ANS-C00: AWS Certified Advanced Networking – Specialty Practice Exam

Getting ready for the ANS-C00: AWS Certified Advanced Networking – Specialty requires a balanced approach that includes both study and practice. This test is designed to help you apply what you’ve learned in a practical way. Instead of passively reading material, you’ll actively engage with questions that challenge your understanding. This not only improves retention but also prepares you for the type of thinking required during the actual exam. Make sure to review each answer carefully to maximize your learning.

Updated for 2026: This guide provides a structured approach to help you prepare effectively, understand key concepts, and practice real exam-level questions.

How to Use This Practice Test

  • Start by reviewing key concepts before attempting questions
  • Take the test in a timed environment
  • Analyze your mistakes and revisit weak areas

Why This Practice Test Matters

This practice test is designed to simulate the real exam environment and help you identify knowledge gaps, improve accuracy, and build confidence.

Exam Name: ANS-C00 Practice Exam – AWS Certified Advanced Networking Specialty (2026 Updated)
Exam Provider: Amazon Web Services (AWS)
Certification Type: Advanced Specialty Certification (Cloud Networking & Hybrid Architecture)
Total Practice Questions: 150 Advanced MCQs (Real Exam-Level + Scenario-Based + Architecture + Troubleshooting)

Exam Domains Covered:
  • Hybrid Connectivity (VPN, Direct Connect, Multi-Region Design)
  • Core AWS Networking (VPC, Subnets, Routing, IP Addressing)
  • Network Security & Compliance (WAF, Shield, Firewall Manager, PrivateLink)
  • DNS & Traffic Management (Route 53, Resolver, Routing Policies)
  • Performance Optimization (Global Accelerator, CloudFront, Load Balancing)
  • Monitoring & Troubleshooting (Flow Logs, Traffic Mirroring, GuardDuty)

Questions in Real Exam:
  • Total: 65 Questions
  • Mix of scenario-based and advanced technical questions
  • Focus on real-world architecture decisions and trade-offs

Exam Duration:
  • Total Time: 170 Minutes
  • Long, scenario-heavy questions requiring deep analysis
  • Time management is critical due to complex architectures

Passing Score:
  • Scaled Score: 750 / 1000
  • Requires strong conceptual clarity and scenario accuracy
  • Partial scoring applied in some multi-step questions

Question Format:
  • Multiple Choice (Single & Multiple Answer)
  • Scenario-Based Architecture Questions
  • Network Troubleshooting Cases
  • Design Optimization & Cost-Efficiency Questions
  • Security & Compliance Decision-Making

Difficulty Level: Advanced to Expert (Deep Networking + Real-World Scenarios + AWS Architecture)

Key Knowledge Areas:
  • VPC design, CIDR planning, subnetting strategies
  • Hybrid networking (VPN, Direct Connect, Transit Gateway)
  • DNS architecture (Route 53, Resolver, split-horizon DNS)
  • Traffic routing and failover strategies (latency, weighted, failover)
  • Network security layers (Security Groups, NACLs, WAF, Shield)
  • Performance optimization (Global Accelerator, CloudFront, ENA)
  • Monitoring and troubleshooting (Flow Logs, Traffic Mirroring)
  • Multi-account and multi-region architectures

Common Exam Traps:
  • Choosing VPC Peering instead of Transit Gateway for scale
  • Ignoring CIDR overlap issues in hybrid environments
  • Confusing PrivateLink vs VPC Peering vs Endpoints
  • Selecting DNS routing policies incorrectly (latency vs failover)
  • Overlooking asymmetric routing in inspection architectures
  • Missing security layers (WAF vs Shield vs NACL vs SG)
  • Choosing VPN instead of Direct Connect for performance needs

Skills Developed:
  • Advanced cloud network architecture design
  • Hybrid and multi-region connectivity planning
  • Deep troubleshooting of network issues
  • Performance tuning and optimization strategies
  • Security architecture and compliance implementation
  • Decision-making under complex real-world scenarios

Study Strategy:
  • Master core networking fundamentals (CIDR, routing, DNS)
  • Practice scenario-based questions daily
  • Focus on architecture trade-offs (cost vs performance vs security)
  • Learn when to use each AWS networking service
  • Take full-length timed mock exams regularly
  • Review rationales deeply to understand AWS decision logic
  • Identify weak domains and reinforce with targeted practice

Best For:
  • Cloud Network Engineers & Solutions Architects
  • AWS Certified Professionals aiming for Specialty level
  • DevOps Engineers working with complex infrastructures
  • IT professionals designing hybrid or multi-region systems

Career Benefits:
  • Validates expert-level AWS networking skills
  • High demand in cloud architecture and DevOps roles
  • Increases salary potential and global job opportunities
  • Strengthens credibility in enterprise cloud solutions

Updated: 2026 Latest Version – Based on Current AWS Exam Guide & Real Exam Patterns

1.

A company needs hybrid DNS resolution between on-premises and AWS. Which solution is best?

A. Route 53 public hosted zone
B. Route 53 Resolver inbound and outbound endpoints
C. CloudFront with custom domain
D. AWS Global Accelerator

Answer: B
Rationale: Route 53 Resolver endpoints enable bi-directional DNS resolution between on-premises and VPC environments. Inbound endpoints allow on-prem queries to AWS, while outbound endpoints let AWS resolve on-prem domains. This ensures seamless hybrid DNS without exposing records publicly.


2.

Which AWS service provides static anycast IP addresses for global applications?

A. CloudFront
B. Route 53
C. Global Accelerator
D. ELB

Answer: C
Rationale: AWS Global Accelerator uses anycast IPs to route traffic to optimal endpoints based on health and latency. Unlike CloudFront, it supports non-HTTP protocols and improves availability and failover performance across regions.


3.

You need to inspect traffic between subnets in a VPC. What should you use?

