Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Network Management and Operations practice sets

ANS-C01 Network Management and Operations • Complete Question Bank

ANS-C01 Network Management and Operations — All Questions With Answers

Complete ANS-C01 Network Management and Operations question bank — all 0 questions with answers and detailed explanations.

346
Questions
Free
No signup
Certifications/ANS-C01/Practice Test/Network Management and Operations/All Questions
Question 1mediummultiple choice
Read the full NAT/PAT explanation →

A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?

Question 2hardmultiple choice
Read the full VPN explanation →

A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?

Question 3easymultiple choice
Read the full VPN explanation →

A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?

Question 4mediummultiple choice
Read the full VPN explanation →

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a single subnet in the VPC, and the authorization rules allow access to the entire VPC CIDR (10.0.0.0/16). The security group assigned to the Client VPN endpoint allows all traffic. What is the most likely cause of this issue?

Question 5hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises router is advertising a default route (0.0.0.0/0) via BGP. The VPC has an internet gateway attached, and the route table has a default route to the internet gateway. The network team notices that traffic from on-premises to the internet is not working as expected. What is the most likely cause?

Question 6mediummulti select
Read the full Network Management and Operations explanation →

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team wants to log and monitor all traffic flows across the Transit Gateway for security analysis. Which TWO actions should the team take? (Choose TWO.)

Question 7hardmulti select
Open the full BGP breakdown →

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). The network team notices that traffic to a specific VPC is intermittently failing. The team suspects an issue with BGP routing. Which THREE steps should the team take to troubleshoot the BGP session? (Choose THREE.)

Question 8mediummultiple choice
Read the full VPN explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. Network engineers report intermittent connectivity issues between VPC A and the on-premises network. The transit gateway route table shows the on-premises CIDR (10.0.0.0/8) propagated from the VPN attachment. VPC A has a subnet route pointing to the transit gateway for 10.0.0.0/8. Which step should the engineer take FIRST to diagnose the issue?

Question 9hardmultiple choice
Read the full Network Management and Operations explanation →

A global e-commerce company is migrating to AWS and plans to use a hub-and-spoke topology with AWS Transit Gateway. The network team wants to ensure high availability for the connection between the hub VPC and the on-premises data center using AWS Direct Connect with multiple virtual interfaces (VIFs). They need to be able to fail over quickly with minimal packet loss. Which design should meet these requirements?

Question 10easymultiple choice
Read the full NAT/PAT explanation →

A company has deployed a web application in a VPC with public subnets for the web servers and private subnets for the database servers. The web servers need to access the internet for software updates. The network engineer configured a NAT Gateway in the public subnet and added a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway. However, the web servers cannot reach the internet. What is the most likely cause?

Question 11mediummultiple choice
Read the full VPN explanation →

A company uses AWS Client VPN to provide remote access to its VPC resources. Users report that they can connect to the VPN but cannot reach any resources in the VPC. The VPN endpoint is associated with a subnet in VPC A. The VPC's route table has a route for the Client VPN CIDR (10.200.0.0/16) pointing to the VPN endpoint. The security group assigned to the VPN endpoint allows inbound traffic from the VPN clients. What is the most likely cause of the issue?

Question 12hardmultiple choice
Open the full BGP breakdown →

A company is using an AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect. The network team notices that traffic from an on-premises network (CIDR 172.16.0.0/12) to a VPC (CIDR 10.0.0.0/16) is being dropped. The transit gateway route table shows a static route for 10.0.0.0/16 pointing to the VPC attachment. The Direct Connect virtual interface (VIF) is associated with the transit gateway and the on-premises router is advertising 172.16.0.0/12 via BGP. What is the most likely cause of the traffic being dropped?

Question 13mediummulti select
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team needs to monitor the Direct Connect connection for performance issues and receive alerts when latency exceeds a certain threshold. Which TWO actions should the team take to meet these requirements? (Choose TWO.)

Question 14hardmulti select
Review the full subnetting walkthrough →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team observes that traffic between two VPCs (VPC A and VPC B) is not being forwarded correctly. The transit gateway route table is configured with static routes for the VPC CIDRs. Which THREE steps should the engineer take to troubleshoot this issue? (Choose THREE.)

Question 15mediummultiple choice
Read the full Network Management and Operations explanation →

Refer to the exhibit. A network engineer is analyzing VPC Flow Logs to troubleshoot connectivity issues. The engineer notices that traffic from 10.0.1.5 to 192.168.1.1 on port 80 is logged as ACCEPT, but the application team reports that the web request failed. What is the most likely cause?

Exhibit

Refer to the exhibit.

VPC Flow Logs (vpc-flow-logs-1) - capture window: 2023-09-15T10:00:00Z to 2023-09-15T11:00:00Z
2 123456789010 eni-0a1b2c3d4e5f6g7h 10.0.1.5 10.0.2.10 443 54321 6 10 1000 1623456789 1623456790 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6g7h 10.0.2.10 10.0.1.5 54321 443 6 10 1000 1623456790 1623456795 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6g7h 10.0.1.5 192.168.1.1 80 12345 6 20 2000 1623456800 1623456810 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6g7h 10.0.1.5 10.0.2.10 443 54322 6 10 1000 1623456810 1623456820 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6g7h 10.0.2.10 10.0.1.5 54322 443 6 10 1000 1623456820 1623456830 ACCEPT OK
Question 16mediummultiple choice
Study the full ACL explanation →

A company is experiencing intermittent connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS regions. VPC A has CIDR 10.0.0.0/16 and VPC B has CIDR 10.1.0.0/16. The route tables in both VPCs have been updated to include routes pointing to the peering connection. Security groups and network ACLs are configured to allow all traffic for testing. However, traffic from VPC A to VPC B fails intermittently. Which of the following is the most likely cause of this intermittent failure?

Question 17easymultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is up, but traffic is not flowing from the on-premises network to a VPC. The VPC has a virtual private gateway attached, and the route table has a route pointing to the virtual private gateway for the on-premises CIDR (192.168.0.0/16). The on-premises firewall shows that traffic is being sent to the VPN tunnel. What should the engineer check next?

Question 18easymultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect with a private VIF to access their VPC. Users report intermittent connectivity issues. You check the Direct Connect console and see that the virtual interface state is 'down'. What is the MOST likely cause?

Question 19mediummulti select
Read the full VPN explanation →

A network engineer is troubleshooting high latency on an AWS Transit Gateway that connects multiple VPCs and an on-premises network via AWS Site-to-Site VPN. The engineer wants to identify potential causes. Which TWO actions should the engineer take? (Choose two.)

Question 20mediumdrag order
Read the full VPN explanation →

Arrange the steps to configure a site-to-site VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 21mediumdrag order
Open the full BGP breakdown →

Arrange the steps to configure BGP on a Cisco router for a Direct Connect private virtual interface:

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 22mediumdrag order
Read the full VPN explanation →

Arrange the steps to configure an AWS Client VPN endpoint for remote access:

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 23mediummatching
Read the full Network Management and Operations explanation →

Match each AWS service or feature to its primary function in network architecture.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Hub-and-spoke connectivity between VPCs and on-premises

Dedicated network connection from on-premises to AWS

Direct network connection between two VPCs

Private access to services across VPCs and accounts

Encrypted tunnel over the internet to AWS

Question 24mediummatching
Read the full VPN explanation →

Match each VPN term to its correct description in the context of AWS Site-to-Site VPN.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

VPN concentrator on the AWS side attached to a VPC

VPN device on the on-premises side

Encrypted IPsec connection between VGW and CGW

Secret key used to authenticate the VPN tunnel endpoints

Dynamic routing protocol used to exchange routes over VPN tunnels

Question 25mediummatching
Open the full BGP breakdown →

Match each BGP attribute to its role in route selection.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Cisco-proprietary attribute, highest weight preferred

Used to influence outbound traffic from an AS

Shorter path is preferred

Used to influence inbound traffic to an AS

IP address of the next router to reach the destination

Question 26easymultiple choice
Read the full NAT/PAT explanation →

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking an unexpected path. Which AWS service should be used to analyze the packet-level traffic flow and identify the path?

Question 27mediummultiple choice
Read the full NAT/PAT explanation →

A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over a Direct Connect connection. The engineer has verified that the VPC route tables, Direct Connect virtual interface, and on-premises routing are correctly configured. Which tool should be used to verify the path MTU and identify fragmentation issues?

Question 28hardmultiple choice
Read the full NAT/PAT explanation →

A company has a multi-account AWS environment with hundreds of VPCs connected via a transit gateway. The network team needs to centrally monitor network traffic and detect anomalies such as unusual outbound data transfers. Which combination of services would provide the most scalable and cost-effective solution?

Question 29easymultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team wants to monitor the latency and packet loss on the Direct Connect virtual interfaces. Which AWS service should be used to measure these metrics?

Question 30mediummultiple choice
Open the full BGP breakdown →

A company has a hybrid network architecture with multiple VPCs connected via a transit gateway and on-premises via Direct Connect. The network team wants to automate the response to a BGP session failure on a Direct Connect virtual interface. Which AWS service can be used to monitor the BGP status and trigger an automated action?

Question 31hardmultiple choice
Read the full NAT/PAT explanation →

A company is using a centralized egress VPC model with a NAT gateway for outbound traffic from multiple VPCs. The network team notices that some EC2 instances are having connectivity timeouts when accessing the internet. The team has verified the route tables and security groups. Which additional check should be performed to troubleshoot the issue?

Question 32easymultiple choice
Open the full BGP breakdown →

A network engineer is configuring a new AWS Direct Connect connection and needs to establish BGP peering with the AWS side. The engineer has received the BGP configuration from the AWS Direct Connect endpoint. Which information is required to complete the BGP configuration on the on-premises router?

Question 33mediummultiple choice
Read the full VPN explanation →

A company is using AWS Site-to-Site VPN connections to connect multiple branch offices to a central VPC. The network team wants to ensure high availability and automatic failover if one VPN tunnel goes down. Which configuration should be implemented?

Question 34hardmultiple choice
Open the full BGP breakdown →

A company is migrating its on-premises data center to AWS and wants to use AWS Direct Connect for private connectivity. The network team plans to advertise the company's public IP prefixes to AWS via BGP. Which AWS resource must be configured to allow advertisement of these prefixes?

Question 35mediummulti select
Read the full Network Management and Operations explanation →

Which TWO options are valid ways to monitor network traffic in an AWS environment? (Choose 2.)

Question 36hardmulti select
Read the full Network Management and Operations explanation →

Which THREE are best practices for designing a highly available AWS Direct Connect connection? (Choose 3.)

Question 37easymulti select
Read the full VPN explanation →

Which TWO services can be used to centrally manage and monitor VPN connections across multiple AWS accounts? (Choose 2.)

Question 38mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team notices that traffic from an on-premises data center to a VPC is intermittently dropping. CloudWatch metrics show no errors on the Direct Connect virtual interface. What is the most likely cause of the intermittent drops?

Question 39hardmultiple choice
Review the full routing breakdown →

A global company is designing a multi-region Active-Active application using Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) fronting Auto Scaling groups. The application requires sticky sessions based on the user's source IP. The network team notices that users are frequently switched to a different region mid-session, causing errors. What should the team do to resolve this issue?

Question 40easymultiple choice
Open the full BGP breakdown →

A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over AWS Site-to-Site VPN. The VPN tunnel status is UP, and BGP is established. The engineer can ping the on-premises server's private IP from the EC2 instance, but TCP connections to a specific port (e.g., 443) are timing out. What is the most likely cause?

Question 41mediummultiple choice
Read the full NAT/PAT explanation →

A company is using AWS CloudFormation to deploy a multi-tier application. The template includes an Amazon VPC with public and private subnets, NAT gateways, and route tables. After deployment, the EC2 instances in the private subnet cannot access the internet. The NAT gateway is in a public subnet with an Internet Gateway attached. What is the most likely cause?

Question 42hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs. The company wants to use the same Direct Connect connection for both VPCs, but the on-premises router only has one physical port. The network engineer configures a single BGP session over a VLAN-tagged interface. After configuration, only one VPC is reachable. What is the most likely reason?

Question 43easymultiple choice
Review the full routing breakdown →

A company is using AWS Global Accelerator to improve performance for a web application hosted in two AWS Regions. The application uses an Application Load Balancer (ALB) in each region. The company wants to ensure that traffic is directed to the closest healthy endpoint. Which routing configuration should be used?

Question 44mediummultiple choice
Study the full ACL explanation →

A network engineer is configuring AWS Client VPN for remote access. The engineer creates a Client VPN endpoint and associates it with a target network (subnet) in the VPC. After associating, clients can connect to the VPN but cannot access resources in the VPC. The security groups and network ACLs allow all traffic. What is the most likely issue?

