Q 1. A company is planning to create a service that requires encryption in transit. The traffic
must not be decrypted between the client and the backend of the service. The company will
implement the service by using the gRPC protocol over TCP port 443. The service will scale up to
thousands of simultaneous connections. The backend of the service will be hosted on an
Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler
and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for
two-way authentication between the client and the backend.
Which solution will meet these requirements?
A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a
Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of
the backend service Pods.
B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an
Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP
addresses of the backend service Pods.
C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target.
Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the
target group.
D. Create a target group. Add the EKS managed node group’s Auto Scaling group as a target.
Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target
group.
Answer: A. Install the AWS Load Balancer Controller for Kubernetes. Using that
controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic
to the IP addresses of the backend service Pods.
Q 2. A company is deploying a new application in the AWS Cloud. The company wants a highly
available web server that will sit behind an Elastic Load Balancer. The load balancer will route
requests to multiple target groups based on the URL in the request. All traffic must use HTTPS.
TLS processing must be offloaded to the load balancer. The web server must know the user’s IP
address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?
A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to
forward the traffic to the correct target group. Include the X-Forwarded-For request header with
traffic to the targets.
B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based
routing rules to forward the traffic to the correct target group for each domain. Include the
X-Forwarded-For request header with traffic to the targets.
AWS Certified Advanced Networking - Specialty ANS-C01 Actual Exam Q & A
C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward
the traffic to the correct target group. Configure client IP address preservation for traffic to the
targets.
D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing
rules to forward the traffic to the correct target group for each domain. Configure client IP
address preservation for traffic to the targets.
Answer: A. Deploy an Application Load
Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the
correct target group. Include the X-Forwarded-For request header with traffic to the targets.
Q 3. A company has developed an application on AWS that will track inventory levels of vending
machines and initiate the restocking process automatically. The company plans to integrate this
application with vending machines and deploy the vending machines in several markets around
the world. The application resides in a VPC in the us-east-1 Region. The application consists of
an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer
(ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP
addresses of the accelerator in the vending machines for application endpoint access. The
application must be accessible only through the accelerator and not through a direct connection
over the internet to the ALB endpoint.
Which solution will meet these requirements?
A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding
routes in the subnet route tables to point to the internet gateway. Configure the accelerator
with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only
allow inbound traffic from the internet on the ALB listener port.
B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint
groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound
traffic from the internet on the ALB listener port.
C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the
subnet route tables to point to the internet gateway. Configure the accelerator with endpoint
groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound
traffic from the accelerator's IP addresses on the ALB listener port.
D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in
the subnet route tables to point to the internet gateway. Configure the accelerator with
endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow
inbound traffic from the accelerator's IP addresses on the ALB listener port.
Answer: A.