A. Security Groups
B. NACLs
C. VPC Traffic Mirroring
D. Flow Logs

Answer: C
Rationale: VPC Traffic Mirroring allows copying network traffic from ENIs to monitoring appliances for deep inspection. Security groups and NACLs control traffic, while Flow Logs only capture metadata, not full packet data.


4.

Which routing protocol does AWS Direct Connect support?

A. OSPF
B. BGP
C. EIGRP
D. RIP

Answer: B
Rationale: AWS Direct Connect uses BGP for dynamic routing between on-premises and AWS. BGP enables automatic route advertisement and failover, making it ideal for hybrid connectivity and redundancy scenarios.


5.

What is the maximum number of VPC peering connections per VPC?

A. 50
B. 100
C. 125
D. 200

Answer: C
Rationale: AWS allows up to 125 VPC peering connections per VPC (subject to change via quota increase). This limit ensures manageable routing complexity and avoids excessive route table entries.


6.

Which service enables private connectivity to AWS services without internet access?

A. NAT Gateway
B. Internet Gateway
C. VPC Endpoint
D. VPN Gateway

Answer: C
Rationale: VPC Endpoints allow private access to AWS services via the AWS backbone. Interface endpoints use ENIs, and gateway endpoints support S3/DynamoDB, eliminating the need for NAT or internet gateways.


7.

Which load balancer operates at Layer 7?

A. NLB
B. ALB
C. GWLB
D. CLB

Answer: B
Rationale: Application Load Balancer operates at Layer 7 and supports HTTP/HTTPS routing based on host/path rules. It enables advanced routing, authentication, and microservices architectures.


8.

What is required for cross-region VPC peering?

A. Same CIDR blocks
B. Non-overlapping CIDR blocks
C. Same account
D. Same AZ

Answer: B
Rationale: VPC peering requires non-overlapping CIDR ranges to avoid routing conflicts. Cross-region peering works across accounts and regions but still requires unique IP ranges.


9.

Which AWS service helps mitigate DDoS attacks automatically?

A. WAF
B. Shield Standard
C. GuardDuty
D. Inspector

Answer: B
Rationale: AWS Shield Standard provides automatic DDoS protection at no additional cost. It protects against common network and transport layer attacks without user configuration.


10.

Which feature improves VPN performance using AWS backbone?

A. Accelerated VPN
B. Direct Connect
C. Transit Gateway
D. NAT Gateway

Answer: A
Rationale: Accelerated Site-to-Site VPN uses AWS Global Accelerator to route traffic over the AWS global network, reducing latency and improving throughput compared to standard internet VPN.


11.

Which service centralizes routing across multiple VPCs?

A. VPC Peering
B. Transit Gateway
C. Route 53
D. NAT Gateway

Answer: B
Rationale: Transit Gateway acts as a hub-and-spoke router connecting multiple VPCs and on-prem networks. It simplifies routing management compared to full-mesh VPC peering.


12.

Which DNS routing policy supports latency-based routing?

A. Simple
B. Weighted
C. Latency
D. Failover

Answer: C
Rationale: Latency routing directs users to the region with lowest latency based on AWS measurements, improving user experience for globally distributed applications.


13.

Which protocol does ALB support?

A. TCP
B. UDP
C. HTTP/HTTPS
D. ICMP

Answer: C
Rationale: ALB operates at Layer 7 and supports HTTP/HTTPS only. For TCP/UDP, Network Load Balancer should be used.


14.

What is the main benefit of AWS PrivateLink?

A. Public access
B. Secure private service access
C. Faster DNS
D. Load balancing

Answer: B
Rationale: PrivateLink enables secure, private connectivity to services over the AWS network without exposing them to the public internet, enhancing security and compliance.


15.

Which service monitors DNS queries for threats?

A. CloudWatch
B. GuardDuty
C. Inspector
D. Macie

Answer: B
Rationale: GuardDuty analyzes DNS logs, VPC Flow Logs, and CloudTrail events to detect malicious activity such as data exfiltration and compromised instances.


16.

Which AWS service provides edge caching?

A. Route 53
B. CloudFront
C. Global Accelerator
D. ELB

Answer: B
Rationale: CloudFront caches content at edge locations globally, reducing latency and improving performance for static and dynamic content delivery.


17.

Which component allows outbound internet access from a private subnet?

A. IGW
B. NAT Gateway
C. VPC Endpoint
D. Transit Gateway

Answer: B
Rationale: NAT Gateway allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections.


18.

Which routing table entry enables internet access?

A. Local route
B. IGW route
C. NAT route
D. Peering route

Answer: B
Rationale: A route pointing to an Internet Gateway enables internet connectivity for public subnets, allowing inbound and outbound traffic.


19.

Which AWS service supports TLS termination?

A. NLB
B. ALB
C. Route 53
D. Transit Gateway

Answer: B
Rationale: ALB supports TLS termination, offloading SSL processing from backend servers and improving performance and security.


20.

Which service aggregates logs across accounts?

A. CloudTrail
B. CloudWatch Logs
C. S3
D. All of the above

Answer: D
Rationale: All listed services can aggregate logs across accounts using central logging strategies, providing visibility and compliance.


21.

Which AWS feature allows traffic inspection appliances?

A. GWLB
B. ALB
C. NLB
D. CloudFront

Answer: A
Rationale: Gateway Load Balancer integrates with third-party appliances for traffic inspection, scaling them automatically and maintaining flow stickiness.


22.

Which AWS service provides DNS failover?

A. Route 53
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Route 53 failover routing directs traffic to healthy endpoints based on health checks, ensuring high availability.


23.

Which connectivity option provides the lowest-latency hybrid connection?

A. VPN
B. Direct Connect
C. Peering
D. NAT

Answer: B
Rationale: Direct Connect offers dedicated private connectivity with consistent low latency and high bandwidth compared to internet-based VPN.


24.

Which AWS feature supports multicast?

A. VPC Peering
B. Transit Gateway
C. IGW
D. NAT

Answer: B
Rationale: Transit Gateway supports multicast, enabling efficient distribution of data streams like video or financial feeds across multiple receivers.


25.

