Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Network Design practice sets

ANS-C01 Network Design • Complete Question Bank

ANS-C01 Network Design — All Questions With Answers

Complete ANS-C01 Network Design question bank — all 0 questions with answers and detailed explanations.

504
Questions
Free
No signup
Certifications/ANS-C01/Practice Test/Network Design/All Questions
Question 1mediummultiple choice
Read the full Network Design explanation →

A company is migrating its on-premises data center to AWS. The network team needs to establish connectivity between the on-premises network and multiple VPCs in a single AWS Region. The company has a Direct Connect connection and wants to minimize latency and cost while maximizing bandwidth utilization. Which solution meets these requirements?

Question 2hardmultiple choice
Read the full VPN explanation →

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

Question 3easymultiple choice
Read the full Network Design explanation →

A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?

Question 4hardmultiple choice
Read the full Network Design explanation →

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs in the same AWS Region. The company wants to use AWS Transit Gateway to simplify connectivity between these VPCs and their on-premises network. Which steps are required to integrate the existing Direct Connect connection with Transit Gateway?

Question 5mediummultiple choice
Review the full subnetting walkthrough →

A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?

Question 6hardmulti select
Read the full Network Design explanation →

A company is designing a hybrid network using AWS Transit Gateway. The company has three VPCs (VPC-A, VPC-B, VPC-C) all attached to the same Transit Gateway. The on-premises network connects to the Transit Gateway via a Direct Connect gateway. The company needs to ensure that VPC-C can communicate with the on-premises network but not with VPC-A or VPC-B. Which TWO actions should the network engineer take?

Question 7mediummulti select
Read the full VPN explanation →

A company is deploying a new application in a VPC. The application consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB must only receive traffic from the company's on-premises network via an AWS Site-to-Site VPN. Which THREE steps should the network engineer take to meet this requirement?

Question 8mediummultiple choice
Read the full VPN explanation →

A network engineer has configured an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer checks the VPN status and sees the output above. What is the MOST likely cause of Tunnel2 being down?

Exhibit

Refer to the exhibit.

```
Tunnel1:
  State: UP
  Last Status Change: 2024-03-15 10:23:45 UTC
  Details: Tunnel is in UP state with BGP established.
Tunnel2:
  State: DOWN
  Last Status Change: 2024-03-15 10:25:12 UTC
  Details: Tunnel is in DOWN state due to phase 2 negotiation failure.
```
Question 9hardmultiple choice
Review the full routing breakdown →

A network engineer is setting up a cross-account Route 53 Resolver rule association. The engineer creates the above resource-based policy on a resolver rule in account 111111111111. The engineer then tries to associate the rule from account 222222222222 but receives an access denied error. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": [
        "route53resolver:AssociateResolverRule",
        "route53resolver:DisassociateResolverRule"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 10mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer in the public subnets distributes traffic to EC2 instances in the private subnets. The security group for the EC2 instances allows inbound traffic from the ALB security group. Users report intermittent timeouts. What is the most likely cause?

Question 11easymultiple choice
Review the full subnetting walkthrough →

A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?

Question 12hardmultiple choice
Review the full subnetting walkthrough →

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway attached. The on-premises network advertises a specific route 10.0.0.0/16, but the VPC uses the same CIDR 10.0.0.0/16. The company requires connectivity to the VPC from on-premises but cannot change the VPC CIDR. What is the most cost-effective solution?

Question 13mediummultiple choice
Read the full VPN explanation →

A company's VPC has an internet gateway and a NAT Gateway in a public subnet. The private subnet route table has a default route pointing to the NAT Gateway. EC2 instances in the private subnet can access the internet, but cannot access an on-premises network connected via AWS Site-to-Site VPN. What is the most likely cause?

Question 14easymultiple choice
Read the full Network Design explanation →

A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?

Question 15mediummulti select
Read the full NAT/PAT explanation →

A company has a VPC with an internet gateway and a NAT Gateway. The private subnet route table has a default route to the NAT Gateway. The company wants to enable instances in the private subnet to access an S3 bucket in the same region without traversing the internet. Which TWO actions should the company take?

Question 16hardmulti select
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF attached to a virtual private gateway. The VPC has multiple subnets in two Availability Zones. The on-premises network advertises a default route (0.0.0.0/0) via BGP. The company wants all internet-bound traffic from the VPC to go through the on-premises network. Which THREE actions are required to achieve this?

Question 17hardmultiple choice
Review the full subnetting walkthrough →

A company runs a multi-tier web application on AWS. The web servers in public subnets need to send traffic to the application servers in private subnets. The application servers must only accept traffic from the web servers. Both tiers are in the same VPC. Which design meets these requirements without introducing a single point of failure or unnecessary complexity?

Question 18mediummultiple choice
Open the full BGP breakdown →

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and wants to minimize operational overhead. The on-premises network uses BGP to advertise routes to AWS. Which design meets these requirements?

Question 19easymultiple choice
Read the full NAT/PAT explanation →

A company is designing a VPC with public and private subnets for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which combination of route tables and security groups achieves this?

Question 20mediummultiple choice
Read the full Network Design explanation →

A company is deploying an application that requires low-latency communication between EC2 instances in two different AWS Regions. The application traffic is latency-sensitive and the company wants to minimize jitter. Which network design provides the lowest and most consistent latency?

Question 21hardmultiple choice
Open the full BGP breakdown →

A company has a VPC with a CIDR of 10.0.0.0/16. They need to connect to two on-premises data centers, each with overlapping CIDR blocks (192.168.0.0/16). The company wants to use AWS Site-to-Site VPN with dynamic routing (BGP). Which design allows the VPC to reach both data centers without route conflicts?

Question 22easymulti select
Read the full Network Design explanation →

Which TWO of the following are valid components of an AWS Transit Gateway design for connecting multiple VPCs and on-premises networks?

Question 23hardmulti select
Read the full Network Design explanation →

Which THREE of the following are valid considerations when designing a multi-Region active-active application using AWS Global Accelerator?

Question 24hardmultiple choice
Review the full subnetting walkthrough →

A network engineer analyzes a VPC Flow Log entry showing an ACCEPT for a TCP connection from 203.0.113.50 (internet) to 10.0.1.5 on port 443. The security group for the instance allows inbound HTTPS only from 10.0.0.0/16, and the NACL for the subnet has the rules shown. Why was the traffic accepted?

Exhibit

Refer to the exhibit.

VPC Flow Logs entry:
2 123456789010 eni-12345678 10.0.1.5 203.0.113.50 443 38000 6 20 5000 1450670868 1450670868 ACCEPT OK

And the following security group inbound rule:
Type: Custom TCP, Protocol: TCP, Port Range: 443, Source: 10.0.0.0/16

And NACL inbound rule:
Rule #100: Type: HTTP (80), Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0, Allow
Rule #120: Type: HTTPS (443), Protocol: TCP, Port Range: 443, Source: 10.0.0.0/16, Allow
Rule #*: Type: All traffic, Protocol: All, Port Range: All, Source: 0.0.0.0/0, Deny
Question 25hardmultiple choice
Read the full Network Design explanation →

A company is designing a multi-Region architecture using AWS Transit Gateway and Direct Connect. They have VPCs in us-east-1 and eu-west-1, each with an attached Transit Gateway. The Direct Connect gateway is associated with the Transit Gateway in us-east-1. They need to enable communication between VPCs across Regions using the Direct Connect gateway. What is the correct design to achieve this?

Question 26mediummultiple choice
Review the full subnetting walkthrough →

A company has a hub-and-spoke network topology using AWS Transit Gateway in us-east-1. The hub VPC hosts centralized inspection appliances from a third-party vendor. The spokes include VPCs with application workloads and a Direct Connect VIF attached to a Direct Connect gateway which is associated with the Transit Gateway. The company notices that traffic from the on-premises network to the spoke VPCs is not being inspected by the centralized appliances. They have verified that the Transit Gateway route tables are correctly configured with static routes pointing to the inspection VPC for all spoke CIDRs, and the inspection appliances are properly configured to forward traffic. What is the most likely cause of this issue?

Question 27easymultiple choice
Read the full NAT/PAT explanation →

A startup is launching a new web application on AWS and needs to design a highly available and secure network architecture. The application will run on EC2 instances in an Auto Scaling group across two Availability Zones in a single region. The application must be accessible from the internet over HTTPS. The company expects variable traffic and wants to reduce costs where possible. They also need to protect against common web exploits like SQL injection and cross-site scripting. Which combination of AWS services should be used for the network design?

Question 28mediummultiple choice
Read the full NAT/PAT explanation →

A financial services company is designing a hybrid network architecture using AWS Direct Connect. They have a Direct Connect connection with a public VIF and a private VIF. The private VIF is associated with a Direct Connect gateway that is attached to a Transit Gateway in us-east-1. The Transit Gateway has attachments to a production VPC and a shared services VPC. The company wants to ensure that all traffic from the on-premises network to the production VPC flows through a centralized inspection appliance in the shared services VPC for security compliance. Additionally, traffic from the production VPC to the internet must use a NAT gateway in the shared services VPC. The inspection appliance in the shared services VPC performs stateful inspection and must see both directions of traffic. The network engineer configured the following route tables: In the Transit Gateway route table associated with the Direct Connect gateway attachment, a static route for 0.0.0.0/0 points to the shared services VPC attachment. In the Transit Gateway route table associated with the production VPC attachment, a static route for the on-premises CIDR (10.0.0.0/8) points to the shared services VPC attachment. In the Transit Gateway route table associated with the shared services VPC attachment, a static route for the on-premises CIDR points to the Direct Connect gateway attachment, and a static route for 0.0.0.0/0 points to the Direct Connect gateway attachment (for outbound internet traffic, the shared services VPC has its own internet gateway and NAT gateway). The production VPC has a default route (0.0.0.0/0) pointing to the Transit Gateway. The shared services VPC has a default route pointing to the NAT gateway. However, traffic from on-premises to the production VPC is not being inspected; it goes directly to the production VPC. What is the most likely reason?

Question 29hardmultiple choice
Review the full subnetting walkthrough →

A large e-commerce company operates a multi-tier application across multiple AWS accounts. The web tier is in a VPC (10.0.0.0/16) in Account A, and the application tier is in a separate VPC (10.1.0.0/16) in Account B. Both VPCs are connected via a VPC peering connection. The application tier uses an NLB to distribute traffic to EC2 instances in private subnets. The web tier sends traffic to the NLB's private IP address. Recently, the company migrated the application tier to use AWS PrivateLink instead of the VPC peering connection, creating a VPC endpoint service in Account B and an interface VPC endpoint in Account A. After the migration, the web tier cannot connect to the application tier. The security groups and NACLs allow the traffic. Which of the following is the MOST likely cause of the connectivity issue?

Question 30mediumdrag order
Read the full Network Design explanation →

Arrange the steps to configure an AWS Transit Gateway with attachments to multiple VPCs:

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 31mediumdrag order
Read the full Network Design explanation →

Arrange the steps to configure VPC Flow Logs for a VPC and publish logs to CloudWatch Logs:

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 32mediummatching
Read the full Network Design explanation →

Match each AWS Direct Connect term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Logical connection over a Direct Connect link to access AWS services

Bundle of multiple physical connections for higher bandwidth and redundancy

Document authorizing you to connect to an AWS Direct Connect location

Globally available resource to connect multiple VPCs across regions

Layer 2 encryption for Direct Connect connections

Question 33mediummatching
Read the full Network Design explanation →

Match each AWS networking feature to its use case for hybrid connectivity.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Central hub connecting multiple VPCs and on-premises networks

Connect multiple VPCs across regions to a single Direct Connect

Hub-and-spoke VPN topology between multiple on-premises sites

Managed OpenVPN-based service for remote users

Private access to S3 and DynamoDB without internet gateway

Question 34mediummultiple choice
Review the full subnetting walkthrough →

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. The application servers are in private subnets behind Network Load Balancers (NLBs). The company needs to ensure that traffic from a client is consistently routed to the same ALB endpoint for the duration of a session. Which configuration should be used?

Question 35hardmultiple choice
Study the full multicast explanation →

A company is migrating a legacy on-premises application to AWS. The application requires multicast traffic between instances within a VPC. The network engineer must design a solution that supports multicast without modifying the application. Which AWS service or feature should be used?

Question 36easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets in three Availability Zones. The company hosts a web application on Amazon EC2 instances in the private subnets. The instances need to download security patches from the internet but must not be directly accessible from the internet. Which solution meets these requirements with the least operational overhead?

Question 37mediummultiple choice
Read the full Network Design explanation →

A company is deploying a critical application on AWS and needs to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet the encryption requirement?

Question 38hardmultiple choice
Read the full Network Design explanation →

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The company wants to use the same Direct Connect connection to access multiple VPCs in the same AWS Region. Which solution should the company implement?

Question 39easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. The company needs to peer with another VPC that has a CIDR block of 10.0.0.0/16. What should the network engineer do to enable connectivity between the two VPCs?

Question 40mediummultiple choice
Open the full BGP breakdown →

A company is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and uses BGP for dynamic routing. The on-premises router supports BGP multipath. Which configuration ensures the highest availability for the Direct Connect connection?

Question 41hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and uses AWS Direct Connect with a private VIF to connect to on-premises. The on-premises network uses 10.0.0.0/8. The company wants to access an AWS service (e.g., S3) privately from the VPC without using public endpoints. Which solution avoids IP overlap and meets the requirement?

Question 42easymultiple choice
Review the full subnetting walkthrough →

A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, while the application and database tiers must be in private subnets. The company wants to minimize the number of load balancers. Which design should be used?

Question 43mediummulti select
Open the full BGP breakdown →

A company is designing a VPC with the following requirements: (1) Ability to connect to on-premises via AWS Direct Connect with BGP, (2) Ability to route traffic between multiple VPCs, (3) Centralized inspection of traffic between VPCs. Which AWS services should the company use? (Choose TWO.)

Question 44hardmulti select
Review the full routing breakdown →

A company is designing a global network with multiple VPCs connected via AWS Transit Gateway. The company wants to route traffic between VPCs through a centralized inspection VPC that hosts firewalls. Which configurations are required? (Choose THREE.)

Question 45mediummulti select
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets and uses an AWS Direct Connect private VIF for connectivity to on-premises. The company wants to ensure that traffic from the VPC to on-premises uses the Direct Connect connection, while internet traffic uses an internet gateway. Which configurations must be applied? (Choose TWO.)

Question 46hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a VPN connection between an on-premises network (172.16.0.0/16) and an AWS VPC (10.0.0.0/16). The VPN status is 'available' but traffic is not passing. The engineer runs the command shown in the exhibit. What is the most likely cause of the issue?

Network Topology
$ aws ec2 describe-vpn-connectionsvpn-connection-ids vpn-12345678Refer to the exhibit.```"VpnConnections": ["VpnConnectionId": "vpn-12345678","State": "available","CustomerGatewayConfiguration": "...","Type": "ipsec.1","CustomerGatewayId": "cgw-12345678","VpnGatewayId": "vgw-12345678","Options": {"TunnelOptions": ["OutsideIpAddress": "203.0.113.1","TunnelInsideCidr": "169.254.10.0/30"},"OutsideIpAddress": "203.0.113.2","TunnelInsideCidr": "169.254.10.4/30""Routes": ["DestinationCidrBlock": "172.16.0.0/16","Source": "static","State": "available"
Question 47easymultiple choice
Read the full VPN explanation →

A network engineer is creating an IAM policy for a DevOps team. The team needs to manage VPN connections. What is the effect of this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpnConnection",
        "ec2:DeleteVpnConnection",
        "ec2:DescribeVpnConnections",
        "ec2:CreateCustomerGateway",
        "ec2:DeleteCustomerGateway",
        "ec2:CreateVpnGateway",
        "ec2:AttachVpnGateway",
        "ec2:DetachVpnGateway"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 48mediummultiple choice
Read the full Network Design explanation →

A network engineer is troubleshooting a Direct Connect private VIF. The VIF is in 'available' state but traffic is not flowing to the VPC. The VGW is attached to the VPC. What is the most likely cause?

Network Topology
$ aws directconnect describe-virtual-interfacesvirtual-interface-id dxvif-12345678Refer to the exhibit.```"virtualInterfaces": ["ownerAccount": "123456789012","virtualInterfaceId": "dxvif-12345678","location": "EqDC1","connectionId": "dxcon-12345678","virtualInterfaceType": "private","virtualInterfaceName": "MyPrivateVIF","vlan": 100,"asn": 64512,"authKey": "abc123","amazonAddress": "169.254.10.1/30","customerAddress": "169.254.10.2/30","addressFamily": "ipv4","virtualInterfaceState": "available","customerRouterConfig": "...","virtualGatewayId": "vgw-12345678","directConnectGatewayId": null,"routeFilterPrefixes": [{"cidr": "10.0.0.0/16"}
Question 49easymultiple choice
Read the full Network Design explanation →

A company wants to connect its on-premises data center to AWS using a dedicated, private network connection. Which AWS service should be used to establish a 1 Gbps dedicated connection?

Question 50mediummultiple choice
Read the full Network Design explanation →

A company has multiple VPCs across different AWS Regions and wants to enable communication between them using AWS's global network backbone. Which solution meets these requirements with minimal operational overhead?

Question 51hardmultiple choice
Read the full Network Design explanation →

A company designs a multi-account AWS environment using AWS Organizations. The networking team wants a centralized inspection VPC for traffic between VPCs and on-premises. Which architecture ensures that all inter-VPC traffic passes through the inspection VPC?

Question 52easymultiple choice
Review the full subnetting walkthrough →

A company needs to provide internet access to instances in a private subnet while preventing inbound connections from the internet. Which AWS service should be used?

Question 53mediummultiple choice
Study the full IPv6 explanation →

A company has a VPC with both IPv4 and IPv6 CIDR blocks. The application team wants to allow internet traffic to an IPv6-enabled web server. Which resource must be configured?

Question 54hardmultiple choice
Read the full Network Design explanation →

A company is designing a hybrid network with AWS Direct Connect. They have multiple VPCs in the same Region and want to use a single Direct Connect connection to access all VPCs. Which AWS resource should be used?

Question 55easymultiple choice
Read the full DNS explanation →

A company needs to resolve DNS names within a VPC using a custom domain. Which AWS service should be used?

Question 56mediummultiple choice
Read the full Network Design explanation →

A company wants to monitor network traffic between two VPCs that are peered. Which AWS feature can capture IP traffic information for analysis?

Question 57hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. The security team requires that all outbound traffic from the VPC to the internet goes through a centralized firewall. Which design should be used?

Question 58mediummulti select
Read the full Network Design explanation →

Which TWO options are valid methods to connect multiple VPCs together in a hub-and-spoke topology? (Select TWO.)

