Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SOA-C02 Networking and Content Delivery • Complete Question Bank

SOA-C02 Networking and Content Delivery — All Questions With Answers

Complete SOA-C02 Networking and Content Delivery question bank — all 0 questions with answers and detailed explanations.

268 questions • Free • No signup
Question 1 (easy, multiple choice)

A company wants to establish a dedicated, low-latency, private connection between its on-premises data center and an AWS VPC. The company does not want to use the public internet. Which AWS service should be used to meet this requirement?

Question 2 (hard, multiple choice)

A company has two VPCs in different AWS regions (us-east-1 and eu-west-1) that are peered. Applications in both VPCs need to communicate using private IP addresses. The ping tests are successful, but the latency is significantly higher than expected. Which change is most likely to improve the latency between the VPCs?

Question 3 (medium, multiple choice)

A company has deployed a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application's IP addresses are used by a third-party service to allowlist traffic. The EC2 instances are part of an Auto Scaling group that may scale up and down. The SysOps administrator needs to ensure that the third-party service always has the current IP addresses of the ALB without requiring manual updates. Which solution should the administrator implement?

Question 4 (easy, multiple choice)

A company has an on-premises data center connected to an AWS VPC via an AWS Direct Connect connection. The company's SysOps administrator wants to ensure that traffic from the VPC destined for the on-premises network uses the Direct Connect connection instead of the internet. Which configuration should be used?

Question 5 (easy, multiple choice)

A company has two VPCs in the same AWS region. VPC A hosts a web application, and VPC B hosts a database. The SysOps administrator needs to enable private IP communication between the two VPCs without using the public internet. The administrator wants a simple, low-cost solution that uses the AWS network backbone. Which AWS service should be used?

Question 6 (medium, multiple choice)

A company hosts a web application behind an Application Load Balancer (ALB) in us-east-1. Users in Europe report high latency. The SysOps administrator decides to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. However, the application logs require the original client IP addresses of users. The ALB currently provides the client IP via the X-Forwarded-For header, but the development team warns that Global Accelerator may change the source IP. Which configuration should the administrator choose to meet both performance and logging requirements?

Question 7 (easy, multiple choice)

A company hosts a web application on Amazon EC2 instances in two AWS regions: us-east-1 and eu-west-1. The application is behind an Application Load Balancer (ALB) in each region. The SysOps administrator wants to direct users to the region that provides the lowest latency, automatically routing traffic away from a region if it becomes unhealthy. Which Amazon Route 53 routing policy should be used?

Question 8 (hard, multiple choice)

A company has three VPCs in the same AWS region: VPC A (production), VPC B (development), and VPC C (shared services). The VPCs have overlapping CIDR blocks (e.g., VPC A: 10.0.0.0/16, VPC B: 10.0.0.0/16, VPC C: 10.1.0.0/16). The SysOps administrator needs to enable private IP communication between VPC A and VPC C, and between VPC B and VPC C, but not between VPC A and VPC B. The solution must also support a growing number of VPCs in the future. Which AWS service should be used?

Question 9 (medium, multiple choice)

A company runs a gaming application that uses Amazon EC2 instances to handle real-time multiplayer sessions. The application requires low-latency communication with users around the world. The SysOps administrator needs to accelerate content delivery for non-cacheable, dynamic content (such as real-time game state updates) and also provide static asset delivery. The solution must support both TCP and UDP traffic. Which AWS service should be used?

Question 10 (easy, multiple choice)

A company has two VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The VPCs are in the same AWS region. The SysOps administrator needs to enable private IP connectivity between the two VPCs so that an EC2 instance in VPC-A can communicate with an EC2 instance in VPC-B using their private IP addresses. The administrator wants a simple, low-cost solution with high throughput. Which AWS service should be used?

Question 11 (medium, multiple choice)

A company has an Amazon VPC with public and private subnets. The private subnets host database instances that should not have direct internet access. However, the database instances need to download patches from an Amazon S3 bucket. The SysOps administrator needs to enable access to S3 from the private subnets without traversing the internet. Which solution should be used?

Question 12 (medium, multiple choice)

A company has an Application Load Balancer (ALB) in the us-east-1 region. Users in Asia report high latency. The SysOps administrator wants to use AWS Global Accelerator to improve performance by directing traffic to the closest edge location. Which step is required to integrate Global Accelerator with the ALB?

Question 13 (medium, multiple choice)

A company has an on-premises data center connected to AWS via an AWS Direct Connect connection. The SysOps administrator needs to ensure high availability for the connectivity. Which configuration provides the highest availability for the Direct Connect connection?

Question 14 (hard, multiple choice)

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is deployed in the public subnets, and an Auto Scaling group of web servers is deployed in the private subnets. The web servers need to frequently make HTTPS requests to an external API. The API provider requires that all requests originate from a consistent set of static IP addresses for whitelisting. The SysOps administrator must ensure that outbound traffic from the web servers has static source IP addresses. Which solution should be implemented?

Question 15 (medium, multiple choice)

A company has two Amazon VPCs: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16) in the same AWS Region. The SysOps administrator needs to enable private IP connectivity between the two VPCs without using the public internet. The solution must be simple, low-cost, and provide high throughput. Which AWS service should the administrator use?

Question 16 (easy, multiple choice)

A company has multiple on-premises branch offices, each with a site-to-site VPN connection to a single VPC in AWS. The SysOps administrator needs to enable communication between the branch offices using the AWS cloud as a hub. Which configuration should be implemented to achieve this with the least operational overhead?

Question 17 (medium, multiple choice)

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB) in the us-west-2 Region. Users are distributed globally and experience high latency. The SysOps administrator wants to improve latency and offload SSL termination to the edge. Which AWS service should be used with the ALB as the origin?

Question 18 (easy, multiple choice)

A company has two Amazon VPCs in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

Question 19 (easy, multiple choice)

A company hosts a static website on Amazon S3. Users access the website from around the world. The SysOps administrator needs to deliver content with low latency and support HTTPS with a custom domain. Which AWS service should be used?

Question 20 (medium, multiple choice)

A company has two Amazon VPCs (VPC-A and VPC-B) in the same AWS Region with non-overlapping CIDR blocks. The SysOps administrator needs to establish private IP connectivity between the two VPCs with high throughput and minimal cost. Which solution should the administrator implement?

Question 21 (medium, multiple choice)

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application needs to serve HTTPS content. The SysOps administrator wants to offload SSL termination to the ALB and automatically renew the certificate before expiration. Which solution should the administrator implement?

Question 22 (medium, multiple choice)

A company has an on-premises data center connected to AWS via an AWS Direct Connect private virtual interface (VIF). The SysOps administrator needs to ensure that all traffic between the on-premises network and Amazon S3 in the same AWS Region stays within the AWS network and does not traverse the internet. Which solution should the administrator implement?

Question 23 (hard, multiple choice)

A company has a VPC with public and private subnets. The private subnets need outbound internet access to download software updates while preventing any inbound internet traffic. The SysOps administrator must minimize costs. Which solution should the administrator implement?

Question 24 (hard, multiple choice)

A company has an Amazon VPC with a CIDR block of 10.0.0.0/16 and an AWS Site-to-Site VPN connection to an on-premises data center. The on-premises DNS servers host a private domain 'corp.example.com'. The SysOps administrator needs to enable EC2 instances in the VPC to resolve DNS names for 'corp.example.com' using the on-premises DNS servers. Which Route 53 feature should be configured?

Question 25 (medium, multiple choice)

A company has an Application Load Balancer (ALB) that routes traffic to Amazon EC2 instances in private subnets of a VPC. The SysOps administrator needs to ensure that the EC2 instances can download software updates from the internet, but they must not be directly accessible from the internet. The solution should minimize operational overhead. Which solution should the administrator implement?

Question 26 (hard, multiple choice)

A company has a VPC with public and private subnets. The private subnets host application servers that need to make outbound HTTPS connections to the internet. The SysOps administrator must implement a solution that provides outbound internet connectivity while preventing inbound connections from the internet. Additionally, the solution must allow the company to control which domains the application servers can access. Which solution should the administrator implement?

Question 27 (medium, multiple choice)

A company has an Amazon VPC with public and private subnets across two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an Amazon S3 bucket to upload and download files. The SysOps administrator must ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?

Question 28 (medium, multiple choice)

A company has an Amazon CloudFront distribution that delivers static content from an Amazon S3 bucket. The SysOps administrator needs to ensure that the content can only be accessed through CloudFront and not directly from the S3 bucket URL. The solution should use AWS managed services with minimal configuration. Which solution should the administrator implement?

Question 29 (medium, multiple choice)

A company runs an application on Amazon EC2 instances in private subnets of a VPC. The application needs to upload files to an Amazon S3 bucket in the same AWS Region. The SysOps administrator wants to ensure that traffic to S3 does not traverse the internet and minimizes data transfer costs. Which solution should the administrator implement?

Question 30 (medium, multiple choice)

A company runs an application across multiple Availability Zones. The application servers are in private subnets and need outbound internet access to download software updates and patches. The SysOps administrator needs a highly available, fully managed solution to provide this outbound connectivity. Which solution should be used?