Which service enables centralized firewall management?

A. WAF
B. Firewall Manager
C. Shield
D. GuardDuty

Answer: B
Rationale: AWS Firewall Manager allows centralized configuration of firewall rules across accounts, ensuring consistent security posture.


26.

Which AWS service provides network-level protection?

A. Shield
B. WAF
C. GuardDuty
D. Inspector

Answer: A
Rationale: Shield protects against network and transport layer DDoS attacks, while WAF operates at the application layer.


27.

Which AWS service supports UDP load balancing?

A. ALB
B. NLB
C. CLB
D. CloudFront

Answer: B
Rationale: Network Load Balancer supports TCP, UDP, and TLS, making it ideal for high-performance and low-latency workloads.


28.

Which AWS feature logs API activity?

A. CloudTrail
B. CloudWatch
C. GuardDuty
D. Inspector

Answer: A
Rationale: CloudTrail records API calls across AWS services, enabling auditing, compliance, and security analysis.


29.

Which service provides private DNS for a VPC?

A. Route 53 Private Hosted Zone
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Private hosted zones allow DNS resolution within a VPC, ensuring internal services are not exposed publicly.


30.

Which AWS service enables centralized network connectivity?

A. Transit Gateway
B. VPC Peering
C. IGW
D. NAT Gateway

Answer: A
Rationale: Transit Gateway centralizes network connectivity, simplifying architecture and reducing complexity compared to managing multiple peering connections.

31.

A company needs to route traffic between 50 VPCs with minimal management overhead. What is the best solution?

A. Full mesh VPC peering
B. Transit Gateway
C. Site-to-Site VPN
D. Direct Connect

Answer: B
Rationale: Full mesh peering would require hundreds of connections and complex route tables. Transit Gateway simplifies this with a hub-and-spoke model, centralizing routing and reducing operational overhead significantly.


32.

Which feature ensures deterministic routing in AWS Direct Connect?

A. Static routing
B. BGP local preference
C. Route 53
D. NAT Gateway

Answer: B
Rationale: BGP local preference allows control over preferred paths for inbound and outbound traffic, ensuring predictable routing decisions in hybrid architectures using Direct Connect.


33.

A company wants to prevent overlapping CIDR conflicts across multiple VPCs. What is recommended?

A. Use same CIDR
B. IPAM
C. NAT Gateway
D. IGW

Answer: B
Rationale: AWS IP Address Manager (IPAM) helps centrally plan and manage CIDR allocations across accounts and regions, preventing overlaps and ensuring scalable IP management.


34.

Which service allows transparent insertion of security appliances?

A. ALB
B. GWLB
C. NLB
D. Route 53

Answer: B
Rationale: Gateway Load Balancer enables transparent deployment of third-party appliances like firewalls using GENEVE encapsulation while maintaining flow consistency and scalability.


35.

Which AWS service improves TCP performance globally?

A. Route 53
B. Global Accelerator
C. CloudFront
D. Direct Connect

Answer: B
Rationale: Global Accelerator optimizes TCP connections using the AWS global network and anycast IPs, improving latency, failover, and performance for global users.


36.

Which VPC component blocks traffic explicitly?

A. Security Group
B. NACL
C. Route Table
D. IGW

Answer: B
Rationale: Network ACLs are stateless and support explicit allow/deny rules, making them suitable for blocking traffic. Security groups support only allow rules and cannot explicitly deny traffic.


37.

Which service supports cross-account VPC sharing?

A. Transit Gateway
B. Resource Access Manager
C. CloudFormation
D. Route 53

Answer: B
Rationale: AWS RAM enables sharing of VPC subnets and resources across accounts, allowing centralized network management and reducing duplication.


38.

Which protocol is used in Site-to-Site VPN tunnels?

A. HTTP
B. IPSec
C. TCP
D. UDP

Answer: B
Rationale: AWS Site-to-Site VPN uses IPSec tunnels for secure encrypted communication between on-premises and AWS infrastructure over the internet.


39.

Which AWS feature enables failover between regions automatically?

A. Latency routing
B. Failover routing
C. Weighted routing
D. Simple routing

Answer: B
Rationale: Route 53 failover routing uses health checks to automatically redirect traffic to a secondary region when the primary endpoint becomes unhealthy.


40.

Which service allows inspection of encrypted traffic?

A. NACL
B. GWLB with appliance
C. Route 53
D. IGW

Answer: B
Rationale: GWLB with integrated security appliances can decrypt, inspect, and re-encrypt traffic, providing deep packet inspection even for encrypted data flows.


41.

Which AWS service logs VPC network metadata?

A. CloudTrail
B. VPC Flow Logs
C. GuardDuty
D. Inspector

Answer: B
Rationale: VPC Flow Logs capture metadata about network traffic, including source, destination, and ports, useful for troubleshooting and security analysis.


42.

Which service supports HTTP header-based routing?

A. NLB
B. ALB
C. GWLB
D. Route 53

Answer: B
Rationale: ALB supports advanced routing based on HTTP headers, paths, and hostnames, making it ideal for microservices and containerized applications.


43.

Which AWS feature reduces DNS query latency globally?

A. Route 53 Resolver
B. Route 53 latency routing
C. CloudFront
D. Global Accelerator

Answer: B
Rationale: Latency routing ensures users are directed to the nearest AWS region based on DNS query latency, improving response times.


44.

Which AWS service detects port scanning?

A. GuardDuty
B. Inspector
C. Macie
D. WAF

Answer: A
Rationale: GuardDuty analyzes VPC Flow Logs and DNS logs to detect suspicious activities like port scans, brute force attempts, and reconnaissance.


45.

Which service allows IPv6-only workloads?

A. NAT Gateway
B. Egress-only IGW
C. Transit Gateway
D. VPC Peering

Answer: B
Rationale: Egress-only Internet Gateway allows outbound IPv6 traffic while blocking inbound connections, enabling secure IPv6-only architectures.


46.

Which service handles SSL certificates in AWS?