Question 45hardmultiple choice
Open the full BGP breakdown →

A company is deploying a hybrid network using AWS Direct Connect and a VPN backup. The Direct Connect connection is established, and BGP is running over the private VIF. The company wants to use the VPN as a backup only when Direct Connect fails. The network engineer configures BGP communities on the Direct Connect VIF to influence route preference. However, during a Direct Connect failure, failover to VPN takes several minutes. What can the engineer do to reduce failover time?

Question 46easymultiple choice
Read the full NAT/PAT explanation →

A company uses VPC Flow Logs to monitor network traffic. The flow logs are published to Amazon S3. The security team wants to analyze the logs for suspicious traffic patterns using Amazon Athena. After creating the Athena table, queries return zero results. The logs are in the correct S3 bucket. What is the most likely cause?

Question 47mediummulti select
Read the full VPN explanation →

A company is designing a VPN connection between an on-premises network and AWS. The network engineer wants to ensure high availability and fast failover. Which TWO actions should the engineer take? (Select TWO.)

Question 48hardmulti select
Read the full Network Management and Operations explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and Direct Connect. The network team wants to monitor network performance and detect anomalies. Which THREE AWS services should the team use together to achieve this goal? (Select THREE.)

Question 49mediummulti select
Read the full NAT/PAT explanation →

A company has a Direct Connect connection with a private VIF to a VPC. The network engineer needs to ensure that traffic from the on-premises network to the VPC uses the Direct Connect path, while internet-bound traffic from the VPC uses an Internet Gateway. Which TWO configurations are required? (Select TWO.)

Question 50hardmulti select
Read the full Network Management and Operations explanation →

A company is using AWS Global Accelerator to improve performance for a global application. The application uses an Application Load Balancer (ALB) in each region. The network team wants to ensure that traffic is distributed evenly across regions and that failover happens quickly. Which THREE steps should the team take? (Select THREE.)

Question 51mediummultiple choice
Read the full VPN explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that traffic between two VPCs in different regions is being dropped intermittently. What is the most likely cause?

Question 52easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting high latency on an AWS Direct Connect connection. The engineer checks the CloudWatch metrics for the virtual interface and sees that 'ConnectionBpsEgress' and 'ConnectionBpsIngress' are both below 50% of the provisioned bandwidth. Which additional metric should be examined to identify potential bufferbloat?

Question 53hardmultiple choice
Read the full Network Management and Operations explanation →

A company has a multi-account AWS environment using AWS Organizations. They want to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the management account. The management account S3 bucket policy allows the log delivery service to write logs. However, flow logs are failing to deliver from member accounts. What is the most likely reason?

Question 54mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices intermittent packet loss and latency spikes during peak hours. Which action should the team take to diagnose the issue?

Question 55mediummultiple choice
Open the full BGP breakdown →

A network engineer is designing a hybrid network with AWS Direct Connect and a VPN backup. The company has multiple VPCs connected to an AWS Transit Gateway. The on-premises network advertises the same prefixes over both Direct Connect (via private VIF) and VPN (via BGP). The engineer wants to ensure that traffic from the VPCs to on-premises prefers the Direct Connect path. What should the engineer do?

Question 56hardmultiple choice
Review the full routing breakdown →

A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region but different accounts. The engineer verifies that the route tables and security group rules are correctly configured. However, instances in VPC A cannot ping instances in VPC B. What is the most likely cause?

Question 57easymultiple choice
Read the full VPN explanation →

A company uses AWS Client VPN to provide remote access to its corporate network. Users report that they can connect to the VPN but cannot reach resources in the VPC. The VPN is configured with mutual authentication and authorization rules. What should the network engineer verify first?

Question 58easymultiple choice
Read the full Network Management and Operations explanation →

A company wants to monitor network traffic between its EC2 instances and determine which IP addresses are generating the most traffic. Which AWS service should be used to capture and analyze this traffic?

Question 59hardmultiple choice
Read the full Network Management and Operations explanation →

A company has a Direct Connect connection with a private VIF and a public VIF. The private VIF is used to access VPC resources, and the public VIF is used to access AWS public services. Recently, the company enabled AWS Global Accelerator for its application. The network team notices that traffic to the application via Global Accelerator is not using the Direct Connect connection but is going over the internet. What should the team do to ensure traffic uses the Direct Connect public VIF?

Question 60hardmultiple choice
Review the full subnetting walkthrough →

A company has an AWS Direct Connect connection with a private VIF to a VPC. They notice that traffic from the on-premises network to the VPC is being routed through the internet instead of the Direct Connect. The VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely cause?

Question 61mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has a NAT Gateway in the public subnet. The network team notices that instances in the private subnets cannot reach the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT Gateway. What could be the issue?

Question 62mediummultiple choice
Review the full routing breakdown →

A company uses AWS Global Accelerator to improve performance for a global application. The application is deployed in two AWS regions behind Network Load Balancers. Users in Asia report high latency even though the accelerator should route them to the nearest endpoint. What is the most likely reason?

Question 63easymultiple choice
Read the full VPN explanation →

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure that if the primary VPN tunnel goes down, traffic automatically fails over to the secondary tunnel. Which configuration is required?

Question 64easymultiple choice
Study the full ACL explanation →

A network engineer is monitoring network traffic using VPC Flow Logs. The engineer wants to capture traffic that is rejected by security groups and network ACLs. Which flow log format should be used?

Question 65hardmultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path, going through the on-premises network instead of staying within AWS. What is the most likely cause?

Question 66hardmultiple choice
Open the full BGP breakdown →

A company is migrating its on-premises data center to AWS. The network team needs to establish a site-to-site VPN connection with dynamic routing using BGP. The on-premises router supports BGP but does not support BGP communities. The VPN connection is established, but the VPC does not learn the on-premises routes. What is the most likely cause?

Question 67mediummultiple choice
Read the full Network Management and Operations explanation →

A company has a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic only from the ALB security group. However, the health checks are failing. What is the most likely cause?

Question 68mediummulti select
Review the full subnetting walkthrough →

A network engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a public subnet and an on-premises server over AWS Direct Connect. The instance can reach the internet but cannot reach the on-premises server. Which TWO actions should the engineer take to diagnose the issue?

Question 69easymultiple choice
Read the full Network Management and Operations explanation →

A company is deploying a web application on EC2 instances behind an ALB. The application must be accessible only over HTTPS. Which security group rule should be added to the ALB security group?

Question 70mediummulti select
Read the full VPN explanation →

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure high availability by using two tunnels. Which two components must be configured to achieve this? (Choose TWO.)

Question 71hardmulti select
Read the full Network Management and Operations explanation →

A company is using AWS Transit Gateway with multiple VPCs and Direct Connect Gateway. They want to ensure that traffic between VPCs and on-premises is encrypted. Which TWO solutions can achieve this?

Question 72hardmulti select
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect with a private VIF to connect to multiple VPCs in the same region. The company wants to use AWS Transit Gateway to simplify management. Which three components are required to achieve this? (Choose THREE.)

Question 73mediummulti select
Read the full VPN explanation →

A network engineer is configuring a site-to-site VPN connection between an on-premises network and AWS. The VPN tunnel is established, but traffic is not flowing. Which THREE components should the engineer check?

Question 74mediummulti select
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer wants to use monitoring tools to identify the source of the latency. Which two AWS services can provide metrics and logs to help diagnose the issue? (Choose TWO.)

Question 75mediummultiple choice
Read the full DHCP explanation →

A network engineer is troubleshooting an issue where an EC2 instance launched in VPC vpc-0abcd1234efgh5678 cannot resolve DNS names for other instances using their private DNS names. The VPC has DHCP options set with domain-name-servers=AmazonProvidedDNS. What is the most likely cause?

Network Topology
$ aws ec2 describe-vpc-attributevpc-id vpc-0abcd1234efgh5678attribute enableDnsHostnamesRefer to the exhibit.```"VpcId": "vpc-0abcd1234efgh5678","EnableDnsHostnames": {"Value": false
Question 76mediummultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic is intermittently dropping and the BGP session between the on-premises router and the AWS Direct Connect virtual interface goes down. Which configuration should be checked first to resolve this issue?

Question 77hardmultiple choice
Read the full Network Management and Operations explanation →

A network engineer is configuring VPC Flow Logs to deliver to an S3 bucket in a different account. The bucket policy is shown. The flow logs are not being delivered. What is the most likely reason?

