Practice ANS-C01 Network Management and Operations questions with full explanations on every answer.
Start practicing
Network Management and Operations — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?
2A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?
3A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?
4A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a single subnet in the VPC, and the authorization rules allow access to the entire VPC CIDR (10.0.0.0/16). The security group assigned to the Client VPN endpoint allows all traffic. What is the most likely cause of this issue?
5A company has a Direct Connect connection with a private VIF to a VPC. The on-premises router is advertising a default route (0.0.0.0/0) via BGP. The VPC has an internet gateway attached, and the route table has a default route to the internet gateway. The network team notices that traffic from on-premises to the internet is not working as expected. What is the most likely cause?
6A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team wants to log and monitor all traffic flows across the Transit Gateway for security analysis. Which TWO actions should the team take? (Choose TWO.)
7A company has a Direct Connect connection with multiple virtual interfaces (VIFs). The network team notices that traffic to a specific VPC is intermittently failing. The team suspects an issue with BGP routing. Which THREE steps should the team take to troubleshoot the BGP session? (Choose THREE.)
8A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. Network engineers report intermittent connectivity issues between VPC A and the on-premises network. The transit gateway route table shows the on-premises CIDR (10.0.0.0/8) propagated from the VPN attachment. VPC A has a subnet route pointing to the transit gateway for 10.0.0.0/8. Which step should the engineer take FIRST to diagnose the issue?
9A global e-commerce company is migrating to AWS and plans to use a hub-and-spoke topology with AWS Transit Gateway. The network team wants to ensure high availability for the connection between the hub VPC and the on-premises data center using AWS Direct Connect with multiple virtual interfaces (VIFs). They need to be able to fail over quickly with minimal packet loss. Which design should meet these requirements?
10A company has deployed a web application in a VPC with public subnets for the web servers and private subnets for the database servers. The web servers need to access the internet for software updates. The network engineer configured a NAT Gateway in the public subnet and added a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway. However, the web servers cannot reach the internet. What is the most likely cause?
11A company uses AWS Client VPN to provide remote access to its VPC resources. Users report that they can connect to the VPN but cannot reach any resources in the VPC. The VPN endpoint is associated with a subnet in VPC A. The VPC's route table has a route for the Client VPN CIDR (10.200.0.0/16) pointing to the VPN endpoint. The security group assigned to the VPN endpoint allows inbound traffic from the VPN clients. What is the most likely cause of the issue?
12A company is using an AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect. The network team notices that traffic from an on-premises network (CIDR 172.16.0.0/12) to a VPC (CIDR 10.0.0.0/16) is being dropped. The transit gateway route table shows a static route for 10.0.0.0/16 pointing to the VPC attachment. The Direct Connect virtual interface (VIF) is associated with the transit gateway and the on-premises router is advertising 172.16.0.0/12 via BGP. What is the most likely cause of the traffic being dropped?
13A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team needs to monitor the Direct Connect connection for performance issues and receive alerts when latency exceeds a certain threshold. Which TWO actions should the team take to meet these requirements? (Choose TWO.)
14A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team observes that traffic between two VPCs (VPC A and VPC B) is not being forwarded correctly. The transit gateway route table is configured with static routes for the VPC CIDRs. Which THREE steps should the engineer take to troubleshoot this issue? (Choose THREE.)
15Refer to the exhibit. A network engineer is analyzing VPC Flow Logs to troubleshoot connectivity issues. The engineer notices that traffic from 10.0.1.5 to 192.168.1.1 on port 80 is logged as ACCEPT, but the application team reports that the web request failed. What is the most likely cause?
16A company is experiencing intermittent connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS regions. VPC A has CIDR 10.0.0.0/16 and VPC B has CIDR 10.1.0.0/16. The route tables in both VPCs have been updated to include routes pointing to the peering connection. Security groups and network ACLs are configured to allow all traffic for testing. However, traffic from VPC A to VPC B fails intermittently. Which of the following is the most likely cause of this intermittent failure?
17A network engineer is troubleshooting a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is up, but traffic is not flowing from the on-premises network to a VPC. The VPC has a virtual private gateway attached, and the route table has a route pointing to the virtual private gateway for the on-premises CIDR (192.168.0.0/16). The on-premises firewall shows that traffic is being sent to the VPN tunnel. What should the engineer check next?
18A company is using AWS Direct Connect with a private VIF to access their VPC. Users report intermittent connectivity issues. You check the Direct Connect console and see that the virtual interface state is 'down'. What is the MOST likely cause?
19A network engineer is troubleshooting high latency on an AWS Transit Gateway that connects multiple VPCs and an on-premises network via AWS Site-to-Site VPN. The engineer wants to identify potential causes. Which TWO actions should the engineer take? (Choose two.)
20Arrange the steps to configure a site-to-site VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA in the correct order.
21Arrange the steps to configure BGP on a Cisco router for a Direct Connect private virtual interface:
22Arrange the steps to configure an AWS Client VPN endpoint for remote access:
23Match each AWS service or feature to its primary function in network architecture.
24Match each VPN term to its correct description in the context of AWS Site-to-Site VPN.
25Match each BGP attribute to its role in route selection.
26A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking an unexpected path. Which AWS service should be used to analyze the packet-level traffic flow and identify the path?
27A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over a Direct Connect connection. The engineer has verified that the VPC route tables, Direct Connect virtual interface, and on-premises routing are correctly configured. Which tool should be used to verify the path MTU and identify fragmentation issues?
28A company has a multi-account AWS environment with hundreds of VPCs connected via a transit gateway. The network team needs to centrally monitor network traffic and detect anomalies such as unusual outbound data transfers. Which combination of services would provide the most scalable and cost-effective solution?
29A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team wants to monitor the latency and packet loss on the Direct Connect virtual interfaces. Which AWS service should be used to measure these metrics?
30A company has a hybrid network architecture with multiple VPCs connected via a transit gateway and on-premises via Direct Connect. The network team wants to automate the response to a BGP session failure on a Direct Connect virtual interface. Which AWS service can be used to monitor the BGP status and trigger an automated action?
31A company is using a centralized egress VPC model with a NAT gateway for outbound traffic from multiple VPCs. The network team notices that some EC2 instances are having connectivity timeouts when accessing the internet. The team has verified the route tables and security groups. Which additional check should be performed to troubleshoot the issue?
32A network engineer is configuring a new AWS Direct Connect connection and needs to establish BGP peering with the AWS side. The engineer has received the BGP configuration from the AWS Direct Connect endpoint. Which information is required to complete the BGP configuration on the on-premises router?
33A company is using AWS Site-to-Site VPN connections to connect multiple branch offices to a central VPC. The network team wants to ensure high availability and automatic failover if one VPN tunnel goes down. Which configuration should be implemented?
34A company is migrating its on-premises data center to AWS and wants to use AWS Direct Connect for private connectivity. The network team plans to advertise the company's public IP prefixes to AWS via BGP. Which AWS resource must be configured to allow advertisement of these prefixes?
35Which TWO options are valid ways to monitor network traffic in an AWS environment? (Choose 2.)
36Which THREE are best practices for designing a highly available AWS Direct Connect connection? (Choose 3.)
37Which TWO services can be used to centrally manage and monitor VPN connections across multiple AWS accounts? (Choose 2.)
38A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team notices that traffic from an on-premises data center to a VPC is intermittently dropping. CloudWatch metrics show no errors on the Direct Connect virtual interface. What is the most likely cause of the intermittent drops?
