Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Networking and Content Delivery

Practice SOA-C02 Networking and Content Delivery questions with full explanations on every answer.

268 questions


All SOA-C02 Networking and Content Delivery questions (268)


1

A company wants to establish a dedicated, low-latency, private connection between its on-premises data center and an AWS VPC. The company does not want to use the public internet. Which AWS service should be used to meet this requirement?

2

A company has two VPCs in different AWS regions (us-east-1 and eu-west-1) that are peered. Applications in both VPCs need to communicate using private IP addresses. The ping tests are successful, but the latency is significantly higher than expected. Which change is most likely to improve the latency between the VPCs?

3

A company has deployed a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application's IP addresses are used by a third-party service to allowlist traffic. The EC2 instances are part of an Auto Scaling group that may scale up and down. The SysOps administrator needs to ensure that the third-party service always has the current IP addresses of the ALB without requiring manual updates. Which solution should the administrator implement?

4

A company has an on-premises data center connected to an AWS VPC via an AWS Direct Connect connection. The company's SysOps administrator wants to ensure that traffic from the VPC destined for the on-premises network uses the Direct Connect connection instead of the internet. Which configuration should be used?

5

A company has two VPCs in the same AWS region. VPC A hosts a web application, and VPC B hosts a database. The SysOps administrator needs to enable private IP communication between the two VPCs without using the public internet. The administrator wants a simple, low-cost solution that uses the AWS network backbone. Which AWS service should be used?

6

A company hosts a web application behind an Application Load Balancer (ALB) in us-east-1. Users in Europe report high latency. The SysOps administrator decides to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. However, the application logs require the original client IP addresses of users. The ALB currently provides the client IP via the X-Forwarded-For header, but the development team warns that Global Accelerator may change the source IP. Which configuration should the administrator choose to meet both performance and logging requirements?

7

A company hosts a web application on Amazon EC2 instances in two AWS regions: us-east-1 and eu-west-1. The application is behind an Application Load Balancer (ALB) in each region. The SysOps administrator wants to direct users to the region that provides the lowest latency, automatically routing traffic away from a region if it becomes unhealthy. Which Amazon Route 53 routing policy should be used?

8

A company has three VPCs in the same AWS region: VPC A (production), VPC B (development), and VPC C (shared services). The VPCs have overlapping CIDR blocks (e.g., VPC A: 10.0.0.0/16, VPC B: 10.0.0.0/16, VPC C: 10.1.0.0/16). The SysOps administrator needs to enable private IP communication between VPC A and VPC C, and between VPC B and VPC C, but not between VPC A and VPC B. The solution must also support a growing number of VPCs in the future. Which AWS service should be used?

9

A company runs a gaming application that uses Amazon EC2 instances to handle real-time multiplayer sessions. The application requires low-latency communication with users around the world. The SysOps administrator needs to accelerate content delivery for non-cacheable, dynamic content (such as real-time game state updates) and also provide static asset delivery. The solution must support both TCP and UDP traffic. Which AWS service should be used?

10

A company has two VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The VPCs are in the same AWS region. The SysOps administrator needs to enable private IP connectivity between the two VPCs so that an EC2 instance in VPC-A can communicate with an EC2 instance in VPC-B using their private IP addresses. The administrator wants a simple, low-cost solution with high throughput. Which AWS service should be used?

11

A company has an Amazon VPC with public and private subnets. The private subnets host database instances that should not have direct internet access. However, the database instances need to download patches from an Amazon S3 bucket. The SysOps administrator needs to enable access to S3 from the private subnets without traversing the internet. Which solution should be used?

12

A company has an Application Load Balancer (ALB) in the us-east-1 region. Users in Asia report high latency. The SysOps administrator wants to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. Which step is required to integrate Global Accelerator with the ALB?

13

A company has an on-premises data center connected to AWS via an AWS Direct Connect connection. The SysOps administrator needs to ensure high availability for the connectivity. Which configuration provides the highest availability for the Direct Connect connection?

14

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is deployed in the public subnets, and an Auto Scaling group of web servers is deployed in the private subnets. The web servers need to frequently make HTTPS requests to an external API. The API provider requires that all requests originate from a consistent set of static IP addresses for whitelisting. The SysOps administrator must ensure that outbound traffic from the web servers has static source IP addresses. Which solution should be implemented?

15

A company has two Amazon VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16) in the same AWS Region. The SysOps administrator needs to enable private IP connectivity between the two VPCs without using the public internet. The solution must be simple, low-cost, and provide high throughput. Which AWS service should the administrator use?

16

A company has multiple on-premises branch offices, each with a site-to-site VPN connection to a single VPC in AWS. The SysOps administrator needs to enable communication between the branch offices using the AWS cloud as a hub. Which configuration should be implemented to achieve this with the least operational overhead?

17

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB) in the us-west-2 Region. Users are distributed globally and experience high latency. The SysOps administrator wants to improve latency and offload SSL termination to the edge. Which AWS service should be used with the ALB as the origin?

18

A company has two Amazon VPCs in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

19

A company hosts a static website on Amazon S3. Users access the website from around the world. The SysOps administrator needs to deliver content with low latency and support HTTPS with a custom domain. Which AWS service should be used?

20

A company has two Amazon VPCs (VPC-A and VPC-B) in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private IP connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

21

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application needs to serve HTTPS content. The SysOps administrator wants to offload SSL termination to the ALB and automatically renew the certificate before expiration. Which solution should the administrator implement?

22

A company has an on-premises data center connected to AWS via an AWS Direct Connect private virtual interface (VIF). The SysOps administrator needs to ensure that all traffic between the on-premises network and Amazon S3 in the same AWS Region stays within the AWS network and does not traverse the internet. Which solution should the administrator implement?

23

A company has a VPC with public and private subnets. The private subnets need outbound internet access to download software updates while preventing any inbound internet traffic. The SysOps administrator must minimize costs. Which solution should the administrator implement?

24

A company has an Amazon VPC with a CIDR block of 10.0.0.0/16 and an AWS Site-to-Site VPN connection to an on-premises data center. The on-premises DNS servers host a private domain 'corp.example.com'. The SysOps administrator needs to enable EC2 instances in the VPC to resolve DNS names for 'corp.example.com' using the on-premises DNS servers. Which Route 53 feature should be configured?

25

A company has an Application Load Balancer (ALB) that routes traffic to Amazon EC2 instances in private subnets of a VPC. The SysOps administrator needs to ensure that the EC2 instances can download software updates from the internet, but they must not be directly accessible from the internet. The solution should minimize operational overhead. Which solution should the administrator implement?

26

A company has a VPC with public and private subnets. The private subnets host application servers that need to make outbound HTTPS connections to the internet. The SysOps administrator must implement a solution that provides outbound internet connectivity while preventing inbound connections from the internet. Additionally, the solution must allow the company to control which domains the application servers can access. Which solution should the administrator implement?

27

A company has an Amazon VPC with public and private subnets across two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an Amazon S3 bucket to upload and download files. The SysOps administrator must ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?