Question 59hardmulti select
Read the full Network Design explanation →

Which THREE are benefits of using AWS Transit Gateway over VPC peering in a multi-VPC environment? (Select THREE.)

Question 60easymulti select
Read the full Network Design explanation →

Which TWO AWS services can be used to provide inbound internet connectivity to resources in a VPC? (Select TWO.)

Question 61mediummultiple choice
Review the full subnetting walkthrough →

A network engineer configured VPC Flow Logs for a subnet to capture all traffic. After reviewing the logs in CloudWatch Logs, they notice that some logs show 'NODATA' for the log-status field. What does 'NODATA' indicate?

Network Topology
$ aws ec2 describe-flow-logsregion us-east-1Refer to the exhibit.```"FlowLogs": ["Id": "fl-12345678","FlowLogStatus": "ACTIVE","ResourceId": "subnet-12345678","TrafficType": "ALL","LogDestinationType": "cloud-watch-logs","LogDestination": "arn:aws:logs:us-east-1:123456789012:log-group:my-flow-logs",
Question 62hardmultiple choice
Review the full routing breakdown →

An IAM policy is attached to a user who needs to manage VPC peering connections. The policy allows creating and accepting peering connections, but the user reports they cannot add routes to the route table of their VPC (vpc-11111111) for the peered connection. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateRoute",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": ["arn:aws:ec2:us-east-1:111111111111:vpc/vpc-11111111"]
        }
      }
    }
  ]
}
```
Question 63mediummultiple choice
Study the full ACL explanation →

A network administrator is troubleshooting connectivity to a web server in subnet with network ACL 'acl-12345678'. The web server is on port 443. The administrator finds that traffic from IP 10.0.1.5 is being denied. Why is the traffic being denied?

Network Topology
$ aws ec2 describe-network-aclsregion us-west-2Refer to the exhibit.```"NetworkAcls": ["NetworkAclId": "acl-12345678","VpcId": "vpc-12345678","Entries": ["RuleNumber": 100,"Protocol": "6","RuleAction": "allow","Egress": false,"CidrBlock": "0.0.0.0/0","PortRange": {"From": 443,"To": 443},"RuleNumber": 200,"Protocol": "-1","RuleAction": "deny","CidrBlock": "10.0.0.0/8","PortRange": {}
Question 64mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in us-east-1 and a Network Load Balancer (NLB) in eu-west-1. They need to route traffic from the ALB to the NLB using a fixed IP address. Which AWS service should be used to provide a static IP for the NLB and enable cross-region load balancing?

Question 65hardmultiple choice
Review the full routing breakdown →

A company is deploying a critical application across three AWS Regions using an active-active architecture with Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) as the endpoint. The application health checks are configured to check the /health endpoint every 10 seconds. During a regional failure, some users experience timeouts while others are redirected correctly. What is the most likely cause?

Question 66easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has an internet gateway attached to the VPC and a NAT gateway in a public subnet. Which route table configuration is required for the private subnets to access the internet?

Question 67mediummultiple choice
Read the full Network Design explanation →

A company is designing a hybrid network with an AWS Direct Connect connection. They have two virtual interfaces (VIFs): a private VIF to a VPC and a public VIF to access AWS public services. They want to ensure that traffic to Amazon S3 in the same region uses the Direct Connect connection and not the internet. Which configuration should be applied?

Question 68hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to peer with another VPC with CIDR 10.0.0.0/16. They plan to use a transit gateway to connect the VPCs. What is the correct approach to handle the overlapping CIDR ranges?

Question 69easymultiple choice
Read the full NAT/PAT explanation →

A company wants to provide internet access to instances in a private subnet using a NAT gateway. The NAT gateway is deployed in a public subnet with an Elastic IP. The private subnet route table has a default route pointing to the NAT gateway. However, instances in the private subnet cannot access the internet. What is the most likely cause?

Question 70mediummultiple choice
Read the full VPN explanation →

A company uses AWS Direct Connect to connect its on-premises network to a VPC. They have a private VIF attached to a virtual private gateway. They want to use AWS Site-to-Site VPN as a backup connection. Which configuration ensures automatic failover?

Question 71hardmultiple choice
Review the full subnetting walkthrough →

A company is designing a network for a multi-account architecture using AWS Resource Access Manager (RAM) to share VPC subnets across accounts. They want to ensure that instances in shared subnets can communicate with instances in the owner's VPC using private IP addresses. What is required?

Question 72easymultiple choice
Read the full Network Design explanation →

A company has an application that requires fixed IP addresses for whitelisting by third-party partners. The application is hosted on an Application Load Balancer (ALB) in a VPC. Which solution provides static IP addresses for the ALB?

Question 73mediummulti select
Review the full subnetting walkthrough →

A company is designing a VPC with a CIDR of 10.0.0.0/16. They need to create subnets for a three-tier application (web, application, database) across two Availability Zones. They also need a /20 subnet for a future expansion. Which TWO subnet CIDR allocations are valid and efficient?

Question 74hardmulti select
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. Both connections will terminate at the same Direct Connect gateway. Which TWO steps are required to enable BGP multipath (ECMP) across the two connections?

Question 75easymulti select
Read the full Network Design explanation →

A company wants to enable communication between two VPCs (VPC A and VPC B) in the same AWS account and region. They want to use private IP addresses and avoid using the internet. Which THREE options can achieve this?

Question 76mediummultiple choice
Read the full Network Design explanation →

A company is designing a multi-Region Active-Active architecture using Application Load Balancers (ALBs) behind AWS Global Accelerator. The application requires sticky sessions (session affinity) and must maintain session persistence even during failover. Which configuration should be used to achieve this?

Question 77hardmultiple choice
Read the full Network Design explanation →

A company is migrating a legacy on-premises application to AWS. The application uses a large number of short-lived TCP connections and requires low latency. The network team is considering using either a Network Load Balancer (NLB) or a Gateway Load Balancer (GWLB). Which of the following is a key advantage of using NLB over GWLB for this use case?

Question 78easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets need outbound internet access for software updates. Which design will meet this requirement most securely?

Question 79hardmulti select
Open the full BGP breakdown →

A company is connecting its on-premises data center to AWS using AWS Direct Connect. The company has two Direct Connect connections and wants to ensure high availability. The on-premises network uses BGP to advertise routes to AWS. Which combination of steps should be taken to achieve the most resilient design? (Choose TWO.)

Question 80mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets across two Availability Zones. They are designing a highly available web application using an Application Load Balancer (ALB) and EC2 instances in an Auto Scaling group. Which of the following is the most resilient and cost-effective design for the network layer?

Question 81mediummultiple choice
Read the full Network Design explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs in different regions is encrypted. Which solution should be used?

Question 82hardmultiple choice
Review the full routing breakdown →

A company is designing a network for a real-time gaming application that requires the lowest possible latency across AWS Regions. The application uses UDP traffic. Which AWS service should be used to optimize traffic routing?

Question 83easymultiple choice
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add IPv6 connectivity to the VPC and allow resources in a private subnet to access the internet via IPv6. Which design should be used?

Question 84hardmultiple choice
Open the full BGP breakdown →

A company is designing a hybrid network using AWS Direct Connect and AWS Site-to-Site VPN as backup. They want to ensure that traffic from on-premises to AWS uses Direct Connect when available and fails over to VPN automatically. Which BGP configuration should be used?

Question 85easymultiple choice
Read the full Network Design explanation →

A company has multiple VPCs that need to communicate with each other and with an on-premises network. They want to minimize operational overhead and avoid peering mesh complexity. Which AWS service should be used?

Question 86hardmultiple choice
Review the full routing breakdown →

A company is designing a network for a multi-account AWS environment using AWS Organizations. They need to establish a central inspection VPC for traffic inspection using a Gateway Load Balancer (GWLB). Traffic from all other VPCs should be routed through the inspection VPC before reaching the internet or on-premises. Which architecture should be used?

Question 87mediummultiple choice
Read the full NAT/PAT explanation →

A company wants to monitor network traffic in their VPC for troubleshooting and security analysis. They need to capture IP traffic information, including source/destination IPs, ports, and protocol, but not the packet payload. Which AWS service should be used?

Question 88easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. The private subnet instances need to access an S3 bucket. Which configuration provides the most secure and efficient access without traversing the internet?

Question 89mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-Region Active-Active architecture with an Application Load Balancer (ALB) in us-east-1 and us-west-2. They want to route users to the nearest healthy endpoint using a custom domain name. Which AWS service should they use to accomplish this with the lowest latency and minimal operational overhead?

Question 90hardmultiple choice
Read the full VPN explanation →

A company is deploying a VPC with a public and private subnet in each of three Availability Zones. They need to provide internet access to instances in the private subnets while ensuring that all outbound traffic is logged and that traffic to a particular on-premises CIDR (10.0.0.0/8) is routed via an AWS Direct Connect Virtual Private Gateway. The company has a VPN connection as a backup. Which design should they use?

Question 91easymultiple choice
Read the full VPN explanation →

A company is designing a hybrid network where an Amazon VPC is connected to an on-premises data center via AWS Direct Connect and a VPN backup. They have a VPC with CIDR 10.0.0.0/16 and on-premises CIDR 192.168.0.0/16. They want to ensure that all traffic between the VPC and on-premises uses the Direct Connect connection when it is available, and automatically fails over to the VPN if Direct Connect fails. What should they do?

Question 92mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets in three Availability Zones. They have EC2 instances in private subnets that need to download patches from the internet. The company requires that all outbound traffic to the internet is logged and inspected. Which solution meets these requirements with the highest availability?

Question 93hardmultiple choice
Read the full Network Design explanation →

A company is designing a global application that will use Amazon CloudFront to serve content from an Application Load Balancer (ALB) in us-east-1. They want to restrict access to the ALB so that it only accepts traffic from CloudFront. Additionally, they want to ensure that if someone bypasses CloudFront and directly accesses the ALB, the request is denied. Which solution should they implement?

Question 94easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 10.0.0.0/8. They plan to use AWS Direct Connect with a private virtual interface. What should they do to resolve the overlapping CIDR conflict?

Question 95mediummultiple choice
Read the full NAT/PAT explanation →

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. The application requires that user sessions are maintained (sticky sessions) and that the ALB can offload SSL/TLS termination. Which configuration should they use?

Question 96hardmultiple choice
Review the full subnetting walkthrough →

A company is deploying a multi-tier application in a VPC. The web tier is in public subnets, and the application tier is in private subnets. The application tier needs to communicate with an on-premises database via an AWS Direct Connect connection. The company wants to minimize latency and maximize throughput. Which design should they use?

Question 97easymultiple choice
Review the full routing breakdown →

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via AWS Direct Connect. They need to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the routing?

Question 98mediummulti select
Read the full Network Design explanation →

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) in a VPC. They need to ensure that the application can handle a sudden increase in traffic and that the ALB can scale automatically. Which TWO actions should they take? (Choose two.)

Question 99hardmulti select
Review the full subnetting walkthrough →

A company is designing a hybrid network using AWS Direct Connect. They have a VPC with CIDR 10.0.0.0/16 and an on-premises network with CIDR 192.168.0.0/16. They want to establish a Direct Connect private virtual interface with a virtual private gateway. Which THREE steps are required to complete the connectivity? (Choose three.)

Question 100mediummulti select
Read the full Network Design explanation →

A company is designing a network for a critical application that requires low-latency communication between EC2 instances in the same AWS Region. They want to maximize network throughput and minimize latency. Which TWO design choices should they make? (Choose two.)

Question 101mediummultiple choice
Read the full Network Design explanation →

A company is designing a multi-region application with Amazon RDS for MySQL as the primary database. The application requires read-after-write consistency across regions. Which design should the company choose to meet this requirement?

Question 102hardmultiple choice
Read the full NAT/PAT explanation →

A company is running a latency-sensitive application in a VPC with a public subnet and a private subnet. The application in the private subnet needs to access an Amazon S3 bucket in the same region. The company wants to minimize latency and avoid using a NAT gateway. Which solution meets these requirements?

Question 103easymultiple choice
Read the full Network Design explanation →

A solutions architect needs to design a highly available web application that uses an Application Load Balancer (ALB) and spans multiple Availability Zones (AZs) in a single region. The application must be able to handle a sudden increase in traffic without manual intervention. Which feature should the architect enable on the ALB to meet this requirement?

Question 104hardmultiple choice
Read the full NAT/PAT explanation →

A financial services company must meet PCI DSS compliance requirements. The company's VPC contains a web server in a public subnet and an application server in a private subnet. The application server must communicate with a third-party payment gateway over the internet, but the security team prohibits using an Elastic IP address or a NAT gateway due to auditing concerns. Which solution satisfies these requirements?

Question 105mediummultiple choice
Review the full subnetting walkthrough →

A company is migrating a legacy application to AWS. The application requires a fixed IP address for outbound traffic to a partner's firewall. The application will run on Amazon EC2 instances in a private subnet. Which design meets the requirement without exposing the instances to inbound internet traffic?

Question 106easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to an on-premises network using AWS Direct Connect. The on-premises CIDR is 10.1.0.0/16. To enable communication between the VPC and on-premises, which component must be configured?

Question 107hardmultiple choice
Read the full Network Design explanation →

A company runs a critical application on Amazon EC2 instances in an Auto Scaling group behind a Network Load Balancer (NLB). The application requires that all packets from a given client session are sent to the same target instance for the duration of the session. Which feature should be enabled on the NLB to meet this requirement?

Question 108mediummultiple choice
Read the full VPN explanation →

A company is designing a hybrid network architecture that connects multiple VPCs in different AWS regions to an on-premises data center. The company wants to minimize the number of VPN tunnels and reduce management overhead. Which AWS service should be used to simplify this design?

Question 109easymultiple choice
Review the full routing breakdown →

A company has an Amazon Route 53 private hosted zone associated with a VPC. The company wants to resolve custom domain names for resources within that VPC. Which configuration is required for EC2 instances in the VPC to resolve these private hosted zone records?

Question 110hardmulti select
Review the full subnetting walkthrough →

A company is designing a network architecture for a multi-tier web application. The application includes a public-facing Application Load Balancer (ALB) in a public subnet, web servers in private subnets, and an Amazon RDS database in a private subnet. The company requires that the database is not directly accessible from the application servers except through specific ports, and that traffic between the web servers and the database is encrypted. Which TWO actions should the company take to meet these requirements? (Choose two.)

Question 111mediummulti select
Read the full Network Design explanation →

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The application requires outbound internet access to download updates, but the company does not want to assign public IP addresses to the tasks. Which TWO actions should the company take to provide internet access to the tasks? (Choose two.)

Question 112hardmulti select
Read the full Network Design explanation →

A company wants to connect its on-premises data center to AWS using AWS Direct Connect and wants to use the same connection to access multiple VPCs in the same AWS region. The company also needs to maintain private IP connectivity between the VPCs. Which THREE components should the company use to meet these requirements? (Choose three.)

Question 113mediummultiple choice
Read the full Network Design explanation →

A network engineer is troubleshooting an issue where an AWS Lambda function cannot create an Elastic Network Interface (ENI) in a VPC. The function has the IAM policy shown in the exhibit. Which statement explains why the function is failing?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVpc",
      "Resource": "*"
    }
  ]
}
```
Question 114hardmultiple choice
Read the full DNS explanation →

A company has created a VPC Interface Endpoint for Amazon ECR (Docker registry API) as shown in the exhibit. However, an EC2 instance in the same VPC is unable to authenticate with the ECR registry using the private DNS name. What is the most likely cause?

Network Topology
$ aws ec2 describe-vpc-endpointsvpc-endpoint-ids vpce-12345678Refer to the exhibit.```"VpcEndpoints": ["VpcEndpointId": "vpce-12345678","VpcEndpointType": "Interface","ServiceName": "com.amazonaws.us-east-1.ecr.dkr","State": "available","SubnetIds": ["subnet-aaa", "subnet-bbb"],"NetworkInterfaceIds": ["eni-1111", "eni-2222"],"PrivateDnsEnabled": false
Question 115mediummultiple choice
Study the full AAA explanation →

A network engineer is troubleshooting connectivity between a VPC (10.0.0.0/16) and a peered VPC (10.1.0.0/16). The route table shown is associated with subnet-aaa. An EC2 instance in subnet-aaa cannot reach an instance in the peered VPC. What is the issue?

Network Topology
$ aws ec2 describe-route-tablesroute-table-ids rtb-12345Refer to the exhibit.```"RouteTables": ["RouteTableId": "rtb-12345","VpcId": "vpc-1111","Routes": ["DestinationCidrBlock": "10.0.0.0/16","GatewayId": "local"},"DestinationCidrBlock": "0.0.0.0/0","NatGatewayId": "nat-12345""DestinationCidrBlock": "10.1.0.0/16","VpcPeeringConnectionId": "pcx-12345"],"Associations": ["SubnetId": "subnet-aaa","RouteTableAssociationId": "rtbassoc-1111"
Question 116mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region architecture for disaster recovery. They need to use Route 53 to route traffic to the nearest healthy endpoint. Which routing policy should they use?

Question 117hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in three Availability Zones. They have an Application Load Balancer (ALB) in the public subnets and a fleet of EC2 instances in the private subnets. The ALB needs to send traffic to the instances on port 443. What is the most secure way to configure the security groups?

Question 118easymultiple choice
Read the full Network Design explanation →

A company wants to connect an on-premises data center to AWS using a dedicated private connection that does not traverse the internet. Which AWS service should they use?

Question 119mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. They want to create a subnet that can host at least 2000 EC2 instances. Which subnet size should they choose?

Question 120hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). They launch an EC2 instance in subnet A and another in subnet B. The security groups for both instances allow all traffic from the other instance's private IP. However, the instances cannot communicate. What is the most likely cause?

Question 121easymultiple choice
Read the full Network Design explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is inspected by a network virtual appliance. Which architecture should they use?

Question 122mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 172.16.0.0/16. They have a subnet 172.16.1.0/24 for web servers and another subnet 172.16.2.0/24 for database servers. The web servers need to access the database servers on port 3306. Which configuration is required?

Question 123hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. They have a NAT Gateway in the public subnet. Instances in the private subnet need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, instances cannot reach the internet. What is a possible cause?

Question 124easymultiple choice
Read the full DNS explanation →

A company needs to resolve DNS names for their EC2 instances using custom domain names like "app.example.com". Which AWS service should they use?

Question 125mediummulti select
Read the full NAT/PAT explanation →

A company is designing a VPC with multiple subnets. They want to ensure that EC2 instances in a private subnet can access S3 buckets without going through a NAT Gateway or Internet Gateway. Which TWO methods can accomplish this?

