provide raw packet-level visibility or full payload inspection.

CloudTrail logs API calls for auditing purposes but does not capture network traffic or packet-level data.

Thus, VPC Traffic Mirroring is the correct solution for packet-level traffic capture for compliance auditing.

Question 136 

A company wants to accelerate large uploads to S3 from clients worldwide. Which AWS service should they use?

A) S3 Transfer Acceleration
B) DataSync
C) Snowball Edge
D) CloudFront

Answer: A)

Explanation: 

S3 Transfer Acceleration is designed to optimize and accelerate uploads of large files to Amazon S3 from geographically dispersed clients by leveraging AWS’s global edge network. When a client uploads data to an S3 bucket with Transfer Acceleration enabled, the data is first routed to the nearest AWS edge location. From the edge location, it travels over the AWS global backbone network, which is high-speed, low-latency, and optimized for reliability. This reduces round-trip times and congestion compared to sending data directly over the public internet to an S3 bucket in a single AWS region.

This solution is particularly beneficial for large datasets, including media files, backups, scientific data, or content for global applications. Clients do not need to change their underlying S3 integration significantly—Transfer Acceleration works with standard S3 APIs by simply pointing to a special acceleration-enabled endpoint URL. This minimal configuration requirement ensures that existing workflows and applications can immediately benefit from reduced upload latency and higher throughput without requiring complex network engineering changes.

Other AWS solutions, while useful in different scenarios, do not meet this specific need. DataSync is designed to automate data transfer between on-premises storage systems and S3 but does not optimize for uploads from global clients over the internet. Snowball Edge is a physical appliance intended for offline data transfer or edge computing and is not suitable for real-time, online accelerated uploads. CloudFront is a content delivery network optimized for distributing data to end-users efficiently (downloads), but it does not accelerate client uploads to S3.

S3 Transfer Acceleration also includes built-in performance optimizations such as TCP window scaling and intelligent routing, ensuring consistent performance even for high-latency or lossy network connections. Organizations with globally distributed teams, partners, or customers can leverage Transfer Acceleration to meet service-level agreements for upload performance while maintaining simplicity in application architecture.

S3 Transfer Acceleration is the most effective and practical choice for enabling high-speed, low-latency uploads to Amazon S3 from global clients. It combines AWS’s edge network, backbone optimization, and seamless integration with standard APIs, delivering both performance improvements and minimal operational overhead, making it ideal for any scenario that demands accelerated global S3 uploads.

Question 137 

A company wants to inspect encrypted traffic across multiple VPCs without modifying client applications. Which AWS service should they use?

A) Gateway Load Balancer with inspection appliances
B) Classic Load Balancer with SSL termination
C) NAT Gateway
D) Security groups

Answer: A)

Explanation: 

Gateway Load Balancer (GWLB) provides a scalable, centralized mechanism for inspecting network traffic, including encrypted flows, across multiple VPCs without requiring any changes to client applications. By integrating with Transit Gateway or VPC routing, GWLB transparently directs traffic to third-party inspection appliances capable of decrypting, inspecting, and re-encrypting traffic. These appliances can perform deep packet inspection, enforce security policies, detect malware, and implement intrusion detection and prevention.

The key advantage of GWLB is its ability to centralize inspection across multiple VPCs or accounts, eliminating the need to deploy inspection appliances individually in each VPC. This reduces complexity and operational overhead while maintaining high availability and scalability. Traffic inspection occurs transparently, allowing applications and clients to operate without any modifications or additional configurations, which is crucial for organizations seeking enterprise-grade security without disrupting existing workflows.

Alternative AWS options do not provide the same capabilities. Classic Load Balancer with SSL termination is limited to HTTP/S protocols and requires manual TLS certificate management. It cannot inspect arbitrary protocols or provide centralized inspection for multiple VPCs. NAT Gateway performs IP address translation but offers no traffic inspection or decryption functionality. Security groups operate at the network and transport layers (L3/L4) and are designed to filter traffic based on IP addresses and ports; they cannot inspect encrypted payloads or enforce complex security policies.

GWLB also supports enterprise features such as automatic scaling, appliance chaining for redundancy, and high availability, enabling organizations to maintain uninterrupted inspection even during peak loads or appliance failures. Centralized logging and monitoring further enhance security operations, providing insight into potential threats and compliance with regulatory requirements.

Gateway Load Balancer with inspection appliances is the optimal solution for organizations that require centralized inspection of encrypted traffic across multiple VPCs. It provides transparent, scalable, and secure traffic inspection, minimizes operational complexity, and ensures high availability for enterprise networks, making it the ideal choice for modern, security-focused AWS architectures.

Question 138 

A company wants to enforce domain-level outbound DNS filtering across multiple VPCs and accounts. Which service should they use?

A) Route 53 Resolver DNS Firewall
B) NAT Gateway
C) Internet Gateway
D) Security groups

Answer: A)

Explanation: 

Route 53 Resolver DNS Firewall enables organizations to enforce centralized, domain-level DNS filtering across multiple VPCs and AWS accounts. It allows administrators to define firewall rule groups to block, allow, or redirect DNS queries based on domain names. These rules can be applied to multiple VPCs, providing consistent policy enforcement across an organization’s cloud footprint. Additionally, Resolver endpoints can route DNS queries from on-premises networks through the firewall, ensuring hybrid environments adhere to the same DNS security policies.

DNS Firewall provides visibility into query activity through logging, enabling auditing, compliance tracking, and threat detection. Organizations can monitor which domains are being accessed, whether queries are allowed or blocked, and which VPCs initiated the requests. This level of visibility helps identify potential malware communication, phishing attempts, or unauthorized access attempts, strengthening the organization’s security posture.