28

A company has an Amazon CloudFront distribution that delivers static content from an Amazon S3 bucket. The SysOps administrator needs to ensure that the content can only be accessed through CloudFront and not directly from the S3 bucket URL. The solution should use AWS managed services with minimal configuration. Which solution should the administrator implement?

29

A company runs an application on Amazon EC2 instances in private subnets of a VPC. The application needs to upload files to an Amazon S3 bucket in the same AWS Region. The SysOps administrator wants to ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?

30

A company runs an application across multiple Availability Zones. The application servers are in private subnets and need outbound internet access to download software updates and patches. The SysOps administrator needs a highly available, fully managed solution to provide this outbound connectivity. Which solution should be used?

31

A company has two VPCs in the same AWS account and Region: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The SysOps administrator needs to establish connectivity between these VPCs so that resources in VPC-A can reach resources in VPC-B using private IP addresses. The solution must be highly available and not involve a third-party appliance. Which solution should the administrator implement?

32

A company runs a web application on Amazon EC2 instances in private subnets across multiple Availability Zones. The instances need to download software patches from the internet. The SysOps administrator requires a highly available, fully managed solution for outbound internet connectivity. Which solution should be implemented?

33

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is in the public subnets, and Amazon EC2 instances are in the private subnets. The SysOps administrator needs to allow the EC2 instances to access an Amazon S3 bucket in the same AWS Region without traversing the internet. Which solution should the administrator implement?

34

A company has a VPC with public and private subnets. An Amazon EC2 instance in a private subnet needs to access an Amazon S3 bucket in the same AWS Region. The SysOps administrator wants to ensure the traffic does not traverse the internet. Which solution should be implemented?

35

A company has multiple VPCs in the same AWS account and Region, each with overlapping CIDR blocks (10.0.0.0/16). The SysOps administrator needs to establish connectivity between all VPCs and the on-premises network via AWS Transit Gateway. Additionally, certain VPCs must be isolated from each other while still reaching on-premises. How should the administrator configure the Transit Gateway to meet these requirements?

36

A company wants to host a static website using Amazon S3. The website files are stored in an S3 bucket. The SysOps administrator needs to make the website accessible via HTTP. Which action must be performed on the S3 bucket?

37

A company has an Application Load Balancer (ALB) that routes traffic to targets in private subnets. The SysOps administrator needs to log detailed information about HTTP requests, including client IP, request path, and response time. Which ALB feature should be enabled?

38

A company runs an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB terminates SSL/TLS and forwards traffic to the instances over HTTP. The SysOps administrator needs to capture the original client IP address in the instance logs. How should the administrator configure this?

39

A company uses Amazon CloudFront to deliver content from an Application Load Balancer (ALB) origin. The SysOps administrator needs to restrict access to the content so that only users from a specific geographic location can view it. Which CloudFront feature should be used?

40

A SysOps administrator is troubleshooting connectivity issues between Amazon EC2 instances in two different VPCs that are connected via a VPC peering connection. The instances can successfully send ICMP (ping) traffic, but TCP connections on port 443 (HTTPS) fail. The security groups of both instances allow all inbound and outbound traffic. What is the most likely cause of the issue?

41

A SysOps administrator has deployed an Application Load Balancer (ALB) that distributes traffic to a fleet of Amazon EC2 instances. The administrator notices that the ALB is sending all traffic to instances in a single Availability Zone (AZ), ignoring instances in other AZs. The ALB was created with default settings. Which action should the administrator take to ensure traffic is distributed evenly across all AZs?

42

A company needs a dedicated private network connection from its on-premises data center to AWS that provides consistent network performance and high bandwidth. The connection must bypass the public internet. Which AWS service should the SysOps administrator use?

43

A company has multiple VPCs in the same AWS Region that need to communicate with each other. The SysOps administrator wants to avoid the complexity of a full mesh of VPC peering connections. Which AWS service should the administrator use to connect all VPCs with a central hub?

44

A company has a VPC with a public subnet and a private subnet. An Amazon EC2 instance in the private subnet needs to download security patches from the internet, but the instance must not be directly accessible from the internet. The SysOps administrator configured a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. The instance's security group allows all outbound traffic. However, the instance still cannot reach the internet. What is the most likely missing configuration?

45

Instances in a private subnet need outbound internet access for software updates. The route table sends 0.0.0.0/0 to a NAT gateway, but updates fail. Which condition should you check first?

46

A company hosts a static website on Amazon EC2 instances behind an Application Load Balancer. They want to improve latency for users around the world by caching content at edge locations. Which AWS service should they use?

47

EC2 instances in private subnets need to access S3 buckets. Currently the instances use a NAT Gateway to reach S3 over the internet. The team wants to keep S3 traffic private (within the AWS network) and reduce NAT Gateway data processing costs. What is the correct solution?

48

A web application is deployed in us-east-1 (primary) and eu-west-1 (standby). Under normal conditions, all traffic should go to us-east-1. If the us-east-1 health check fails, traffic must automatically redirect to eu-west-1 within 30 to 60 seconds. What Route 53 configuration implements this?

49

Users are intermittently reporting 502 Bad Gateway errors when accessing the application through an Application Load Balancer. The team needs to identify which target IPs are associated with the failures and the request processing time for those requests. Application logs on instances do not capture failures before the ALB connection. What should be enabled?

50

A security team applied Network ACL rules to a subnet to allow inbound TCP traffic on port 443 (HTTPS). Users connecting from the internet can initiate connections, but they never receive responses. The NACL is applied to the subnet containing the web servers. What is missing?

51

Drag and drop the steps to enable AWS CloudTrail logging for a specific S3 bucket into the correct order.

52

Match each AWS database service to its type.

53

A company uses Amazon CloudFront to deliver its static website hosted on Amazon S3. The security team notices that users are able to access the S3 bucket directly via the S3 endpoint, bypassing CloudFront. What should be done to ensure that content is only accessible through CloudFront?

54

A SysOps administrator is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises data center connected via AWS Direct Connect. The EC2 instance can reach other instances in the same VPC but cannot reach the on-premises network. The virtual private gateway (VGW) is attached to the VPC and the Direct Connect virtual interface is up. Which configuration step should the administrator verify first?

55

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which configuration ensures that traffic is distributed evenly across all healthy targets?

56

A SysOps administrator is setting up Amazon Route 53 for a domain that will be used for a web application. The application requires failover to a backup data center in another region if the primary becomes unhealthy. The administrator creates a failover routing policy with two records (primary and secondary) associated with health checks. After testing, the failover does not occur when the primary endpoint fails. What is the most likely cause?

57

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The SysOps administrator needs to restrict access to the ALB so that it only accepts requests from CloudFront. Which solution should the administrator implement?

58

A SysOps administrator is troubleshooting an issue where an Amazon EC2 instance cannot connect to the internet. The instance is in a public subnet with a route table that has a route to an internet gateway (IGW). The instance has a public IP assigned. What should the administrator check next?

59

A company has deployed a web application across multiple AWS regions and wants to use Amazon Route 53 to direct users to the region with the lowest latency. Which routing policy should the SysOps administrator use?