Question 126hardmulti select
Read the full VPN explanation →

A company is setting up a Site-to-Site VPN connection between their on-premises network and AWS. Which THREE components are required for a VPN connection?

Question 127mediummulti select
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to another VPC with CIDR 10.0.0.0/16 via VPC Peering. They encounter an error because of overlapping CIDRs. Which TWO actions can resolve this issue?

Question 128hardmultiple choice
Review the full subnetting walkthrough →

The EC2 instance has a private IP 10.0.1.5. The first two hops are 10.0.1.1 (the subnet's default gateway) and 10.0.0.1. Based on the traceroute, what is the most likely configuration of the VPC?

Exhibit

Refer to the exhibit.

CLI output from an EC2 instance:
[ec2-user@ip-10-0-1-5 ~]$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.0.1.1 (10.0.1.1)  1.123 ms  1.089 ms  1.045 ms
 2  10.0.0.1 (10.0.0.1)  1.234 ms  1.198 ms  1.167 ms
 3  * * *
 4  * * *
...
Question 129mediummultiple choice
Read the full Network Design explanation →

A network engineer needs to create a set of IAM permissions for a DevOps team to monitor network resources. The policy above is proposed. What critical missing permission is required to allow the team to list and describe VPCs?

Exhibit

Refer to the exhibit.

IAM Policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:network-interface/*"
    }
  ]
}
Question 130mediummultiple choice
Review the full subnetting walkthrough →

A network engineer deploys this CloudFormation template. After deployment, an EC2 instance launched in PublicSubnet1 cannot reach the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation template snippet:
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: "10.0.0.0/16"
  PublicSubnet1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.0.1.0/24"
      MapPublicIpOnLaunch: true
  PublicSubnet2:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: "10.0.2.0/24"
      MapPublicIpOnLaunch: true
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: "0.0.0.0/0"
      GatewayId: !Ref InternetGateway
  PublicSubnet1RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet1
      RouteTableId: !Ref PublicRouteTable
  PublicSubnet2RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet2
      RouteTableId: !Ref PublicRouteTable
Question 131mediummultiple choice
Read the full VPN explanation →

A company is designing a hybrid network with AWS Direct Connect and AWS Site-to-Site VPN as backup. The primary Direct Connect connection uses a private VIF to a VPC. If the Direct Connect fails, traffic should automatically fail over to the VPN connection. What is the MOST reliable way to achieve this failover?

Question 132hardmultiple choice
Review the full subnetting walkthrough →

A financial services company must meet PCI DSS compliance for its VPC design. It requires that all traffic between application tiers be encrypted in transit and that no traffic can bypass the encryption. The architecture includes a public-facing Application Load Balancer (ALB), a web tier in public subnets, an app tier in private subnets, and a database tier in isolated subnets. Which design meets these requirements?

Question 133easymultiple choice
Review the full routing breakdown →

A company is deploying a multi-region Active-Active application using Amazon Route 53 latency-based routing. The application runs on EC2 instances behind Network Load Balancers (NLBs) in two AWS regions. The health checks are configured for the NLBs. What should the company do to ensure that traffic is sent only to healthy endpoints?

Question 134mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. It needs to connect to an on-premises data center over AWS Direct Connect. The on-premises network uses the 10.0.0.0/8 address space. The company cannot change the on-premises addressing. Which solution will allow connectivity without overlapping IP addresses?

Question 135hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The public subnet has a NAT gateway for outbound internet access from private subnets. The private subnets have EC2 instances that need to access an S3 bucket in the same region. The company wants to minimize data transfer costs and avoid traversing the internet. What is the MOST cost-effective solution?

Question 136easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. The private subnet contains Amazon RDS instances that should only be accessed by EC2 instances in the same VPC. The EC2 instances are in a security group named 'App-SG'. Which configuration will meet the requirement?

Question 137mediummultiple choice
Open the full BGP breakdown →

A company is designing a Direct Connect solution with two connections to provide high availability. The company has two customer routers, each connected to a separate AWS Direct Connect location. The company uses BGP to advertise the same prefixes from both routers. What is the correct way to configure the BGP attributes to ensure that traffic uses both connections actively?

Question 138hardmultiple choice
Read the full NAT/PAT explanation →

A company is using AWS CloudFormation to deploy a VPC with public and private subnets across multiple Availability Zones. The template includes a NAT gateway in each public subnet. The company wants to ensure that the private subnet route tables automatically update when the NAT gateway ID changes. Which feature should be used?

Question 139easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. It needs to add an additional non-overlapping CIDR for new workloads. Which CIDR should be used?

Question 140mediummulti select
Read the full Network Design explanation →

A company is designing a network for a three-tier web application that must be highly available across multiple Availability Zones. The application uses an Application Load Balancer (ALB) for the web tier, EC2 instances for the application tier, and an Amazon RDS Multi-AZ database for the database tier. Which TWO design choices improve availability and fault tolerance?

Question 141hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. The private subnet hosts Amazon RDS instances. The security team wants to ensure that the RDS instances are not accessible from the internet. Which TWO actions should be taken?

Question 142easymulti select
Read the full Network Design explanation →

A company is planning to connect its on-premises data center to AWS using AWS Direct Connect. The company requires high availability and wants to ensure that if one Direct Connect connection fails, traffic automatically fails over to another. Which THREE design elements should be included?

Question 143mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in three Availability Zones. They want to provide outbound internet access to instances in private subnets while preventing inbound traffic from the internet. Which solution meets these requirements with the least operational overhead?

Question 144hardmultiple choice
Review the full routing breakdown →

A global company is designing a multi-region architecture with an Active-Passive setup. They want to use Amazon Route 53 to route traffic to the active region and fail over to the passive region during an outage. They need to ensure that the failover is automatic based on health checks. Which routing policy should they use?

Question 145mediummultiple choice
Review the full routing breakdown →

A company is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company wants to ensure high availability and avoid a single point of failure. The on-premises router connects to two separate AWS Direct Connect locations. Which configuration should be used to meet these requirements?

Question 146easymultiple choice
Read the full Network Design explanation →

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is internet-facing and receives traffic from clients. The company wants to improve security by adding an additional layer of protection against common web exploits like SQL injection and cross-site scripting. Which AWS service should they use?

Question 147hardmultiple choice
Read the full VPN explanation →

A company has a VPC with CIDR 10.0.0.0/16. They have an on-premises network with CIDR 172.16.0.0/12 connected via AWS Site-to-Site VPN. The company also has a second VPC (VPC B) with CIDR 10.1.0.0/16 peered with the first VPC. They notice that instances in VPC B cannot reach the on-premises network. What is the most likely cause?

Question 148mediummultiple choice
Read the full Network Design explanation →

A company is designing a network for a three-tier web application in AWS. The web tier must be accessible from the internet, but the application and database tiers must be private. The company wants to use a single AWS Region and ensure high availability across multiple Availability Zones. What is the MOST cost-effective network design that meets these requirements?

Question 149easymultiple choice
Read the full Network Design explanation →

A company is migrating an on-premises application to AWS. The application requires low-latency, high-throughput connectivity between the on-premises data center and the AWS VPC. The company wants a dedicated, private connection that bypasses the internet. Which AWS service should they use?

Question 150hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They have an Amazon RDS for MySQL database in a private subnet. The application team needs to access the database for maintenance from a bastion host in a public subnet. The security group for the database allows inbound traffic from the security group of the bastion host on port 3306. However, the application team cannot connect. What is the most likely cause?

Question 151easymultiple choice
Read the full DNS explanation →

A company wants to use Amazon Route 53 to resolve DNS queries for a domain they own. They want to ensure that DNS queries are answered quickly and that there is no single point of failure. Which configuration should they use?

Question 152mediummulti select
Review the full subnetting walkthrough →

A company is designing a VPC architecture with a public subnet and a private subnet. They want to allow instances in the private subnet to download software updates from the internet. Which TWO options satisfy this requirement? (Choose TWO.)

Question 153hardmulti select
Study the full ACL explanation →

A company has a VPC with CIDR 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). An EC2 instance in subnet A needs to communicate with an RDS database in subnet B. Both subnets have network ACLs that allow all inbound and outbound traffic. However, the instance cannot connect to the database. Which TWO configuration changes could solve this issue? (Choose TWO.)

Question 154mediummulti select
Read the full Network Design explanation →

A company is designing a network for a multi-account AWS environment using AWS Organizations. They need to centralize network management and enable VPC connectivity across accounts. Which THREE services should they consider? (Choose THREE.)

Question 155mediummultiple choice
Read the full NAT/PAT explanation →

A company is designing a hybrid network architecture that requires high availability and low latency between its on-premises data center and AWS. The company currently has two Direct Connect connections from different providers terminating at two different AWS Direct Connect locations. Which solution provides the most resilient and high-performance connectivity?

Question 156easymultiple choice
Read the full NAT/PAT explanation →

A company is planning to connect multiple VPCs in different AWS accounts using AWS Transit Gateway. The VPCs must be able to communicate with each other, but the company wants to centralize egress traffic to the internet through a single VPC that has a NAT gateway. Which configuration meets these requirements?

Question 157hardmultiple choice
Read the full Network Design explanation →

A company has a multi-VPC architecture with VPCs in the same region. They need to ensure that traffic between VPCs never traverses the public internet and is encrypted in transit. Which solution meets these requirements with the lowest operational overhead?

Question 158mediummultiple choice
Read the full Network Design explanation →

A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which VPC design meets these requirements with the highest security?

Question 159easymultiple choice
Review the full subnetting walkthrough →

A company needs to provide internet access to instances in a private subnet. The instances must not be directly accessible from the internet. Which AWS service should be used?

Question 160hardmultiple choice
Read the full NAT/PAT explanation →

A company is deploying a global application with users in North America and Europe. The application runs on EC2 instances in us-east-1 and eu-west-1. To reduce latency, the company wants to route users to the nearest region and provide automatic failover. Which combination of AWS services should be used?

Question 161mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They want to capture and analyze network traffic between EC2 instances in the same VPC for troubleshooting. Which AWS service should be used?

Question 162hardmultiple choice
Read the full Network Design explanation →

A company is designing a network for a real-time gaming application that requires extremely low latency between players. The application will be deployed on EC2 instances in multiple AWS regions. Which AWS service provides the best latency performance by using the AWS global network and anycast IPs?

Question 163easymultiple choice
Read the full Network Design explanation →

A company needs to connect its on-premises data center to a VPC in AWS using a dedicated, private, and high-bandwidth connection. Which AWS service should be used?

Question 164mediummulti select
Review the full routing breakdown →

A company is designing a multi-region active-active application. They need to ensure that traffic is routed to the closest healthy region and that failover happens automatically. Which TWO services should be used together to achieve this?

Question 165hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. They want to implement a bastion host to allow secure SSH access to instances in private subnets. Which TWO components are required for this design?

Question 166mediummulti select
Read the full Network Design explanation →

A company is designing a network for a critical application that requires maximum availability. The application will be deployed across multiple Availability Zones in a single region. Which THREE design choices improve network availability?

Question 167mediummultiple choice
Open the full BGP breakdown →

A company is designing a hybrid network architecture that connects an on-premises data center to AWS via AWS Direct Connect. The on-premises network uses BGP to advertise routes to AWS. The company wants to ensure that the on-premises network can reach all VPCs in the AWS account using a single Direct Connect virtual interface. Which solution should the architect use?

Question 168hardmultiple choice
Read the full Network Design explanation →

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. The application must have the lowest possible latency for global users. Which design meets these requirements?

Question 169easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets need internet access for updates, but must not be directly reachable from the internet. Which AWS service should be used?

Question 170mediummultiple choice
Read the full NAT/PAT explanation →

A company is designing a network for a three-tier web application. The web tier must be able to scale out and in automatically based on CPU utilization. The database tier must be highly available and use Multi-AZ deployment. Which combination of AWS services should the architect use?

Question 171hardmultiple choice
Read the full Network Design explanation →

A company is deploying a critical application across multiple AWS accounts. The network team wants to simplify IP address management and ensure that VPCs in different accounts can communicate securely. The company has a centralized network account with a transit gateway. Which architecture should the company use?

Question 172easymultiple choice
Read the full NAT/PAT explanation →

A company wants to provide secure access to an S3 bucket from a VPC without using an internet gateway or NAT device. Which AWS feature should be used?

Question 173mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. The company needs to add a secondary CIDR block for additional subnets. Which CIDR block can be used?

Question 174hardmultiple choice
Review the full routing breakdown →

A company is designing a network for a real-time gaming application that requires low latency and high throughput between game servers in multiple regions. The application uses UDP traffic. Which AWS service should be used to route traffic between regions?

Question 175easymultiple choice
Open the full BGP breakdown →

A company has an on-premises data center connected to AWS via a Site-to-Site VPN. The VPN connection uses BGP for dynamic routing. The company wants to add an additional VPN tunnel for redundancy. What must be configured?

Question 176mediummulti select
Read the full Network Design explanation →

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS region? (Select TWO.)

Question 177hardmulti select
Read the full Network Design explanation →

Which THREE of the following are benefits of using AWS Global Accelerator over Amazon CloudFront for a global application that uses TCP traffic? (Select THREE.)

Question 178easymulti select
Read the full VPN explanation →

Which TWO of the following are required to establish an AWS Site-to-Site VPN connection? (Select TWO.)

Question 179mediummultiple choice
Read the full Network Design explanation →

A company is designing a multi-VPC architecture with VPC peering. They need to ensure that traffic between VPCs in different AWS Regions is encrypted. Which solution should they use?

Question 180hardmultiple choice
Review the full subnetting walkthrough →

A financial services company must meet PCI DSS compliance requirements. They have a VPC with public and private subnets. The web servers in the public subnets must only accept traffic from the internet on ports 80 and 443. The application servers in the private subnets must only accept traffic from the web servers. Which network design ensures least-privilege access?

Question 181easymultiple choice
Read the full Network Design explanation →

A company is designing a hybrid network using AWS Direct Connect. They want to extend their on-premises network to multiple VPCs in the same AWS Region. Which resource should they use to achieve this?

Question 182mediummultiple choice
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add IPv6 connectivity for their internet-facing applications. The VPC currently has an internet gateway attached. What is the MOST efficient way to enable IPv6?

Question 183hardmultiple choice
Read the full Network Design explanation →

A company is designing a network for a critical application that requires low latency between EC2 instances. The instances are in the same AWS Region but different Availability Zones. Which configuration will provide the lowest latency?

Question 184easymultiple choice
Read the full Network Design explanation →

A company needs to monitor network traffic to and from EC2 instances for security analysis. Which AWS service should they use?

Question 185mediummultiple choice
Read the full Network Design explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises data centers. They want to centralize internet traffic through a single VPC that has an internet gateway. Which Transit Gateway feature should they enable?

Question 186hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 172.16.0.0/20. They need to create subnets for three tiers: web, application, and database. The web tier must be public and support at least 1000 hosts. The application and database tiers must be private. Which subnet design meets the requirements?

Question 187easymultiple choice
Read the full Network Design explanation →

A company wants to allow their employees to securely access resources in a VPC from their home offices. Which AWS service should they use?

Question 188mediummulti select
Read the full Network Design explanation →

Which TWO of the following are valid methods to connect a VPC to an on-premises network? (Choose 2.)

Question 189mediummulti select
Read the full Network Design explanation →

Which THREE AWS services can be used to improve the availability of a web application across multiple AWS Regions? (Choose 3.)

Question 190hardmulti select
Review the full subnetting walkthrough →

Which TWO actions can be taken to reduce the attack surface of a VPC's public subnets? (Choose 2.)

Question 191mediummultiple choice
Read the full Network Design explanation →

Refer to the exhibit. A network engineer is analyzing VPC Flow Logs for an EC2 instance with IP 10.0.1.5. Based on the logs, which statement is true?

Exhibit

Refer to the exhibit.

VPC Flow Logs record:
2 123456789010 eni-1235abcde 10.0.1.5 10.0.1.8 443 34567 6 10 5000 1620140761 1620140821 ACCEPT OK
2 123456789010 eni-1235abcde 10.0.1.8 10.0.1.5 34567 443 6 12 7000 1620140821 1620140881 ACCEPT OK
2 123456789010 eni-1235abcde 10.0.1.5 203.0.113.5 443 34568 6 8 4000 1620140761 1620140821 ACCEPT OK
2 123456789010 eni-1235abcde 203.0.113.5 10.0.1.5 34568 443 6 10 5000 1620140821 1620140881 ACCEPT OK
Question 192hardmultiple choice
Review the full subnetting walkthrough →

Refer to the exhibit. A developer created this CloudFormation template to create a public subnet. However, instances in the subnet cannot access the internet. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  MySubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: us-east-1a
  MyIGW:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref MyIGW
  MyRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  MyRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref MyRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref MyIGW
  MySubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref MySubnet
      RouteTableId: !Ref MyRouteTable
Question 193mediummultiple choice
Read the full Network Design explanation →

Refer to the exhibit. A network architect is reviewing an IAM policy for a junior engineer. What is the security concern with this policy?

Exhibit

Refer to the exhibit.

IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:DeleteVpc",
        "ec2:DeleteSubnet"
      ],
      "Resource": "*"
    }
  ]
}
Question 194mediummultiple choice
Read the full Network Design explanation →

A company wants to connect multiple VPCs across different AWS Regions using AWS Transit Gateway. Which feature allows the VPCs to communicate with each other using private IP addresses without creating peering connections?

Question 195hardmultiple choice
Read the full Network Design explanation →

A network engineer is designing a hybrid network with multiple AWS accounts. The company wants to simplify management by using a single AWS Direct Connect connection shared among accounts. Which service should be used to achieve this?

Question 196easymultiple choice
Study the full IPv6 explanation →

A company is designing a VPC with both IPv4 and IPv6 CIDR blocks. The VPC must support internet-facing applications accessible via IPv6. Which resource must be configured as IPv6-enabled to allow internet traffic?

Question 197mediummultiple choice
Review the full subnetting walkthrough →

A company is deploying a web application in a VPC with public and private subnets. The web servers in public subnets must be protected from direct internet access, but they need to receive traffic from an Application Load Balancer (ALB). Which architecture should be used?

Question 198hardmultiple choice
Read the full Network Design explanation →

A company has multiple VPCs connected via AWS Transit Gateway. One VPC contains a shared services endpoint (e.g., Amazon S3) using a VPC Gateway Endpoint. How can other VPCs access this endpoint?

Question 199easymultiple choice
Read the full Network Design explanation →

A company needs to connect its on-premises data center to AWS using a dedicated, low-latency connection. Which AWS service should be used?

Question 200mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region active-active architecture with an Application Load Balancer in each region. Which service can route traffic to the closest ALB based on latency?

Question 201hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. The security team requires that all outbound traffic from the VPC to the internet must traverse a centralized inspection appliance for traffic inspection. Which architecture should be used?