A. IAM
B. ACM
C. CloudTrail
D. Route 53

Answer: B
Rationale: AWS Certificate Manager provisions, manages, and deploys SSL/TLS certificates for use with AWS services like ALB and CloudFront.


47.

Which service supports DNS query logging?

A. Route 53 Resolver logs
B. CloudFront logs
C. ELB logs
D. NAT logs

Answer: A
Rationale: Route 53 Resolver query logging captures DNS queries within a VPC, enabling monitoring and security analysis of DNS activity.


48.

Which AWS service enables centralized DNS management?

A. Route 53
B. CloudFront
C. ELB
D. NAT

Answer: A
Rationale: Route 53 supports public and private hosted zones, health checks, and routing policies, making it central to DNS management in AWS.


49.

Which AWS feature supports jumbo frames?

A. ALB
B. ENA
C. CloudFront
D. Route 53

Answer: B
Rationale: Elastic Network Adapter supports jumbo frames (up to 9001 MTU), improving performance for high-throughput workloads.


50.

Which service supports multi-region failover?

A. Route 53
B. ALB
C. NLB
D. NAT Gateway

Answer: A
Rationale: Route 53 enables DNS-based failover across regions using health checks and routing policies, ensuring high availability.


51.

Which AWS service enables packet-level capture?

A. Flow Logs
B. Traffic Mirroring
C. GuardDuty
D. CloudTrail

Answer: B
Rationale: Traffic Mirroring captures full packet data, enabling deep inspection and troubleshooting, unlike Flow Logs which only provide metadata.


52.

Which AWS service provides private connectivity to SaaS providers?

A. VPC Peering
B. PrivateLink
C. Transit Gateway
D. NAT Gateway

Answer: B
Rationale: PrivateLink enables secure private access to SaaS and AWS services without exposing traffic to the public internet.


53.

Which service improves application availability globally?

A. Global Accelerator
B. Route 53 simple routing
C. NAT Gateway
D. IGW

Answer: A
Rationale: Global Accelerator routes traffic to healthy endpoints across regions using anycast IPs, improving availability and failover speed.


54.

Which AWS service protects against SQL injection?

A. Shield
B. WAF
C. GuardDuty
D. Inspector

Answer: B
Rationale: AWS WAF filters HTTP requests and protects applications from SQL injection and other web exploits at the application layer.


55.

Which routing method distributes traffic proportionally?

A. Simple
B. Weighted
C. Latency
D. Failover

Answer: B
Rationale: Weighted routing distributes traffic based on assigned weights, useful for A/B testing and gradual deployments.


56.

Which AWS service supports hybrid DNS forwarding?

A. Route 53 Resolver
B. CloudFront
C. ELB
D. NAT

Answer: A
Rationale: Route 53 Resolver supports conditional forwarding between on-premises and AWS, enabling hybrid DNS architectures.


57.

Which AWS feature ensures high availability for VPN?

A. Single tunnel
B. Dual tunnels
C. NAT Gateway
D. IGW

Answer: B
Rationale: AWS VPN provides two tunnels for redundancy. If one fails, traffic automatically switches to the other, ensuring availability.


58.

Which service supports connection draining?

A. ALB
B. Route 53
C. NAT
D. IGW

Answer: A
Rationale: ALB supports connection draining (deregistration delay), allowing in-flight requests to complete before removing instances.


59.

Which AWS service provides centralized threat visibility?

A. GuardDuty
B. Inspector
C. Macie
D. Shield

Answer: A
Rationale: GuardDuty aggregates threat detection across accounts and services, providing centralized security insights and anomaly detection.


60.

Which AWS service simplifies multi-account networking?

A. Transit Gateway
B. VPC Peering
C. NAT Gateway
D. IGW

Answer: A
Rationale: Transit Gateway integrates with AWS Organizations and RAM, enabling scalable and centralized networking across multiple accounts.

61.

A company needs to route traffic from on-prem to multiple VPCs using a single connection. What should they use?

A. VPC Peering
B. Transit Gateway with Direct Connect
C. NAT Gateway
D. Internet Gateway

Answer: B
Rationale: Transit Gateway combined with Direct Connect allows centralized routing from on-premises to multiple VPCs through a single connection. This reduces complexity compared to managing multiple VPNs or peering connections and improves scalability.


62.

Which AWS service provides consistent IP addresses for failover across regions?

A. Route 53
B. Global Accelerator
C. CloudFront
D. ALB

Answer: B
Rationale: Global Accelerator provides static anycast IP addresses that remain constant even during failover across regions, unlike Route 53 which relies on DNS changes that may take time to propagate.


63.

Which AWS feature ensures symmetric routing through appliances?

A. ALB
B. GWLB
C. NLB
D. Route 53

Answer: B
Rationale: Gateway Load Balancer ensures traffic flows symmetrically through security appliances using flow stickiness, which is critical for stateful inspection and maintaining session integrity.


64.

Which solution reduces latency for global TCP applications?

A. Route 53 simple routing
B. Global Accelerator
C. NAT Gateway
D. IGW

Answer: B
Rationale: Global Accelerator routes traffic over the AWS global backbone instead of the public internet, improving latency, jitter, and reliability for TCP and UDP applications globally.


65.

Which AWS service allows DNS split-horizon architecture?

A. Route 53 public zone
B. Route 53 private hosted zone
C. CloudFront
D. ELB

Answer: B
Rationale: Private hosted zones enable internal DNS resolution within VPCs, allowing split-horizon DNS where internal and external users resolve different IPs for the same domain.


66.

Which AWS feature allows centralized inspection of VPC traffic?

A. VPC Peering
B. Transit Gateway with appliance mode
C. NAT Gateway
D. IGW

Answer: B
Rationale: Transit Gateway appliance mode enables routing traffic through centralized inspection VPCs, ensuring all traffic passes through security appliances for monitoring and compliance.


67.

Which service supports HTTP/2 and gRPC?

