Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


ANS-C01 Network Implementation • Complete Question Bank

ANS-C01 Network Implementation — All Questions With Answers

Complete ANS-C01 Network Implementation question bank: 434 questions with answers and detailed explanations. Free, no signup required.
Question 1 (medium, multiple choice)

A company is deploying a multi-tier web application across two AWS Regions. The application uses an Application Load Balancer (ALB) in each region, and traffic must be distributed to the closest healthy ALB using Route 53 latency-based routing. The application requires that clients maintain the same source IP address when the request is forwarded from the ALB to the backend targets. The backend targets are EC2 instances in private subnets. The company also needs to ensure that traffic between the ALB and targets stays within AWS. What should the company implement to meet these requirements?

Question 2 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF connected to a VPC. The company wants to add a second Direct Connect connection for redundancy. They plan to use BGP AS_PATH prepending to influence traffic steering so that the primary connection is preferred for inbound traffic. The on-premises router advertises the same prefix over both connections. The company configures BGP on the primary VIF with AS_PATH prepending (prepend two AS numbers). However, after configuration, inbound traffic still uses both paths equally. What is the most likely cause?

Question 3 (easy, multiple choice)

A networking engineer is troubleshooting connectivity issues between two VPCs that are peered using a VPC peering connection. The VPCs are in different AWS accounts. The engineer has verified that the route tables are correct and the security groups allow traffic. However, ICMP ping fails from an instance in VPC A to an instance in VPC B. What is a likely cause?

Question 4 (hard, multiple choice)

A company has a centralized inspection VPC architecture where all traffic from spoke VPCs is routed through a Transit Gateway to a centralized VPC that hosts firewall appliances (NGFW). The company needs to inspect traffic between two instances in the same spoke VPC. What is the simplest way to achieve this?

Question 5 (medium, multiple choice)

A company is implementing a hybrid network with AWS Direct Connect and a VPN connection as backup. They have a Direct Connect gateway (DXGW) attached to a private VIF and a virtual private gateway (VGW) attached to a VPN connection. The VPC is attached to the VGW. They want to use the Direct Connect connection for all traffic when available. The on-premises router advertises the same prefix over both connections. However, traffic from on-premises to the VPC is using the VPN connection. BGP is configured correctly on both connections. What should the company do to prefer the Direct Connect path?

Question 6 (easy, multi select)

A company is designing a network for a three-tier web application on AWS. The web tier must be accessible from the internet, and the application and database tiers must be in private subnets. The company wants to use a single AWS Region and ensure high availability. Which TWO configurations should be implemented? (Choose two.)

Question 7 (medium, multi select)

A company is migrating a legacy application to AWS. The application requires multicast communication between EC2 instances in the same VPC. Which THREE options can support this requirement? (Choose three.)

Question 8 (easy, multiple choice)

A company is deploying a VPC with public and private subnets in two Availability Zones. They need to ensure that instances in private subnets can access the internet for software updates while remaining unreachable from the internet. Which solution meets these requirements?

Question 9 (medium, multiple choice)

A company has deployed a web application across multiple AWS Regions using Application Load Balancers (ALBs) and EC2 instances. They want to use AWS Global Accelerator to improve performance and provide a fixed entry point. The Global Accelerator is configured with endpoints pointing to the ALBs. However, users are experiencing intermittent failures. What is the most likely cause?

Question 10 (hard, multiple choice)

A network engineer is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC peering connection. Both VPCs have CIDR blocks: VPC-A = 10.0.0.0/16, VPC-B = 10.1.0.0/16. An EC2 instance in VPC-A (10.0.1.10) cannot ping an EC2 instance in VPC-B (10.1.1.10). Security groups and NACLs allow all traffic. The route tables are configured as follows: In VPC-A, a route to 10.1.0.0/16 via the peering connection. In VPC-B, a route to 10.0.0.0/16 via the peering connection. What is the most likely cause?

Question 11 (medium, multiple choice)

A company is setting up a Direct Connect connection to connect its on-premises data center to AWS. The connection is established, and a private virtual interface (VIF) is configured. The on-premises router can ping the VIF's Amazon side IP address, but cannot ping an EC2 instance in the VPC. The VPC has a virtual private gateway attached, and the route tables are correctly configured. What should the company check next?

Question 12 (hard, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16 and has enabled VPC Flow Logs to capture all traffic. The logs show that an EC2 instance (10.0.1.10) is sending outbound traffic to an external IP (203.0.113.50) on port 443, but the traffic is being rejected. The instance's security group allows outbound HTTPS to 0.0.0.0/0, and the subnet's NACL allows outbound traffic on port 443. The VPC has an internet gateway attached, and the route table directs 0.0.0.0/0 to the internet gateway. What is the most likely cause of the rejection?

Question 13 (medium, multi select)

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect and a VPN connection as a backup. The on-premises network uses BGP to advertise routes to AWS. Which of the following are best practices for this setup? (Choose TWO.)

Question 14 (hard, multi select)

A company has a VPC with multiple subnets spanning three Availability Zones. They have deployed an Application Load Balancer (ALB) in the VPC and need to ensure high availability and scalability for a web application. Which of the following are design considerations for implementing the ALB in this environment? (Choose THREE.)

Question 15 (easy, multiple choice)

A network engineer is analyzing VPC Flow Logs for a VPC with CIDR 10.0.0.0/16. The exhibit shows a sample log entry. The engineer notices that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted. However, the application team reports that the connection is failing. What is the most likely reason for the disconnect?

Exhibit

Refer to the exhibit.

```
VPC Flow Logs version 2
account-id 123456789012
interface-id eni-0a1b2c3d4e5f67890
srcaddr 10.0.1.10
dstaddr 10.0.2.10
srcport 12345
dstport 443
protocol 6
packets 10
bytes 1500
start 1625097600
end 1625097660
action ACCEPT
log-status OK
```
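An ACCEPT record like the one in the exhibit only proves that the security group and NACL let the forward packet through; because NACLs are stateless, the return packets (destined for the client's ephemeral port) need their own allow rule. The following checker, added here as a worked example and not part of the question bank, parses default-format version-2 flow log lines, pairs both directions of each flow, and flags flows that were accepted forward but never saw an accepted return. The log it runs on is constructed: the first line mirrors the exhibit, the remaining lines are invented.

```python
"""Pair VPC Flow Log records into bidirectional flows and flag one-way flows.

Added example for the exhibit above, not part of the question bank.  The
sample log is constructed in the default version-2 format (14 space-separated
fields); only its first line mirrors the exhibit.
"""
from collections import defaultdict

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample: one flow whose return direction is rejected, one healthy flow.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.10 12345 443 6 10 1500 1625097600 1625097660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.10 10.0.1.10 443 12345 6 10 1500 1625097600 1625097660 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.3.20 10.0.2.10 40000 443 6 8 1200 1625097600 1625097660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.10 10.0.3.20 443 40000 6 7 3000 1625097600 1625097660 ACCEPT OK
"""


def parse_record(line: str) -> dict:
    """Parse one default-format flow log line into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def classify_flows(lines) -> dict:
    """Group records by protocol + endpoints, ignoring direction.

    Heuristic: the endpoint with the lower port is the server (well-known
    ports are low, ephemeral client ports are high).  Returns
    {(protocol, client, server): {"forward": action, "return": action}}.
    """
    flows = defaultdict(dict)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rec = parse_record(line)
        src = (rec["srcaddr"], rec["srcport"])
        dst = (rec["dstaddr"], rec["dstport"])
        client, server = sorted((src, dst), key=lambda ep: ep[1], reverse=True)
        side = "forward" if src == client else "return"
        flows[(rec["protocol"], client, server)][side] = rec["action"]
    return flows


def one_way_flows(lines) -> list:
    """Flows whose forward direction was accepted but whose return direction
    was rejected or never logged: the stateless-NACL signature."""
    suspects = []
    for (proto, client, server), sides in classify_flows(lines).items():
        if sides.get("forward") == "ACCEPT" and sides.get("return") != "ACCEPT":
            suspects.append({"protocol": proto, "client": client,
                             "server": server, "return_action": sides.get("return")})
    return suspects


if __name__ == "__main__":
    for s in one_way_flows(SAMPLE_LOG.splitlines()):
        print(f"one-way flow: {s['client']} -> {s['server']} "
              f"(proto {s['protocol']}), return={s['return_action']}")
```

On the constructed log the checker reports the 10.0.1.10 to 10.0.2.10:443 flow as one-way with a rejected return, while the 10.0.3.20 flow is paired and healthy. A return action of None (no return record at all) is equally suspicious, since the log would then show that the server never answered or that the reply was dropped before reaching the logged interface.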
Question 16 (medium, multiple choice)

A company has set up a transit gateway with attachments to VPC-A and VPC-B. The transit gateway route table shows routes to both VPCs and a blackhole for 0.0.0.0/0. VPC-A's public subnet route table sends 10.1.0.0/16 traffic to the transit gateway. However, an EC2 instance in VPC-A's public subnet cannot reach an instance in VPC-B. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
AWS Transit Gateway Route Table
Route Table ID: tgw-rtb-0123456789abcdef0
Routes:
10.0.0.0/16 attachment tgw-attach-11111111111111111 (VPC-A)
10.1.0.0/16 attachment tgw-attach-22222222222222222 (VPC-B)
0.0.0.0/0 blackhole
```

```
VPC-A Route Table (public subnet)
Destination Target
10.0.0.0/16 local
10.1.0.0/16 tgw-1234567890abcdef0
0.0.0.0/0 igw-1234567890abcdef0
```
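Each hop in the exhibit (the subnet route table, then the Transit Gateway route table) is resolved by longest-prefix match, so the 10.1.0.0/16 entries beat both the 0.0.0.0/0 blackhole and the igw default route. The script below, added as a worked example and not part of the question bank, walks a packet through the exhibited tables in both directions. The exhibit only shows VPC-A's table, so the two VPC-B tables in the script are constructed: one without a route back towards VPC-A, one with it.

```python
"""Longest-prefix-match walk through the exhibit's route tables.

Added example, not part of the question bank.  TGW_RT and VPC_A_PUBLIC_RT
are copied from the exhibit; the VPC-B tables are constructed because the
exhibit does not show them.
"""
import ipaddress

# Tables from the exhibit, as (prefix, target) pairs.
TGW_RT = [
    ("10.0.0.0/16", "tgw-attach-11111111111111111"),  # VPC-A
    ("10.1.0.0/16", "tgw-attach-22222222222222222"),  # VPC-B
    ("0.0.0.0/0", "blackhole"),
]
VPC_A_PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "tgw-1234567890abcdef0"),
    ("0.0.0.0/0", "igw-1234567890abcdef0"),
]
# Constructed: a VPC-B subnet table with no route back towards VPC-A ...
VPC_B_RT_NO_RETURN = [("10.1.0.0/16", "local")]
# ... and the same table with the return route added.
VPC_B_RT_FIXED = [("10.1.0.0/16", "local"),
                  ("10.0.0.0/16", "tgw-1234567890abcdef0")]


def lookup(route_table, dst):
    """Return (network, target) of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best


def trace(subnet_rt, dst, tgw_rt=TGW_RT):
    """Follow dst from a subnet route table through the TGW; return (hops, verdict)."""
    hops = []
    hit = lookup(subnet_rt, dst)
    if hit is None:
        return hops, "DROP: no matching route in subnet table"
    hops.append(("subnet", str(hit[0]), hit[1]))
    target = hit[1]
    if target == "local":
        return hops, "DELIVERED: local"
    if target.startswith("igw-"):
        # A private (RFC 1918) destination landing here means the subnet table
        # lacks a more specific route for it.
        return hops, "SENT TO INTERNET via " + target
    if target.startswith("tgw-"):
        hit = lookup(tgw_rt, dst)
        if hit is None or hit[1] == "blackhole":
            hops.append(("tgw", str(hit[0]) if hit else None, "blackhole"))
            return hops, "DROP: blackhole in TGW route table"
        hops.append(("tgw", str(hit[0]), hit[1]))
        return hops, "DELIVERED: " + hit[1]
    return hops, "UNKNOWN target " + target


def check_bidirectional(a_rt, a_ip, b_rt, b_ip):
    """Both directions must deliver; a one-way success still fails ping."""
    _, forward = trace(a_rt, b_ip)
    _, back = trace(b_rt, a_ip)
    ok = forward.startswith("DELIVERED") and back.startswith("DELIVERED")
    return ok, forward, back


if __name__ == "__main__":
    for name, b_rt in (("VPC-B without return route", VPC_B_RT_NO_RETURN),
                       ("VPC-B with return route", VPC_B_RT_FIXED)):
        ok, fwd, back = check_bidirectional(VPC_A_PUBLIC_RT, "10.0.1.10", b_rt, "10.1.1.10")
        print(f"{name}: ok={ok}\n  A->B {fwd}\n  B->A {back}")
```

The forward direction delivers to the VPC-B attachment with the exhibited tables alone; whether the reply gets back depends on tables the exhibit does not show, which is exactly what the checker makes explicit. When troubleshooting a real path, run the same lookup against the route table actually associated with the destination subnet, not the VPC's main table.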
Question 17 (medium, multiple choice)

A company is deploying a new VPC with both public and private subnets. The public subnet hosts an internet-facing Application Load Balancer (ALB), and the private subnet hosts EC2 instances running a web application. The EC2 instances need to download updates from the internet, but they must not be directly accessible from the internet. Which combination of steps should a network engineer implement to meet these requirements?

Question 18 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF connected to a VPC. The network engineer notices that traffic from on-premises to the VPC is being dropped intermittently. The on-premises router shows BGP session is up, but the VPC route table does not have the on-premises prefix. What is the most likely cause?

Question 19 (easy, multiple choice)

A company wants to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet this requirement?

Question 20 (medium, multiple choice)

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Direct Connect private VIF. The VPC has a virtual private gateway attached. The on-premises router can ping the private IP of an EC2 instance in the VPC, but application traffic (TCP port 443) fails. What is the most likely cause?

Question 21 (hard, multi select)

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network engineer needs to ensure that traffic between VPC A and VPC B follows a specific path through a Network Virtual Appliance (NVA) in VPC C. Which TWO actions should the engineer take?

Question 22 (medium, multi select)

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway. The private subnet instances need to access an S3 bucket in the same region. Which THREE steps should the network engineer take to ensure the most cost-effective and secure access without traversing the internet?

Question 23 (hard, multiple choice)

A company has a large AWS environment with hundreds of VPCs connected via a Transit Gateway. The network team is implementing a new hub-and-spoke architecture where all traffic between VPCs must be inspected by a centralized firewall appliance in a shared services VPC. The firewall appliance is a third-party virtual appliance that supports VRF-like segmentation. The network engineer has configured the Transit Gateway with separate route tables for each VPC, and the shared services VPC is associated with all route tables. The firewall appliance is deployed in the shared services VPC with two ENIs: one in a 'trust' subnet and one in an 'untrust' subnet. The trust subnet is used for traffic coming from spoke VPCs, and the untrust subnet is used for traffic going to other spoke VPCs. The firewall appliance performs stateful inspection and returns traffic to the Transit Gateway via the correct ENI. However, after implementation, traffic between two spoke VPCs (VPC A and VPC B) is being dropped. The engineer verifies that the Transit Gateway route tables have static routes for each spoke VPC CIDR pointing to the shared services VPC attachment. The spoke VPCs have routes to each other's CIDR via the Transit Gateway. The firewall logs show that traffic from VPC A reaches the trust ENI, but the firewall is unable to send traffic to VPC B because it does not have a route to VPC B's CIDR. What is the most likely cause?

Question 24 (easy, multiple choice)

A company is deploying a hybrid network architecture with an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The on-premises network uses BGP to advertise routes to the VPN connection. After the VPN is established, the on-premises network cannot reach EC2 instances in the VPC. The VPC route table has a route for the on-premises CIDR block pointing to the VPN gateway. What is the most likely cause of this issue?

Question 25 (medium, multi select)

A network engineer is troubleshooting a connectivity issue between two VPCs (VPC-A and VPC-B) that are connected via a VPC peering connection. The engineer has verified that the route tables in both VPCs have the appropriate routes. However, instances in VPC-A cannot ping instances in VPC-B. Which TWO actions should the engineer take to resolve this issue? (Choose two.)

Question 26 (medium, drag order)

Order the steps to set up a Network Load Balancer with a TCP listener in front of an Auto Scaling group:

Question 27 (medium, drag order)

Order the steps to set up a redundant Direct Connect connection with two virtual interfaces in different AWS regions:

Question 28 (medium, matching)

Match each AWS security feature to its description.

Descriptions:

Stateful firewall that controls inbound and outbound traffic at instance level

Stateless firewall that controls traffic at subnet level

Web application firewall that protects against common web exploits

Managed DDoS protection service with enhanced detection and mitigation

Managed firewall service that provides stateful inspection for VPC traffic

Question 29 (medium, matching)

Match each AWS networking monitoring or troubleshooting tool to its primary purpose.

Descriptions:

Capture IP traffic information for security and troubleshooting

Monitor network performance metrics like throughput and latency

Test network path between two resources and identify configuration issues

Copy network traffic for content inspection or security analysis

Trace requests through distributed applications, including network calls

Question 30 (easy, multiple choice)

A company is deploying a new web application on AWS. They need to distribute incoming HTTPS traffic across multiple EC2 instances in different Availability Zones. Which AWS service should they use?

Question 31 (medium, multiple choice)

A company has set up a site-to-site VPN connection between its on-premises network and AWS. The tunnel status shows 'UP' on both sides, but traffic from on-premises cannot reach EC2 instances in the VPC. What is the most likely cause?

Question 32 (hard, multiple choice)

A company runs a critical application on EC2 instances behind an Application Load Balancer. They need to ensure that if an instance fails health checks, it is automatically terminated and replaced. Which AWS service should they use?

Question 33 (easy, multiple choice)

A company is designing a VPC with public and private subnets. They want EC2 instances in private subnets to be able to access the internet for software updates. Which AWS service should they use?

Question 34 (medium, multiple choice)

A company has multiple VPCs that need to communicate with each other. They want to use a hub-and-spoke model with centralized network management. Which AWS service should they use?

Question 35 (hard, multiple choice)

A company is deploying a latency-sensitive application across multiple AWS Regions. They want to use the AWS global network to route traffic to the nearest edge location for fast content delivery. Which service should they use?

Question 36 (easy, multiple choice)

A company needs to connect its on-premises data center to AWS with a dedicated, private network connection that provides consistent performance. Which AWS service should they use?

Question 37 (medium, multiple choice)

A company has a VPC with multiple subnets. They want to centrally control outbound traffic to the internet and log all traffic. Which AWS service should they use?

Question 38 (hard, multiple choice)

A company is running a two-tier application with a web tier and a database tier. The web tier must be accessible from the internet, but the database tier should only be accessible from the web tier. Which architecture should they use?

Question 39 (easy, multi select)

Which TWO of the following are valid options for implementing network segmentation in a VPC?

Question 40 (medium, multi select)

Which THREE of the following are valid methods to connect a VPC to an on-premises network?

Question 41 (hard, multi select)

Which TWO of the following are characteristics of an AWS Network Load Balancer (NLB)?

Question 42 (easy, multiple choice)

A company is deploying a new application in a VPC with public and private subnets. The application servers in the private subnets need to access the internet to download patches. Which configuration meets this requirement without allowing inbound internet traffic?

Question 43 (medium, multiple choice)

A global company wants to connect multiple VPCs across different AWS Regions using a hub-and-spoke model. The hub VPC contains shared services such as Active Directory and DNS. Which AWS service provides the most scalable and maintainable solution for this architecture?

Question 44 (hard, multiple choice)

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network uses BGP to advertise a route for 10.0.0.0/8. The VPC CIDR is 10.1.0.0/16. The company wants to ensure that all traffic from the VPC to on-premises uses the Direct Connect connection, but if the Direct Connect fails, traffic should fail over to a VPN connection. Which configuration achieves this?

Question 45 (easy, multiple choice)

A company wants to enable DNS resolution for a hybrid network using Route 53 Resolver. The on-premises DNS servers are reachable via Direct Connect. The company wants to forward queries for a custom domain (example.corp) from the VPC to on-premises. Which resource should be created in the VPC?

Question 46 (medium, multiple choice)

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket in the same Region. Which solution provides the most secure and cost-effective connectivity?

Question 47 (hard, multiple choice)

A company has multiple AWS accounts and wants to centrally manage network security using AWS Network Firewall. The firewall must inspect traffic between VPCs in the same Region. Which deployment model achieves this with minimal latency?

Question 48 (easy, multiple choice)

A company has a VPC with an application load balancer (ALB) in public subnets and EC2 instances in private subnets. The EC2 instances must only accept traffic from the ALB. Which security group configuration achieves this?

Question 49 (medium, multiple choice)

A company has a Direct Connect connection with a public virtual interface (VIF) to access AWS public services. They want to ensure that all traffic to Amazon S3 from on-premises uses the Direct Connect connection instead of the internet. Which configuration is required?

Question 50 (hard, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Site-to-Site VPN. The on-premises network uses 10.0.0.0/8. The company wants to ensure that traffic from the VPC to on-premises does not overlap with the VPC's own CIDR. Which action should be taken?

Question 51 (easy, multi select)

Which TWO of the following are valid methods to connect a VPC to an on-premises network? (Choose TWO.)

Question 52 (medium, multi select)

Which THREE of the following are considerations when designing a VPC with multiple Availability Zones for high availability? (Choose THREE.)

Question 53 (hard, multi select)

Which TWO of the following are required to establish a BGP session over a Direct Connect private virtual interface? (Choose TWO.)

Question 54 (easy, multiple choice)

A company is deploying an application across multiple Availability Zones in a single AWS Region. The application requires that all traffic between EC2 instances in the same subnet be inspected by a network appliance. Which configuration should be used to meet this requirement?

Question 55 (medium, multiple choice)

A company has multiple VPCs connected via a Transit Gateway. The security team wants to centrally inspect all traffic between VPCs using a third-party firewall appliance. The appliance must be deployed in a single VPC and all inter-VPC traffic must be routed through it. Which architecture should be used?

Question 56 (hard, multiple choice)

A company has a Direct Connect connection with multiple Virtual Interfaces (VIFs) to an on-premises network. The VIFs are associated with a Direct Connect Gateway that is attached to multiple VPCs. The company is experiencing asymmetric routing and wants to ensure that traffic from on-premises to the VPCs always uses the same VIF. Which configuration should be implemented?

Question 57 (easy, multiple choice)

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN connection uses static routes. Recently, the on-premises network administrator added a new subnet (10.0.3.0/24) and needs to ensure that traffic to this subnet is routed through the VPN tunnel. What must be done in the AWS VPC to enable this connectivity?

Question 58 (medium, multiple choice)

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to ensure that traffic can only go out to the internet and not be initiated from the internet. Which configuration should be used?

Question 59 (hard, multiple choice)

A company is migrating a legacy application to AWS. The application requires multicast communication between instances. The company needs to implement a multicast solution within a VPC. Which AWS service or feature should be used to support multicast?

Question 60 (easy, multiple choice)

A company needs to connect its on-premises network to a VPC using AWS Direct Connect. The company wants to use a single Direct Connect connection to connect to multiple VPCs in the same region. Which configuration should be used?

Question 61 (medium, multiple choice)

A company has a VPC with an Application Load Balancer (ALB) that distributes traffic to EC2 instances in private subnets. The ALB needs to be accessible from the internet. The security team requires that all traffic to the ALB be inspected by AWS WAF. Which configuration meets these requirements?

Question 62 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a subnet that hosts an EC2 instance with a sensitive database. The company wants to add an extra layer of encryption for traffic between the on-premises network and the EC2 instance. Which solution should be used?

Question 63 (easy, multi select)

Which TWO of the following are valid methods to connect an on-premises network to an Amazon VPC? (Select TWO.)

Question 64 (medium, multi select)

Which THREE of the following are features of AWS Transit Gateway? (Select THREE.)

Question 65 (hard, multi select)

A company is designing a multi-region architecture using AWS Direct Connect. Which TWO of the following are valid configurations for connecting to multiple regions? (Select TWO.)

Question 66 (medium, multiple choice)

A company is deploying a multi-tier web application in a VPC with public and private subnets. The web servers in the public subnets must be able to initiate outbound connections to the internet for software updates, but must not be directly accessible from the internet. Which configuration meets these requirements?

Question 67 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise a specific prefix (10.0.0.0/16) to the VPC. Recently, the company deployed a new VPC with CIDR 10.0.0.0/16 in a different region and established a VPC peering connection between the two VPCs. Now, traffic from on-premises to the new VPC is being routed to the old VPC instead. How should the company resolve this issue?

Question 68 (easy, multiple choice)

A company wants to provide internet access to instances in a private subnet while ensuring that traffic is logged and inspected. The solution must be highly available within a single AWS Region. Which approach should the company use?

Question 69 (medium, multiple choice)

A company has deployed an application across multiple AWS Regions using Application Load Balancers (ALBs). The company wants to route traffic to the nearest healthy endpoint using latency-based routing. Which AWS service should be used to distribute traffic across the ALBs?

Question 70 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The company also has a Site-to-Site VPN connection to the same VPC as a backup. During a failover test, traffic from on-premises to the VPC continues to use the Direct Connect even after it is intentionally failed. The BGP timers are set to default values. What is the most likely cause?

Question 71 (easy, multiple choice)

A company needs to securely connect multiple VPCs across different AWS Regions using AWS backbone network infrastructure without traversing the public internet. The solution must be managed centrally and support transitive routing between VPCs. Which service should the company use?

Question 72 (medium, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from an S3 bucket in the same region. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should the company implement?

Question 73 (hard, multiple choice)

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer notices that the BGP session is flapping intermittently. The connection is a 1 Gbps dedicated connection with a single private VIF. The router configuration uses default BGP timers. What is the most likely cause of the flapping?

Question 74 (medium, multiple choice)

A company has a VPC with multiple subnets across three Availability Zones. The company wants to deploy a Network Load Balancer (NLB) to distribute TCP traffic to a fleet of EC2 instances. The NLB must preserve the source IP address of the client. Which configuration is required?

Question 75 (hard, multi select)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network advertises the prefix 10.0.0.0/8 to AWS. The VPC has a CIDR of 10.0.0.0/16. A network engineer wants to ensure that traffic from on-premises to a specific subnet 10.0.1.0/24 in the VPC is routed via a dedicated VPN connection instead of Direct Connect for testing purposes. Which TWO actions should the engineer take?

Question 76 (medium, multi select)

A company is designing a hybrid network using AWS Direct Connect and a Site-to-Site VPN as a backup. The company has two Direct Connect connections from different providers for redundancy. The company wants to use BGP to automatically fail over to the VPN if both Direct Connect connections fail. Which TWO configurations are required to achieve this?

Question 77 (hard, multi select)

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Direct Connect and a Site-to-Site VPN. The on-premises network advertises 10.0.0.0/8 over BGP. The company wants to ensure that traffic to the VPC's specific subnet 10.0.1.0/24 is routed via the VPN, while all other traffic to 10.0.0.0/8 uses Direct Connect. Which THREE actions should the network engineer take?
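Several of the hybrid-connectivity questions above (Questions 2, 5, 44, 70, 75 and this one) turn on the same mechanics: the most specific prefix always wins first, and only among equal prefixes do path source, local preference and AS_PATH length decide. The model below, added as a worked example and not part of the question bank, ranks candidate routes for a destination in that order. It is a simplification of the documented virtual private gateway route priority (Direct Connect BGP routes over VPN static routes over VPN BGP routes, then AS_PATH), not AWS's implementation; the local-preference step uses the Direct Connect BGP communities 7224:7100, 7224:7200 and 7224:7300. All route sets and connection names are constructed.

```python
"""Simplified model of route selection on a virtual private gateway when the
same destination is reachable over Direct Connect and Site-to-Site VPN.

Added example, not part of the question bank.  Ranking used here (a
simplification, not AWS's implementation):
  1. longest prefix
  2. Direct Connect BGP > VPN static > VPN BGP
  3. higher local preference (Direct Connect communities 7224:7100/7200/7300)
  4. shorter AS_PATH
Route sets and connection names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SOURCE_RANK = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}
# Direct Connect local-preference communities: low, medium (default), high.
DX_COMMUNITY_LOCAL_PREF = {"7224:7100": 50, "7224:7200": 100, "7224:7300": 150}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                      # key of SOURCE_RANK
    via: str                         # constructed connection name
    as_path: tuple = ()              # e.g. ("65001",) or prepended ("65001", "65001", "65001")
    community: Optional[str] = None  # one of DX_COMMUNITY_LOCAL_PREF keys, or None

    @property
    def local_pref(self) -> int:
        return DX_COMMUNITY_LOCAL_PREF.get(self.community, 100)


def prepend(route: Route, times: int) -> Route:
    """Return a copy of route with its origin ASN prepended `times` more times."""
    origin = route.as_path[0]
    return Route(route.prefix, route.source, route.via,
                 (origin,) * times + route.as_path, route.community)


def best_route(routes, dst) -> Optional[Route]:
    """Select the route the gateway would use for dst under the model above."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (
        -ipaddress.ip_network(r.prefix).prefixlen,  # longest prefix wins
        SOURCE_RANK[r.source],                      # DX > VPN static > VPN BGP
        -r.local_pref,                              # higher local pref wins
        len(r.as_path),                             # shorter AS_PATH wins
    ))


# Constructed: 10.0.0.0/8 learned over both paths, plus a /24 learned over VPN only.
ROUTES = [
    Route("10.0.0.0/8", "dx-bgp", "dx-primary", ("65001",)),
    Route("10.0.0.0/8", "vpn-bgp", "vpn-backup", ("65001",)),
    Route("10.0.1.0/24", "vpn-bgp", "vpn-backup", ("65001",)),
]

# Constructed: two Direct Connect paths for one prefix.
DX_PRIMARY = Route("172.16.0.0/16", "dx-bgp", "dx-primary", ("65001",))
DX_SECONDARY = Route("172.16.0.0/16", "dx-bgp", "dx-secondary", ("65001",))

if __name__ == "__main__":
    print(best_route(ROUTES, "10.0.5.5").via)   # the /8 over Direct Connect
    print(best_route(ROUTES, "10.0.1.7").via)   # the more specific /24 over VPN
    # Prepending on the primary makes the secondary win ...
    print(best_route([prepend(DX_PRIMARY, 2), DX_SECONDARY], "172.16.3.3").via)
    # ... unless the primary also carries the high local-preference community.
    tagged = Route(DX_PRIMARY.prefix, "dx-bgp", "dx-primary",
                   prepend(DX_PRIMARY, 2).as_path, "7224:7300")
    print(best_route([tagged, DX_SECONDARY], "172.16.3.3").via)
```

Two things the model makes concrete: a /24 advertised over the backup path is preferred over a /8 on the primary no matter how the BGP attributes are set, and AS_PATH prepending only matters once prefix length, path source and local preference are already tied.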

Question 78 (medium, multiple choice)

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets contain NAT gateways for outbound internet access from the private subnets. The private subnets host web servers that need to make API calls to an external service over the internet. After implementation, the web servers cannot reach the internet. Which configuration is the most likely cause?

Question 79 (easy, multiple choice)

A network engineer is setting up a Direct Connect connection from an on-premises data center to AWS. The connection uses a private VIF to connect to a VPC via a Direct Connect gateway. The on-premises network is advertising a BGP prefix 10.0.0.0/16, which overlaps with the VPC CIDR 10.0.0.0/16. What is the expected behavior?

Question 80 (hard, multiple choice)

An organization uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to implement traffic inspection between VPCs using a third-party firewall appliance in a central VPC. The firewall must inspect traffic for all inter-VPC flows. Which architecture meets this requirement?

Question 81 (medium, multiple choice)

A company has a VPC with an IPv6 CIDR block and wants to provide internet access to instances in a private subnet using an egress-only internet gateway. Which of the following must be configured correctly?

Question 82 (hard, multiple choice)

A company is implementing a multi-region architecture with VPCs in us-east-1 and eu-west-1. They want to connect these VPCs using a Transit Gateway and ensure that traffic between regions can be inspected by a firewall in us-east-1. Which configuration is required?

Question 83 (easy, multiple choice)

A developer wants to allow an EC2 instance in a VPC to access an Amazon S3 bucket without traversing the public internet. Which AWS service should be used?

Question 84 (medium, multiple choice)

A company has a VPN connection between an on-premises network and AWS using two tunnels for redundancy. The BGP sessions are established, but traffic is only flowing through one tunnel. The engineer wants to ensure both tunnels are actively used. What should be configured?

Question 85 (hard, multiple choice)

An organization is using AWS Direct Connect with a private VIF to connect to a VPC. They want to extend connectivity to multiple VPCs in the same region without creating multiple private VIFs. Which solution should they implement?

Question 86 (medium, multiple choice)

A company has a VPC with a public subnet and a private subnet. They launch an EC2 instance in the private subnet with a private IP only. The instance needs to download patches from the internet. Which configuration is required?

Question 87 (medium, multi select)

A network engineer is troubleshooting connectivity issues between two VPCs connected via a Transit Gateway. The VPCs are in the same region and have proper route tables. Which TWO actions should the engineer perform to diagnose the problem?

Question 88 (hard, multi select)

An organization is designing a hybrid network using AWS Direct Connect with a private VIF. They want to ensure high availability and failover. Which THREE components should be part of the design?

Question 89 (easy, multi select)

A company is deploying an application across multiple VPCs using AWS Transit Gateway. They need to ensure that only specific VPCs can communicate with each other. Which TWO methods can be used to isolate traffic?

Question 90 (medium, multi select)

A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. Which THREE configuration items should the engineer verify?

Question 91 (medium, multiple choice)

An engineer is reviewing VPC Flow Logs for connectivity issues between two EC2 instances (10.0.1.5 and 10.0.2.10) on TCP port 443. The first log entry shows ACCEPT, the second shows REJECT. What is the most likely cause of the REJECT?

Exhibit

Refer to the exhibit.

CLI output from a VPC Flow Log:

2 123456789010 eni-12345 10.0.1.5 10.0.2.10 443 54872 6 10 1000 1432919027 1432919028 ACCEPT OK
2 123456789010 eni-12345 10.0.1.5 10.0.2.10 443 54873 6 25 4000 1432919028 1432919029 REJECT OK
Question 92 (hard, multiple choice)

An EC2 instance whose role carries the IAM policy shown in the exhibit is unable to download objects from an S3 bucket. The instance is in a VPC with CIDR 10.0.0.0/16. The S3 bucket policy allows access from the VPC. What is the most likely reason for the failure?

Exhibit

Refer to the exhibit.

IAM policy attached to an EC2 instance role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
Question 93 (medium, multiple choice)

A company is deploying a hybrid network architecture with an AWS Direct Connect connection. They require high availability with redundant connections to two different AWS Direct Connect locations. Which configuration meets the high availability requirement?

Question 94 (hard, multiple choice)

A company is troubleshooting high latency on an AWS Direct Connect connection. The network team notices that the latency increases during peak hours. The connection uses a single virtual interface (VIF) with a 1 Gbps capacity. What is the MOST likely cause of the latency?

Question 95 (easy, multiple choice)

A company needs to connect multiple VPCs to a common on-premises network through a single AWS Direct Connect connection. Which AWS service should be used to simplify this architecture?

Question 96 (medium, multiple choice)

A company is implementing a multi-region active-active application. They want to route users to the nearest healthy endpoint using DNS. Which AWS service should be used?

Question 97 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. They notice that the BGP session is flapping every few minutes. The network team confirms that the customer router and AWS router are configured correctly. What is the MOST likely cause of the BGP flapping?

Question 98 (easy, multiple choice)

A company is setting up a new VPC with both IPv4 and IPv6 support. They need to ensure that instances in a private subnet can access the Internet for software updates. Which combination of resources is required?

Question 99 (medium, multiple choice)

A company is deploying a web application across multiple Availability Zones in a single region. They want to distribute incoming traffic evenly across all healthy EC2 instances. Which AWS service should be used as the entry point?

Question 100 (hard, multiple choice)

A network engineer is troubleshooting connectivity issues between an on-premises network and a VPC over a Direct Connect private VIF. The on-premises network can reach EC2 instances in the VPC, but cannot reach an RDS database in the same VPC. The VPC has a single subnet. What is the MOST likely cause?

Question 101 (easy, multiple choice)

A company needs to establish a dedicated, private, high-bandwidth connection between its on-premises data center and AWS. Which AWS service should be used?

Question 102 (medium, multi select)

A company is designing a highly available network in AWS. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to use BGP as the routing protocol. Which TWO actions should be taken to ensure high availability?

Question 103 (hard, multi select)

A company is deploying a new VPC with public and private subnets. The VPC will host web servers in the public subnet and database servers in the private subnet. The web servers need to access the internet for updates, and the database servers need to receive traffic only from the web servers. Which THREE components are essential for this architecture?

Question 104 (medium, multi select)

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The network team wants to isolate traffic between VPCs while allowing all VPCs to reach the on-premises network. Which TWO configurations should be implemented?

Question 105 (medium, multiple choice)

A company needs to connect its on-premises data center to AWS using AWS Direct Connect. The company has two redundant connections and wants to use BGP as the routing protocol. Which BGP attribute should be manipulated to influence outbound traffic from AWS to the on-premises network?

Question 106 (easy, multiple choice)

A company has deployed an application in a VPC with public and private subnets across two Availability Zones. The application uses an Application Load Balancer (ALB) in the public subnets to distribute traffic to EC2 instances in the private subnets. The company wants to use AWS WAF to protect against SQL injection attacks. Where should the AWS WAF web ACL be associated?

Question 107 (hard, multiple choice)

A company is implementing a hybrid network using AWS Direct Connect and VPN backup. The company has two Direct Connect connections from different providers and a site-to-site VPN as a backup. The company wants to ensure that traffic is always routed through the Direct Connect connections when they are healthy, and only fails over to the VPN if both Direct Connect connections fail. Which BGP configuration should be used on the customer gateway device (CGW) to achieve this?

Question 108 (medium, multi select)

A company is designing a multi-region active-active application using Application Load Balancers (ALBs) and AWS Global Accelerator. Which TWO configurations are required to route traffic to the correct regional endpoint based on the client's location?

Question 109 (hard, multi select)

A company is setting up AWS Transit Gateway with multiple VPC attachments and an AWS Direct Connect Gateway. The company wants to control which VPCs can communicate with each other and with the on-premises network. Which THREE actions should the company take to implement this?

Question 110 (easy, multi select)

A company is deploying an AWS Client VPN endpoint to provide remote access to its VPC resources. The company wants to allow clients to access resources in multiple subnets within the VPC. Which TWO configurations are necessary?

Question 111 (medium, multiple choice)

A network engineer runs the command in the exhibit to list VPC endpoints. The engineer notices that the second endpoint (vpce-0b2c3d4e5f6g7h8i9) does not have a policy document displayed. What does this indicate?

Exhibit

Refer to the exhibit.

AWS CLI command and output:
$ aws ec2 describe-vpc-endpoints --query 'VpcEndpoints[*].{Id:VpcEndpointId,...}' --output json
[
    {
        "Id": "vpce-0a1b2c3d4e5f6g7h8",
        "Type": "Gateway",
        "ServiceName": "com.amazonaws.us-east-1.s3",
        "PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::my-bucket/*\"]}]}"
    },
    {
        "Id": "vpce-0b2c3d4e5f6g7h8i9",
        "ServiceName": "com.amazonaws.us-east-1.dynamodb"
    }
]
Question 112 (medium, multiple choice)

A network engineer runs the command in the exhibit and sees an ENI (eni-0a1b2c3d4e5f6g7h8) with status 'in-use' but no InstanceId attached. What AWS service is most likely using this ENI?

Exhibit

Refer to the exhibit.

AWS CLI command and output:
$ aws ec2 describe-network-interfaces --query 'NetworkInterfaces[*].{Id:NetworkInterfaceId,...}' --output json
[
    {
        "Id": "eni-0a1b2c3d4e5f6g7h8",
        "Status": "in-use",
        "Description": "RDS-managed",
        "Attachment": {
            "InstanceId": null
        }
    },
    {
        "Id": "eni-0b2c3d4e5f6g7h8i9",
        "Description": "",
        "Attachment": {
            "InstanceId": "i-0c3d4e5f6g7h8i9j0"
        }
    }
]
Question 113 (hard, multiple choice)

A network engineer examines the route table in the exhibit. The VPC has a CIDR of 10.0.0.0/16. There is a VPC peering connection (pcx-...) to a VPC with CIDR 192.168.0.0/16. However, instances in this route table's subnet cannot communicate with the peered VPC. What is the most likely cause?

Exhibit

Refer to the exhibit.

AWS CLI command and output:
$ aws ec2 describe-route-tables --query 'RouteTables[*].{Id:RouteTableId,...}' --output json
[
    {
        "Id": "rtb-0a1b2c3d4e5f6g7h8",
        "VpcId": "vpc-0a1b2c3d4e5f6g7h8",
        "Routes": [
            {
                "DestinationCidrBlock": "10.0.0.0/16",
                "GatewayId": "local"
            },
            {
                "DestinationCidrBlock": "0.0.0.0/0",
                "GatewayId": "igw-0a1b2c3d4e5f6g7h8"
            },
            {
                "DestinationCidrBlock": "192.168.0.0/16",
                "GatewayId": "pcx-0a1b2c3d4e5f6g7h8"
            }
        ]
    }
]
Question 114 (easy, multiple choice)

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets are used for NAT gateways and an Application Load Balancer (ALB). The private subnets host EC2 instances running a web application. What is the most cost-effective and highly available configuration for internet access from the private instances?

Question 115 (medium, multiple choice)

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The VPC uses a virtual private gateway (VGW). The on-premises network advertises a route to a specific subnet (10.0.0.0/24) via BGP. However, traffic from the VPC to that subnet is failing. What should the network engineer check first?

Question 116 (hard, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to inspect traffic between VPCs using a centralized network virtual appliance (NVA) in a security VPC. What is the most scalable and highly available design to achieve this?

Question 117 (medium, multiple choice)

A company has a VPC with private subnets that use a NAT gateway for outbound internet access. The NAT gateway is in a public subnet with an Elastic IP. Users report that some applications are failing to connect to external services. Network engineers confirm that the NAT gateway is in the 'available' state and the route tables have a default route (0.0.0.0/0) pointing to the NAT gateway. What is the most likely cause?

Question 118 (hard, multiple choice)

A company is designing a multi-region architecture with two AWS Regions. They need to connect VPCs in each region to an on-premises data center using AWS Direct Connect. They want to minimize latency and use the same BGP ASN on both sides. Which solution meets these requirements?

Question 119 (easy, multiple choice)

A company wants to allow an EC2 instance in a private subnet to download files from an S3 bucket without traversing the internet. Which AWS service should be used?

Question 120 (medium, multiple choice)

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to another VPC (192.168.0.0/16) using VPC peering. Both VPCs have overlapping CIDRs with some on-premises networks. What must be done to ensure proper routing?

Question 121 (hard, multiple choice)

A company uses AWS Client VPN for remote access. Users report intermittent disconnections. The network engineer notices that the Client VPN endpoint is associated with a single subnet. What change should be made to improve reliability?

Question 122 (easy, multiple choice)

A company has a VPC with both IPv4 and IPv6 CIDRs. They need to allow outbound IPv6 traffic from private subnets to the internet. What should they use?

Question 123 (medium, multi select)

Which TWO of the following are requirements for establishing an AWS Direct Connect private virtual interface? (Choose two.)

Question 124 (hard, multi select)

Which THREE of the following are valid considerations when designing a multi-VPC architecture using AWS Transit Gateway? (Choose three.)

Question 125 (easy, multi select)

Which TWO of the following are true about AWS VPC endpoints? (Choose two.)

Question 126 (medium, multiple choice)

A company is deploying a multi-tier web application on AWS. The web tier runs on EC2 instances behind an Application Load Balancer (ALB), and the application tier runs on EC2 instances that connect to an RDS MySQL Multi-AZ DB instance. The application tier must be isolated from the internet and only accessible from the web tier. Which network implementation meets these requirements with the LEAST administrative overhead?

Question 127 (hard, multiple choice)

A company is implementing a hybrid network architecture with AWS Direct Connect and a VPN backup. The company has two Direct Connect connections from different providers terminating at two AWS Direct Connect locations, each connecting to a separate AWS Transit Gateway in the same region. The VPCs are attached to both transit gateways. The company needs to ensure that traffic from on-premises to VPCs uses the primary Direct Connect connection when available and fails over to the secondary Direct Connect connection, then to the VPN. How should the company configure routing to achieve this?

Question 128 (easy, multiple choice)

A company is setting up AWS Client VPN to allow remote employees to access resources in a VPC. The VPC has a CIDR block of 10.0.0.0/16. The Client VPN endpoint is associated with a subnet 10.0.1.0/24. The company wants to assign client IP addresses from a different CIDR range than the VPC to avoid overlap. Which client CIDR range should the company specify?

Question 129 (medium, multiple choice)

A company is designing a VPC with public and private subnets in two Availability Zones. The private subnets host EC2 instances that need to download patches from the internet. The company wants to minimize costs while ensuring high availability. Which solution meets these requirements?

Question 130 (hard, multiple choice)

A company has an AWS Direct Connect connection with a private VIF to a VPC. The VPC has multiple subnets across two Availability Zones. The company wants to use the Direct Connect connection as the primary path for all traffic from on-premises to the VPC, and use a Site-to-Site VPN as a backup. The on-premises router is configured to advertise a default route via BGP over the Direct Connect, and the VPN also advertises a default route. Which configuration ensures that the Direct Connect path is preferred over the VPN?

Question 131 (easy, multiple choice)

A company is deploying a VPC with IPv6 support. The VPC has a CIDR block of 10.0.0.0/16 and an assigned IPv6 CIDR block of 2600:1f16:xxxx:xxxx::/56. The company wants EC2 instances in a public subnet to be able to communicate with the internet using IPv6. Which configuration is necessary?

Question 132 (medium, multiple choice)

A company is running a stateful firewall appliance in an EC2 instance in a VPC. The appliance inspects traffic between subnets. The company needs to ensure that traffic from the web tier subnet to the application tier subnet passes through the firewall, but the firewall itself must not affect other traffic. Which configuration should the company implement?

Question 133 (hard, multiple choice)

A company has multiple VPCs connected via AWS Transit Gateway. Each VPC has its own route table in the transit gateway. The company wants to restrict traffic between certain VPCs. For example, VPC A should be able to send traffic to VPC B but not to VPC C. VPC B should be able to send traffic to VPC C. Which configuration should the company use?

Question 134 (easy, multiple choice)

A company is setting up a Site-to-Site VPN connection to AWS. The customer gateway device is behind a NAT device that performs address translation. Which tunnel option must be enabled to ensure the VPN tunnel establishes correctly?

Question 135 (medium, multi select)

A company is designing a VPC with a public subnet and a private subnet. The private subnet hosts an RDS database, and the public subnet hosts a web server. The web server needs to access the database. Which TWO of the following are required to allow the web server to connect to the database?

Question 136 (hard, multi select)

A company is using AWS Direct Connect with a private VIF to connect its on-premises network to a VPC. The VPC has a CIDR 10.0.0.0/16. The on-premises network uses 192.168.0.0/16. The company wants to enable communication between on-premises and the VPC, and also allow the VPC to access the internet via an internet gateway. Which TWO of the following configurations are necessary?

Question 137 (medium, multi select)

A company is designing a VPC with multiple subnets. The company wants to use VPC Flow Logs to monitor network traffic. Which TWO of the following are valid destinations for VPC Flow Logs?

Question 138 (easy, multiple choice)

A company is deploying a VPC with public and private subnets. The private subnets need outbound internet access for updates, but must not be directly reachable from the internet. Which AWS service should be used to achieve this?

Question 139 (medium, multiple choice)

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in each region. They want to route users to the nearest healthy ALB using latency-based routing. Which AWS service should be used?

Question 140 (hard, multiple choice)

A network engineer is troubleshooting connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS accounts and regions. The engineer can ping the private IP of an instance in the peered VPC from one side, but not from the other. What is the most likely cause?

Question 141 (easy, multiple choice)

A company wants to deploy a web application on EC2 instances behind an Application Load Balancer (ALB). The application must support sticky sessions (session affinity). What configuration is required on the ALB?

Question 142 (medium, multiple choice)

A company is migrating a legacy application that requires static IP addresses for its clients' firewall whitelisting. The application will be hosted on EC2 instances behind a Network Load Balancer (NLB) in a private subnet. Which approach should the company use to provide static IP addresses for outbound traffic?

Question 143 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. They want to extend this connectivity to multiple VPCs in the same region without creating additional VIFs. Which solution should they implement?

Question 144 (easy, multiple choice)

A company wants to restrict outbound traffic from a VPC to only allow HTTPS traffic to a specific list of domains. Which AWS service can be used to achieve this?

Question 145 (medium, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from an S3 bucket. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should be implemented?

Question 146 (hard, multiple choice)

A company is experiencing intermittent connectivity issues between its on-premises network and AWS via a Direct Connect connection. The link is up, but packet loss is observed. Which test should the network engineer perform first to isolate the issue?

Question 147 (easy, multi select)

Which TWO of the following are valid methods to connect an on-premises data center to a VPC in AWS? (Choose two.)

Question 148 (medium, multi select)

Which TWO of the following are true about using a Network Load Balancer (NLB) with AWS PrivateLink? (Choose two.)

Question 149 (easy, multiple choice)

A company has a VPC with public and private subnets in two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an S3 bucket. What is the MOST cost-effective and secure way to provide this access?

Question 150 (hard, multi select)

Which THREE of the following are considerations when designing a multi-account VPC architecture using AWS Transit Gateway? (Choose three.)

Question 151 (medium, multiple choice)

A company is setting up a Direct Connect connection to AWS. The on-premises router is configured with a BGP ASN of 65000. The AWS side uses the default Amazon-side ASN of 64512, which, like 65000, is in the private ASN range. Which configuration change is required for BGP peering to establish?

Question 152 (medium, multiple choice)

A company is migrating on-premises workloads to AWS using AWS Direct Connect. The company has two Direct Connect connections from different providers for redundancy. Which configuration ensures seamless failover with automatic traffic rerouting?

Question 153 (easy, multiple choice)

A network engineer is designing a VPC with public and private subnets. The private subnets must have outbound internet access but not be directly reachable from the internet. Which AWS service should be used?

Question 154 (hard, multiple choice)

A company has a multi-account AWS Organizations setup with hundreds of VPCs across multiple regions. The network team needs to centralize outbound internet traffic through a set of inspection VPCs for security monitoring. Which solution is MOST scalable and cost-effective?

Question 155 (hard, multiple choice)

A company has a VPC with a transit gateway (TGW) connected to multiple VPCs and an on-premises network via AWS Direct Connect. The on-premises network advertises a specific prefix 10.0.0.0/16. A VPC attachment in the same region also advertises the same prefix. The TGW route table has the on-premises route as static and the VPC route as propagated. Which route will be used for traffic destined to 10.0.0.5?

Question 156 (easy, multiple choice)

An application running on EC2 instances in a private subnet needs to send logs to Amazon CloudWatch Logs. Which step is essential to allow this communication without traversing the internet?

Question 157 (medium, multi select)

A company has a VPC with a CIDR block of 10.0.0.0/16 and needs to establish connectivity to an on-premises network via AWS Site-to-Site VPN. The on-premises network uses a CIDR block of 192.168.0.0/16. The VPN connection will be redundant using two tunnels. Which TWO actions are required to enable this connectivity?

Question 158 (medium, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise its prefixes. Recently, the on-premises router started advertising a more specific route (10.0.0.0/24) that overlaps with the VPC's CIDR (10.0.0.0/16). What is the impact on traffic destined to 10.0.0.5?

Question 159 (hard, multi select)

A company is deploying a global application and wants to use AWS Global Accelerator to improve performance. The application runs behind an Application Load Balancer (ALB) in us-east-1. Which THREE components are part of a Global Accelerator deployment?

Question 160 (hard, multiple choice)

A company is deploying a multi-tier application across multiple VPCs connected via AWS Transit Gateway. The web tier must be able to initiate connections to the app tier, but the app tier must not be able to initiate connections to the web tier. How can this be achieved?

Question 161 (easy, multi select)

A network engineer needs to monitor network traffic in a VPC. Which TWO AWS services can capture and analyze VPC flow logs?

Question 162 (easy, multiple choice)

A company needs to connect its on-premises data center to AWS using a site-to-site VPN. The on-premises firewall does not support IPsec. What alternative solution can the company use?

Question 163 (hard, multiple choice)

Refer to the exhibit. A subnet is created in VPC vpc-abcde but no explicit route table association is set. What is the default route for internet-bound traffic from this subnet?

Exhibit

Refer to the exhibit.

AWS CLI output:
{
    "RouteTables": [
        {
            "Associations": [
                {
                    "Main": true,
                    "RouteTableId": "rtb-12345",
                    "SubnetId": null
                }
            ],
            "Routes": [
                {
                    "DestinationCidrBlock": "10.0.0.0/16",
                    "GatewayId": "local",
                    "Origin": "CreateRouteTable",
                    "State": "active"
                },
                {
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "NatGatewayId": "nat-67890",
                    "Origin": "CreateRoute",
                    "State": "active"
                }
            ],
            "RouteTableId": "rtb-12345",
            "VpcId": "vpc-abcde"
        }
    ]
}
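Resolving which route a subnet actually uses, for the route tables in the Question 113 and Question 163 exhibits, as an added example that is not part of this question bank and not AWS tooling. It applies two rules the questions turn on: a subnet with no explicit association falls back to the VPC's main route table, and the VPC router picks the longest-prefix match among the table's routes (a blackhole route still matches and drops traffic). The Question 113 table is re-expressed in the unprojected describe-route-tables field names, with the peering target under VpcPeeringConnectionId; the subnet IDs subnet-1a and subnet-2b, the explicit association for subnet-2b, and the 172.16.0.0/12 blackhole route are assumptions added for the example.

```python
"""Resolve the next hop a subnet uses for a destination, from
`aws ec2 describe-route-tables` output.

Added example for this question bank; not code from the page or from AWS.
ROUTE_TABLES holds the Question 163 main table and the Question 113 table;
subnet IDs, the explicit association and the blackhole route are assumed.
"""
import ipaddress
from typing import Dict, List, Optional

ROUTE_TABLES = [
    {   # Question 163 exhibit: the VPC's main route table
        "Associations": [{"Main": True, "RouteTableId": "rtb-12345", "SubnetId": None}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
             "Origin": "CreateRouteTable", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-67890",
             "Origin": "CreateRoute", "State": "active"},
        ],
        "RouteTableId": "rtb-12345",
        "VpcId": "vpc-abcde",
    },
    {   # Question 113 exhibit; association to subnet-2b and the blackhole route are assumed
        "Associations": [{"Main": False, "RouteTableId": "rtb-0a1b2c3d4e5f6g7h8",
                          "SubnetId": "subnet-2b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d4e5f6g7h8",
             "State": "active"},
            {"DestinationCidrBlock": "192.168.0.0/16",
             "VpcPeeringConnectionId": "pcx-0a1b2c3d4e5f6g7h8", "State": "active"},
            {"DestinationCidrBlock": "172.16.0.0/12",
             "VpcPeeringConnectionId": "pcx-deleted", "State": "blackhole"},
        ],
        "RouteTableId": "rtb-0a1b2c3d4e5f6g7h8",
        "VpcId": "vpc-0a1b2c3d4e5f6g7h8",
    },
]

# Target attributes a route can carry, in the order we report them.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str, vpc_id: str) -> Dict:
    """An explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise LookupError(f"no explicit or main route table for {subnet_id} in {vpc_id}")
    return main


def route_target(route: Dict) -> str:
    for key in TARGET_KEYS:
        if route.get(key):
            return route[key]
    return "unknown"


def lookup(route_table: Dict, dst: str) -> Optional[Dict]:
    """Longest-prefix match over IPv4 routes. Blackhole routes are not skipped:
    the VPC router still selects them, and traffic matching them is dropped."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 or prefix-list route, out of scope here
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def next_hop(route_tables: List[Dict], subnet_id: str, vpc_id: str, dst: str) -> str:
    """Target the subnet's effective route table sends `dst` to, with the route
    state appended when it is not active (e.g. 'pcx-deleted (blackhole)')."""
    route = lookup(route_table_for_subnet(route_tables, subnet_id, vpc_id), dst)
    if route is None:
        return "no-route"
    state = route.get("State", "active")
    target = route_target(route)
    return target if state == "active" else f"{target} ({state})"


if __name__ == "__main__":
    for subnet, vpc, dst in [("subnet-1a", "vpc-abcde", "8.8.8.8"),
                             ("subnet-2b", "vpc-0a1b2c3d4e5f6g7h8", "192.168.10.1"),
                             ("subnet-2b", "vpc-0a1b2c3d4e5f6g7h8", "172.16.5.5")]:
        print(subnet, dst, "->", next_hop(ROUTE_TABLES, subnet, vpc, dst))
```

For the Question 113 table this confirms that the local side already has a correct longest-prefix match toward the peering connection, so a tool like this narrows the fault to something the route table cannot show (the peer VPC's return route, security groups or network ACLs).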
Question 164 (medium, multiple choice)

A company uses AWS Transit Gateway to connect multiple VPCs. The network team notices that traffic between two VPCs is taking a suboptimal path through a third VPC. What is the most likely cause?

Question 165 (medium, multiple choice)

Refer to the exhibit. After deploying this CloudFormation stack, the VPC is attached to the transit gateway. However, routes are not being propagated to the transit gateway route table. What is the most likely cause?

Exhibit

Refer to the exhibit.

CloudFormation snippet:
```
Resources:
  MyTransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      AutoAcceptSharedAttachments: disable
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      DnsSupport: enable
      VpnEcmpSupport: enable
  MyVpcAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      SubnetIds:
        - subnet-abc
        - subnet-def
      TransitGatewayId: !Ref MyTransitGateway
      VpcId: vpc-12345
```
Question 166hardmultiple choice
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to add IPv6 support for its public-facing web application. The application must be accessible via both IPv4 and IPv6. The VPC already has an Internet Gateway attached. What is the correct set of steps to enable IPv6?

Question 167easymultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A flow log record shows ACCEPT for traffic from 10.0.1.5 to 10.0.2.10 on port 443. Which AWS service is most likely the destination?

Exhibit

Refer to the exhibit.

VPC Flow Logs record:
```
2 123456789010 eni-12345 10.0.1.5 10.0.2.10 443 34567 6 25 7500 1620140761 1620140821 ACCEPT OK
```
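Reading a flow log record correctly depends on knowing the field order of the default (version 2) format: version, account ID, interface ID, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status. Note that in the exhibit 443 is the source port and 34567 the destination port, so the record captures the server-to-client leg: 10.0.1.5 is the HTTPS server replying to 10.0.2.10's ephemeral port. The parser below is an added example, not part of the question bank; it embeds the exhibit as constructed data together with a constructed NODATA record, and the "well-known port means server" rule in `classify` is a heuristic assumption, not an AWS field.

```python
# Added example (not part of the question bank): parse a default-format VPC Flow Logs
# record and say which end is the server. EXHIBIT is the Question 167 record; NODATA is a
# constructed record of the kind written when no traffic is seen during the window.
from datetime import datetime, timezone

# Field order of the default (version 2) flow log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes")
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA numbers; others are left numeric

EXHIBIT = "2 123456789010 eni-12345 10.0.1.5 10.0.2.10 443 34567 6 25 7500 1620140761 1620140821 ACCEPT OK"
NODATA = "2 123456789010 eni-12345 - - - - - - - 1620140761 1620140821 - NODATA"


def parse_record(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError("only the default version-2 format is handled here")
    rec["start"], rec["end"] = int(rec["start"]), int(rec["end"])
    rec["window_utc"] = tuple(datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
                              for t in (rec["start"], rec["end"]))
    if rec["log_status"] != "OK":
        # NODATA / SKIPDATA records carry '-' in the traffic fields and the action.
        for key in ("srcaddr", "dstaddr", *NUMERIC, "action"):
            rec[key] = None
        return rec
    for key in NUMERIC:
        rec[key] = int(rec[key])
    rec["protocol_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec


def classify(rec):
    """Heuristic (assumption, not an AWS field): the side holding a well-known port
    (< 1024) while the other side uses an ephemeral port is the server. A record whose
    srcport is the service port is the server-to-client leg of the flow."""
    if rec["action"] is None:
        return None
    if rec["srcport"] < 1024 <= rec["dstport"]:
        return {"leg": "server-to-client", "server": rec["srcaddr"],
                "service_port": rec["srcport"], "client": rec["dstaddr"]}
    return {"leg": "client-to-server", "server": rec["dstaddr"],
            "service_port": rec["dstport"], "client": rec["srcaddr"]}


if __name__ == "__main__":
    for line in (EXHIBIT, NODATA):
        rec = parse_record(line)
        print(rec["interface_id"], rec["log_status"], rec["window_utc"], classify(rec))
```

Because flow logs are stateless per direction, an ACCEPT on one leg says nothing about whether the matching request leg was also accepted; check the record with srcaddr and dstaddr swapped before concluding that a connection succeeded.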
Question 168mediummulti select
Read the full Network Implementation explanation →

Which TWO of the following are valid methods to connect multiple VPCs together in a hub-and-spoke topology while maintaining centralized control? (Choose two.)

Question 169mediummultiple choice
Read the full Network Implementation explanation →

A company is using AWS Direct Connect with a public virtual interface to access Amazon S3. The on-premises network has a firewall that only allows traffic to specific IP prefixes. What is the best practice to ensure connectivity while maintaining security?

Question 170hardmulti select
Read the full Network Implementation explanation →

Which TWO of the following are best practices for securing a VPC with AWS Network Firewall? (Choose two.)

Question 171hardmultiple choice
Review the full subnetting walkthrough →

A company has multiple VPCs connected via a transit gateway. Each VPC has a security group that allows traffic from the other VPCs' CIDR blocks. The security group rules are getting complex. How can the company simplify security group management while maintaining the same level of security?

Question 172easymulti select
Read the full Network Implementation explanation →

Which THREE of the following are considerations when designing a Direct Connect implementation for high availability? (Choose three.)

Question 173easymultiple choice
Read the full NAT/PAT explanation →

A company is deploying a public-facing web application on EC2 instances behind an Application Load Balancer. The ALB is configured to terminate HTTPS using a certificate from AWS Certificate Manager. What additional step is required to ensure the ALB can validate the certificate?

Question 174easymultiple choice
Review the full subnetting walkthrough →

A company is deploying a VPC with public and private subnets in two Availability Zones. The workloads in the private subnets need to access the internet for software updates. What is the MOST secure way to provide this internet access?

Question 175mediummultiple choice
Read the full Network Implementation explanation →

A network engineer is troubleshooting high latency between two EC2 instances in the same VPC but in different Availability Zones. The instances are in the same security group and have proper rules. Which configuration is most likely causing the latency?

Question 176mediummultiple choice
Review the full subnetting walkthrough →

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC with public and private subnets. The ALB is in public subnets, and the web servers are in private subnets. Clients report intermittent connection errors. Investigation shows that the ALB is marking targets as unhealthy. What is the MOST likely cause?

Question 177hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network uses BGP to advertise routes to the VPC. The company wants to extend this connectivity to a second VPC in the same region without creating additional Direct Connect connections. Which solution should be used?

Question 178easymultiple choice
Study the full multicast explanation →

A company is migrating a legacy application to AWS. The application requires multicast traffic between EC2 instances. Which AWS service can support multicast within a VPC?

Question 179hardmultiple choice
Review the full subnetting walkthrough →

A financial services company is designing a multi-region architecture for disaster recovery. They have a primary VPC in us-east-1 and a standby VPC in us-west-2. Each VPC has its own CIDR block (10.0.0.0/16 and 10.1.0.0/16). They want to use an inter-region VPC peering connection for replication traffic. Which of the following is a required step to establish this peering connection?

Question 180easymultiple choice
Read the full Network Implementation explanation →

A company is deploying a web application across multiple Availability Zones in a VPC. The application tier consists of EC2 instances behind an Application Load Balancer (ALB). The security team requires that all traffic between the ALB and the EC2 instances be encrypted. Which solution meets this requirement?

Question 181easymultiple choice
Read the full Network Implementation explanation →

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. The company wants to use a single Direct Connect connection to connect to multiple VPCs in different AWS accounts. Which AWS service should be used to achieve this?

Question 182mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. The company has a NAT gateway in a public subnet. The EC2 instance can connect to other instances in the VPC but cannot reach the internet. What is the most likely cause?

Question 183mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the public subnet is configured as a NAT instance. The company wants to replace the NAT instance with a NAT gateway for better availability and maintenance. After creating a NAT gateway in the public subnet and updating the route table of the private subnet, traffic from the private subnet cannot reach the internet. What is the MOST likely cause?

Question 184hardmultiple choice
Read the full Network Implementation explanation →

A company is designing a hybrid network using AWS Direct Connect. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to configure a virtual interface (VIF) that provides connectivity to multiple VPCs in the same region. Which type of VIF should they use?

Question 185hardmultiple choice
Read the full Network Implementation explanation →

A company is designing a network architecture for a critical application that requires high availability and low latency. The application will be deployed on EC2 instances in an Auto Scaling group across three Availability Zones in a single region. The instances will communicate with an Amazon RDS database. Which configuration will provide the MOST resilient and performant network connectivity?

Question 186easymultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting connectivity from an on-premises network to an EC2 instance in a VPC via a Site-to-Site VPN. The VPN tunnel is up, but the engineer cannot ping the EC2 instance's private IP. What should the engineer check first?

Question 187easymultiple choice
Read the full Network Implementation explanation →

A company has several VPCs in the same AWS account and region. They want to centrally manage and monitor network traffic between these VPCs and also to on-premises networks. Which AWS service should they use?

Question 188mediummultiple choice
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block and ensure that traffic from the internet to the IPv6-enabled resources is allowed. Which configuration is required?

Question 189mediummultiple choice
Review the full subnetting walkthrough →

A company is setting up a new VPC with a CIDR block of 10.0.0.0/16. They need to create subnets for different tiers: public (web servers), private (application servers), and database (RDS). They want to maximize the number of available IP addresses while ensuring each subnet has at least 256 IP addresses. Which subnet design meets these requirements?

Question 190hardmultiple choice
Read the full VPN explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a CIDR of 10.0.0.0/16 and an on-premises network with CIDR 10.0.0.0/8. The Transit Gateway route table has a static route for 10.0.0.0/8 pointing to the VPN attachment. However, traffic from on-premises to the VPC is not working. What is the most likely cause?

Question 191hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a route 0.0.0.0/0 pointing to the NAT gateway. However, the EC2 instance cannot reach the internet. Which additional configuration is needed?

Question 192easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket. Which AWS service should be used to allow this access without traversing the internet?

Question 193easymulti select
Read the full Network Implementation explanation →

A company is designing a hybrid network using AWS Direct Connect. Which TWO of the following are required to establish a private virtual interface (VIF) to a single VPC?

Question 194mediummultiple choice
Read the full Network Implementation explanation →

A company has a Direct Connect connection with a private virtual interface to a VPC. They want to use the same Direct Connect connection to access another VPC in the same region. Which solution should they implement?

Question 195mediummulti select
Read the full Network Implementation explanation →

A company has multiple VPCs that need to communicate with each other and with an on-premises network via AWS Transit Gateway. Which THREE of the following are valid attachment types for a transit gateway?

Question 196hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet. The company has a NAT gateway in the public subnet. The NAT gateway has an Elastic IP. The private subnet route table has a default route pointing to the NAT gateway. However, the EC2 instance cannot reach the internet. What is the most likely cause?

Question 197hardmulti select
Review the full subnetting walkthrough →

A company is troubleshooting connectivity issues between two VPCs that are peered using an inter-region VPC peering connection. The VPCs have the following CIDR blocks: VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Which THREE of the following are possible reasons for the connectivity failure?

Question 198easymulti select
Read the full Network Implementation explanation →

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which TWO actions should be taken to ensure high availability?

Question 199easymultiple choice
Read the full NAT/PAT explanation →

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets host NAT gateways for outbound internet access from the private subnets. Which configuration ensures that EC2 instances in the private subnets can route traffic to the internet through the NAT gateways?

Question 200mediummulti select
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16. They need to create subnets for a three-tier application. Which THREE subnet CIDR blocks are valid within this VPC?
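Questions 189 and 200 both reduce to the same checks: a subnet CIDR must fall between /16 and /28, lie inside the VPC CIDR, start on a network boundary, and not overlap another subnet in the VPC; and AWS reserves five addresses in every subnet (network address, VPC router, DNS, one for future use, broadcast), so a /24 offers 251 usable addresses, not 256. The script below is an added example, not part of the question bank, that applies those rules with Python's `ipaddress` module; the candidate blocks and tier names are hypothetical.

```python
# Added example (not part of the question bank): validate candidate subnet CIDRs against
# a VPC CIDR and carve per-tier subnets, for Questions 189 and 200. Rules implemented:
# /16 to /28, inside the VPC, aligned, non-overlapping, five reserved addresses per subnet.
import ipaddress

RESERVED_PER_SUBNET = 5


def usable_addresses(cidr):
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def check_subnet(vpc_cidr, candidate, existing=()):
    """Return (ok, reason). `existing` lists subnets already carved from the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    try:
        net = ipaddress.ip_network(candidate)  # strict: host bits set is an error
    except ValueError as exc:
        return False, f"invalid CIDR: {exc}"
    if net.version != 4 or vpc.version != 4:
        return False, "this check covers IPv4 subnets only"
    if not 16 <= net.prefixlen <= 28:
        return False, f"/{net.prefixlen} is outside the allowed /16 to /28 range"
    if not net.subnet_of(vpc):
        return False, f"{net} is not inside {vpc}"
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            return False, f"{net} overlaps existing subnet {other_net}"
    return True, f"{net} is valid with {usable_addresses(str(net))} usable addresses"


def plan_tiers(vpc_cidr, new_prefix, names):
    """Carve equal-size subnets in address order from the VPC, one per name (tier + AZ)."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    plan = {}
    for name in names:
        try:
            plan[name] = str(next(blocks))
        except StopIteration:
            raise ValueError(f"{vpc_cidr} has no room for {len(names)} /{new_prefix} subnets")
    return plan


if __name__ == "__main__":
    vpc = "10.0.0.0/16"
    for cand in ("10.0.1.0/24", "10.0.1.128/24", "10.1.0.0/24", "10.0.0.0/15", "10.0.0.0/29"):
        print(cand, check_subnet(vpc, cand))
    print(plan_tiers(vpc, 24, ["web-a", "web-b", "app-a", "app-b", "db-a", "db-b"]))
```

`plan_tiers` with a /24 per tier and AZ uses six of the 256 available /24 blocks in a /16, leaving room for growth; if a tier needs "at least 256 usable addresses" rather than 256 total, it must be a /23 or larger, because of the five reserved addresses.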

Question 201easymultiple choice
Review the full subnetting walkthrough →

A network engineer is troubleshooting connectivity between two EC2 instances in the same VPC but different subnets. The instances can ping each other's private IP addresses, but traffic on TCP port 443 fails. What is the most likely cause?

Question 202hardmulti select
Read the full VPN explanation →

A company is setting up a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is established, but traffic is not flowing. Which THREE configuration items should be checked?

Question 203mediummultiple choice
Read the full VPN explanation →

A company is implementing a hybrid network using AWS Direct Connect and VPN backup. They have multiple VPCs in a single AWS Region. Which design minimizes the number of Direct Connect virtual interfaces while providing connectivity to all VPCs?

Question 204mediummultiple choice
Review the full subnetting walkthrough →

A network engineer is assigned an IAM policy to manage VPC resources. The engineer attempts to create a VPC with CIDR 10.0.0.0/16 and fails. What is the reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:AssociateRouteTable"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVpc",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/*",
      "Condition": {
        "StringEquals": {
          "ec2:VpcCidrBlock": "10.0.0.0/16"
        }
      }
    }
  ]
}
```
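The policy in the exhibit fails the request because IAM evaluates an explicit Deny ahead of any Allow: the second statement matches ec2:CreateVpc on a VPC ARN in us-east-1 when the condition key equals 10.0.0.0/16, and once a Deny matches, the Allow in the first statement is irrelevant. The evaluator below is an added example, not part of the question bank and not AWS's evaluation engine; it implements only the subset needed here (wildcard Action and Resource matching, StringEquals conditions, Deny over Allow). The condition key is taken from the exhibit as-is, and the request ARN and context values are constructed.

```python
# Added example (not part of the question bank, not AWS's engine): a minimal policy
# evaluator for the Question 204 policy. Only wildcard matching, StringEquals and the
# explicit-Deny-wins rule are implemented. Request ARNs and context are hypothetical.
import fnmatch

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateInternetGateway",
                    "ec2:AttachInternetGateway", "ec2:CreateRouteTable", "ec2:CreateRoute",
                    "ec2:AssociateRouteTable"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "ec2:CreateVpc",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/*",
         "Condition": {"StringEquals": {"ec2:VpcCidrBlock": "10.0.0.0/16"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Only StringEquals is implemented. A key absent from the request context cannot
    match, so a conditioned statement silently does not apply to such requests."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not implemented")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def _applies(stmt, action, resource, context):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), pat) for pat in actions):
        return False  # action names are case-insensitive
    resources = _as_list(stmt.get("Resource", []))
    if not any(fnmatch.fnmatchcase(resource, pat) for pat in resources):
        return False
    return _condition_met(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny'."""
    context = context or {}
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny is not overridden by any Allow
        decision = "allowed"
    return decision


if __name__ == "__main__":
    vpc_arn = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0123456789abcdef0"  # hypothetical
    for cidr in ("10.0.0.0/16", "10.1.0.0/16"):
        print(cidr, evaluate(POLICY, "ec2:CreateVpc", vpc_arn, {"ec2:VpcCidrBlock": cidr}))
```

Two caveats the evaluator makes visible: the Deny is scoped to an ARN in us-east-1, so the same CIDR in another Region is allowed; and a Deny conditioned on a key that is absent from the request does not fire at all, so a guardrail that must hold regardless of whether the key is present needs a different condition shape. Against a live account, `aws iam simulate-custom-policy` gives the authoritative answer.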
Question 205mediummultiple choice
Open the full BGP breakdown →

An organization needs to securely connect its on-premises data center to multiple VPCs in different AWS Regions. The on-premises network uses BGP. Which AWS service should be used to simplify routing and provide a single point of attachment for the on-premises router?

Question 206hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC (10.0.0.0/16) with two subnets: public (10.0.1.0/24) and private (10.0.2.0/24). They have an Application Load Balancer (ALB) in the public subnet that distributes traffic to EC2 instances in the private subnet. The ALB is internet-facing and has a security group that allows inbound HTTP/S from 0.0.0.0/0. The EC2 instances have a security group that allows inbound HTTP from the ALB's security group. Users report that they can access the application, but the application is slow and sometimes times out. The network engineer checks CloudWatch metrics and sees that the ALB's target response time is high. The engineer suspects that the EC2 instances are overwhelmed. Which action should the engineer take to improve performance?

Question 207hardmultiple choice
Read the full Network Implementation explanation →

A company is deploying a latency-sensitive application across two AWS Regions using Application Load Balancers (ALBs) and AWS Global Accelerator. The application uses TCP port 8443. Which configuration ensures the lowest possible latency for global users?

Question 208mediummultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with a private virtual interface (VIF) attached to a Virtual Private Gateway (VGW) that is associated with a single VPC (10.0.0.0/16). The on-premises network uses BGP to exchange routes. The company has recently acquired another company and needs to connect to their VPC (172.16.0.0/16) in the same region. They want to use the existing Direct Connect connection to access both VPCs. The network engineer creates a Transit Gateway, attaches both VPCs, and creates a transit virtual interface (VIF) to the Transit Gateway. The engineer also deletes the private VIF. However, after the change, on-premises users cannot reach either VPC. What should the engineer do to restore connectivity?

Question 209hardmultiple choice
Read the full Network Implementation explanation →

A company is setting up AWS Direct Connect with a 1 Gbps dedicated connection. They want redundant connectivity with automatic failover. What is the most cost-effective way to achieve this?

Question 210mediummultiple choice
Review the full routing breakdown →

A company is deploying a web application across multiple Availability Zones in a VPC. The application needs to be highly available and scale based on traffic. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. The company wants to ensure that if an Availability Zone fails, the ALB can still route traffic to healthy instances in other zones. What should the network engineer implement to meet this requirement?

Question 211easymultiple choice
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC. Which action should they take?

Question 212hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet to download software updates. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, the EC2 instance cannot access the internet. The network engineer verifies that the NAT gateway has an Elastic IP, the security group for the EC2 instance allows outbound HTTPS traffic, and the network ACL for the private subnet allows inbound and outbound ephemeral ports. What is the most likely cause of the issue?

Question 213mediummultiple choice
Read the full VPN explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via VPN. The on-premises network advertises a route for 10.0.0.0/8. One VPC has a CIDR of 10.0.1.0/24. How does Transit Gateway handle the overlapping route?

Question 214easymultiple choice
Review the full subnetting walkthrough →

A company is setting up a Direct Connect connection to AWS. They have a virtual private gateway (VGW) attached to their VPC. They need to establish a single logical connection over the Direct Connect link to access all subnets in the VPC. Which resource should they create on the Direct Connect virtual interface?

Question 215hardmultiple choice
Read the full Network Implementation explanation →

A company is designing a multi-account AWS environment using AWS Organizations. They need to centralize VPC flow logs and network traffic inspection across all accounts. Which architecture meets these requirements with minimal operational overhead?

Question 216mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet. Which solution should a network engineer implement?

Question 217easymulti select
Read the full Network Implementation explanation →

Which TWO of the following are valid methods to connect an on-premises network to an Amazon VPC over a private, dedicated connection? (Select TWO.)

Question 218hardmultiple choice
Review the full subnetting walkthrough →

A company is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) that are peered together. Both VPCs are in the same region. VPC-A has a CIDR of 10.0.0.0/16 and VPC-B has a CIDR of 10.0.0.0/16. The peering connection is established and the route tables are updated. However, EC2 instances in VPC-A cannot ping EC2 instances in VPC-B. What is the most likely cause?

Question 219mediummulti select
Read the full Network Implementation explanation →

Which TWO of the following are benefits of using an AWS Transit Gateway over VPC peering for connecting multiple VPCs? (Select TWO.)

Question 220easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They want to monitor all network traffic entering and leaving the VPC for security analysis. Which AWS service should they use?

Question 221hardmulti select
Read the full VPN explanation →

Which THREE of the following are required to configure a site-to-site VPN connection between an on-premises network and an Amazon VPC? (Select THREE.)

Question 222mediummultiple choice
Open the full BGP breakdown →

A company is connecting their on-premises data center to AWS using a site-to-site VPN. The customer gateway device has a dynamic routing configuration with BGP. The VPN connection is established, but the VPC route table does not contain the on-premises network routes. What is the most likely cause?

Question 223mediummultiple choice
Review the full subnetting walkthrough →

A company is deploying a VPC with public and private subnets across two Availability Zones. They need to ensure that instances in the private subnets can access the internet for software updates without being directly reachable from the internet. Which AWS service should they use?

Question 224hardmultiple choice
Study the full ACL explanation →

A company has deployed a Network Load Balancer (NLB) in a VPC. The NLB is configured with a target group that points to EC2 instances in the same VPC. The network engineer notices that traffic from clients is not being forwarded to the targets. The NLB's security groups and network ACLs allow all traffic. What is the most likely cause?

Question 225hardmultiple choice
Read the full VPN explanation →

A company has a Direct Connect connection with a private VIF to a VPC. They also have a VPN connection as a backup. They want to ensure that traffic always uses the Direct Connect connection when it is available, and only fails over to the VPN if Direct Connect goes down. How should they configure routing?

Question 226easymultiple choice
Read the full Network Implementation explanation →

A company wants to securely connect multiple VPCs in the same region to a common on-premises network using a single Direct Connect connection. Which AWS service should they use to simplify the network architecture?

Question 227easymultiple choice
Read the full VPN explanation →

A company wants to securely connect their on-premises data center to AWS using a site-to-site VPN. They have multiple branch offices that also need to connect to AWS. Which AWS service should they use to simplify the management of multiple VPN connections?

Question 228mediummulti select
Read the full Network Implementation explanation →

A company is designing a multi-tier application in a VPC. The web tier must be accessible from the internet, while the application tier must only be accessible from the web tier. The database tier must be isolated from all other tiers except the application tier. Which TWO network architectures meet these requirements? (Choose TWO.)

Question 229mediummultiple choice
Read the full NAT/PAT explanation →

A company deployed an Application Load Balancer (ALB) in front of a fleet of EC2 instances. Users report intermittent timeouts. The ALB's target group health checks are failing for some instances. The instances are in private subnets with a single NAT Gateway. What is the most likely cause?

Question 230hardmulti select
Study the full multicast explanation →

A company is migrating a legacy application to AWS. The application uses multicast traffic between servers. The company needs to support multicast in the AWS VPC. Which TWO solutions can the network engineer recommend? (Choose TWO.)

Question 231hardmultiple choice
Read the full VPN explanation →

A company has a VPC with a CIDR of 10.0.0.0/16. They create a subnet 10.0.1.0/24 and launch an EC2 instance with a private IP 10.0.1.5. The instance needs to communicate with an on-premises server at 172.16.0.10 over a VPN connection. The VPN connection uses a virtual private gateway (VGW). The VPC route table has a route 172.16.0.0/16 pointing to the VGW. The instance cannot reach the on-premises server. What is the most likely cause?

Question 232mediummulti select
Read the full VPN explanation →

A company is setting up a site-to-site VPN connection between an on-premises network and AWS. The VPN uses two tunnels for high availability. The network engineer needs to ensure that if one tunnel goes down, traffic automatically fails over to the other tunnel. Which THREE steps should the engineer perform? (Choose THREE.)

Question 233easymultiple choice
Read the full Network Implementation explanation →

A company wants to use AWS Direct Connect to establish a dedicated network connection from their on-premises data center to AWS. They need to connect to a VPC in the us-east-1 region. Which of the following is a required step in the setup process?

Question 234hardmultiple choice
Study the full ACL explanation →

A company has a VPC with CIDR 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An Application Load Balancer (ALB) is deployed in the public subnet, and EC2 instances are in the private subnet. The ALB has a target group pointing to the EC2 instances. The security group for the EC2 instances allows traffic from the ALB's security group on port 80. The network ACL for the private subnet allows inbound traffic on port 80 from the public subnet CIDR (10.0.1.0/24) and allows outbound ephemeral ports. However, the ALB health checks are failing with 503 errors. The network engineer checks the ALB logs and sees that TCP connections are established but HTTP requests are timing out. What is the most likely cause?

Question 235mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with two subnets: a public subnet with a NAT Gateway and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a security group that allows all outbound traffic. The private subnet's route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instance cannot reach the internet. What is the most likely issue?

Question 236mediummultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet and a private subnet. They have a NAT Gateway in the public subnet. They also have an EC2 instance in the private subnet that needs to access the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. The security group for the EC2 instance allows outbound HTTPS traffic. The network ACL for the private subnet allows inbound and outbound ephemeral ports. However, the EC2 instance cannot reach the internet. The network engineer checks the NAT Gateway and sees that it has an Elastic IP attached. The engineer also checks the route table for the public subnet and finds no route to the internet. What should the engineer do to fix the issue?

Question 237hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets that are peered with another VPC using a VPC Peering connection. They want to ensure that traffic between the two VPCs is encrypted. What should they do?

Question 238hardmultiple choice
Study the full ACL explanation →

A company has a VPC with CIDR 10.0.0.0/16. They have a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They have a Network Load Balancer (NLB) in the public subnet, and EC2 instances in the private subnet. The NLB has a target group pointing to the EC2 instances. The security group for the EC2 instances allows traffic from the NLB's private IP addresses on port 80. The network ACL for the private subnet allows inbound traffic on port 80 from the public subnet CIDR and outbound ephemeral ports to 0.0.0.0/0. However, clients connecting to the NLB experience intermittent timeouts. The network engineer checks the NLB logs and sees that connections are established but occasionally drop. The engineer also notices that the EC2 instances have a default route to a NAT Gateway in the public subnet. What is the most likely cause of the intermittent timeouts?

Question 239easymultiple choice
Review the full subnetting walkthrough →

A company needs to provide internet access to a VPC that has both public and private subnets. They have already created an Internet Gateway and attached it to the VPC. What else must be configured for instances in the public subnet to be reachable from the internet?

Question 240easymultiple choice
Review the full subnetting walkthrough →

A company has deployed a VPC with public and private subnets. The private subnets need outbound internet access for software updates. Which service should be used to provide this access without exposing the instances to inbound traffic?

Question 241mediummulti select
Read the full Network Implementation explanation →

A company is designing a highly available network architecture using AWS Direct Connect. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to ensure that if one connection fails, traffic automatically fails over to the other. Which TWO steps should they take? (Select TWO.)

Question 242mediummultiple choice
Review the full routing breakdown →

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in each region. They need to route traffic to the closest healthy endpoint. Which AWS service should be used for global load balancing?

Question 243hardmulti select
Review the full subnetting walkthrough →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a subnet that hosts a web application. They need to ensure that traffic from the on-premises network to the web application does not traverse the internet. Which TWO components are required? (Select TWO.)

Question 244hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets across three Availability Zones. They are deploying an NFS file system using Amazon EFS. They need high availability and low latency from all subnets. Which EFS deployment option meets these requirements?

Question 245easymulti select
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. They want to allow instances in the private subnet to download patches from the internet. Which THREE components are required? (Select THREE.)

Question 246easymultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting connectivity from an EC2 instance in a private subnet to an S3 bucket. The VPC has a VPC endpoint for S3 configured. The instance can access the internet via a NAT Gateway. Which configuration is MOST likely causing the connection to S3 to fail?

Question 247mediummultiple choice
Review the full subnetting walkthrough →

Refer to the exhibit. A VPC endpoint for S3 is created as a Gateway endpoint. The route tables rtb-11111111 and rtb-22222222 are associated with the endpoint. An EC2 instance in a subnet associated with rtb-11111111 cannot access S3 via the endpoint. What is the most likely cause?

Network Topology

```
$ aws ec2 describe-vpc-endpoints --region us-east-1
{
  "VpcEndpoints": [
    {
      "VpcEndpointId": "vpce-0a1b2c3d4e5f67890",
      "VpcId": "vpc-12345678",
      "ServiceName": "com.amazonaws.us-east-1.s3",
      "VpcEndpointType": "Gateway",
      "State": "available",
      "RouteTableIds": ["rtb-11111111", "rtb-22222222"],
      "PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}"
    }
  ]
}
```

Question 248 (medium, multiple choice)

A company wants to establish a dedicated, private connection between their on-premises data center and AWS. They require consistent, low-latency performance and support for multiple VLANs. Which AWS service should they use?

Question 249 (hard, multiple choice)

Refer to the exhibit. A Lambda function is attached to a VPC using the network interface eni-1234567890abcdef0. The Lambda function needs to send traffic to an on-premises server via a Direct Connect connection. The traffic is failing. Which setting on the network interface is most likely causing the issue?

Network Topology

```
$ aws ec2 describe-network-interfaces --network-interface-ids eni-1234567890abcdef0
{
  "NetworkInterfaces": [
    {
      "NetworkInterfaceId": "eni-1234567890abcdef0",
      "Description": "AWS Lambda VPC attachment",
      "PrivateIpAddresses": [
        {"PrivateIpAddress": "10.0.1.10", "Primary": true},
        {"PrivateIpAddress": "10.0.1.11", "Primary": false}
      ],
      "Groups": [
        {"GroupId": "sg-12345678", "GroupName": "lambda-sg"}
      ],
      "SubnetId": "subnet-12345678",
      "VpcId": "vpc-12345678",
      "SourceDestCheck": true
    }
  ]
}
```

Question 250 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (443) traffic. The route table for the private subnet has a default route pointing to a NAT Gateway in the public subnet. Which additional configuration is required to ensure the NAT Gateway can route the traffic?

Question 251 (easy, multiple choice)

Refer to the exhibit. The bucket policy shown is applied to an S3 bucket. A VPC endpoint for S3 is created in a VPC with CIDR 10.0.0.0/16. An EC2 instance in the VPC tries to access an object in the bucket using the VPC endpoint. The request fails. What is the most likely reason?

Exhibit

Refer to the exhibit.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.0.0.0/16"
                }
            }
        }
    ]
}
```
Question 252 (easy, multiple choice)

A company is running a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application needs to store session state in an ElastiCache Redis cluster. The Redis cluster should not be accessible from the internet. Which network design should be used?

Question 253 (medium, multiple choice)

A company has deployed a VPC with a public subnet and a private subnet in each of two Availability Zones. They have an Application Load Balancer (ALB) in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access an external API over HTTPS. What is the MOST secure way to provide this access?

Question 254 (medium, multiple choice)

A company is deploying a multi-tier web application in a VPC. The web tier must be accessible from the internet, while the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. Which design best meets these requirements?

Question 255 (hard, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). They launch a NAT Gateway in the public subnet and add a route in the private subnet route table: destination 0.0.0.0/0, target nat-gateway-id. An EC2 instance in the private subnet can ping an external server, but cannot connect to it via SSH. The security group allows outbound SSH (port 22), and the NACL allows outbound ephemeral ports. What is the likely cause?

Question 256 (easy, multiple choice)

A network engineer is setting up a site-to-site VPN connection between an on-premises network and an AWS VPC. The engineer configures the customer gateway device with the correct parameters. However, the VPN tunnel status remains 'DOWN'. What is the most likely cause?

Question 257 (medium, multi-select)

A company is deploying a web application that will be accessed over the internet. They want to use an Application Load Balancer (ALB) to distribute traffic across EC2 instances in multiple Availability Zones. Which TWO configurations are required to make the ALB internet-facing? (Choose TWO.)

Question 258 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise a specific prefix (10.0.0.0/16) to AWS. The VPC CIDR is 10.0.0.0/16. The company wants to ensure that traffic from the VPC to on-premises uses the Direct Connect connection. However, traffic is going over the internet instead. What is the most likely cause?

Question 259 (hard, multi-select)

A company has a VPC with a CIDR of 10.0.0.0/16. They have two Availability Zones, each with a public and a private subnet. They want to connect their on-premises network (192.168.0.0/16) to the VPC using a site-to-site VPN. Which THREE resources are needed to establish the VPN connection? (Choose THREE.)

Question 260 (medium, multiple choice)

An organization is migrating to AWS and needs to connect multiple VPCs in different AWS regions using a hub-and-spoke topology. The hub VPC will host centralized services. Which solution is most cost-effective and provides high throughput?

Question 261 (easy, multi-select)

A company has an AWS Direct Connect connection and wants to connect to multiple VPCs in the same region. Which TWO services can be used to achieve this? (Choose TWO.)

Question 262 (easy, multiple choice)

A company is using a Network Load Balancer (NLB) to distribute traffic to a fleet of EC2 instances. The NLB is configured with a target group that has health checks enabled. Some instances are marked as unhealthy even though they are running and responding to requests on the health check port. What is a likely cause?

Question 263 (medium, multiple choice)

Refer to the exhibit. A company has an S3 bucket with the bucket policy shown. An EC2 instance in a VPC with CIDR 10.0.0.0/16 tries to retrieve an object from the bucket using the S3 console, but receives an 'Access Denied' error. The instance's security group allows all outbound traffic. What is the most likely cause?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/16"
        }
      }
    }
  ]
}
```

Question 264 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. They also have a site-to-site VPN as a backup. The on-premises network advertises the same prefix via BGP over both connections. The company wants to prefer the Direct Connect path. What configuration achieves this?

Question 265 (hard, multiple choice)

A company has a multi-tier application deployed in a VPC. The web tier consists of an internet-facing Application Load Balancer (ALB) in public subnets, and EC2 instances in private subnets. The application tier runs on EC2 instances in separate private subnets, and the database tier uses an Amazon RDS for MySQL instance in private subnets. The application tier needs to connect to the database on port 3306. The security group for the RDS instance (sg-database) has an inbound rule allowing TCP 3306 from the security group of the application tier (sg-app). The application tier instances can connect to the database, but the web tier instances cannot. The web tier instances should not have direct database access. What is the most likely reason for the web tier's inability to connect to the database?

Question 266 (medium, multiple choice)

A security team wants to block traffic from a specific IP address (203.0.113.5) from reaching an EC2 instance. The instance is in a public subnet with a security group that allows all traffic from the internet. A network ACL is associated with the subnet. The team adds a DENY rule for the IP in the network ACL. However, traffic from that IP still reaches the instance. What is the most likely reason?

Question 267 (medium, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16. They have two Availability Zones, each with a public subnet (10.0.1.0/24 and 10.0.2.0/24) and a private subnet (10.0.3.0/24 and 10.0.4.0/24). They have an internet-facing ALB in the public subnets and EC2 instances in the private subnets. The EC2 instances need to download updates from the internet. They deploy a NAT Gateway in each public subnet and add routes in the private subnet route tables pointing to the respective NAT Gateway in the same AZ. However, the EC2 instances in AZ2 cannot access the internet, while those in AZ1 can. What is the most likely cause?

Question 268 (easy, multiple choice)

A company is setting up a VPC with both public and private subnets. The private subnets need outbound internet access for software updates. Which component is required to enable this?

Question 269 (medium, multi-select)

A network engineer is troubleshooting connectivity between an on-premises data center and a VPC over an AWS Site-to-Site VPN. The tunnel status shows UP, but traffic from on-premises to the VPC is intermittently dropped. Which TWO of the following are likely causes? (Choose 2.)

Question 270 (hard, multiple choice)

A company uses AWS Direct Connect with a private VIF to connect to a VPC. They have an on-premises application that needs to resolve private hosted zone names in Amazon Route 53. The on-premises DNS server forwards queries for the private domain to the VPC's DNS resolver. However, resolution fails. What is the most likely cause?

Question 271 (hard, multi-select)

A company uses AWS Transit Gateway with multiple VPC attachments and a VPN attachment to an on-premises network. The on-premises network advertises the same prefix via two separate VPN connections for redundancy. The TGW route table shows both routes as active. Traffic from a VPC to on-premises is not load-balanced and prefers one connection. Which THREE actions would help achieve active-active load balancing? (Choose 3.)

Question 272 (medium, multi-select)

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS region using AWS native services? (Choose two.)

Question 273 (easy, multi-select)

A network engineer is designing a Direct Connect solution with a public VIF and a private VIF. The private VIF will connect to a VPC via a Direct Connect Gateway. Which TWO of the following statements are correct regarding this setup? (Choose 2.)

Question 274 (hard, multiple choice)

A media company runs a latency-sensitive streaming application on Amazon EC2 instances in a VPC. The application sends UDP traffic to multiple on-premises destinations via an AWS Transit Gateway with a VPN attachment. Users report occasional freezing. Network monitoring shows no packet loss on the VPN tunnel, but the application logs show out-of-order packets and high jitter. The company uses a single VPN tunnel with BGP dynamic routing over the public internet. The on-premises router has a 50ms latency to the AWS endpoint. The application requires low jitter and in-order delivery. What should a network engineer do to resolve the issue?

Question 275 (hard, multi-select)

Which THREE of the following are required to establish a highly available site-to-site VPN connection between an on-premises network and an AWS VPC? (Choose three.)

Question 276 (medium, multiple choice)

A financial services company has a VPC with a public subnet and a private subnet. EC2 instances in the private subnet need to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, instances cannot reach the internet. The NAT gateway is in an 'available' state and has an Elastic IP attached. The security group for the NAT gateway allows all outbound traffic. What is the most likely cause of the issue?

Question 277 (easy, multi-select)

Which TWO of the following are true about AWS VPC security groups? (Choose two.)

Question 278 (easy, multiple choice)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect two separate branch offices using AWS Client VPN. Each branch office has a different subnet: Branch A uses 10.0.1.0/24 and Branch B uses 10.0.2.0/24. The Client VPN endpoint is configured with a CIDR range of 10.0.3.0/24. The route table for the VPC has the local route and routes to the Client VPN endpoint. Users from both branches can connect to the VPN but cannot communicate with each other. What is the most likely reason?

Question 279 (easy, multiple choice)

A company is deploying a new application in a VPC with public and private subnets. The application needs to access an S3 bucket in the same AWS Region. Which configuration provides the MOST secure and cost-effective connectivity?

Question 280 (hard, multiple choice)

A global e-commerce company uses AWS CloudFront to distribute content. They have an origin behind an Application Load Balancer (ALB) in a VPC. The ALB is internet-facing and has a security group that allows inbound HTTPS traffic from CloudFront's IP ranges. Users in some regions report slow loading times. The company wants to reduce latency and improve performance. They are considering using Lambda@Edge and origin failover. However, they also notice that the ALB is receiving traffic directly from some IPs that are not CloudFront IPs, causing unnecessary load. What should a network engineer do to restrict access to the ALB to only CloudFront?

Question 281 (medium, multiple choice)

A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application must be accessible over the internet, but the security team requires that all traffic be inspected by a third-party firewall appliance. What is the MOST scalable architecture?

Question 282 (medium, multiple choice)

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The VPC has a virtual private gateway (VGW). The on-premises network uses BGP to exchange routes with the VGW. The company wants to route traffic from the VPC to an on-premises subnet 192.168.1.0/24. The on-premises router advertises 192.168.1.0/24 over BGP. However, instances in the VPC cannot reach that subnet. The VPC route table has the local route and a route to the VGW for 0.0.0.0/0. What is the most likely cause?

Question 283 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway (VGW) attached. The on-premises network advertises a prefix 10.0.0.0/8 over BGP. The VPC has subnets with CIDR 10.0.1.0/24 and 10.0.2.0/24. The company wants to ensure that traffic to on-premises uses Direct Connect. However, traffic to an S3 bucket uses the internet. What route configuration is required?

Question 284 (hard, multiple choice)

A large enterprise uses AWS Organizations with multiple accounts. The central networking account hosts a Transit Gateway with attachments from VPCs in various accounts. The enterprise uses AWS Resource Access Manager (RAM) to share the Transit Gateway with other accounts. A network engineer in a spoke account creates a VPC and attaches it to the shared Transit Gateway. The attachment shows 'available' state. However, traffic from the spoke VPC to other attached VPCs fails. The spoke VPC route table has a route to the Transit Gateway for 0.0.0.0/0. The Transit Gateway route table has routes for the spoke VPC CIDR and other VPC CIDRs. What is the most likely cause?

Question 285 (easy, multiple choice)

A company has multiple VPCs that need to communicate with each other using private IP addresses. The VPCs are in the same AWS account and Region. Which AWS service provides the simplest and most scalable solution?

Question 286 (medium, multiple choice)

A company uses AWS PrivateLink to access a SaaS application hosted in another AWS account. The SaaS provider has created a VPC endpoint service in their account. The consumer has created a VPC endpoint in their VPC. The consumer's VPC has a route table with a local route and a route to a NAT gateway. The VPC endpoint is associated with a security group that allows inbound HTTPS from the consumer's VPC CIDR. The consumer's EC2 instances can resolve the DNS name of the endpoint but cannot connect to the SaaS service. What is the most likely cause?

Question 287 (medium, multiple choice)

A company is deploying a fleet of EC2 instances in private subnets. The instances need to download patches from the internet. The company wants to minimize cost and avoid managing NAT instances. The VPC has an internet gateway (IGW) attached. What should the company do?

Question 288 (hard, multiple choice)

A company has a VPC with public and private subnets across two Availability Zones. They have a Network Load Balancer (NLB) in the public subnets. The NLB has a target group of EC2 instances in the private subnets. The NLB is configured with TLS listeners and uses a certificate from AWS Certificate Manager (ACM). Clients connect to the NLB over the internet. Some clients report connection timeouts. The NLB access logs show that the connections are established but then hang. The target instances are healthy. The security groups for the instances allow inbound TCP/443 from the NLB's private IPs. What is the most likely cause?

Question 289 (medium, multiple choice)

A company has a VPC with IPv4 and IPv6 CIDRs. They have a public subnet with an internet gateway and a private subnet with a NAT gateway. EC2 instances in the private subnet need to download updates from the internet. The instances have IPv6 addresses. The private subnet route table has a default route (::/0) pointing to an egress-only internet gateway. However, instances cannot reach IPv6 internet destinations. The egress-only internet gateway is attached to the VPC and in 'available' state. What is the most likely cause?

Question 290 (hard, multiple choice)

A company is setting up a new AWS account and wants to centrally manage VPC network traffic inspection across multiple accounts using a central VPC. The company uses AWS Organizations. Which architecture meets these requirements?

Question 291 (easy, multiple choice)

A company has a VPC with a public subnet hosting a web server. They want to make the web server accessible over the internet. The web server has a public IP address. The public subnet route table has a default route (0.0.0.0/0) to an internet gateway. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. However, external users cannot access the web server. What is the most likely cause?

Question 292 (easy, multiple choice)

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add an additional non-overlapping CIDR to the VPC. What is a valid CIDR block they can add?

Question 293 (medium, multiple choice)

A company uses AWS Global Accelerator to improve performance for a web application hosted on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The Global Accelerator has an endpoint group in the us-east-1 Region with the ALB as an endpoint. Users in Asia report high latency. The company creates a new endpoint group in ap-southeast-1 and adds the same ALB (which is still in us-east-1). However, users in Asia still experience high latency. What should the network engineer do to reduce latency for Asian users?

Question 294 (medium, multiple choice)

A company is migrating an on-premises application to AWS. The application uses multicast for discovery. Which AWS service supports multicast traffic within a VPC?

Question 295 (hard, multiple choice)

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The VPC has a virtual private gateway (VGW). The on-premises network uses BGP to advertise routes. The company wants to ensure high availability by using two Direct Connect connections from different providers. Both connections terminate at the same Direct Connect location (same AWS device). The company configures two private VIFs, each with a separate BGP session, and attaches both to the same VGW. However, when one connection fails, traffic does not fail over. What is the most likely cause?

Question 296 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network is advertising a default route (0.0.0.0/0) over BGP. The VPC has an internet gateway attached. When an EC2 instance in the VPC sends traffic to an internet destination, which path does it take by default?

Question 297 (medium, multiple choice)

A company is deploying a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group across three Availability Zones, and an Amazon RDS for MySQL database. The ALB has a target group that routes traffic to the EC2 instances on TCP port 8080. The security group for the EC2 instances allows inbound traffic from the ALB's security group on port 8080. Users report intermittent connectivity issues to the application. A network engineer reviews the VPC Flow Logs and notices that traffic from the ALB to the EC2 instances is being recorded as 'REJECT' for some requests. What is the most likely cause of this issue?

Question 298 (medium, multi-select)

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS Region? (Choose TWO.)

Question 299 (hard, multi-select)

A network engineer is designing highly available VPN connectivity between an on-premises data center and AWS. The company has two AWS Direct Connect connections terminated on two different AWS Direct Connect locations for redundancy. The company wants to use AWS Site-to-Site VPN as a backup for Direct Connect. The VPN connections will terminate on a single Virtual Private Gateway (VGW) attached to a VPC. The on-premises network has two customer gateways (CGWs), each with a unique BGP ASN. Which TWO actions should the engineer take to ensure automatic failover and load balancing? (Choose two.)

Question 300 (hard, multi-select)

Which THREE components are required to establish a site-to-site VPN connection between an on-premises network and AWS? (Choose THREE.)

Question 301 (hard, multiple choice)

A financial services company is migrating its on-premises data center to AWS. The company has a three-tier application that consists of web servers, application servers, and a database. The application servers must communicate with the database using a private IP address. The database is hosted on an Amazon RDS for MySQL instance in a private subnet. The application servers are in a public subnet. The company has a security requirement that all traffic between the application servers and the database must be encrypted in transit. The network engineer has created a security group for the RDS instance that allows inbound traffic on port 3306 from the security group of the application servers. The engineer has also enabled encryption at rest for the RDS instance. During a security audit, it is discovered that traffic between the application servers and the database is not encrypted. The application team confirms that the application is configured to connect to the database using a standard MySQL client library without any SSL/TLS options. The network engineer must ensure that all traffic between the application servers and the database is encrypted without modifying the application code. What should the network engineer do?

Question 302 (easy, multi-select)

Which TWO of the following are benefits of using AWS Global Accelerator? (Choose TWO.)

Question 303 (medium, multiple choice)

A company is designing a hybrid network architecture that requires high availability and low latency between its on-premises data center and AWS. They have two redundant 1 Gbps AWS Direct Connect connections. The company wants to use BGP to advertise the same prefix from both locations to AWS. How should they configure the BGP attributes to ensure active/passive failover with automatic failback?

Question 304 (hard, multiple choice)

A company has a VPC with public and private subnets in two Availability Zones. They have a NAT gateway in each AZ for outbound internet access. They recently added a third AZ and created a new private subnet. Instances in the new private subnet cannot reach the internet. The route table for the new subnet has a default route (0.0.0.0/0) pointing to a NAT gateway in the same AZ. What is the most likely cause?

Question 305 (easy, multiple choice)

A network engineer is troubleshooting connectivity between an EC2 instance in a VPC and an on-premises server connected via AWS Site-to-Site VPN. The ping from the EC2 instance to the on-premises server fails. The VPN tunnel status shows 'UP'. Which configuration should the engineer check first?

Question 306 (hard, multiple choice)

A company is deploying a multi-region application and needs to route users to the nearest healthy endpoint. They are using Amazon Route 53 with latency-based routing and health checks. Users in Asia are sometimes routed to the US region even when the Asia endpoint is healthy. What is the most likely cause?

Question 307 (medium, multiple choice)

A company has an AWS Transit Gateway with multiple VPC attachments. They want to centralize outbound internet traffic through a single VPC that has a NAT gateway and an internet gateway. All other VPCs should route internet-bound traffic through this central VPC. What configuration is required?

Question 308 (easy, multiple choice)

A company has a VPC with an Application Load Balancer (ALB) in front of a fleet of EC2 instances. The security group for the EC2 instances must allow traffic only from the ALB. Which source should be specified in the security group inbound rule?

Question 309 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. They want to use BGP to advertise a specific /24 prefix from their on-premises network to AWS. After configuration, the prefix is not visible in the VPC route tables. The BGP session is established. What should the company check?

Question 310 (medium, multiple choice)

A company is deploying a global application behind an Application Load Balancer (ALB) in AWS. They want to use AWS Global Accelerator to improve performance by directing traffic to the nearest healthy endpoint. Which configuration is required to achieve this?

Question 311 (easy, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download software patches from the internet. Which AWS service should be used to provide outbound internet access without allowing inbound traffic?

Question 312 (medium, multi-select)

A company has a VPC with multiple subnets. They want to use VPC Flow Logs to capture network traffic metadata for troubleshooting. Which TWO of the following are valid destinations for VPC Flow Logs? (Select TWO.)

Question 313 (hard, multi-select)

A company is designing a multi-account AWS environment using AWS Transit Gateway. They want to centralize network management and ensure that VPCs in different accounts can communicate. Which THREE steps are required to achieve this? (Select THREE.)

Question 314 (easy, multi-select)

A company is setting up a new VPC and needs to ensure that instances in the VPC can resolve DNS names within AWS (e.g., ec2-203-0-113-25.compute-1.amazonaws.com). Which TWO configurations are required? (Select TWO.)

Question 315 (medium, multiple choice)

A company is deploying a multi-VPC architecture with connectivity requirements. The network team needs to establish private connectivity between VPCs in the same AWS account and region, using services that can scale to 100 Gbps throughput. Which solution meets these requirements?

Question 316 (hard, multiple choice)

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network team reports intermittent connectivity loss to resources in the VPC, but the Direct Connect tunnel status shows as UP. Which configuration is MOST likely causing the issue?

Question 317 (easy, multiple choice)

A company is implementing a hybrid network using AWS Site-to-Site VPN. The on-premises firewall requires that the VPN tunnels use IKEv2 with pre-shared keys and that the tunnels are always active. Which VPN configuration should be used?

Question 318 (medium, multiple choice)

A company is designing a network for a multi-tier application that includes a web tier, application tier, and database tier. The web tier must be accessible from the internet, while the application and database tiers should have no direct internet access. All tiers are in the same VPC. Which configuration meets these requirements?

Question 319 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC has a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. An EC2 instance in the private subnet needs to download patches from the internet. Which configuration is required to provide outbound internet access to the private instance while preventing inbound internet traffic?

Question 320 (medium, multiple choice)
Read the full VPN explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect and Site-to-Site VPN. The network team wants to ensure that traffic between VPCs does not traverse the on-premises network. Which Transit Gateway feature should be used?

Question 321 (hard, multiple choice)
Review the full routing breakdown →

A company has a Direct Connect connection with a private VIF to a Direct Connect gateway. The VIF is associated with a Direct Connect gateway that has a virtual private gateway (VGW) attachment to a VPC. The on-premises network is advertising a route to 10.0.0.0/16. However, the VPC cannot reach on-premises resources. The VPC has a route table with a route to 10.0.0.0/16 pointing to the VGW. What is the MOST likely cause?

Question 322 (easy, multiple choice)
Read the full Network Implementation explanation →

A company wants to securely connect two VPCs in different AWS regions using AWS infrastructure. Which service should be used?

Question 323 (medium, multiple choice)
Read the full VPN explanation →

A company is troubleshooting connectivity issues between an on-premises network and a VPC connected via AWS VPN CloudHub. The on-premises network uses multiple customer gateways (CGWs) connected to a single virtual private gateway (VGW). The company wants to ensure that all traffic from the VPC to on-premises is routed through a specific CGW. Which configuration should be used?

Question 324 (hard, multi select)
Read the full Network Implementation explanation →

Which TWO scenarios are best suited for using AWS Transit Gateway over VPC peering? (Select TWO.)

Question 325 (medium, multi select)
Review the full subnetting walkthrough →

Which THREE actions are required to enable an EC2 instance in a private subnet to download software updates from the internet? (Select THREE.)

Question 326 (medium, multi select)
Read the full Network Implementation explanation →

Which TWO statements about AWS Direct Connect are correct? (Select TWO.)

Question 327 (hard, multiple choice)
Review the full subnetting walkthrough →

Refer to the exhibit. An EC2 instance in a VPC is assigned a public IP via an Elastic IP address. The instance is not reachable from the internet, although its security group allows inbound HTTP traffic from 0.0.0.0/0. An Internet Gateway is attached to the VPC, and the subnet's route table has a route to it. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```
$ aws ec2 describe-network-interfaces --network-interface-ids eni-1234567890abcdef0
{
    "NetworkInterfaces": [
        {
            "Association": {
                "IpOwnerId": "amazon",
                "PublicIp": "203.0.113.5",
                "AllocationId": "eipalloc-0abcdef1234567890"
            },
            "Attachment": {
                "AttachmentId": "eni-attach-0abcdef1234567890",
                "InstanceId": "i-0abcdef1234567890",
                "InstanceOwnerId": "123456789012",
                "DeviceIndex": 0,
                "Status": "attached",
                "DeleteOnTermination": true
            },
            "Description": "Primary network interface",
            "Groups": [
                {
                    "GroupName": "sg-12345678",
                    "GroupId": "sg-12345678"
                }
            ],
            "InterfaceType": "interface",
            "Ipv6Addresses": [],
            "MacAddress": "12:34:56:78:9a:bc",
            "NetworkInterfaceId": "eni-1234567890abcdef0",
            "OwnerId": "123456789012",
            "PrivateIpAddress": "10.0.1.15",
            "PrivateIpAddresses": [
                {
                    "Primary": true,
                    "PrivateIpAddress": "10.0.1.15"
                }
            ],
            "SourceDestCheck": true,
            "Status": "in-use",
            "SubnetId": "subnet-0abcdef1234567890",
            "TagSet": [],
            "VpcId": "vpc-0abcdef1234567890"
        }
    ]
}
```
Question 328 (medium, multiple choice)
Review the full subnetting walkthrough →

Refer to the exhibit. A CloudFormation template creates a VPC with public and private subnets. The template includes an Internet Gateway and a route table with a default route to the IGW, associated with the public subnet. An EC2 instance launched in the public subnet cannot be reached from the internet. The security group allows inbound HTTP from 0.0.0.0/0. What is the MOST likely missing resource?

Exhibit

Refer to the exhibit.

```
# AWS CloudFormation snippet
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref InternetGateway
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref MyVPC
  PublicRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
  PublicSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PublicSubnet
      RouteTableId: !Ref PublicRouteTable
```
Question 329 (hard, multiple choice)
Read the full VPN explanation →

Refer to the exhibit. A VPN connection is established between an on-premises network (10.0.0.0/16) and an AWS VPC (172.16.0.0/16). The on-premises network can ping the VPC's private IP addresses, but the VPC cannot ping the on-premises network's IP addresses. The VPC route table has a route to 10.0.0.0/16 pointing to the VGW. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```
$ aws ec2 describe-vpn-connections --vpn-connection-ids vpn-1234567890abcdef0
{
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1234567890abcdef0",
            "State": "available",
            "CustomerGatewayConfiguration": "...",
            "Type": "ipsec.1",
            "CustomerGatewayId": "cgw-1234567890abcdef0",
            "VpnGatewayId": "vgw-1234567890abcdef0",
            "Options": {
                "EnableAcceleration": false,
                "StaticRoutesOnly": false,
                "LocalIpv4NetworkCidr": "0.0.0.0/0",
                "RemoteIpv4NetworkCidr": "0.0.0.0/0",
                "TunnelOptions": [
                    {
                        "OutsideIpAddress": "52.0.0.1",
                        "TunnelInsideCidr": "169.254.10.0/30",
                        "PreSharedKey": "secret"
                    },
                    {
                        "OutsideIpAddress": "52.0.0.2",
                        "TunnelInsideCidr": "169.254.10.4/30"
                    }
                ]
            },
            "Routes": [
                {
                    "Source": "static",
                    "DestinationCidrBlock": "10.0.0.0/16",
                    "State": "available"
                }
            ]
        }
    ]
}
```
Question 330 (medium, multiple choice)
Review the full subnetting walkthrough →

A company is deploying a multi-tier web application across three Availability Zones in a VPC. The web tier must be highly available and scale based on CPU utilization. The database tier uses an Amazon RDS Multi-AZ DB instance. The web tier must have the lowest possible latency to the internet. Which configuration should be used for the web tier subnets?

Question 331 (easy, multiple choice)
Read the full Network Implementation explanation →

A company wants to connect its on-premises data center to AWS using AWS Direct Connect. The company requires a dedicated 1 Gbps connection with low latency and high bandwidth for mission-critical workloads. Which type of Direct Connect interface should be used?

Question 332 (hard, multiple choice)
Read the full VPN explanation →

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has three subnets: 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24. An EC2 instance in subnet 10.0.1.0/24 needs to send traffic to an on-premises server at 10.0.0.5/32 via a VPN connection. The VPC route table has a route to the VPN gateway for 10.0.0.0/8. What is the expected behavior?

Question 333 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company is using AWS CloudFormation to deploy a VPC with two public subnets and two private subnets across two Availability Zones. The template includes an internet gateway and a NAT gateway in each public subnet. The company needs to ensure that instances in the private subnets can access the internet. Which route table configuration should be used?

Question 334 (hard, multiple choice)
Read the full VPN explanation →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to establish a site-to-site VPN connection to an on-premises network with a CIDR of 192.168.0.0/16. The VPN tunnel is up, but traffic from the VPC to on-premises is not flowing. Which of the following is the most likely cause?

Question 335 (easy, multiple choice)
Read the full Network Implementation explanation →

A company is designing a network for a highly available application across multiple AWS regions. The application requires low-latency communication between regions and uses IP addresses that cannot change. Which AWS service should be used to connect the VPCs in different regions?

Question 336 (medium, multiple choice)
Read the full Network Implementation explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The company wants to centralize network security by inspecting all traffic between VPCs and between VPCs and on-premises. Which architecture should be used?

Question 337 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket to download files. The company wants to avoid using a NAT gateway and minimize latency. Which solution should be used?

Question 338 (easy, multiple choice)
Review the full subnetting walkthrough →

A company is deploying a web application in a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The ALB must only accept traffic from the internet and forward it to the instances. Which subnet configuration is correct for the ALB and EC2 instances?

Question 339 (medium, multi select)
Review the full subnetting walkthrough →

A company is deploying a VPC with a CIDR block of 10.0.0.0/16. The VPC requires six subnets: three public and three private, each with a /24 CIDR. The company needs to ensure high availability across three Availability Zones. Which TWO of the following are valid subnet CIDR assignments that meet these requirements?
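The way to check any candidate answer to this question is mechanical: every block must be a /24 on a proper boundary, must sit inside 10.0.0.0/16, must not overlap any other subnet, and each AZ must get one public and one private block. As an added example that is not part of the page, the Python below (standard-library ipaddress only) generates such a layout and validates a proposed one. The AZ names and tier labels are assumptions, and the invalid plan in the usage is constructed to fail in the three ways that matter: a block outside the VPC CIDR, an overlap with another subnet, and a wrong prefix length.

```python
import ipaddress
from itertools import combinations

# Assumed AZ names; any three distinct labels would do.
AZS = ("us-east-1a", "us-east-1b", "us-east-1c")
TIERS = ("public", "private")


def plan_subnets(vpc_cidr, azs=AZS, tiers=TIERS, new_prefix=24):
    """Carve one /new_prefix block per (tier, AZ) out of the VPC CIDR, in order.
    Returns {(tier, az): "a.b.c.d/len"}."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {(tier, az): str(next(blocks)) for tier in tiers for az in azs}


def validate_subnet_plan(vpc_cidr, plan, azs=AZS, tiers=TIERS, new_prefix=24):
    """Return a list of problems with a proposed assignment; [] means it is valid.
    Checks: well-formed CIDR, requested prefix length, inside the VPC CIDR,
    no overlap between subnets, and one subnet per tier per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, nets = [], {}
    for key, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{key}: {cidr} is not a valid network/prefix")
            continue
        if net.prefixlen != new_prefix:
            problems.append(f"{key}: {cidr} is a /{net.prefixlen}, expected /{new_prefix}")
        if not net.subnet_of(vpc):
            problems.append(f"{key}: {cidr} is outside the VPC CIDR {vpc}")
        nets[key] = net
    # Pairwise overlap check; AWS rejects overlapping subnets in one VPC.
    for (k1, n1), (k2, n2) in combinations(nets.items(), 2):
        if n1.overlaps(n2):
            problems.append(f"{k1} {n1} overlaps {k2} {n2}")
    for tier in tiers:
        for az in azs:
            if (tier, az) not in plan:
                problems.append(f"no {tier} subnet in {az}")
    return problems


if __name__ == "__main__":
    good = plan_subnets("10.0.0.0/16")
    print("generated plan:", good)
    print("problems:", validate_subnet_plan("10.0.0.0/16", good))
    # Constructed invalid assignment: outside the VPC, overlapping, wrong size.
    bad = dict(good)
    bad[("private", "us-east-1a")] = "10.1.3.0/24"
    bad[("private", "us-east-1b")] = "10.0.0.0/24"
    bad[("private", "us-east-1c")] = "10.0.7.0/25"
    for problem in validate_subnet_plan("10.0.0.0/16", bad):
        print("problem:", problem)
```

The generator simply takes consecutive /24s, so public blocks land at 10.0.0.0/24 through 10.0.2.0/24 and private ones at 10.0.3.0/24 through 10.0.5.0/24; any non-overlapping set of /24s inside the /16 validates just as well, which is the point of the multi-select.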

Question 340 (hard, multi select)
Read the full VPN explanation →

A company is configuring a site-to-site VPN connection between its on-premises network and AWS. The VPN tunnel is up, but traffic is not passing. The company has verified that routes are correct on both sides. Which TWO actions should the company take to troubleshoot the issue?

Question 341 (medium, multi select)
Read the full Network Implementation explanation →

A company is designing a hybrid network using AWS Direct Connect. The company has a single 1 Gbps dedicated connection and wants to connect to multiple VPCs in the same region. Which THREE steps are necessary to achieve this connectivity?

Question 342 (hard, multiple choice)
Read the full Network Implementation explanation →

A network engineer is reviewing VPC Flow Logs for a VPC. The logs show that traffic from 10.0.1.5 to 10.0.2.10 on port 443 is being accepted and rejected intermittently. Both instances are in the same VPC. What is the most likely cause?

Exhibit

Refer to the exhibit. The following is an excerpt from a VPC Flow Log:

```
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12345 6 10 1000 1234567890 1234567890 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12346 6 10 1000 1234567890 1234567890 REJECT OK
```
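Reading the exhibit depends on the default version 2 field order: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status. Both records are therefore the server side (10.0.1.5, source port 443) replying to the client's ephemeral ports 12345 and 12346, and only the second reply is rejected. As an added example that is not part of the page, the Python below parses records in that format and flags a conversation whose return leg is both accepted and rejected; the sample input is the exhibit's two records plus two constructed ones (a further rejected reply and the client's forward leg) so that the detector sees one flapping flow and one clean flow.

```python
from collections import defaultdict

# Default VPC Flow Log (version 2) field order, one space-separated record per line.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the exhibit's two records plus two made-up ones
# (a third reply on port 12347 and the client's forward leg 40000 -> 443).
SAMPLE_FLOW_LOG = """\
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12345 6 10 1000 1234567890 1234567890 ACCEPT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12346 6 10 1000 1234567890 1234567890 REJECT OK
2 123456789010 eni-12345678 10.0.1.5 10.0.2.10 443 12347 6 10 1000 1234567890 1234567890 REJECT OK
2 123456789010 eni-12345678 10.0.2.10 10.0.1.5 40000 443 6 8 800 1234567890 1234567890 ACCEPT OK
"""


def parse_flow_log(text):
    """Parse default-format records into dicts. NODATA/SKIPDATA records (log-status
    other than OK) carry no usable flow fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def find_flapping_flows(records):
    """Group records by (src, dst, protocol, service port) and return the groups in
    which the same conversation was both accepted and rejected.

    The service port is taken as the lower of the two ports; the other side is
    treated as the client's ephemeral port, which is exactly what a stateless
    network ACL rule has to cover on the return leg."""
    groups = defaultdict(lambda: {"ACCEPT": set(), "REJECT": set()})
    for rec in records:
        if rec["action"] not in ("ACCEPT", "REJECT"):
            continue
        service_port = min(rec["srcport"], rec["dstport"])
        ephemeral = max(rec["srcport"], rec["dstport"])
        key = (rec["srcaddr"], rec["dstaddr"], rec["protocol"], service_port)
        groups[key][rec["action"]].add(ephemeral)

    flapping = []
    for (src, dst, proto, port), seen in sorted(groups.items()):
        if seen["ACCEPT"] and seen["REJECT"]:
            flapping.append({
                "src": src, "dst": dst, "protocol": proto, "service_port": port,
                "accepted_ephemeral": sorted(seen["ACCEPT"]),
                "rejected_ephemeral": sorted(seen["REJECT"]),
            })
    return flapping


if __name__ == "__main__":
    for flow in find_flapping_flows(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{flow['src']} -> {flow['dst']} proto {flow['protocol']} service port {flow['service_port']}:")
        print("  accepted client ports:", flow["accepted_ephemeral"])
        print("  rejected client ports:", flow["rejected_ephemeral"])
```

Security groups are stateful and never reject the reply leg of a connection they admitted, so an ACCEPT/REJECT mix on replies from port 443 points at a stateless network ACL whose ephemeral-port rule does not cover every client port; the rejected_ephemeral list is the range you need to compare against that rule.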
Question 343 (medium, multiple choice)
Review the full routing breakdown →

A network engineer is troubleshooting connectivity issues. The route table shows a blackhole route for 10.0.0.0/8 pointing to a VPC endpoint (vpce-12345678). What is the most likely cause of the blackhole state?

Exhibit

Refer to the exhibit. The following is an AWS CLI output:

```
{
    "RouteTables": [
        {
            "RouteTableId": "rtb-12345678",
            "Routes": [
                {
                    "DestinationCidrBlock": "10.0.0.0/16",
                    "GatewayId": "local",
                    "State": "active"
                },
                {
                    "DestinationCidrBlock": "0.0.0.0/0",
                    "GatewayId": "igw-12345678",
                    "State": "active"
                },
                {
                    "DestinationCidrBlock": "10.0.0.0/8",
                    "GatewayId": "vpce-12345678",
                    "State": "blackhole"
                }
            ]
        }
    ]
}
```
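An added example that is not part of the page: a Python reader for describe-route-tables output that reproduces the VPC router's decision for a given destination. It serves this question and Question 332 above at the same time. 10.0.0.5 matches both 10.0.0.0/16 (local) and 10.0.0.0/8, and the /16 wins on longest prefix, which is why a VPN or endpoint route for the /8 never captures traffic to addresses inside the VPC's own /16. 10.5.0.1 matches only the /8, and because that route is in a blackhole state the packet is dropped; the router does not fall through to the less specific 0.0.0.0/0 route. The route table is the exhibit's; the probe addresses are constructed.

```python
import ipaddress
import json

# describe-route-tables output as shown in the exhibit above.
ROUTE_TABLES_JSON = """
{
    "RouteTables": [
        {
            "RouteTableId": "rtb-12345678",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678", "State": "active"},
                {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vpce-12345678", "State": "blackhole"}
            ]
        }
    ]
}
"""

# Keys under which describe-route-tables reports a route's target.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId", "VpcPeeringConnectionId",
               "NetworkInterfaceId", "InstanceId", "EgressOnlyInternetGatewayId", "LocalGatewayId")


def load_routes(cli_output):
    """Flatten describe-route-tables JSON into IPv4 route dicts."""
    routes = []
    for table in json.loads(cli_output)["RouteTables"]:
        for route in table["Routes"]:
            if "DestinationCidrBlock" not in route:
                continue  # IPv6 and prefix-list destinations are out of scope here
            target = next((route[k] for k in TARGET_KEYS if k in route), None)
            routes.append({
                "table": table["RouteTableId"],
                "cidr": ipaddress.ip_network(route["DestinationCidrBlock"]),
                "target": target,
                "state": route.get("State", "active"),
            })
    return routes


def blackhole_routes(routes):
    """Destinations whose target no longer exists (deleted endpoint, gateway, ENI...)."""
    return [str(r["cidr"]) for r in routes if r["state"] == "blackhole"]


def decide(routes, destination):
    """Mimic the VPC router: longest-prefix match, then act on the chosen route.

    Returns (matched_cidr, target, action): 'deliver' for the local route,
    'forward' for an active gateway route, 'drop' for a blackhole route, and
    (None, None, 'drop') when nothing matches. A blackhole route still wins the
    prefix comparison; there is no fallback to a less specific active route."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["cidr"]]
    if not candidates:
        return (None, None, "drop")
    best = max(candidates, key=lambda r: r["cidr"].prefixlen)
    if best["state"] == "blackhole":
        action = "drop"
    elif best["target"] == "local":
        action = "deliver"
    else:
        action = "forward"
    return (str(best["cidr"]), best["target"], action)


if __name__ == "__main__":
    routes = load_routes(ROUTE_TABLES_JSON)
    print("blackhole routes:", blackhole_routes(routes))
    for probe in ("10.0.0.5", "10.5.0.1", "203.0.113.5"):
        print(probe, "->", decide(routes, probe))
```

The practical takeaway for the blackhole case is that a stale route is not harmless: the /8 still shadows the default route for every 10.x address outside the VPC, so until the route is deleted or re-pointed, that traffic silently disappears.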
Question 344 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company is using CloudFormation to deploy a VPC. The private subnet route table has a route to a NAT gateway. However, instances in the private subnet cannot access the internet. The NAT gateway is in a public subnet and has an attached Elastic IP. What is the most likely issue?

Exhibit

Refer to the exhibit. The following is a CloudFormation snippet:

```
  PrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  PrivateRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      RouteTableId: !Ref PrivateSubnetRouteTable
```
Question 345 (medium, multiple choice)
Review the full subnetting walkthrough →

A company is deploying a VPC with public and private subnets in two Availability Zones. The private subnets need outbound internet access for software updates but must not be reachable from the internet. Which AWS service should be used to achieve this?

Question 346 (hard, multiple choice)
Read the full Network Implementation explanation →

A company has a Direct Connect connection with a private VIF to a VPC. They want to use the same connection to access another VPC in a different region. What is the simplest way to achieve this?

Question 347 (easy, multiple choice)
Review the full subnetting walkthrough →

A network engineer needs to allow an EC2 instance in a private subnet to access an S3 bucket without traversing the internet. Which AWS service should be used?

Question 348 (medium, multiple choice)
Read the full Network Implementation explanation →

A company has an AWS Transit Gateway with multiple VPC attachments. They need to inspect traffic between VPCs using a third-party firewall appliance. What is the best approach?

Question 349 (hard, multiple choice)
Open the full BGP breakdown →

A company uses AWS Direct Connect with a private VIF to connect to a VPC. They also have a VPN connection as a backup. How should they configure BGP to ensure that the VPN is only used when Direct Connect fails?

Question 350 (easy, multiple choice)
Read the full VPN explanation →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Site-to-Site VPN. The on-premises network uses 10.0.0.0/8. What should be done to avoid overlapping CIDRs?

Question 351 (medium, multiple choice)
Study the full IPv6 explanation →

A company has a VPC with an IPv6 CIDR and wants to provide internet access to instances in a private subnet using IPv6. Which AWS service should be used?

Question 352 (hard, multiple choice)
Review the full routing breakdown →

A network engineer is troubleshooting connectivity between two VPCs that are peered. The route tables are correct, and security groups allow traffic. However, ICMP ping fails. What is the most likely cause?

Question 353 (easy, multiple choice)
Review the full subnetting walkthrough →

A company wants to provide internet access to instances in a public subnet. Which component must be attached to the VPC and have a route to it in the subnet's route table?

Question 354 (medium, multi select)
Read the full Network Implementation explanation →

Which TWO of the following are valid methods to connect an on-premises data center to an Amazon VPC over a private, dedicated network connection? (Choose two.)

Question 355 (hard, multi select)
Read the full Network Implementation explanation →

Which THREE of the following are benefits of using AWS Transit Gateway over VPC peering for inter-VPC connectivity? (Choose three.)

Question 356 (medium, multi select)
Read the full Network Implementation explanation →

Which TWO of the following are valid configurations for an AWS Direct Connect virtual interface? (Choose two.)

Question 357 (hard, multiple choice)
Read the full DNS explanation →

A network engineer created a VPC endpoint for the service shown in the exhibit. The endpoint is in the 'available' state, but instances in the VPC cannot resolve the private DNS name 'example.com'. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
# AWS CLI output: describe-vpc-endpoint-services
{
    "ServiceNames": [
        "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"
    ],
    "ServiceDetails": [
        {
            "ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0",
            "ServiceId": "vpce-svc-0123456789abcdef0",
            "ServiceType": [
                {
                    "ServiceType": "Interface"
                }
            ],
            "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            "Owner": "123456789012",
            "PrivateDnsName": "example.com",
            "VpcEndpointPolicySupported": true,
            "AcceptanceRequired": true,
            "ManagesVpcEndpoints": false,
            "BaseEndpointDnsNames": ["vpce-0123456789abcdef0-us-east-1a.vpce.amazonaws.com"]
        }
    ]
}
```
Question 358 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has an S3 bucket with the bucket policy shown. The VPC endpoint ID is correct. However, an EC2 instance in a private subnet in the same VPC cannot download objects from the bucket. What is a possible reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```
Question 359 (easy, multiple choice)
Review the full subnetting walkthrough →

A network engineer created the CloudFormation stack shown. After creation, an EC2 instance launched in PublicSubnet does not have a public IP address. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
# CloudFormation snippet
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      MapPublicIpOnLaunch: true
```
Question 360 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Both VPCs have route tables that include routes to each other's CIDR blocks via the peering connection. Instances in VPC A can ping instances in VPC B, but traffic to an Application Load Balancer (ALB) in VPC B fails. The ALB is in public subnets with internet-facing scheme. What is the most likely cause?

Question 361 (easy, multiple choice)
Review the full routing breakdown →

A network engineer is designing a hybrid network using AWS Direct Connect. The company requires high availability and wants to use a single AWS Direct Connect location with two connections from different customer routers. Which solution meets the high availability requirement?

Question 362 (hard, multiple choice)
Review the full routing breakdown →

A company is deploying a multi-region application with an Application Load Balancer (ALB) in us-east-1 and a second ALB in eu-west-1. They want to route traffic to the nearest region using Amazon Route 53. They have set up a latency-based routing policy. Users in North America are being routed to eu-west-1 instead of us-east-1. What is the most likely cause?

Question 363 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via AWS Direct Connect. The on-premises network advertises the 10.0.0.0/8 prefix. One VPC has a route to the Transit Gateway for 0.0.0.0/0. Instances in that VPC can reach the internet via a NAT gateway but cannot reach on-premises resources. What is the most likely issue?

Question 364 (easy, multiple choice)
Read the full VPN explanation →

A company is setting up an AWS Client VPN endpoint for remote access. Users report they can connect to the VPN but cannot access resources in the VPC. The VPN endpoint is associated with a subnet that has a route table with a route to an internet gateway. The security group for the VPN endpoint allows all traffic. What could be the issue?

Question 365 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company uses AWS Direct Connect with a public VIF to access Amazon S3. They notice that traffic to S3 is taking a suboptimal path (going through the internet) instead of the Direct Connect connection. The VPC has a route table with a route for S3 prefix list via the virtual private gateway. What is the most likely cause?

Question 366 (medium, multiple choice)
Read the full Network Implementation explanation →

A company is implementing a network for a three-tier application in a VPC. They need to ensure that the web tier can communicate with the application tier, but the application tier cannot initiate connections to the web tier. Which configuration should be used?

Question 367 (hard, multiple choice)
Open the full BGP breakdown →

A company has an AWS Direct Connect connection with a private VIF to a VPC. They also have a VPN connection as a backup. They want to use BGP attributes to prefer the Direct Connect path. On the customer router, they set a lower local preference for routes received via the VPN. However, traffic still uses the VPN. What could be the reason?

Question 368 (easy, multiple choice)
Review the full subnetting walkthrough →

A company is deploying a VPC with public and private subnets. They want to allow instances in a private subnet to access the internet for software updates while preventing inbound internet traffic. Which configuration should be used?

Question 369 (medium, multi select)
Read the full Network Implementation explanation →

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) in multiple Availability Zones. Which TWO configurations are required to achieve high availability?

Question 370 (hard, multi select)
Read the full Network Implementation explanation →

A company is implementing a network segmentation strategy using AWS Transit Gateway. They have three VPCs: production, development, and shared services. They need to ensure that production and development VPCs can both access shared services, but cannot communicate with each other. Which THREE configurations are required?

Question 371 (easy, multi select)
Read the full VPN explanation →

A company is setting up a site-to-site VPN connection between an on-premises network and AWS. Which TWO components are required for the VPN connection?

Question 372 (easy, multiple choice)
Read the full Network Implementation explanation →

A company is setting up a Direct Connect connection between its on-premises data center and AWS. The company wants to use a single virtual interface (VIF) to access multiple VPCs in the same AWS Region. Which AWS service should be used to achieve this?

Question 373 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network team reports that they can ping the VPC's private IP addresses, but they cannot reach an internet-facing application hosted on an EC2 instance in a public subnet. The EC2 instance has a public IP and a security group allowing HTTP/HTTPS from 0.0.0.0/0. What is the most likely cause?

Question 374 (hard, multiple choice)
Read the full Network Implementation explanation →

A company is deploying a multi-region application using two AWS Regions. They want to use an AWS Transit Gateway to interconnect VPCs within each region, and they need to interconnect the Transit Gateways across regions. Which is the most scalable and reliable approach?

Question 375 (easy, multiple choice)
Review the full subnetting walkthrough →

A company is deploying a VPC with both public and private subnets. They have an EC2 instance in a private subnet that needs to access the internet for software updates. Which AWS service should be placed in a public subnet to enable this?

Question 376 (medium, multiple choice)
Read the full VPN explanation →

A company has a Direct Connect connection with a private VIF to a VPC. They also have a Site-to-Site VPN connection to the same VPC as a backup. The on-premises router is advertising the same prefixes over both connections. The company wants to ensure that traffic uses Direct Connect when available and fails over to VPN if Direct Connect goes down. Which configuration should be applied?

Question 377 (hard, multiple choice)
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC. They have set up a Transit Gateway and attached the VPC and the Direct Connect gateway. The on-premises network can reach some VPC resources but not others. The VPC has multiple subnets with different CIDR blocks. The on-premises router is advertising the same prefixes over BGP. What is the most likely cause of the partial connectivity?

Question 378 (easy, multiple choice)
Read the full VPN explanation →

A company wants to connect its on-premises data center to a VPC using AWS Site-to-Site VPN. Which of the following is required to establish the VPN connection?

Question 379 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets in multiple Availability Zones. They want to deploy a NAT gateway for outbound internet access for instances in private subnets. Which of the following is the most highly available architecture?

Question 380 (hard, multiple choice)
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network team notices that traffic to a particular EC2 instance is taking a suboptimal path that goes through the internet instead of Direct Connect. The EC2 instance has both a private IP and a public IP. The on-premises router is advertising the VPC's CIDR block over BGP. What is the most likely cause?

Question 381 (medium, multi select)
Read the full Network Implementation explanation →

Which TWO options are valid methods to connect a VPC to an on-premises network? (Choose 2)

Question 382 (hard, multi select)
Read the full Network Implementation explanation →

Which THREE considerations are important when implementing a multi-region Direct Connect architecture? (Choose 3)

Question 383 (easy, multi select)
Read the full Network Implementation explanation →

Which TWO components are required when configuring a transit gateway to connect multiple VPCs and an on-premises network via Direct Connect? (Choose 2)

Question 384 (hard, multiple choice)
Review the full subnetting walkthrough →

Refer to the exhibit. A network engineer is creating an IAM policy for a junior engineer who needs to set up a VPC with public and private subnets and an internet gateway. The junior engineer reports that they cannot create a VPC peering connection. Based on the policy, what is the most likely reason?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:AssociateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:CreateVpcPeeringConnection",
      "Resource": "*"
    }
  ]
}
```
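An added example that is not part of the page, covering this policy and the bucket policy of Question 358 together: a minimal IAM decision function in Python that models action and resource wildcards, StringEquals conditions, and the explicit-deny-over-allow rule. The policy dicts are the two exhibits; the object key and the second endpoint ID used in the checks are constructed, and principal matching is assumed to have been done by the caller. Two things it makes concrete: a request that reaches S3 through a NAT gateway carries no aws:SourceVpce key at all, so the StringEquals condition cannot match and the Allow statement is simply skipped, leaving an implicit deny; and removing the explicit Deny from the junior engineer's policy changes the reason but not the outcome, because no Allow statement covers ec2:CreateVpcPeeringConnection.

```python
import fnmatch

# The bucket policy from Question 358, as a dict.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

# The IAM policy from Question 384, as a dict.
JUNIOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway", "ec2:CreateRouteTable", "ec2:AssociateRouteTable",
                "ec2:CreateRoute", "ec2:CreateSecurityGroup",
                "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress",
            ],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "ec2:CreateVpcPeeringConnection", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one; case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only StringEquals is modelled (the operator both exhibits use). A condition key
    that is absent from the request context never matches, so a request arriving via
    a NAT gateway (no aws:SourceVpce) cannot satisfy the bucket policy's condition."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Simplified IAM decision: explicit Deny > explicit Allow > implicit deny.
    Returns (decision, reason)."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return ("DENY", "explicit deny")
            allowed = True
    return ("ALLOW", "explicit allow") if allowed else ("DENY", "implicit deny")


def without_explicit_denies(policy):
    """Copy of a policy with its Deny statements removed, to show that the Deny is
    not what blocks an action no Allow statement covers."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/patches/kernel.rpm"  # constructed object key
    print("via endpoint:", evaluate([BUCKET_POLICY], "s3:GetObject", obj,
                                    {"aws:SourceVpce": "vpce-0123456789abcdef0"}))
    print("via NAT gateway:", evaluate([BUCKET_POLICY], "s3:GetObject", obj))
    print("peering, as written:", evaluate([JUNIOR_POLICY], "ec2:CreateVpcPeeringConnection", "*"))
    print("peering, Deny removed:", evaluate([without_explicit_denies(JUNIOR_POLICY)],
                                             "ec2:CreateVpcPeeringConnection", "*"))
```

The model deliberately omits NotAction, NotResource, the other condition operators and IAM's principal matching; it is enough to reason about these two exhibits, not a replacement for the IAM policy simulator.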
Question 385 (hard, multiple choice)
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC in us-east-1. The VPC has two subnets: a public subnet and a private subnet. The public subnet has an internet gateway attached. The private subnet has a NAT gateway. The company's on-premises network uses the 10.0.0.0/8 IP range. The VPC CIDR is 10.1.0.0/16. The on-premises router is advertising 10.1.0.0/16 over BGP to the Direct Connect router. The company needs EC2 instances in the private subnet to initiate outbound connections to the internet for updates. The NAT gateway is in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, the on-premises network team reports that they can ping the private IP of the NAT gateway (10.1.0.10) but not the private IP of an EC2 instance in the private subnet (10.1.1.50). The EC2 instance's security group allows ICMP from the on-premises IP range. The VPC's main route table has a route for 10.0.0.0/8 pointing to the virtual private gateway. The VPC is attached to a virtual private gateway. What is the most likely cause?

Question 386 (medium, multiple choice)
Open the full BGP breakdown →

A company has multiple VPCs in the same AWS region that need to communicate with each other and with an on-premises data center. The company currently uses VPC peering connections between each VPC pair, which has become difficult to manage as the number of VPCs grows. The company wants to simplify the network architecture and implement a hub-and-spoke model using AWS Transit Gateway. The on-premises data center is connected to AWS via a Direct Connect connection with a private VIF. The company has already created a Transit Gateway and attached all VPCs to it. They have also created a Direct Connect gateway and associated it with the Transit Gateway. The on-premises router is advertising the on-premises CIDR (10.0.0.0/8) over BGP. However, after the migration, the VPCs cannot communicate with each other, and the on-premises network cannot reach the VPCs. The VPC route tables have been updated to route all traffic to the Transit Gateway. The Transit Gateway route table has propagation enabled for all VPC attachments and the Direct Connect gateway attachment. What is the most likely missing configuration?

Question 387 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets across two Availability Zones. The private subnets require outbound internet access for updates, but must not be directly reachable from the internet. The company has a NAT gateway in each public subnet. Security team reports that instances in private subnets cannot reach the internet. Which configuration should be verified first?

Question 388 (medium, multiple choice)
Open the full BGP breakdown →

A company is implementing a hybrid network using AWS Direct Connect. They have a virtual private gateway (VGW) attached to their VPC and a Direct Connect gateway (DXGW) with a private virtual interface (VIF) to their on-premises router. They have established a BGP session between the on-premises router and the VGW. The on-premises network can reach EC2 instances in the VPC, but the VPC instances cannot reach on-premises resources. What is the most likely cause?

Question 389 (easy, multiple choice)

A company is designing a multi-tier application with web servers in public subnets and database servers in private subnets. The database servers should only be accessible from the web servers. Which AWS feature should be used to enforce this?

Question 390 (hard, multiple choice)

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC. The ALB is in public subnets, and the web servers are in private subnets. The ALB is configured with a target group pointing to the web servers. Users report intermittent 503 errors. The web servers are healthy according to the target group health checks. What is the most likely cause?

Question 391 (medium, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16. They need to connect to a partner's VPC with CIDR 10.0.0.0/16 using a VPC peering connection. What is the issue with this configuration?

Question 392 (easy, multiple choice)

A company has an AWS Site-to-Site VPN connection between their on-premises network and a VPC. The VPN tunnel status shows 'UP'. However, instances in the VPC cannot ping an on-premises server at 192.168.1.10. Which step should be taken to troubleshoot?

Question 393 (medium, multiple choice)

A company has a VPC with public and private subnets. They have a NAT gateway in a public subnet. They want to provide internet access to instances in private subnets. The NAT gateway is configured with an Elastic IP. The private instances still cannot access the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT gateway. What is missing?

Question 394 (hard, multiple choice)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a CIDR of 10.0.0.0/16 attached to the transit gateway. They also have a Direct Connect virtual interface attached to the transit gateway. The on-premises network can reach some VPCs but not the VPC with CIDR 10.0.0.0/16. The transit gateway route table has a static route for the on-premises CIDR and a route propagation from the VPC attachment. What is the most likely issue?

Question 395 (easy, multiple choice)

A company needs to establish a dedicated, low-latency, and consistent network connection from their on-premises data center to AWS. Which AWS service should they use?

Question 396 (medium, multi select)

A company has a VPC with public and private subnets. They have a NAT gateway in a public subnet for outbound internet access from private instances. Which TWO of the following are required for the NAT gateway to function correctly?

Question 397 (hard, multi select)

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 172.16.0.0/12. They are using an AWS Transit Gateway with a VPN attachment to the on-premises network. The transit gateway route table has a static route for 172.16.0.0/12 pointing to the VPN attachment. Which THREE of the following are necessary for traffic to flow from the VPC to on-premises?

Question 398 (easy, multi select)

Which TWO of the following are valid methods to provide outbound internet access to instances in a private subnet?

Question 399 (hard, multiple choice)

Refer to the exhibit. A company has two VPCs (vpc-aaaaaaaa and vpc-bbbbbbbb) that are peered. The CIDR blocks are both 10.0.0.0/16. The peering connection status is 'active'. Which of the following is true about this configuration?

Network Topology (exhibit: CLI command and its output)

    aws ec2 describe-vpc-peering-connections --query "VpcPeeringConnections[?Status.Code=='active']" --output json

    {
        "VpcPeeringConnectionId": "pcx-12345678",
        "AccepterVpcInfo": {
            "OwnerId": "111111111111",
            "VpcId": "vpc-aaaaaaaa",
            "CidrBlock": "10.0.0.0/16"
        },
        "RequesterVpcInfo": {
            "OwnerId": "222222222222",
            "VpcId": "vpc-bbbbbbbb"
        },
        "Status": {
            "Code": "active"
        }
    }

Question 400 (hard, multiple choice)

A company has a VPC with CIDR 10.0.0.0/16. They have two Availability Zones (us-east-1a and us-east-1b). In each AZ, there is a public subnet (10.0.1.0/24 and 10.0.2.0/24) and a private subnet (10.0.3.0/24 and 10.0.4.0/24). A NAT Gateway is deployed in the public subnet of us-east-1a. The private route tables for both private subnets have a default route pointing to the NAT Gateway. An application team has deployed EC2 instances in the private subnets. They report that instances in us-east-1b cannot access the internet, while instances in us-east-1a can. The NAT Gateway is healthy and has an Elastic IP attached. The route tables for the public subnets have a default route to the Internet Gateway. What is the most likely cause of the issue?

Question 401 (medium, multiple choice)

A company has a Direct Connect connection with a single private virtual interface (VIF) to a virtual private gateway (VGW) attached to a VPC. The VPC CIDR is 10.0.0.0/16. The on-premises CIDR is 172.16.0.0/12. The BGP session is established, and the on-premises router is advertising the 172.16.0.0/12 route to the VGW. The VGW is configured to propagate routes to the VPC route tables. However, instances in the VPC cannot reach on-premises resources. The VPC route table shows a propagated route for 172.16.0.0/12 with a target of the VGW. What is the most likely issue?

Question 402 (easy, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16. They have an Application Load Balancer (ALB) in public subnets and EC2 instances in private subnets. The ALB is configured to route traffic to the instances. Users can reach the ALB, but the ALB returns 502 Bad Gateway errors. The target group health checks are failing. The instances are running a web server on port 80. The security group for the instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound traffic on port 80 from the public subnet CIDR (10.0.1.0/24). What is the most likely cause of the health check failures?

Question 403 (easy, multiple choice)

A company is deploying a multi-tier application on AWS and needs to ensure that traffic between the web tier and the application tier does not traverse the internet. Both tiers are deployed in the same VPC but in different subnets. What is the MOST secure way to meet this requirement?

Question 404 (medium, multiple choice)

A network engineer is troubleshooting connectivity issues from an on-premises data center to an Amazon VPC via an AWS Site-to-Site VPN. The VPN tunnel is up, but ping from an on-premises host (10.0.0.5) to an EC2 instance (172.16.1.10) fails. The VPC CIDR is 172.16.0.0/16. The on-premises CIDR is 10.0.0.0/8. The customer gateway device has a route for 172.16.0.0/16 pointing to the VPN tunnel. The VPC route table has a route for 10.0.0.0/8 pointing to the virtual private gateway. Security groups and NACLs allow ICMP. What is the MOST likely cause?

Question 405 (hard, multiple choice)

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. The ALB is internet-facing and uses TLS termination. The application requires that client IP addresses be preserved in the backend logs. The backend instances are in private subnets behind the ALB. Which configuration will ensure client IP addresses are preserved without additional overhead?

Question 406 (easy, multiple choice)

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. They want to add a second Direct Connect connection for redundancy. What is the MINIMUM number of virtual interfaces required to achieve active-active failover for the VPC?

Question 407 (medium, multiple choice)

A network engineer is configuring an AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network advertises a prefix 10.0.0.0/8. One of the VPCs has a CIDR of 10.0.0.0/16. What will happen to traffic destined to 10.0.0.5 from another VPC attached to the Transit Gateway?

Question 408 (hard, multiple choice)

A company is deploying a global application with users in North America and Europe. They have set up an Application Load Balancer (ALB) in us-east-1 and another in eu-west-1. They want to route users to the nearest ALB using AWS Global Accelerator. What is the correct configuration to achieve this?

Question 409 (easy, multiple choice)

A network engineer is troubleshooting an AWS Direct Connect connection that is experiencing high latency. The connection is a 1 Gbps dedicated connection. The engineer notices that the link utilization is at 90%. What is the MOST likely cause of the high latency?

Question 410 (medium, multiple choice)

A company has a VPC with public and private subnets. They have a web server in the public subnet that needs to make API calls to Amazon S3. The web server has a public IP. What is the MOST secure way to allow the web server to access S3 without traversing the internet?

Question 411 (hard, multiple choice)

A company is building a hybrid network with an AWS Transit Gateway connecting multiple VPCs and an on-premises network via Direct Connect. The on-premises network uses BGP to advertise routes to the Transit Gateway. One of the VPCs has an overlapping CIDR (10.0.0.0/16) with the on-premises network (10.0.0.0/8). The company wants to ensure that traffic from other VPCs to 10.0.0.0/16 goes to the VPC, not on-premises. What configuration is required?

Question 412 (medium, multi select)

A company is designing a VPC with multiple subnets for a three-tier application. They need to ensure that the database tier (private subnet) can be accessed only by the application tier (private subnet) and that no other resources in the VPC can access the database. Which TWO security mechanisms should be used together to achieve this? (Choose TWO.)

Question 413 (hard, multi select)

A company is migrating its on-premises data center to AWS using Direct Connect and a VPN connection as backup. The company has multiple VPCs connected via a Transit Gateway. They want to ensure high availability for the Direct Connect connection. Which TWO actions should be taken? (Choose TWO.)

Question 414 (easy, multi select)

A company is setting up AWS Site-to-Site VPN for connectivity between its on-premises network and AWS VPC. They want to ensure the VPN tunnel is highly available. Which THREE components should be configured? (Choose THREE.)

Question 415 (hard, multiple choice)

A company has a production VPC with CIDR 10.0.0.0/16. They have an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones. The ALB distributes traffic to a fleet of EC2 instances in private subnets. The EC2 instances need to access an Amazon S3 bucket to retrieve configuration files. The company wants to minimize data transfer costs and ensure that traffic to S3 does not traverse the internet. A network engineer created a Gateway VPC Endpoint for S3 in the VPC and added a route in the public subnet route tables pointing to the endpoint. However, the EC2 instances still cannot access the S3 bucket. The security groups for the EC2 instances allow outbound HTTPS to 0.0.0.0/0. The NACLs are default (allow all). The S3 bucket policy allows access from the VPC endpoint. What is the MOST likely reason the EC2 instances cannot access S3?

Question 416 (medium, multiple choice)

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. They have also set up a Site-to-Site VPN as a backup. The VPC has a virtual private gateway (VGW) attached. The on-premises network uses BGP over the Direct Connect and static routes for the VPN. The network engineer notices that traffic from the VPC to on-premises is not using the Direct Connect when it is available; instead, it goes over the VPN. The VPC route table has a route for the on-premises CIDR (10.0.0.0/8) to the VGW. The VPN connection is configured with static routes. What is the MOST likely cause of this behavior?

Question 417 (easy, multiple choice)

A small company has a single VPC with one public subnet and one private subnet. They have a web server in the public subnet and a database server in the private subnet. The web server needs to access the database server on port 3306 (MySQL). The network engineer has configured the security group for the database server to allow inbound TCP port 3306 from the security group of the web server. However, the web server cannot connect to the database server. The network ACL for the private subnet is the default (allows all inbound and outbound). The web server can ping the database server's private IP. What is the MOST likely cause of the connection failure?

Question 418 (medium, multi select)

A company is deploying a multi-tier web application across multiple Availability Zones in a VPC. The architecture includes public-facing Application Load Balancers, Amazon EC2 instances in private subnets, and an Amazon RDS for MySQL Multi-AZ DB instance. To meet compliance requirements, all traffic between the web tier and database tier must be encrypted and must not traverse the internet. Which TWO actions should the company take to implement this securely? (Choose two.)

Question 419 (medium, multi select)

A company is implementing a hybrid network architecture with an AWS Transit Gateway connecting multiple VPCs and an on-premises data center via AWS Direct Connect. The company needs to ensure that traffic between VPCs is inspected by a centralized security appliance running on EC2 instances in a dedicated inspection VPC. To achieve this, traffic must be routed through the inspection VPC before reaching its destination. Which TWO configurations are required? (Choose two.)

Question 420 (hard, multi select)

A company is using AWS Direct Connect to connect its on-premises network to a VPC via a private virtual interface (VIF) attached to a virtual private gateway (VGW). The company wants to add redundant connectivity using a second Direct Connect connection from a different provider. The network team proposes using a Direct Connect gateway (DXGW) with two private VIFs from different connections, each attached to the DXGW. The DXGW will be associated with the VGW. Which THREE steps are required to complete this configuration? (Choose three.)

Question 421 (hard, multiple choice)

A company is implementing a multicast application in AWS. The application requires that multicast traffic be forwarded between Amazon EC2 instances in different VPCs. The company has set up a multicast domain using AWS Transit Gateway Connect with multicast support. The multicast group is using the IP address 239.0.1.10. The network engineer has confirmed that the EC2 instances are registered as multicast members and that the Transit Gateway multicast domain is configured correctly. However, receivers in VPC B are not receiving multicast traffic from senders in VPC A. What is the MOST likely cause of this issue?

Question 422 (medium, multiple choice)

A company is implementing an AWS Client VPN endpoint to provide remote access to its VPC resources. The company's on-premises network uses a split-tunneling configuration to route only corporate traffic through the VPN. The Client VPN endpoint is associated with a single subnet in the VPC. Users report that they can connect to the Client VPN but cannot reach resources in the VPC. The Client VPN endpoint's security group allows all traffic. What is the MOST likely cause of this issue?

Question 423 (medium, multiple choice)

A company is deploying an AWS Network Firewall in a centralized inspection VPC to inspect traffic between VPCs connected to an AWS Transit Gateway. The architecture uses Transit Gateway route tables to send inter-VPC traffic through the inspection VPC. The Network Firewall is configured with stateful and stateless rule groups. After deployment, the security team notices that traffic from VPC A to VPC B is being dropped. Other traffic flows correctly. What is the MOST likely cause of this issue?

Question 424 (hard, multiple choice)

A company is migrating its on-premises data center to AWS and wants to extend its Layer 2 network to AWS using AWS Outposts. The company has an existing VLAN with IP subnet 10.0.1.0/24 that hosts a legacy application requiring direct Layer 2 connectivity between on-premises servers and Outposts racks. The network engineer has installed an Outposts rack in the data center and connected it to the on-premises network via a local gateway (LGW) with a VLAN interface. The engineer has created a subnet in the Outposts VPC with CIDR 10.0.1.0/24 and launched EC2 instances. However, the on-premises servers cannot communicate with the Outposts instances. The LGW is configured correctly. Which action should the engineer take to resolve the issue?

Question 425 (hard, multiple choice)

A company has deployed a multi-account AWS environment using AWS Organizations. Each account has one or more VPCs that need to communicate with each other and with an on-premises data center via a central transit VPC. The company uses AWS Transit Gateway with a centralized network account that hosts the Transit Gateway. VPCs from other accounts are attached to the Transit Gateway via Resource Access Manager (RAM) shares. The network team notices that after attaching a new VPC from a member account, resources in that VPC cannot communicate with resources in other attached VPCs. The Transit Gateway route tables have appropriate routes, and the VPC route tables point to the Transit Gateway. What is the MOST likely cause of the issue?

Question 426 (medium, multiple choice)

A company is implementing a network architecture for a critical application that requires ultra-low latency between two Amazon EC2 instances. The instances are launched in two different Availability Zones within the same AWS Region. The network engineer needs to ensure that traffic between the instances uses the lowest latency path possible. The instances are placed in a cluster placement group. The application uses TCP. The engineer has configured the security groups to allow all traffic between the instances. However, latency is higher than expected. What should the engineer do to reduce latency?

Question 427 (medium, multiple choice)

A company is setting up an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The VPC has a virtual private gateway (VGW) attached, and the VPN connection uses two tunnels for redundancy. The on-premises customer gateway (CGW) is configured with the public IP address of the on-premises VPN device. The VPN tunnels are up and BGP sessions are established. However, the company cannot ping an EC2 instance in the VPC from an on-premises server. The security group for the EC2 instance allows ICMP from the on-premises network CIDR. What is the MOST likely cause of the issue?

Question 428 (easy, multiple choice)

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is internet-facing and uses a public subnet. The EC2 instances are in private subnets. The application needs to be accessible from the internet. The security group for the ALB allows inbound HTTP and HTTPS from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic from the ALB's security group. The route tables for the private subnets have a default route to a NAT gateway. Users report that they cannot access the application. The ALB target group shows the instances as unhealthy. What is the MOST likely cause?

Question 429 (medium, multiple choice)

A company is using AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises data center to a VPC. The VPC has a virtual private gateway (VGW) attached. The company has recently added a second VPC and wants to use the same Direct Connect connection to access both VPCs. The network engineer proposes using a Direct Connect gateway (DXGW) with two private VIFs, one for each VPC. However, the engineer wants to minimize complexity and cost. Which configuration should the engineer use to allow both VPCs to use the same Direct Connect connection?

Question 430 (hard, multiple choice)

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and an IPv6 CIDR of 2001:db8:1234::/56. The company hosts a web application on IPv4-only EC2 instances in a private subnet. The application must be accessible from the internet via IPv6. The company has an internet-facing Application Load Balancer (ALB) with dual-stack IP address type. The ALB is in a public subnet. The target group is configured with IP address type IPv4. Users report that they can access the application via IPv4 but not via IPv6. The ALB security group allows inbound HTTP/HTTPS from ::/0. What is the MOST likely cause?

Question 431 (easy, multiple choice)

A company is deploying a new VPC with public and private subnets. The company wants to ensure that EC2 instances in the private subnet can access the internet for software updates. The instances do not need to be accessible from the internet. The network engineer has created a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. However, instances in the private subnet cannot reach the internet. The NAT gateway is in the 'available' state. What is the MOST likely cause?

Question 432 (medium, multiple choice)

A company has a VPC with a CIDR of 172.16.0.0/16. The VPC has two subnets: subnet A (172.16.1.0/24) and subnet B (172.16.2.0/24). The company launches an EC2 instance in subnet A with a private IP of 172.16.1.10 and a public IP. The instance's security group allows inbound SSH from 0.0.0.0/0. The subnet A's route table has a route to an internet gateway (IGW) for 0.0.0.0/0. The network engineer can SSH into the instance from the internet. The company then attaches a second network interface (eth1) to the instance with an IP from subnet B (172.16.2.20). The engineer wants to use this interface for additional management traffic. After attaching, the engineer can no longer SSH into the instance via the original public IP. What is the MOST likely cause?

Question 433 (medium, multi select)

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets across multiple Availability Zones. The security team requires that all traffic between the ALB and the EC2 instances be encrypted using TLS. The application must also support HTTP health checks from the ALB. Which TWO actions should the network engineer take to meet these requirements? (Choose TWO.)

Question 434 (hard, multiple choice)

A global e-commerce company operates a production environment on AWS with a VPC (10.0.0.0/16) containing public and private subnets in three Availability Zones. The application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB) in public subnets. The company uses AWS Transit Gateway to connect multiple VPCs and on-premises data centers via Site-to-Site VPN. Recently, the operations team noticed intermittent connectivity issues: users in the Asia-Pacific region experience slow page load times and occasional timeouts, while users in other regions have no issues. The network team suspects packet loss or high latency on the VPN connection to the on-premises data center in Singapore, which hosts a critical database. The AWS Direct Connect connection is not yet available. The team ran a traceroute from an EC2 instance in the production VPC to the database server (IP 203.0.113.50) and observed high latency and packet loss on the fifth hop (a transit gateway attachment). The VPN tunnel status shows 'UP' on both ends. CloudWatch metrics for the VPN tunnel show no errors but high 'TunnelData' bytes. What should the network engineer do FIRST to resolve the issue?