Alternative solutions are limited in their capabilities. NAT Gateway performs network address translation but does not inspect or filter DNS queries. Internet Gateway provides internet access for VPCs but cannot perform domain-based filtering or enforce DNS policies. Security groups filter traffic based on IP, port, and protocol, but they cannot inspect DNS queries at the domain level. Therefore, these options do not provide the granular control necessary for centralized DNS security.

DNS Firewall is highly scalable, allowing organizations to manage rules across many VPCs and accounts centrally. Its integration with hybrid networks ensures that even on-premises DNS traffic can be filtered according to cloud-based policies. This reduces the administrative burden of maintaining multiple independent DNS filtering solutions and ensures that policies are consistently enforced, minimizing security risks.

Route 53 Resolver DNS Firewall is the ideal solution for enforcing centralized, domain-level outbound DNS filtering across multiple VPCs and hybrid environments. It provides robust control, detailed logging, easy scalability, and consistency across cloud and on-premises networks, ensuring DNS security without requiring changes to client applications or workloads.

Question 139

A company wants to monitor hybrid network performance across AWS regions and on-premises sites. Which service should they use?

A) Transit Gateway Network Manager with CloudWatch
B) VPC Flow Logs
C) GuardDuty
D) AWS Config

Answer: A)

Explanation: 

Transit Gateway Network Manager (TGNM) is a centralized AWS service designed to monitor and visualize hybrid networks that span multiple VPCs, regions, and on-premises sites. It integrates seamlessly with Amazon CloudWatch to collect real-time metrics such as latency, packet loss, jitter, and throughput across VPN connections, Direct Connect links, and Transit Gateway attachments. By consolidating these metrics, administrators can gain a comprehensive view of network performance and health across both cloud and on-premises environments.

Network Manager provides topology visualization, enabling administrators to understand the relationships between VPCs, VPNs, and data centers. This global perspective is crucial for identifying performance bottlenecks, troubleshooting connectivity issues, and planning capacity expansions. With CloudWatch integration, organizations can set alarms, monitor trends over time, and receive notifications for anomalous network behavior. This proactive approach allows for better operational planning and ensures high performance for critical applications across multiple regions and hybrid architectures.

Alternative AWS services are limited in scope. VPC Flow Logs capture metadata about traffic at the Elastic Network Interface (ENI) level within individual VPCs but do not provide end-to-end metrics for hybrid networks. GuardDuty analyzes logs for security threats but does not monitor network performance or provide performance visualization. AWS Config tracks configuration changes and compliance but does not collect performance metrics or analyze traffic patterns. Consequently, none of these services alone provide the holistic performance monitoring required for hybrid networks spanning multiple regions.

TGNM’s centralized approach simplifies the operational management of complex networks, reducing the need for multiple independent monitoring tools. It also supports hybrid integration, allowing metrics from on-premises routers and VPNs to be incorporated into the AWS monitoring framework. Organizations can correlate network performance with application behavior, enabling informed decisions for network optimization and troubleshooting.

Transit Gateway Network Manager with CloudWatch provides a complete solution for monitoring hybrid network performance across AWS regions and on-premises sites. It combines centralized visualization, real-time metrics, historical analysis, and alerting, allowing administrators to proactively maintain optimal network performance, improve reliability, and ensure seamless connectivity for enterprise applications.

Question 140 

A company wants to route traffic to the AWS region with the lowest latency while automatically failing over unhealthy endpoints. Which Route 53 routing policy should they use?

A) Latency-based routing with health checks
B) Weighted routing
C) Geolocation routing
D) Simple routing

Answer: A)

Explanation: 

Latency-based routing in Amazon Route 53 directs users to the AWS region that provides the lowest network latency. When combined with health checks, this routing policy not only optimizes performance by minimizing response times but also ensures high availability by automatically failing over from unhealthy endpoints. Route 53 continuously evaluates the health of endpoints and removes any failing servers from DNS responses, preventing clients from being directed to unavailable resources.

Latency-based routing is particularly valuable for global applications where users are distributed across multiple regions. By directing traffic based on real-time latency measurements, it ensures that end users experience the fastest possible application response times. This approach improves user experience, reduces perceived load times, and enhances the overall performance of globally distributed services.

Health checks complement latency-based routing by monitoring the status of each endpoint. If an endpoint fails a health check, Route 53 automatically reroutes traffic to the next best-performing, healthy region. This combination ensures both performance optimization and fault tolerance, addressing the dual goals of low latency and high availability.

Other Route 53 routing policies do not provide the same level of performance optimization. Weighted routing allows traffic to be distributed according to predefined weights but does not account for latency or endpoint health. Geolocation routing directs traffic based on the client’s geographic location, ignoring network performance or real-time latency. Simple routing returns a single IP address without any consideration of latency or health checks, making it unsuitable for dynamic failover or performance optimization.

Latency-based routing with health checks is also flexible, allowing organizations to define fallback regions, combine with multiple endpoints per region, and integrate with monitoring systems for proactive traffic management. It ensures that users are automatically connected to the most responsive and reliable endpoint without requiring manual intervention.

Latency-based routing with health checks provides an optimal global routing strategy. It dynamically routes clients to the region with the lowest network latency, automatically avoids unhealthy endpoints, and enhances both performance and reliability for distributed applications. For organizations aiming to deliver fast, resilient services to global users, this is the recommended Route 53 routing policy.