Question 31 (medium, multiple choice)

A company has two VPCs in the same AWS account and Region: VPC-A (10.0.0.0/16) and VPC-B (10.1.0.0/16). The SysOps administrator needs to establish connectivity between these VPCs so that resources in VPC-A can reach resources in VPC-B using private IP addresses. The solution must be highly available and not involve a third-party appliance. Which solution should the administrator implement?

Question 32 (medium, multiple choice)

A company runs a web application on Amazon EC2 instances in private subnets across multiple Availability Zones. The instances need to download software patches from the internet. The SysOps administrator requires a highly available, fully managed solution for outbound internet connectivity. Which solution should be implemented?

Question 33 (easy, multiple choice)

A company has a VPC with public and private subnets. An Application Load Balancer (ALB) is in the public subnets, and Amazon EC2 instances are in the private subnets. The SysOps administrator needs to allow the EC2 instances to access an Amazon S3 bucket in the same AWS Region without traversing the internet. Which solution should the administrator implement?

Question 34 (medium, multiple choice)

A company has a VPC with public and private subnets. An Amazon EC2 instance in a private subnet needs to access an Amazon S3 bucket in the same AWS Region. The SysOps administrator wants to ensure the traffic does not traverse the internet. Which solution should be implemented?

Question 35 (hard, multiple choice)

A company has multiple VPCs in the same AWS account and Region, each with overlapping CIDR blocks (10.0.0.0/16). The SysOps administrator needs to establish connectivity between all VPCs and the on-premises network via AWS Transit Gateway. Additionally, certain VPCs must be isolated from each other while still reaching on-premises. How should the administrator configure the Transit Gateway to meet these requirements?

Question 36 (easy, multiple choice)

A company wants to host a static website using Amazon S3. The website files are stored in an S3 bucket. The SysOps administrator needs to make the website accessible via HTTP. Which action must be performed on the S3 bucket?

Question 37 (medium, multiple choice)

A company has an Application Load Balancer (ALB) that routes traffic to targets in private subnets. The SysOps administrator needs to log detailed information about HTTP requests, including client IP, request path, and response time. Which ALB feature should be enabled?

Question 38 (medium, multiple choice)

A company runs an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB terminates SSL/TLS and forwards traffic to the instances over HTTP. The SysOps administrator needs to capture the original client IP address in the instance logs. How should the administrator configure this?

Question 39 (medium, multiple choice)

A company uses Amazon CloudFront to deliver content from an Application Load Balancer (ALB) origin. The SysOps administrator needs to restrict access to the content so that only users from a specific geographic location can view it. Which CloudFront feature should be used?

Question 40 (hard, multiple choice)

A SysOps administrator is troubleshooting connectivity issues between Amazon EC2 instances in two different VPCs that are connected via a VPC peering connection. The instances can successfully send ICMP (ping) traffic, but TCP connections on port 443 (HTTPS) fail. The security groups of both instances allow all inbound and outbound traffic. What is the most likely cause of the issue?

Question 41 (easy, multiple choice)

A SysOps administrator has deployed an Application Load Balancer (ALB) that distributes traffic to a fleet of Amazon EC2 instances. The administrator notices that the ALB is sending all traffic to instances in a single Availability Zone (AZ), ignoring instances in other AZs. The ALB was created with default settings. Which action should the administrator take to ensure traffic is distributed evenly across all AZs?

Question 42 (easy, multiple choice)

A company needs a dedicated private network connection from its on-premises data center to AWS that provides consistent network performance and high bandwidth. The connection must bypass the public internet. Which AWS service should the SysOps administrator use?

Question 43 (easy, multiple choice)

A company has multiple VPCs in the same AWS Region that need to communicate with each other. The SysOps administrator wants to avoid the complexity of a full mesh of VPC peering connections. Which AWS service should the administrator use to connect all VPCs with a central hub?

Question 44 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An Amazon EC2 instance in the private subnet needs to download security patches from the internet, but the instance must not be directly accessible from the internet. The SysOps administrator configured a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. The instance's security group allows all outbound traffic. However, the instance still cannot reach the internet. What is the most likely missing configuration?

Question 45 (hard, multiple choice)

Instances in a private subnet need outbound internet access for software updates. The route table sends 0.0.0.0/0 to a NAT gateway, but updates fail. Which condition should you check first?

Question 46 (easy, multiple choice)

A company hosts a static website on Amazon EC2 instances behind an Application Load Balancer. They want to improve latency for users around the world by caching content at edge locations. Which AWS service should they use?

Question 47 (easy, multiple choice)

EC2 instances in private subnets need to access S3 buckets. Currently the instances use a NAT Gateway to reach S3 over the internet. The team wants to keep S3 traffic private (within the AWS network) and reduce NAT Gateway data processing costs. What is the correct solution?

Question 48 (medium, multiple choice)

A web application is deployed in us-east-1 (primary) and eu-west-1 (standby). Under normal conditions, all traffic should go to us-east-1. If the us-east-1 health check fails, traffic must automatically redirect to eu-west-1 within 30 to 60 seconds. What Route 53 configuration implements this?

Question 49 (medium, multiple choice)

Users are intermittently reporting 502 Bad Gateway errors when accessing the application through an Application Load Balancer. The team needs to identify which target IPs are associated with the failures and the request processing time for those requests. Application logs on instances do not capture failures before the ALB connection. What should be enabled?

Question 50 (easy, multiple choice)

A security team applied Network ACL rules to a subnet to allow inbound TCP traffic on port 443 (HTTPS). Users connecting from the internet can initiate connections, but they never receive responses. The NACL is applied to the subnet containing the web servers. What is missing?

Question 51 (medium, drag order)

Drag and drop the steps to enable AWS CloudTrail logging for a specific S3 bucket into the correct order.

Question 52 (medium, matching)

Match each AWS database service to its type.

Matches

Relational database

NoSQL key-value and document

In-memory caching

Data warehousing

Graph database

Question 53 (medium, multiple choice)

A company uses Amazon CloudFront to deliver its static website hosted on Amazon S3. The security team notices that users are able to access the S3 bucket directly via the S3 endpoint, bypassing CloudFront. What should be done to ensure that content is only accessible through CloudFront?

Question 54 (hard, multiple choice)

A SysOps administrator is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises data center connected via AWS Direct Connect. The EC2 instance can reach other instances in the same VPC but cannot reach the on-premises network. The virtual private gateway (VGW) is attached to the VPC and the Direct Connect virtual interface is up. Which configuration step should the administrator verify first?

Question 55 (easy, multiple choice)

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which configuration ensures that traffic is distributed evenly across all healthy targets?

Question 56 (hard, multiple choice)

A SysOps administrator is setting up Amazon Route 53 for a domain that will be used for a web application. The application requires failover to a backup data center in another region if the primary becomes unhealthy. The administrator creates a failover routing policy with two records (primary and secondary) associated with health checks. After testing, the failover does not occur when the primary endpoint fails. What is the most likely cause?

Question 57 (medium, multiple choice)

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The SysOps administrator needs to restrict access to the ALB so that it only accepts requests from CloudFront. Which solution should the administrator implement?

Question 58 (easy, multiple choice)

A SysOps administrator is troubleshooting an issue where an Amazon EC2 instance cannot connect to the internet. The instance is in a public subnet with a route table that has a route to an internet gateway (IGW). The instance has a public IP assigned. What should the administrator check next?

Question 59 (medium, multiple choice)

A company has deployed a web application across multiple AWS regions and wants to use Amazon Route 53 to direct users to the region with the lowest latency. Which routing policy should the SysOps administrator use?

Question 60 (hard, multiple choice)

An organization has a VPC with public and private subnets. The private subnets need to access the internet for software updates. A NAT gateway is deployed in a public subnet and the private subnet route table has a route for 0.0.0.0/0 pointing to the NAT gateway. However, instances in the private subnet cannot reach the internet. What could be the issue?

Question 61 (easy, multiple choice)

A SysOps administrator is configuring Amazon CloudFront to serve content from an Amazon S3 bucket. The content is sensitive and should be encrypted at rest. Which option ensures that content is encrypted at rest in S3?

Question 62 (medium, multi select)

Which TWO actions can a SysOps administrator take to improve the availability of a web application using an Application Load Balancer (ALB) and EC2 instances? (Choose two.)

Question 63 (hard, multi select)

Which THREE components are required to establish a site-to-site VPN connection between an AWS VPC and an on-premises network? (Choose three.)

Question 64 (easy, multi select)

Which TWO features are provided by Amazon CloudFront to secure content delivery? (Choose two.)

Question 65 (medium, multiple choice)

Refer to the exhibit. A SysOps administrator created this S3 bucket policy to allow CloudFront to access objects in the bucket using an origin access identity (OAI). However, users are still receiving 403 Access Denied errors when accessing the CloudFront distribution. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1A2B3C4D5E6F7"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Question 66 (hard, multiple choice)

Refer to the exhibit. A SysOps administrator is troubleshooting internet connectivity for an EC2 instance in subnet subnet-0a1b2c3d4e5f6g7h8. The instance can reach other instances in the VPC but cannot access the internet. Based on the route table output, what is the most likely cause?