Question 202easymultiple choice
Read the full VPN explanation →

A company wants to provide its employees with secure access to internal applications running on AWS without using a VPN. Which AWS service can be used?

Question 203mediummulti select
Review the full subnetting walkthrough →

A company is designing a VPC with a public subnet and a private subnet. The private subnet instances need to access the internet for software updates. Which TWO options allow outbound internet access while preventing inbound connections? (Choose two.)

Question 204hardmulti select
Read the full Network Design explanation →

A company has multiple VPCs connected via a Transit Gateway. They want to implement network segmentation so that only specific VPCs can communicate with each other. Which TWO methods can achieve this? (Choose two.)

Question 205easymulti select
Read the full Network Design explanation →

A company is designing a high-availability architecture for an application that will be deployed across multiple Availability Zones. Which THREE components are recommended for this design? (Choose three.)

Question 206mediummultiple choice
Review the full routing breakdown →

Refer to the exhibit. A route table shows routes for a VPC. What is the correct interpretation of this route table?

Network Topology
aws ec2 describe-route-tablesroute-table-ids rtb-12345678Refer to the exhibit.```"RouteTables": ["RouteTableId": "rtb-12345678","Routes": ["DestinationCidrBlock": "10.0.0.0/16","GatewayId": "local","Origin": "CreateRouteTable","State": "active"},"DestinationCidrBlock": "0.0.0.0/0","GatewayId": "igw-12345678","Origin": "CreateRoute","DestinationCidrBlock": "192.168.0.0/16","GatewayId": "pcx-12345678",
Question 207hardmultiple choice
Read the full Network Design explanation →

Refer to the exhibit. A bucket policy allows access to an S3 bucket. What is the intended effect?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
Question 208mediummultiple choice
Read the full VPN explanation →

Refer to the exhibit. A VPN connection has two tunnels. Which statement is correct about this VPN configuration?

Network Topology
aws ec2 describe-vpn-connectionsvpn-connection-ids vpn-12345678Refer to the exhibit.```"VpnConnections": ["VpnConnectionId": "vpn-12345678","State": "available","CustomerGatewayConfiguration": "...","VpnGatewayId": "vgw-12345678","Category": "IPsec.1","Options": {"TunnelOptions": ["OutsideIpAddress": "203.0.113.1","TunnelInsideCidr": "169.254.10.0/30"},"OutsideIpAddress": "203.0.113.2","TunnelInsideCidr": "169.254.10.4/30""Routes": ["DestinationCidrBlock": "10.0.0.0/8","Source": "static","State": "available"
Question 209mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region architecture using AWS Global Accelerator and Application Load Balancers (ALBs) in two AWS Regions. They want to route traffic to the closest healthy endpoint and minimize latency. Which configuration best meets these requirements?

Question 210hardmultiple choice
Review the full subnetting walkthrough →

A network engineer is designing a VPC with public and private subnets. The private subnets must have outbound internet access for software updates but must not be directly reachable from the internet. The company wants to minimize cost and operational overhead. Which solution meets these requirements?

Question 211easymultiple choice
Read the full Network Design explanation →

A company is designing a hybrid network connecting an on-premises data center to AWS via AWS Direct Connect. The company requires high availability and wants to avoid a single point of failure. Which design meets these requirements?

Question 212mediummultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC with subnets in multiple Availability Zones (AZs) for a web application. The application must be fault-tolerant and highly available. Which design should the network engineer implement?

Question 213hardmultiple choice
Read the full Network Design explanation →

A company is migrating a legacy application to AWS. The application requires a fixed IP address that must not change. The application will be deployed on Amazon EC2 instances behind an Application Load Balancer. Which solution meets the requirement for a static IP address?

Question 214easymultiple choice
Read the full Network Design explanation →

A company wants to securely connect two VPCs in the same region. The VPCs must be able to communicate using private IP addresses, and connectivity should be highly available. Which solution meets these requirements?

Question 215mediummultiple choice
Read the full Network Design explanation →

An e-commerce company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. During a flash sale, the application experiences high latency. The network team notices that the ALB is receiving more traffic than expected. What is the most likely cause?

Question 216hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to add a new CIDR block 10.1.0.0/16 to accommodate more subnets. The VPC already has multiple subnets and route tables. What is the impact of adding this secondary CIDR?

Question 217easymultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC for a three-tier application (web, application, database). The database tier should not be accessible from the internet, but the web tier must be accessible. Which subnet design should the network engineer use?

Question 218hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with CIDR 10.0.0.0/16 and two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). The company wants to add a new subnet for a third tier. Which of the following are valid subnet CIDRs that can be added? (Select TWO.)

Question 219mediummulti select
Read the full Network Design explanation →

A company is designing a Direct Connect solution for high availability. Which of the following are best practices? (Select THREE.)

Question 220hardmulti select
Study the full IPv6 explanation →

A company is designing a VPC with IPv6. Which components are required to enable IPv6 communication between instances in the VPC and the internet? (Select TWO.)

Question 221hardmultiple choice
Read the full NAT/PAT explanation →

A company runs a critical application on EC2 instances in a VPC with a single private subnet (10.0.1.0/24) in us-east-1a. The instances need to download security updates from the internet. The company currently uses a NAT Gateway in a public subnet (10.0.0.0/24) in us-east-1a. Recently, an Availability Zone failure caused us-east-1a to become unavailable, and the application could not reach the internet. The company wants to redesign the network to be highly available across multiple AZs for internet access. The application must continue to use private IP addresses for outbound traffic. The company has a limited budget and wants to minimize costs while meeting high availability. Which solution should the company implement?

Question 222mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with CIDR 172.16.0.0/16. They have two subnets: 172.16.1.0/24 (public) and 172.16.2.0/24 (private) in us-west-2a. They have an EC2 instance in the private subnet that needs to access an S3 bucket for log uploads. The company wants to avoid using a NAT Gateway to reduce costs. The S3 bucket is in the same region. Which solution should the network engineer implement?

Question 223easymultiple choice
Review the full routing breakdown →

A company is designing a multi-Region application using Amazon Route 53 latency-based routing. The application must be highly available and failover automatically if an AWS Region becomes unavailable. What should the company do to meet these requirements?

Question 224mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to access the internet for software updates. The company must ensure that traffic from the private instances uses a single, predictable public IP address. What is the MOST cost-effective solution?

Question 225hardmultiple choice
Read the full VPN explanation →

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company has a single hosted virtual interface (VIF) with a private VIF to a VPC. The network team notices that traffic from on-premises to AWS is asymmetric—some packets go through the Direct Connect while others use a VPN backup. The team wants all traffic to use Direct Connect when available. What should they do?

Question 226easymultiple choice
Read the full NAT/PAT explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What is the MOST likely cause?

Question 227mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT Gateway in the public subnet. The download is failing. Which configuration should the network engineer check FIRST?

Question 228hardmultiple choice
Read the full NAT/PAT explanation →

A company is designing a network for a critical application that requires high availability across three Availability Zones in a single AWS Region. The application uses Network Load Balancers (NLBs) and Application Load Balancers (ALBs). The company must ensure that cross-zone load balancing is enabled for the NLBs and that the ALBs have a fixed response timeout. Which combination of settings meets these requirements?

Question 229easymultiple choice
Read the full VPN explanation →

A company is using AWS Client VPN to allow remote employees to access resources in a VPC. The VPN is configured with a server certificate and mutual authentication. Some users report that they cannot connect to the VPN. What should the administrator check FIRST?

Question 230mediummulti select
Read the full VPN explanation →

A company is designing a hybrid network using AWS Direct Connect and VPN backup. The company wants to ensure that traffic always uses Direct Connect when it is available. Which TWO configurations should be implemented? (Choose TWO.)

Question 231hardmulti select
Read the full Network Design explanation →

A company has a multi-account AWS environment using AWS Organizations. The network team wants to centralize VPC traffic inspection using a Transit Gateway and a firewall appliance in a central account. Which THREE steps are required to implement this design? (Choose THREE.)

Question 232easymulti select
Review the full subnetting walkthrough →

A company is designing a VPC with public and private subnets. The company needs to provide internet access to instances in the private subnets. Which TWO components are required? (Choose TWO.)

Question 233hardmultiple choice
Study the full ACL explanation →

A company runs a multi-tier web application in a VPC with public and private subnets across two Availability Zones. The web tier uses an Application Load Balancer (ALB) in the public subnets, and the application tier uses EC2 instances in private subnets. The database tier uses an RDS MySQL Multi-AZ instance in private subnets. The company has implemented a network ACL (NACL) on the private subnets to allow only traffic from the ALB security group. Recently, the application tier instances are unable to connect to the RDS database. The security group for RDS allows inbound traffic on port 3306 from the application tier security group. The network team has verified that the application tier instances can reach the internet through a NAT Gateway. What is the MOST likely cause of the connectivity issue?

Question 234mediummultiple choice
Review the full subnetting walkthrough →

A company is deploying a new application in a VPC that uses a single Availability Zone. The application consists of an Application Load Balancer (ALB) in a public subnet and EC2 instances in a private subnet. The EC2 instances need to send logs to an Amazon S3 bucket. The company has created a VPC gateway endpoint for S3 and associated it with the route table for the private subnet. The EC2 instances have an instance profile that grants access to the S3 bucket. However, the log delivery fails. The network team has verified that the route table for the private subnet includes a route to the S3 prefix list via the gateway endpoint. What is the MOST likely cause of the failure?

Question 235easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an Amazon DynamoDB table. The company wants to avoid sending traffic over the internet. A VPC gateway endpoint for DynamoDB is created and attached to the route table of the private subnet. The EC2 instance has an IAM role that grants access to DynamoDB. However, the application running on the instance cannot connect to DynamoDB. The network team confirms that the route table has a route to the DynamoDB prefix list. What is the MOST likely cause?

Question 236mediummultiple choice
Open the full VLAN trunking answer →

A company is designing a hybrid network architecture that requires a dedicated, private, and consistent connection between its on-premises data center and AWS. The connection must support multiple VLANs and provide a service-level agreement (SLA) of 99.99% availability. Which AWS service should be used to meet these requirements?