60

An organization has a VPC with public and private subnets. The private subnets need to access the internet for software updates. A NAT gateway is deployed in a public subnet and the private subnet route table has a route for 0.0.0.0/0 pointing to the NAT gateway. However, instances in the private subnet cannot reach the internet. What could be the issue?

61

A SysOps administrator is configuring Amazon CloudFront to serve content from an Amazon S3 bucket. The content is sensitive and should be encrypted at rest. Which option ensures that content is encrypted at rest in S3?

62

Which TWO actions can a SysOps administrator take to improve the availability of a web application using an Application Load Balancer (ALB) and EC2 instances? (Choose two.)

63

Which THREE components are required to establish a site-to-site VPN connection between an AWS VPC and an on-premises network? (Choose three.)

64

Which TWO features are provided by Amazon CloudFront to secure content delivery? (Choose two.)

65

Refer to the exhibit. A SysOps administrator created this S3 bucket policy to allow CloudFront to access objects in the bucket using an origin access identity (OAI). However, users are still receiving 403 Access Denied errors when accessing the CloudFront distribution. What is the most likely cause?

66

Refer to the exhibit. A SysOps administrator is troubleshooting internet connectivity for an EC2 instance in subnet subnet-0a1b2c3d4e5f6g7h8. The instance can reach other instances in the VPC but cannot access the internet. Based on the route table output, what is the most likely cause?

67

Refer to the exhibit. A SysOps administrator runs the describe-target-health command and sees that an EC2 instance in the target group is unhealthy with a timeout error. What is the most likely cause?

68

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to maintain user session state. Which configuration ensures session stickiness with minimal performance impact?

69

A SysOps administrator notices that traffic from an Application Load Balancer to EC2 instances is failing intermittently. Security groups for the instances allow traffic from the ALB security group on port 80. The ALB target group health checks are failing. What is the most likely cause?

70

A company wants to provide low-latency access to static content (images, CSS) for global users. The content is stored in an S3 bucket. Which service should be used to cache content at edge locations?

71

An application running on EC2 instances sends large amounts of data to an S3 bucket. The SysOps administrator wants to reduce data transfer costs while ensuring the traffic stays within AWS. What is the most cost-effective solution?

72

A SysOps administrator is troubleshooting connectivity issues between two VPCs in different AWS Regions. Both VPCs are connected via a VPC Peering connection. The route tables in both VPCs have routes pointing to the peering connection. Security groups allow all traffic. However, an EC2 instance in VPC A cannot ping an EC2 instance in VPC B. What is the most likely cause?

73

A company has an application that requires UDP traffic to be distributed across multiple EC2 instances. Which AWS load balancer type should be used?

74

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download software patches from the internet. Which component should be used to provide internet access to the instance?

75

A SysOps administrator is configuring an Application Load Balancer to route traffic to multiple target groups based on the URL path. The ALB is not routing traffic correctly. Which listener rule configuration should be used to route requests with path /api/* to target group A and all other requests to target group B?

76

A company has multiple VPCs in the same account that need to communicate with each other. The VPCs are in the same region. Which solution provides the simplest and most scalable connectivity?

77

A SysOps administrator needs to ensure high availability for a web application running on EC2 instances across multiple Availability Zones. Which TWO actions should the administrator take?

78

A company has a VPC with a public subnet and a private subnet. The private subnet hosts a database. Which TWO components are required to allow an EC2 instance in the public subnet to connect to the database?

79

A company is using Amazon CloudFront to deliver content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which TWO steps should be taken?

80

A company is using Amazon Route 53 as its DNS service. The company has a web application running on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The company wants to ensure that if the ALB fails, traffic is automatically redirected to a static error page hosted on an Amazon S3 bucket. Which Route 53 routing policy should be used to achieve this?

81

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has a NAT gateway in the public subnet. Which of the following route table configurations is required for the private subnet to enable internet access through the NAT gateway?

82

A company is using Amazon CloudFront to distribute content globally. The company wants to restrict access to content so that only users from specific countries can access it. Which CloudFront feature should be used?

83

A company is running a critical application on EC2 instances in a VPC. The instances are in an Auto Scaling group across multiple Availability Zones. The application needs to maintain a fixed, private IP address for each instance. Which approach should be used to ensure each instance receives a consistent private IP address?

84

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The company wants to connect two subnets: one in the VPC (10.0.1.0/24) and one in an on-premises network (192.168.1.0/24) via a Site-to-Site VPN. The VPN connection is established. However, instances in the VPC subnet cannot ping the on-premises server at 192.168.1.10. What is a possible cause?

85

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The company needs to ensure that the ALB sends requests to instances that are healthy and can serve traffic. Which feature should be used to monitor the health of the instances?

86

A company has a CloudFront distribution with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible through CloudFront. Which configuration is required to ensure that direct access to the S3 bucket is blocked?

87

A company has a VPC with multiple subnets across two Availability Zones. The company wants to set up a Network Load Balancer (NLB) to handle TCP traffic to a fleet of EC2 instances. The instances are in private subnets. Which configuration is necessary to ensure the NLB can route traffic to the instances?

88

A company has an EC2 instance that needs to have a static public IP address that does not change even if the instance is stopped and started. Which AWS resource should be attached to the instance?

89

Which TWO of the following are benefits of using Amazon CloudFront in front of an Application Load Balancer? (Select TWO.)

90

Which THREE of the following are valid options for connecting a VPC to an on-premises network? (Select THREE.)

91

Which TWO of the following are features of Amazon Route 53? (Select TWO.)

92

A company has an Application Load Balancer (ALB) that routes traffic to an Auto Scaling group of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The EC2 instances have a security group that allows inbound traffic from the ALB's security group. Users report intermittent 503 errors. What is the most likely cause?

93

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered together. The VPCs are in the same AWS region. An EC2 instance in VPC A (10.0.1.0/24) cannot ping an EC2 instance in VPC B (10.0.2.0/24). Both VPCs have route tables that include the CIDR of the other VPC with the peering connection as the target. The security groups and network ACLs allow all inbound and outbound traffic. What is the most likely issue?

94

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The data center has multiple VLANs that need to connect to separate VPCs in AWS. The company wants to maintain isolation between the VPCs while maximizing bandwidth utilization. Which solution should the SysOps administrator recommend?

95

A company hosts a static website on Amazon S3 with public read access enabled. The website is accessed via a custom domain name that uses Amazon Route 53. The domain name points to the S3 bucket's website endpoint. Users report that they can access the website using the S3 bucket URL but not the custom domain name. What is the most likely cause?

96

A company deploys a web application on EC2 instances behind an Application Load Balancer. The SysOps administrator needs to allow inbound traffic only from the ALB to the EC2 instances. Currently, the EC2 security group allows inbound HTTP from 0.0.0.0/0. Which security group configuration should the administrator apply?

97

A company uses Amazon CloudFront to distribute content to users worldwide. The origin is an Application Load Balancer (ALB) that routes to EC2 instances. The SysOps administrator notices that some users are receiving cached responses even though the content has been updated on the origin. The administrator needs to ensure that users always receive the latest version of the content. What should the administrator do?

