Amazon ANS-C00 - Amazon AWS Advanced Networking Specialty Certification Exam
Question #1 (Topic: demo questions)
Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company’s highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publicly routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF). The security team is calling this new connection a “backdoor”, and you have been asked to clarify the risk to the company. Which concern from the security team is valid and should be addressed?
Correct Answer: B
Explanation:
Question #2 (Topic: demo questions)
You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet and from an on-premises network. The on-premises network is connected to your VPC over an AWS Direct Connect link. How should you design routing to meet these requirements?
Correct Answer: D
Explanation:
A VPC route table can have only one active route for a given destination prefix. Since the application must be reachable from both the Internet and the on-premises network via AWS Direct Connect, the best practice is:
- Configure a default route (0.0.0.0/0) to the Internet Gateway (IGW) for Internet-bound traffic.
- Advertise specific on-premises network prefixes (for example, 10.0.0.0/8, 172.16.0.0/12, etc.) through BGP over Direct Connect to the Virtual Private Gateway (VGW).
- The VPC route table will then send Internet traffic to the IGW and on-premises traffic to the VGW based on the more specific route match.
Why the other options are wrong:
- A: Two default routes (0.0.0.0/0) in the same route table pointing to different targets would create ambiguity and is not a valid design.
- B: A subnet can be associated with only one route table at a time, so associating both route tables with every subnet is impossible.
- C: Advertising a default route from on-premises would cause all outbound traffic (including Internet traffic) to prefer the Direct Connect/VGW path, defeating the requirement to use the IGW for Internet access.
In summary: Use a route table with 0.0.0.0/0 → IGW and advertise specific on-premises routes via Direct Connect/VGW. AWS routing uses longest prefix match, so on-premises traffic follows the specific routes while all other traffic uses the Internet Gateway. Therefore, D is the correct answer.
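To make the longest-prefix-match behaviour described above concrete, here is an added Python example; it is not part of the original page and is not AWS code, just a small model of a VPC route table that enforces one route per destination prefix and resolves a destination address to the most specific matching route. The VPC CIDR 10.10.0.0/16, the target ids (igw-PLACEHOLDER, vgw-PLACEHOLDER) and the sample addresses are constructed for the illustration.

```python
import ipaddress


class RouteTable:
    """Toy model of a VPC route table (constructed illustration, not AWS code).

    Two properties of the real thing are modelled:
    - a destination prefix can have only one active route (so a second
      0.0.0.0/0 pointing at a different target is rejected), and
    - lookups use longest prefix match, so a specific on-premises prefix
      wins over the default route.
    """

    def __init__(self):
        self._routes = {}  # ipaddress network -> target id

    def add_route(self, destination, target):
        net = ipaddress.ip_network(destination)
        if net in self._routes:
            raise ValueError("route table already has an active route for %s" % net)
        self._routes[net] = target

    def lookup(self, ip):
        """Return (matched prefix, target) for ip, or None if nothing matches."""
        addr = ipaddress.ip_address(ip)
        candidates = [
            (net, target)
            for net, target in self._routes.items()
            if net.version == addr.version and addr in net
        ]
        if not candidates:
            return None
        # Longest prefix match: the candidate with the most prefix bits wins.
        net, target = max(candidates, key=lambda item: item[0].prefixlen)
        return str(net), target


def build_table():
    """Route table for the design in option D (all values constructed)."""
    rt = RouteTable()
    rt.add_route("10.10.0.0/16", "local")            # VPC CIDR (constructed)
    rt.add_route("0.0.0.0/0", "igw-PLACEHOLDER")     # default route to the IGW
    # On-premises prefixes learned via BGP over Direct Connect, pointing at the VGW
    for prefix in ("10.0.0.0/8", "172.16.0.0/12"):
        rt.add_route(prefix, "vgw-PLACEHOLDER")
    return rt


def second_default_route_rejected():
    """Option A's design: a second 0.0.0.0/0 to the VGW is not allowed."""
    rt = build_table()
    try:
        rt.add_route("0.0.0.0/0", "vgw-PLACEHOLDER")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = build_table()
    for dest in ("8.8.8.8", "10.200.1.5", "172.20.0.9", "10.10.3.4"):
        print(dest, "->", table.lookup(dest))
    print("second default route rejected:", second_default_route_rejected())
```

Running the block shows Internet destinations resolving to the IGW, both on-premises prefixes resolving to the VGW, and an address inside the VPC CIDR resolving to the local route even though it also falls inside the advertised 10.0.0.0/8, because the /16 local route is the longer match.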