100% Free Amazon ANS-C01 Practice Exam Questions Online 2026

Question 1

A company has three VPCs: X, Y, and Z. VPCs X and Z are both peered with VPC Y. The IP address ranges are as follows: VPC X: 10.1.0.0/16 VPC Y: 192.168.0.0/16 VPC Z: 10.1.0.0/16 Instance x-1 in VPC X has the IP address 10.1.0.10. Instance z-1 in VPC Z has the IP address 10.1.0.10. Instances y-1 and y-2 in VPC Y have the IP addresses 192.168.2.10 and 192.168.2.20 respectively. The instances y-1 and y-2 are in the subnet 192.168.2.0/24. The networking team at the company has mandated that y-1 must be able to communicate with x-1, and y-2 must be able to communicate with z-1. However, the team has noticed that both y-1 and y-2 are only able to communicate with x-1, instead of y-1 communicating with x-1 and y-2 communicating with z-1. Which of the following combination of steps will address this issue? (Select two)

A : Create two new subnets 192.168.2.0/28 and 192.168.2.16/28 in VPC Y. Move y-1 to subnet 192.168.2.0/28 and y-2 to subnet 192.168.2.16/28 by launching a new instance in the new subnet via an AMI created from the old instance

B : Create two route tables in VPC Y - one with a route for destination VPC X and another with a route for destination VPC Z

C : Create one route table in VPC Y - with distinct route entries for destination VPC X and VPC Z

D : Create two new subnets 192.168.2.0/29 and 192.168.2.16/29 in VPC Y. Move y-1 to subnet 192.168.2.0/29 and y-2 to subnet 192.168.2.16/29 by launching a new instance in the new subnet via an AMI created from the old instance

E : Create two new subnets 192.168.2.0/27 and 192.168.2.16/27 in VPC Y. Move y-1 to subnet 192.168.2.0/27 and y-2 to subnet 192.168.2.16/27 by launching a new instance in the new subnet via an AMI created from the old instance

Answer: A,B

Question 2

A company has configured an AWS Cloud WAN core network with edge locations in the us-east-1 Region and the us-west-1 Region. Each edge location has two segments: development and staging. The segments use the default core network policy. The company has attached VPCs to the core network. A development VPC is attached to the development segment in us-east-1 and is configured to use the 10.0.0.0 CIDR block. A staging VPC is attached to the staging segment in us-west-1 and is configured to use the 10.5.0.0 CIDR block. The company has updated the route tables for both VPCs with a route that directs any traffic for 0.0.0.0/0 to the core network. The companys network team needs to establish communication between the two VPCs by using the AWS Cloud WAN core network. The network team is not receiving a response during tests of communication between the VPCs. The network team has verified that security groups and network ACLs are not blocking the traffic. What should the network team do to establish this communication?

A : Update both VPC route tables to have a new static route. Configure a route on the development VPC to direct the traffic for 10.0.0.0 to the development VPC attachment. Configure a route on the staging VPC to direct the traffic for 10.5.0.0 to the staging VPC attachment.

B : Update the segment filter to allow traffic on the development and staging segments.

C : Set the isolate-attachments parameter to False for the development and staging segments.

D : Update the core network policy to add a static route for each segment. Configure a route to direct the traffic for 10.0.0.0 to the development VPC attachment. Configure a route to direct the traffic for 10.5.0.0 to the staging VPC attachment.

Answer: D

Question 3

A company is planning to host external websites on AWS. The websites will include multiple tiers such as web servers, application logic services, and databases. The company wants to use AWS Network Firewall. AWS WAR and VPC security groups for network security. The company must ensure that the Network Firewall firewalls are deployed appropriately within relevant VPCs. The company needs the ability to centrally manage policies that are deployed to Network Firewall and AWS WAF rules. The company also needs to allow application teams to manage their own security groups while ensuring that the security groups do not allow overly permissive access. What is the MOST operationally efficient solution that meets these requirements?

A : Define Network Firewall firewalls. AWS WAFv2 web ACLs. Network Firewall policies, and VPC security groups in code Use AWS CloudFormation to deploy the objects and Initial policies and rule groups. Use CloudFormation to update the AWS WAFv2 web ACLs. Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.

B : Define Network Firewall firewalls. AWS WAFv2 web ACLs. Network Firewall policies, and VPC security groups in code. Use the AWS Management Console or the AWS CLI to manage the AWS WAFv2 web ACLs. Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to invoke an AWS Lambda function to evaluate the configured rules and remove any overly permissive rules.

C : Deploy AWS WAFv2 IP sets and AWS WAFv2 web ACLs with AWS CloudFormation. Use AWS Firewall Manager to deploy Network Firewall firewalls and VPC security groups where required and to manage the AWS WAFv2 web ACLs, Network Firewall policies, and VPC security groups.

D : Define Network Firewall firewalls. AWS WAFv2 web ACLs. Network Firewall policies, and VPC security groups in code. Use AWS CloudFormation to deploy the objects and initial policies and rule groups. Use AWS Firewall Manager to manage the AWS WAFv2 web ACLs. Network Firewall policies, and VPC security groups. Use Amazon GuardDuty to monitor for overly permissive rules.

Answer: D

Question 4

An ecommerce company is migrating its legacy web application to the AWS Cloud. Since the application is complex and may take several months to refactor, the CTO at the company tasked the development team to build an ad-hoc solution of using CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed. The ad-hoc solution has worked for several weeks, however, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header "X-Cache: Error from CloudFront". Network monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests. Which of the following will you attribute as the likely cause of the error and what is the solution to address this issue?

A : he SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server that is signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server

B : The SSL certificate on the legacy web application server has expired. Install a new self-signed certificate along with the full certificate chain onto the legacy web application server

C : The SSL certificate on the legacy web application server has expired. Reissue the SSL certificate on the web server via the AWS Certificate Manager (ACM) in the us-east-1 Region

D : The SSL certificate on the CloudFront distribution has expired. Reissue the SSL certificate on the CloudFront distribution via the AWS Certificate Manager (ACM) in the us-east-1 Region

Answer: A

Question 5

A company is deploying AWS Cloud WAN with edge locations in the us-east-1 Region and the ap-southeast2 Region. Individual AWS Cloud WAN segments are configured for the development environment, the production environment, and the shared services environment at each edge location. Many new VPCs will be deployed for the environments and will be configured as attachments to the AWS Cloud WAN core network. The company's network team wants to ensure that VPC attachments are configured for the correct segment. The network team will tag the VPC attachments by using the Environment key with a value of the corresponding environment segment name. The segment for the production environment in us-east-1 must require acceptance for attachment requests. AH other attachment requests must not require acceptance. Which solution will meet these requirements?

A : Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or" value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.

B : Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.

C : Create a rule with a number of 100 that does not require acceptance to map any tag:Environment values to their respective segments. Create a rule with a number of 200 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1.

D : Create a rule with a number of 100 that does not require acceptance to map any tag:Environment values to their respective segments Create a rule with a number of 200 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1.

Answer: B

Free Amazon ANS-C01 Practice Exam Questions and Answers 2026