Exhibit

Refer to the exhibit.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-flow-logs-bucket/AWSLogs/*",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:*"
        }
      }
    }
  ]
}
```
Question 78hardmultiple choice
Read the full Network Management and Operations explanation →

A network engineer is designing a multi-region architecture using AWS Transit Gateway and wants to minimize inter-region latency for data transfer between VPCs. The application requires high throughput and low latency. Which design should be used?

Question 79easymultiple choice
Study the full ACL explanation →

A network engineer is troubleshooting SSH connectivity to an EC2 instance in subnet subnet-0abcd1234efgh5678, which is associated with the network ACL shown. The security group allows inbound SSH. Why can't the engineer SSH to the instance?

Network Topology
$ aws ec2 describe-network-aclsfilters Name=vpc-idRefer to the exhibit.```"NetworkAcls": ["NetworkAclId": "acl-0abcd1234efgh5678","VpcId": "vpc-0abcd1234efgh5678","Entries": ["RuleNumber": 100,"Protocol": "6","RuleAction": "allow","Egress": false,"CidrBlock": "0.0.0.0/0","PortRange": {"From": 22,"To": 22},"RuleNumber": 200,"RuleAction": "deny","RuleNumber": 300,"Protocol": "-1","CidrBlock": "0.0.0.0/0"
Question 80easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance has a route to a NAT Gateway in the public subnet. However, the instance cannot reach the internet. Which step should the network engineer take to troubleshoot?

Question 81easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to capture TCP traffic between an EC2 instance (eni-abc123) and an RDS instance (eni-def456) in the same VPC for troubleshooting. Which AWS service should be used to capture the traffic and store it in S3?

Question 82mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its data center to a VPC. The network team needs to ensure high availability and failover in case the primary connection fails. Which solution provides the most cost-effective high availability?

Question 83mediummultiple choice
Read the full VPN explanation →

A company has deployed a transit gateway with multiple VPC attachments and VPN attachments. The network team notices that traffic between two VPCs is taking an unexpected path and experiencing high latency. Which tool should be used to trace the path and identify the specific transit gateway route table that is being used?

Question 84hardmultiple choice
Review the full subnetting walkthrough →

A network engineer is troubleshooting connectivity issues between two VPCs that are connected via VPC peering. The VPCs are in the same region and have overlapping CIDR blocks. The engineer can ping the private IP of an instance in the peered VPC from an instance in the first VPC. However, traffic on TCP port 443 (HTTPS) fails. Which is the most likely cause?

Question 85easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They want to centrally manage and inspect all traffic between subnets using a security appliance. Which AWS service should be used to achieve this?

Question 86hardmultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect with a private VIF to connect to a VPC. The on-premises network team reports that they can ping the VPC's private IP addresses but cannot establish TCP connections to an EC2 instance's private IP. The security groups and NACLs are configured to allow the traffic. What is the most likely cause of this issue?

Question 87mediummultiple choice
Read the full Network Management and Operations explanation →

A company has multiple AWS accounts and wants to centralize VPC flow logs for analysis. The flow logs are published to Amazon S3 in each account. A central account needs to access these logs. Which solution meets the requirements with the least operational overhead?

Question 88mediummultiple choice
Read the full VPN explanation →

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel status shows 'UP' but traffic is not passing. The engineer checks the route tables and finds that the VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely missing configuration?

Question 89hardmultiple choice
Read the full VPN explanation →

A network engineer is configuring an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer creates a customer gateway, VPN connection, and virtual private gateway. The VPN tunnel status shows 'down'. Which configuration step is most likely missing?

Question 90hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance is associated with an Elastic IP address. The route table for the private subnet has a default route (0.0.0.0/0) pointing to a NAT gateway. The NAT gateway is in the public subnet and has an Elastic IP. Despite this, the instance cannot reach the internet. The security groups and NACLs are properly configured. What is the likely cause?

Question 91mediummultiple choice
Read the full Network Management and Operations explanation →

A company has a VPC with resources that need to access an S3 bucket in the same region. To minimize latency and avoid internet traffic, which configuration should be used?

Question 92easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to monitor the number of packets dropped by a VPC flow log for a specific network interface. Which Amazon CloudWatch metric should be used?

Question 93mediummulti select
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and a VPC over a Direct Connect connection. The engineer reviews the CloudWatch metrics for the virtual interface and sees an increase in 'ConnectionReset' and 'PacketDropRate'. Which TWO actions should the engineer take to resolve the issue? (Choose TWO.)

Question 94hardmultiple choice
Read the full Network Management and Operations explanation →

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They want to ensure that traffic from on-premises to a specific VPC uses a specific VIF for security compliance. The VPC is associated with a virtual private gateway. Which configuration ensures this?

Question 95hardmulti select
Review the full routing breakdown →

A company has a global application deployed across multiple AWS regions. The application uses Application Load Balancers (ALBs) and Auto Scaling groups. The network team wants to route traffic to the nearest region based on latency, and also wants to failover to another region if the primary region becomes unhealthy. Which THREE services should be used together to achieve this? (Choose THREE.)

Question 96easymulti select
Read the full Network Management and Operations explanation →

A company wants to monitor network traffic in its VPC for security analysis and troubleshooting. Which TWO AWS services can be used to capture and analyze IP traffic information? (Choose TWO.)

Question 97mediummultiple choice
Review the full routing breakdown →

A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC peering connection is active, and the route tables have appropriate routes. However, instances in VPC A cannot reach instances in VPC B. The security groups in both VPCs allow all traffic. What is the most likely issue?

Question 98mediummultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team notices increased latency and packet loss during peak hours. The Direct Connect virtual interface (VIF) is configured as a private VIF to a VPC. What is the MOST likely cause of the issue?

Question 99easymultiple choice
Read the full NAT/PAT explanation →

A company wants to centralize VPC flow log management from multiple accounts into a single S3 bucket in the management account. Which combination of AWS services should be used?

Question 100easymultiple choice
Read the full VPN explanation →

A network engineer needs to monitor traffic between a VPC and an on-premises network over an AWS Site-to-Site VPN. Which AWS service should be used to capture packet-level information for troubleshooting?

Question 101mediummulti select
Open the full BGP breakdown →

A network engineer is diagnosing connectivity issues between an on-premises network and AWS over a Direct Connect connection. The BGP session is established, and the engineer can ping the VPC's private IP addresses. However, TCP connections to EC2 instances are failing. Which TWO actions should the engineer take to identify the issue?

Question 102hardmulti select
Read the full Network Management and Operations explanation →

A company has a multi-account AWS environment using AWS Transit Gateway with multiple VPC attachments. The network team wants to centralize logging of all network traffic crossing the Transit Gateway. Which TWO services can be used together to achieve this?

Question 103hardmulti select
Read the full VPN explanation →

A company is using a transit gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that some VPCs can communicate with each other but not with the on-premises network. The transit gateway route tables are configured correctly. Which TWO configurations should the team check?

Question 104mediummultiple choice
Read the full DNS explanation →

A network engineer created a VPC interface endpoint for a third-party SaaS service using AWS PrivateLink. The endpoint shows 'available' state, but on-premises clients cannot connect to the service via the private endpoint DNS name. What is the MOST likely reason?

Network Topology
$ aws ec2 describe-vpc-endpointsregion us-east-1Refer to the exhibit.```"VpcEndpoints": ["VpcEndpointId": "vpce-0a1b2c3d4e5f6g7h8","VpcId": "vpc-12345678","ServiceName": "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0","State": "available","VpcEndpointType": "Interface","SubnetIds": ["subnet-11111111", "subnet-22222222"],"NetworkInterfaceIds": ["eni-abcdef01", "eni-23456789"],"PrivateDnsEnabled": true
Question 105easymulti select
Read the full Network Management and Operations explanation →

A network engineer needs to monitor network performance between two EC2 instances in different Availability Zones. Which THREE metrics from Amazon CloudWatch should the engineer use?

Question 106mediummulti select
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway for outbound internet access. The security team wants to audit all traffic from the private subnets to the internet. Which TWO steps should be taken to capture this traffic?

Question 107hardmultiple choice
Study the full ACL explanation →

A network engineer configured a custom network ACL for a VPC. An EC2 instance in a subnet associated with this ACL cannot receive ping (ICMP) from the internet. The security group allows ICMP. Which rule is causing the issue?

Network Topology
$ aws ec2 describe-network-aclsregion us-west-2filters Name=vpc-idRefer to the exhibit.```"NetworkAcls": ["NetworkAclId": "acl-0123456789abcdef0","VpcId": "vpc-0a1b2c3d4e5f6g7h8","Default": false,"Entries": [
Question 108mediummulti select
Read the full Network Management and Operations explanation →

A company is deploying a new application that requires low latency between EC2 instances. Which THREE placement group strategies should the network engineer consider?

Question 109mediummultiple choice
Open the full BGP breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team wants to monitor BGP session status for all Transit Gateway attachments. Which AWS service should be used?

Question 110mediummultiple choice
Review the full subnetting walkthrough →

A network engineer is troubleshooting why an EC2 instance (with the above security group) is not responding to HTTP requests from the internet. The instance is in a public subnet with an Internet Gateway attached. The route table has a default route to the Internet Gateway. What is the most likely cause?

Network Topology
$ aws ec2 describe-network-interfacesnetwork-interface-ids eni-0a1b2c3d4e5f67890query 'NetworkInterfaces[0].Groups'$ aws ec2 describe-security-groupsgroup-ids sg-0123456789abcdef0query 'SecurityGroups[0].IpPermissions'Refer to the exhibit."GroupId": "sg-0123456789abcdef0","GroupName": "web-sg""FromPort": 80,"IpProtocol": "tcp","IpRanges": ["CidrIp": "10.0.0.0/8"],"Ipv6Ranges": [],"PrefixListIds": [],"ToPort": 80,"UserIdGroupPairs": []
Question 111hardmulti select
Study the full IPv6 explanation →

A company has a VPC with both IPv4 and IPv6 CIDR blocks. The network engineer needs to capture all traffic between the VPC and the internet. Which THREE resources must have VPC Flow Logs enabled?

Question 112hardmultiple choice
Read the full DNS explanation →

A network engineer has created a VPC endpoint for a VPC endpoint service. The endpoint is 'available' but the application cannot connect to the service using the private DNS name. The engineer checks the Route 53 private hosted zone and finds that no record exists for the endpoint. What is the most likely cause?

Network Topology
$ aws ec2 describe-vpc-endpointsvpc-endpoint-ids vpce-0a1b2c3d4e5f67890query 'VpcEndpoints[0].DnsEntries'$ aws ec2 describe-vpc-endpoint-servicesservice-names com.amazonaws.vpce.us-east-1.vpce-svc-1234567890query 'ServiceDetails[0].VpcEndpointPolicyEnabled'Refer to the exhibit."DnsName": "vpce-0a1b2c3d4e5f67890-abcdefgh.vpce-svc-1234567890.us-east-1.vpce.amazonaws.com","HostedZoneId": "Z0123456789ABCDEFGHIJ"true
Question 113hardmultiple choice
Read the full VPN explanation →

A network engineer troubleshoots a VPN connection that shows 'available' state but traffic is not passing. The on-premises firewall logs show that the tunnel is established, but no traffic. The engineer checks the VPN configuration. Based on the exhibit, what is the MOST likely cause of the problem?

Network Topology
$ aws ec2 describe-vpn-connectionsvpn-connection-ids vpn-0123456789abcdef0Refer to the exhibit.```"VpnConnections": ["VpnConnectionId": "vpn-0123456789abcdef0","State": "available","CustomerGatewayConfiguration": "...","VpnGatewayId": "vgw-12345678","Category": "VPN","Options": {"StaticRoutesOnly": false,"TunnelOptions": ["OutsideIpAddress": "203.0.113.1","PreSharedKey": "abc123","CgwInsideIpAddress": "169.254.10.2","VgwInsideIpAddress": "169.254.10.1"},"OutsideIpAddress": "203.0.113.2","PreSharedKey": "def456","CgwInsideIpAddress": "169.254.11.2","VgwInsideIpAddress": "169.254.11.1""Routes": [
Question 114easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The issue occurs only during peak business hours. CloudWatch metrics show increased latency and packet loss at the Direct Connect virtual interface. What is the MOST likely cause?

Question 115easymultiple choice
Read the full Network Management and Operations explanation →

A company needs to centrally manage network security policies across multiple VPCs and on-premises networks. Which AWS service provides a centralized dashboard for managing firewall rules?

Question 116mediummultiple choice
Read the full NAT/PAT explanation →

A company has a hybrid network with multiple VPCs connected via a Transit Gateway. They want to centralize outbound internet traffic through a single VPC with a NAT gateway. The security team requires that all traffic to the internet must be logged. Which solution is MOST operationally efficient?

Question 117mediummulti select
Read the full DNS explanation →

A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway. The network team wants to monitor DNS queries from EC2 instances in private subnets to a custom DNS resolver on-premises over a VPN. Which TWO services can capture this traffic?

Question 118hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They notice that traffic from on-premises to a VPC is being dropped. The VPC is associated with a private VIF. The on-premises router has a BGP route to the VPC's CIDR. The VPC's route table has a route to the virtual private gateway. What is the MOST likely cause of the dropped traffic?

Question 119easymultiple choice
Read the full NAT/PAT explanation →

A network engineer needs to verify the routing path between two EC2 instances in different subnets within the same VPC. Which AWS tool can provide this information?

Question 120mediummultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Transit Gateway with multiple VPC attachments. They need to ensure that traffic between two specific VPCs is encrypted in transit. The VPCs are in the same AWS region. What is the SIMPLEST solution?

Question 121mediummultiple choice
Read the full Network Management and Operations explanation →

A network engineer created an IAM policy for a user to manage VPC Flow Logs. The user reports they cannot create flow logs and receive an 'AccessDenied' error. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateFlowLogs",
        "ec2:DescribeFlowLogs",
        "ec2:DeleteFlowLogs"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/vpc-flow-logs/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::123456789012:role/FlowLogsRole"
    }
  ]
}
```
Question 122easymultiple choice
Read the full VPN explanation →

A network engineer is setting up a site-to-site VPN connection between an on-premises network and AWS. After configuring the customer gateway, virtual private gateway, and VPN tunnel, the tunnel status shows 'DOWN'. Which step should the engineer take FIRST to troubleshoot?

Question 123hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets across Availability Zones. An application load balancer (ALB) is deployed in public subnets. The network team notices that traffic from the ALB to targets in private subnets is intermittently failing. The targets are healthy. What is the MOST likely cause?

Question 124hardmultiple choice
Review the full routing breakdown →

A financial company has a multi-account AWS environment using AWS Organizations. They have deployed a centralized inspection VPC with a third-party firewall appliance. All VPCs are attached to a Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by the firewall. The firewall is deployed in an Auto Scaling group behind a Network Load Balancer (NLB). What is the BEST way to route traffic to the firewall?

Question 125mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection in real time. Which AWS service should be used?

Question 126mediummultiple choice
Read the full NAT/PAT explanation →

A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. The two connections will terminate on different AWS Direct Connect locations. Which configuration will provide the HIGHEST availability?

Question 127mediummultiple choice
Read the full NAT/PAT explanation →

A company's VPC includes a public subnet with a NAT gateway and a private subnet with EC2 instances. The EC2 instances in the private subnet need to access the internet for software updates. The NAT gateway's Elastic IP is associated correctly, and the route tables are configured. However, the EC2 instances cannot reach the internet. What is the most likely cause?

Question 128easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting intermittent connectivity issues between two VPCs that are peered. The VPC peering connection is in the 'active' state. ICMP ping from an instance in VPC A to an instance in VPC B fails intermittently. What is the most likely cause?

Question 129easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The private subnets need internet access for software updates. The company wants to minimize costs and management overhead. Which solution should they use?

Question 130hardmultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that the BGP session for the public VIF is flapping intermittently. Which configuration change on the customer router would most likely stabilize the BGP session?

Question 131mediummultiple choice
Read the full NAT/PAT explanation →

A company has a Direct Connect connection with a public VIF to access AWS public services. They notice that traffic to Amazon S3 is taking a suboptimal path via the internet instead of the Direct Connect. What is the MOST likely cause?

Question 132mediummultiple choice
Read the full Network Management and Operations explanation →

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for compliance. The logs should be published to a central S3 bucket in the logging account. The logging account has an S3 bucket policy that allows cross-account writes. However, flow logs are not being delivered. What is the most likely missing configuration?

Question 133mediummulti select
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting high latency on a Direct Connect connection. Which TWO actions should the engineer take to diagnose the issue?

Question 134easymultiple choice
Open the full BGP breakdown →

A solutions architect is designing a hybrid network using AWS Transit Gateway with multiple VPN attachments. The on-premises network uses BGP dynamic routing. What is the best practice to achieve high availability and fast failover?

Question 135hardmulti select
Read the full Network Management and Operations explanation →

A company is designing a multi-region network with Direct Connect. They have two Direct Connect connections in each region. They want to achieve the HIGHEST availability and lowest latency for cross-region traffic. Which THREE design elements should they include?

Question 136hardmultiple choice
Read the full VPN explanation →

A company is using AWS Client VPN to provide remote access to employees. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a subnet, and authorization rules are configured. What is the most likely cause?

Question 137easymulti select
Read the full Network Management and Operations explanation →

A company wants to monitor network traffic between two VPCs connected via a Transit Gateway. Which THREE AWS services can be used to capture and analyze this traffic?