Question 237hardmultiple choice
Read the full Network Design explanation →

An administrator needs to create an interface VPC endpoint for Amazon S3 in a VPC and attach an elastic network interface (ENI) to an EC2 instance. The administrator applies the IAM policy shown in the exhibit. Which action will be DENIED by this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcEndpoint",
        "ec2:DescribeVpcEndpoints",
        "ec2:ModifyVpcEndpoint"
      ],
      "Resource": "*"
    }
  ]
}
```
Question 238easymultiple choice
Read the full Network Design explanation →

A company wants to ensure that traffic between two VPCs in the same region is encrypted and does not traverse the public internet. Which solution meets these requirements?

Question 239mediummultiple choice
Review the full routing breakdown →

An organization has multiple VPCs connected to a common Transit Gateway. The network team wants to centrally manage and enforce routing policies, such as allowing or denying traffic between specific VPCs based on tags. Which AWS feature should be used to implement this requirement?

Question 240hardmultiple choice
Read the full Network Design explanation →

A network engineer is troubleshooting connectivity to a VPC endpoint service. The engineer runs the CLI command shown in the exhibit. The output shows two service names. Which statement is correct based on this output?

Network Topology
$ aws ec2 describe-vpc-endpoint-servicesfilter Name=service-typeRefer to the exhibit.```"ServiceNames": ["com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0","com.amazonaws.vpce.us-east-1.vpce-svc-0fedcba9876543210"
Question 241easymultiple choice
Read the full Network Design explanation →

A company is designing a disaster recovery solution that requires replicating data from an on-premises database to an Amazon RDS instance in a different AWS region. The data transfer must be encrypted in transit and should not traverse the public internet. Which approach meets these requirements?

Question 242mediummultiple choice
Review the full routing breakdown →

A company has multiple VPCs in the same AWS region that need to communicate with each other. The network team wants to minimize the number of connections and simplify management. The solution must support transitive routing between all VPCs. Which AWS service should be used?

Question 243hardmultiple choice
Read the full Network Design explanation →

An enterprise is migrating a critical application to AWS. The application requires low latency (under 5 ms) between two EC2 instances that are in different VPCs in the same region. The company also needs to ensure that traffic is encrypted in transit and that the connection is highly available. Which design should be used?

Question 244easymultiple choice
Read the full Network Design explanation →

A company wants to provide its employees with secure access to internal applications hosted in a VPC. The employees work remotely and use personal laptops. The solution must authenticate users against the company's existing identity provider (IdP) and must support both Windows and macOS clients. Which AWS service should be used?

Question 245mediummulti select
Read the full Network Design explanation →

A company is designing a network architecture for a multi-tier web application. The application consists of web servers, application servers, and database servers. The web servers must be accessible from the internet. The application servers should only be accessible from the web servers. The database servers should only be accessible from the application servers. Which TWO actions should the company take to meet these requirements? (Choose two.)

Question 246hardmulti select
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The public subnet contains a NAT gateway and a bastion host. The private subnet contains application servers. The company wants to ensure that the application servers can download patches from the internet. Which TWO steps should be taken to allow this while maintaining security? (Choose two.)

Question 247mediummulti select
Read the full Network Design explanation →

A company is designing a hybrid network using AWS Direct Connect. The company wants to use the same Direct Connect connection to access both VPC resources and public AWS services (such as S3 and DynamoDB) from its on-premises network. Which THREE components are required to meet this goal? (Choose three.)

Question 248hardmultiple choice
Review the full subnetting walkthrough →

A company has deployed a multi-tier application across three VPCs (VPC-A, VPC-B, VPC-C) in the us-east-1 region. Each VPC has its own CIDR block (10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16 respectively). All VPCs are attached to an AWS Transit Gateway. The web tier is in VPC-A, the application tier is in VPC-B, and the database tier is in VPC-C. The application servers in VPC-B need to connect to the database servers in VPC-C on TCP port 3306. The database servers are in a private subnet with a security group (sg-db) that allows inbound traffic from the application server security group (sg-app). The application servers have a security group (sg-app) that allows outbound traffic to the database servers. However, the application servers cannot connect to the database servers. The route tables in VPC-B and VPC-C have routes pointing to the Transit Gateway for the other VPC CIDRs. The Transit Gateway has attachments in all three VPCs and has a default route table with propagation enabled. What is the MOST likely cause of the connectivity failure?

Question 249mediummultiple choice
Review the full routing breakdown →

A company is setting up a new AWS environment for a project. The network architect decides to use a hub-and-spoke model with a central inspection VPC for east-west traffic inspection. The inspection VPC (VPC-Hub) contains a firewall appliance that inspects traffic between spoke VPCs. All VPCs are attached to an AWS Transit Gateway. The architect creates a route table in the Transit Gateway for the inspection VPC and another route table for the spoke VPCs. The inspection VPC route table has a default route (0.0.0.0/0) pointing to the firewall appliance. The spoke VPCs have route tables that point to the inspection VPC for traffic to other spoke VPCs. The firewall appliance is configured to forward traffic after inspection. However, traffic between spoke VPCs is not being routed through the inspection VPC. Which configuration change should the architect make to ensure traffic between spoke VPCs is inspected?

Question 250easymultiple choice
Study the full ACL explanation →

A company has an existing VPC with a public subnet and a private subnet. The company launches an EC2 instance in the private subnet. The instance needs to access an S3 bucket to download software updates. The company does not want the instance to have a public IP address. The company creates a VPC endpoint for S3 (Gateway type) in the VPC, and associates it with the private subnet route table by adding a route for the S3 prefix list. However, the instance still cannot access the S3 bucket. The security group for the instance allows all outbound traffic. The network ACL for the private subnet allows all inbound and outbound traffic. What is the MOST likely reason for the connectivity failure?

Question 251mediummultiple choice
Read the full MPLS explanation →

A company is designing a hybrid network with AWS Direct Connect and a VPN backup. They have two on-premises sites connected via MPLS. They want to ensure that if the Direct Connect fails, traffic automatically fails over to the VPN without manual intervention. Which routing configuration should they use?

Question 252hardmulti select
Read the full NAT/PAT explanation →

A company is designing a network architecture for a multi-account AWS environment using AWS Transit Gateway. They need to meet the following requirements: (1) Centralized inspection of traffic between VPCs using a firewall appliance. (2) Isolated development environments that cannot communicate with each other but can access the internet via a centralized NAT gateway. (3) Compliance with PCI DSS for production workloads, requiring encryption in transit between VPCs. Which TWO actions should they take?

Question 253mediummulti select
Read the full Network Design explanation →

A company is deploying a web application across multiple Availability Zones in a single AWS Region. The application consists of an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group, and an Amazon RDS Multi-AZ database. The company needs to ensure that the application can survive the loss of an entire Availability Zone. Which THREE actions should they take? (Select THREE.)

Question 254hardmulti select
Read the full Network Design explanation →

A company is designing a network for a real-time data analytics platform that ingests data from thousands of IoT devices. The devices send data via UDP to a UDP-based collector service running on EC2 instances. The collector service must be highly available and scalable. The data is then processed by a stream processing application. The company wants to minimize latency and jitter. Which TWO architectural choices should they make?

Question 255hardmultiple choice
Read the full Network Design explanation →

Refer to the exhibit. An AWS administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile is associated with an IAM role that has the above trust policy. The S3 bucket policy allows s3:GetObject only for the role's ARN. What is the most likely cause of the access failure?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Question 256hardmultiple choice
Open the full BGP breakdown →

A large financial services company is migrating its on-premises data center to AWS. The network design must meet strict low-latency requirements for trading applications that communicate with external exchanges. The company has two AWS Direct Connect connections from two different providers to two different AWS Direct Connect locations in the same region. They have a VPC with multiple subnets across three Availability Zones. The trading applications are deployed on EC2 instances in private subnets and need to communicate with external exchanges over the Direct Connect connections. The company also requires high availability and automatic failover if one Direct Connect connection fails. The network team has configured two virtual interfaces (VIFs) for private connectivity to the VPC, one on each Direct Connect connection, and has set up BGP sessions. However, during a failover test, traffic does not fail over as expected. The team notices that the VPC route tables have static routes pointing to the virtual private gateway (VGW) with the same prefix, but no BGP routes are propagated. What is the most likely cause of the failover issue, and what should be done to resolve it?

Question 257hardmultiple choice
Read the full DNS explanation →

A company is designing a global application that will serve users across North America and Europe. The application consists of a static website hosted on Amazon S3, a REST API hosted on Amazon API Gateway, and a backend application running on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to minimize latency for users by serving content from the closest AWS region. They also want to ensure high availability and automatic failover if a region becomes unavailable. The company is considering using Amazon Route 53 with a latency-based routing policy. However, they are concerned about DNS caching and propagation delays during failover. Which additional service should they use to improve the failover experience and provide a single endpoint for users?

Question 258mediummultiple choice
Review the full subnetting walkthrough →

A company is deploying a multi-tier web application in a VPC. The architecture includes an internet-facing Application Load Balancer (ALB) in public subnets, a fleet of EC2 instances in private subnets, and an Amazon RDS database in a separate private subnet. The security team requires that the web application logs be stored in an Amazon S3 bucket for compliance. The EC2 instances have an instance profile that grants write access to the S3 bucket. The EC2 instances are in a private subnet that does not have a route to the internet. The company wants to ensure that the EC2 instances can upload logs to the S3 bucket without traversing the internet. Which solution should they implement?

Question 259mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). The public subnet has an internet gateway attached, and the private subnet has a NAT Gateway in the public subnet for outbound internet access. The company is deploying an Amazon RDS for MySQL database in a Multi-AZ configuration. The database should be accessible only from the application servers running in the private subnet. The company wants to ensure that the database is highly available and that failover does not require any changes to the application. Which networking configuration should they use?

Question 260mediummultiple choice
Read the full NAT/PAT explanation →

A company is designing a network for a containerized microservices application running on Amazon ECS. The application consists of several microservices that need to communicate with each other. The company wants to use service discovery so that services can find each other by name. They also want to ensure that traffic between services is encrypted in transit. The microservices are deployed across multiple Availability Zones. Which combination of services should the company use?

Question 261hardmultiple choice
Open the full BGP breakdown →

A company is expanding its on-premises network to AWS using Direct Connect and VPN backup. They have two Direct Connect connections from different providers to two different Direct Connect locations in the same region. They have configured a private virtual interface (VIF) on each connection to a virtual private gateway (VGW) attached to a VPC. They have also configured a VPN connection as a backup. The company uses BGP to advertise the on-premises prefixes to AWS. They want to ensure that traffic is load-balanced across both Direct Connect connections under normal conditions and that the VPN is used only if both Direct Connect connections fail. They also want to minimize the cost of data transfer. Which BGP configuration should they use?

Question 262easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 172.16.0.0/16. They have a public subnet (172.16.1.0/24) and a private subnet (172.16.2.0/24). They have an internet gateway attached to the public subnet. They launch an EC2 instance in the public subnet with a public IP address. The instance is running a web server on port 80. They also launch an EC2 instance in the private subnet that needs to download updates from the internet. The private subnet does not have a route to the internet. The company wants to provide internet access to the private instance in a secure and cost-effective manner. Which solution should they implement?

Question 263easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. They have a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They have an internet gateway attached to the public subnet. They deploy a web server on an EC2 instance in the public subnet and a database on an EC2 instance in the private subnet. The database should only be accessible from the web server. The company wants to secure the database by not assigning a public IP address to it. Which configuration will allow the web server to connect to the database?

Question 264easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 192.168.0.0/16. They have two subnets: Subnet A (192.168.1.0/24) and Subnet B (192.168.2.0/24). They launch an EC2 instance in Subnet A and another EC2 instance in Subnet B. They want to ensure that both instances can communicate with each other. The instances are in the same VPC. What is the simplest way to enable communication between these instances?

Question 265hardmultiple choice
Read the full Network Design explanation →

A company is designing a network for a real-time trading application that requires extremely low latency (sub-millisecond) between two EC2 instances located in the same AWS region. The instances are in different Availability Zones. The trading application uses a proprietary protocol over TCP. The company wants to minimize latency as much as possible. They are considering using a placement group. Which type of placement group should they use, and what network optimization should they apply?

Question 266mediummulti select
Review the full routing breakdown →

A company wants to design a multi-region active-active architecture with Amazon Route 53 latency-based routing and failover using health checks. Which TWO configurations are necessary? (Choose two.)

Question 267hardmulti select
Read the full VPN explanation →

A network engineer is designing a hybrid network with AWS Direct Connect and VPN backup. The goal is to maximize availability and ensure automatic failover. Which THREE steps should be taken? (Choose three.)

Question 268mediummultiple choice
Read the full NAT/PAT explanation →

A media company is designing a network for a new AWS environment. They have a VPC with public and private subnets in three Availability Zones. In the private subnets, they run a fleet of Amazon EC2 instances that process video files from an Amazon S3 bucket. The S3 bucket is in the same region. The company wants to ensure that all traffic to S3 stays within the AWS network and does not traverse the internet. They also need to allow the EC2 instances to access the internet for software updates, but only through a centralized NAT gateway. Currently, there is one NAT gateway in AZ1. The network engineer has created a VPC endpoint for S3 (Gateway type) and associated it with the route tables for the private subnets. However, the EC2 instances in AZ2 and AZ3 cannot reach the NAT gateway for internet access. What is the most likely cause?

Question 269hardmultiple choice
Review the full routing breakdown →

A financial services company has a multi-account AWS environment using AWS Organizations. They have a central security account with AWS Network Firewall and a central inspection VPC. All other VPCs are connected to the inspection VPC via AWS Transit Gateway. The company wants to enforce that all traffic between VPCs (east-west) and traffic to the internet (north-south) passes through the Network Firewall. They have configured the Transit Gateway route tables appropriately. However, they notice that traffic from an application VPC to another application VPC is not being inspected. The network engineer has verified that the application VPCs have a default route to the Transit Gateway, and the Transit Gateway route table has a route for the inspection VPC. What is the most likely reason that east-west traffic is bypassing the Network Firewall?

Question 270easymultiple choice
Review the full subnetting walkthrough →

A startup wants to design a cost-effective network for a new application. They expect low traffic initially but need to handle sudden spikes. They plan to use Amazon EC2 instances behind an Application Load Balancer (ALB) in a single VPC. The application must be highly available within the region. The network engineer has proposed using two public subnets in two Availability Zones for the ALB, and two private subnets for the EC2 instances. The EC2 instances need to access the internet for updates. What is the MOST cost-effective and highly available design?

Question 271mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They launch an Amazon RDS for MySQL DB instance in the private subnet. The DB instance needs to be accessed by an EC2 instance in the public subnet. The security group for the DB instance allows inbound traffic on port 3306 from the security group of the EC2 instance. However, the EC2 instance cannot connect to the DB instance. What is the most likely cause?

Question 272hardmultiple choice
Read the full Network Design explanation →

A large e-commerce company is designing a network for a new microservices architecture. They have hundreds of microservices running on Amazon ECS with Fargate launch type. The services need to communicate with each other and with external APIs. The company wants to minimize network latency and maximize security. They also need to ensure that traffic between services does not leave the VPC. The network engineer is considering using AWS PrivateLink to allow services to communicate via VPC endpoints. However, they are concerned about the cost of creating an endpoint for each service. Which design should the network engineer recommend?

Question 273mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 172.16.0.0/16. They have two subnets: 172.16.1.0/24 (public) and 172.16.2.0/24 (private). They launch an EC2 instance in the private subnet and an Application Load Balancer (ALB) in the public subnet. The ALB needs to forward traffic to the EC2 instance on port 80. The security group for the EC2 instance allows inbound traffic on port 80 from the security group of the ALB. The ALB health checks are failing. What is the most likely cause?

Question 274easymultiple choice
Read the full VPN explanation →

A company is designing a network for a new VPC. They want to ensure that the VPC can connect to an on-premises data center via a site-to-site VPN. The on-premises network uses a CIDR block of 10.0.0.0/8. The VPC will use a CIDR block of 10.0.0.0/16. The network engineer is concerned about overlapping IP addresses. What is the best way to avoid IP address overlap?

Question 275mediummultiple choice
Read the full Network Design explanation →

A company is designing a hybrid network connecting on-premises data centers to AWS via AWS Direct Connect. The company requires high availability with multiple connections. Which design ensures that a failure of a single Direct Connect location does not impact connectivity?

Question 276hardmultiple choice
Read the full Network Design explanation →

A company wants to connect multiple VPCs in different AWS accounts to on-premises networks using AWS Transit Gateway. Each VPC must be able to communicate with on-premises resources over AWS Direct Connect. What is the MINIMUM number of Transit Gateway attachments required if the company has 5 VPCs and 2 Direct Connect connections from different locations?

Question 277easymultiple choice
Read the full Network Design explanation →

A company is deploying an internet-facing application in AWS. The application must only accept traffic from specific IP addresses of business partners. Which AWS service should be used to enforce this restriction?

Question 278mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which configuration will allow this without exposing the instance to inbound internet traffic?

Question 279hardmultiple choice
Review the full subnetting walkthrough →

A company has multiple VPCs connected via a Transit Gateway. Each VPC has its own CIDR block. The company wants to isolate network traffic between specific VPCs. What is the most scalable way to achieve this?

Question 280easymultiple choice
Read the full Network Design explanation →

A company is deploying a multi-tier application in a VPC. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which architecture meets these requirements?

Question 281mediummultiple choice
Read the full Network Design explanation →

A company is designing a network for a critical application that requires low latency and high throughput between EC2 instances in the same AWS Region. Which network design should the company use?

Question 282hardmultiple choice
Read the full Network Design explanation →

A company has a Direct Connect connection with a private VIF attached to a Direct Connect Gateway. The company wants to connect to multiple VPCs in the same AWS Region. What is the MOST cost-effective and scalable design?

Question 283easymultiple choice
Review the full subnetting walkthrough →

A company wants to ensure that all traffic to and from its VPC is inspected by a security appliance. The appliance must be able to inspect traffic between subnets within the VPC. Which architecture should the company use?

Question 284mediummulti select
Read the full Network Design explanation →

A company is designing a network for a multi-account AWS environment using AWS Organizations. The company must centralize internet egress for all accounts. Which TWO solutions should the company use? (Choose two.)

Question 285hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. The company needs to add a new subnet for a container cluster that requires at least 2000 IP addresses. Which TWO subnet CIDR blocks meet this requirement? (Choose two.)

Question 286hardmulti select
Read the full Network Design explanation →

A company is designing a global network with multiple AWS Regions. The company needs to connect VPCs in different Regions with low latency and high throughput. Which THREE services should the company consider? (Choose three.)

Question 287mediummultiple choice
Read the full Network Design explanation →

A company has a multi-tier web application running on EC2 instances in a VPC. The web tier must be accessible from the internet, but the application tier should only be accessible from the web tier. Which network design configuration meets these requirements?

Question 288hardmultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC with a CIDR block of 10.0.0.0/16. The VPC will host multiple environments (dev, test, prod) and requires subnets in three Availability Zones. The network engineer must allocate subnets efficiently while reserving at least 25% of the address space for future growth. What is the minimum subnet size that should be used for each environment?

Question 289easymultiple choice
Study the full IPv6 explanation →

A solutions architect needs to design a VPC with both IPv4 and IPv6 support. The VPC will have public and private subnets. Resources in private subnets need outbound IPv6 access to the internet. Which combination of resources should be used?

Question 290hardmultiple choice
Review the full subnetting walkthrough →

Refer to the exhibit. An EC2 instance launched in subnet-1a is unable to access the internet. Which is the most likely cause?

Exhibit

Refer to the exhibit.

AWS CLI output:
{
    "Vpc": {
        "VpcId": "vpc-0123456789abcdef0",
        "CidrBlock": "10.0.0.0/16",
        "Ipv6CidrBlock": "2001:db8:1234:1a00::/56",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true
    },
    "Subnets": [
        {
            "SubnetId": "subnet-1a",
            "CidrBlock": "10.0.1.0/24",
            "AvailabilityZone": "us-east-1a",
            "MapPublicIpOnLaunch": false
        },
        {
            "SubnetId": "subnet-2a",
            "CidrBlock": "10.0.2.0/24",
            "AvailabilityZone": "us-east-1a",
            "MapPublicIpOnLaunch": true
        }
    ],
    "RouteTables": [
        {
            "RouteTableId": "rtb-main",
            "Associations": [{"SubnetId": "subnet-1a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "Target": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "Target": "igw-12345"}
            ]
        },
        {
            "RouteTableId": "rtb-custom",
            "Associations": [{"SubnetId": "subnet-2a"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "Target": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "Target": "igw-12345"}
            ]
        }
    ]
}
Question 291mediummultiple choice
Review the full subnetting walkthrough →

A financial services company requires that all traffic between two VPCs in the same region be encrypted in transit. The VPCs are in separate AWS accounts and use non-overlapping CIDR blocks. Which solution meets the requirement with the least operational overhead?

Question 292hardmultiple choice
Read the full VPN explanation →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 10.0.0.0/8. The company wants to use AWS Site-to-Site VPN. What configuration change is required to avoid routing conflicts?

Question 293easymultiple choice
Read the full NAT/PAT explanation →

An application running on EC2 instances in a private subnet needs to download patches from the internet. The VPC has an internet gateway and public subnets. Which resource should be used to provide outbound internet access to the instances?

Question 294mediummultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC with multiple subnets across three Availability Zones. The application requires that all traffic between subnets within the same AZ stay within that AZ to minimize latency and data transfer costs. Which configuration achieves this?

Question 295mediummultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. An EC2 instance in the PrivateSubnet is unable to download patches from the internet. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      MapPublicIpOnLaunch: false
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  PrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt ElasticIP.AllocationId
      SubnetId: !Ref PublicSubnet
  ElasticIP:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
Question 296hardmulti select
Study the full IPv6 explanation →

A company is designing a VPC with a CIDR block of 10.0.0.0/16. The VPC must support IPv6 and have subnets in three Availability Zones. The company plans to use an AWS Transit Gateway to connect multiple VPCs. Which TWO actions are required to enable IPv6 communication between VPCs through the Transit Gateway?

Question 297mediummulti select
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets must access an S3 bucket without traversing the internet. Which TWO methods can achieve this? (Choose TWO.)

Question 298easymulti select
Read the full Network Design explanation →

A company is designing a VPC for a web application that requires high availability. The application will be deployed across multiple Availability Zones. Which THREE components are essential for a highly available network design? (Choose THREE.)

Question 299hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and wants to connect to another VPC with CIDR 10.0.0.0/16 in a different account. The VPCs are in the same region. Which THREE steps are necessary to establish connectivity? (Choose THREE.)

Question 300easymulti select
Read the full Network Design explanation →

A company is designing a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which THREE design elements are required? (Choose THREE.)

Question 301hardmultiple choice
Read the full Network Design explanation →

Refer to the exhibit. A network engineer has this IAM policy attached to their user. They attempt to create a VPC peering connection between VPC A (in account 123456789012) and VPC B (in account 210987654321). The request fails. Which additional permission is required?

Exhibit

Refer to the exhibit.

IAM policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection"
      ],
      "Resource": "*"
    }
  ]
}
Question 302mediummultiple choice
Read the full Network Design explanation →

A company is designing a multi-region active-active application using Application Load Balancers (ALBs) behind AWS Global Accelerator. The application uses Aurora MySQL global database. Which design should be used to minimize cross-region latency for writes?

Question 303hardmultiple choice
Read the full Network Design explanation →

A network engineer is designing a hybrid network using AWS Transit Gateway with multiple VPCs and an on-premises data center connected via AWS Direct Connect. The VPCs need to communicate with each other and with on-premises, but must isolate development VPCs from production VPCs. What is the MOST scalable and cost-effective approach?

Question 304easymultiple choice
Read the full Network Design explanation →

A company wants to provide its employees with access to a set of internal web applications hosted in a VPC. The applications are accessed via an internet-facing ALB. Security requirements mandate that employees connect only from the corporate network (on-premises) and not from the public internet. Which solution meets these requirements?

Question 305mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in three Availability Zones. An internet-facing Network Load Balancer (NLB) is deployed in the public subnets, and a fleet of EC2 instances is in the private subnets. The application logs show intermittent connection timeouts. The security group for the EC2 instances allows traffic from the NLB's security group. What is the MOST likely cause?

Question 306hardmultiple choice
Review the full subnetting walkthrough →

A company uses AWS Direct Connect with a private VIF to connect its data center to a VPC. The VPC has multiple subnets. The on-premises network team reports that they can ping the VPC's private IP addresses but cannot connect to an EC2 instance's port 443. The EC2 instance's security group allows HTTPS from the on-premises CIDR. What should the engineer check NEXT?

Question 307easymultiple choice
Read the full Network Design explanation →

A company is building a serverless application using API Gateway, Lambda, and DynamoDB. The API must be accessible from the internet and be resilient to Regional failures. Which design provides the HIGHEST availability?

Question 308mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download updates from the internet. The company wants to minimize costs and avoid exposing the instance to inbound internet traffic. Which solution should the engineer choose?

Question 309hardmultiple choice
Read the full DNS explanation →

A company has a global application that uses Amazon Route 53 for DNS. The application is deployed in us-east-1 and eu-west-1. The company wants to route users to the Region with the lowest latency, but also provide failover if one Region becomes unhealthy. Which Route 53 routing policy should be used?

Question 310easymultiple choice
Read the full Network Design explanation →

A company is designing a network for a three-tier application that must be PCI DSS compliant. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. All tiers are in the same VPC. What is the MOST secure way to implement this?

Question 311mediummulti select
Read the full NAT/PAT explanation →

A company is designing a Direct Connect solution for high availability. Which TWO actions meet the requirement for diverse physical paths?

Question 312hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. It needs to connect to two other VPCs: VPC B (10.1.0.0/16) and VPC C (10.2.0.0/16). The company wants to use AWS Transit Gateway. Which THREE configurations are required to enable full mesh connectivity between all three VPCs?

Question 313easymulti select
Read the full Network Design explanation →

A company is designing a VPC architecture for a web application that must be highly available across multiple Availability Zones. Which TWO components should be deployed in at least two Availability Zones to meet this requirement?

Question 314hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. It creates a subnet 10.0.1.0/24 in us-east-1a and launches an EC2 instance with a private IP 10.0.1.10. The instance needs to send traffic to an on-premises server at 192.168.1.50 over a Direct Connect private VIF. The VPC has a virtual private gateway attached and a route table associated with the subnet. Which THREE entries must exist in the route table for the traffic to succeed?

Question 315mediummultiple choice
Study the full ACL explanation →

An engineer runs the command above for a subnet associated with this network ACL. The subnet's CIDR is 10.0.1.0/24. An EC2 instance in the subnet attempts to initiate an HTTPS connection to a server on the internet. What is the result?

Network Topology
$ aws ec2 describe-network-aclsfilters Name=vpc-idRefer to the exhibit.```"NetworkAcls": ["NetworkAclId": "acl-11111","VpcId": "vpc-abc123","Entries": ["RuleNumber": 100,"Protocol": "6","RuleAction": "allow","Egress": false,"CidrBlock": "10.0.1.0/24","PortRange": {"From": 443,"To": 443},"RuleNumber": 200,"RuleAction": "deny","CidrBlock": "0.0.0.0/0","RuleNumber": 300,"Egress": true,"From": 1024,"To": 65535
Question 316hardmultiple choice
Read the full Network Design explanation →

A Network Engineer is troubleshooting a cross-account VPC endpoint connection. The service provider account (123456789012) has the above IAM policy attached to the endpoint service. The consumer account (111111111111) has created a VPC endpoint (vpce-abc123) and is trying to accept the connection. The consumer receives an 'AccessDenied' error when calling ec2:AcceptVpcEndpointConnections. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVPCEConnection",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:AcceptVpcEndpointConnections",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc-endpoint/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:ec2:us-east-1:111111111111:vpc-endpoint/vpce-abc123"
        }
      }
    }
  ]
}
```
Question 317mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region active-active architecture with Amazon Route 53. The application is deployed behind Application Load Balancers (ALBs) in us-east-1 and eu-west-1. The company wants to minimize latency for users and provide automatic failover. Which routing policy should be used?