98

A SysOps administrator needs to create a VPC with both public and private subnets. The public subnet will host a NAT gateway and a bastion host. The private subnet will host application servers that need outbound internet access for updates. Which routing configuration should the administrator implement?

99

A company has an internal Application Load Balancer (ALB) in a VPC. The ALB is used by an on-premises application via AWS Direct Connect. The on-premises application needs to resolve the ALB's DNS name. The VPC has a Route 53 private hosted zone associated with it. The on-premises DNS servers are configured to forward queries for the company's domain to the VPC's Route 53 inbound resolver endpoints. However, the on-premises application cannot resolve the ALB's DNS name. What is the likely cause?

100

A company is using Amazon CloudFront with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible via CloudFront. The SysOps administrator has configured an Origin Access Identity (OAI) and updated the bucket policy to allow access only to the OAI. However, users are still able to access the S3 bucket directly via the S3 URL. What is the most likely reason?

101

Which TWO actions should a SysOps administrator take to improve the availability and reduce latency for a web application hosted on EC2 instances behind an Application Load Balancer?

102

Which THREE configurations are required to enable an EC2 instance in a private subnet to access the internet for software updates while preventing inbound internet traffic?

103

Which TWO are valid methods to secure traffic between a client and an Application Load Balancer?

104

A company hosts a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. Which step should the SysOps administrator take to troubleshoot the issue?

105

An organization uses Amazon CloudFront to serve static content from an S3 bucket. The content is updated frequently, but users are seeing stale files. What is the most efficient way to invalidate the cache for updated objects?

106

A company has a VPC with public and private subnets. A NAT Gateway is in the public subnet, and a private EC2 instance needs to download patches from the internet. The instance can reach the internet after a reboot. Which action should the SysOps administrator take to make the internet access persistent?

107

A SysOps administrator needs to allow a Lambda function to access a DynamoDB table in the same AWS account. Which configuration is required?

108

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection is redundant with two virtual interfaces (VIFs). Recently, one VIF failed, and the administrator notices that traffic is not automatically failing over. What must be configured to enable automatic failover?

109

A web application on EC2 instances behind an ALB experiences increased latency during peak hours. The SysOps administrator notices that the ALB's RequestCount per target is high. What design change should improve performance?

110

An organization wants to block traffic from specific IP addresses at the edge of the AWS network before it reaches the application. Which service should be used?

111

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which step is necessary?

112

A SysOps administrator receives an alert that a VPN connection between a VPC and an on-premises network is down. The VPN uses static routing. After verifying the on-premises side is functioning, what should the administrator check in AWS?

113

Which TWO actions can reduce data transfer costs for content delivered to users globally? (Choose two.)

114

Which THREE components are required to set up a site-to-site VPN connection between an on-premises network and an AWS VPC? (Choose three.)

115

Which TWO security measures should be implemented to protect a VPC from DDoS attacks? (Choose two.)

116

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances. Users report intermittent 503 errors. Which of the following is the MOST likely cause?

117

A company wants to host a static website on AWS with high availability and low latency for global users. Which combination of services should be used?

118

A company has a VPC with public and private subnets. A NAT Gateway is deployed in the public subnet to allow instances in the private subnet to access the internet. However, private instances cannot reach an external service at 203.0.113.50:443. What should be checked first?

119

A company uses Amazon CloudFront to serve content from an S3 bucket. The bucket is configured as an origin with Origin Access Control (OAC). Users report that they can access the content via CloudFront but also directly via the S3 bucket URL. How can the company restrict direct access to the S3 bucket?

120

A company has deployed a web application across multiple Availability Zones using an Application Load Balancer. The application experiences increased latency during peak hours. Which action would be MOST effective in reducing latency?

121

A company has a VPN connection between its on-premises network and AWS VPC. The VPN tunnel shows status as UP, but traffic is not flowing from on-premises to the VPC. Which configuration should be checked?

122

A company wants to provide low-latency access to a web application for users in North America and Europe. The application runs on EC2 instances in us-east-1 and eu-west-1. Which AWS service should be used to route users to the nearest region?

123

A company has a VPC with a public subnet and a private subnet. An Amazon RDS for MySQL database is deployed in the private subnet. Which TWO steps are required to allow an EC2 instance in the public subnet to connect to the database? (Choose two.)

124

A company is using Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The ALB is configured with HTTPS listeners. Users report that some requests are failing with a 502 error. Which THREE steps should the SysOps administrator take to troubleshoot the issue? (Choose three.)

125

A company is using Amazon Route 53 with a private hosted zone for internal DNS resolution within a VPC. The VPC is connected to an on-premises network via a VPN. On-premises resources cannot resolve DNS names in the private hosted zone. Which TWO actions should be taken to resolve this issue? (Choose two.)

126

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to send traffic to an EC2 instance in subnet-B. Both instances are in the same VPC and have appropriate security group rules. However, traffic is not reaching the destination. What is the MOST likely cause?

127

A company is using Amazon CloudFront to distribute content globally. The origin is an S3 bucket. The SysOps administrator notices that the cache hit ratio is low. Which configuration change would MOST improve the cache hit ratio?

128

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent 502 errors. The SysOps administrator checks the ALB access logs and sees that the error occurs when the target group has 'unhealthy' targets. What is the MOST likely cause of the 502 errors?

129

A SysOps administrator needs to route traffic for a domain name 'example.com' to an Application Load Balancer. Which AWS service should be used to create the DNS record?

130

A company has a VPC with public and private subnets across three Availability Zones. The public subnets host NAT Gateways, and the private subnets host EC2 instances that need to access the internet. The SysOps administrator notices that EC2 instances in one private subnet cannot reach the internet, while others can. What is the MOST likely cause?

131

A company uses Amazon CloudFront to deliver static content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which solution should be used?

132

A SysOps administrator needs to monitor network traffic to and from an EC2 instance for troubleshooting. Which AWS feature captures IP traffic information at the VPC level?

133

A company's web application is hosted on EC2 instances behind a Network Load Balancer (NLB) with a static IP address. The application receives a sudden spike in traffic, and some clients report connection timeouts. Which NLB feature should the SysOps administrator configure to handle the increased load?

134

A SysOps administrator needs to ensure that all traffic between an on-premises data center and the AWS VPC is encrypted and goes over the internet. Which AWS service should be used?

135

A company has a VPC with multiple subnets. The SysOps administrator wants to ensure that EC2 instances in a private subnet can access Amazon S3 without going through a NAT Gateway or internet gateway. Which solution meets this requirement?

136

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot be accessed via SSH from the internet. The security group allows inbound SSH (port 22) from 0.0.0.0/0. The network ACL (NACL) for the subnet has an inbound rule allowing SSH from 0.0.0.0/0. What else could be blocking access?

137

A SysOps administrator is designing a highly available web application across multiple AWS regions. The application uses an Application Load Balancer in each region. Which TWO services can be used to route traffic to the closest regional load balancer based on latency?

138

A company uses a Network Load Balancer (NLB) with a static IP address. The SysOps administrator needs to enable client IP preservation for the NLB so that backend instances see the original client IP. Which TWO conditions are required for client IP preservation to work?