Question 138mediummultiple choice
Review the full subnetting walkthrough →

A network engineer notices that traffic from an EC2 instance in a public subnet to the internet is not working. The instance has a public IP assigned and is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What should the engineer check next?

Question 139mediummultiple choice
Read the full Network Management and Operations explanation →

Refer to the exhibit. A network engineer has established a VPC peering connection between VPC A (10.0.0.0/16) in account 111111111111 and VPC B (192.168.0.0/16) in account 222222222222. The peering connection status is 'active'. However, instances in VPC A cannot reach instances in VPC B. What is the MOST likely cause?

Network Topology
$ aws ec2 describe-vpc-peering-connectionsvpc-peering-connection-ids pcx-12345678Refer to the exhibit.```"VpcPeeringConnections": ["Status": {"Code": "active","Message": "Active"},"AccepterVpcInfo": {"OwnerId": "111111111111","VpcId": "vpc-aaaaaaaa","CidrBlock": "10.0.0.0/16""RequesterVpcInfo": {"OwnerId": "222222222222","VpcId": "vpc-bbbbbbbb","CidrBlock": "192.168.0.0/16""Tags": []
Question 140easymultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company wants to ensure that traffic to the VPC uses the Direct Connect connection instead of the internet. Which configuration is required?

Question 141hardmultiple choice
Read the full Network Management and Operations explanation →

Refer to the exhibit. The IAM policy above is attached to a user in account A (123456789012). The user needs to create a VPC peering connection with account B and accept it. The user in account A can create the peering request, but the accept fails with an 'UnauthorizedOperation' error. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcPeeringConnection",
                "ec2:AcceptVpcPeeringConnection",
                "ec2:DeleteVpcPeeringConnection"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateRoute",
                "ec2:DeleteRoute",
                "ec2:ModifyVpcPeeringConnectionOptions"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc-peering-connection/*"
        }
    ]
}
```
Question 142hardmultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that some VPCs cannot communicate with each other even though they are attached to the same transit gateway. What is the most likely cause?

Question 143mediummultiple choice
Open the full BGP breakdown →

Refer to the exhibit. A Direct Connect private virtual interface is in the 'available' state, and the BGP session is up. However, the on-premises network cannot reach any resources in the VPC attached to the Direct Connect gateway. What is the MOST likely cause?

Network Topology
$ aws directconnect describe-virtual-interfacesvirtual-interface-id dxvif-12345678Refer to the exhibit.```"virtualInterfaces": ["virtualInterfaceId": "dxvif-12345678","virtualInterfaceName": "PrivateVIF","virtualInterfaceType": "private","virtualInterfaceState": "available","customerAddress": "169.254.10.1/30","amazonAddress": "169.254.10.2/30","bgpPeers": ["bgpPeerState": "up","bgpStatus": "up","amazonAddress": "169.254.10.2/30"],"vlan": 100,"asn": 65000,"authKey": "ABCDEF123456","directConnectGatewayId": "dxgw-11111111"
Question 144mediummulti select
Read the full Network Management and Operations explanation →

Which TWO configuration steps are required to enable VPC Flow Logs to be published to an S3 bucket in a different AWS account? (Select TWO.)

Question 145mediummulti select
Read the full Network Management and Operations explanation →

A company is designing a highly available Direct Connect connection. Which THREE components should be deployed to meet this requirement? (Select THREE.)

Question 146mediummultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect and VPN as backup. The network team notices that during a VPN failover, traffic drops for several minutes. The VPN tunnels are configured with BGP dynamic routing. Which configuration change would MOST likely reduce failover time?

Question 147mediummulti select
Open the full BGP breakdown →

Which TWO actions should a network engineer take to troubleshoot a BGP session that is not establishing between an on-premises router and AWS Direct Connect? (Select TWO.)

Question 148easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to monitor network traffic to an Amazon RDS instance for security analysis. Which AWS service should be used to capture and analyze network traffic?

Question 149hardmultiple choice
Read the full Network Management and Operations explanation →

An engineer is trying to create a VPC Flow Log that delivers to a CloudWatch Logs log group in the same account. The IAM role used has the above trust policy. However, the flow log creation fails with an error. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vpc-flow-logs.amazonaws.com"
      },
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:my-flow-logs:*"
    }
  ]
}
```
Question 150hardmultiple choice
Open the full BGP breakdown →

A company has a hybrid network with multiple AWS Direct Connect connections to different VPCs. The on-premises network uses BGP to advertise prefixes to AWS. The network team notices that some on-premises prefixes are not being received by the VPCs. What is the MOST likely cause?

Question 151mediummultiple choice
Review the full subnetting walkthrough →

An EC2 instance with the attached network interface shown above is unable to reach the internet. The instance is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What is the most likely cause?

Network Topology
$ aws ec2 describe-network-interfacesfilters Name=group-idRefer to the exhibit.```"NetworkInterfaces": ["NetworkInterfaceId": "eni-0abcdef1234567890","Description": "","Groups": ["GroupId": "sg-12345678","GroupName": "my-security-group"],"SourceDestCheck": true,"Attachment": {"InstanceId": "i-0abcdef1234567890","Status": "attached"
Question 152mediummultiple choice
Review the full routing breakdown →

A company uses a centralized inspection VPC for traffic inspection. All VPCs route traffic to the inspection VPC via Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by a network virtual appliance in the inspection VPC. Which Transit Gateway feature should be configured?

Question 153mediummultiple choice
Open the full BGP breakdown →

An engineer is troubleshooting connectivity from on-premises to a VPC via Direct Connect private VIF. The BGP session is up, traffic is flowing, but the on-premises network cannot reach some subnets in the VPC. The VPC CIDR is 10.0.0.0/16. What is the most likely cause based on the exhibit?

Network Topology
$ aws directconnect describe-virtual-interfacesvirtual-interface-id dxvif-ffhhg748Refer to the exhibit.```"virtualInterfaces": ["ownerAccount": "123456789012","virtualInterfaceId": "dxvif-ffhhg748","location": "EqDC2","connectionId": "dxcon-ffhhg748","virtualInterfaceType": "private","virtualInterfaceName": "MyPrivateVIF","vlan": 100,"asn": 64512,"authKey": "","amazonAddress": "169.254.10.1/30","customerAddress": "169.254.10.2/30","addressFamily": "ipv4","virtualInterfaceState": "available","customerRouterConfig": {"routerConfig": {"routerConfigIdentifier": "Cisco-IOS-XR","routerConfigSnippet": "..."},"routeFilterPrefixes": [{"cidr": "10.0.0.0/16"}],"bgpPeers": ["bgpPeerId": "dxbgp-ffhhg748","bgpPeerState": "up"
Question 154easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting high latency to an application hosted in Amazon EC2. The application uses an Application Load Balancer. Which metrics in Amazon CloudWatch should be examined to identify if the load balancer is causing latency?

Question 155mediummultiple choice
Read the full Network Management and Operations explanation →

A company has a Direct Connect connection with a private VIF to a VPC. The network team notices intermittent packet loss on the link. CloudWatch metrics show no errors on the connection. What should the team do next to isolate the issue?

Question 156hardmultiple choice
Review the full routing breakdown →

A company has a global application deployed across multiple AWS Regions. Users are routed to the nearest Region using Amazon Route 53. The application uses an Application Load Balancer in each Region. The network team wants to ensure that traffic is always routed to a healthy Region in case of a Regional failure. Which Route 53 routing policy should be used?

Question 157hardmultiple choice
Open the full BGP breakdown →

A network engineer is troubleshooting an issue where an on-premises server cannot reach an EC2 instance in a VPC over a Site-to-Site VPN. The VPN tunnel is up, and BGP is established. The engineer checks the route tables and sees the on-premises CIDR in the VPC route table pointing to the virtual private gateway. What is the most likely cause?

Question 158mediummultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The network team notices that S3 traffic is taking a suboptimal path over the internet instead of the Direct Connect. Which configuration is MOST likely missing?

Question 159easymultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team wants to monitor the amount of data transferred between VPCs for cost allocation. Which AWS feature should they use?

Question 160mediummultiple choice
Read the full Network Management and Operations explanation →

An organization has a multi-account setup using AWS Organizations. The security team wants to centrally manage and enforce security group rules across all VPCs in all accounts. Which solution should they implement?

Question 161easymultiple choice
Read the full DNS explanation →

A network engineer needs to capture and analyze DNS query logs generated by Amazon Route 53. Which AWS service should be used to store and query these logs?

Question 162hardmultiple choice
Review the full routing breakdown →

A company has a Direct Connect connection with a public VIF to access AWS public services. The on-premises network team reports that they can reach S3 but not DynamoDB. The route table on the customer router shows a default route to the public VIF. What is the most likely cause?

Question 163hardmultiple choice
Read the full NAT/PAT explanation →

A company has a multi-account AWS environment using AWS Transit Gateway. The network team wants to centralize network logging from all accounts into a single account for analysis. Which combination of services should be used to achieve this?

Question 164easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. Which AWS service should be used?

Question 165mediummulti select
Read the full VPN explanation →

A network engineer is diagnosing a connectivity issue between an on-premises network and an Amazon VPC connected via a site-to-site VPN. The VPN tunnel is up, but traffic is not reaching the VPC. Which TWO actions should the engineer take to troubleshoot the issue? (Choose two.)

Question 166mediummultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect with a private VIF to connect to a VPC. They want to ensure high availability by having a second Direct Connect connection. Which configuration provides the most resilient setup?

Question 167hardmulti select
Open the full BGP breakdown →

A company is designing a highly available hybrid network using two AWS Direct Connect connections from different providers. The company wants to use BGP to advertise the same on-premises prefixes to AWS. Which THREE practices should be followed to ensure high availability and optimal traffic flow? (Choose three.)

Question 168hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket. The VPC has a NAT Gateway in the public subnet. The security group for the EC2 instance allows outbound HTTPS to 0.0.0.0/0. The NACL for the private subnet allows outbound HTTPS to 0.0.0.0/0 and inbound ephemeral ports from 0.0.0.0/0. The instance still cannot reach S3. What is the most likely cause?

Question 169easymulti select
Read the full Network Management and Operations explanation →

A network engineer is setting up a VPC peering connection between two VPCs in the same AWS account and Region. Which TWO steps are required to enable communication between instances in the peered VPCs? (Choose two.)

Question 170mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to limit traffic between specific VPCs for security purposes. Which feature should they use?

Question 171easymultiple choice
Open the full BGP breakdown →

A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a VPC and an on-premises data center over a Direct Connect virtual interface. The engineer notices that the BGP session is flapping. Which configuration should the engineer verify first?

Question 172hardmulti select
Review the full routing breakdown →

A network engineer is diagnosing a connectivity issue between two VPCs connected via VPC peering. The engineer has confirmed that the route tables in both VPCs have appropriate routes and the security groups allow traffic. However, traffic from VPC A to VPC B fails. Which TWO steps should the engineer take to troubleshoot? (Select TWO.)

Question 173easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to access the internet. The instance has a route table with a default route to a NAT gateway. However, the instance cannot reach the internet. What is the most likely cause?

Question 174mediummulti select
Read the full Network Management and Operations explanation →

A company is deploying a new application across multiple Availability Zones in a single region. The application requires low-latency communication between instances in different AZs. Which THREE design choices help achieve high availability and low latency? (Select THREE.)

Question 175mediummultiple choice
Open the full BGP breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. After adding a new VPC attachment, traffic from the on-premises network cannot reach the new VPC. The on-premises BGP route table shows the prefixes of the new VPC as received. What should the engineer check?

Question 176easymulti select
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while blocking inbound internet traffic. Which TWO components are required? (Select TWO.)

Question 177mediummultiple choice
Open the full BGP breakdown →

A company is experiencing intermittent connectivity issues between a VPC and an on-premises data center over an AWS Direct Connect connection. The network engineer checks the Direct Connect virtual interface status and sees it is 'up'. However, BGP sessions are flapping. Which action should the engineer take to diagnose the issue?

Question 178mediummultiple choice
Read the full Network Management and Operations explanation →

A company has a global application deployed across multiple AWS regions using Application Load Balancers (ALBs) and AWS Global Accelerator. Users in Asia report high latency. The network team wants to monitor the performance of the Global Accelerator endpoints. Which AWS service should they use to collect and analyze network metrics?

Question 179hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting high latency on an AWS Transit Gateway attachment to a VPN. The VPN tunnel is established, and traffic flows, but latency spikes are observed during peak hours. The engineer suspects packet loss. Which diagnostic step should be taken first?

Question 180hardmultiple choice
Open the full BGP breakdown →

A network engineer is designing a hybrid network with Direct Connect and VPN backup. The company has multiple VPCs connected via Transit Gateway. They want to use BGP to exchange routes. Which BGP feature should be configured to fail over from Direct Connect to VPN if the Direct Connect link goes down?

