Practice 200-901 Application Deployment and Security questions with full explanations on every answer.
Click any question to see the full explanation and answer options, or start a focused practice session above.
1. A developer wants to ensure that a Docker container running a web application can only accept incoming traffic on port 443. Which Docker run option should be used?
2. During a security audit, an engineer discovers that a CI/CD pipeline is storing API keys in plain text in environment variables. Which best practice should be implemented to mitigate this risk?
3. A network engineer is troubleshooting a Kubernetes deployment where pods are failing to start with the error 'CrashLoopBackOff'. The pod log shows 'bind: address already in use'. The deployment runs multiple replicas of a container that listens on port 8080. What is the most likely cause?
4. A developer needs to ensure that microservice A can securely communicate with microservice B over HTTPS within a Kubernetes cluster. What is the simplest approach?
5. An engineer is designing a CI/CD pipeline for a Python application. The pipeline should automatically run unit tests, build a Docker image, push it to a private registry, and deploy to a Kubernetes cluster. Which sequence of stages is correct?
6. A security policy requires that all container images in a registry are scanned for vulnerabilities before deployment. Which approach best integrates this into a CI/CD pipeline without slowing down the pipeline?
7. A DevOps engineer wants to automate the configuration of network devices using Ansible. Which file format is commonly used for Ansible playbooks?
8. In a Cisco DNA Center environment, an application needs to retrieve the network device list using REST API. Which authentication method is required?
9. Which TWO statements about Dockerfile best practices are correct? (Choose two.)
10. Which THREE security measures should be implemented in a CI/CD pipeline to protect against supply chain attacks? (Choose three.)
11. Which TWO are valid methods to secure a REST API? (Choose two.)
12. Refer to the exhibit. A Python script uses the Cisco IOS-XE RESTCONF API to retrieve the device configuration. The returned JSON is shown. What must be done to enable the GigabitEthernet0/1 interface using the API?
13. Refer to the exhibit. A developer is building a Docker image for a Node.js application. The Dockerfile contains:
```
FROM node:14
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
CMD ["node", "app.js"]
```
When building, the error shown occurs. What is the most likely cause?
14. A company runs a microservices application on a Kubernetes cluster with 10 worker nodes. The application consists of 3 services: frontend, backend, and database. The database service is stateful and uses persistent volumes. Recently, the operations team noticed that the backend service is experiencing intermittent failures with 'Connection refused' errors when trying to connect to the database. The database service is exposed via a ClusterIP service named 'database-service'. The backend service uses environment variable DB_HOST=database-service to connect. The pod logs show that the connection is attempted to an IP address that does not correspond to any database pod. Further investigation reveals that the database pod has been restarted multiple times due to OOMKilled errors. The backend service is configured with a liveness probe that checks the health endpoint every 10 seconds, and a readiness probe that checks the same endpoint every 5 seconds. The database pod has resource limits set to 512Mi memory and 500m CPU. The node running the database pod has 4Gi memory and 2 CPU cores. What is the most likely cause of the intermittent connection failures?
15. A network engineer is automating the deployment of a new VLAN across multiple Cisco switches using Ansible. The engineer has written a playbook that uses the ios_vlan module to create VLAN 100 with name 'Users'. The playbook runs successfully on the first switch but fails on the second switch with the error message: 'VLAN name is already in use'. The engineer checks the second switch and confirms that VLAN 100 does not exist, but a different VLAN with the name 'Users' exists. The engineer wants to ensure that the playbook creates VLAN 100 with the exact name 'Users' only if it does not already exist, and without conflicting with existing VLANs. Which approach should the engineer take?
16. A DevOps team is deploying a microservices application on Cisco UCS using Docker containers. They need to ensure that secrets such as database credentials are securely managed without hardcoding them in the application code or container images. Which approach should they use?
17. Which TWO of the following are valid security considerations when deploying an application to a Kubernetes cluster managed by Cisco Intersight? (Choose two.)
18. Refer to the exhibit. An engineer applied this configuration to a Cisco switch port connected to an application server. The server runs a critical business application that should not be disrupted. However, after applying the configuration, the port goes into errdisable state. What is the most likely cause?
19. Drag and drop the steps to set up a basic DHCP server on a Cisco router into the correct order.
20. Drag and drop the steps to configure a Cisco IOS device for NETCONF access into the correct order.
21. Match each network automation tool to its primary purpose.
22. Match each Python library to its typical use in network automation.
23. A developer wants to deploy a containerized application on a Cisco Container Platform (CCP) cluster. The application requires persistent storage. Which Kubernetes resource should be used to provision storage?