Network Topology
$ aws ec2 describe-route-tables --route-table-ids rtb-0a1b2c3d4e5f6g7h8
{
  "RouteTables": [
    {
      "Associations": [
        {
          "SubnetId": "subnet-0a1b2c3d4e5f6g7h8",
          "RouteTableAssociationId": "rtbassoc-0a1b2c3d4e5f6g7h8",
          "Main": false
        }
      ],
      "RouteTableId": "rtb-0a1b2c3d4e5f6g7h8",
      "Routes": [
        {
          "DestinationCidrBlock": "10.0.0.0/16",
          "GatewayId": "local",
          "Origin": "CreateRouteTable",
          "State": "active"
        },
        {
          "DestinationCidrBlock": "0.0.0.0/0",
          "NatGatewayId": "nat-0a1b2c3d4e5f6g7h8",
          "Origin": "CreateRoute",

Question 67 (easy, multiple choice)

Refer to the exhibit. A SysOps administrator runs the describe-target-health command and sees that an EC2 instance in the target group is unhealthy with a timeout error. What is the most likely cause?

Network Topology
$ aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/1234567890123456
{
  "TargetHealthDescriptions": [
    {
      "Target": {
        "Id": "i-0a1b2c3d4e5f6g7h8",
        "Port": 80
      },
      "HealthCheckPort": "80",
      "TargetHealth": {
        "State": "unhealthy",
        "Reason": "Target.Timeout",
        "Description": "Request timed out"
      }
    }
  ]
}

Question 68 (medium, multiple choice)

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB). The application needs to maintain user session state. Which configuration ensures session stickiness with minimal performance impact?

Question 69 (hard, multiple choice)

A SysOps administrator notices that traffic from an Application Load Balancer to EC2 instances is failing intermittently. Security groups for the instances allow traffic from the ALB security group on port 80. The ALB target group health checks are failing. What is the most likely cause?

Question 70 (easy, multiple choice)

A company wants to provide low-latency access to static content (images, CSS) for global users. The content is stored in an S3 bucket. Which service should be used to cache content at edge locations?

Question 71 (medium, multiple choice)

An application running on EC2 instances sends large amounts of data to an S3 bucket. The SysOps administrator wants to reduce data transfer costs while ensuring the traffic stays within AWS. What is the most cost-effective solution?

Question 72 (hard, multiple choice)

A SysOps administrator is troubleshooting connectivity issues between two VPCs in different AWS Regions. Both VPCs are connected via a VPC Peering connection. The route tables in both VPCs have routes pointing to the peering connection. Security groups allow all traffic. However, an EC2 instance in VPC A cannot ping an EC2 instance in VPC B. What is the most likely cause?

Question 73 (easy, multiple choice)

A company has an application that requires UDP traffic to be distributed across multiple EC2 instances. Which AWS load balancer type should be used?

Question 74 (medium, multiple choice)

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download software patches from the internet. Which component should be used to provide internet access to the instance?

Question 75 (hard, multiple choice)

A SysOps administrator is configuring an Application Load Balancer to route traffic to multiple target groups based on the URL path. The ALB is not routing traffic correctly. Which listener rule configuration should be used to route requests with path /api/* to target group A and all other requests to target group B?

Question 76 (medium, multiple choice)

A company has multiple VPCs in the same account that need to communicate with each other. The VPCs are in the same region. Which solution provides the simplest and most scalable connectivity?

Question 77 (easy, multi select)

A SysOps administrator needs to ensure high availability for a web application running on EC2 instances across multiple Availability Zones. Which TWO actions should the administrator take?

Question 78 (medium, multi select)

A company has a VPC with a public subnet and a private subnet. The private subnet hosts a database. Which TWO components are required to allow an EC2 instance in the public subnet to connect to the database?

Question 79 (medium, multi select)

A company is using Amazon CloudFront to deliver content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which TWO steps should be taken?

Question 80 (medium, multiple choice)

A company is using Amazon Route 53 as its DNS service. The company has a web application running on an Auto Scaling group of EC2 instances behind an Application Load Balancer (ALB). The company wants to ensure that if the ALB fails, traffic is automatically redirected to a static error page hosted on an Amazon S3 bucket. Which Route 53 routing policy should be used to achieve this?

Question 81 (hard, multiple choice)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has a NAT gateway in the public subnet. Which of the following route table configurations is required for the private subnet to enable internet access through the NAT gateway?

Question 82 (easy, multiple choice)

A company is using Amazon CloudFront to distribute content globally. The company wants to restrict access to content so that only users from specific countries can access it. Which CloudFront feature should be used?

Question 83 (hard, multiple choice)

A company is running a critical application on EC2 instances in a VPC. The instances are in an Auto Scaling group across multiple Availability Zones. The application needs to maintain a fixed, private IP address for each instance. Which approach should be used to ensure each instance receives a consistent private IP address?

Question 84 (medium, multiple choice)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. The company wants to connect two subnets: one in the VPC (10.0.1.0/24) and one in an on-premises network (192.168.1.0/24) via a Site-to-Site VPN. The VPN connection is established. However, instances in the VPC subnet cannot ping the on-premises server at 192.168.1.10. What is a possible cause?

Question 85 (easy, multiple choice)

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The company needs to ensure that the ALB sends requests to instances that are healthy and can serve traffic. Which feature should be used to monitor the health of the instances?

Question 86 (medium, multiple choice)

A company has a CloudFront distribution with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible through CloudFront. Which configuration is required to ensure that direct access to the S3 bucket is blocked?

Question 87 (hard, multiple choice)

A company has a VPC with multiple subnets across two Availability Zones. The company wants to set up a Network Load Balancer (NLB) to handle TCP traffic to a fleet of EC2 instances. The instances are in private subnets. Which configuration is necessary to ensure the NLB can route traffic to the instances?

Question 88 (easy, multiple choice)

A company has an EC2 instance that needs to have a static public IP address that does not change even if the instance is stopped and started. Which AWS resource should be attached to the instance?

Question 89 (medium, multi select)

Which TWO of the following are benefits of using Amazon CloudFront in front of an Application Load Balancer? (Select TWO.)

Question 90 (hard, multi select)

Which THREE of the following are valid options for connecting a VPC to an on-premises network? (Select THREE.)

Question 91 (easy, multi select)

Which TWO of the following are features of Amazon Route 53? (Select TWO.)

Question 92 (easy, multiple choice)

A company has an Application Load Balancer (ALB) that routes traffic to an Auto Scaling group of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The EC2 instances have a security group that allows inbound traffic from the ALB's security group. Users report intermittent 503 errors. What is the most likely cause?

Question 93 (medium, multiple choice)

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered together. The VPCs are in the same AWS region. An EC2 instance in VPC A (10.0.1.0/24) cannot ping an EC2 instance in VPC B (10.0.2.0/24). Both VPCs have route tables that include the CIDR of the other VPC with the peering connection as the target. The security groups and network ACLs allow all inbound and outbound traffic. What is the most likely issue?

Question 94 (hard, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The data center has multiple VLANs that need to connect to separate VPCs in AWS. The company wants to maintain isolation between the VPCs while maximizing bandwidth utilization. Which solution should the SysOps administrator recommend?

Question 95 (easy, multiple choice)

A company hosts a static website on Amazon S3 with public read access enabled. The website is accessed via a custom domain name that uses Amazon Route 53. The domain name points to the S3 bucket's website endpoint. Users report that they can access the website using the S3 bucket URL but not the custom domain name. What is the most likely cause?

Question 96 (medium, multiple choice)

A company deploys a web application on EC2 instances behind an Application Load Balancer. The SysOps administrator needs to allow inbound traffic only from the ALB to the EC2 instances. Currently, the EC2 security group allows inbound HTTP from 0.0.0.0/0. Which security group configuration should the administrator apply?

Question 97 (hard, multiple choice)

A company uses Amazon CloudFront to distribute content to users worldwide. The origin is an Application Load Balancer (ALB) that routes to EC2 instances. The SysOps administrator notices that some users are receiving cached responses even though the content has been updated on the origin. The administrator needs to ensure that users always receive the latest version of the content. What should the administrator do?

Question 98 (easy, multiple choice)

A SysOps administrator needs to create a VPC with both public and private subnets. The public subnet will host a NAT gateway and a bastion host. The private subnet will host application servers that need outbound internet access for updates. Which routing configuration should the administrator implement?

Question 99 (medium, multiple choice)

A company has an internal Application Load Balancer (ALB) in a VPC. The ALB is used by an on-premises application via AWS Direct Connect. The on-premises application needs to resolve the ALB's DNS name. The VPC has a Route 53 private hosted zone associated with it. The on-premises DNS servers are configured to forward queries for the company's domain to the VPC's Route 53 inbound resolver endpoints. However, the on-premises application cannot resolve the ALB's DNS name. What is the likely cause?

Question 100 (hard, multiple choice)

A company is using Amazon CloudFront with an S3 bucket as the origin. The S3 bucket contains sensitive data that should only be accessible via CloudFront. The SysOps administrator has configured an Origin Access Identity (OAI) and updated the bucket policy to allow access only to the OAI. However, users are still able to access the S3 bucket directly via the S3 URL. What is the most likely reason?

Question 101 (medium, multi select)

Which TWO actions should a SysOps administrator take to improve the availability and reduce latency for a web application hosted on EC2 instances behind an Application Load Balancer?