Question 181easymultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS CloudFormation to manage its network infrastructure. After a recent update, the stack fails to update, with an error indicating that a security group rule conflicts with an existing rule. What is the most likely cause?

Question 182hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to a partner VPC with CIDR 10.0.0.0/16. Both VPCs are in the same region. They want to use VPC Peering. After creating the peering connection and adding routes, connectivity fails. What is the most likely cause?

Question 183mediummultiple choice
Read the full Network Management and Operations explanation →

A company is designing a multi-region architecture using AWS Transit Gateway inter-region peering. They need to ensure that traffic between VPCs in different regions can traverse the TGW peering attachment without being inspected by a central security appliance. Which configuration should be used?

Question 184easymultiple choice
Read the full Network Management and Operations explanation →

A company wants to monitor network traffic to and from an EC2 instance to detect anomalous outbound traffic. Which AWS service should they use to capture and analyze the traffic?

Question 185hardmultiple choice
Open the full BGP breakdown →

A network engineer is configuring an AWS Site-to-Site VPN with dynamic routing (BGP). The customer gateway device is a Cisco router. The VPN tunnel is established, but BGP is not forming. Which configuration on the Cisco router is most likely missing?

Question 186mediummultiple choice
Review the full subnetting walkthrough →

A company has a Direct Connect connection with a private virtual interface. The on-premises network team reports that they cannot reach EC2 instances in a VPC. The VPC has a virtual private gateway attached. The route table in the VPC has a route to the on-premises CIDR via the virtual private gateway. What should the network engineer verify?

Question 187mediummultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team notices that traffic from on-premises to an EC2 instance in the VPC is taking a suboptimal path through the internet instead of the Direct Connect. What is the most likely cause?

Question 188hardmultiple choice
Read the full VPN explanation →

A company uses AWS Direct Connect and VPN as backup. They have a Transit Gateway with multiple VPC attachments. The network engineer wants to ensure that traffic uses Direct Connect when available and fails over to VPN. Which configuration should be applied?

Question 189easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to capture and analyze traffic crossing a VPC peering connection for troubleshooting. Which AWS service should be used?

Question 190mediummulti select
Read the full Network Management and Operations explanation →

A company is troubleshooting a slow network connection between two EC2 instances in the same VPC but different Availability Zones. Which TWO tools can be used to measure throughput and diagnose performance issues?

Question 191mediummultiple choice
Read the full MPLS explanation →

A company is migrating from a legacy MPLS network to AWS using Direct Connect. The network team wants to ensure high availability with a backup connection. They have two Direct Connect connections from different providers, both terminating at the same AWS Direct Connect location. Which configuration provides the most resilient setup?

Question 192hardmulti select
Read the full Network Management and Operations explanation →

A company has a Direct Connect connection and wants to use it for both private and public resources. Which TWO components are required to achieve this?

Question 193hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a NAT Gateway in the public subnet. However, the instance cannot reach the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause?

Question 194mediummulti select
Read the full Network Management and Operations explanation →

A network engineer is analyzing VPC Flow Logs and notices that some rejected traffic is not logged. Which THREE conditions could cause this?

Question 195mediummulti select
Review the full subnetting walkthrough →

A network engineer is troubleshooting an issue where an EC2 instance in a VPC cannot reach an S3 bucket via a gateway endpoint. The instance is in a private subnet with a route table that has a route for the S3 prefix list pointing to the gateway endpoint. Which TWO actions should the engineer take to diagnose the problem?

Question 196mediummultiple choice
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting an AWS Lambda function that needs to create and manage ENIs in a VPC. The Lambda function is unable to create ENIs. The IAM policy attached to the Lambda execution role is shown in the exhibit. What is the issue?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        }
    ]
}
```
Question 197hardmulti select
Review the full routing breakdown →

A company is deploying a multi-tier application across two Availability Zones. The web tier must be highly available and scale based on traffic. The application load balancer (ALB) is internet-facing. Which TWO configurations are required to ensure the ALB can route traffic to the web instances across both AZs?

Question 198hardmultiple choice
Review the full routing breakdown →

A network engineer ran the command shown in the exhibit to check VPC peering connections. Two peering connections are active. The engineer wants to verify that routes are correctly configured. What additional step is needed to ensure that instances in vpc-11111111 can communicate with instances in vpc-33333333?

Network Topology
$ aws ec2 describe-vpc-peering-connectionsquery 'VpcPeeringConnections[*].{}'output table+Refer to the exhibit.```PeeringConnectionId: VpcPeeringConnectionId,Status: Status.Code,RequesterVpc: AccepterVpcInfo.VpcId,AccepterVpc: AccepterVpcInfo.VpcId| DescribeVpcPeeringConnections || PeeringConnectionId|Status| RequesterVpc || pcx-12345678 |active| vpc-11111111 || pcx-23456789 |active| vpc-22222222 || AccepterVpc || vpc-33333333 || vpc-44444444 |
Question 199mediummulti select
Read the full Network Management and Operations explanation →

A network team is planning a migration of a legacy application to AWS. The application requires a static IP address for the on-premises firewall whitelist. Which THREE AWS services can provide a static IP address for outbound traffic from a VPC?

Question 200mediummultiple choice
Read the full Network Management and Operations explanation →

A network engineer is monitoring a Direct Connect connection. The exhibit shows CloudWatch metric data for the ConnectionState metric. The engineer sees that the average value is 0.0 for most of the day. What does this indicate?

Network Topology
$ aws cloudwatch get-metric-statisticsnamespace AWS/DXmetric-name ConnectionStatedimensions Name=ConnectionIdstatistics Averageperiod 300start-time 2023-01-01T00:00:00Zend-time 2023-01-02T00:00:00ZRefer to the exhibit.```"Label": "ConnectionState","Datapoints": ["Timestamp": "2023-01-01T00:00:00Z","Average": 0.0},"Timestamp": "2023-01-01T01:00:00Z","Timestamp": "2023-01-01T02:00:00Z","Average": 1.0...
Question 201mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic from on-premises to the VPC is intermittently dropping. You check the Direct Connect virtual interface status and find it is 'down'. Which AWS service should you use to troubleshoot the physical layer connectivity?

Question 202easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting high latency between two EC2 instances in the same VPC but different Availability Zones. Which AWS service can provide detailed network performance metrics to identify the source of latency?

Question 203mediummultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic from a specific VPC to an on-premises network is being dropped. All other VPCs can reach the on-premises network. Which configuration should be checked first?

Question 204hardmultiple choice
Read the full NAT/PAT explanation →

A company has a hybrid network with multiple AWS Direct Connect connections to multiple VPCs. They want to monitor network performance and receive alerts when latency exceeds a threshold. Which combination of AWS services should be used to achieve this?

Question 205easymultiple choice
Review the full subnetting walkthrough →

A network engineer is troubleshooting an issue where an EC2 instance in a public subnet cannot reach the internet. The instance has a public IP, and the route table has a default route to an internet gateway. What is the most likely cause?

Question 206mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets. The security team wants to analyze all traffic to and from the internet for security incidents. Which AWS service should be used to capture and analyze this traffic?

Question 207hardmultiple choice
Read the full Network Management and Operations explanation →

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. They need to ensure that traffic is distributed evenly across regions and that failover happens automatically. Which configuration should they use?

Question 208hardmultiple choice
Read the full Network Management and Operations explanation →

A network engineer is designing a multi-region application that requires low-latency traffic between EC2 instances in two different AWS Regions. The engineer needs to ensure that traffic between the instances uses the AWS global network and not the public internet. Which AWS service should be used?

Question 209easymultiple choice
Read the full Network Management and Operations explanation →

A network administrator is setting up VPC Flow Logs to monitor traffic to an Amazon RDS instance. The logs are sent to Amazon S3. After enabling Flow Logs, the administrator notices that no logs are being delivered. What is the most likely cause?

Question 210easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a NAT gateway in a public subnet. The security team wants to log all outbound traffic from private subnets to the internet. Which AWS service should be used to capture this traffic?

Question 211mediummultiple choice
Open the full BGP breakdown →

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The connection is up, but the network team cannot reach resources in a VPC. The virtual interface is in the 'available' state, and BGP session is established. What should the team check next?

Question 212hardmultiple choice
Read the full VPN explanation →

A company has a VPC with a VPN connection to an on-premises network. The network team reports that the VPN tunnel is flapping intermittently. You need to identify the cause. Which AWS service provides logs that can help troubleshoot the VPN tunnel status?

Question 213mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with multiple subnets and an internet gateway. The security team wants to detect and block malicious traffic patterns. Which AWS service should be used to provide intrusion detection and prevention?

Question 214hardmultiple choice
Read the full Network Management and Operations explanation →

A company has a large AWS environment with hundreds of VPCs connected via Transit Gateway. They want to centrally manage network traffic flow and enforce security policies. Which service should they use to create a central network inspection architecture?

Question 215easymultiple choice
Read the full Network Management and Operations explanation →

A company wants to monitor network traffic between VPCs in the same AWS Region that are connected via VPC Peering. Which AWS service can provide visibility into the traffic?

Question 216mediummultiple choice
Read the full VPN explanation →

A network engineer is monitoring network performance between an EC2 instance and an on-premises server using AWS VPN. The engineer notices intermittent packet loss. Which AWS service can provide detailed network metrics and path visualization to troubleshoot?

Question 217mediummulti select
Read the full VPN explanation →

A network engineer is troubleshooting a VPN connectivity issue. The VPN tunnel is up, but traffic is not passing. Which TWO AWS services should the engineer use to diagnose the problem?

Question 218easymultiple choice
Read the full VPN explanation →

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect but cannot access any resources. The VPN is configured with a security group that allows all traffic. What should the administrator check?

Question 219hardmulti select
Read the full Network Management and Operations explanation →

A company wants to implement a network monitoring solution that provides real-time traffic analysis and anomaly detection. Which THREE AWS services should be used together?

Question 220mediummultiple choice
Read the full Network Management and Operations explanation →

A company has multiple VPCs connected via VPC peering. They want to simplify network management and reduce the number of peering connections. Which AWS service should they use?

Question 221easymulti select
Read the full Network Management and Operations explanation →

A network engineer needs to monitor network performance between an on-premises data center and AWS via Direct Connect. Which TWO metrics should the engineer monitor in Amazon CloudWatch?

Question 222hardmulti select
Read the full NAT/PAT explanation →

Which TWO actions are recommended to troubleshoot asymmetric routing in a VPC with multiple NAT gateways?

Question 223hardmultiple choice
Review the full subnetting walkthrough →

Refer to the exhibit. A company has created a VPC endpoint for S3. However, an EC2 instance in the subnet associated with the route table cannot access S3 via the endpoint. The route table has a route to the endpoint. What is the most likely cause?

Network Topology
$ aws ec2 describe-vpc-endpointsregion us-east-1Refer to the exhibit.```"VpcEndpoints": ["VpcEndpointId": "vpce-0a1b2c3d4e5f6g7h8","VpcId": "vpc-12345678","ServiceName": "com.amazonaws.us-east-1.s3","State": "available","PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}","RouteTableIds": ["rtb-12345678"],"SubnetIds": [],"Groups": [],"PrivateDnsEnabled": false,"NetworkInterfaceIds": ["eni-12345678"]
Question 224mediummulti select
Read the full VPN explanation →

Which THREE factors should be considered when designing a highly available AWS Site-to-Site VPN connection?

Question 225mediummultiple choice
Read the full Network Management and Operations explanation →

Refer to the exhibit. A network engineer is creating an IAM policy to allow a user to manage VPC Peering connections. The user reports that they cannot delete a VPC Peering connection. What should the engineer add to the policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVpcPeeringConnections",
      "Resource": "*"
    }
  ]
}
```
Question 226hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. A network engineer created a NAT gateway in a public subnet, but its state shows 'failed'. What is the most likely cause?

Network Topology
$ aws ec2 describe-nat-gatewaysregion us-east-1Refer to the exhibit.```"NatGateways": ["NatGatewayId": "nat-0a1b2c3d4e5f6g7h8","State": "failed","SubnetId": "subnet-12345678","VpcId": "vpc-12345678","CreateTime": "2023-01-01T00:00:00.000Z","DeleteTime": null,"NatGatewayAddresses": ["AllocationId": "eipalloc-12345678","NetworkInterfaceId": "eni-12345678","PrivateIp": "10.0.1.10","PublicIp": "203.0.113.10"
Question 227easymulti select
Read the full Network Management and Operations explanation →

Which TWO AWS services can be used to centrally manage and monitor network traffic across multiple VPCs and on-premises networks?

Question 228easymultiple choice
Open the full BGP breakdown →

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The engineer notices that BGP sessions are flapping. What should the engineer check first?

Question 229mediummultiple choice
Study the full ACL explanation →

A company is experiencing intermittent SSH connection failures to their EC2 instances in a VPC. The instances are in a private subnet with a NAT gateway. The security group allows inbound SSH from the corporate CIDR. The network ACL is set to default allow all. The route table has a route to the NAT gateway for 0.0.0.0/0. What is the most likely cause of the intermittent failures?