39A global company is designing a multi-region Active-Active application using Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) fronting Auto Scaling groups. The application requires sticky sessions based on the user's source IP. The network team notices that users are frequently switched to a different region mid-session, causing errors. What should the team do to resolve this issue?
40A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over AWS Site-to-Site VPN. The VPN tunnel status is UP, and BGP is established. The engineer can ping the on-premises server's private IP from the EC2 instance, but TCP connections to a specific port (e.g., 443) are timing out. What is the most likely cause?
41A company is using AWS CloudFormation to deploy a multi-tier application. The template includes an Amazon VPC with public and private subnets, NAT gateways, and route tables. After deployment, the EC2 instances in the private subnet cannot access the internet. The NAT gateway is in a public subnet with an Internet Gateway attached. What is the most likely cause?
42A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs. The company wants to use the same Direct Connect connection for both VPCs, but the on-premises router only has one physical port. The network engineer configures a single BGP session over a VLAN-tagged interface. After configuration, only one VPC is reachable. What is the most likely reason?
43A company is using AWS Global Accelerator to improve performance for a web application hosted in two AWS Regions. The application uses an Application Load Balancer (ALB) in each region. The company wants to ensure that traffic is directed to the closest healthy endpoint. Which routing configuration should be used?
44A network engineer is configuring AWS Client VPN for remote access. The engineer creates a Client VPN endpoint and associates it with a target network (subnet) in the VPC. After associating, clients can connect to the VPN but cannot access resources in the VPC. The security groups and network ACLs allow all traffic. What is the most likely issue?
45A company is deploying a hybrid network using AWS Direct Connect and a VPN backup. The Direct Connect connection is established, and BGP is running over the private VIF. The company wants to use the VPN as a backup only when Direct Connect fails. The network engineer configures BGP communities on the Direct Connect VIF to influence route preference. However, during a Direct Connect failure, failover to VPN takes several minutes. What can the engineer do to reduce failover time?
46A company uses VPC Flow Logs to monitor network traffic. The flow logs are published to Amazon S3. The security team wants to analyze the logs for suspicious traffic patterns using Amazon Athena. After creating the Athena table, queries return zero results. The logs are in the correct S3 bucket. What is the most likely cause?
47A company is designing a VPN connection between an on-premises network and AWS. The network engineer wants to ensure high availability and fast failover. Which TWO actions should the engineer take? (Select TWO.)
48A company is using AWS Transit Gateway to connect multiple VPCs and Direct Connect. The network team wants to monitor network performance and detect anomalies. Which THREE AWS services should the team use together to achieve this goal? (Select THREE.)
49A company has a Direct Connect connection with a private VIF to a VPC. The network engineer needs to ensure that traffic from the on-premises network to the VPC uses the Direct Connect path, while internet-bound traffic from the VPC uses an Internet Gateway. Which TWO configurations are required? (Select TWO.)
50A company is using AWS Global Accelerator to improve performance for a global application. The application uses an Application Load Balancer (ALB) in each region. The network team wants to ensure that traffic is distributed evenly across regions and that failover happens quickly. Which THREE steps should the team take? (Select THREE.)
51A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that traffic between two VPCs in different regions is being dropped intermittently. What is the most likely cause?
52A network engineer is troubleshooting high latency on an AWS Direct Connect connection. The engineer checks the CloudWatch metrics for the virtual interface and sees that 'ConnectionBpsEgress' and 'ConnectionBpsIngress' are both below 50% of the provisioned bandwidth. Which additional metric should be examined to identify potential bufferbloat?
53A company has a multi-account AWS environment using AWS Organizations. They want to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the management account. The management account S3 bucket policy allows the log delivery service to write logs. However, flow logs are failing to deliver from member accounts. What is the most likely reason?
54A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices intermittent packet loss and latency spikes during peak hours. Which action should the team take to diagnose the issue?
55A network engineer is designing a hybrid network with AWS Direct Connect and a VPN backup. The company has multiple VPCs connected to an AWS Transit Gateway. The on-premises network advertises the same prefixes over both Direct Connect (via private VIF) and VPN (via BGP). The engineer wants to ensure that traffic from the VPCs to on-premises prefers the Direct Connect path. What should the engineer do?
56A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region but different accounts. The engineer verifies that the route tables and security group rules are correctly configured. However, instances in VPC A cannot ping instances in VPC B. What is the most likely cause?
57A company uses AWS Client VPN to provide remote access to its corporate network. Users report that they can connect to the VPN but cannot reach resources in the VPC. The VPN is configured with mutual authentication and authorization rules. What should the network engineer verify first?
58A company wants to monitor network traffic between its EC2 instances and determine which IP addresses are generating the most traffic. Which AWS service should be used to capture and analyze this traffic?
59A company has a Direct Connect connection with a private VIF and a public VIF. The private VIF is used to access VPC resources, and the public VIF is used to access AWS public services. Recently, the company enabled AWS Global Accelerator for its application. The network team notices that traffic to the application via Global Accelerator is not using the Direct Connect connection but is going over the internet. What should the team do to ensure traffic uses the Direct Connect public VIF?
60A company has an AWS Direct Connect connection with a private VIF to a VPC. They notice that traffic from the on-premises network to the VPC is being routed through the internet instead of the Direct Connect. The VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely cause?
61A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has a NAT Gateway in the public subnet. The network team notices that instances in the private subnets cannot reach the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT Gateway. What could be the issue?
62A company uses AWS Global Accelerator to improve performance for a global application. The application is deployed in two AWS regions behind Network Load Balancers. Users in Asia report high latency even though the accelerator should route them to the nearest endpoint. What is the most likely reason?
63A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure that if the primary VPN tunnel goes down, traffic automatically fails over to the secondary tunnel. Which configuration is required?
64A network engineer is monitoring network traffic using VPC Flow Logs. The engineer wants to capture traffic that is rejected by security groups and network ACLs. Which flow log format should be used?
65A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path, going through the on-premises network instead of staying within AWS. What is the most likely cause?
66A company is migrating its on-premises data center to AWS. The network team needs to establish a site-to-site VPN connection with dynamic routing using BGP. The on-premises router supports BGP but does not support BGP communities. The VPN connection is established, but the VPC does not learn the on-premises routes. What is the most likely cause?
67A company has a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic only from the ALB security group. However, the health checks are failing. What is the most likely cause?
68A network engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a public subnet and an on-premises server over AWS Direct Connect. The instance can reach the internet but cannot reach the on-premises server. Which TWO actions should the engineer take to diagnose the issue?
69A company is deploying a web application on EC2 instances behind an ALB. The application must be accessible only over HTTPS. Which security group rule should be added to the ALB security group?
70A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure high availability by using two tunnels. Which two components must be configured to achieve this? (Choose TWO.)
71A company is using AWS Transit Gateway with multiple VPCs and Direct Connect Gateway. They want to ensure that traffic between VPCs and on-premises is encrypted. Which TWO solutions can achieve this?
72A company is using AWS Direct Connect with a private VIF to connect to multiple VPCs in the same region. The company wants to use AWS Transit Gateway to simplify management. Which three components are required to achieve this? (Choose THREE.)
73A network engineer is configuring a site-to-site VPN connection between an on-premises network and AWS. The VPN tunnel is established, but traffic is not flowing. Which THREE components should the engineer check?
74A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer wants to use monitoring tools to identify the source of the latency. Which two AWS services can provide metrics and logs to help diagnose the issue? (Choose TWO.)