Question 102 (hard, multi select)

Which THREE configurations are required to enable an EC2 instance in a private subnet to access the internet for software updates while preventing inbound internet traffic?

Question 103 (easy, multi select)

Which TWO are valid methods to secure traffic between a client and an Application Load Balancer?

Question 104 (easy, multiple choice)

A company hosts a web application on EC2 instances behind an Application Load Balancer. Users report intermittent 503 errors. Which step should the SysOps administrator take to troubleshoot the issue?

Question 105 (medium, multiple choice)

An organization uses Amazon CloudFront to serve static content from an S3 bucket. The content is updated frequently, but users are seeing stale files. What is the most efficient way to invalidate the cache for updated objects?

Question 106 (hard, multiple choice)

A company has a VPC with public and private subnets. A NAT Gateway is in the public subnet, and a private EC2 instance needs to download patches from the internet. The instance can reach the internet after a reboot. Which action should the SysOps administrator take to make the internet access persistent?

Question 107 (easy, multiple choice)

A SysOps administrator needs to allow a Lambda function to access a DynamoDB table in the same AWS account. Which configuration is required?

Question 108 (medium, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection is redundant with two virtual interfaces (VIFs). Recently, one VIF failed, and the administrator notices that traffic is not automatically failing over. What must be configured to enable automatic failover?

Question 109 (hard, multiple choice)

A web application on EC2 instances behind an ALB experiences increased latency during peak hours. The SysOps administrator notices that the ALB's RequestCount per target is high. What design change should improve performance?

Question 110 (easy, multiple choice)

An organization wants to block traffic from specific IP addresses at the edge of the AWS network before it reaches the application. Which service should be used?

Question 111 (medium, multiple choice)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which step is necessary?

Question 112 (hard, multiple choice)

A SysOps administrator receives an alert that a VPN connection between a VPC and an on-premises network is down. The VPN uses static routing. After verifying the on-premises side is functioning, what should the administrator check in AWS?

Question 113 (medium, multi select)

Which TWO actions can reduce data transfer costs for content delivered to users globally? (Choose two.)

Question 114 (hard, multi select)

Which THREE components are required to set up a site-to-site VPN connection between an on-premises network and an AWS VPC? (Choose three.)

Question 115 (easy, multi select)

Which TWO security measures should be implemented to protect a VPC from DDoS attacks? (Choose two.)

Question 116 (medium, multiple choice)

A company is using an Application Load Balancer (ALB) to distribute traffic to a set of EC2 instances. Users report intermittent 503 errors. Which of the following is the MOST likely cause?

Question 117 (easy, multiple choice)

A company wants to host a static website on AWS with high availability and low latency for global users. Which combination of services should be used?

Question 118 (hard, multiple choice)

A company has a VPC with public and private subnets. A NAT Gateway is deployed in the public subnet to allow instances in the private subnet to access the internet. However, private instances cannot reach an external service at 203.0.113.50:443. What should be checked first?

Question 119 (hard, multiple choice)

A company uses Amazon CloudFront to serve content from an S3 bucket. The bucket is configured as an origin with Origin Access Control (OAC). Users report that they can access the content via CloudFront but also directly via the S3 bucket URL. How can the company restrict direct access to the S3 bucket?

Question 120 (easy, multiple choice)

A company has deployed a web application across multiple Availability Zones using an Application Load Balancer. The application experiences increased latency during peak hours. Which action would be MOST effective in reducing latency?

Question 121 (medium, multiple choice)

A company has a VPN connection between its on-premises network and AWS VPC. The VPN tunnel shows status as UP, but traffic is not flowing from on-premises to the VPC. Which configuration should be checked?

Question 122 (easy, multiple choice)

A company wants to provide low-latency access to a web application for users in North America and Europe. The application runs on EC2 instances in us-east-1 and eu-west-1. Which AWS service should be used to route users to the nearest region?

Question 123 (medium, multi select)

A company has a VPC with a public subnet and a private subnet. An Amazon RDS for MySQL database is deployed in the private subnet. Which TWO steps are required to allow an EC2 instance in the public subnet to connect to the database? (Choose two.)

Question 124 (hard, multi select)

A company is using Amazon CloudFront with an Application Load Balancer (ALB) as the origin. The ALB is configured with HTTPS listeners. Users report that some requests are failing with a 502 error. Which THREE steps should the SysOps administrator take to troubleshoot the issue? (Choose three.)

Question 125 (medium, multi select)

A company is using Amazon Route 53 with a private hosted zone for internal DNS resolution within a VPC. The VPC is connected to an on-premises network via a VPN. On-premises resources cannot resolve DNS names in the private hosted zone. Which TWO actions should be taken to resolve this issue? (Choose two.)

Question 126 (hard, multiple choice)

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to send traffic to an EC2 instance in subnet-B. Both instances are in the same VPC and have appropriate security group rules. However, traffic is not reaching the destination. What is the MOST likely cause?

Question 127 (medium, multiple choice)

A company is using Amazon CloudFront to distribute content globally. The origin is an S3 bucket. The SysOps administrator notices that cache hit ratio is low. Which configuration change would MOST improve the cache hit ratio?

Question 128 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application experiences intermittent 502 errors. The SysOps administrator checks the ALB access logs and sees that the error occurs when the target group has 'unhealthy' targets. What is the MOST likely cause of the 502 errors?

Question 129 (easy, multiple choice)

A SysOps administrator needs to route traffic for a domain name 'example.com' to an Application Load Balancer. Which AWS service should be used to create the DNS record?

Question 130 (hard, multiple choice)

A company has a VPC with public and private subnets across three Availability Zones. The public subnets host NAT Gateways, and the private subnets host EC2 instances that need to access the internet. The SysOps administrator notices that EC2 instances in one private subnet cannot reach the internet, while others can. What is the MOST likely cause?

Question 131 (medium, multiple choice)

A company uses Amazon CloudFront to deliver static content from an S3 bucket. The SysOps administrator wants to restrict access so that only CloudFront can access the S3 bucket. Which solution should be used?

Question 132 (easy, multiple choice)

A SysOps administrator needs to monitor network traffic to and from an EC2 instance for troubleshooting. Which AWS feature captures IP traffic information at the VPC level?

Question 133 (hard, multiple choice)

A company's web application is hosted on EC2 instances behind a Network Load Balancer (NLB) with a static IP address. The application receives a sudden spike in traffic, and some clients report connection timeouts. Which NLB feature should the SysOps administrator configure to handle the increased load?

Question 134 (medium, multiple choice)

A SysOps administrator needs to ensure that all traffic between an on-premises data center and the AWS VPC is encrypted and goes over the internet. Which AWS service should be used?

Question 135 (hard, multiple choice)

A company has a VPC with multiple subnets. The SysOps administrator wants to ensure that EC2 instances in a private subnet can access Amazon S3 without going through a NAT Gateway or internet gateway. Which solution meets this requirement?

Question 136 (easy, multiple choice)

A SysOps administrator is troubleshooting an issue where an EC2 instance cannot be accessed via SSH from the internet. The security group allows inbound SSH (port 22) from 0.0.0.0/0. The network ACL (NACL) for the subnet has an inbound rule allowing SSH from 0.0.0.0/0. What else could be blocking access?

Question 137 (medium, multi select)

A SysOps administrator is designing a highly available web application across multiple AWS regions. The application uses an Application Load Balancer in each region. Which TWO services can be used to route traffic to the closest regional load balancer based on latency?

Question 138 (hard, multi select)

A company uses a Network Load Balancer (NLB) with a static IP address. The SysOps administrator needs to enable client IP preservation for the NLB so that backend instances see the original client IP. Which TWO conditions are required for client IP preservation to work?

Question 139 (medium, multi select)

A SysOps administrator is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which THREE components are required to achieve this?

Question 140 (medium, multiple choice)