Question 230mediummultiple choice
Read the full VPN explanation →

A company has a transit gateway with multiple VPC attachments and an on-premises VPN connection. The network team is seeing asymmetric routing and packet drops. What should they implement to resolve this?

Question 231hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting high latency on a VPN connection between an on-premises network and AWS. The VPN uses two tunnels to a virtual private gateway. The engineer notices that traffic is only using one tunnel, and the other tunnel is idle. What should the engineer do to ensure both tunnels are utilized?

Question 232hardmultiple choice
Read the full Network Management and Operations explanation →

A financial services company uses AWS Direct Connect to connect its data center to multiple VPCs via a transit gateway. They need to meet PCI DSS compliance requirements by encrypting all traffic between the data center and AWS. What solution meets this requirement with the least operational overhead?

Question 233easymultiple choice
Review the full routing breakdown →

A company uses AWS Direct Connect with a private VIF to connect to their VPC. They want to monitor the network latency between their on-premises router and the AWS Direct Connect location. Which AWS service should they use?

Question 234hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets use a NAT gateway for outbound internet access. The security team notices that some EC2 instances in the private subnets are able to reach the internet, but others are not. All instances have the same security group and are in the same private subnet. What is the most likely cause?

Question 235easymultiple choice
Read the full VPN explanation →

A company uses AWS Client VPN to provide remote access to its VPC. Users report slow connection speeds. The CloudWatch metrics show high packet loss on the VPN connections. What is the most likely cause?

Question 236mediummultiple choice
Read the full Network Management and Operations explanation →

A network engineer is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. The VPCs are in the same region. After accepting the peering request, instances in VPC-A cannot communicate with instances in VPC-B. What should the engineer check first?

Question 237mediummultiple choice
Read the full Network Management and Operations explanation →

A company has deployed a Network Load Balancer (NLB) in front of a fleet of EC2 instances in a VPC. The NLB is configured with a TCP listener on port 443. Clients are experiencing timeouts. The target group health checks are passing. What is the most likely cause?

Question 238hardmultiple choice
Read the full Network Management and Operations explanation →

A company runs a multi-account AWS environment using AWS Organizations. They need to centrally manage VPC flow logs across all accounts and enable analysis for security incidents. The flow logs must be stored in a central S3 bucket in the management account. What is the MOST scalable and cost-effective approach?

Question 239mediummultiple choice
Review the full routing breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to monitor the number of packets dropped due to route table limits. Which CloudWatch metric should they use?

Question 240easymultiple choice
Read the full VPN explanation →

A network engineer is setting up an AWS Site-to-Site VPN connection. The customer gateway device is behind a NAT device that performs PAT. The VPN tunnel fails to come up. What is the most likely cause?

Question 241easymultiple choice
Read the full VPN explanation →

A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach any resources in the VPC. What is the most likely cause?

Question 242mediummultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They notice that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What configuration change should be made to ensure optimal routing?

Question 243hardmultiple choice
Open the full BGP breakdown →

A company has a VPC with an AWS Site-to-Site VPN connection to their on-premises network. The VPN uses dynamic routing with BGP. The on-premises network is advertising a specific route to the VPC. However, instances in the VPC cannot reach the on-premises network. The VPN tunnels are up and BGP sessions are established. What should the engineer check?

Question 244hardmultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF attached to a Direct Connect Gateway. The Direct Connect Gateway is associated with a Transit Gateway. The on-premises network advertises a prefix via BGP, but the prefix does not appear in the Transit Gateway route table. What is the most likely cause?

Question 245easymultiple choice
Open the full BGP breakdown →

A company is using AWS Direct Connect with a private VIF. They want to monitor the BGP session status and receive alerts if the session goes down. Which AWS service should they use?

Question 246easymulti select
Read the full Network Management and Operations explanation →

Which TWO are valid methods to monitor and troubleshoot AWS Direct Connect connections?

Question 247mediummulti select
Read the full Network Management and Operations explanation →

A network engineer is troubleshooting a slow connection between an EC2 instance and an RDS database in the same VPC. The engineer wants to analyze network performance metrics. Which TWO metrics should the engineer examine? (Choose two.)

Question 248mediummulti select
Read the full Network Management and Operations explanation →

Which THREE are best practices for managing network security in a multi-VPC AWS environment using AWS Transit Gateway?

Question 249hardmulti select
Read the full Network Management and Operations explanation →

A company is designing a multi-region architecture with VPCs connected via VPC peering. They need to ensure high availability and low latency. Which THREE design principles should they follow? (Choose three.)

Question 250hardmulti select
Read the full VPN explanation →

Which TWO are requirements for using AWS Client VPN to provide secure remote access?

Question 251easymultiple choice
Review the full routing breakdown →

A network engineer is troubleshooting intermittent connectivity issues between two VPCs connected via a VPC peering connection. The engineer notices that the route tables in both VPCs have the correct routes. What should the engineer check next?

Question 252mediummulti select
Read the full Network Management and Operations explanation →

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. They notice that traffic between VPCs is being dropped intermittently. Which TWO actions should the engineer take to diagnose the issue? (Choose two.)

Question 253mediummultiple choice
Open the full BGP breakdown →

A company has set up a Direct Connect connection with a private VIF to its VPC. The BGP session is up, but traffic is not passing between the on-premises network and the VPC. Which configuration should be verified?

Question 254hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet and a private subnet. The private subnet hosts a web application that needs to access an external API over the internet. The private subnet uses a NAT Gateway in the public subnet for outbound internet access. The web application is failing to reach the external API. The engineer has verified the following: the NAT Gateway has an Elastic IP attached, the route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway, the security group for the web application allows outbound HTTPS (TCP 443) to 0.0.0.0/0, the network ACL for the private subnet allows inbound and outbound TCP ephemeral ports (1024-65535) from and to 0.0.0.0/0, and the IAM role attached to the EC2 instance allows outbound HTTPS. The engineer also confirmed that the NAT Gateway is in the public subnet which has a route to an Internet Gateway. Despite all these checks, the web application still cannot reach the external API. What should the engineer do next?

Question 255hardmultiple choice
Review the full routing breakdown →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. After a network change, some VPCs cannot reach the on-premises network. The Transit Gateway route table shows the correct association and propagation. What is the most likely cause?

Question 256mediummultiple choice
Read the full Network Management and Operations explanation →

A company has deployed a multi-VPC architecture with AWS Transit Gateway. The network team notices that traffic between two VPCs is intermittently dropped. Both VPCs are attached to the same transit gateway. Which action should the network engineer take to troubleshoot the issue?

Question 257easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to monitor the network traffic between EC2 instances in a VPC. Which AWS service should be used to capture IP traffic information?

Question 258hardmultiple choice
Read the full NAT/PAT explanation →

A company uses AWS CloudFormation to deploy a VPC with public and private subnets. The template includes an Internet Gateway and a NAT Gateway. After deployment, instances in the private subnet cannot access the internet. The network engineer checks the route tables and finds that the private subnet route table has a default route pointing to the NAT Gateway. What is the most likely cause of the issue?

Question 259mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has set up a NAT gateway in the public subnet. However, instances in the private subnet cannot reach the internet. What is the most likely cause?

Question 260easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer is monitoring network performance and needs to collect and analyze network metrics from multiple AWS services in a centralized dashboard. Which AWS service should be used to aggregate and visualize these metrics?

Question 261hardmultiple choice
Read the full Network Management and Operations explanation →

A company has multiple AWS accounts and wants to centrally manage network resources using AWS Transit Gateway. Which feature allows sharing the Transit Gateway across accounts?

Question 262mediummultiple choice
Review the full subnetting walkthrough →

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to its VPC. The on-premises network team reports that they can ping the private IP address of an EC2 instance in the VPC, but cannot establish a TCP connection to a web server running on that instance. The network security group allows inbound TCP port 80 from the on-premises CIDR. What should the network engineer check next?

Question 263easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to troubleshoot high latency between two EC2 instances in the same VPC but in different Availability Zones. Which tool should be used to measure network performance?

Question 264mediummultiple choice
Read the full VPN explanation →

A company has set up a Site-to-Site VPN connection between its on-premises network and AWS. The VPN tunnel shows as 'UP' but traffic is not flowing. What should the engineer check?

Question 265hardmultiple choice
Read the full Network Management and Operations explanation →

A company is experiencing high latency for traffic between EC2 instances in the same VPC but in different Availability Zones. The network team suspects the issue is related to the placement group used. The instances are in a spread placement group. What should the network engineer do to reduce latency?

Question 266hardmultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect with multiple virtual interfaces (VIFs) to connect to multiple VPCs. The network team wants to ensure high availability and failover. Which configuration provides the best resiliency?

Question 267easymultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Site-to-Site VPN. The VPN tunnel status shows as UP. The on-premises network can ping the virtual private gateway (VGW) IP address, but cannot reach EC2 instances inside the VPC. What is the most likely cause?

Question 268mediummulti select
Read the full Network Management and Operations explanation →

A company is designing a highly available network architecture using AWS Direct Connect. Which TWO actions should be taken to ensure redundancy?

Question 269mediummultiple choice
Read the full VPN explanation →

A company manages multiple VPCs connected via a transit gateway. Each VPC has a VPN connection to an on-premises data center. The network team wants to monitor the bandwidth utilization on each VPN connection. Which approach is the most efficient?

Question 270hardmulti select
Read the full VPN explanation →

A network engineer is troubleshooting a VPN connection that is not passing traffic. The tunnel status shows as 'UP'. Which THREE steps should the engineer take to diagnose the issue?

Question 271hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a public subnet and a private subnet. The private subnet instances need to make outbound internet requests. A NAT Gateway is deployed in the public subnet. The network engineer notices that instances in the private subnet cannot reach the internet, but the NAT Gateway's Elastic IP is reachable from the internet. Which of the following is the most likely cause?

Question 272easymulti select
Read the full Network Management and Operations explanation →

A company wants to monitor network traffic in its VPC for security analysis. Which TWO AWS services can be used to capture and analyze network traffic?

Question 273easymultiple choice
Read the full VPN explanation →

A network engineer is designing a highly available VPN connection between an on-premises network and AWS. The on-premises network has two internet connections from different ISPs. Which AWS VPN configuration should be used to provide the highest availability?

Question 274hardmultiple choice
Review the full routing breakdown →

A company has a hub-and-spoke network architecture using AWS Transit Gateway. The hub VPC contains a central inspection appliance (NVA) for traffic inspection. Spoke VPCs are attached to the Transit Gateway and have routes pointing to the Transit Gateway for all traffic. The Transit Gateway has a default route table that routes traffic to the NVA for inspection. Recently, the network team noticed that traffic between two spoke VPCs is not being inspected. The team verified that the Transit Gateway route tables are correctly configured and that the NVA is healthy. What should the team do to ensure that inter-spoke traffic is inspected?

Question 275mediummulti select
Study the full ACL explanation →

A network engineer is troubleshooting network connectivity issues in a VPC. The engineer suspects that the network ACL is blocking traffic. Which TWO actions should the engineer take to verify this?

Question 276mediummultiple choice
Read the full Network Management and Operations explanation →

A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB). The application is experiencing intermittent timeouts. CloudWatch metrics show that the ALB's RequestCount is within normal limits, but TargetResponseTime occasionally spikes to 10 seconds. What is the most likely cause?

Question 277hardmulti select
Study the full IPv6 explanation →

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. The network engineer needs to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which THREE steps are necessary to achieve this?

Question 278hardmultiple choice
Read the full VPN explanation →

A network engineer is troubleshooting a VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA. The tunnel status shows 'UP' but no traffic passes. The engineer checks the route tables and finds the correct static routes on both sides. What should the engineer check next?

Question 279easymultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect to connect its data center to a VPC. The VIF is up, and the BGP session is established. However, the on-premises router cannot ping the VPC's private IP addresses. Which configuration is most likely missing?

Question 280mediummulti select
Open the full BGP breakdown →

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team needs to monitor the BGP session status for each VPN attachment. Which TWO services can be used to monitor BGP status and receive alerts if a session goes down?

Question 281mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway, and the private subnet has EC2 instances that need internet access. The private instances can reach the internet, but cannot access an S3 bucket in the same region using the S3 gateway endpoint. What is the most likely cause?

Question 282hardmultiple choice
Study the full ACL explanation →

A company has a hybrid network architecture with an AWS VPC (10.0.0.0/16) connected to an on-premises data center via AWS Direct Connect with a private VIF. The on-premises network uses 10.1.0.0/16. The VPC has subnets in two Availability Zones, each with a private subnet (10.0.1.0/24 and 10.0.2.0/24) and a public subnet. The company recently deployed a new application in the VPC that uses an Application Load Balancer (ALB) in the public subnets. The ALB targets EC2 instances in the private subnets. Users on-premises report that they cannot access the application using the ALB's DNS name. The on-premises network team confirms that they can ping the ALB's private IP address from on-premises. The VPC route tables have routes for the on-premises network pointing to the virtual private gateway (VGW). The security groups and network ACLs are configured to allow traffic from on-premises. What is the most likely cause of the issue?