75A network engineer is troubleshooting an issue where an EC2 instance launched in VPC vpc-0abcd1234efgh5678 cannot resolve DNS names for other instances using their private DNS names. The VPC has DHCP options set with domain-name-servers=AmazonProvidedDNS. What is the most likely cause?
76A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic is intermittently dropping and the BGP session between the on-premises router and the AWS Direct Connect virtual interface goes down. Which configuration should be checked first to resolve this issue?
77A network engineer is configuring VPC Flow Logs to deliver to an S3 bucket in a different account. The bucket policy is shown. The flow logs are not being delivered. What is the most likely reason?
78A network engineer is designing a multi-region architecture using AWS Transit Gateway and wants to minimize inter-region latency for data transfer between VPCs. The application requires high throughput and low latency. Which design should be used?
79A network engineer is troubleshooting SSH connectivity to an EC2 instance in subnet subnet-0abcd1234efgh5678, which is associated with the network ACL shown. The security group allows inbound SSH. Why can't the engineer SSH to the instance?
80A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance has a route to a NAT Gateway in the public subnet. However, the instance cannot reach the internet. Which step should the network engineer take to troubleshoot?
81A network engineer needs to capture TCP traffic between an EC2 instance (eni-abc123) and an RDS instance (eni-def456) in the same VPC for troubleshooting. Which AWS service should be used to capture the traffic and store it in S3?
82A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its data center to a VPC. The network team needs to ensure high availability and failover in case the primary connection fails. Which solution provides the most cost-effective high availability?
83A company has deployed a transit gateway with multiple VPC attachments and VPN attachments. The network team notices that traffic between two VPCs is taking an unexpected path and experiencing high latency. Which tool should be used to trace the path and identify the specific transit gateway route table that is being used?
84A network engineer is troubleshooting connectivity issues between two VPCs that are connected via VPC peering. The VPCs are in the same region and have overlapping CIDR blocks. The engineer can ping the private IP of an instance in the peered VPC from an instance in the first VPC. However, traffic on TCP port 443 (HTTPS) fails. Which is the most likely cause?
85A company has a VPC with multiple subnets. They want to centrally manage and inspect all traffic between subnets using a security appliance. Which AWS service should be used to achieve this?
86A company is using AWS Direct Connect with a private VIF to connect to a VPC. The on-premises network team reports that they can ping the VPC's private IP addresses but cannot establish TCP connections to an EC2 instance's private IP. The security groups and NACLs are configured to allow the traffic. What is the most likely cause of this issue?
87A company has multiple AWS accounts and wants to centralize VPC flow logs for analysis. The flow logs are published to Amazon S3 in each account. A central account needs to access these logs. Which solution meets the requirements with the least operational overhead?
88A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel status shows 'UP' but traffic is not passing. The engineer checks the route tables and finds that the VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely missing configuration?
89A network engineer is configuring an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer creates a customer gateway, VPN connection, and virtual private gateway. The VPN tunnel status shows 'down'. Which configuration step is most likely missing?
90A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance is associated with an Elastic IP address. The route table for the private subnet has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in the public subnet and has an Elastic IP. Despite this, the instance cannot reach the internet. The security groups and NACLs are properly configured. What is the likely cause?
91A company has a VPC with resources that need to access an S3 bucket in the same region. To minimize latency and avoid internet traffic, which configuration should be used?
92A network engineer needs to monitor the number of packets dropped by a VPC flow log for a specific network interface. Which Amazon CloudWatch metric should be used?
93A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and a VPC over a Direct Connect connection. The engineer reviews the CloudWatch metrics for the virtual interface and sees an increase in 'ConnectionReset' and 'PacketDropRate'. Which TWO actions should the engineer take to resolve the issue? (Choose TWO.)
94A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They want to ensure that traffic from on-premises to a specific VPC uses a specific VIF for security compliance. The VPC is associated with a virtual private gateway. Which configuration ensures this?
95A company has a global application deployed across multiple AWS regions. The application uses Application Load Balancers (ALBs) and Auto Scaling groups. The network team wants to route traffic to the nearest region based on latency, and also wants to failover to another region if the primary region becomes unhealthy. Which THREE services should be used together to achieve this? (Choose THREE.)
96A company wants to monitor network traffic in its VPC for security analysis and troubleshooting. Which TWO AWS services can be used to capture and analyze IP traffic information? (Choose TWO.)
97A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC peering connection is active, and the route tables have appropriate routes. However, instances in VPC A cannot reach instances in VPC B. The security groups in both VPCs allow all traffic. What is the most likely issue?
98A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team notices increased latency and packet loss during peak hours. The Direct Connect virtual interface (VIF) is configured as a private VIF to a VPC. What is the MOST likely cause of the issue?
99A company wants to centralize VPC flow log management from multiple accounts into a single S3 bucket in the management account. Which combination of AWS services should be used?
100A network engineer needs to monitor traffic between a VPC and an on-premises network over an AWS Site-to-Site VPN. Which AWS service should be used to capture packet-level information for troubleshooting?
101A network engineer is diagnosing connectivity issues between an on-premises network and AWS over a Direct Connect connection. The BGP session is established, and the engineer can ping the VPC's private IP addresses. However, TCP connections to EC2 instances are failing. Which TWO actions should the engineer take to identify the issue?
102A company has a multi-account AWS environment using AWS Transit Gateway with multiple VPC attachments. The network team wants to centralize logging of all network traffic crossing the Transit Gateway. Which TWO services can be used together to achieve this?
103A company is using a transit gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that some VPCs can communicate with each other but not with the on-premises network. The transit gateway route tables are configured correctly. Which TWO configurations should the team check?
104A network engineer created a VPC interface endpoint for a third-party SaaS service using AWS PrivateLink. The endpoint shows 'available' state, but on-premises clients cannot connect to the service via the private endpoint DNS name. What is the MOST likely reason?
105A network engineer needs to monitor network performance between two EC2 instances in different Availability Zones. Which THREE metrics from Amazon CloudWatch should the engineer use?
106A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway for outbound internet access. The security team wants to audit all traffic from the private subnets to the internet. Which TWO steps should be taken to capture this traffic?
107A network engineer configured a custom network ACL for a VPC. An EC2 instance in a subnet associated with this ACL cannot receive ping (ICMP) from the internet. The security group allows ICMP. Which rule is causing the issue?
108A company is deploying a new application that requires low latency between EC2 instances. Which THREE placement group strategies should the network engineer consider?
109A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team wants to monitor BGP session status for all Transit Gateway attachments. Which AWS service should be used?
110A network engineer is troubleshooting why an EC2 instance (with the above security group) is not responding to HTTP requests from the internet. The instance is in a public subnet with an Internet Gateway attached. The route table has a default route to the Internet Gateway. What is the most likely cause?
111A company has a VPC with both IPv4 and IPv6 CIDR blocks. The network engineer needs to capture all traffic between the VPC and the internet. Which THREE resources must have VPC Flow Logs enabled?
112A network engineer has created a VPC endpoint for a VPC endpoint service. The endpoint is 'available' but the application cannot connect to the service using the private DNS name. The engineer checks the Route 53 private hosted zone and finds that no record exists for the endpoint. What is the most likely cause?
113A network engineer troubleshoots a VPN connection that shows 'available' state but traffic is not passing. The on-premises firewall logs show that the tunnel is established, but no traffic. The engineer checks the VPN configuration. Based on the exhibit, what is the MOST likely cause of the problem?
114A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The issue occurs only during peak business hours. CloudWatch metrics show increased latency and packet loss at the Direct Connect virtual interface. What is the MOST likely cause?