139

A SysOps administrator is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which THREE components are required to achieve this?

140

Refer to the exhibit. A company has an S3 bucket policy as shown. The SysOps administrator notices that users from the allowed IP range (192.0.2.0/24) can access objects, but users outside that range are denied. However, a CloudFront distribution with an origin access identity (OAI) is also unable to access the bucket and receives 'Access Denied'. What is the MOST likely cause?

141

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) across three Availability Zones. Each AZ has one public and one private subnet. The EC2 instances are in the private subnets. The ALB is internet-facing. Recently, during a traffic spike, some users experienced intermittent timeouts. The SysOps administrator reviews the ALB access logs and finds that the timeouts correspond to periods when the target group had 'unhealthy' instances. The health check is configured to check a health endpoint on port 80 with a path of '/health'. The SysOps administrator checks the EC2 instances and finds that the health endpoint responds correctly. However, the health checks are failing intermittently. The administrator notices that the security group for the EC2 instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound HTTP and outbound ephemeral ports. What is the MOST likely cause of the health check failures?

142

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The VPC has an Internet Gateway (IGW) attached. The public subnets have a route to the IGW, and the private subnets have a route to a NAT Gateway in the public subnet 10.0.1.0/24. The SysOps administrator deploys a new EC2 instance in the private subnet 10.0.4.0/24. The instance needs to download software from the internet, but the download fails. The administrator can successfully ping the NAT Gateway from the instance. What is the MOST likely cause of the failure?

143

A company uses Amazon CloudFront to deliver video content to users worldwide. The content is stored in an S3 bucket. The SysOps administrator notices that users in some geographic regions experience high latency when loading the video. The administrator wants to improve the performance for these users without changing the existing infrastructure. The CloudFront distribution is configured with the default cache behavior. What is the MOST cost-effective solution to reduce latency for users in those regions?

144

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. Users report slow load times. The SysOps team notices that all traffic goes to a single availability zone. Which action should be taken to improve performance and reliability?

145

A SysOps administrator needs to allow an EC2 instance in a private subnet to download patches from the internet. Which AWS service should be used to achieve this securely?

146

An application hosted on EC2 instances behind an ALB is experiencing intermittent connectivity errors. The ALB target group is configured with health checks on port 80. The SysOps team notices that the EC2 instances pass health checks but clients still receive 503 errors. What is the most likely cause?

147

A SysOps administrator is troubleshooting DNS resolution issues for a custom domain used by an Application Load Balancer. Which TWO steps should the administrator take to diagnose the issue? (Choose two.)

148

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need outbound internet access for EC2 instances to download updates. Which THREE components are required to achieve this? (Choose three.)

149

A SysOps administrator needs to troubleshoot connectivity between two EC2 instances in the same VPC but different subnets. The instances cannot communicate. Which THREE checks should the administrator perform? (Choose three.)

150

A SysOps administrator notices that an EC2 instance is not receiving traffic from an Application Load Balancer (ALB). The ALB is healthy and the target group shows the instance as healthy. The exhibit shows the network interface attached to the instance. What is the likely cause of the issue?

151

A company runs a multi-tier web application in a VPC with public and private subnets. The web servers (EC2 instances) are in public subnets, and the database servers (RDS MySQL) are in private subnets. The web servers need to connect to the database servers on port 3306. The security group for the RDS instances (sg-db) has an inbound rule allowing TCP port 3306 from the security group of the web servers (sg-web). The web servers can connect to the database, but the connection is intermittent and slow. The SysOps administrator checks the network ACLs and finds that both the public and private subnet network ACLs have default allow all entries. What is the most likely cause of the issue?

152

A company has deployed a global web application using AWS CloudFront with an Application Load Balancer (ALB) as the origin. The ALB is in a single AWS region. Users in different geographic regions report high latency, and some users are unable to access the application. The SysOps administrator verifies that the CloudFront distribution is configured correctly and that the ALB is healthy. The administrator also confirms that the ALB's security group allows traffic from the CloudFront IP ranges. What is the most likely cause of the issue?

153

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket to store logs. The instance currently has no internet access. The SysOps administrator has created a VPC endpoint for S3 (gateway type) and attached it to the VPC. The instance still cannot reach S3. What additional step is required?

154

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The VPC has a private subnet with EC2 instances that need to communicate with on-premises servers. The on-premises network team reports that they can ping the EC2 instances, but the EC2 instances cannot ping the on-premises servers. The SysOps administrator checks the route tables and finds that the VPC has a route to the on-premises CIDR via the virtual private gateway. The security groups allow all ICMP traffic. What is the most likely cause?

155

A company uses Amazon Route 53 as its DNS service. They have a domain example.com with an alias record pointing to an Application Load Balancer (ALB). Recently, they updated the ALB's DNS name, but the Route 53 record was not updated. Users are still being directed to the old ALB, which has been decommissioned. The SysOps administrator updates the alias record to point to the new ALB DNS name. However, users still experience errors for several hours. What is the most likely reason?

156

A company has a VPC with both IPv4 and IPv6 CIDR blocks. They have a public subnet with an EC2 instance that needs to be accessible over IPv6 from the internet. The instance has an IPv6 address assigned. The SysOps administrator has attached an Internet Gateway (IGW) to the VPC and added a route to the IGW for the public subnet's IPv6 route table. However, the instance is not reachable over IPv6. What is the missing configuration?

157

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses sticky sessions (session affinity) based on cookies. Recently, the SysOps team noticed that user sessions are being lost intermittently, causing users to be logged out. The team checks the ALB configuration and finds that stickiness is enabled with the cookie name 'AWSALB' and a duration of 1 hour. The application also sets its own cookie. What is the most likely cause of session loss?

158

A company uses an Application Load Balancer (ALB) to distribute traffic to an Auto Scaling group of EC2 instances. Users report intermittent 503 errors. The SysOps Administrator checks the ALB metrics and sees that the Sum of HTTP 503s correlates with spikes in CPU utilization on the EC2 instances. What is the MOST likely cause and solution?

159

A SysOps Administrator manages a VPC with public and private subnets. The private subnets need to access the internet for software updates. The Administrator creates a NAT Gateway in a public subnet and updates the private subnet route table to point 0.0.0.0/0 to the NAT Gateway. However, instances in the private subnet still cannot reach the internet. What is the MOST likely reason?

160

A company has a VPC that requires DNS resolution for custom domain names within the VPC. They want to use a private hosted zone in Amazon Route 53. Which resource is required to associate the private hosted zone with the VPC?

161

A SysOps Administrator is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. After the peering connection is accepted, instances in VPC-A cannot ping instances in VPC-B. Both VPCs have non-overlapping CIDR blocks. What is the MOST likely cause?

162

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The application needs to authenticate users using an external identity provider (IdP). The SysOps Administrator recommends using Amazon Cognito as an identity broker. Which ALB action should be configured to authenticate users before forwarding requests to the target group?

163

A company uses Amazon CloudFront to deliver static content from an Amazon S3 bucket. Users in Europe report slow load times. Which CloudFront feature would MOST effectively improve performance for these users?