Question 318hardmultiple choice
Read the full Network Design explanation →

A financial services company must ensure that all traffic between its on-premises data center and VPC is encrypted in transit and does not traverse the public internet. The company has an AWS Direct Connect connection. Which solution meets these requirements?

Question 319easymultiple choice
Study the full multicast explanation →

A company is migrating its on-premises data center to AWS. The network team needs to extend the on-premises network to the cloud and support IP multicast traffic between environments. Which AWS service or feature should be used?

Question 320mediummulti select
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company does not want to assign public IP addresses to the instance. Which combination of resources is required? (Choose TWO.)

Question 321hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a CIDR block of 10.0.0.0/16. It has two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). Both subnets have a route to an Internet Gateway. An EC2 instance in subnet A has a security group that allows inbound HTTP from 0.0.0.0/0. The instance's network ACL allows inbound HTTP from 0.0.0.0/0. Users report they cannot access the web server. What is the most likely cause?

Question 322easymultiple choice
Read the full Network Design explanation →

A company wants to connect multiple VPCs across different AWS accounts to a common on-premises network using AWS Transit Gateway. Which resource should be used to allow cross-account VPC attachments?

Question 323hardmultiple choice
Review the full subnetting walkthrough →

A company has deployed an application in a VPC with public and private subnets. The application uses an Amazon RDS for MySQL database in a private subnet. To meet security requirements, the database must not be accessible from the internet. The application team needs to connect to the database for maintenance using SSH over a bastion host. Which architecture is the most secure?

Question 324mediummultiple choice
Read the full Network Design explanation →

A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which architecture meets these requirements?

Question 325easymultiple choice
Read the full Network Design explanation →

A company has an AWS Direct Connect connection and wants to use it to access Amazon S3 buckets without traversing the public internet. Which virtual interface type should be used?

Question 326hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. It has a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet. Which solution should be used?

Question 327easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). An EC2 instance in subnet A needs to communicate with an EC2 instance in subnet B. The instances are in the same VPC. What is the default behavior?

Question 328easymultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC with public and private subnets in two Availability Zones. The private subnets host databases that must be accessible only from the application servers in the public subnets. Which VPC feature should be used to allow the application servers to access the databases while preventing direct internet access to the databases?

Question 329mediummultiple choice
Read the full Network Design explanation →

A company is deploying a multi-tier web application across multiple AWS accounts. They want to centralize network security by using a shared services VPC with a Transit Gateway. All application VPCs will be attached to the Transit Gateway. The security team needs to inspect and filter traffic between application VPCs. Which solution should be used to meet this requirement?

Question 330hardmultiple choice
Read the full NAT/PAT explanation →

A company is designing a hybrid network with multiple AWS Direct Connect connections to multiple on-premises data centers. They want to maximize availability and use all available bandwidth. They have two Direct Connect connections terminated at two different Direct Connect locations. They plan to use a single Virtual Private Gateway (VGW) for each VPC. Which configuration should be used to meet these requirements?

Question 331easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add additional IP address space for new subnets. The existing subnets use 10.0.0.0/17 and 10.0.128.0/17. Which CIDR block should be added as a secondary CIDR to the VPC to provide the most additional contiguous address space?

Question 332mediummultiple choice
Read the full Network Design explanation →

A company has deployed a web application using an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. The application experiences intermittent high latency. The network team suspects that the ALB is being overwhelmed by traffic. Which metrics should be analyzed in Amazon CloudWatch to determine if the ALB is the bottleneck?

Question 333hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a CIDR of 10.0.0.0/16. They have set up a VPC peering connection with another VPC (CIDR 172.16.0.0/16). The route tables are configured correctly. However, instances in the first VPC cannot communicate with instances in the peered VPC. The security groups and network ACLs are configured to allow all traffic. What is the most likely cause?

Question 334easymultiple choice
Read the full DNS explanation →

A company is designing a multi-region application with active-active configuration. They need a global DNS service that can route users to the nearest healthy endpoint and automatically failover to another region if an endpoint becomes unhealthy. Which AWS service should be used?

Question 335mediummultiple choice
Open the full BGP breakdown →

A company is setting up a new AWS Direct Connect connection. They have provisioned a 1 Gbps dedicated connection. They need to create a private virtual interface (VIF) to connect to their VPC. The VIF has been created and is in the 'available' state, but the BGP session is not coming up. What is the most likely cause?

Question 336hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with multiple subnets. They want to ensure that all outbound traffic from EC2 instances in the VPC goes through a centralized NAT device for inspection. They have deployed a NAT instance in a public subnet and configured the route tables for private subnets to point to the NAT instance. However, traffic is not being routed through the NAT instance. What is the most likely cause?

Question 337mediummulti select
Review the full routing breakdown →

A company is designing a network architecture for a critical application that requires high availability across multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region. Which TWO services can provide global routing and failover between the two ALBs?

Question 338hardmulti select
Read the full DNS explanation →

A company has a VPC with a CIDR of 10.0.0.0/16. They have created a VPC peering connection with another VPC (CIDR 10.1.0.0/16). They want to enable DNS resolution between the VPCs. Which TWO actions must be taken?

Question 339easymulti select
Review the full subnetting walkthrough →

A company is deploying a VPC with public and private subnets. They need to provide internet access to instances in the private subnets for software updates. Which THREE components are required to achieve this?

Question 340mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region application with an Application Load Balancer (ALB) in us-east-1 and us-west-2. They want to route traffic to the nearest region using latency-based routing. Which AWS service should they use to achieve this?

Question 341hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. They want to provide outbound internet access to instances in private subnets while preventing inbound internet traffic. The solution must be highly available and scale automatically. Which combination of services should be used?

Question 342easymultiple choice
Study the full ACL explanation →

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). They have added routes in both route tables. However, instances in VPC A cannot ping instances in VPC B. The security groups and network ACLs allow ICMP. What is the most likely cause?

Question 343mediummultiple choice
Read the full Network Design explanation →

A company is deploying a critical application across multiple Availability Zones in a single AWS Region. They need a network design that provides the lowest possible latency between application tiers and supports automatic failover if an AZ becomes unavailable. Which design meets these requirements?

Question 344hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC. They want to extend connectivity to an on-premises data center that does not support BGP. What is the simplest way to achieve this?

Question 345easymultiple choice
Review the full subnetting walkthrough →

A company needs to allow a specific IP address range (203.0.113.0/24) to access an Amazon RDS database in a private subnet. The RDS instance is deployed in a VPC with no public access. Which configuration step is required?

Question 346mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They want to monitor all network traffic to and from an EC2 instance for troubleshooting. Which AWS service should they use?

Question 347hardmultiple choice
Read the full DNS explanation →

A company has a hub-and-spoke VPC architecture using AWS Transit Gateway. The hub VPC contains shared services (e.g., Active Directory). Spoke VPCs need to resolve DNS names from the hub VPC. The hub VPC has an Amazon Route 53 Resolver inbound endpoint. What is the correct configuration for the spoke VPCs to use this endpoint?

Question 348easymultiple choice
Read the full Network Design explanation →

A company needs to connect two VPCs in the same AWS account and region. They want to use private IP addresses and avoid any single point of failure. Which solution should they use?

Question 349mediummulti select
Review the full routing breakdown →

A company is designing a network for a high-traffic web application that must be highly available across multiple AWS Regions. The application uses Application Load Balancers (ALBs) in each region. Which TWO actions should be taken to route traffic to the nearest healthy endpoint?

Question 350hardmulti select
Read the full Network Design explanation →

A company has a Direct Connect connection with a private VIF to a VPC. They want to add redundant connectivity using a second Direct Connect connection from a different provider. They need to ensure that if the primary connection fails, traffic automatically fails over to the secondary. Which THREE components are required?

Question 351easymulti select
Read the full Network Design explanation →

A company has an AWS Transit Gateway with multiple VPC attachments. They need to inspect traffic between VPCs using a third-party firewall appliance. Which THREE steps are necessary?

Question 352mediummultiple choice
Read the full DNS explanation →

A company is designing a multi-Region application with an Application Load Balancer (ALB) in each Region fronting an Auto Scaling group of EC2 instances. The application must be accessible via a single DNS name, and traffic should be routed to the closest healthy Region using a latency-based routing policy. Which AWS service should be used as the DNS endpoint to achieve this?

Question 353hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to use a single NAT Gateway for all private subnets to reduce costs, but the NAT Gateway is in a single Availability Zone (AZ). The network architect is concerned about single points of failure. Which design best addresses high availability while still using the minimum number of NAT Gateways?

Question 354easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. It needs to connect to an on-premises data center via AWS Direct Connect. The on-premises network uses 10.0.0.0/8. Which action should the network engineer take to avoid IP address overlap?

Question 355mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. It has six subnets: three public (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24) and three private (10.0.4.0/24, 10.0.5.0/24, 10.0.6.0/24). The company wants to launch an RDS instance in a private subnet. Which subnet should the RDS instance be placed in to maximize high availability and follow best practices?

Question 356hardmultiple choice
Read the full Network Design explanation →

A company is deploying a web application across multiple AWS Regions using an Application Load Balancer (ALB) in each Region. The company wants to use AWS Global Accelerator to provide a static IP address and accelerate traffic. The application requires that client IP addresses be preserved in the backend logs. Which configuration should the network engineer use?

Question 357mediummultiple choice
Open the full BGP breakdown →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to two on-premises locations via AWS Direct Connect. Each Direct Connect connection uses a private VIF. The company wants to use BGP to exchange routes. The on-premises routers advertise the same prefix 10.0.0.0/8 for both connections. How should the network engineer configure the VPC route tables to ensure traffic is load balanced across both Direct Connect connections?

Question 358easymultiple choice
Read the full NAT/PAT explanation →

A company wants to design a highly available architecture for a web application that runs on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application must be able to handle sudden traffic spikes. Which load balancing solution provides the best combination of high availability, automatic scaling, and SSL offloading?

Question 359hardmultiple choice
Open the full BGP breakdown →

A company has a VPC with a CIDR of 10.0.0.0/16. It has two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). The company wants to use AWS Site-to-Site VPN to connect to an on-premises network with a CIDR of 192.168.0.0/16. The VPN connection uses a virtual private gateway (VGW) attached to the VPC. The on-premises network has a VPN appliance that supports BGP. The company also wants to use static routes for the VPN. Which configuration is required to enable communication between the VPC and on-premises network?

Question 360easymultiple choice
Read the full NAT/PAT explanation →

A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. All tiers must be in private subnets except the web tier. Which combination of AWS services and routing should be used to meet these requirements?

Question 361mediummulti select
Review the full subnetting walkthrough →

A company is designing a network for a VPC with a CIDR of 10.0.0.0/16. The VPC has three private subnets in three different Availability Zones. The company needs to provide internet access to instances in the private subnets for software updates. The architecture must be highly available and cost-effective. Which TWO actions should the network engineer take?

Question 362hardmulti select
Read the full NAT/PAT explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The company wants to centralize internet egress for all VPCs through a single VPC that has a NAT Gateway and an internet gateway. Which TWO configurations are required to achieve this?

Question 363mediummulti select
Read the full DNS explanation →

A company is designing a network architecture for a critical application that must be highly available across AWS Regions. The application uses an Application Load Balancer (ALB) in each Region, and the company wants to use a global DNS name that automatically routes traffic to the healthy Region with the lowest latency. The company also needs to be able to perform planned failover for maintenance. Which THREE components are required to meet these requirements?

Question 364mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-Region active-active application using Application Load Balancers (ALBs) in us-east-1 and eu-west-1, with Route 53 latency-based routing. Users report that after a failover, existing connections fail. What should the company implement to ensure seamless failover?

Question 365easymultiple choice
Read the full Network Design explanation →

A company wants to connect its on-premises data center to AWS using a dedicated, high-bandwidth, low-latency connection. The data center is collocated with an AWS Direct Connect location. Which AWS service should be used to establish this connection?

Question 366hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to access the internet for software updates but must not be accessible from the internet. Which combination of resources meets these requirements with the least operational overhead?

Question 367mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. It needs to create a secondary CIDR block for additional subnets that must not overlap with the existing CIDR. Which CIDR block should be used?

Question 368easymultiple choice
Read the full Network Design explanation →

A company needs to establish private connectivity between two VPCs in different AWS accounts. The VPCs are in the same Region. Which AWS feature should be used?

Question 369hardmultiple choice
Read the full Network Design explanation →

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The company wants to add a second VPC in the same AWS Region using the same Direct Connect connection. Which solution meets the requirements with the least operational effort?

Question 370mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16 and needs to connect to a partner's VPC with CIDR 10.0.0.0/16. The VPCs are in the same Region. What is the best solution?

Question 371easymultiple choice
Read the full Network Design explanation →

A company wants to improve the performance and availability of its application that is deployed on EC2 instances in a single Availability Zone. Which architecture should the company implement?

Question 372mediummultiple choice
Read the full NAT/PAT explanation →

A company has an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The ALB is configured with a target group that has a health check path of /health. Some instances are failing health checks and being marked unhealthy, but the application logs show the instances are healthy. What is the most likely cause?

Question 373hardmulti select
Read the full Network Design explanation →

Which TWO options are valid methods to connect a VPC to an on-premises network? (Choose two.)

Question 374mediummulti select
Read the full Network Design explanation →

Which TWO statements about AWS Transit Gateway are correct? (Choose two.)

Question 375hardmulti select
Read the full Network Design explanation →

Which THREE factors should be considered when designing a VPC for a multi-tier application that requires high availability and security? (Choose three.)

Question 376mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region active-active architecture for a web application using Application Load Balancers (ALBs) and AWS Global Accelerator. The application must provide low-latency access to users worldwide and automatically route traffic to healthy endpoints. Which design should be used?

Question 377hardmultiple choice
Read the full NAT/PAT explanation →

A company is migrating its on-premises data center to AWS. The network team needs to design a hybrid connectivity solution that provides high availability with a bandwidth of at least 10 Gbps and low latency for real-time data replication. The company has two redundant on-premises routers connected to two separate internet service providers (ISPs). Which combination of AWS services should the company use to meet these requirements?

Question 378easymultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates but must not be directly accessible from the internet. Which AWS service should be used to provide internet access to instances in the private subnets?

Question 379mediummultiple choice
Review the full routing breakdown →

A company is deploying a critical application across multiple Availability Zones (AZs) in a single AWS region. The application requires a highly available network layer that can automatically detect and reroute traffic away from failed endpoints. Which AWS service should be used to meet this requirement?

Question 380hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets across two AZs. The VPC is connected to an on-premises data center via AWS Direct Connect. The company wants to ensure that traffic between the VPC and on-premises is load-balanced across two Direct Connect virtual interfaces (VIFs) for high availability. Which configuration should be used?

Question 381easymultiple choice
Review the full subnetting walkthrough →

A company is designing a VPC for a three-tier web application. The web servers must be accessible from the internet, while the application and database servers must be isolated. Which subnet design should the company use?

Question 382mediummultiple choice
Review the full routing breakdown →

A company is using AWS Organizations to manage multiple accounts. The network team needs to allow a centralized inspection VPC to inspect all traffic between VPCs in different accounts. Which AWS service should be used to route traffic through the inspection VPC?

Question 383hardmultiple choice
Review the full subnetting walkthrough →

A company is designing a hybrid network with a Direct Connect connection. The VPC has multiple subnets that need to communicate with on-premises. The company wants to use a single VIF for both private and public traffic. Which type of VIF should be used?

Question 384easymultiple choice
Study the full IPv6 explanation →

A company is deploying an application that must use IPv6 for internet-facing traffic. The VPC is currently using IPv4 only. What is the simplest way to enable IPv6?

Question 385mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region active-active application using Amazon Route 53 latency-based routing with health checks. The application is deployed in us-east-1 and eu-west-1. During a load test, users in South America experience high latency despite the Route 53 configuration. What is the most likely cause?

Question 386easymultiple choice
Open the full BGP breakdown →

A company is deploying a hybrid network with AWS Direct Connect and a VPN backup. The Direct Connect virtual interface is configured for private VIF with BGP. The VPN uses IPsec tunnels over the internet. What is the best practice to ensure symmetric routing and failover?

Question 387hardmultiple choice
Read the full NAT/PAT explanation →

A company is designing a network architecture for a critical application that requires sub-millisecond latency between EC2 instances in the same placement group. The instances will be launched in a single Availability Zone in us-east-1. Which combination of features should be used to achieve the lowest latency?

Question 388mediummultiple choice
Read the full VPN explanation →

A company has an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The tunnel status is up, but traffic from on-premises cannot reach an EC2 instance in the VPC. The instance's security group allows inbound traffic from the on-premises CIDR. Which configuration should be checked first?

Question 389hardmultiple choice
Read the full Network Design explanation →

A company is designing a network for a large-scale e-commerce platform that must handle sudden traffic spikes. The architecture uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances across multiple Availability Zones. The ALB is internet-facing. To protect against DDoS attacks, which AWS services should be used at the network edge?

Question 390easymultiple choice
Read the full Network Design explanation →

A company wants to connect its VPC to an on-premises data center using AWS Direct Connect. The company has two Direct Connect locations in the same AWS region. For high availability, they plan to establish two separate connections. Which configuration ensures that if one connection fails, traffic automatically fails over to the other?

Question 391mediummulti select
Review the full subnetting walkthrough →

A company is designing a VPC with public and private subnets. The private subnets must have outbound internet access for software updates, but must not be directly reachable from the internet. Which two components are required for this design? (Choose two.)

Question 392mediummulti select
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add IPv6 support for their internet-facing Application Load Balancer. The VPC is already associated with an IPv6 CIDR block. What additional configuration is required? (Choose two.)

