AWS · ANS-C01

Cost Blind Spot — AWS Advanced Networking (ANS-C01)

The architecturally correct answer was also the most expensive. The exam wanted the cost-optimized option that still meets requirements.

Redundant paths chosen, monthly bill ignored

Requirement: sub-50ms latency, 10 Gbps throughput, private connectivity to AWS. Competing choices: two 10 Gbps Dedicated Connections in an active/active LAG, or one 10 Gbps Dedicated Connection with a backup Site-to-Site VPN. Deciding constraint: the scenario states cost-optimized. Two dedicated connections at full capacity double the port-hour fees plus data-transfer costs; the VPN backup is the cost-aware answer, and ANS-C01 scenarios give enough signal to make that distinction.

12% of exam questions affected (24 of 200)

The Scenario

The question describes a video transcoding pipeline processing uploaded files — fault-tolerant, no user-facing latency requirements, files reprocessable on failure. You choose a Multi-AZ ECS cluster with On-Demand Fargate tasks and auto-scaling. The correct answer uses EC2 Spot Instances in an Auto Scaling group with a Spot Fleet diversified across instance types and AZs. Same throughput, 60-90% less cost. The workload is explicitly fault-tolerant (files can be reprocessed), which is the textbook Spot qualification. The exam said "most cost-effective" and you optimized for availability that the scenario never required.

How to Spot It

  • When the question says "cost-effective" or "minimize cost," check whether the workload is fault-tolerant. Batch processing, media transcoding, CI/CD builds, data analysis, and any workload with "reprocessable on failure" are Spot Instance candidates. Spot saves 60-90% over On-Demand.
  • Multi-AZ deployments, provisioned IOPS, and dedicated hosts all add cost. If the scenario does not mention an SLA, uptime requirement, or "highly available," these features are cost traps the exam uses to test whether you add unnecessary resilience.
  • S3 Intelligent-Tiering adds a monitoring fee of $0.0025 per 1,000 objects. For billions of small objects, that monitoring fee exceeds the storage savings. The exam tests whether you know when Intelligent-Tiering costs more than simply picking the right tier manually.

Decision Rules

Whether VPC Flow Logs plus Transit Gateway Flow Logs queried via CloudWatch Logs Insights satisfy a connection-metadata monitoring requirement, or whether VPC Traffic Mirroring is necessary — the decision turns on whether the stated requirement is for metadata-level visibility or payload-level inspection.

Amazon VPC · AWS Transit Gateway · Amazon CloudWatch

Whether connection-level metadata visibility (VPC Flow Logs and Transit Gateway Flow Logs surfaced through CloudWatch metric filters) is sufficient to diagnose intermittent hybrid connectivity drops, or whether payload-capture infrastructure (VPC Traffic Mirroring with a dedicated mirror target) is necessary — with the correct answer being that flow-level metadata fully satisfies the stated diagnostic requirement at materially lower cost and operational burden.

Amazon VPC · AWS Transit Gateway · Amazon CloudWatch
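The two decision rules above hinge on metadata-level visibility being enough to localize intermittent drops. The following is an added example, not part of this page, of what that looks like in practice: it parses default-format VPC Flow Log records (the 14-field layout), flags flows with repeated REJECTs, and counts NODATA/SKIPDATA windows where visibility was incomplete. The log lines and account/ENI identifiers are constructed; Transit Gateway Flow Logs use a different field layout and are not handled here.

```python
from collections import Counter

# Constructed sample records in the default VPC Flow Logs format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.168.5.20 49152 443 6 12 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.168.5.20 49153 443 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.168.5.20 49154 443 6 3 180 1700000120 1700000180 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 192.168.5.30 49155 22 6 8 1200 1700000120 1700000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000180 1700000240 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.168.5.20 49156 443 6 3 180 1700000240 1700000300 REJECT OK
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]


def parse_flow_log(text):
    """Parse default-format VPC Flow Log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # wrong field count: not a default-format record
        records.append(dict(zip(FIELDS, parts)))
    return records


def summarize_drops(records, reject_threshold=2):
    """Return (suspect_flows, gap_windows).

    suspect_flows maps (srcaddr, dstaddr, dstport) to its REJECT count for flows
    that reached the threshold; repeated REJECTs toward one destination port
    point at a security group / NACL / route problem rather than the payload.
    gap_windows counts NODATA (no traffic in the interval) and SKIPDATA
    (records dropped by the flow-log service) entries, i.e. intervals where
    metadata alone cannot prove the drop did or did not happen.
    """
    rejects = Counter()
    gap_windows = 0
    for r in records:
        if r["log_status"] != "OK":
            gap_windows += 1
            continue
        if r["action"] == "REJECT":
            rejects[(r["srcaddr"], r["dstaddr"], r["dstport"])] += 1
    suspects = {k: v for k, v in rejects.items() if v >= reject_threshold}
    return suspects, gap_windows
```

Running `summarize_drops(parse_flow_log(SAMPLE_LOG))` on the constructed input isolates the 10.0.1.10 to 192.168.5.20:443 flow as the repeat offender, with one NODATA window to account for, without any packet capture.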

Choose VPC peering over Transit Gateway when the VPC count is small enough that the N*(N-1)/2 peering connections and per-VPC route-table entries are operationally manageable and the TGW per-GB processing fee would breach the stated cost constraint.

AWS Transit Gateway · Amazon VPC

Whether to replace Transit Gateway with full-mesh VPC peering when VPC count is small enough that the combinatorial peering connection count (n*(n-1)/2) is operationally manageable and TGW's combined hourly-attachment plus per-GB data-processing charges demonstrably exceed the stated monthly budget.

AWS Transit Gateway · Amazon VPC

Whether to deploy VPC Traffic Mirroring scoped to cardholder-data-environment subnet ENIs with session-level traffic filters (payload inspection at controlled cost) versus enabling Traffic Mirroring broadly across all ENIs without filters (audit-complete but cost-blind) or substituting VPC Flow Logs (cost-efficient but payload-blind and audit-insufficient).

Amazon VPC · Amazon CloudWatch

Whether to overlay Site-to-Site VPN tunnels on the existing Direct Connect path for IPsec encryption (satisfies mandate but adds per-VPN-connection-hour and TGW-attachment charges at sustained scale) or enable MACsec on the Dedicated Direct Connect connection (satisfies the Layer 2 cryptographic mandate with no additive per-tunnel recurring cost).

AWS Direct Connect · AWS Site-to-Site VPN · AWS Transit Gateway

Domain Coverage

Network Design · Network Management and Operation · Network Security, Compliance, and Governance

Difficulty Breakdown

Medium: 8 · Expert: 12 · Hard: 4