Refer to the exhibit. A company has an S3 bucket policy as shown. The SysOps administrator notices that users from the allowed IP range (192.0.2.0/24) can access objects, but users outside that range are denied. However, a CloudFront distribution with an origin access identity (OAI) is also unable to access the bucket and receives 'Access Denied'. What is the MOST likely cause?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}
```

Question 141 (hard, multiple choice)

A company runs a critical application on EC2 instances behind an Application Load Balancer (ALB) across three Availability Zones. Each AZ has one public and one private subnet. The EC2 instances are in the private subnets. The ALB is internet-facing. Recently, during a traffic spike, some users experienced intermittent timeouts. The SysOps administrator reviews the ALB access logs and finds that the timeouts correspond to periods when the target group had 'unhealthy' instances. The health check is configured to check a health endpoint on port 80 with a path of '/health'. The SysOps administrator checks the EC2 instances and finds that the health endpoint responds correctly. However, the health checks are failing intermittently. The administrator notices that the security group for the EC2 instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound HTTP and outbound ephemeral ports. What is the MOST likely cause of the health check failures?

Question 142 (medium, multiple choice)

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The VPC has an Internet Gateway (IGW) attached. The public subnets have a route to the IGW, and the private subnets have a route to a NAT Gateway in the public subnet 10.0.1.0/24. The SysOps administrator deploys a new EC2 instance in the private subnet 10.0.4.0/24. The instance needs to download software from the internet, but the download fails. The administrator can successfully ping the NAT Gateway from the instance. What is the MOST likely cause of the failure?

Question 143 (medium, multiple choice)

A company uses Amazon CloudFront to deliver video content to users worldwide. The content is stored in an S3 bucket. The SysOps administrator notices that users in some geographic regions experience high latency when loading the video. The administrator wants to improve the performance for these users without changing the existing infrastructure. The CloudFront distribution is configured with the default cache behavior. What is the MOST cost-effective solution to reduce latency for users in those regions?

Question 144 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. Users report slow load times. The SysOps team notices that all traffic goes to a single availability zone. Which action should be taken to improve performance and reliability?

Question 145 (easy, multiple choice)

A SysOps administrator needs to allow an EC2 instance in a private subnet to download patches from the internet. Which AWS service should be used to achieve this securely?

Question 146 (hard, multiple choice)

An application hosted on EC2 instances behind an ALB is experiencing intermittent connectivity errors. The ALB target group is configured with health checks on port 80. The SysOps team notices that the EC2 instances pass health checks but clients still receive 503 errors. What is the most likely cause?

Question 147 (medium, multi select)

A SysOps administrator is troubleshooting DNS resolution issues for a custom domain used by an Application Load Balancer. Which TWO steps should the administrator take to diagnose the issue? (Choose two.)

Question 148 (hard, multi select)

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need outbound internet access for EC2 instances to download updates. Which THREE components are required to achieve this? (Choose three.)

Question 149 (medium, multi select)

A SysOps administrator needs to troubleshoot connectivity between two EC2 instances in the same VPC but different subnets. The instances cannot communicate. Which THREE checks should the administrator perform? (Choose three.)

Question 150 (hard, multiple choice)

A SysOps administrator notices that an EC2 instance is not receiving traffic from an Application Load Balancer (ALB). The ALB is healthy and the target group shows the instance as healthy. The exhibit shows the network interface attached to the instance. What is the likely cause of the issue?

Exhibit

Refer to the exhibit.

Output of `aws ec2 describe-network-interfaces`:
```json
{
    "NetworkInterfaces": [
        {
            "NetworkInterfaceId": "eni-0a1b2c3d4e5f67890",
            "Description": "ELB app/alb-1234567890abcdef/1a2b3c4d5e6f7g8h",
            "VpcId": "vpc-12345678",
            "SubnetId": "subnet-12345678",
            "Groups": [
                {
                    "GroupId": "sg-12345678",
                    "GroupName": "default"
                }
            ],
            "SourceDestCheck": true,
            "Attachment": {
                "InstanceId": "i-0a1b2c3d4e5f67890"
            }
        }
    ]
}
```

Question 151 (medium, multiple choice)

A company runs a multi-tier web application in a VPC with public and private subnets. The web servers (EC2 instances) are in public subnets, and the database servers (RDS MySQL) are in private subnets. The web servers need to connect to the database servers on port 3306. The security group for the RDS instances (sg-db) has an inbound rule allowing TCP port 3306 from the security group of the web servers (sg-web). The web servers can connect to the database, but the connection is intermittent and slow. The SysOps administrator checks the network ACLs and finds that both the public and private subnet network ACLs have default allow all entries. What is the most likely cause of the issue?

Question 152 (hard, multiple choice)

A company has deployed a global web application using AWS CloudFront with an Application Load Balancer (ALB) as the origin. The ALB is in a single AWS region. Users in different geographic regions report high latency, and some users are unable to access the application. The SysOps administrator verifies that the CloudFront distribution is configured correctly and that the ALB is healthy. The administrator also confirms that the ALB's security group allows traffic from the CloudFront IP ranges. What is the most likely cause of the issue?

Question 153 (easy, multiple choice)

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket to store logs. The instance currently has no internet access. The SysOps administrator has created a VPC endpoint for S3 (gateway type) and attached it to the VPC. The instance still cannot reach S3. What additional step is required?

Question 154 (medium, multiple choice)

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The VPC has a private subnet with EC2 instances that need to communicate with on-premises servers. The on-premises network team reports that they can ping the EC2 instances, but the EC2 instances cannot ping the on-premises servers. The SysOps administrator checks the route tables and finds that the VPC has a route to the on-premises CIDR via the virtual private gateway. The security groups allow all ICMP traffic. What is the most likely cause?

Question 155 (hard, multiple choice)

A company uses Amazon Route 53 as its DNS service. They have a domain example.com with an alias record pointing to an Application Load Balancer (ALB). Recently, they updated the ALB's DNS name, but the Route 53 record was not updated. Users are still being directed to the old ALB, which has been decommissioned. The SysOps administrator updates the alias record to point to the new ALB DNS name. However, users still experience errors for several hours. What is the most likely reason?

Question 156 (easy, multiple choice)

A company has a VPC with both IPv4 and IPv6 CIDR blocks. They have a public subnet with an EC2 instance that needs to be accessible over IPv6 from the internet. The instance has an IPv6 address assigned. The SysOps administrator has attached an Internet Gateway (IGW) to the VPC and added a route to the IGW for the public subnet's IPv6 route table. However, the instance is not reachable over IPv6. What is the missing configuration?

Question 157 (medium, multiple choice)

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application uses sticky sessions (session affinity) based on cookies. Recently, the SysOps team noticed that user sessions are being lost intermittently, causing users to be logged out. The team checks the ALB configuration and finds that the stickiness is enabled with a cookie name 'AWSALB' and duration of 1 hour. The application also sets its own cookie. What is the most likely cause of session loss?

Question 158 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A company uses an Application Load Balancer (ALB) to distribute traffic to an Auto Scaling group of EC2 instances. Users report intermittent 503 errors. The SysOps Administrator checks the ALB metrics and sees that the Sum of HTTP 503s correlates with spikes in CPU utilization on the EC2 instances. What is the MOST likely cause and solution?

Question 159 (hard, multiple choice)
Read the full NAT/PAT explanation →

A SysOps Administrator manages a VPC with public and private subnets. The private subnets need to access the internet for software updates. The Administrator creates a NAT Gateway in a public subnet and updates the private subnet route table to point 0.0.0.0/0 to the NAT Gateway. However, instances in the private subnet still cannot reach the internet. What is the MOST likely reason?

Question 160 (easy, multiple choice)
Read the full DNS explanation →

A company has a VPC that requires DNS resolution for custom domain names within the VPC. They want to use a private hosted zone in Amazon Route 53. Which resource is required to associate the private hosted zone with the VPC?

Question 161 (medium, multiple choice)
Review the full subnetting walkthrough →

A SysOps Administrator is setting up a VPC peering connection between two VPCs (VPC-A and VPC-B) in different AWS accounts. After the peering connection is accepted, instances in VPC-A cannot ping instances in VPC-B. Both VPCs have non-overlapping CIDR blocks. What is the MOST likely cause?

Question 162 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The application needs to authenticate users using an external identity provider (IdP). The SysOps Administrator recommends using Amazon Cognito as an identity broker. Which ALB action should be configured to authenticate users before forwarding requests to the target group?

Question 163 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company uses Amazon CloudFront to deliver static content from an Amazon S3 bucket. Users in Europe report slow load times. Which CloudFront feature would MOST effectively improve performance for these users?

Question 164 (medium, multiple choice)
Review the full subnetting walkthrough →

A SysOps Administrator is troubleshooting connectivity issues between two EC2 instances in the same VPC but different subnets. The instances can communicate over private IP addresses when security groups are set to allow all traffic, but fail when security groups are configured with specific rules. The Administrator wants to allow HTTP (port 80) and HTTPS (port 443) traffic from the client instance to the server instance. What security group rules are needed?

Question 165 (hard, multiple choice)
Read the full DNS explanation →

A company is using Amazon Route 53 for DNS and wants to route traffic to multiple endpoints based on the geographic location of the user. Which routing policy should the SysOps Administrator use?

Question 166 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps Administrator is configuring a Network Load Balancer (NLB) for a TCP-based application. The application requires that clients see the original source IP address of the request. Which configuration should the Administrator use?

Question 167 (medium, multi select)
Review the full routing breakdown →

A company is designing a highly available architecture using an Application Load Balancer (ALB) with multiple target groups. Which TWO statements are correct regarding ALB routing?

Question 168 (hard, multi select)
Read the full Networking and Content Delivery explanation →

A SysOps Administrator is configuring VPC Flow Logs to monitor network traffic. Which THREE pieces of information are included in VPC Flow Log records?

Question 169 (easy, multi select)
Read the full Networking and Content Delivery explanation →

A company wants to use Amazon CloudFront to distribute content globally with low latency. Which TWO features of CloudFront help achieve this?

Question 170 (medium, multiple choice)
Study the full ACL explanation →

Refer to the exhibit. A SysOps Administrator is reviewing the network ACL configuration. An instance in subnet 10.0.1.0/24 needs to receive HTTPS traffic from the internet. Why is the current configuration insufficient?

Network Topology
Refer to the exhibit.
```
$ aws ec2 describe-network-acls --region us-east-1
"NetworkAcls": [
"NetworkAclId": "acl-12345678",
"VpcId": "vpc-12345678",
"Entries": [
"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false, "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 80, "To": 80},
"RuleNumber": 200, "CidrBlock": "0.0.0.0/0", "From": 443, "To": 443
"RuleNumber": 300, "Egress": true, "From": 1024, "To": 65535
```
Question 171 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. This bucket policy is attached to an S3 bucket that is used as an origin for a CloudFront distribution. Users are reporting Access Denied errors when accessing objects via the CloudFront URL. What is the MOST likely cause?

Exhibit

Refer to the exhibit.
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
```
Question 172 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. A SysOps Administrator runs the above command and sees that an EC2 instance is unhealthy. The health check is configured to check the HTTP endpoint '/health' on port 80. The instance's security group allows inbound HTTP traffic from the ALB's security group. What is the MOST likely cause?