164

A SysOps Administrator is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. The instances can communicate over private IP addresses when security groups are set to allow all traffic, but fail when security groups are configured with specific rules. The Administrator wants to allow HTTP (port 80) and HTTPS (port 443) traffic from the client instance to the server instance. What security group rules are needed?

165

A company is using Amazon Route 53 for DNS and wants to route traffic to multiple endpoints based on the geographic location of the user. Which routing policy should the SysOps Administrator use?

166

A SysOps Administrator is configuring a Network Load Balancer (NLB) for a TCP-based application. The application requires that clients see the original source IP address of the request. Which configuration should the Administrator use?

167

A company is designing a highly available architecture using an Application Load Balancer (ALB) with multiple target groups. Which TWO statements are correct regarding ALB routing?

168

A SysOps Administrator is configuring VPC Flow Logs to monitor network traffic. Which THREE pieces of information are included in VPC Flow Log records?

169

A company wants to use Amazon CloudFront to distribute content globally with low latency. Which TWO features of CloudFront help achieve this?

170

Refer to the exhibit. A SysOps Administrator is reviewing the network ACL configuration. An instance in subnet 10.0.1.0/24 needs to receive HTTPS traffic from the internet. Why is the current configuration insufficient?

171

Refer to the exhibit. This bucket policy is attached to an S3 bucket that is used as an origin for a CloudFront distribution. Users are reporting Access Denied errors when accessing objects via the CloudFront URL. What is the MOST likely cause?

172

Refer to the exhibit. A SysOps Administrator runs the above command and sees that an EC2 instance is unhealthy. The health check is configured to check the HTTP endpoint '/health' on port 80. The instance's security group allows inbound HTTP traffic from the ALB's security group. What is the MOST likely cause?

173

A company hosts a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent timeouts. The web server logs show HTTP 503 errors. Which configuration is MOST likely causing the issue?

174

A company wants to reduce latency for global users accessing static content stored in Amazon S3. Which AWS service should be used?

175

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer (ALB) in the public subnets routes traffic to EC2 instances in the private subnets. The EC2 instances need to access the internet for software updates. Which solution is MOST secure and cost-effective?

176

A sysadmin receives an alert that a Network Load Balancer (NLB) is not passing traffic to targets. The target group health checks are passing. What is the MOST likely cause?

177

A company needs to resolve DNS names for on-premises servers from AWS. They have set up a DHCP options set with the on-premises DNS server IP. Which additional step is required?

178

A company uses an Application Load Balancer (ALB) to route traffic to a web application. The security team requires that all traffic be encrypted in transit. The ALB currently uses a TLS certificate from AWS Certificate Manager (ACM). Users report that some browsers show a certificate warning. What is the MOST likely cause?

179

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to connect to an on-premises network using a site-to-site VPN. The on-premises network uses 10.0.0.0/16 as well. Which solution avoids routing conflicts?

180

A sysadmin needs to block specific IP addresses from accessing an Application Load Balancer. Which approach is MOST efficient?

181

A company uses AWS Global Accelerator to improve performance of a TCP application. Users in Asia report higher latency than users in Europe. The endpoints are all in us-east-1. What is the BEST solution?

182

Which TWO AWS services can be used to provide a static IP address for an Application Load Balancer? (Choose two.)

183

Which THREE components are required to set up a site-to-site VPN connection between a VPC and an on-premises network? (Choose three.)

184

Which TWO statements about Amazon CloudFront origins are correct? (Choose two.)

185

A company has an application running on EC2 instances in a VPC. The application needs to access an S3 bucket in the same AWS region. Which configuration provides the MOST secure and cost-effective access?

186

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered using a VPC Peering connection. The instances in VPC A can ping the private IP of instances in VPC B, but not the DNS names. What is the most likely cause?

187

A company uses AWS Direct Connect to connect its on-premises network to AWS. The SysOps team notices that traffic from the on-premises network to a VPC is not using the Direct Connect connection but instead is going over the internet. The VPC has a virtual private gateway attached and the on-premises router is advertising a specific route. What is the most likely cause?

188

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The SysOps administrator receives reports that some users are experiencing intermittent HTTP 503 errors. What is the most likely cause?

189

A company has a web application deployed in a VPC with both public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The web servers need to access the internet for updates. Which configuration is required to provide internet access to the web servers while keeping the database servers private?

190

A SysOps administrator is setting up a Network Load Balancer (NLB) to handle millions of requests per second. The target group consists of EC2 instances that are in a single Availability Zone. Which of the following is a potential issue?

191

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect to an on-premises network with a CIDR of 10.0.0.0/8. What is the issue?

192

A SysOps administrator is configuring a VPC with a public subnet and a private subnet. The private subnet needs to access the internet to download patches. The administrator creates a NAT Gateway in the public subnet and updates the private subnet route table. However, instances in the private subnet cannot reach the internet. What is the most likely cause?

193

A company uses AWS Global Accelerator to improve the performance of a web application hosted in multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region as the endpoint. Users report that traffic is not being routed to the closest region. What could be the cause?

194

A SysOps administrator is planning a VPC design with high availability for an application that must tolerate the failure of an entire Availability Zone. Which TWO configurations should be implemented? (Select TWO.)

195

A company is using Amazon Route 53 as its DNS service. The SysOps team needs to route traffic to multiple resources based on the geographic location of the users. Which THREE routing policies can achieve this? (Select THREE.)

196

A SysOps administrator is troubleshooting an issue where an EC2 instance in a private subnet cannot connect to the internet via a NAT Gateway. Which TWO components must be correctly configured for this to work? (Select TWO.)

197

Refer to the exhibit. A VPC peering connection exists between VPC A (CIDR 10.0.0.0/16) and VPC B (CIDR 192.168.0.0/16). The command output shows the route table for VPC A (rtb-11111111) and VPC B (rtb-33333333). An instance in VPC A (private IP 10.0.1.5) cannot ping an instance in VPC B (private IP 192.168.1.10). What is the most likely reason?

198

Refer to the exhibit. A SysOps administrator has attached the bucket policy shown to an S3 bucket. Users from the IP range 192.0.2.0/24 report that they can access objects, but users from other IP ranges also report they can access objects. What is the most likely reason?

199

Refer to the exhibit. A SysOps administrator is troubleshooting a CloudFront distribution that serves content from an S3 bucket. Users are receiving 'Access Denied' errors when trying to access objects. The exhibit shows the distribution configuration. What is the most likely cause?

200

A company has deployed a web application behind an Application Load Balancer (ALB) across multiple Availability Zones. Users in some regions report slow page load times. Which action should the SysOps Administrator take to improve performance for all users?

201

A SysOps Administrator needs to allow an EC2 instance in a private subnet to access the internet for software updates. Which AWS service should be used?

202

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway. The private subnet has an EC2 instance that needs to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instance cannot reach the internet. What is the most likely cause?

203

An organization has a VPC peering connection between VPC A and VPC B. Instances in VPC A can reach instances in VPC B, but not vice versa. What is the most likely cause?