115A company needs to centrally manage network security policies across multiple VPCs and on-premises networks. Which AWS service provides a centralized dashboard for managing firewall rules?
116A company has a hybrid network with multiple VPCs connected via a Transit Gateway. They want to centralize outbound internet traffic through a single VPC with a NAT gateway. The security team requires that all traffic to the internet must be logged. Which solution is MOST operationally efficient?
117A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway. The network team wants to monitor DNS queries from EC2 instances in private subnets to a custom DNS resolver on-premises over a VPN. Which TWO services can capture this traffic?
118A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They notice that traffic from on-premises to a VPC is being dropped. The VPC is associated with a private VIF. The on-premises router has a BGP route to the VPC's CIDR. The VPC's route table has a route to the virtual private gateway. What is the MOST likely cause of the dropped traffic?
119A network engineer needs to verify the routing path between two EC2 instances in different subnets within the same VPC. Which AWS tool can provide this information?
120A company is using AWS Transit Gateway with multiple VPC attachments. They need to ensure that traffic between two specific VPCs is encrypted in transit. The VPCs are in the same AWS region. What is the SIMPLEST solution?
121A network engineer created an IAM policy for a user to manage VPC Flow Logs. The user reports they cannot create flow logs and receive an 'AccessDenied' error. What is the MOST likely reason?
122A network engineer is setting up a site-to-site VPN connection between an on-premises network and AWS. After configuring the customer gateway, virtual private gateway, and VPN tunnel, the tunnel status shows 'DOWN'. Which step should the engineer take FIRST to troubleshoot?
123A company has a VPC with multiple subnets across Availability Zones. An application load balancer (ALB) is deployed in public subnets. The network team notices that traffic from the ALB to targets in private subnets is intermittently failing. The targets are healthy. What is the MOST likely cause?
124A financial company has a multi-account AWS environment using AWS Organizations. They have deployed a centralized inspection VPC with a third-party firewall appliance. All VPCs are attached to a Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by the firewall. The firewall is deployed in an Auto Scaling group behind a Network Load Balancer (NLB). What is the BEST way to route traffic to the firewall?
125A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection in real time. Which AWS service should be used?
126A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. The two connections will terminate on different AWS Direct Connect locations. Which configuration will provide the HIGHEST availability?
127A company's VPC includes a public subnet with a NAT gateway and a private subnet with EC2 instances. The EC2 instances in the private subnet need to access the internet for software updates. The NAT gateway's Elastic IP is associated correctly, and the route tables are configured. However, the EC2 instances cannot reach the internet. What is the most likely cause?
128A network engineer is troubleshooting intermittent connectivity issues between two VPCs that are peered. The VPC peering connection is in the 'active' state. ICMP ping from an instance in VPC A to an instance in VPC B fails intermittently. What is the most likely cause?
129A company has a VPC with public and private subnets. The private subnets need internet access for software updates. The company wants to minimize costs and management overhead. Which solution should they use?
130A company uses AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that the BGP session for the public VIF is flapping intermittently. Which configuration change on the customer router would most likely stabilize the BGP session?
131A company has a Direct Connect connection with a public VIF to access AWS public services. They notice that traffic to Amazon S3 is taking a suboptimal path via the internet instead of the Direct Connect. What is the MOST likely cause?
132A company has multiple AWS accounts and wants to centrally manage VPC flow logs for compliance. The logs should be published to a central S3 bucket in the logging account. The logging account has an S3 bucket policy that allows cross-account writes. However, flow logs are not being delivered. What is the most likely missing configuration?
133A network engineer is troubleshooting high latency on a Direct Connect connection. Which TWO actions should the engineer take to diagnose the issue?
134A solutions architect is designing a hybrid network using AWS Transit Gateway with multiple VPN attachments. The on-premises network uses BGP dynamic routing. What is the best practice to achieve high availability and fast failover?
135A company is designing a multi-region network with Direct Connect. They have two Direct Connect connections in each region. They want to achieve the HIGHEST availability and lowest latency for cross-region traffic. Which THREE design elements should they include?
136A company is using AWS Client VPN to provide remote access to employees. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a subnet, and authorization rules are configured. What is the most likely cause?
137A company wants to monitor network traffic between two VPCs connected via a Transit Gateway. Which THREE AWS services can be used to capture and analyze this traffic?
138A network engineer notices that traffic from an EC2 instance in a public subnet to the internet is not working. The instance has a public IP assigned and is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What should the engineer check next?
139Refer to the exhibit. A network engineer has established a VPC peering connection between VPC A (10.0.0.0/16) in account 111111111111 and VPC B (192.168.0.0/16) in account 222222222222. The peering connection status is 'active'. However, instances in VPC A cannot reach instances in VPC B. What is the MOST likely cause?
140A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company wants to ensure that traffic to the VPC uses the Direct Connect connection instead of the internet. Which configuration is required?
141Refer to the exhibit. The IAM policy above is attached to a user in account A (123456789012). The user needs to create a VPC peering connection with account B and accept it. The user in account A can create the peering request, but the accept fails with an 'UnauthorizedOperation' error. What is the MOST likely reason?
142A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that some VPCs cannot communicate with each other even though they are attached to the same transit gateway. What is the most likely cause?
143Refer to the exhibit. A Direct Connect private virtual interface is in the 'available' state, and the BGP session is up. However, the on-premises network cannot reach any resources in the VPC attached to the Direct Connect gateway. What is the MOST likely cause?
144Which TWO configuration steps are required to enable VPC Flow Logs to be published to an S3 bucket in a different AWS account? (Select TWO.)
145A company is designing a highly available Direct Connect connection. Which THREE components should be deployed to meet this requirement? (Select THREE.)
146A company uses AWS Direct Connect and VPN as backup. The network team notices that during a VPN failover, traffic drops for several minutes. The VPN tunnels are configured with BGP dynamic routing. Which configuration change would MOST likely reduce failover time?
147Which TWO actions should a network engineer take to troubleshoot a BGP session that is not establishing between an on-premises router and AWS Direct Connect? (Select TWO.)
148A network engineer needs to monitor network traffic to an Amazon RDS instance for security analysis. Which AWS service should be used to capture and analyze network traffic?
149An engineer is trying to create a VPC Flow Log that delivers to a CloudWatch Logs log group in the same account. The IAM role used has the above trust policy. However, the flow log creation fails with an error. What is the most likely reason?
150A company has a hybrid network with multiple AWS Direct Connect connections to different VPCs. The on-premises network uses BGP to advertise prefixes to AWS. The network team notices that some on-premises prefixes are not being received by the VPCs. What is the MOST likely cause?
151An EC2 instance with the attached network interface shown above is unable to reach the internet. The instance is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What is the most likely cause?
152A company uses a centralized inspection VPC for traffic inspection. All VPCs route traffic to the inspection VPC via Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by a network virtual appliance in the inspection VPC. Which Transit Gateway feature should be configured?
153An engineer is troubleshooting connectivity from on-premises to a VPC via Direct Connect private VIF. The BGP session is up, traffic is flowing, but the on-premises network cannot reach some subnets in the VPC. The VPC CIDR is 10.0.0.0/16. What is the most likely cause based on the exhibit?
154A network engineer is troubleshooting high latency to an application hosted in Amazon EC2. The application uses an Application Load Balancer. Which metrics in Amazon CloudWatch should be examined to identify if the load balancer is causing latency?