A. NLB
B. ALB
C. GWLB
D. Route 53

Answer: B
Rationale: ALB supports HTTP/2 and gRPC, enabling modern microservices communication with improved performance and multiplexing capabilities.


68.

Which AWS service provides DDoS protection at Layer 7?

A. Shield Standard
B. Shield Advanced
C. WAF
D. GuardDuty

Answer: C
Rationale: AWS WAF protects at the application layer (Layer 7), filtering malicious HTTP requests such as SQL injection and XSS, complementing Shield’s network-layer protection.


69.

Which feature enables route prioritization in BGP?

A. MED
B. Local Preference
C. AS Path
D. All of the above

Answer: D
Rationale: BGP path selection considers multiple attributes including local preference, AS path length, and MED to determine the best route, allowing fine-grained traffic engineering.


70.

Which AWS service enables centralized logging for DNS queries?

A. Route 53 Resolver Query Logging
B. CloudTrail
C. GuardDuty
D. Inspector

Answer: A
Rationale: Route 53 Resolver query logging captures DNS queries within VPCs and sends them to CloudWatch or S3, enabling monitoring and security analysis.


71.

Which AWS feature supports IPv6 outbound-only traffic?

A. NAT Gateway
B. IGW
C. Egress-only IGW
D. Transit Gateway

Answer: C
Rationale: Egress-only Internet Gateway allows outbound IPv6 traffic while blocking inbound connections, similar to NAT behavior for IPv4 but designed specifically for IPv6.


72.

Which service provides centralized VPC connectivity and segmentation?

A. VPC Peering
B. Transit Gateway
C. NAT Gateway
D. IGW

Answer: B
Rationale: Transit Gateway enables segmentation using route tables and attachments, allowing fine-grained control over traffic flow between VPCs and networks.


73.

Which AWS service supports UDP-based applications globally?

A. ALB
B. NLB
C. CloudFront
D. Route 53

Answer: B
Rationale: NLB supports UDP and provides high throughput and low latency, making it suitable for gaming, VoIP, and real-time streaming applications.


74.

Which AWS service enables secure service exposure across accounts?

A. VPC Peering
B. PrivateLink
C. Transit Gateway
D. NAT Gateway

Answer: B
Rationale: PrivateLink allows exposing services securely across accounts without requiring public IPs or routing changes, improving security posture.


75.

Which AWS service improves availability with health checks?

A. Route 53
B. CloudFront
C. NAT Gateway
D. IGW

Answer: A
Rationale: Route 53 health checks monitor endpoints and reroute traffic automatically when failures are detected, ensuring high availability.


76.

Which AWS feature enables deep packet inspection?

A. Flow Logs
B. Traffic Mirroring
C. CloudTrail
D. GuardDuty

Answer: B
Rationale: Traffic Mirroring captures full packet data for analysis, enabling deep packet inspection by third-party tools for security and troubleshooting.


77.

Which AWS service supports TLS passthrough?

A. ALB
B. NLB
C. CloudFront
D. Route 53

Answer: B
Rationale: NLB supports TLS passthrough, allowing backend instances to handle encryption, which is useful for end-to-end encryption scenarios.


78.

Which AWS service supports DNS failover with health checks?

A. Route 53
B. ALB
C. NLB
D. NAT Gateway

Answer: A
Rationale: Route 53 integrates health checks with failover routing policies to automatically redirect traffic to healthy endpoints.


79.

Which AWS service helps detect data exfiltration?

A. GuardDuty
B. Inspector
C. Macie
D. Shield

Answer: A
Rationale: GuardDuty analyzes DNS logs and traffic patterns to detect suspicious behavior like data exfiltration attempts.


80.

Which AWS feature supports multi-region traffic steering?

A. Route 53
B. NAT Gateway
C. IGW
D. NACL

Answer: A
Rationale: Route 53 routing policies like latency, weighted, and failover enable traffic steering across multiple regions.


81.

Which AWS service allows centralized firewall rule enforcement?

A. WAF
B. Firewall Manager
C. Shield
D. GuardDuty

Answer: B
Rationale: Firewall Manager enables centralized management of WAF rules and security policies across multiple AWS accounts.


82.

Which AWS feature ensures high throughput networking?

A. ENA
B. NAT Gateway
C. IGW
D. Route 53

Answer: A
Rationale: Elastic Network Adapter provides enhanced networking with higher bandwidth, lower latency, and support for advanced features like SR-IOV.


83.

Which AWS service supports global edge locations?

A. CloudFront
B. Route 53
C. Global Accelerator
D. All of the above

Answer: D
Rationale: All these services leverage AWS global infrastructure and edge locations to improve performance, availability, and routing efficiency.


84.

Which AWS feature enables routing segmentation in Transit Gateway?

A. Route tables
B. Security groups
C. NACLs
D. IGW

Answer: A
Rationale: Transit Gateway route tables allow segmentation and isolation of traffic between different VPCs and networks.


85.

Which AWS service supports DNS forwarding rules?

A. Route 53 Resolver
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Route 53 Resolver supports conditional forwarding rules, enabling hybrid DNS resolution between AWS and on-premises systems.


86.

Which AWS service provides real-time threat detection?

A. GuardDuty
B. Inspector
C. Macie
D. Shield

Answer: A
Rationale: GuardDuty continuously monitors logs and network activity to detect threats in real time using machine learning and threat intelligence.


87.

Which AWS feature supports cross-region load balancing?

A. Route 53
B. ALB
C. NLB
D. NAT Gateway

Answer: A
Rationale: Route 53 enables cross-region load balancing using DNS-based routing policies like latency and weighted routing.


88.

Which AWS service enables hybrid connectivity with encryption?

A. Direct Connect
B. VPN
C. Transit Gateway
D. VPC Peering

Answer: B
Rationale: VPN provides encrypted connectivity over the internet, while Direct Connect does not encrypt traffic unless combined with VPN.


89.

Which AWS service supports container-based networking?