204

A company wants to distribute content with low latency to users globally. The content is static and stored in an S3 bucket. Which AWS service should be used?

205

A SysOps Administrator is configuring a VPC with a public subnet and a private subnet. The public subnet has an Internet Gateway. An EC2 instance in the private subnet needs to access an S3 bucket. What is the MOST secure way to provide this access?

206

A company has deployed an Application Load Balancer (ALB) in a VPC. The ALB is configured with a target group pointing to EC2 instances in a private subnet. Clients receive HTTP 503 errors. What is the likely cause?

207

A SysOps Administrator needs to monitor network traffic in a VPC. Which AWS service provides packet-level information about IP traffic?

208

A company has a VPC with multiple subnets. An EC2 instance in a public subnet needs to communicate with an RDS database in a private subnet. The RDS security group allows inbound traffic from the EC2 instance's security group. However, the EC2 instance cannot connect. What is the most likely cause?

209

A company has a VPC with a public subnet and a private subnet. The private subnet contains an EC2 instance that must access the internet for software updates. Which TWO actions are required to enable this? (Choose TWO.)

210

A SysOps Administrator is troubleshooting an issue where an Application Load Balancer (ALB) returns 502 Bad Gateway errors. Which THREE are possible causes? (Choose THREE.)

211

Which TWO AWS services can be used to improve the security of a VPC? (Choose TWO.)

212

Refer to the exhibit. A VPC Gateway Endpoint for S3 is created and associated with route table rtb-11111111. However, an EC2 instance in a subnet that uses route table rtb-22222222 cannot access S3. What is the most likely cause?

213

Refer to the exhibit. An EC2 instance is registered with an ALB target group. The health check returns 502. What is the most likely cause?

214

Refer to the exhibit. A security group is attached to an Application Load Balancer (ALB) that serves HTTPS traffic on port 443. Users can access the application via HTTPS. However, the ALB's health checks to targets on port 80 are failing. What is the reason?

215

A company's web application uses an Application Load Balancer (ALB) in front of multiple EC2 instances in an Auto Scaling group. Users report intermittent 503 errors. The ALB health checks are configured to check the /health endpoint every 30 seconds with a threshold of 2 successful checks to mark healthy. The Auto Scaling group’s health check grace period is set to 60 seconds. What is the most likely cause of the 503 errors?

216

A SysOps administrator needs to route traffic to multiple AWS regions for a global application with low latency. Which AWS service should be used?

217

A company has a VPC with public and private subnets. A NAT Gateway is deployed in the public subnet. Private EC2 instances need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instances cannot reach the internet. What is the most likely cause?

218

An organization wants to allow an on-premises data center to access an Amazon RDS database in a VPC. Which AWS service should be used to establish a dedicated, private, and high-bandwidth connection?

219

A SysOps administrator notices that traffic to an Application Load Balancer (ALB) is being rejected. The ALB has a security group that allows inbound HTTP (80) and HTTPS (443) from 0.0.0.0/0. The target group health checks are failing. What could be the issue?

220

A company uses Amazon CloudFront to serve static content from an S3 bucket. The S3 bucket is configured as an origin with RestrictBucketAccess set to Yes, and the origin access identity (OAI) is configured. Users can access the content via CloudFront, but direct S3 URLs return Access Denied. However, some users report that they can still access the content directly via S3 URLs. What is the most likely reason?

221

A SysOps administrator needs to monitor the amount of data transferred through a VPC’s internet gateway. Which Amazon CloudWatch metric should be used?

222

A company wants to distribute content globally with low latency and high transfer speeds. The content is stored in S3 buckets in multiple regions. Which AWS service should be used to accelerate content delivery?

223

A SysOps administrator is troubleshooting an issue where an EC2 instance in a private subnet cannot connect to the internet. The instance has a security group allowing outbound HTTPS traffic. The subnet’s route table has a default route (0.0.0.0/0) to a NAT Gateway. The NAT Gateway is in a public subnet with an Elastic IP and a route to an internet gateway. What is a likely cause of the issue?

224

Which TWO actions can be taken to improve the availability of a web application hosted on EC2 instances behind an Application Load Balancer? (Select two.)

225

Which THREE AWS services can be used to improve security and performance for a web application that uses an Application Load Balancer? (Select three.)

226

Which TWO methods can be used to secure an S3 bucket that is used as an origin for Amazon CloudFront? (Select two.)

227

Refer to the exhibit. A SysOps administrator is troubleshooting connectivity issues for a web application that uses an ALB. The ALB sends health check requests to targets on port 443. The network ACL shown is associated with the target subnet. Based on the exhibit, what is causing the health checks to fail?

228

Refer to the exhibit. An S3 bucket policy is configured for a CloudFront distribution using an OAI. The policy allows the OAI to get objects. Additionally, it allows anyone from the IP range 203.0.113.0/24 to get objects directly. Users from other IPs report they can still access objects directly via S3 URLs. What is the most likely cause?

229

Refer to the exhibit. The output shows the health status of two targets in a target group. One target is unhealthy with a 502 error. What is the most likely cause?

230

A company is using Amazon CloudFront to distribute its web application. Users in a specific geographic region are experiencing high latency. What is the most cost-effective solution to reduce latency for these users?

231

A SysOps administrator needs to allow traffic from a specific IP address range (203.0.113.0/24) to access an Amazon EC2 instance in a VPC. Which configuration step should be performed?

232

An application running on an EC2 instance is unable to connect to an Amazon RDS database in the same VPC. The security groups allow traffic from the EC2 instance. What is the most likely cause?

233

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. Users report intermittent 502 errors. What is the most likely cause?

234

A SysOps administrator needs to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which configuration should be used?

235

An application uses Amazon Route 53 weighted routing to distribute traffic across two AWS regions. After a deployment, users in one region are experiencing errors. What should the administrator do to mitigate the issue immediately?

236

A company wants to allow its employees to access internal applications using a custom domain name (app.example.com) that resolves to an internal ALB. Which AWS service should be used?

237

A SysOps administrator notices that traffic to an Amazon EC2 instance is being blocked even though the security group allows all inbound traffic. The subnet's network ACL allows all inbound and outbound traffic. What could be the issue?

238

A company is using Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access so that only CloudFront can access the S3 bucket. How should this be configured?

239

A SysOps administrator needs to design a VPC with public and private subnets for a web application. Which TWO components are required to allow instances in the private subnet to access the internet?

240

A company uses Amazon CloudFront to distribute content globally. They need to restrict access to premium content to only authenticated users. Which THREE methods can be used to achieve this?

241

A SysOps administrator is troubleshooting a connectivity issue from an EC2 instance to an RDS database in the same VPC. The security groups are configured correctly. Which TWO steps should the administrator take to diagnose the issue?

242

A company has a VPC with public and private subnets across two Availability Zones. An application running on EC2 instances in the private subnets needs to access the internet for updates. Which configuration should be used to provide internet access while minimizing administrative overhead?

243

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The security team reports that the ALB is receiving a high number of requests with suspicious User-Agent strings. The SysOps team needs to block these requests at the load balancer level without changing the application code. Which action should be taken?