155A company has a Direct Connect connection with a private VIF to a VPC. The network team notices intermittent packet loss on the link. CloudWatch metrics show no errors on the connection. What should the team do next to isolate the issue?
156A company has a global application deployed across multiple AWS Regions. Users are routed to the nearest Region using Amazon Route 53. The application uses an Application Load Balancer in each Region. The network team wants to ensure that traffic is always routed to a healthy Region in case of a Regional failure. Which Route 53 routing policy should be used?
157A network engineer is troubleshooting an issue where an on-premises server cannot reach an EC2 instance in a VPC over a Site-to-Site VPN. The VPN tunnel is up, and BGP is established. The engineer checks the route tables and sees the on-premises CIDR in the VPC route table pointing to the virtual private gateway. What is the most likely cause?
158A company uses AWS Direct Connect with a public VIF to access Amazon S3. The network team notices that S3 traffic is taking a suboptimal path over the internet instead of the Direct Connect. Which configuration is MOST likely missing?
159A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team wants to monitor the amount of data transferred between VPCs for cost allocation. Which AWS feature should they use?
160An organization has a multi-account setup using AWS Organizations. The security team wants to centrally manage and enforce security group rules across all VPCs in all accounts. Which solution should they implement?
161A network engineer needs to capture and analyze DNS query logs generated by Amazon Route 53. Which AWS service should be used to store and query these logs?
162A company has a Direct Connect connection with a public VIF to access AWS public services. The on-premises network team reports that they can reach S3 but not DynamoDB. The route table on the customer router shows a default route to the public VIF. What is the most likely cause?
163A company has a multi-account AWS environment using AWS Transit Gateway. The network team wants to centralize network logging from all accounts into a single account for analysis. Which combination of services should be used to achieve this?
164A network engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. Which AWS service should be used?
165A network engineer is diagnosing a connectivity issue between an on-premises network and an Amazon VPC connected via a site-to-site VPN. The VPN tunnel is up, but traffic is not reaching the VPC. Which TWO actions should the engineer take to troubleshoot the issue? (Choose two.)
166A company is using AWS Direct Connect with a private VIF to connect to a VPC. They want to ensure high availability by having a second Direct Connect connection. Which configuration provides the most resilient setup?
167A company is designing a highly available hybrid network using two AWS Direct Connect connections from different providers. The company wants to use BGP to advertise the same on-premises prefixes to AWS. Which THREE practices should be followed to ensure high availability and optimal traffic flow? (Choose three.)
168A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket. The VPC has a NAT Gateway in the public subnet. The security group for the EC2 instance allows outbound HTTPS to 0.0.0.0/0. The NACL for the private subnet allows outbound HTTPS to 0.0.0.0/0 and inbound ephemeral ports from 0.0.0.0/0. The instance still cannot reach S3. What is the most likely cause?
169A network engineer is setting up a VPC peering connection between two VPCs in the same AWS account and Region. Which TWO steps are required to enable communication between instances in the peered VPCs? (Choose two.)
170A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to limit traffic between specific VPCs for security purposes. Which feature should they use?
171A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a VPC and an on-premises data center over a Direct Connect virtual interface. The engineer notices that the BGP session is flapping. Which configuration should the engineer verify first?
172A network engineer is diagnosing a connectivity issue between two VPCs connected via VPC peering. The engineer has confirmed that the route tables in both VPCs have appropriate routes and the security groups allow traffic. However, traffic from VPC A to VPC B fails. Which TWO steps should the engineer take to troubleshoot? (Select TWO.)
173A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to access the internet. The instance has a route table with a default route to a NAT gateway. However, the instance cannot reach the internet. What is the most likely cause?
174A company is deploying a new application across multiple Availability Zones in a single region. The application requires low-latency communication between instances in different AZs. Which THREE design choices help achieve high availability and low latency? (Select THREE.)
175A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. After adding a new VPC attachment, traffic from the on-premises network cannot reach the new VPC. The on-premises BGP route table shows the prefixes of the new VPC as received. What should the engineer check?
176A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while blocking inbound internet traffic. Which TWO components are required? (Select TWO.)
177A company is experiencing intermittent connectivity issues between a VPC and an on-premises data center over an AWS Direct Connect connection. The network engineer checks the Direct Connect virtual interface status and sees it is 'up'. However, BGP sessions are flapping. Which action should the engineer take to diagnose the issue?
178A company has a global application deployed across multiple AWS regions using Application Load Balancers (ALBs) and AWS Global Accelerator. Users in Asia report high latency. The network team wants to monitor the performance of the Global Accelerator endpoints. Which AWS service should they use to collect and analyze network metrics?
179A network engineer is troubleshooting high latency on an AWS Transit Gateway attachment to a VPN. The VPN tunnel is established, and traffic flows, but latency spikes are observed during peak hours. The engineer suspects packet loss. Which diagnostic step should be taken first?
180A network engineer is designing a hybrid network with Direct Connect and VPN backup. The company has multiple VPCs connected via Transit Gateway. They want to use BGP to exchange routes. Which BGP feature should be configured to fail over from Direct Connect to VPN if the Direct Connect link goes down?
181A company uses AWS CloudFormation to manage its network infrastructure. After a recent update, the stack fails to update, with an error indicating that a security group rule conflicts with an existing rule. What is the most likely cause?
182A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to a partner VPC with CIDR 10.0.0.0/16. Both VPCs are in the same region. They want to use VPC Peering. After creating the peering connection and adding routes, connectivity fails. What is the most likely cause?
183A company is designing a multi-region architecture using AWS Transit Gateway inter-region peering. They need to ensure that traffic between VPCs in different regions can traverse the TGW peering attachment without being inspected by a central security appliance. Which configuration should be used?
184A company wants to monitor network traffic to and from an EC2 instance to detect anomalous outbound traffic. Which AWS service should they use to capture and analyze the traffic?
185A network engineer is configuring an AWS Site-to-Site VPN with dynamic routing (BGP). The customer gateway device is a Cisco router. The VPN tunnel is established, but BGP is not forming. Which configuration on the Cisco router is most likely missing?
186A company has a Direct Connect connection with a private virtual interface. The on-premises network team reports that they cannot reach EC2 instances in a VPC. The VPC has a virtual private gateway attached. The route table in the VPC has a route to the on-premises CIDR via the virtual private gateway. What should the network engineer verify?
187A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team notices that traffic from on-premises to an EC2 instance in the VPC is taking a suboptimal path through the internet instead of the Direct Connect. What is the most likely cause?
188A company uses AWS Direct Connect and VPN as backup. They have a Transit Gateway with multiple VPC attachments. The network engineer wants to ensure that traffic uses Direct Connect when available and fails over to VPN. Which configuration should be applied?
189A network engineer needs to capture and analyze traffic crossing a VPC peering connection for troubleshooting. Which AWS service should be used?
190A company is troubleshooting a slow network connection between two EC2 instances in the same VPC but different Availability Zones. Which TWO tools can be used to measure throughput and diagnose performance issues?
191A company is migrating from a legacy MPLS network to AWS using Direct Connect. The network team wants to ensure high availability with a backup connection. They have two Direct Connect connections from different providers, both terminating at the same AWS Direct Connect location. Which configuration provides the most resilient setup?
192A company has a Direct Connect connection and wants to use it for both private and public resources. Which TWO components are required to achieve this?
193A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a NAT Gateway in the public subnet. However, the instance cannot reach the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause?
194A network engineer is analyzing VPC Flow Logs and notices that some rejected traffic is not logged. Which THREE conditions could cause this?