Question 283hardmultiple choice
Read the full VPN explanation →

A network engineer is monitoring a hybrid network with a VPN connection to AWS. The engineer notices periodic packet loss and high latency during peak hours. The VPN tunnel uses static routing. The on-premises bandwidth is 100 Mbps, and the VPN connection is limited to 1.25 Gbps. What is the most likely cause?

Question 284hardmultiple choice
Study the full ACL explanation →

A company has a VPC with a CIDR of 172.16.0.0/16. The VPC contains an Amazon RDS for MySQL database in a private subnet. The database is accessed by EC2 instances in the same VPC and by on-premises servers via a Site-to-Site VPN. The network team recently enabled VPC Flow Logs and noticed that the database is receiving a high number of SYN packets from an IP address that is not part of the VPC or on-premises network. The security group for the database only allows inbound traffic on port 3306 from the EC2 instances' security group and the on-premises CIDR (10.0.0.0/8). The network ACL for the database subnet allows inbound and outbound traffic on all ports from all sources. What is the most likely cause of the unexpected traffic?

Question 285easymultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network can reach some VPCs but not others. All VPCs are attached to the same Transit Gateway. What should the engineer check first?

Question 286mediummultiple choice
Study the full IPv6 explanation →

A company uses a VPC with multiple subnets in different Availability Zones. The VPC has a NAT Gateway in a public subnet of us-east-1a, and a second NAT Gateway in us-east-1b for high availability. Each private subnet in us-east-1a routes 0.0.0.0/0 to the NAT Gateway in us-east-1a, and private subnets in us-east-1b route to the NAT Gateway in us-east-1b. The company's EC2 instances in private subnets need to access an external service using IPv6. The VPC is not configured for IPv6. The network engineer needs to enable IPv6 connectivity for these instances. Which solution is the most cost-effective and scalable?

Question 287mediummultiple choice
Study the full ACL explanation →

A company has a VPC with a public subnet hosting a web server. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. The network ACL for the public subnet allows inbound HTTP from 0.0.0.0/0. Users report that they cannot access the website. The engineer verifies that the web server is running and has a public IP. What is the most likely issue?

Question 288easymultiple choice
Read the full Network Management and Operations explanation →

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The network team notices intermittent packet loss on the Direct Connect virtual interface (VIF). Which AWS service should be used to monitor the latency and packet loss on the VIF?

Question 289hardmultiple choice
Read the full VPN explanation →

A company is using AWS Client VPN for remote access. Users can authenticate and establish a VPN connection, but they cannot access resources in the VPC. The Client VPN endpoint is associated with a subnet in the VPC. The security group for the Client VPN endpoint allows all traffic. What is the most likely cause?

Question 290mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The security team wants to detect and alert on any SSH traffic (port 22) that originates from the internet to any EC2 instance in the VPC. Which solution achieves this with minimal operational overhead?

Question 291easymultiple choice
Read the full Network Management and Operations explanation →

A company monitors its VPC using VPC Flow Logs. The logs are sent to CloudWatch Logs. The security team wants to detect traffic to known malicious IP addresses. Which AWS service can be used to analyze the flow logs in near real-time?

Question 292hardmultiple choice
Review the full routing breakdown →

A company has a global application deployed across multiple AWS Regions. The application uses Amazon Route 53 latency-based routing. The network team wants to monitor the health of the application endpoints. They configure Route 53 health checks with fast interval (10 seconds) for each endpoint. After a few days, they notice an increase in costs. Which change will reduce costs while maintaining adequate health monitoring?

Question 293mediummulti select
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. The public subnet has a bastion host (EC2) with a security group that allows SSH from a specific IP range. The private subnet has an RDS instance. The company wants to enable the bastion host to connect to the RDS instance. Which TWO steps are required?

Question 294hardmulti select
Open the full BGP breakdown →

A company uses AWS Direct Connect with a public VIF to access S3. The on-premises network uses BGP to advertise a specific prefix to AWS. The company wants to ensure that traffic to S3 from on-premises always uses the Direct Connect connection and not the internet. Which TWO configurations must be in place?

Question 295easymultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect to connect to its VPC. The network team wants to encrypt all traffic between the on-premises data center and the VPC. Which solution provides encryption?

Question 296mediummulti select
Read the full Network Management and Operations explanation →

A company is designing a multi-account strategy using AWS Organizations. The security team wants to centrally manage VPC Flow Logs from all accounts. Which THREE steps are required to achieve this?

Question 297mediummultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a NAT Gateway in a public subnet. The network team notices that instances in private subnets cannot access the internet. Reviewing the route tables, the private subnet route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause of the issue?

Question 298hardmulti select
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. The network engineer wants to monitor network traffic between two specific EC2 instances in different subnets. Which THREE methods can be used to capture and analyze this traffic?

Question 299hardmultiple choice
Read the full Network Management and Operations explanation →

A company has a VPC with a Transit Gateway (TGW) connected to multiple VPCs and an on-premises network via Direct Connect. The network team wants to implement centralized inspection of all traffic between VPCs and between VPCs and on-premises. Which architecture should they use?

Question 300hardmultiple choice
Review the full subnetting walkthrough →

A company has a production VPC with a public and private subnet across two Availability Zones. The public subnet hosts a Network Load Balancer (NLB) that distributes traffic to EC2 instances in the private subnet. The application experiences periodic failures where the NLB marks all targets as unhealthy for about 2 minutes, then they recover. The health checks are HTTP on port 80 with a 5-second interval, 2 consecutive successes to be healthy, and 2 consecutive failures to be unhealthy. The target group health check timeout is 5 seconds. The EC2 instances are behind an Auto Scaling group with a minimum of 2 instances per AZ. CPU utilization on the instances is stable at 40%. The NLB's CloudWatch metrics show HealthyHostCount drops to zero suddenly. The network engineer suspects a network issue. What is the most likely cause?

Question 301easymultiple choice
Review the full subnetting walkthrough →

A company is using AWS CloudFormation to deploy network infrastructure. The network team wants to ensure that all subnets created in the VPC have a tag 'Environment' with the value 'Production'. Which CloudFormation resource property should they use?

Question 302mediummultiple choice
Open the full BGP breakdown →

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise the 10.0.0.0/8 prefix to AWS. The VPC has a route table that includes a route to the Virtual Private Gateway for 10.0.0.0/8. On-premises hosts can ping EC2 instances in the VPC, but EC2 instances cannot ping on-premises hosts. The VPC has an Internet Gateway and a NAT Gateway. The EC2 instances are in private subnets with routes to the NAT Gateway for 0.0.0.0/0. What is the most likely cause?

Question 303mediummulti select
Read the full Network Management and Operations explanation →

A company is designing a multi-VPC architecture using AWS Transit Gateway. They need to ensure that traffic between VPCs is encrypted and that only specific VPCs can communicate with each other. Which two services should they use together? (Choose TWO.)

Question 304easymultiple choice
Study the full ACL explanation →

A company has a VPC with a single public subnet. The subnet has a web server that needs to be accessible over the internet. The security group for the web server allows inbound HTTP (port 80) from 0.0.0.0/0. The network ACL for the subnet allows inbound HTTP from 0.0.0.0/0 and outbound traffic on ports 1024-65535 to 0.0.0.0/0. The internet gateway is attached to the VPC, and the route table has a route to the internet gateway for 0.0.0.0/0. The web server has a public IP address. However, users cannot access the web server. The engineer verifies that the web server is running and listening on port 80. What is the most likely cause?

Question 305hardmulti select
Open the full BGP breakdown →

A company is troubleshooting connectivity issues between an on-premises network and a VPC connected via AWS Direct Connect. The network team has verified that the virtual interface (VIF) is up and BGP is established. However, traffic is not flowing. Which two configuration issues could cause this problem? (Choose TWO.)

Question 306mediummultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises data centers. The network team notices that traffic between two VPCs is taking an unexpected path through the on-premises network instead of staying within the Transit Gateway. What is the most likely cause?

Question 307hardmultiple choice
Review the full subnetting walkthrough →

A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a private subnet and an RDS database in another VPC connected via a VPC peering connection. The connection works for a few minutes and then drops. CloudWatch logs show no errors on the peering connection. What should the engineer check first?

Question 308easymulti select
Read the full Network Management and Operations explanation →

A company is using AWS CloudWatch to monitor network metrics. They want to create a dashboard that shows the total number of bytes sent and received by all EC2 instances in a specific VPC. Which three metrics should they use? (Choose THREE.)

Question 309easymultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Direct Connect with a private VIF to connect its on-premises data center to a VPC. The network team wants to monitor the link health and receive alarms if the connection goes down. Which AWS service should they use?

Question 310mediummulti select
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. They want to implement network segmentation such that traffic between subnets is controlled by a centralized firewall. Which three components are required? (Choose THREE.)

Question 311mediummultiple choice
Read the full Network Management and Operations explanation →

A company has a multi-account AWS environment using AWS Transit Gateway with a centralized network account. The network team wants to ensure that only specific VPCs can communicate with each other. What is the best practice to achieve this?

Question 312hardmulti select
Read the full VPN explanation →

A company is using AWS Site-to-Site VPN to connect its on-premises network to a VPC. The network team wants to ensure high availability and failover. Which three actions should they take? (Choose THREE.)

Question 313hardmultiple choice
Read the full Network Management and Operations explanation →

A company is using AWS Database Migration Service (DMS) to replicate data from an on-premises Oracle database to an Amazon RDS for Oracle instance. The replication is failing intermittently with connection timeouts. The network connectivity uses a Direct Connect private VIF. What should the network team investigate first?

Question 314hardmultiple choice
Review the full routing breakdown →

A company has a multi-VPC architecture using AWS Transit Gateway (TGW). They have a central inspection VPC with a Gateway Load Balancer (GWLB) and third-party firewall appliances. All other VPCs are attached to the TGW and have route tables that send traffic to the inspection VPC for inspection. Recently, the network team deployed a new VPC (VPC-D) and attached it to the TGW. They configured the VPC-D route table to send all inter-VPC traffic to the TGW. However, traffic from VPC-D to other VPCs is not being inspected. The team confirmed that the firewall appliances are healthy and the GWLB is correctly configured. Which action should the network team take to ensure traffic from VPC-D is inspected?

Question 315easymultiple choice
Read the full Network Management and Operations explanation →

A network engineer needs to analyze network traffic between EC2 instances in the same VPC to troubleshoot a performance issue. Which AWS feature should they use?

Question 316mediummultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection uses a private virtual interface (VIF) and BGP. The network team recently added a new CIDR block (10.0.3.0/24) to the VPC. They updated the VPC's route table to include a route to the on-premises network. However, the on-premises network cannot reach resources in the new subnet. The BGP session is up, and the Direct Connect gateway is configured. What should the network team do to resolve the issue?

Question 317mediummultiple choice
Read the full Network Management and Operations explanation →

A company wants to centralize logging of VPC Flow Logs from multiple accounts into a single Amazon S3 bucket. The logs must be encrypted at rest using an AWS KMS CMK. What is the recommended approach?

Question 318easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with multiple EC2 instances that need to access an Amazon S3 bucket. The network team wants to ensure that traffic to S3 stays within the AWS network and does not traverse the internet. The VPC has a VPC endpoint for S3 (Gateway type). The team has created the endpoint and attached the appropriate policy allowing access to the specific S3 bucket. However, EC2 instances in a private subnet cannot access the S3 bucket. The private subnet route table has a default route pointing to a NAT Gateway. Which change should the network team make to allow private instances to access S3 via the endpoint?

Question 319mediummulti select
Read the full Network Management and Operations explanation →

A company is deploying a new application across multiple Availability Zones in a VPC. The application needs to be highly available and must handle traffic from both internal users and external customers. Which TWO options should the network team implement to meet these requirements? (Choose two.)

Question 320hardmulti select
Read the full VPN explanation →

A company has a hybrid network with an AWS Direct Connect connection and an AWS Site-to-Site VPN as a backup. The network team notices that traffic is asymmetrically routing through both connections, causing performance issues. Which TWO steps should the team take to ensure traffic uses the primary Direct Connect and only fails over to the VPN? (Choose two.)

Question 321mediummulti select
Review the full routing breakdown →

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that VPC A cannot communicate with VPC B, while all other VPCs communicate normally. The transit gateway route table shows routes from both VPCs. Which TWO actions should the network engineer take to diagnose the issue? (Choose TWO.)