A. ALB
B. NLB
C. AWS App Mesh
D. Route 53

Answer: C
Rationale: AWS App Mesh provides service mesh capabilities for containerized applications, enabling traffic routing, observability, and resilience.


90.

Which AWS feature improves failover speed compared to DNS?

A. Route 53
B. Global Accelerator
C. CloudFront
D. NAT Gateway

Answer: B
Rationale: Global Accelerator uses health checks and anycast routing for near-instant failover, avoiding DNS propagation delays seen in Route 53 failover.

91.

A company has overlapping CIDR ranges across multiple acquired VPCs. They need full connectivity without re-IP. What is the best solution?

A. VPC Peering
B. Transit Gateway
C. PrivateLink
D. NAT Gateway

Answer: C
Rationale: VPC Peering and Transit Gateway both require non-overlapping CIDR ranges. PrivateLink allows communication via interface endpoints without exposing IP ranges, effectively bypassing overlap issues while maintaining secure service-level connectivity.


92.

A workload requires deterministic failover within seconds globally. Which solution is best?

A. Route 53 failover
B. Route 53 latency routing
C. Global Accelerator
D. CloudFront

Answer: C
Rationale: Global Accelerator provides near-instant failover using health checks and anycast IPs, unlike DNS-based failover which depends on TTL and propagation delays, making it slower and less predictable.


93.

A company needs to inspect east-west traffic across VPCs centrally. What is the best architecture?

A. VPC Peering
B. Transit Gateway with inspection VPC
C. NAT Gateway
D. IGW

Answer: B
Rationale: Transit Gateway with an inspection VPC allows routing traffic through centralized security appliances using appliance mode, ensuring consistent inspection across all VPCs without complex peering setups.


94.

Which AWS service is best for exposing internal services securely to third parties?

A. VPC Peering
B. PrivateLink
C. Transit Gateway
D. IGW

Answer: B
Rationale: PrivateLink allows secure, private exposure of services without requiring public IPs or direct routing between networks, minimizing attack surface and simplifying access control.


95.

A company needs hybrid DNS where on-prem queries resolve AWS private domains. What is required?

A. Public hosted zone
B. Resolver inbound endpoint
C. Resolver outbound endpoint
D. NAT Gateway

Answer: B
Rationale: Resolver inbound endpoints allow on-prem systems to query Route 53 private hosted zones, enabling seamless hybrid DNS resolution without exposing records publicly.


96.

Which scenario requires Transit Gateway over VPC peering?

A. Two VPCs only
B. Hundreds of VPCs
C. Single region
D. Static routing

Answer: B
Rationale: Transit Gateway is designed for scalability. With hundreds of VPCs, peering becomes unmanageable due to exponential connections, while TGW simplifies architecture with centralized routing.


97.

Which AWS feature ensures stateful firewall inspection across flows?

A. NACL
B. Security Group
C. GWLB
D. Route 53

Answer: C
Rationale: GWLB ensures symmetric traffic flow and session stickiness, enabling stateful inspection by appliances. Stateless components like NACLs cannot maintain connection state.


98.

Which service supports traffic steering based on geographic location?

A. Route 53 geo routing
B. CloudFront
C. Global Accelerator
D. ALB

Answer: A
Rationale: Route 53 geolocation routing directs users based on geographic location, useful for compliance and localization requirements.


99.

Which AWS feature minimizes asymmetric routing issues?

A. NAT Gateway
B. GWLB
C. Route 53
D. CloudFront

Answer: B
Rationale: GWLB ensures traffic flows through the same appliance in both directions, preventing asymmetric routing issues that can break stateful inspection.


100.

A company wants to migrate from VPN to a dedicated connection with encryption. What should they use?

A. Direct Connect only
B. Direct Connect + VPN
C. Transit Gateway
D. NAT Gateway

Answer: B
Rationale: Direct Connect provides private connectivity but is not encrypted. Combining it with VPN ensures encryption while maintaining consistent performance.


101.

Which AWS service enables application-level filtering?

A. Shield
B. WAF
C. GuardDuty
D. Inspector

Answer: B
Rationale: WAF operates at Layer 7 and filters HTTP requests based on rules, protecting against attacks like SQL injection and XSS.


102.

Which AWS feature supports centralized routing control across accounts?

A. VPC Peering
B. Transit Gateway + RAM
C. NAT Gateway
D. IGW

Answer: B
Rationale: Transit Gateway combined with AWS RAM allows sharing across accounts, centralizing routing and simplifying multi-account network management.


103.

Which AWS service improves DNS resolution performance globally?

A. Route 53 latency routing
B. CloudFront
C. NAT Gateway
D. IGW

Answer: A
Rationale: Latency routing ensures DNS queries are answered with the lowest-latency endpoint, improving user experience globally.


104.

Which AWS feature enables packet capture for troubleshooting?

A. Flow Logs
B. Traffic Mirroring
C. CloudTrail
D. GuardDuty

Answer: B
Rationale: Traffic Mirroring captures full packets, enabling deep analysis. Flow Logs only provide metadata, which is insufficient for packet-level debugging.


105.

Which AWS service supports static IPs for load balancing?

A. ALB
B. NLB
C. CloudFront
D. Route 53

Answer: B
Rationale: NLB supports static IP addresses, making it suitable for applications requiring fixed endpoints or firewall whitelisting.


106.

Which AWS feature enables hybrid DNS forwarding?

A. Route 53 Resolver rules
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Resolver rules allow conditional forwarding between AWS and on-prem DNS systems, enabling hybrid DNS architectures.


107.

Which AWS service provides visibility into API calls?

A. CloudTrail
B. CloudWatch
C. GuardDuty
D. Inspector

Answer: A
Rationale: CloudTrail logs API activity across AWS services, enabling auditing and compliance tracking.


108.

Which AWS service is best for real-time network anomaly detection?

A. GuardDuty
B. Inspector
C. Macie
D. Shield

Answer: A
Rationale: GuardDuty uses machine learning and threat intelligence to detect anomalies like unusual traffic patterns and potential compromises.


109.

