AWS Certified Advanced Networking Specialty Exam Questions 2026

AWS Certified Advanced Networking Specialty Questions 2026 contains 370+ exam questions to pass the exam in the first attempt. SkillCertPro offers real exam questions for practice for all major IT certifications.

For a full set of 375 questions, go to https://skillcertpro.com/product/aws-certified-advanced-networking-specialty-practice-exam-questions/

SkillCertPro offers detailed explanations for each question, which helps to understand the concepts better. It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. SkillCertPro updates exam questions every 2 weeks. You will get lifetime access and lifetime free updates. SkillCertPro assures a 100% pass guarantee in the first attempt.

Below are the free 10 sample questions.

Question 1: Which of the following is incorrect with regards to Security Groups?
A. By default, security groups allow all outbound traffic.
B. Security groups are stateless
C. You can't create rules that deny access
D. Rules are applied immediately to instances

Answer: B

Explanation: The AWS documentation lists the following characteristics of security group rules:
1) By default, security groups allow all outbound traffic.
2) Security group rules are always permissive; you can't create rules that deny access.
3) Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
4) You can add and remove rules at any time. Your changes are automatically applied to the instances associated with the security group after a short period.

For more information on Security Groups, please refer to the URL below: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Question 2: Which of the following services can be used to help protect against DDoS attacks on your AWS infrastructure?
A. AWS Config
B. AWS WAF
C. AWS Shield
D. AWS Shield Advanced

Answer: B, C and D

Explanation: AWS Services for DDoS Protection
AWS provides a layered security approach to help protect resources against Distributed Denial of Service (DDoS) attacks, primarily utilizing AWS WAF and AWS Shield.

AWS WAF (Web Application Firewall)
• Function: You can use AWS WAF Web Access Control Lists (Web ACLs) to create rules that filter and control traffic access to your web applications.
• DDoS Role: WAF rules help minimize the effects of a DDoS attack by blocking common attack patterns and excessive requests before they reach your backend resources.

AWS Shield Standard
• Inclusion: AWS Shield Standard is automatically included with all AWS services at no extra cost.
• Protection Level: It provides always-on detection and inline mitigation of the most common, frequently occurring network and transport layer (Layer 3 and 4) DDoS attacks.

AWS Shield Advanced
• Enhanced Protection: For a higher level of defense, AWS offers AWS Shield Advanced.
• Benefits: It provides expanded DDoS attack protection for specific, application-facing resources, including:
  ○ Amazon EC2 instances
  ○ Elastic Load Balancing load balancers
  ○ Amazon CloudFront distributions
  ○ Amazon Route 53 hosted zones
• Value: Shield Advanced provides specialized tools and 24/7 access to the AWS DDoS Response Team (DRT).

Question 3: You have used the VPC Wizard to create a VPC with the private and public subnet option along with the NAT instance. You have been told that the VPC is no longer required. You are trying to delete the VPC but are not able to do so. Why is this the case?
A. It's because the VPC needs to be dissociated from the subnets first
B. The NAT instance needs to be deleted first
C. The Internet gateway needs to be detached first
D. The route tables need to be deleted first

Answer: B

Explanation: Deleting a VPC and Subnets
When attempting to delete an Amazon Virtual Private Cloud (VPC), you must ensure that all associated resources are terminated first.

Deletion Dependency
• Subnets: A VPC cannot be deleted until all its associated subnets are empty.
• Instances: Subnets cannot be deleted if there are any active resources, including EC2 instances, NAT Gateways, or NAT instances, present within them.
• Action Required: If a NAT instance (which is an EC2 instance configured to provide NAT services) is running within the VPC, it must be deleted first to empty the associated subnet. Once the subnet is empty, it can be deleted, allowing the VPC deletion to proceed.

Further Reading
For comprehensive information on managing and working with VPCs in AWS, refer to the official documentation: https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html

Question 4: What is the minimum and maximum allowed block size for a VPC? Choose 2 answers from the options given below.
A. Minimum - /16
B. Minimum - /8
C. Maximum - /24
D. Maximum - /28

Answer: A and D

Explanation: AWS VPC IPv4 CIDR Block Requirements
When you create a Virtual Private Cloud (VPC) in AWS, you are required to define its IP address range using an IPv4 CIDR block. This CIDR block dictates the size and range of private IP addresses available within your VPC.

Allowed CIDR Block Size
The AWS documentation specifies the following constraints for the VPC's primary IPv4 CIDR block:
• Maximum Size: The largest allowed CIDR block size is /16 (netmask).
  ○ This provides the maximum number of usable IP addresses: 65,536 addresses.
• Minimum Size: The smallest allowed CIDR block size is /28 (netmask).
  ○ This provides the minimum number of usable IP addresses: 16 addresses.

Further Reading
For more details on VPCs, subnets, and address assignment rules, refer to the official AWS documentation: https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html

Question 5: When configuring AWS CloudHub, which of the below implementation steps would you carry out? Choose 2 answers from the options given below.
A. Create multiple customer gateways each with a public IP address
B. Create multiple customer gateways each with the same public IP address
C. Create a VPN connection between each customer gateway and an individual virtual private gateway
D. Create a VPN connection between each customer gateway and a common virtual private gateway

Answer: A and D

Explanation: Configuring AWS VPN CloudHub
AWS VPN CloudHub enables secure communication between multiple customer branch offices using a simple hub-and-spoke model, with the AWS Virtual Private Gateway (VGW) acting as the central hub.

Configuration Steps
The configuration involves using the AWS Management Console to set up the necessary components:
1. Create Multiple Customer Gateways:
  ○ For each remote customer site or branch office that needs to connect, you must create a corresponding Customer Gateway object in AWS.
  ○ For each Customer Gateway, you must specify:
    § The public IP address of the customer's on-premises gateway device.
    § The ASN (Autonomous System Number) of the customer's on-premises gateway device.
2. Create VPN Connections:
  ○ You then create a separate VPN connection from each of these newly created Customer Gateways to a single, common Virtual Private Gateway (VGW) associated with your VPC.
  ○ The VGW functions as the central hub, allowing each branch office to communicate with all other connected branch offices.

Further Reading
For more detailed information on AWS VPN CloudHub and its implementation, refer to the official AWS documentation: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPN_CloudHub.html

Question 6: You currently have 2 EC2 Instances that host a web application. One is a primary server and the other is a backup server. What would you configure in Route 53 to ensure that if the primary server goes down for any reason, the users will be directed to the backup server? Choose 2 answers from the options given below.
A. Configure the latency based routing policy
B. Configure health checks
C. Configure DNS failover
D. Configure server failover

Answer: B and C

Explanation: Amazon Route 53 DNS Failover
DNS Failover is a key feature in Amazon Route 53 that enhances the availability and fault tolerance of your applications by automatically redirecting traffic away from unhealthy resources.

How DNS Failover Works
• Health Checks: You configure Route 53 to perform health checks against your multiple resources (e.g., EC2 instances, load balancers, etc.) that perform the same function.
• Traffic Routing: If a resource is determined to be unhealthy based on the results of the health checks, Route 53 stops routing DNS queries to that endpoint.
• Redirection: Route 53 then automatically routes the traffic to a healthy resource within your configuration.

Example
• If you have two identical web servers serving your website, and one server becomes unreachable (unhealthy), Route 53's DNS Failover mechanism detects this.
• It will then update the DNS response to direct all incoming client traffic exclusively to the other, healthy web server, ensuring continuous service availability for your users.

Further Reading
For more details on setting up and managing DNS failover, please refer to the official AWS documentation: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html

Question 7: What are the general steps carried out when enabling Origin Access Identity in CloudFront? Choose 2 answers from the options given below.
A. Create a special Cloudfront group
B. Create a special Cloudfront user
C. Apply read only permission for the identity to the bucket via Bucket ACL
D. Apply read only permission for the identity to the bucket via Bucket policies

Answer: B and D

Explanation: Enabling Origin Access Identity (OAI) for CloudFront
To serve private content from an Amazon S3 bucket via Amazon CloudFront while restricting direct user access to the S3 bucket, you must use an Origin Access Identity (OAI). This creates a secure "virtual user" for CloudFront to use.

Configuration Steps
The general steps for enabling OAI in CloudFront are:
1. Create and Associate the OAI
  ○ You must first create an Origin Access Identity (OAI). This OAI is a special, dedicated CloudFront user that represents your distribution.
  ○ You then associate this OAI with your CloudFront distribution when configuring the S3 origin. This tells the distribution to use the OAI when requesting files from S3.
2. Update S3 Permissions
  ○ Next, you must change the permissions on your Amazon S3 bucket (or on the specific objects within the bucket).
  ○ The permissions must be modified to grant read permission only to the newly created Origin Access Identity (OAI).
  ○ This ensures that end users cannot access the S3 objects directly using the public S3 URL, and the content can only be accessed through the secure CloudFront URL.

Further Reading
For detailed information on configuring CloudFront for private content using OAI, refer to the official AWS documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

Question 8: If you need to set up HTTPS on CloudFront which uses S3 as the origin, which of the following Viewer Protocol Policies can be used? Choose 2 answers from the options given below.
A. Match Viewer
B. Redirect HTTP to HTTPS
C. HTTPS Only
D. HTTP Only

Answer: B and C

Explanation: Requiring HTTPS Between CloudFront and S3
To ensure that the communication between your Amazon CloudFront distribution and its Amazon S3 origin is always secure using HTTPS, you must configure the Viewer Protocol Policy setting.

Configuration Requirement
• Setting: The Viewer Protocol Policy for the relevant cache behavior in your CloudFront distribution controls the protocol viewers (end users) can use to access the content.
• HTTPS Enforcement: To require HTTPS for all communication, including the request that CloudFront forwards to S3, you must change the value of the Viewer Protocol Policy to one of the following options:
  ○ Redirect HTTP to HTTPS: This allows users to request content over HTTP, but CloudFront automatically returns an HTTP 301 response, redirecting the user to the HTTPS URL. The request CloudFront forwards to S3 will then be over HTTPS.
  ○ HTTPS Only: This immediately blocks any HTTP requests and requires that all viewer requests use HTTPS. The request CloudFront forwards to S3 will then be over HTTPS.

Further Reading
For more detailed information on using HTTPS with CloudFront and S3 origins, refer to the official AWS documentation: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-s3-origin.html

Question 9: You are planning on setting up CloudFront with a custom origin. For the moment, the performance of the requests is not a priority, but rather the costs associated with CloudFront. Which of the below costing options for CloudFront can be utilized to reduce the costs if this is the case?
A. Price class
B. Spot requests
C. Reserved pricing
D. On-demand pricing

Answer: A

Explanation: CloudFront Price Classes and Performance
AWS CloudFront uses a global network of edge locations to deliver content with low latency. You can control which regions CloudFront uses to serve your content by selecting a Price Class, which balances performance with cost.

Default Behavior (Best Performance)
• Performance-Based Delivery: By default, CloudFront is optimized for performance.
• Lowest Latency: Objects are served from the edge location that offers the lowest latency for the viewer making the request, utilizing all available CloudFront regions worldwide.

Controlling Cost with Price Classes
• Trade-off: If you are willing to accept potentially higher latency for viewers in some geographic regions in exchange for lower overall cost, you can restrict the set of edge locations used.
• Price Class Selection: You can choose a Price Class that does not include all CloudFront regions.
• Impact: Restricting the regions used via Price Class generally lowers the cost, as you are not incurring the transfer costs associated with the most expensive, highly specialized regions (often those providing the lowest latency to certain parts of the world).

Further Reading
For a detailed breakdown of the different price classes and their associated regions, refer to the official AWS documentation: https://aws.amazon.com/cloudfront/pricing/

Question 10: You have just peered 2 VPCs. You plan to host instances in these VPCs that need to communicate with each other. Which of the following would you do to ensure that optimal network communication can be in place between the instances?
A. Ensure the instances are chosen with the Instance type that supports Enhanced Networking
B. Set the MTU of the instances to 1500
C. Create two subnets in the same AZ and create a placement group
D. Create two subnets in different AZs and create a placement group

Answer: A and C

Explanation: AWS EC2 Cluster Placement Groups
A Cluster Placement Group is a strategy for launching a group of interdependent EC2 instances close together within the AWS infrastructure. This grouping is specifically designed to meet the demanding networking requirements of certain applications.

Key Characteristics
• Logical Grouping: A cluster placement group is a logical grouping of instances located within a single Availability Zone (AZ).
• Benefits: They are highly recommended for applications that require:
  ○ Low Network Latency: The close proximity of instances minimizes network transmission delay.
  ○ High Network Throughput: Instances can communicate with significantly higher network speeds.
  ○ Both low latency and high throughput.

Performance Optimization
• Enhanced Networking: To achieve the lowest latency and the highest packets-per-second (PPS) network performance within your placement group, you should choose an instance type that supports enhanced networking (e.g., using SR-IOV technology).

Further Reading
For detailed information on configuring and using placement groups, refer to the official AWS documentation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
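The /16 to /28 limits from Question 4 are easy to get wrong in infrastructure-as-code, where a rejected CIDR only surfaces at deploy time. The following pre-flight check is an added example written for this page (not SkillCertPro's or AWS's code); it validates a proposed VPC block against those limits, reports the address count, and checks that a subnet block (which AWS holds to the same size limits) lies inside its VPC. The CIDR values in the script are constructed samples.

```python
import ipaddress
from typing import Tuple

# AWS allows a VPC IPv4 CIDR block between /16 (largest) and /28 (smallest);
# subnet blocks are held to the same limits. These are the page's numbers.
LARGEST_PREFIX = 16    # /16 -> 65,536 addresses
SMALLEST_PREFIX = 28   # /28 -> 16 addresses


def validate_vpc_cidr(cidr: str) -> Tuple[bool, str, int]:
    """Return (is_valid, reason, address_count) for a proposed CIDR block."""
    try:
        # strict=True rejects host bits set in the address, e.g. 10.0.0.1/16
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid IPv4 network: {exc}", 0
    if net.prefixlen < LARGEST_PREFIX:
        return False, f"/{net.prefixlen} is larger than the /16 maximum", net.num_addresses
    if net.prefixlen > SMALLEST_PREFIX:
        return False, f"/{net.prefixlen} is smaller than the /28 minimum", net.num_addresses
    return True, "ok", net.num_addresses


def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """True when both blocks are within limits and the subnet lies inside the VPC."""
    vpc_ok, _, _ = validate_vpc_cidr(vpc_cidr)
    subnet_ok, _, _ = validate_vpc_cidr(subnet_cidr)
    if not (vpc_ok and subnet_ok):
        return False
    return ipaddress.IPv4Network(subnet_cidr).subnet_of(ipaddress.IPv4Network(vpc_cidr))


if __name__ == "__main__":
    # Constructed sample inputs: the two legal extremes, two out-of-range blocks,
    # and one malformed block with host bits set.
    for sample in ("10.0.0.0/16", "10.0.0.0/28", "10.0.0.0/8", "10.0.0.0/30", "10.0.0.1/16"):
        print(sample, validate_vpc_cidr(sample))
    print("10.0.1.0/24 in 10.0.0.0/16:", subnet_fits_vpc("10.0.0.0/16", "10.0.1.0/24"))
    print("10.1.0.0/24 in 10.0.0.0/16:", subnet_fits_vpc("10.0.0.0/16", "10.1.0.0/24"))
```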