Network Topology
Refer to the exhibit.
```
$ aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/1234567890123456
"TargetHealthDescriptions": [
"Target": {"Id": "i-0abcd1234efgh5678", "Port": 80},
"HealthCheckPort": "80",
"TargetHealth": {"State": "unhealthy", "Description": "Health checks failed"
```
Question 173 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A company hosts a web application on EC2 instances behind an Application Load Balancer (ALB). Users report intermittent timeouts. The web server logs show HTTP 503 errors. Which configuration is MOST likely causing the issue?

Question 174 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company wants to reduce latency for global users accessing static content stored in Amazon S3. Which AWS service should be used?

Question 175 (hard, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with public and private subnets in two Availability Zones. An Application Load Balancer (ALB) in the public subnets routes traffic to EC2 instances in the private subnets. The EC2 instances need to access the internet for software updates. Which solution is MOST secure and cost-effective?

Question 176 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A sysadmin receives an alert that a Network Load Balancer (NLB) is not passing traffic to targets. The target group health checks are passing. What is the MOST likely cause?

Question 177 (easy, multiple choice)
Read the full DHCP explanation →

A company needs to resolve DNS names for on-premises servers from AWS. They have set up a DHCP options set with the on-premises DNS server IP. Which additional step is required?

Question 178 (hard, multiple choice)
Review the full routing breakdown →

A company uses an Application Load Balancer (ALB) to route traffic to a web application. The security team requires that all traffic be encrypted in transit. The ALB currently uses a TLS certificate from AWS Certificate Manager (ACM). Users report that some browsers show a certificate warning. What is the MOST likely cause?

Question 179 (medium, multiple choice)
Read the full VPN explanation →

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to connect to an on-premises network using a site-to-site VPN. The on-premises network uses 10.0.0.0/16 as well. Which solution avoids routing conflicts?

Question 180 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A sysadmin needs to block specific IP addresses from accessing an Application Load Balancer. Which approach is MOST efficient?

Question 181 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

A company uses AWS Global Accelerator to improve performance of a TCP application. Users in Asia report higher latency than users in Europe. The endpoints are all in us-east-1. What is the BEST solution?

Question 182 (medium, multi select)
Read the full Networking and Content Delivery explanation →

Which TWO AWS services can be used to provide a static IP address for an Application Load Balancer? (Choose two.)

Question 183 (hard, multi select)
Read the full VPN explanation →

Which THREE components are required to set up a site-to-site VPN connection between a VPC and an on-premises network? (Choose three.)

Question 184 (easy, multi select)
Read the full Networking and Content Delivery explanation →

Which TWO statements about Amazon CloudFront origins are correct? (Choose two.)

Question 185 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company has an application running on EC2 instances in a VPC. The application needs to access an S3 bucket in the same AWS region. Which configuration provides the MOST secure and cost-effective access?

Question 186 (medium, multiple choice)
Read the full DNS explanation →

A SysOps administrator is troubleshooting connectivity issues between two VPCs that are peered using a VPC Peering connection. The instances in VPC A can ping the private IP of instances in VPC B, but not the DNS names. What is the most likely cause?

Question 187 (hard, multiple choice)
Review the full routing breakdown →

A company uses AWS Direct Connect to connect its on-premises network to AWS. The SysOps team notices that traffic from the on-premises network to a VPC is not using the Direct Connect connection but instead is going over the internet. The VPC has a virtual private gateway attached and the on-premises router is advertising a specific route. What is the most likely cause?

Question 188 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The SysOps administrator receives reports that some users are experiencing intermittent HTTP 503 errors. What is the most likely cause?

Question 189 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has a web application deployed in a VPC with both public and private subnets. The web servers are in public subnets and the database servers are in private subnets. The web servers need to access the internet for updates. Which configuration is required to provide internet access to the web servers while keeping the database servers private?

Question 190 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps administrator is setting up a Network Load Balancer (NLB) to handle millions of requests per second. The target group consists of EC2 instances that are in a single Availability Zone. Which of the following is a potential issue?

Question 191 (easy, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect to an on-premises network with a CIDR of 10.0.0.0/8. What is the issue?

Question 192 (medium, multiple choice)
Read the full NAT/PAT explanation →

A SysOps administrator is configuring a VPC with a public subnet and a private subnet. The private subnet needs to access the internet to download patches. The administrator creates a NAT Gateway in the public subnet and updates the private subnet route table. However, instances in the private subnet cannot reach the internet. What is the most likely cause?

Question 193 (hard, multiple choice)
Review the full routing breakdown →

A company uses AWS Global Accelerator to improve the performance of a web application hosted in multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region as the endpoint. Users report that traffic is not being routed to the closest region. What could be the cause?

Question 194 (medium, multi select)
Read the full Networking and Content Delivery explanation →

A SysOps administrator is planning a VPC design with high availability for an application that must tolerate the failure of an entire Availability Zone. Which TWO configurations should be implemented? (Select TWO.)

Question 195 (hard, multi select)
Read the full DNS explanation →

A company is using Amazon Route 53 as its DNS service. The SysOps team needs to route traffic to multiple resources based on the geographic location of the users. Which THREE routing policies can achieve this? (Select THREE.)

Question 196 (easy, multi select)
Read the full NAT/PAT explanation →

A SysOps administrator is troubleshooting an issue where an EC2 instance in a private subnet cannot connect to the internet via a NAT Gateway. Which TWO components must be correctly configured for this to work? (Select TWO.)

Question 197 (medium, multiple choice)
Review the full subnetting walkthrough →

Refer to the exhibit. A VPC peering connection exists between VPC A (CIDR 10.0.0.0/16) and VPC B (CIDR 192.168.0.0/16). The command output shows the route table for VPC A (rtb-11111111) and VPC B (rtb-33333333). An instance in VPC A (private IP 10.0.1.5) cannot ping an instance in VPC B (private IP 192.168.1.10). What is the most likely reason?