Which AWS feature supports multi-region disaster recovery?

A. Route 53 failover
B. NAT Gateway
C. IGW
D. NACL

Answer: A
Rationale: Route 53 failover routing ensures traffic shifts to healthy regions during outages, enabling disaster recovery.


110.

Which AWS service supports service-to-service connectivity without routing?

A. VPC Peering
B. PrivateLink
C. Transit Gateway
D. NAT Gateway

Answer: B
Rationale: PrivateLink provides connectivity at the service level via endpoints, avoiding routing complexity and improving security.


111.

Which AWS feature enables centralized traffic inspection?

A. Transit Gateway appliance mode
B. VPC Peering
C. NAT Gateway
D. IGW

Answer: A
Rationale: Appliance mode ensures traffic is routed through inspection appliances, maintaining flow symmetry and enabling centralized security.


112.

Which AWS service supports UDP at scale?

A. ALB
B. NLB
C. CloudFront
D. Route 53

Answer: B
Rationale: NLB supports UDP and high throughput, making it ideal for latency-sensitive workloads like gaming and streaming.


113.

Which AWS service enables centralized policy enforcement?

A. Firewall Manager
B. WAF
C. Shield
D. GuardDuty

Answer: A
Rationale: Firewall Manager centralizes security policies across accounts, ensuring consistent enforcement.


114.

Which AWS feature supports route segmentation?

A. Transit Gateway route tables
B. Security groups
C. NACLs
D. IGW

Answer: A
Rationale: TGW route tables allow segmentation between networks, controlling which VPCs can communicate.


115.

Which AWS service supports DNS split-view?

A. Route 53 private hosted zones
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Private hosted zones allow internal DNS resolution different from public DNS, enabling split-view architecture.


116.

Which AWS service supports traffic encryption automatically?

A. VPN
B. Direct Connect
C. NAT Gateway
D. IGW

Answer: A
Rationale: VPN encrypts traffic using IPsec, ensuring secure communication over public networks.


117.

Which AWS feature improves throughput using larger packet sizes?

A. ENA with jumbo frames
B. NAT Gateway
C. IGW
D. Route 53

Answer: A
Rationale: ENA supports jumbo frames, reducing overhead and improving performance for high-throughput applications.


118.

Which AWS service supports DNS-based weighted load balancing?

A. Route 53
B. ALB
C. NLB
D. CloudFront

Answer: A
Rationale: Route 53 weighted routing distributes traffic proportionally across endpoints, useful for canary deployments.


119.

Which AWS service provides centralized threat intelligence?

A. GuardDuty
B. Inspector
C. Macie
D. Shield

Answer: A
Rationale: GuardDuty aggregates threat intelligence feeds and analyzes logs to provide actionable security insights.


120.

Which AWS feature reduces dependency on internet routing?

A. Global Accelerator
B. NAT Gateway
C. IGW
D. Route 53

Answer: A
Rationale: Global Accelerator routes traffic over the AWS global backbone, reducing reliance on the public internet and improving performance and reliability.

121.

A company needs to provide on-prem users access to AWS services privately without traversing the internet. What should they use?

A. NAT Gateway
B. Internet Gateway
C. Direct Connect with VPC Endpoint
D. CloudFront

Answer: C
Rationale: Direct Connect provides private connectivity, and VPC Endpoints allow access to AWS services without internet exposure. This combination ensures secure, low-latency access entirely over the AWS backbone.


122.

Which AWS feature ensures route isolation between different business units using a shared Transit Gateway?

A. Security Groups
B. NACLs
C. Transit Gateway route tables
D. IGW

Answer: C
Rationale: Transit Gateway route tables allow segmentation of traffic between attached VPCs, enabling isolation between business units while still using shared infrastructure.


123.

A company experiences asymmetric routing issues in their inspection VPC. What should they implement?

A. NAT Gateway
B. GWLB
C. Route 53
D. CloudFront

Answer: B
Rationale: Gateway Load Balancer ensures symmetric routing by maintaining flow stickiness, ensuring traffic passes through the same appliance in both directions.


124.

Which AWS service allows sharing subnets across accounts?

A. VPC Peering
B. Transit Gateway
C. AWS RAM
D. Route 53

Answer: C
Rationale: AWS Resource Access Manager enables sharing of subnets and other resources across accounts, simplifying centralized network management.


125.

Which AWS service is best for exposing a TCP-based application globally with static IPs?

A. ALB
B. NLB + Global Accelerator
C. Route 53
D. CloudFront

Answer: B
Rationale: NLB supports TCP and static IPs, while Global Accelerator provides global anycast IPs and optimal routing, making this combination ideal for global TCP applications.


126.

Which AWS feature enables centralized DNS query forwarding to on-prem?

A. Route 53 outbound endpoint
B. Route 53 inbound endpoint
C. CloudFront
D. ELB

Answer: A
Rationale: Outbound endpoints forward DNS queries from AWS to on-prem DNS servers, enabling hybrid DNS resolution for internal domains.


127.

Which AWS service supports multi-account centralized network architecture?

A. VPC Peering
B. Transit Gateway
C. NAT Gateway
D. IGW

Answer: B
Rationale: Transit Gateway integrates with AWS Organizations and RAM, enabling centralized connectivity and management across multiple accounts.


128.

Which AWS feature allows inspection of encrypted HTTPS traffic?

A. NACL
B. GWLB with TLS termination appliance
C. Route 53
D. IGW

Answer: B
Rationale: GWLB allows insertion of appliances that can decrypt and inspect HTTPS traffic, providing visibility into encrypted data flows.


129.

Which AWS service reduces DNS failover time significantly?

A. Route 53 with low TTL
B. Global Accelerator
C. CloudFront
D. NAT Gateway

Answer: B
Rationale: Global Accelerator bypasses DNS propagation delays entirely by using static IPs and real-time health checks for rapid failover.


130.

Which AWS feature allows multiple routing domains within Transit Gateway?