244

A company wants to host a static website on AWS with high availability and low latency for global users. Which service should be used to serve the static content?

245

A SysOps administrator notices that traffic from an Application Load Balancer to targets is failing intermittently. The targets are EC2 instances in an Auto Scaling group. The health check settings on the target group are: ping path '/health', healthy threshold 2, unhealthy threshold 2, timeout 5 seconds, interval 30 seconds. Which change would most likely improve the stability of the health checks?

246

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They have a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. They launch an EC2 instance in the private subnet and need it to have a predictable, static private IP address for database replication. Which action should be taken?

247

A company wants to use Amazon CloudFront to serve content from an Application Load Balancer (ALB) that is internet-facing. Which type of origin should be configured in CloudFront?

248

A company has a VPC with an Internet Gateway and a NAT Gateway. They launch an EC2 instance in a private subnet. The instance needs to download updates from the internet, but the security team wants to prevent any inbound traffic from the internet. Which route table configuration is correct for the private subnet?

249

A company has a web application behind an Application Load Balancer (ALB) with sticky sessions enabled. The ALB's target group contains EC2 instances in an Auto Scaling group. After a deployment, users report that they are being logged out frequently. What is the most likely cause?

250

Which AWS service can be used to create a private, dedicated connection between an on-premises data center and AWS?

251

A company is using Amazon CloudFront to distribute content globally. They want to restrict access to their content so that only users from specific countries can access it. Which TWO actions can be taken to achieve this?

252

A company is designing a multi-tier application in a VPC. The web tier must be in public subnets and the application tier in private subnets. The application tier needs to receive traffic only from the web tier. Which TWO configurations are required?

253

A company wants to use Amazon Route 53 to route traffic to multiple endpoints for high availability. Which THREE routing policies can be used for this purpose?

254

A company has a production application running on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application uses an RDS MySQL database in the same VPC. The SysOps team recently implemented a change to the network ACLs to improve security. After the change, the application became unreachable from the internet, but the EC2 instances can still communicate with the RDS database. The ALB is in a public subnet, and the EC2 instances and RDS are in private subnets. The ALB's security group allows inbound HTTP/HTTPS from 0.0.0.0/0. The EC2 instances' security group allows inbound from the ALB's security group. The RDS security group allows inbound from the EC2 instances' security group. The network ACLs for the public subnet allow inbound HTTP/HTTPS from 0.0.0.0/0 and all outbound traffic. The network ACLs for the private subnets were modified to deny all inbound traffic except from the public subnet CIDR (10.0.1.0/24) and allow all outbound traffic. Which change should be made to restore internet access to the application?

255

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom domain name, 'app.example.com'. The SysOps team configured Amazon Route 53 with an alias record to the ALB DNS name. Users report that occasionally they are directed to a different website. The team suspects DNS resolution issues. They check the Route 53 hosted zone and find the alias record is correctly configured. The ALB is healthy. What is the most likely cause of the intermittent misdirection?

256

A company has deployed a static website on Amazon S3 with public read access. They want to use Amazon CloudFront to serve the content with HTTPS. They create a CloudFront distribution with the S3 bucket as an origin. After configuring the distribution, users report that they are unable to access the website via the CloudFront URL. The CloudFront distribution status is 'Deployed'. The S3 bucket policy allows GetObject for any principal. What is the most likely reason for the issue?

257

A company has an application running on EC2 instances behind an Application Load Balancer. Users report intermittent timeout errors. The ALB target group shows healthy instances, and CloudWatch metrics show no spikes in CPU or memory. Which configuration is most likely causing the timeouts?

258

A SysOps administrator needs to route traffic to multiple AWS regions for disaster recovery using Amazon Route 53. The primary region should receive all traffic unless it becomes unhealthy. Which routing policy should be used?

259

A company has an Amazon CloudFront distribution with an S3 bucket as origin. The bucket contains sensitive data. Which configuration ensures that users access the content only through CloudFront and not directly via the S3 URL?

260

A company is designing a VPC with public and private subnets. The private subnets need internet access for patching, but must not be directly reachable from the internet. Which TWO components should be used together?

261

A SysOps administrator is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC Peering connection. An EC2 instance in VPC-A cannot ping an EC2 instance in VPC-B. The route tables and security groups are correctly configured. Which THREE steps should the administrator take to resolve the issue?

262

A company has an Application Load Balancer (ALB) that distributes traffic to EC2 instances. The company wants to enable path-based routing to send requests to different target groups. Which TWO resources must be created to achieve this?

263

An EC2 instance in the subnet associated with the network ACL above cannot receive HTTP traffic (port 80) from the internet. The instance has a security group allowing HTTP inbound. What is the cause?

264

A SysOps administrator manages a web application hosted on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. Recently, the development team deployed a new version that increases the load time for certain pages. Users report that they are randomly seeing other users' data. The administrator suspects that the sticky session configuration is not working correctly. The ALB target group is configured with stickiness enabled using the AWSALB cookie. What should the administrator do to verify that sticky sessions are being honored?

265

A company uses Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access to content based on geographic location. Some countries should be blocked entirely. The administrator configured a CloudFront geographic restriction (whitelist/blacklist) and updated the S3 bucket policy to allow only CloudFront access via Origin Access Identity (OAI). However, users from blocked countries are still able to access some content. What is the most likely cause?

266

A company has a VPC with public and private subnets across two Availability Zones. They have a NAT Gateway in each public subnet for high availability. EC2 instances in the private subnets need to access an external service that requires a fixed IP address for whitelisting. The administrator configured the route tables to use the NAT Gateway in the same Availability Zone. However, when the NAT Gateway in AZ-A fails, instances in AZ-A lose internet connectivity. What should the administrator do to ensure high availability with fixed IP addresses?

267

A company has a web application that uses Amazon CloudFront and an Application Load Balancer as origin. The application requires HTTPS between CloudFront and the ALB. The ALB uses a certificate from AWS Certificate Manager (ACM) for the custom domain. The administrator notices that CloudFront returns HTTP 502 errors occasionally. The ALB target group shows healthy instances. What is the most likely cause of the 502 errors?

268

A company has a multi-tier application with a web tier, application tier, and database tier. All tiers are in the same VPC. The web tier is in public subnets, application tier in private subnets, and database tier in private subnets. The security groups are configured as follows: Web SG allows HTTP/HTTPS from 0.0.0.0/0; App SG allows HTTP from Web SG; DB SG allows MySQL from App SG. The application tier instances cannot connect to the database tier. What is the most likely cause?

Practice all 268 Networking and Content Delivery questions

Frequently asked questions

What does the Networking and Content Delivery domain cover on the SOA-C02 exam?

The Networking and Content Delivery domain covers the key concepts tested in this area of the SOA-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SOA-C02 domains — no account required.

How many Networking and Content Delivery questions are in the SOA-C02 question bank?

The Courseiva SOA-C02 question bank contains 268 questions in the Networking and Content Delivery domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Networking and Content Delivery for SOA-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Networking and Content Delivery questions for SOA-C02?

Yes — the session launcher on this page draws questions exclusively from the Networking and Content Delivery domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