Network Topology
Refer to the exhibit.
```
$ aws ec2 describe-vpc-peering-connections --query 'VpcPeeringConnections[*].Status'
$ aws ec2 describe-route-tables --route-table-ids rtb-11111111
--route-table-ids rtb-33333333
"Code": "active", "Message": "Provisioned"
"RouteTables": [
"Associations": [...],
"Routes": [
"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-22222222"
"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "pcx-44444444"
```
Question 198 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. A SysOps administrator has attached the bucket policy shown to an S3 bucket. Users from the IP range 192.0.2.0/24 report that they can access objects, but users from other IP ranges also report they can access objects. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}
```
Question 199 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. A SysOps administrator is troubleshooting a CloudFront distribution that serves content from an S3 bucket. Users are receiving 'Access Denied' errors when trying to access objects. The exhibit shows the distribution configuration. What is the most likely cause?

Network Topology
Refer to the exhibit.
```
$ aws cloudfront get-distribution-config --id E1A2B3C4D5E6F7
"ETag": "E3QEXAMPLE",
"DistributionConfig": {
"CallerReference": "my-distribution",
"Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
"Origins": {"Items": [
"Id": "my-origin",
"DomainName": "my-bucket.s3.us-east-1.amazonaws.com",
"S3OriginConfig": {"OriginAccessIdentity": ""
"DefaultCacheBehavior": {
"TargetOriginId": "my-origin",
"ViewerProtocolPolicy": "redirect-to-https",
"AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"],
"CachedMethods": {"Items": ["GET", "HEAD"]
"Compress": true
"Enabled": true
```
Question 200 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A company has deployed a web application behind an Application Load Balancer (ALB) across multiple Availability Zones. Users in some regions report slow page load times. Which action should the SysOps Administrator take to improve performance for all users?

Question 201 (easy, multiple choice)
Review the full subnetting walkthrough →

A SysOps Administrator needs to allow an EC2 instance in a private subnet to access the internet for software updates. Which AWS service should be used?

Question 202 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway. The private subnet has an EC2 instance that needs to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instance cannot reach the internet. What is the most likely cause?

Question 203 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

An organization has a VPC peering connection between VPC A and VPC B. Instances in VPC A can reach instances in VPC B, but not vice versa. What is the most likely cause?

Question 204 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company wants to distribute content with low latency to users globally. The content is static and stored in an S3 bucket. Which AWS service should be used?

Question 205 (hard, multiple choice)
Review the full subnetting walkthrough →

A SysOps Administrator is configuring a VPC with a public subnet and a private subnet. The public subnet has an Internet Gateway. An EC2 instance in the private subnet needs to access an S3 bucket. What is the MOST secure way to provide this access?

Question 206 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has deployed an Application Load Balancer (ALB) in a VPC. The ALB is configured with a target group pointing to EC2 instances in a private subnet. Clients receive HTTP 503 errors. What is the likely cause?

Question 207 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps Administrator needs to monitor network traffic in a VPC. Which AWS service provides packet-level information about IP traffic?

Question 208 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has a VPC with multiple subnets. An EC2 instance in a public subnet needs to communicate with an RDS database in a private subnet. The RDS security group allows inbound traffic from the EC2 instance's security group. However, the EC2 instance cannot connect. What is the most likely cause?

Question 209 (medium, multi select)
Review the full subnetting walkthrough →

A company has a VPC with a public subnet and a private subnet. The private subnet contains an EC2 instance that must access the internet for software updates. Which TWO actions are required to enable this? (Choose TWO.)

Question 210 (hard, multi select)
Read the full Networking and Content Delivery explanation →

A SysOps Administrator is troubleshooting an issue where an Application Load Balancer (ALB) returns 502 Bad Gateway errors. Which THREE are possible causes? (Choose THREE.)

Question 211 (easy, multi select)
Read the full Networking and Content Delivery explanation →

Which TWO AWS services can be used to improve the security of a VPC? (Choose TWO.)

Question 212 (hard, multiple choice)
Review the full subnetting walkthrough →

Refer to the exhibit. A VPC Gateway Endpoint for S3 is created and associated with route table rtb-11111111. However, an EC2 instance in a subnet that uses route table rtb-22222222 cannot access S3. What is the most likely cause?

Network Topology
Refer to the exhibit.
```
$ aws ec2 describe-vpc-endpoints --region us-east-1
"VpcEndpoints": [
"VpcEndpointId": "vpce-0a1b2c3d4e5f6g7h8",
"VpcId": "vpc-12345678",
"ServiceName": "com.amazonaws.us-east-1.s3",
"VpcEndpointType": "Gateway",
"RouteTableIds": ["rtb-11111111"],
"PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}",
"State": "available"
```
Question 213 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. An EC2 instance is registered with an ALB target group. The health check returns 502. What is the most likely cause?

Network Topology
Refer to the exhibit.
```
$ aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/1234567890123456
"TargetHealthDescriptions": [
"Target": {"Id": "i-0a1b2c3d4e5f6g7h8", "Port": 80},
"HealthCheckPort": "80",
"TargetHealth": {"State": "unhealthy",
```
Question 214 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. A security group is attached to an Application Load Balancer (ALB) that serves HTTPS traffic on port 443. Users can access the application via HTTPS. However, the ALB's health checks to targets on port 80 are failing. What is the reason?

Network Topology
Refer to the exhibit.
```
$ aws ec2 describe-security-groups --group-ids sg-12345678
"SecurityGroups": [
"GroupId": "sg-12345678",
"IpPermissions": [
"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/16"}},
"FromPort": 443, "ToPort": 443, {"CidrIp": "0.0.0.0/0"}
```
Question 215 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A company's web application uses an Application Load Balancer (ALB) in front of multiple EC2 instances in an Auto Scaling group. Users report intermittent 503 errors. The ALB health checks are configured to check the /health endpoint every 30 seconds with a threshold of 2 successful checks to mark healthy. The Auto Scaling group’s health check grace period is set to 60 seconds. What is the most likely cause of the 503 errors?

Question 216 (easy, multiple choice)
Review the full routing breakdown →

A SysOps administrator needs to route traffic to multiple AWS regions for a global application with low latency. Which AWS service should be used?

Question 217 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a VPC with public and private subnets. A NAT Gateway is deployed in the public subnet. Private EC2 instances need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instances cannot reach the internet. What is the most likely cause?

Question 218 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

An organization wants to allow an on-premises data center to access an Amazon RDS database in a VPC. Which AWS service should be used to establish a dedicated, private, and high-bandwidth connection?

Question 219 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps administrator notices that traffic to an Application Load Balancer (ALB) is being rejected. The ALB has a security group that allows inbound HTTP (80) and HTTPS (443) from 0.0.0.0/0. The target group health checks are failing. What could be the issue?

Question 220 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

A company uses Amazon CloudFront to serve static content from an S3 bucket. The S3 bucket is configured as an origin with RestrictBucketAccess set to Yes, and the origin access identity (OAI) is configured. Users can access the content via CloudFront, but direct S3 URLs return Access Denied. However, some users report that they can still access the content directly via S3 URLs. What is the most likely reason?

Question 221 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps administrator needs to monitor the amount of data transferred through a VPC’s internet gateway. Which Amazon CloudWatch metric should be used?

Question 222 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company wants to distribute content globally with low latency and high transfer speeds. The content is stored in S3 buckets in multiple regions. Which AWS service should be used to accelerate content delivery?

Question 223 (easy, multiple choice)
Read the full NAT/PAT explanation →

A SysOps administrator is troubleshooting an issue where an EC2 instance in a private subnet cannot connect to the internet. The instance has a security group allowing outbound HTTPS traffic. The subnet’s route table has a default route (0.0.0.0/0) to a NAT Gateway. The NAT Gateway is in a public subnet with an Elastic IP and a route to an internet gateway. What is a likely cause of the issue?

Question 224 (medium, multi select)
Read the full Networking and Content Delivery explanation →

Which TWO actions can be taken to improve the availability of a web application hosted on EC2 instances behind an Application Load Balancer? (Select two.)

Question 225 (hard, multi select)
Read the full Networking and Content Delivery explanation →

Which THREE AWS services can be used to improve security and performance for a web application that uses an Application Load Balancer? (Select three.)

Question 226 (medium, multi select)
Read the full Networking and Content Delivery explanation →

Which TWO methods can be used to secure an S3 bucket that is used as an origin for Amazon CloudFront? (Select two.)

Question 227 (medium, multiple choice)
Study the full ACL explanation →

Refer to the exhibit. A SysOps administrator is troubleshooting connectivity issues for a web application that uses an ALB. The ALB sends health check requests to targets on port 443. The network ACL shown is associated with the target subnet. Based on the exhibit, what is causing the health checks to fail?

Network Topology
Refer to the exhibit.
```
$ aws ec2 describe-network-acls --region us-east-1
"NetworkAcls": [
"NetworkAclId": "acl-12345678",
"VpcId": "vpc-12345678",
"Entries": [
"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443},
"RuleNumber": 110, "From": 80, "To": 80
"RuleNumber": 120, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"
```
Question 228 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. An S3 bucket policy is configured for a CloudFront distribution using an OAI. The policy allows the OAI to get objects. Additionally, it allows anyone from the IP range 203.0.113.0/24 to get objects directly. Users from other IPs report they can still access objects directly via S3 URLs. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E123456789"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "203.0.113.0/24"
                }
            }
        }
    ]
}
```
Question 229 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

Refer to the exhibit. The output shows the health status of two targets in a target group. One target is unhealthy with a 502 error. What is the most likely cause?

Network Topology
Refer to the exhibit.
```
$ aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/my-tg/1234567890123456
"TargetHealthDescriptions": [
"Target": {"Id": "i-0abcd1234efgh5678", "Port": 80},
"HealthCheckPort": "80",
"TargetHealth": {"State": "unhealthy",
"Id": "i-0abcd1234efgh5679",
"State": "healthy"
```
Question 230 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company is using Amazon CloudFront to distribute its web application. Users in a specific geographic region are experiencing high latency. What is the most cost-effective solution to reduce latency for these users?

Question 231 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps administrator needs to allow traffic from a specific IP address range (203.0.113.0/24) to access an Amazon EC2 instance in a VPC. Which configuration step should be performed?

Question 232 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

An application running on an EC2 instance is unable to connect to an Amazon RDS database in the same VPC. The security groups allow traffic from the EC2 instance. What is the most likely cause?

Question 233 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

A company uses Amazon CloudFront with an Application Load Balancer (ALB) as the origin. Users report intermittent 502 errors. What is the most likely cause?

Question 234 (medium, multiple choice)
Read the full Networking and Content Delivery explanation →

A SysOps administrator needs to ensure that all traffic to an Amazon S3 bucket is encrypted in transit. Which configuration should be used?

Question 235 (hard, multiple choice)
Review the full routing breakdown →

An application uses Amazon Route 53 weighted routing to distribute traffic across two AWS regions. After a deployment, users in one region are experiencing errors. What should the administrator do to mitigate the issue immediately?

Question 236 (easy, multiple choice)
Read the full Networking and Content Delivery explanation →

A company wants to allow its employees to access internal applications using a custom domain name (app.example.com) that resolves to an internal ALB. Which AWS service should be used?

Question 237 (medium, multiple choice)
Study the full ACL explanation →

A SysOps administrator notices that traffic to an Amazon EC2 instance is being blocked even though the security group allows all inbound traffic. The subnet's network ACL allows all inbound and outbound traffic. What could be the issue?

Question 238 (hard, multiple choice)
Read the full Networking and Content Delivery explanation →

A company is using Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access so that only CloudFront can access the S3 bucket. How should this be configured?

Question 239 (medium, multi select)
Review the full subnetting walkthrough →

A SysOps administrator needs to design a VPC with public and private subnets for a web application. Which TWO components are required to allow instances in the private subnet to access the internet?

