nerdexam

ANS-C01 Question #214: Real Exam Question with Answer & Explanation

The correct answer given here is A: monitor the state of the VPN tunnels by using Amazon CloudWatch and create a CloudWatch alarm. The question asks for two steps, but the page records only this one. The task is to notify schools when a Site-to-Site VPN connection is lost, given that the VPN uses BGP and the schools' firewalls block ICMP.

Submitted by salim_om · Mar 6, 2026 · Network Management and Operation

Question

An education agency is preparing for its annual competition between schools. In the competition, students at schools from around the country solve math problems, complete puzzles, and write essays. The IP addressing plan of all the schools is well-known and is administered centrally. The competition is hosted in the AWS Cloud and is not publicly available. All competition traffic must be encrypted in transit. Only authorized endpoints can access the competition. All the schools have firewall policies that block ICMP traffic. A network engineer builds a solution in which all the schools access the competition through AWS Site-to-Site VPN connections. The network engineer uses BGP as the routing protocol. The network engineer must implement a solution that notifies schools when they lose connectivity and need to take action on their premises to address the issue. Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)

Options

  • A. Monitor the state of the VPN tunnels by using Amazon CloudWatch. Create a CloudWatch alarm
  • B. Create a scheduled AWS Lambda function that pings each school's on-premises customer
  • C. Create a scheduled AWS Lambda function that uses the VPC Reachability Analyzer API to verify
  • D. Create an Amazon CloudWatch dashboard for each school to show all CloudWatch metrics for
  • E. Create a scheduled AWS Lambda function to monitor the existence of each school's routes in the

Explanation

The task is to notify each school when its Site-to-Site VPN connection is lost. Two constraints shape the answer. The schools block ICMP, so any ping-based probe sent from AWS toward a school fails even when the connection is healthy. The VPN uses BGP, so the state of a tunnel reflects whether its BGP session is established. AWS Site-to-Site VPN publishes the TunnelState metric to Amazon CloudWatch automatically, so a CloudWatch alarm on that metric, with an Amazon SNS topic as its action, notifies the school of an outage without sending any probe traffic into the school's network and without paying for scheduled Lambda invocations or per-analysis Reachability Analyzer charges.

Common mistakes.

  • B. A scheduled Lambda function that pings each customer gateway is ineffective: the schools' firewalls block ICMP, so the pings fail even when the connection is healthy, and every school would be alerted on every run.
  • D. A CloudWatch dashboard displays metrics but does not actively notify anyone of a connection loss; someone at the school would have to watch it.
  • E. Monitoring BGP routes is relevant, but a scheduled Lambda function that checks for each school's routes in the VPC route table (propagated from the VPN via BGP) is a less direct signal of tunnel state than the CloudWatch VPN metrics, costs more than an alarm, and as described here does not itself notify the school.
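The alarm that option A describes, as an added example that is not part of the exam page or of any AWS documentation. It builds the CloudWatch put_metric_alarm parameters for one Site-to-Site VPN connection per school and models, in simplified form, how CloudWatch evaluates that alarm. The metric facts (namespace AWS/VPN, metric TunnelState, dimension VpnId, and the value 1 meaning the BGP session is ESTABLISHED for a BGP-based VPN) come from the AWS monitoring documentation linked below; the school names, VPN IDs and SNS topic ARN are made-up placeholders.

```python
"""
Added example (not from the exam page or AWS): build the CloudWatch alarm that
option A describes and model how it evaluates VPN tunnel state.

Facts from the AWS Site-to-Site VPN monitoring docs:
  - namespace AWS/VPN, metric TunnelState, dimension VpnId (per connection)
  - for BGP-based VPNs TunnelState is 1 when the BGP session is ESTABLISHED
    and 0 in every other state
The VPN IDs, school names and SNS topic ARN below are made-up placeholders.
"""
from typing import Optional

# Constructed inventory: one Site-to-Site VPN connection per school (placeholders).
SCHOOL_VPNS = {
    "school-north": "vpn-0123456789abcdef0",
    "school-south": "vpn-0fedcba9876543210",
}
ALERT_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:vpn-down-alerts"  # placeholder


def tunnel_alarm_spec(school: str, vpn_id: str, topic_arn: str,
                      period: int = 300, evaluation_periods: int = 3) -> dict:
    """Return keyword arguments for boto3 cloudwatch.put_metric_alarm().

    Using only the VpnId dimension aggregates both tunnels of the connection;
    the Maximum statistic stays at 1 while at least one tunnel is ESTABLISHED,
    so this alarm fires only when the school has lost both tunnels.  Missing
    data is treated as breaching so a deleted or silent connection also alerts.
    """
    return {
        "AlarmName": f"{school}-vpn-tunnels-down",
        "AlarmDescription": f"Both Site-to-Site VPN tunnels down for {school} ({vpn_id})",
        "Namespace": "AWS/VPN",
        "MetricName": "TunnelState",
        "Dimensions": [{"Name": "VpnId", "Value": vpn_id}],
        "Statistic": "Maximum",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": evaluation_periods,
        "Threshold": 1,
        "ComparisonOperator": "LessThanThreshold",
        "TreatMissingData": "breaching",
        "AlarmActions": [topic_arn],
        "OKActions": [topic_arn],  # also tell the school when the tunnels recover
        "ActionsEnabled": True,
    }


def evaluate_alarm(spec: dict, recent_datapoints: list[Optional[float]]) -> str:
    """Simplified model of CloudWatch alarm evaluation for a spec built above.

    recent_datapoints holds the per-period Maximum of TunnelState, oldest
    first; None marks a period with no data.  The result is ALARM when at
    least DatapointsToAlarm of the last EvaluationPeriods datapoints breach
    the threshold, otherwise OK.  Real CloudWatch also has INSUFFICIENT_DATA
    and special handling for partial data; those are omitted here.
    """
    if spec["ComparisonOperator"] != "LessThanThreshold":
        raise ValueError("this model only handles LessThanThreshold alarms")
    window = recent_datapoints[-spec["EvaluationPeriods"]:]
    missing_breaches = spec["TreatMissingData"] == "breaching"
    breaching = [missing_breaches if v is None else v < spec["Threshold"]
                 for v in window]
    return "ALARM" if sum(breaching) >= spec["DatapointsToAlarm"] else "OK"


def build_all_alarms(schools: dict, topic_arn: str) -> list[dict]:
    """One alarm spec per school connection, ready for put_metric_alarm."""
    return [tunnel_alarm_spec(s, v, topic_arn) for s, v in sorted(schools.items())]


if __name__ == "__main__":
    # Creating the alarms needs AWS credentials and boto3; the functions above
    # run without either, which is what the usage below exercises.
    for spec in build_all_alarms(SCHOOL_VPNS, ALERT_TOPIC_ARN):
        print(spec["AlarmName"], evaluate_alarm(spec, [1, 1, 0, 0, 0]))
    # To create them for real:
    #   import boto3
    #   cw = boto3.client("cloudwatch")
    #   for spec in build_all_alarms(SCHOOL_VPNS, ALERT_TOPIC_ARN):
    #       cw.put_metric_alarm(**spec)
```

Three evaluation periods of five minutes keep a single BGP flap from paging a school, while a connection whose metrics stop arriving still alerts because missing data breaches. Because the Maximum statistic over the VpnId dimension ignores a single failed tunnel, a school that should also act on loss of redundancy would additionally want a per-tunnel alarm on the TunnelIpAddress dimension.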

Concept tested. VPN tunnel monitoring and reachability verification

Reference. https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch.html