195A network engineer is troubleshooting an issue where an EC2 instance in a VPC cannot reach an S3 bucket via a gateway endpoint. The instance is in a private subnet with a route table that has a route for the S3 prefix list pointing to the gateway endpoint. Which TWO actions should the engineer take to diagnose the problem?
196A network engineer is troubleshooting an AWS Lambda function that needs to create and manage ENIs in a VPC. The Lambda function is unable to create ENIs. The IAM policy attached to the Lambda execution role is shown in the exhibit. What is the issue?
197A company is deploying a multi-tier application across two Availability Zones. The web tier must be highly available and scale based on traffic. The application load balancer (ALB) is internet-facing. Which TWO configurations are required to ensure the ALB can route traffic to the web instances across both AZs?
198A network engineer ran the command shown in the exhibit to check VPC peering connections. Two peering connections are active. The engineer wants to verify that routes are correctly configured. What additional step is needed to ensure that instances in vpc-11111111 can communicate with instances in vpc-33333333?
199A network team is planning a migration of a legacy application to AWS. The application requires a static IP address for the on-premises firewall whitelist. Which THREE AWS services can provide a static IP address for outbound traffic from a VPC?
200A network engineer is monitoring a Direct Connect connection. The exhibit shows CloudWatch metric data for the ConnectionState metric. The engineer sees that the average value is 0.0 for most of the day. What does this indicate?
201A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic from on-premises to the VPC is intermittently dropping. You check the Direct Connect virtual interface status and find it is 'down'. Which AWS service should you use to troubleshoot the physical layer connectivity?
202A network engineer is troubleshooting high latency between two EC2 instances in the same VPC but different Availability Zones. Which AWS service can provide detailed network performance metrics to identify the source of latency?
203A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic from a specific VPC to an on-premises network is being dropped. All other VPCs can reach the on-premises network. Which configuration should be checked first?
204A company has a hybrid network with multiple AWS Direct Connect connections to multiple VPCs. They want to monitor network performance and receive alerts when latency exceeds a threshold. Which combination of AWS services should be used to achieve this?
205A network engineer is troubleshooting an issue where an EC2 instance in a public subnet cannot reach the internet. The instance has a public IP, and the route table has a default route to an internet gateway. What is the most likely cause?
206A company has a VPC with public and private subnets. The security team wants to analyze all traffic to and from the internet for security incidents. Which AWS service should be used to capture and analyze this traffic?
207A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. They need to ensure that traffic is distributed evenly across regions and that failover happens automatically. Which configuration should they use?
208A network engineer is designing a multi-region application that requires low-latency traffic between EC2 instances in two different AWS Regions. The engineer needs to ensure that traffic between the instances uses the AWS global network and not the public internet. Which AWS service should be used?
209A network administrator is setting up VPC Flow Logs to monitor traffic to an Amazon RDS instance. The logs are sent to Amazon S3. After enabling Flow Logs, the administrator notices that no logs are being delivered. What is the most likely cause?
210A company has a VPC with a NAT gateway in a public subnet. The security team wants to log all outbound traffic from private subnets to the internet. Which AWS service should be used to capture this traffic?
211A company is using AWS Direct Connect to connect its on-premises data center to AWS. The connection is up, but the network team cannot reach resources in a VPC. The virtual interface is in the 'available' state, and BGP session is established. What should the team check next?
212A company has a VPC with a VPN connection to an on-premises network. The network team reports that the VPN tunnel is flapping intermittently. You need to identify the cause. Which AWS service provides logs that can help troubleshoot the VPN tunnel status?
213A company has a VPC with multiple subnets and an internet gateway. The security team wants to detect and block malicious traffic patterns. Which AWS service should be used to provide intrusion detection and prevention?
214A company has a large AWS environment with hundreds of VPCs connected via Transit Gateway. They want to centrally manage network traffic flow and enforce security policies. Which service should they use to create a central network inspection architecture?
215A company wants to monitor network traffic between VPCs in the same AWS Region that are connected via VPC Peering. Which AWS service can provide visibility into the traffic?
216A network engineer is monitoring network performance between an EC2 instance and an on-premises server using AWS VPN. The engineer notices intermittent packet loss. Which AWS service can provide detailed network metrics and path visualization to troubleshoot?
217A network engineer is troubleshooting a VPN connectivity issue. The VPN tunnel is up, but traffic is not passing. Which TWO AWS services should the engineer use to diagnose the problem?
218A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect but cannot access any resources. The VPN is configured with a security group that allows all traffic. What should the administrator check?
219A company wants to implement a network monitoring solution that provides real-time traffic analysis and anomaly detection. Which THREE AWS services should be used together?
220A company has multiple VPCs connected via VPC peering. They want to simplify network management and reduce the number of peering connections. Which AWS service should they use?
221A network engineer needs to monitor network performance between an on-premises data center and AWS via Direct Connect. Which TWO metrics should the engineer monitor in Amazon CloudWatch?
222Which TWO actions are recommended to troubleshoot asymmetric routing in a VPC with multiple NAT gateways?
223Refer to the exhibit. A company has created a VPC endpoint for S3. However, an EC2 instance in the subnet associated with the route table cannot access S3 via the endpoint. The route table has a route to the endpoint. What is the most likely cause?
224Which THREE factors should be considered when designing a highly available AWS Site-to-Site VPN connection?
225Refer to the exhibit. A network engineer is creating an IAM policy to allow a user to manage VPC Peering connections. The user reports that they cannot delete a VPC Peering connection. What should the engineer add to the policy?
226Refer to the exhibit. A network engineer created a NAT gateway in a public subnet, but its state shows 'failed'. What is the most likely cause?
227Which TWO AWS services can be used to centrally manage and monitor network traffic across multiple VPCs and on-premises networks?
228A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The engineer notices that BGP sessions are flapping. What should the engineer check first?
229A company is experiencing intermittent SSH connection failures to their EC2 instances in a VPC. The instances are in a private subnet with a NAT gateway. The security group allows inbound SSH from the corporate CIDR. The network ACL is set to default allow all. The route table has a route to the NAT gateway for 0.0.0.0/0. What is the most likely cause of the intermittent failures?
230A company has a transit gateway with multiple VPC attachments and an on-premises VPN connection. The network team is seeing asymmetric routing and packet drops. What should they implement to resolve this?
231A network engineer is troubleshooting high latency on a VPN connection between an on-premises network and AWS. The VPN uses two tunnels to a virtual private gateway. The engineer notices that traffic is only using one tunnel, and the other tunnel is idle. What should the engineer do to ensure both tunnels are utilized?
232A financial services company uses AWS Direct Connect to connect its data center to multiple VPCs via a transit gateway. They need to meet PCI DSS compliance requirements by encrypting all traffic between the data center and AWS. What solution meets this requirement with the least operational overhead?
233A company uses AWS Direct Connect with a private VIF to connect to their VPC. They want to monitor the network latency between their on-premises router and the AWS Direct Connect location. Which AWS service should they use?
234A company has a VPC with public and private subnets. The private subnets use a NAT gateway for outbound internet access. The security team notices that some EC2 instances in the private subnets are able to reach the internet, but others are not. All instances have the same security group and are in the same private subnet. What is the most likely cause?
235A company uses AWS Client VPN to provide remote access to its VPC. Users report slow connection speeds. The CloudWatch metrics show high packet loss on the VPN connections. What is the most likely cause?
236A network engineer is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. The VPCs are in the same region. After accepting the peering request, instances in VPC-A cannot communicate with instances in VPC-B. What should the engineer check first?