Question 393hardmulti select
Read the full Network Design explanation →

A company is designing a multi-account AWS environment using AWS Transit Gateway. They have 10 VPCs in separate accounts that need to communicate with each other and with an on-premises network via Direct Connect. Which three components are required to enable this connectivity? (Choose three.)

Question 394mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to communicate with an RDS database in subnet-B. Both subnets are in the same Availability Zone. What is the most efficient way to enable this communication?

Question 395easymultiple choice
Read the full NAT/PAT explanation →

A company is designing a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. The database should not have direct internet access. Which architecture meets these requirements?

Question 396hardmultiple choice
Read the full Network Design explanation →

A company is deploying a critical application that requires low latency between EC2 instances in the same AWS region but across multiple Availability Zones. The instances are part of an Auto Scaling group behind a Network Load Balancer. Which network design provides the lowest latency while maintaining high availability?

Question 397mediummultiple choice
Read the full Network Design explanation →

A company is deploying a multi-tier web application across three Availability Zones in a single AWS Region. The web tier must be fault-tolerant and scale horizontally. Which network design provides the highest availability and scalability?

Question 398hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to connect to an on-premises network via AWS Direct Connect. The on-premises network uses 10.0.0.0/16. Which solution allows connectivity without IP overlap?

Question 399easymultiple choice
Read the full Network Design explanation →

A company wants to allow its VPC to access an S3 bucket securely without traversing the internet. Which AWS resource enables private connectivity between a VPC and S3?

Question 400mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to minimize cost and management overhead. Which solution should be used?

Question 401hardmultiple choice
Read the full Network Design explanation →

A company has a large VPC with multiple workloads. They need to isolate development and production environments within the same VPC, but allow limited communication between them via specific ports. Which approach meets these requirements?

Question 402easymultiple choice
Read the full Network Design explanation →

A company wants to improve disaster recovery by replicating data between two AWS Regions. Which AWS service provides a managed solution for cross-Region network connectivity?

Question 403mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to add a second CIDR block of 10.1.0.0/16 for additional subnets. After adding the CIDR, the existing subnets cannot communicate with the new subnets. What is the most likely cause?

Question 404hardmultiple choice
Read the full Network Design explanation →

A company has a hybrid network with multiple VPCs connected via a Transit Gateway. They need to centralize outbound internet traffic through a single VPC. Which architecture should be used?

Question 405easymultiple choice
Review the full subnetting walkthrough →

A company wants to ensure that traffic between EC2 instances in the same VPC but different subnets is encrypted. Which solution should be used?

Question 406mediummulti select
Read the full Network Design explanation →

A company is designing a network for a critical application that requires high availability across multiple Availability Zones. Which TWO design choices ensure that the application remains available if an entire AZ fails?

Question 407hardmulti select
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. The private subnet needs to access an S3 bucket for backups. Which TWO actions are required to provide private connectivity to S3 without using a NAT Gateway?

Question 408mediummulti select
Read the full Network Design explanation →

A company is designing a hybrid network using AWS Direct Connect. They need to ensure high availability and failover. Which THREE components should be deployed to meet these requirements?

Question 409mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-Region architecture with active-active failover for a web application. The application uses Application Load Balancers (ALBs) in two AWS Regions. Traffic must be routed to the closest healthy Region with automatic failover. Which AWS service should be used to route traffic?

Question 410hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to connect their on-premises data center to AWS using AWS Direct Connect. The data center uses RFC 1918 addresses from the 10.0.0.0/8 range, overlapping with the VPC CIDR. The company cannot change the on-premises IP addresses. Which design allows connectivity without IP conflicts?

Question 411easymultiple choice
Read the full Network Design explanation →

A company wants to connect an Amazon RDS for SQL Server database instance in a VPC to an on-premises application. The connection must be encrypted in transit and should traverse the AWS backbone network. Which solution meets these requirements?

Question 412mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An Amazon EC2 instance in a private subnet needs to download patches from the internet. The company wants to ensure that the instance cannot be directly initiated from the internet. Which design should be used?

Question 413hardmultiple choice
Read the full NAT/PAT explanation →

A company is deploying a multi-tier web application across multiple Availability Zones in a single Region. The web tier must be fault-tolerant and distribute traffic across EC2 instances. The application tier uses an Auto Scaling group of EC2 instances that need to be accessed by the web tier using a static IP address. Which combination of AWS services meets these requirements?

Question 414easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. They want to connect this VPC to a second VPC with CIDR 10.1.0.0/16 using VPC Peering. The VPCs are in the same account and Region. What is the minimum number of route table entries needed in each VPC to enable full bidirectional communication?

Question 415mediummultiple choice
Read the full Network Design explanation →

A company needs to provide secure access to an Amazon S3 bucket for a third-party partner. The partner has their own AWS account. The company wants to avoid exposing the bucket to the public internet. Which solution meets these requirements?

Question 416hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to communicate with an on-premises server using an IPsec VPN. The company has set up a Virtual Private Gateway (VGW) and a Customer Gateway (CGW) with a Site-to-Site VPN connection. The VPN tunnel is established. However, the EC2 instance cannot ping the on-premises server. The security groups and network ACLs allow all traffic. What is the most likely cause?

Question 417easymultiple choice
Review the full subnetting walkthrough →

A company wants to ensure that traffic between Amazon EC2 instances in the same VPC but different subnets is inspected by a network security appliance. The appliance is deployed in a separate security VPC. Which AWS service should be used to route traffic through the security VPC?

Question 418mediummulti select
Review the full subnetting walkthrough →

A company is designing a hybrid network using AWS Direct Connect. They have a VPC with a CIDR of 10.0.0.0/16 and an on-premises network with CIDR 10.0.0.0/8. The company needs to ensure that traffic from the VPC to the on-premises network uses the Direct Connect connection and that traffic does not traverse the internet. Which TWO actions are required? (Choose TWO.)

Question 419hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets across three Availability Zones. They deploy an Amazon RDS for MySQL Multi-AZ DB instance. The application tier consists of EC2 instances in private subnets. To improve read performance, the company wants to add read replicas. Which THREE design considerations are important for network connectivity? (Choose THREE.)

Question 420mediummulti select
Read the full Network Design explanation →

A company is designing a network architecture for a critical application that requires high availability and fault tolerance. The application will be deployed on EC2 instances in an Auto Scaling group across three Availability Zones. The instances must be able to communicate with each other across AZs. Which TWO design decisions improve the fault tolerance of the application? (Choose TWO.)

Question 421easymultiple choice
Review the full routing breakdown →

A company wants to connect two VPCs in the same AWS region using a hub-and-spoke model. Which AWS service should be used to route traffic between the VPCs through a central inspection VPC?

Question 422mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region architecture with an active-active setup. They need to route traffic to the nearest healthy endpoint. Which AWS service should they use?

Question 423hardmultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect with a private VIF to access a VPC. They also have a site-to-site VPN as backup. They notice that during Direct Connect maintenance, the VPN does not take over traffic as expected. All routes are advertised over BGP. What is the most likely reason?

Question 424easymultiple choice
Read the full Network Design explanation →

A company needs to ensure that all traffic between their VPC and on-premises network is encrypted. Which solution meets this requirement?

Question 425mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet and need it to access the internet. Which combination of components is required?

Question 426hardmultiple choice
Read the full Network Design explanation →

A company has multiple VPCs connected via AWS Transit Gateway. They need to inspect all inter-VPC traffic using a centralized firewall appliance. What is the most efficient way to achieve this?

Question 427easymultiple choice
Read the full Network Design explanation →

A company wants to use AWS Direct Connect to connect their on-premises network to a VPC. They have two Direct Connect locations and want high availability. What is the minimum number of Direct Connect virtual interfaces needed?

Question 428mediummultiple choice
Read the full Network Design explanation →

A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, and the application tier must only be accessible from the web tier. Which architecture should they use?

Question 429hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. They need to peer with another VPC that has a CIDR of 10.0.0.0/24. What will happen?

Question 430mediummulti select
Read the full Network Design explanation →

A company is designing a hybrid network using AWS Direct Connect. They want to ensure high availability and minimize downtime. Which TWO actions should they take?

Question 431hardmulti select
Read the full Network Design explanation →

A company wants to use AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to centrally manage and enforce security policies. Which THREE components are required?

Question 432easymulti select
Read the full Network Design explanation →

A company is deploying a web application in a VPC. They need to ensure that the web servers can be accessed from the internet and that traffic is encrypted. Which TWO services should they use?

Question 433hardmultiple choice
Read the full Network Design explanation →

Based on the VPC Flow Logs entry, which of the following statements is correct?

Exhibit

Refer to the exhibit. The following is a VPC Flow Logs entry:

2 123456789010 eni-1234567890abcdef 10.0.1.5 10.0.2.10 443 80 6 10 5000 1620000000 1620000060 ACCEPT OK
Question 434mediummultiple choice
Review the full routing breakdown →

Based on the route table, which of the following is true?

Exhibit

Refer to the exhibit. The following is an excerpt from a VPC route table:

Destination | Target
10.0.0.0/16 | local
0.0.0.0/0 | igw-1234567890abcdef0
172.31.0.0/16 | vgw-1234567890abcdef0
Question 435easymultiple choice
Read the full Network Design explanation →

Based on the output, which of the following is true?

Exhibit

Refer to the exhibit. The following is an AWS CLI command output:

{
    "DirectConnectGateway": {
        "directConnectGatewayId": "dxgw-1234567890abcdef0",
        "directConnectGatewayName": "My-DXGW",
        "amazonSideAsn": 64512,
        "ownerAccount": "123456789012",
        "state": "available"
    }
}
Question 436easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need to access the internet for software updates. Which configuration meets this requirement securely?

Question 437mediummultiple choice
Read the full Network Design explanation →

A company is designing a multi-account architecture using AWS Transit Gateway. They need to isolate development and production environments but allow shared services account access to both. What is the most scalable and secure design?

Question 438hardmultiple choice
Open the full BGP breakdown →

A company is migrating to AWS and needs to connect its on-premises data center to multiple VPCs across several AWS regions. The on-premises network uses BGP and requires high availability with sub-second failover. The solution must be cost-effective and support traffic segmentation. Which design meets these requirements?

Question 439mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with an application load balancer (ALB) in public subnets and web servers in private subnets. The web servers must be accessible only from the ALB. What is the most secure and efficient configuration?

Question 440hardmultiple choice
Read the full Network Design explanation →

A company is designing a hybrid network using AWS Direct Connect with multiple VPCs in the same region. They need to ensure that traffic between on-premises and VPCs is encrypted and that VPC-to-VPC traffic does not traverse the internet. Which solution meets these requirements?

Question 441easymultiple choice
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add IPv6 support for their application. What is the simplest way to enable IPv6 communication for instances in the VPC?

Question 442mediummultiple choice
Read the full NAT/PAT explanation →

A company is using AWS Transit Gateway to connect multiple VPCs. They notice that traffic between two VPCs in different Availability Zones is taking a suboptimal path, resulting in cross-AZ data transfer costs. How can they optimize the path and reduce costs?

Question 443hardmultiple choice
Review the full routing breakdown →

A company is designing a highly available network for a critical application that requires sub-second failover between two AWS regions. The application uses active-active traffic distribution. Which routing policy should they use in Amazon Route 53?

Question 444easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to peer with another VPC that has CIDR 10.0.0.0/16. What is the issue and how can it be resolved?

Question 445mediummulti select
Review the full subnetting walkthrough →

A company is designing a network for a multi-tier application that must meet compliance requirements. The architecture includes a VPC with public, private, and database subnets. Which TWO actions should be taken to ensure the database subnets are not directly accessible from the internet? (Select TWO.)

Question 446mediummulti select
Read the full Network Design explanation →

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. They want to ensure high availability and failover. Which TWO configurations should they implement? (Select TWO.)

Question 447hardmulti select
Review the full routing breakdown →

A company is designing a network for a global application that requires low latency between users and application servers. They plan to use multiple AWS regions and want to route users to the nearest healthy endpoint. Which THREE services should they use together? (Select THREE.)

Question 448mediummultiple choice
Study the full ACL explanation →

A company has deployed a multi-tier web application in a single AWS region. The architecture includes a VPC with public and private subnets across two Availability Zones. The web tier uses an Application Load Balancer (ALB) in the public subnets, and the application tier runs on EC2 instances in the private subnets. The database tier uses an Amazon RDS Multi-AZ deployment in the database subnets. The company is experiencing intermittent connectivity issues between the application tier and the database tier. The application logs show connection timeouts. The network engineer has verified that the security groups and network ACLs are correctly configured. The RDS instance is reachable from the application tier via a telnet test from one specific instance, but not consistently from all instances. What is the most likely cause of the intermittent connectivity?

Question 449hardmultiple choice
Open the full BGP breakdown →

A company is expanding its on-premises data center to AWS using a hybrid cloud architecture. They have established an AWS Direct Connect connection with a private virtual interface to a VPC. The on-premises network uses BGP to exchange routes with the VPC. The network engineer notices that the on-premises network can reach some EC2 instances in the VPC but not others. All EC2 instances are in the same subnet (10.0.1.0/24) and have private IP addresses. The Direct Connect virtual interface is configured with the VPC CIDR (10.0.0.0/16) advertised to on-premises. The on-premises firewall logs show that traffic to the unreachable instances is being dropped. What is the most likely cause?

Question 450mediummultiple choice
Open the full BGP breakdown →

A company is designing a hybrid network architecture that connects its on-premises data center to AWS via AWS Direct Connect. The on-premises network uses BGP to advertise routes to AWS. The company wants to ensure that if the Direct Connect connection fails, traffic automatically fails over to a VPN connection. Which configuration ensures this failover behavior?

Question 451hardmultiple choice
Read the full NAT/PAT explanation →

A global company is deploying a multi-Region application on AWS. The application requires low-latency access to a shared dataset that is updated frequently in multiple Regions. The company wants to use Amazon Route 53 latency-based routing to direct users to the closest Region. Which data store provides the best combination of low-latency reads and cross-Region consistency for this use case?

Question 452easymultiple choice
Read the full Network Design explanation →

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. The company wants to use private virtual interfaces (VIFs) to access multiple VPCs in the same AWS Region. Which AWS service should be used to simplify this connectivity?

Question 453mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets need outbound internet access for software updates. The company wants to ensure that traffic from private subnets uses a single, highly available IP address for outbound traffic. Which solution meets these requirements?

Question 454hardmultiple choice
Read the full Network Design explanation →

A company is designing a network for a real-time financial trading application. The application requires deterministic low-latency connectivity between two EC2 instances in different Availability Zones within the same VPC. Which placement group type and networking feature should the company use?

Question 455easymultiple choice
Read the full Network Design explanation →

A company wants to allow its employees to securely access internal applications hosted in a VPC without traversing the internet. The company also wants to be able to enforce security policies at the user level. Which AWS service should the company use?

Question 456mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to make API calls to Amazon S3. Which is the most secure way to provide this access without traffic leaving the AWS network?

Question 457hardmultiple choice
Read the full NAT/PAT explanation →

A company is designing a multi-account AWS environment using AWS Organizations. The company wants to centralize outbound internet traffic from all VPCs in all accounts through a single VPC in a shared services account. The shared services account has a VPC with a NAT gateway and an internet gateway. Which architecture meets this requirement?

Question 458easymultiple choice
Review the full routing breakdown →

A network engineer runs the AWS CLI command shown in the exhibit. The VPC has an Amazon Route 53 private hosted zone associated. What is the impact of this setting?

Network Topology
$ aws ec2 describe-vpc-attributevpc-id vpc-12345678attribute enableDnsSupportRefer to the exhibit.```"VpcId": "vpc-12345678","EnableDnsSupport": {"Value": false
Question 459mediummulti select
Read the full Network Design explanation →

A company wants to connect multiple VPCs in different AWS Regions using AWS Transit Gateway. The company requires full mesh connectivity with centralized inspection of inter-Region traffic. Which TWO actions should the company take? (Choose TWO.)

Question 460hardmulti select
Read the full Network Design explanation →

A company is designing a network for a critical application that requires an SLA of 99.99% availability. The application runs on EC2 instances in an Auto Scaling group across three Availability Zones. The company needs to ensure that the network design meets the SLA. Which THREE components should the company include? (Choose THREE.)

Question 461mediummulti select
Study the full multicast explanation →

A company is migrating a legacy application to AWS. The application requires multicast traffic between EC2 instances in the same VPC. Which TWO AWS services can support this requirement? (Choose TWO.)

Question 462hardmultiple choice
Read the full NAT/PAT explanation →

A company runs a critical application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) in a VPC. The application experiences unpredictable traffic spikes. The company notices that during peak traffic, the ALB returns 503 errors. The network engineer checks the ALB's CloudWatch metrics and sees that the 'ActiveConnectionCount' is high but 'TargetResponseTime' is low. The ALB's target group is configured with a deregistration delay of 300 seconds. The ALB is internet-facing and uses an SSL/TLS certificate from AWS Certificate Manager. The security group for the ALB allows inbound HTTPS from 0.0.0.0/0. The target instances' security group allows inbound traffic from the ALB's security group. The VPC has a CIDR of 10.0.0.0/16 with public and private subnets. The ALB is in public subnets, and the instances are in private subnets. The route tables for private subnets have a default route to a NAT gateway in the public subnets. The company wants to resolve the 503 errors. What should the network engineer do?

Question 463mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. It has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The company hosts a web application on EC2 instances in the private subnets behind an Application Load Balancer (ALB) in the public subnets. The ALB is internet-facing. The company wants to add a second ALB in the same VPC for a different application but using the same public subnets. The new ALB also needs to be internet-facing. However, when the company tries to create the new ALB, they receive an error: 'The subnet 'subnet-xxxxxxxx' does not have enough free IP addresses to satisfy the request.' The network engineer checks the subnets and finds that the public subnets have only 2 free IP addresses each. The private subnets have plenty of free IP addresses. The company wants to resolve this error without changing the architecture of the existing applications. What should the network engineer do?

Question 464easymultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has created a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. However, the EC2 instance cannot reach the internet. The network engineer verifies that the NAT gateway has an Elastic IP address, the security group and network ACLs allow outbound traffic, and the route table for the public subnet has a route to an internet gateway. What is the most likely cause of the issue?

Question 465mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-Region active-active application using Application Load Balancers (ALBs) behind AWS Global Accelerator. They require that traffic from a specific client IP address is always routed to the same AWS Region for session persistence. Which Global Accelerator feature should be used?

Question 466hardmultiple choice
Read the full VPN explanation →

A company runs a critical application on Amazon EC2 instances in a VPC. The application receives data from an on-premises data center over an AWS Direct Connect connection. The company wants to add redundant connectivity using a VPN connection over the internet. They need to ensure that traffic from on-premises to AWS uses the Direct Connect connection when it is healthy, and only fails over to the VPN if Direct Connect fails. Which configuration achieves this?