Question 240 (hard, multi select)
Read the full Networking and Content Delivery explanation →

A company uses Amazon CloudFront to distribute content globally. They need to restrict access to premium content to only authenticated users. Which THREE methods can be used to achieve this?

Question 241 (easy, multi select)
Read the full Networking and Content Delivery explanation →

A SysOps administrator is troubleshooting a connectivity issue from an EC2 instance to an RDS database in the same VPC. The security groups are configured correctly. Which TWO steps should the administrator take to diagnose the issue?

Question 242 (medium, multiple choice)

A company has a VPC with public and private subnets across two Availability Zones. An application running on EC2 instances in the private subnets needs to access the internet for updates. Which configuration should be used to provide internet access while minimizing administrative overhead?

Question 243 (hard, multiple choice)

A company is using an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances. The security team reports that the ALB is receiving a high number of requests with suspicious User-Agent strings. The SysOps team needs to block these requests at the load balancer level without changing the application code. Which action should be taken?

Question 244 (easy, multiple choice)

A company wants to host a static website on AWS with high availability and low latency for global users. Which service should be used to serve the static content?

Question 245 (medium, multiple choice)

A SysOps administrator notices that traffic from an Application Load Balancer to targets is failing intermittently. The targets are EC2 instances in an Auto Scaling group. The health check settings on the target group are: ping path '/health', healthy threshold 2, unhealthy threshold 2, timeout 5 seconds, interval 30 seconds. Which change would most likely improve the stability of the health checks?

Question 246 (hard, multiple choice)

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They have a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. They launch an EC2 instance in the private subnet and need it to have a predictable, static private IP address for database replication. Which action should be taken?

Question 247 (easy, multiple choice)

A company wants to use Amazon CloudFront to serve content from an Application Load Balancer (ALB) that is internet-facing. Which type of origin should be configured in CloudFront?

Question 248 (medium, multiple choice)

A company has a VPC with an Internet Gateway and a NAT Gateway. They launch an EC2 instance in a private subnet. The instance needs to download updates from the internet, but the security team wants to prevent any inbound traffic from the internet. Which route table configuration is correct for the private subnet?

Question 249 (hard, multiple choice)

A company has a web application behind an Application Load Balancer (ALB) with sticky sessions enabled. The ALB's target group contains EC2 instances in an Auto Scaling group. After a deployment, users report that they are being logged out frequently. What is the most likely cause?

Question 250 (easy, multiple choice)

Which AWS service can be used to create a private, dedicated connection between an on-premises data center and AWS?

Question 251 (medium, multi select)

A company is using Amazon CloudFront to distribute content globally. They want to restrict access to their content so that only users from specific countries can access it. Which TWO actions can be taken to achieve this?

Question 252 (hard, multi select)

A company is designing a multi-tier application in a VPC. The web tier must be in public subnets and the application tier in private subnets. The application tier needs to receive traffic only from the web tier. Which TWO configurations are required?

Question 253 (easy, multi select)

A company wants to use Amazon Route 53 to route traffic to multiple endpoints for high availability. Which THREE routing policies can be used for this purpose?

Question 254 (hard, multiple choice)

A company has a production application running on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application uses an RDS MySQL database in the same VPC. The SysOps team recently implemented a change to the network ACLs to improve security. After the change, the application became unreachable from the internet, but the EC2 instances can still communicate with the RDS database. The ALB is in a public subnet, and the EC2 instances and RDS are in private subnets. The ALB's security group allows inbound HTTP/HTTPS from 0.0.0.0/0. The EC2 instances' security group allows inbound from the ALB's security group. The RDS security group allows inbound from the EC2 instances' security group. The network ACLs for the public subnet allow inbound HTTP/HTTPS from 0.0.0.0/0 and all outbound traffic. The network ACLs for the private subnets were modified to deny all inbound traffic except from the public subnet CIDR (10.0.1.0/24) and allow all outbound traffic. Which change should be made to restore internet access to the application?

Question 255 (medium, multiple choice)

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application uses a custom domain name, 'app.example.com'. The SysOps team configured Amazon Route 53 with an alias record to the ALB DNS name. Users report that occasionally they are directed to a different website. The team suspects DNS resolution issues. They check the Route 53 hosted zone and find the alias record is correctly configured. The ALB is healthy. What is the most likely cause of the intermittent misdirection?

Question 256 (easy, multiple choice)

A company has deployed a static website on Amazon S3 with public read access. They want to use Amazon CloudFront to serve the content with HTTPS. They create a CloudFront distribution with the S3 bucket as an origin. After configuring the distribution, users report that they are unable to access the website via the CloudFront URL. The CloudFront distribution status is 'Deployed'. The S3 bucket policy allows GetObject for any principal. What is the most likely reason for the issue?

Question 257 (medium, multiple choice)

A company has an application running on EC2 instances behind an Application Load Balancer. Users report intermittent timeout errors. The ALB target group shows healthy instances, and CloudWatch metrics show no spikes in CPU or memory. Which configuration is most likely causing the timeouts?

Question 258 (hard, multiple choice)

A SysOps administrator needs to route traffic to multiple AWS regions for disaster recovery using Amazon Route 53. The primary region should receive all traffic unless it becomes unhealthy. Which routing policy should be used?

Question 259 (easy, multiple choice)

A company has an Amazon CloudFront distribution with an S3 bucket as origin. The bucket contains sensitive data. Which configuration ensures that users access the content only through CloudFront and not directly via the S3 URL?

Question 260 (medium, multi select)

A company is designing a VPC with public and private subnets. The private subnets need internet access for patching, but must not be directly reachable from the internet. Which TWO components should be used together?

Question 261 (hard, multi select)

A SysOps administrator is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) connected via a VPC Peering connection. An EC2 instance in VPC-A cannot ping an EC2 instance in VPC-B. The route tables and security groups are correctly configured. Which THREE steps should the administrator take to resolve the issue?

Question 262 (easy, multi select)

A company has an Application Load Balancer (ALB) that distributes traffic to EC2 instances. The company wants to enable path-based routing to send requests to different target groups. Which TWO resources must be created to achieve this?

Question 263 (hard, multiple choice)

An EC2 instance in the subnet associated with the network ACL above cannot receive HTTP traffic (port 80) from the internet. The instance has a security group allowing HTTP inbound. What is the cause?

Network Topology
$ aws ec2 describe-network-acls --region us-east-1

Refer to the exhibit.

```
"NetworkAcls": [
"NetworkAclId": "acl-12345678",
"VpcId": "vpc-12345678",
"DefaultNetworkAcl": false,
"Entries": [
"RuleNumber": 100,
"Protocol": "6",
"PortRange": {"From": 443,"To": 443},
"RuleAction": "allow",
"Egress": false,
"CidrBlock": "0.0.0.0/0"
"RuleNumber": 200,
"Protocol": "-1",
"From": 0,"To": 65535
"Egress": true,
"RuleNumber": 300,
"From": 80,"To": 80
"RuleNumber": 400,
"RuleAction": "deny",
```

Question 264 (medium, multiple choice)

A SysOps administrator manages a web application hosted on EC2 instances behind an Application Load Balancer. The application uses sticky sessions (session affinity) based on cookies. Recently, the development team deployed a new version that increases the load time for certain pages. Users report that they are randomly seeing other users' data. The administrator suspects that the sticky session configuration is not working correctly. The ALB target group is configured with stickiness enabled using the AWSALB cookie. What should the administrator do to verify that sticky sessions are being honored?

Question 265 (medium, multiple choice)

A company uses Amazon CloudFront to serve static content from an S3 bucket. They want to restrict access to content based on geographic location. Some countries should be blocked entirely. The administrator configured a CloudFront geographic restriction (whitelist/blacklist) and updated the S3 bucket policy to allow only CloudFront access via Origin Access Identity (OAI). However, users from blocked countries are still able to access some content. What is the most likely cause?

Question 266 (hard, multiple choice)

A company has a VPC with public and private subnets across two Availability Zones. They have a NAT Gateway in each public subnet for high availability. EC2 instances in the private subnets need to access an external service that requires a fixed IP address for whitelisting. The administrator configured the route tables to use the NAT Gateway in the same Availability Zone. However, when the NAT Gateway in AZ-A fails, instances in AZ-A lose internet connectivity. What should the administrator do to ensure high availability with fixed IP addresses?

Question 267 (medium, multiple choice)

A company has a web application that uses Amazon CloudFront and an Application Load Balancer as origin. The application requires HTTPS between CloudFront and the ALB. The ALB uses a certificate from AWS Certificate Manager (ACM) for the custom domain. The administrator notices that CloudFront returns HTTP 502 errors occasionally. The ALB target group shows healthy instances. What is the most likely cause of the 502 errors?

Question 268 (hard, multiple choice)

A company has a multi-tier application with a web tier, application tier, and database tier. All tiers are in the same VPC. The web tier is in public subnets, application tier in private subnets, and database tier in private subnets. The security groups are configured as follows: Web SG allows HTTP/HTTPS from 0.0.0.0/0; App SG allows HTTP from Web SG; DB SG allows MySQL from App SG. The application tier instances cannot connect to the database tier. What is the most likely cause?