24. Which of the following is a best practice for securing API keys in a CI/CD pipeline?
25. An application running on Kubernetes is experiencing intermittent 503 errors. The logs show 'upstream timed out'. The application is behind a Cisco Application Policy Infrastructure Controller (APIC) load balancer. What is the most likely cause?
26. A DevOps team is using Cisco AppDynamics to monitor a microservices application. They notice that a specific service's response time spikes under load. Which AppDynamics feature should be used to drill down into the transaction trace?
27. Which Docker command is used to build an image from a Dockerfile?
28. A Kubernetes cluster is configured with a NetworkPolicy that allows ingress traffic only from pods with label 'app: frontend'. A new backend service needs to communicate with the database pod. What must be done to allow this?
29. In a CI/CD pipeline using Jenkins, which plugin is commonly used to integrate with Cisco Container Platform for deploying containers?
30. Which Cisco product provides end-to-end application visibility and performance monitoring across hybrid cloud environments?
31. A developer is using a Dockerfile to build an image. The image must be based on a minimal Linux distribution to reduce attack surface. Which base image should be used?
32. Which TWO are valid methods to secure a Docker container?
33. Which THREE are valid ways to expose ConfigMap data to a pod in Kubernetes?
34. Which THREE are best practices for securing a CI/CD pipeline?
35. A developer is deploying a microservice to a Kubernetes cluster. The application needs to read a database password securely without hardcoding it in the image. Which Kubernetes resource should be used?
36. A team is implementing a CI/CD pipeline using Jenkins. The pipeline must build a Docker image and push it to a private registry. Which Jenkins plugin is specifically designed to handle Docker builds and pushes?
37. An application exposes a REST API. To ensure that only authorized clients can access the API, the developer implements token-based authentication. Which HTTP header is typically used to transmit the bearer token?
38. A company uses a blue/green deployment strategy for their web application. The current live version is blue, and a new version green is ready. The load balancer currently routes all traffic to blue. What is the correct next step to switch traffic to green with minimal downtime?
39. A developer needs to run a temporary container that executes a command and then exits. Which Docker command should be used?
40. A developer is designing an API that needs to support rate limiting per API key. The application is deployed on multiple instances. Which approach ensures consistent rate limiting across all instances?
41. An organization uses a private Docker registry with TLS. A developer attempts to pull an image and receives the error: "x509: certificate signed by unknown authority". What is the most likely cause and solution?
42. A developer is writing a Kubernetes Deployment YAML and wants to set a CPU limit of 500 millicores. Which of the following is the correct YAML snippet?
43. An application uses OAuth 2.0 for authorization. The developer receives an access token but needs to know the user's identity. Which OAuth flow should be used to also obtain an ID token that contains user claims?
44. A developer is deploying a containerized application using Docker Compose. Which TWO statements about Docker Compose are correct?
45. A company is implementing a secure CI/CD pipeline. Which THREE practices are essential for securing the pipeline?
46. A developer is building a RESTful API with Python Flask. Which TWO are recommended security best practices for exposing the API over HTTPS?
47. Refer to the exhibit. During a rolling update, a developer notices that the new pods are not passing the readiness probe and the update stalls. What is the most likely reason?
48. Refer to the exhibit. A security audit reveals that the authentication mechanism is vulnerable. Which attack is most likely possible?
49. Refer to the exhibit. The Docker image built from this Dockerfile is larger than expected. Which optimization should be recommended?
50. A network engineer runs an Ansible playbook to back up a Cisco router configuration. The playbook fails with the error: 'ssh: connect to host 192.168.1.1 port 22: Connection timed out'. What is the most likely cause?
51. A Python script uses the Cisco Meraki API to list networks in an organization. The API returns HTTP 403 Forbidden. What is the most likely cause?
52. A DevOps team uses GitLab CI to deploy a containerized application to a Kubernetes cluster. The deployment pipeline fails at the 'deploy' stage with an error: 'unable to connect to server'. What is the most likely cause?
53. An engineer retrieves the list of devices in a Meraki network via the Dashboard API. The API returns HTTP 200 OK with an empty array. What is the most likely reason?
54. A Python script using the Cisco ACI Toolkit (aciToolkit) fails with 'LoginError: unable to login to APIC'. The APIC is reachable via HTTPS. What is the most likely cause?