237A company has deployed a Network Load Balancer (NLB) in front of a fleet of EC2 instances in a VPC. The NLB is configured with a TCP listener on port 443. Clients are experiencing timeouts. The target group health checks are passing. What is the most likely cause?
238A company runs a multi-account AWS environment using AWS Organizations. They need to centrally manage VPC flow logs across all accounts and enable analysis for security incidents. The flow logs must be stored in a central S3 bucket in the management account. What is the MOST scalable and cost-effective approach?
239A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to monitor the number of packets dropped due to route table limits. Which CloudWatch metric should they use?
240A network engineer is setting up an AWS Site-to-Site VPN connection. The customer gateway device is behind a NAT device that performs PAT. The VPN tunnel fails to come up. What is the most likely cause?
241A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach any resources in the VPC. What is the most likely cause?
242A company uses AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They notice that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What configuration change should be made to ensure optimal routing?
243A company has a VPC with an AWS Site-to-Site VPN connection to their on-premises network. The VPN uses dynamic routing with BGP. The on-premises network is advertising a specific route to the VPC. However, instances in the VPC cannot reach the on-premises network. The VPN tunnels are up and BGP sessions are established. What should the engineer check?
244A company has a Direct Connect connection with a private VIF attached to a Direct Connect Gateway. The Direct Connect Gateway is associated with a Transit Gateway. The on-premises network advertises a prefix via BGP, but the prefix does not appear in the Transit Gateway route table. What is the most likely cause?
245A company is using AWS Direct Connect with a private VIF. They want to monitor the BGP session status and receive alerts if the session goes down. Which AWS service should they use?
246Which TWO are valid methods to monitor and troubleshoot AWS Direct Connect connections?
247A network engineer is troubleshooting a slow connection between an EC2 instance and an RDS database in the same VPC. The engineer wants to analyze network performance metrics. Which TWO metrics should the engineer examine? (Choose two.)
248Which THREE are best practices for managing network security in a multi-VPC AWS environment using AWS Transit Gateway?
249A company is designing a multi-region architecture with VPCs connected via VPC peering. They need to ensure high availability and low latency. Which THREE design principles should they follow? (Choose three.)
250Which TWO are requirements for using AWS Client VPN to provide secure remote access?
251A network engineer is troubleshooting intermittent connectivity issues between two VPCs connected via a VPC peering connection. The engineer notices that the route tables in both VPCs have the correct routes. What should the engineer check next?
252A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. They notice that traffic between VPCs is being dropped intermittently. Which TWO actions should the engineer take to diagnose the issue? (Choose two.)
253A company has set up a Direct Connect connection with a private VIF to its VPC. The BGP session is up, but traffic is not passing between the on-premises network and the VPC. Which configuration should be verified?
254A company has a VPC with a public subnet and a private subnet. The private subnet hosts a web application that needs to access an external API over the internet. The private subnet uses a NAT Gateway in the public subnet for outbound internet access. The web application is failing to reach the external API. The engineer has verified the following: the NAT Gateway has an Elastic IP attached, the route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway, the security group for the web application allows outbound HTTPS (TCP 443) to 0.0.0.0/0, the network ACL for the private subnet allows inbound and outbound TCP ephemeral ports (1024-65535) from and to 0.0.0.0/0, and the IAM role attached to the EC2 instance allows outbound HTTPS. The engineer also confirmed that the NAT Gateway is in the public subnet which has a route to an Internet Gateway. Despite all these checks, the web application still cannot reach the external API. What should the engineer do next?
255A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. After a network change, some VPCs cannot reach the on-premises network. The Transit Gateway route table shows the correct association and propagation. What is the most likely cause?
256A company has deployed a multi-VPC architecture with AWS Transit Gateway. The network team notices that traffic between two VPCs is intermittently dropped. Both VPCs are attached to the same transit gateway. Which action should the network engineer take to troubleshoot the issue?
257A network engineer needs to monitor the network traffic between EC2 instances in a VPC. Which AWS service should be used to capture IP traffic information?
258A company uses AWS CloudFormation to deploy a VPC with public and private subnets. The template includes an Internet Gateway and a NAT Gateway. After deployment, instances in the private subnet cannot access the internet. The network engineer checks the route tables and finds that the private subnet route table has a default route pointing to the NAT Gateway. What is the most likely cause of the issue?
259A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has set up a NAT gateway in the public subnet. However, instances in the private subnet cannot reach the internet. What is the most likely cause?
260A network engineer is monitoring network performance and needs to collect and analyze network metrics from multiple AWS services in a centralized dashboard. Which AWS service should be used to aggregate and visualize these metrics?
261A company has multiple AWS accounts and wants to centrally manage network resources using AWS Transit Gateway. Which feature allows sharing the Transit Gateway across accounts?
262A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to its VPC. The on-premises network team reports that they can ping the private IP address of an EC2 instance in the VPC, but cannot establish a TCP connection to a web server running on that instance. The network security group allows inbound TCP port 80 from the on-premises CIDR. What should the network engineer check next?
263A network engineer needs to troubleshoot high latency between two EC2 instances in the same VPC but in different Availability Zones. Which tool should be used to measure network performance?
264A company has set up a Site-to-Site VPN connection between its on-premises network and AWS. The VPN tunnel shows as 'UP' but traffic is not flowing. What should the engineer check?
265A company is experiencing high latency for traffic between EC2 instances in the same VPC but in different Availability Zones. The network team suspects the issue is related to the placement group used. The instances are in a spread placement group. What should the network engineer do to reduce latency?
266A company uses AWS Direct Connect with multiple virtual interfaces (VIFs) to connect to multiple VPCs. The network team wants to ensure high availability and failover. Which configuration provides the best resiliency?
267A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Site-to-Site VPN. The VPN tunnel status shows as UP. The on-premises network can ping the virtual private gateway (VGW) IP address, but cannot reach EC2 instances inside the VPC. What is the most likely cause?
268A company is designing a highly available network architecture using AWS Direct Connect. Which TWO actions should be taken to ensure redundancy?
269A company manages multiple VPCs connected via a transit gateway. Each VPC has a VPN connection to an on-premises data center. The network team wants to monitor the bandwidth utilization on each VPN connection. Which approach is the most efficient?
270A network engineer is troubleshooting a VPN connection that is not passing traffic. The tunnel status shows as 'UP'. Which THREE steps should the engineer take to diagnose the issue?
271A company has a VPC with a public subnet and a private subnet. The private subnet instances need to make outbound internet requests. A NAT Gateway is deployed in the public subnet. The network engineer notices that instances in the private subnet cannot reach the internet, but the NAT Gateway's Elastic IP is reachable from the internet. Which of the following is the most likely cause?
272A company wants to monitor network traffic in its VPC for security analysis. Which TWO AWS services can be used to capture and analyze network traffic?
273A network engineer is designing a highly available VPN connection between an on-premises network and AWS. The on-premises network has two internet connections from different ISPs. Which AWS VPN configuration should be used to provide the highest availability?
274A company has a hub-and-spoke network architecture using AWS Transit Gateway. The hub VPC contains a central inspection appliance (NVA) for traffic inspection. Spoke VPCs are attached to the Transit Gateway and have routes pointing to the Transit Gateway for all traffic. The Transit Gateway has a default route table that routes traffic to the NVA for inspection. Recently, the network team noticed that traffic between two spoke VPCs is not being inspected. The team verified that the Transit Gateway route tables are correctly configured and that the NVA is healthy. What should the team do to ensure that inter-spoke traffic is inspected?