A. Security groups
B. Route tables
C. NACLs
D. IGW

Answer: B
Rationale: Multiple route tables in Transit Gateway enable segmentation of traffic and creation of separate routing domains for different workloads.


131.

Which AWS service enables service discovery for microservices?

A. Route 53
B. Cloud Map
C. ELB
D. NAT Gateway

Answer: B
Rationale: AWS Cloud Map provides service discovery, allowing applications to locate services dynamically using DNS or API queries.


132.

Which AWS feature ensures high availability in VPN connections?

A. Single tunnel
B. Dual tunnels
C. NAT Gateway
D. IGW

Answer: B
Rationale: AWS VPN provides two tunnels for redundancy, ensuring continuous connectivity even if one tunnel fails.


133.

Which AWS service supports application-layer DDoS protection?

A. Shield
B. WAF
C. GuardDuty
D. Inspector

Answer: B
Rationale: AWS WAF protects applications from Layer 7 attacks such as SQL injection and cross-site scripting.


134.

Which AWS service allows routing traffic based on user location?

A. Route 53 geolocation routing
B. CloudFront
C. ALB
D. NLB

Answer: A
Rationale: Geolocation routing directs traffic based on user location, useful for compliance and localization strategies.


135.

Which AWS service supports traffic mirroring across accounts?

A. Traffic Mirroring
B. Flow Logs
C. GuardDuty
D. CloudTrail

Answer: A
Rationale: Traffic Mirroring allows capturing and forwarding packets to monitoring tools, including across accounts when configured properly.


136.

Which AWS feature enables private connectivity to AWS services without NAT?

A. VPC Endpoint
B. IGW
C. Transit Gateway
D. NAT Gateway

Answer: A
Rationale: VPC Endpoints allow direct private access to AWS services, eliminating the need for NAT or internet gateways.


137.

Which AWS service supports DNS health checks?

A. Route 53
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Route 53 health checks monitor endpoint health and integrate with routing policies for failover.


138.

Which AWS feature ensures high bandwidth networking?

A. ENA
B. NAT Gateway
C. IGW
D. Route 53

Answer: A
Rationale: Elastic Network Adapter supports high-throughput, low-latency networking with advanced features.


139.

Which AWS service supports multi-region active-active architecture?

A. Route 53 latency routing
B. NAT Gateway
C. IGW
D. NACL

Answer: A
Rationale: Latency routing enables active-active deployments by routing users to the nearest healthy region.


140.

Which AWS feature enables centralized logging across accounts?

A. CloudTrail organization trail
B. CloudWatch Logs
C. S3
D. All of the above

Answer: D
Rationale: All listed services can aggregate logs centrally, providing visibility and compliance across accounts.


141.

Which AWS service supports UDP load balancing globally?

A. ALB
B. NLB + Global Accelerator
C. CloudFront
D. Route 53

Answer: B
Rationale: NLB supports UDP, and Global Accelerator improves global performance and availability.


142.

Which AWS feature enables DNS forwarding rules?

A. Route 53 Resolver
B. CloudFront
C. ELB
D. NAT Gateway

Answer: A
Rationale: Resolver rules enable conditional DNS forwarding between AWS and on-prem environments.


143.

Which AWS service detects unusual DNS behavior?

A. GuardDuty
B. Inspector
C. Macie
D. Shield

Answer: A
Rationale: GuardDuty analyzes DNS logs to detect anomalies such as data exfiltration attempts.


144.

Which AWS service supports TLS termination at edge locations?

A. CloudFront
B. ALB
C. NLB
D. Route 53

Answer: A
Rationale: CloudFront terminates TLS at edge locations, improving performance and reducing load on origin servers.


145.

Which AWS feature enables segmentation of network traffic?

A. Transit Gateway route tables
B. Security groups
C. NACLs
D. IGW

Answer: A
Rationale: TGW route tables provide scalable segmentation across multiple networks.


146.

Which AWS service enables hybrid connectivity with predictable latency?

A. VPN
B. Direct Connect
C. NAT Gateway
D. IGW

Answer: B
Rationale: Direct Connect provides dedicated connectivity with consistent performance and lower latency.


147.

Which AWS service supports API-level logging?

A. CloudTrail
B. CloudWatch
C. GuardDuty
D. Inspector

Answer: A
Rationale: CloudTrail logs API calls across AWS services for auditing and compliance.


148.

Which AWS feature enables packet-level troubleshooting?

A. Traffic Mirroring
B. Flow Logs
C. GuardDuty
D. CloudTrail

Answer: A
Rationale: Traffic Mirroring provides full packet capture for detailed troubleshooting.


149.

Which AWS service supports DNS-based traffic splitting?

A. Route 53 weighted routing
B. ALB
C. NLB
D. CloudFront

Answer: A
Rationale: Weighted routing allows traffic distribution across endpoints for testing and deployments.


150.

Which AWS service improves resilience by routing traffic over the AWS backbone?

A. Global Accelerator
B. NAT Gateway
C. IGW
D. Route 53

Answer: A
Rationale: Global Accelerator routes traffic over the AWS global network, improving reliability and reducing latency compared to public internet routing.

Reviewed by: StudyLance Exam Prep Team
Content is regularly updated to reflect the latest exam patterns and standards.

Frequently Asked Questions

Does this ANS-C00: AWS Certified Advanced Networking – Specialty test reflect real exam difficulty?

Yes, this practice test is designed to reflect real exam patterns, structure, and difficulty level to help you prepare effectively.

How can I study effectively with this ANS-C00: AWS Certified Advanced Networking – Specialty practice test?

Take the test in a timed setting, review your answers carefully, and focus on improving weak areas after each attempt.

Can I retake this ANS-C00: AWS Certified Advanced Networking – Specialty practice test multiple times?

Yes, repeating the test helps reinforce concepts, improve accuracy, and build confidence for the actual exam.

Is this ANS-C00: AWS Certified Advanced Networking – Specialty test useful for first-time candidates?

This practice test is suitable for both beginners and retakers who want to improve their understanding and performance.