Question 467easymultiple choice
Read the full VPN explanation →

A company has a VPC with public and private subnets. They launch an Amazon RDS for MySQL DB instance in a private subnet. The DB instance needs to be accessible from an on-premises application that connects via an AWS Site-to-Site VPN. What is the MOST secure way to allow the on-premises application to connect to the DB instance?

Question 468mediummultiple choice
Open the full VLAN trunking answer →

A company is migrating its on-premises data center to AWS. The migration requires connectivity between the on-premises network and a VPC. The company needs a connection that supports multiple VLANs for separate environments (development, test, production) and provides consistent performance. The company also wants to avoid using the public internet. Which AWS service should be used?

Question 469hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets and an AWS Transit Gateway. They have a requirement to inspect traffic between subnets using a third-party firewall appliance that is deployed in a centralized inspection VPC. The firewall appliance must process all traffic between the VPC subnets, including traffic between subnets in the same Availability Zone. Which routing configuration achieves this?

Question 470easymultiple choice
Study the full IPv6 explanation →

A company is designing a VPC with both IPv4 and IPv6 workloads. The VPC has an internet gateway, and the company wants to allow outbound IPv6 traffic to the internet from instances in a private subnet while blocking inbound IPv6 traffic from the internet. Which configuration should be used?

Question 471mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet containing a NAT gateway and a private subnet containing Amazon EC2 instances. The instances in the private subnet need to download patches from the internet. The NAT gateway is in the public subnet and has an Elastic IP address. The private subnet's route table has a default route pointing to the NAT gateway. However, the instances cannot reach the internet. What is the MOST likely cause?

Question 472hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: Subnet A (10.0.1.0/24) and Subnet B (10.0.2.0/24). They launch an EC2 instance in Subnet A and assign it a primary private IP address of 10.0.1.50. They then attach a second elastic network interface (ENI) to the instance with a primary private IP of 10.0.2.100. The instance needs to send traffic from the second ENI. However, when the instance sends traffic from the second ENI, it fails. What is the MOST likely cause?

Question 473easymultiple choice
Read the full Network Design explanation →

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application must be accessible from the internet. Which component must be attached to the VPC to allow internet traffic to reach the ALB?

Question 474mediummulti select
Review the full routing breakdown →

A company is designing a multi-VPC architecture in a single AWS Region. The company has three VPCs: Production, Development, and Shared Services. They want to enable transitive routing between all VPCs while minimizing operational overhead. Which TWO solutions meet these requirements?

Question 475hardmulti select
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They have subnets in three Availability Zones. They need to add IPv6 connectivity to the VPC and allow instances in private subnets to initiate outbound IPv6 connections to the internet, but not allow inbound connections from the internet. Which TWO actions must be taken?

Question 476mediummulti select
Read the full Network Design explanation →

A company wants to connect its on-premises network to AWS using AWS Direct Connect. The company has two data centers, each with a redundant connection to an AWS Direct Connect location. The company wants to ensure high availability and failover capability. Which THREE steps should be taken?

Question 477hardmultiple choice
Read the full DNS explanation →

A company is running a multi-tier web application across two AWS Regions (us-east-1 and eu-west-1) for disaster recovery. The application uses an Application Load Balancer (ALB) in each Region. The company uses Amazon Route 53 with latency-based routing to direct traffic to the closest Region. Recently, during a regional failure in us-east-1, users experienced timeouts instead of being redirected to eu-west-1. The DNS TTL is set to 60 seconds. The Route 53 health checks for the us-east-1 ALB are configured to check the HTTP endpoint every 30 seconds with 3 consecutive failures required to mark it unhealthy. The eu-west-1 ALB is healthy. The company's network design includes a VPC in each Region with public and private subnets. The ALBs are internet-facing and have proper security groups. The Route 53 records are configured correctly. What is the MOST likely cause of the timeout?

Question 478mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR block of 10.0.0.0/16. They have three subnets: Subnet A (10.0.1.0/24) in us-east-1a, Subnet B (10.0.2.0/24) in us-east-1b, and Subnet C (10.0.3.0/24) in us-east-1c. The company has deployed a set of EC2 instances in Subnet A that need to access an Amazon S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet and remains within the AWS network. The VPC has a VPC endpoint for S3 (gateway type) created and associated with the route table for Subnet A. However, the instances are unable to access the S3 bucket. What is the MOST likely cause?

Question 479easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They launch an EC2 instance in the private subnet that needs to download software updates from the internet. The company configures a NAT gateway in the public subnet and adds a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. The NAT gateway is assigned an Elastic IP address. However, the EC2 instance cannot reach the internet. The security group for the EC2 instance allows all outbound traffic. What is the MOST likely cause?

Question 480mediummultiple choice
Read the full DNS explanation →

A company is deploying a multi-tier web application across two AWS Regions with an active-passive failover architecture. The application uses Application Load Balancers (ALBs) in each Region, and traffic must be directed to the active Region using DNS. Which routing policy should be used for the Amazon Route 53 record set to achieve this?

Question 481easymulti select
Read the full NAT/PAT explanation →

A solutions architect is designing a VPC with public and private subnets. The application in the private subnet needs to download patches from the internet. Which TWO options allow outbound internet access while keeping the EC2 instance in the private subnet without a public IP address?

Question 482hardmulti select
Study the full multicast explanation →

A company is migrating a legacy application to AWS. The application uses multicast for service discovery. Which THREE AWS services or features can be used to support multicast traffic within a VPC?

Question 483hardmultiple choice
Review the full subnetting walkthrough →

An IAM policy attached to a user allows creating and deleting VPCs and subnets only in us-east-1. The user attempts to create a VPC in eu-west-1. What will happen?

Exhibit

Refer to the exhibit.

```
{  "Version": "2012-10-17",  "Statement": [    {      "Effect": "Allow",      "Action": [        "ec2:CreateVpc",        "ec2:DeleteVpc",        "ec2:CreateSubnet",        "ec2:DeleteSubnet"      ],      "Resource": "*",      "Condition": {        "StringEquals": {          "aws:RequestedRegion": "us-east-1"        }      }    }  ]}
```
Question 484mediummultiple choice
Study the full ACL explanation →

A company runs a critical web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application experiences intermittent timeouts during peak hours. The network team suspects that the security group or network ACL is misconfigured. They enable VPC Flow Logs and notice that outbound traffic from the ALB to the EC2 instances on port 8080 shows 'ACCEPT' records, but the ALB returns 504 errors. The ALB health check is configured to hit the EC2 instances on port 8080/health. What is the most likely cause of the 504 errors?

Question 485hardmultiple choice
Review the full routing breakdown →

A company has a global application deployed across multiple AWS Regions. They use an Amazon Route 53 latency-based routing policy to direct users to the closest region. Recently, users in Asia are experiencing high latency even though traffic is being directed to the nearest region. The network team reviews the latency measurements and notices that the Route 53 latency values are based on the region where the resources are hosted, but the actual application performance is poor. What is the most likely cause?

Question 486easymultiple choice
Review the full subnetting walkthrough →

A company wants to connect its on-premises data center to AWS using AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that they can ping the Direct Connect public VIF IP but cannot access S3. The VPC has a private subnet with an S3 VPC endpoint. What is the most likely reason for the failure?

Question 487mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Both VPCs have subnets with EC2 instances. The security groups allow all traffic between the instances. The instances in VPC A can ping the instances in VPC B, but cannot initiate TCP connections to a web server running on port 443 in VPC B. What is the most likely cause?

Question 488hardmultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect with a private VIF to connect its on-premises network to a VPC. The on-premises router advertises a specific route for a subnet (192.168.1.0/24) to the VPC via BGP. However, instances in the VPC cannot reach the 192.168.1.0/24 subnet. The VPC route table shows the route as 'active' and 'propagated' from the Direct Connect virtual interface. What is the most likely cause?

Question 489easymultiple choice
Read the full NAT/PAT explanation →

A company wants to provide internet access to instances in a private subnet without using a NAT Gateway, due to cost constraints. They have a public subnet with a bastion host that has a public IP. They also have a VPC with an Internet Gateway. What is the most cost-effective way to allow outbound internet access for instances in the private subnet?

Question 490hardmultiple choice
Read the full NAT/PAT explanation →

A company has a multi-VPC architecture connected via AWS Transit Gateway. They have VPCs in different AWS accounts. The network team wants to centralize internet traffic through a single egress VPC that has a NAT Gateway and an Internet Gateway. All other VPCs should route outbound internet traffic through the Transit Gateway to the egress VPC. They have configured route tables accordingly, but instances in non-egress VPCs cannot reach the internet. What is the most likely missing configuration?

Question 491mediummultiple choice
Review the full subnetting walkthrough →

An application running on EC2 instances in a VPC needs to access an Amazon S3 bucket to read configuration files. The VPC has an S3 VPC endpoint configured. The instances are in a private subnet and have a security group that allows all outbound traffic. The bucket policy allows access from the VPC endpoint. However, the application fails to access the S3 bucket. What is the most likely cause?

Question 492easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. They need to create a subnet for a new application that requires at least 2000 usable IP addresses. Which subnet size should they choose?

Question 493hardmultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect with a private VIF and a virtual private gateway (VGW) to connect its on-premises data center to a VPC. The on-premises network uses BGP to advertise routes to AWS. The VPC has multiple subnets. The company wants to ensure that only traffic destined for the VPC CIDR (10.0.0.0/16) is sent over Direct Connect, and all other traffic uses the internet. However, after configuration, on-premises users can access the internet through the Direct Connect link, which is unintended. What change should be made to restrict traffic?

Question 494mediummultiple choice
Review the full subnetting walkthrough →

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The ALB is internet-facing and has a security group that allows inbound HTTP/HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic only from the ALB's security group. The application works correctly. However, the security team wants to add an additional layer of protection by using AWS WAF. What is the best way to integrate AWS WAF with the ALB to filter malicious requests?

Question 495mediummulti select
Review the full routing breakdown →

A company is designing a multi-region active-active application using Amazon Route 53 and Application Load Balancers (ALBs). The application must be highly available and route traffic to the closest healthy endpoint. Which TWO configurations should the company use? (Choose two.)

Question 496mediummulti select
Read the full NAT/PAT explanation →

A financial services company is designing a VPC with multiple tiers: web, application, and database. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The company needs to allow the application tier to download patches from the internet. Which THREE components should be included in the design? (Choose three.)

Question 497hardmultiple choice
Study the full ACL explanation →

A large e-commerce company is redesigning its global network architecture. They have three VPCs in us-east-1: production (10.0.0.0/16), staging (10.1.0.0/16), and development (10.2.0.0/16). They also have two VPCs in eu-west-1: production (10.10.0.0/16) and staging (10.11.0.0/16). All VPCs are connected via a Transit Gateway with inter-region peering. The company wants to allow the staging VPCs in both regions to communicate with each other for data replication, but no other cross-region traffic should be allowed. Additionally, the production VPC in us-east-1 must be able to send traffic to the production VPC in eu-west-1 for a disaster recovery pilot. The security team has configured Network ACLs and security groups appropriately. However, after implementation, the staging VPCs can communicate, but the production VPCs cannot. A network engineer checks the Transit Gateway route tables and finds that both production VPC attachments are associated with the same route table, which has a static route for the 10.0.0.0/16 and 10.10.0.0/16 prefixes. What is the MOST likely reason for the failure?

Question 498mediummultiple choice
Read the full NAT/PAT explanation →

A company is deploying a new application on AWS and needs a highly available architecture across two Availability Zones (AZs) in a single region. The application consists of an Application Load Balancer (ALB) in front of a fleet of EC2 instances running in an Auto Scaling group, and an Amazon RDS for MySQL database with Multi-AZ deployment. The company requires that the application remain available even if an entire AZ fails. The network team has designed the VPC with two public subnets and two private subnets, each in a different AZ. The ALB is internet-facing and placed in the public subnets. The EC2 instances are in the private subnets. The RDS instance is also in the private subnets. The route tables are configured with a default route via an Internet Gateway for public subnets and via a NAT Gateway for private subnets. What change is MOST likely needed to ensure the architecture can survive an AZ failure?

Question 499hardmultiple choice
Open the full BGP breakdown →

A media company is designing a global streaming platform using AWS. They have a primary workload in us-east-1 (VPC A, 10.0.0.0/16) and a secondary workload in eu-west-1 (VPC B, 10.1.0.0/16). They need to replicate data between these VPCs with low latency and high throughput, and also allow their on-premises data center (10.2.0.0/16) in us-east-2 to communicate with both VPCs. The on-premises network is connected to AWS via two Direct Connect connections terminating in us-east-1 and eu-west-1. The company uses a Transit Gateway in each region, with inter-region peering between the Transit Gateways. The on-premises network has BGP advertisements for 10.2.0.0/16. The routing is set up such that the on-premises network can reach both VPCs via the Direct Connect connections. However, the VPCs cannot reach each other's CIDRs. The network engineer checks the Transit Gateway route tables and sees that the inter-region peering attachment is associated with the appropriate route tables, and static routes for the remote VPC CIDRs are present. What is the MOST likely cause of the problem?

Question 500mediummultiple choice
Open the full BGP breakdown →

A company is designing a hybrid network architecture using AWS Direct Connect. They have a single Direct Connect connection with a private virtual interface (VIF) to a VPC in us-east-1. The on-premises network uses BGP to advertise a prefix (10.0.0.0/8) to AWS. The VPC has a CIDR of 10.1.0.0/16. The company wants to add a second VPC (10.2.0.0/16) in the same region and allow on-premises to communicate with both VPCs. They plan to use a Transit Gateway to connect the VPCs and the Direct Connect gateway. The Direct Connect gateway is associated with the Transit Gateway. The on-premises router is advertising 10.0.0.0/8. After configuration, the on-premises network can communicate with 10.1.0.0/16 but not with 10.2.0.0/16. The network engineer verifies that the Transit Gateway route table has routes for both VPC attachments and that the Direct Connect gateway is associated with the Transit Gateway. What is the MOST likely issue?

Question 501hardmultiple choice
Open the full BGP breakdown →

A company is migrating its on-premises data center to AWS. As part of the migration, they need to establish connectivity between their on-premises network (10.0.0.0/8) and multiple VPCs in a single region. They are using AWS Transit Gateway with a Direct Connect gateway. They have two Direct Connect connections, each with a private virtual interface (VIF) to the Direct Connect gateway. The on-premises routers are configured with BGP and are advertising 10.0.0.0/8. The Transit Gateway has three VPC attachments: VPC1 (10.1.0.0/16), VPC2 (10.2.0.0/16), and VPC3 (10.3.0.0/16). All VPC attachments are in the same Transit Gateway route table, which also includes the Direct Connect gateway attachment. Initially, all VPCs can communicate with on-premises. After a maintenance window, the network team adds a new on-premises subnet (10.4.0.0/16) and updates the BGP advertisement to include 10.4.0.0/16. However, after the change, instances in VPC3 can no longer reach on-premises resources in any subnet, while VPC1 and VPC2 can still communicate with all on-premises subnets including the new one. The network engineer checks the Transit Gateway route table and sees that the route for 10.0.0.0/8 is present, pointing to the Direct Connect gateway attachment. What is the MOST likely cause of the issue?

Question 502mediummultiple choice
Read the full NAT/PAT explanation →

A company is designing a network architecture for a two-tier web application. The web tier runs on EC2 instances behind an Application Load Balancer (ALB) in public subnets. The application tier runs on EC2 instances in private subnets. The application tier needs to access an Amazon RDS for PostgreSQL database in the same private subnets. The company requires that all traffic between the ALB and web tier, as well as between web tier and application tier, remain within the AWS network and not traverse the internet. The current design uses an Internet Gateway (IGW) for public subnet internet access and a NAT Gateway for private subnet outbound internet access. The web tier instances have a default route to the IGW, and the application tier instances have a default route to the NAT Gateway. The security groups are configured correctly. However, the application tier cannot connect to the RDS database. What is the MOST likely cause?

Question 503hardmultiple choice
Open the full BGP breakdown →

A global company is designing a multi-region architecture with VPCs in us-east-1, eu-west-1, and ap-southeast-1. They are using AWS Transit Gateway with inter-region peering between all three regions. The company also has on-premises data centers in the US and Europe connected via Direct Connect to the Transit Gateways in us-east-1 and eu-west-1 respectively. The on-premises networks use BGP to advertise their CIDRs (10.0.0.0/8 for US, 172.16.0.0/12 for Europe). The Transit Gateway route tables are configured to propagate routes from all attachments. The company needs all VPCs and on-premises networks to be able to communicate with each other. After configuration, the VPC in ap-southeast-1 can communicate with the VPCs in us-east-1 and eu-west-1, but cannot communicate with either on-premises network. The VPCs in us-east-1 and eu-west-1 can communicate with all on-premises networks. What is the MOST likely cause of this issue?

Question 504mediummultiple choice
Review the full routing breakdown →

A company is designing a network for a critical application that requires high availability across two AWS Regions (us-east-1 and us-west-2). The application uses an Application Load Balancer (ALB) in each region, with Auto Scaling groups behind them. The database is an Amazon Aurora Global Database with a primary cluster in us-east-1 and a secondary cluster in us-west-2. The company wants to use Amazon Route 53 to route traffic to the closest healthy ALB. They also need to ensure that if the primary database fails over to the secondary region, the application can still write to the database with minimal latency. Additionally, the application must be able to read from the local database in each region for read-intensive workloads. The network team has designed the following: Route 53 with latency-based routing and health checks for the ALBs. The application instances in each region are configured to connect to the local Aurora cluster endpoint. For writes, they use the global writer endpoint. What is the MOST significant design flaw?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

ANS-C01 Practice Test 1 — 10 Questions→ANS-C01 Practice Test 2 — 10 Questions→ANS-C01 Practice Test 3 — 10 Questions→ANS-C01 Practice Test 4 — 10 Questions→ANS-C01 Practice Test 5 — 10 Questions→ANS-C01 Practice Exam 1 — 20 Questions→ANS-C01 Practice Exam 2 — 20 Questions→ANS-C01 Practice Exam 3 — 20 Questions→ANS-C01 Practice Exam 4 — 20 Questions→Free ANS-C01 Practice Test 1 — 30 Questions→Free ANS-C01 Practice Test 2 — 30 Questions→Free ANS-C01 Practice Test 3 — 30 Questions→ANS-C01 Practice Questions 1 — 50 Questions→ANS-C01 Practice Questions 2 — 50 Questions→ANS-C01 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Network Management and OperationsNetwork Security, Compliance and GovernanceNetwork DesignNetwork Implementation

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Network Design setsAll Network Design questionsANS-C01 Practice Hub