Question 322mediummulti select
Read the full NAT/PAT explanation →

A company wants to monitor network traffic between its VPC and on-premises data center over a Direct Connect private VIF. The network team needs to capture the source and destination IP addresses, protocols, and packet counts. Which THREE AWS services or features should they use together? (Choose three.)

Question 323hardmulti select
Read the full Network Management and Operations explanation →

A financial services company is deploying a multi-account environment using AWS Organizations. The security team requires that all network traffic to and from the internet must flow through a centralized inspection VPC that hosts third-party firewall appliances. The architecture uses a single AWS Transit Gateway with a centralized inspection VPC attached. Which THREE steps are necessary to enforce this architecture? (Choose THREE.)

Question 324hardmulti select
Study the full ACL explanation →

A company is troubleshooting an issue where an application running on an EC2 instance cannot connect to an Amazon S3 bucket using a VPC endpoint. The security groups and network ACLs appear correct. Which THREE items should the network team verify to resolve the issue? (Choose three.)

Question 325easymultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network engineer is troubleshooting connectivity issues and notices that the BGP session between the on-premises router and the AWS Direct Connect virtual interface is down. The engineer has verified the physical connectivity and the VLAN configuration. What should the engineer check next?

Question 326mediummultiple choice
Review the full subnetting walkthrough →

A network engineer is troubleshooting an EC2 instance that cannot connect to S3 via a VPC endpoint. The describe-vpc-endpoints output shows the endpoint is associated with a route table but no subnets. What is the likely issue?

Network Topology
$ aws ec2 describe-vpc-endpointsvpc-endpoint-ids vpce-12345678"VpcEndpoints": ["VpcEndpointId": "vpce-12345678","VpcId": "vpc-111122223333","ServiceName": "com.amazonaws.vpce.us-east-1.s3","State": "available","PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"*\",\"Resource\":\"*\"}]}","RouteTableIds": ["rtb-222233334444"],"SubnetIds": [],"NetworkInterfaceIds": ["eni-333344445555"],"DnsEntry": ["DnsName": "vpce-12345678-abcdefgh.s3.us-east-1.vpce.amazonaws.com","HostedZoneId": "Z7HUB22UULQXV"
Question 327mediummultiple choice
Read the full NAT/PAT explanation →

A company is using AWS CloudFormation to deploy a VPC with public and private subnets, an internet gateway, and a NAT gateway. The deployment fails with the error: 'Route table rtb-12345678 already has a route with destination 0.0.0.0/0'. The network engineer reviews the template and sees that the public route table has a route to the internet gateway and the private route table has a route to the NAT gateway. Both route tables are defined in the same template. What is the most likely cause of this error?

Question 328mediummultiple choice
Open the full BGP breakdown →

A company runs a critical application on EC2 instances in an Auto Scaling group across two Availability Zones in a VPC. The application communicates with an on-premises database over an AWS Direct Connect private VIF. The network team has configured a VPN connection as a backup. Recently, the application experienced intermittent timeouts when accessing the database. The team suspects asymmetric routing because the primary Direct Connect and backup VPN are both active. The network team wants to ensure that all traffic to the on-premises network uses the Direct Connect when it is available, and only fails over to the VPN if Direct Connect goes down. The BGP sessions are configured on both connections. The Direct Connect advertises the on-premises CIDR of 10.0.0.0/16, and the VPN advertises the same CIDR. The team has access to the on-premises router configuration and AWS console. Which action should the team take to resolve the issue?

Question 329hardmultiple choice
Review the full routing breakdown →

A company has a hybrid network with multiple VPCs connected via AWS Transit Gateway and an on-premises network via Direct Connect. The network team is planning to migrate a legacy application from on-premises to a new VPC. The application requires low-latency access to an RDS database running in an existing VPC. The team wants to minimize changes to the existing routing. What should the team do to meet these requirements?

Question 330hardmultiple choice
Read the full DNS explanation →

A media company streams live video to viewers worldwide. The application runs on EC2 instances behind an Application Load Balancer in two AWS regions, us-east-1 and eu-west-1. The company uses Amazon CloudFront as a CDN with origins pointing to both regional ALBs. The network team recently deployed AWS Global Accelerator to improve performance by directing traffic to the nearest healthy endpoint. However, after enabling Global Accelerator, viewers in Europe report buffering issues, while viewers in the US have no issues. The team has verified that the Global Accelerator endpoints are healthy and the ALBs are functioning correctly. The application uses a custom domain name. The DNS is managed by Route 53. What is the most likely cause of the buffering issues for European viewers?

Question 331easymultiple choice
Read the full Network Management and Operations explanation →

A company has a Direct Connect connection with a private virtual interface to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection. They have enabled VPC Flow Logs for the VPC, but the flow logs do not show traffic that traverses the Direct Connect. The team needs a solution to capture the bandwidth usage of the Direct Connect connection. Which solution should they implement?

Question 332easymultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. The public subnet contains a web server (EC2 instance) that must be accessible from the internet. The private subnet contains a database server (EC2 instance) that should only be accessible from the web server. The web server's security group allows HTTP (80) and HTTPS (443) from 0.0.0.0/0. The database server's security group allows MySQL (3306) from the web server's security group. However, the web server cannot connect to the database server. The network engineer has verified that the web server can reach the internet and that the database server's security group is correctly configured. What is the most likely cause of the connectivity problem?

Question 333mediummulti select
Open the full BGP breakdown →

A network engineer must design a solution to monitor and troubleshoot connectivity from an on-premises data center to a VPC over an AWS Direct Connect connection. The solution must provide visibility into BGP routing, packet loss, and latency. Which TWO services or features should the engineer use? (Choose two.)

Question 334mediummultiple choice
Read the full NAT/PAT explanation →

A company uses AWS CloudWAN to build a global network connecting multiple VPCs and on-premises sites. The network team has configured a core network with a segment that includes VPCs in us-east-1 and eu-west-1. The team notices that traffic between VPCs in different regions is taking a suboptimal path, going through the internet instead of staying within the AWS global network. The team has verified that the core network attachments are correctly configured and that the route tables are propagated. What should the team do to ensure traffic stays within the AWS global network?

Question 335hardmulti select
Read the full NAT/PAT explanation →

A company has a multi-account AWS environment with hundreds of VPCs interconnected via a transit gateway. The network team needs to centrally monitor VPC reachability and identify asymmetric routing paths. Which THREE services or features should be used together to achieve this? (Choose three.)

Question 336hardmultiple choice
Review the full subnetting walkthrough →

A company has a multi-account AWS environment using AWS Organizations. Each account contains a VPC with a private subnet and a public subnet. The company uses a centralized inspection VPC in the network account with third-party firewall appliances. All internet-bound traffic from the VPCs must be routed through the inspection VPC via an AWS Transit Gateway. The network team has configured the transit gateway with separate route tables: one for the inspection VPC and one for the spoke VPCs. The spoke VPCs have a default route (0.0.0.0/0) pointing to the transit gateway. The inspection VPC has a default route pointing to an egress VPC that has an internet gateway. However, traffic from a spoke VPC is not reaching the internet. The network engineer has verified that the firewall appliances are running and that the security groups and NACLs allow traffic. What is the most likely cause of the issue?

Question 337hardmultiple choice
Read the full DNS explanation →

A company runs a critical application on EC2 instances in an Auto Scaling group across two Availability Zones. The application is fronted by an Application Load Balancer (ALB). The network team recently migrated from a transit VPC to a transit gateway for inter-VPC connectivity. After the migration, users experience intermittent connectivity failures. The team checks the ALB target group and sees that health checks are passing. However, from an EC2 instance in the same VPC, they can reach the ALB but not the application. They notice that the application sends traffic to an internal DNS server that is in a different VPC, and the application depends on that DNS resolution. The transit gateway route tables are configured to propagate routes from attached VPCs. The DNS server is reachable from the application VPC over the transit gateway. What is the MOST likely cause of the intermittent failures?

Question 338mediummultiple choice
Open the full BGP breakdown →

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The connection uses a private virtual interface (VIF) to access the VPC. The network team is monitoring the link and notices that the BGP session goes down intermittently. The team has checked the physical layer and found no issues. The BGP keepalive timer is set to 30 seconds on both sides. The network engineer suspects that the issue might be related to the BGP hold timer. What should the engineer do to stabilize the BGP session?

Question 339mediummultiple choice
Read the full VPN explanation →

A company has an AWS Site-to-Site VPN connection between an on-premises network and a VPC. The VPN uses virtual private gateways and static routes. The network team reports that the VPN tunnel is up, but traffic from the on-premises network cannot reach some EC2 instances in the VPC. The EC2 instances have security groups that allow inbound traffic from the on-premises network. The VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. The tunnel status shows 'UP' from both sides. What is the MOST likely cause of the connectivity issue?

Question 340hardmultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with multiple subnets across three Availability Zones. The VPC contains an Auto Scaling group of EC2 instances that process messages from an SQS queue. The instances are deployed in private subnets and need to access the SQS queue over the internet. The company wants to minimize data transfer costs and improve security by keeping traffic within the AWS network. The VPC has a NAT gateway in each AZ for outbound internet access. The network team has configured the route tables for the private subnets to send 0.0.0.0/0 traffic to the NAT gateway in the same AZ. However, the team notices that the EC2 instances are still using the NAT gateways to reach SQS, resulting in higher costs. What should the team do to ensure traffic to SQS stays within the AWS network?

Question 341hardmultiple choice
Review the full routing breakdown →

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The network team notices that the latency to S3 increases significantly during peak hours. They have tested the connection and confirmed that the physical link is not saturated. The company uses a single Direct Connect connection. The S3 traffic is routed over the public VIF. The team wants to improve performance without adding a new Direct Connect connection. Which action should the team take to reduce latency?

Question 342easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The public subnets have a NAT gateway for outbound internet access. The private subnets route all 0.0.0.0/0 traffic to the NAT gateway. The network team wants to centrally log all outbound internet traffic from the private subnets. They enable VPC Flow Logs and publish them to Amazon S3. However, they notice that the flow logs are capturing only traffic between instances within the VPC, not the NAT gateway traffic. What should the team do to capture outbound internet traffic?

Question 343mediummultiple choice
Review the full routing breakdown →

A company has a VPC with an AWS Transit Gateway connecting multiple VPCs and an on-premises network via AWS Direct Connect. The network team needs to ensure that only specific VPCs can communicate with each other. They create a transit gateway route table for each VPC and attach the VPC to the route table. They also propagate routes from the Direct Connect virtual interface. However, after configuration, traffic between two VPCs that should not communicate is still flowing. What is the MOST likely cause?

Question 344hardmultiple choice
Read the full DNS explanation →

A company uses AWS CloudFormation to deploy a multi-tier application. The template includes a VPC, public and private subnets, security groups, and an Application Load Balancer. The network team wants to ensure that the ALB can only accept traffic from a specific set of IP addresses. They add a security group rule that allows inbound traffic on port 443 from the allowed IP CIDR. However, after deployment, the ALB is not responding to requests from the allowed IPs. The team checks the security group and confirms the rule exists. They also verify that the ALB is in the public subnet and has a public DNS name. What is the MOST likely cause?

Question 345easymultiple choice
Read the full NAT/PAT explanation →

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). An EC2 instance in the private subnet needs to download patches from the internet. The team creates a NAT gateway in the public subnet and updates the private subnet route table to route 0.0.0.0/0 to the NAT gateway. The EC2 instance still cannot reach the internet. The team confirms the NAT gateway has an elastic IP and the public subnet has an internet gateway. What is the MOST likely cause?

Question 346mediummultiple choice
Open the full BGP breakdown →

A company has a VPC with an AWS Direct Connect private VIF connected to a virtual private gateway. The on-premises network uses BGP to advertise routes to AWS. The network team wants to ensure that only specific prefixes from on-premises are accepted. They configure the virtual private gateway with a BGP community. However, after configuration, they notice that all prefixes are still being accepted. What is the MOST likely reason?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

ANS-C01 Practice Test 1 — 10 Questions→ANS-C01 Practice Test 2 — 10 Questions→ANS-C01 Practice Test 3 — 10 Questions→ANS-C01 Practice Test 4 — 10 Questions→ANS-C01 Practice Test 5 — 10 Questions→ANS-C01 Practice Exam 1 — 20 Questions→ANS-C01 Practice Exam 2 — 20 Questions→ANS-C01 Practice Exam 3 — 20 Questions→ANS-C01 Practice Exam 4 — 20 Questions→Free ANS-C01 Practice Test 1 — 30 Questions→Free ANS-C01 Practice Test 2 — 30 Questions→Free ANS-C01 Practice Test 3 — 30 Questions→ANS-C01 Practice Questions 1 — 50 Questions→ANS-C01 Practice Questions 2 — 50 Questions→ANS-C01 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Network Management and OperationsNetwork Security, Compliance and GovernanceNetwork DesignNetwork Implementation

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Network Management and Operations setsAll Network Management and Operations questionsANS-C01 Practice Hub