275A network engineer is troubleshooting network connectivity issues in a VPC. The engineer suspects that the network ACL is blocking traffic. Which TWO actions should the engineer take to verify this?
276A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB). The application is experiencing intermittent timeouts. CloudWatch metrics show that the ALB's RequestCount is within normal limits, but TargetResponseTime occasionally spikes to 10 seconds. What is the most likely cause?
277A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. The network engineer needs to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which THREE steps are necessary to achieve this?
278A network engineer is troubleshooting a VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA. The tunnel status shows 'UP' but no traffic passes. The engineer checks the route tables and finds the correct static routes on both sides. What should the engineer check next?
279A company uses AWS Direct Connect to connect its data center to a VPC. The VIF is up, and the BGP session is established. However, the on-premises router cannot ping the VPC's private IP addresses. Which configuration is most likely missing?
280A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team needs to monitor the BGP session status for each VPN attachment. Which TWO services can be used to monitor BGP status and receive alerts if a session goes down?
281A company has a VPC with public and private subnets. The public subnet has a NAT Gateway, and the private subnet has EC2 instances that need internet access. The private instances can reach the internet, but cannot access an S3 bucket in the same region using the S3 gateway endpoint. What is the most likely cause?
282A company has a hybrid network architecture with an AWS VPC (10.0.0.0/16) connected to an on-premises data center via AWS Direct Connect with a private VIF. The on-premises network uses 10.1.0.0/16. The VPC has subnets in two Availability Zones, each with a private subnet (10.0.1.0/24 and 10.0.2.0/24) and a public subnet. The company recently deployed a new application in the VPC that uses an Application Load Balancer (ALB) in the public subnets. The ALB targets EC2 instances in the private subnets. Users on-premises report that they cannot access the application using the ALB's DNS name. The on-premises network team confirms that they can ping the ALB's private IP address from on-premises. The VPC route tables have routes for the on-premises network pointing to the virtual private gateway (VGW). The security groups and network ACLs are configured to allow traffic from on-premises. What is the most likely cause of the issue?
283A network engineer is monitoring a hybrid network with a VPN connection to AWS. The engineer notices periodic packet loss and high latency during peak hours. The VPN tunnel uses static routing. The on-premises bandwidth is 100 Mbps, and the VPN connection is limited to 1.25 Gbps. What is the most likely cause?
284A company has a VPC with a CIDR of 172.16.0.0/16. The VPC contains an Amazon RDS for MySQL database in a private subnet. The database is accessed by EC2 instances in the same VPC and by on-premises servers via a Site-to-Site VPN. The network team recently enabled VPC Flow Logs and noticed that the database is receiving a high number of SYN packets from an IP address that is not part of the VPC or on-premises network. The security group for the database only allows inbound traffic on port 3306 from the EC2 instances' security group and the on-premises CIDR (10.0.0.0/8). The network ACL for the database subnet allows inbound and outbound traffic on all ports from all sources. What is the most likely cause of the unexpected traffic?
285A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network can reach some VPCs but not others. All VPCs are attached to the same Transit Gateway. What should the engineer check first?
286A company uses a VPC with multiple subnets in different Availability Zones. The VPC has a NAT Gateway in a public subnet of us-east-1a, and a second NAT Gateway in us-east-1b for high availability. Each private subnet in us-east-1a routes 0.0.0.0/0 to the NAT Gateway in us-east-1a, and private subnets in us-east-1b route to the NAT Gateway in us-east-1b. The company's EC2 instances in private subnets need to access an external service using IPv6. The VPC is not configured for IPv6. The network engineer needs to enable IPv6 connectivity for these instances. Which solution is the most cost-effective and scalable?
287A company has a VPC with a public subnet hosting a web server. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. The network ACL for the public subnet allows inbound HTTP from 0.0.0.0/0. Users report that they cannot access the website. The engineer verifies that the web server is running and has a public IP. What is the most likely issue?
288A company uses AWS Direct Connect to connect its on-premises network to a VPC. The network team notices intermittent packet loss on the Direct Connect virtual interface (VIF). Which AWS service should be used to monitor the latency and packet loss on the VIF?
289A company is using AWS Client VPN for remote access. Users can authenticate and establish a VPN connection, but they cannot access resources in the VPC. The Client VPN endpoint is associated with a subnet in the VPC. The security group for the Client VPN endpoint allows all traffic. What is the most likely cause?
290A company has a VPC with public and private subnets. The security team wants to detect and alert on any SSH traffic (port 22) that originates from the internet to any EC2 instance in the VPC. Which solution achieves this with minimal operational overhead?
291A company monitors its VPC using VPC Flow Logs. The logs are sent to CloudWatch Logs. The security team wants to detect traffic to known malicious IP addresses. Which AWS service can be used to analyze the flow logs in near real-time?
292A company has a global application deployed across multiple AWS Regions. The application uses Amazon Route 53 latency-based routing. The network team wants to monitor the health of the application endpoints. They configure Route 53 health checks with fast interval (10 seconds) for each endpoint. After a few days, they notice an increase in costs. Which change will reduce costs while maintaining adequate health monitoring?
293A company has a VPC with a public subnet and a private subnet. The public subnet has a bastion host (EC2) with a security group that allows SSH from a specific IP range. The private subnet has an RDS instance. The company wants to enable the bastion host to connect to the RDS instance. Which TWO steps are required?
294A company uses AWS Direct Connect with a public VIF to access S3. The on-premises network uses BGP to advertise a specific prefix to AWS. The company wants to ensure that traffic to S3 from on-premises always uses the Direct Connect connection and not the internet. Which TWO configurations must be in place?
295A company is using AWS Direct Connect to connect to its VPC. The network team wants to encrypt all traffic between the on-premises data center and the VPC. Which solution provides encryption?
296A company is designing a multi-account strategy using AWS Organizations. The security team wants to centrally manage VPC Flow Logs from all accounts. Which THREE steps are required to achieve this?
297A company has a VPC with a NAT Gateway in a public subnet. The network team notices that instances in private subnets cannot access the internet. Reviewing the route tables, the private subnet route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause of the issue?
298A company has a VPC with multiple subnets. The network engineer wants to monitor network traffic between two specific EC2 instances in different subnets. Which THREE methods can be used to capture and analyze this traffic?
299A company has a VPC with a Transit Gateway (TGW) connected to multiple VPCs and an on-premises network via Direct Connect. The network team wants to implement centralized inspection of all traffic between VPCs and between VPCs and on-premises. Which architecture should they use?
300A company has a production VPC with a public and private subnet across two Availability Zones. The public subnet hosts a Network Load Balancer (NLB) that distributes traffic to EC2 instances in the private subnet. The application experiences periodic failures where the NLB marks all targets as unhealthy for about 2 minutes, then they recover. The health checks are HTTP on port 80 with a 5-second interval, 2 consecutive successes to be healthy, and 2 consecutive failures to be unhealthy. The target group health check timeout is 5 seconds. The EC2 instances are behind an Auto Scaling group with a minimum of 2 instances per AZ. CPU utilization on the instances is stable at 40%. The NLB's CloudWatch metrics show HealthyHostCount drops to zero suddenly. The network engineer suspects a network issue. What is the most likely cause?
The Network Management and Operations domain covers the key concepts tested in this area of the ANS-C01 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all ANS-C01 domains — no account required.
The Courseiva ANS-C01 question bank contains 300 questions in the Network Management and Operations domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Network Management and Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included