55. A developer needs to securely store API keys for use in a CI/CD pipeline. Which best practice should be followed?
56. An engineer uses the Cisco Webex Teams API to send a message to a room. The API returns HTTP 403 Forbidden. What is the most likely cause?
57. A microservices application deployed on Kubernetes uses Istio service mesh. After a recent update, some services cannot communicate with each other. Which diagnostic step is most likely to identify the issue?
58. A team uses Ansible Tower for network automation. They need to restrict a user to only view job results without making any changes. Which Tower role should be assigned?
59. A developer is writing a Python script to back up Cisco router configurations via SSH. Which two libraries are appropriate for this task? (Choose two.)
60. An application is secured using OAuth 2.0 for Cisco Webex API access. Which three components are involved in the authorization code grant flow? (Choose three.)
61. A network automation script using NX-API on a Nexus switch fails intermittently with HTTP 500 errors. Which two troubleshooting steps are most effective in diagnosing the issue? (Choose two.)
62. Refer to the exhibit. A developer from subnet 10.10.10.0/24 cannot reach the RESTCONF API on the IOS-XE device. What is the most likely cause?
63. Refer to the exhibit. A Meraki network has a group policy 'Block Social Media' that references a content filtering rule. The policy is applied to VLAN 1. Users in that VLAN cannot access instagram.com but can access facebook.com. What is the most likely reason?
64. Refer to the exhibit. A developer builds this Docker image and runs it. The container starts but cannot be accessed on port 5000 from the host. What is the most likely cause?
65. A developer is deploying a containerized application to a Kubernetes cluster. To ensure that the application can securely access a third-party API, what is the best practice for storing the API key?
66. During a CI/CD pipeline, a security scan reveals that a Docker image contains a vulnerability in a base layer. Which action BEST addresses the issue?
67. A microservice application uses JWT for authentication. The JWT is signed with RS256. Which practice ensures that the public key used for verification is securely distributed to all services?
68. A company wants to implement a zero-trust model for API access between microservices. What is the most effective way to authenticate service-to-service communication?
69. In a Kubernetes deployment, the container image pull policy is set to "Always". This causes performance issues during rollouts because the image registry is slow. What is the best practice to reduce pull time while maintaining security?
70. A security team wants to ensure that only signed Docker images are deployed in production. Which CI/CD pipeline step validates the image signature before deployment?
71. An application running in a Kubernetes pod needs to access an external database securely. The database credentials are rotated every 24 hours. Which approach ensures that the pod always uses the current credentials without manual intervention?
72. A developer is creating a Helm chart for a stateless web application. Where should the application's configuration settings (like log level and feature flags) be stored?
73. During a security audit, it is found that a microservice exposes its internal IP address in error responses. This could help attackers map the network. What is the BEST remediation?
74. A company is implementing an API gateway for its microservices. Which TWO security features should be enabled at the gateway to protect backend services?
75. A DevOps team is securing a CI/CD pipeline that deploys containerized applications to Kubernetes. Which THREE practices enhance security?
76. Which THREE are valid methods for managing Kubernetes application configuration?
77. Refer to the exhibit. A security audit requires that the container cannot run as root. Which part of the pod spec ensures this?
78. Refer to the exhibit. What is the most effective action to eliminate both vulnerabilities in the container image?
79. A company has a microservices application deployed on Kubernetes. There are three services: frontend, backend, and database. The frontend is exposed via an Ingress. The API gateway is used for authentication. Recently, after updating the backend service, users are experiencing 401 Unauthorized errors when accessing endpoints that previously worked. The authentication mechanism uses JWT tokens issued by an external identity provider. The JWT tokens are validated by the API gateway. The backend service itself does not validate tokens; it relies on the gateway to forward user identity via headers. The development team checked the logs and found that the backend is receiving requests with the correct JWT from the gateway but still returning 401. What is the most likely cause?
80. A developer is building a REST API for a Cisco DNA Center application. The API must allow external partners to retrieve network device inventory. Which security mechanism should be implemented to ensure that only authorized partners can access the API while maintaining the ability to revoke access for a specific partner without affecting others?
81. During a security audit of a microservices application deployed on Cisco Container Platform, the auditor discovers that some containers are running with privileged access. The development team argues that certain containers need to modify kernel parameters. Which security best practice should be recommended to minimize risk while allowing necessary kernel adjustments?
82. Which TWO of the following are recommended practices for securing a CI/CD pipeline in a DevOps environment? (Choose two.)
83. Which THREE of the following are common security vulnerabilities listed in the OWASP Top 10? (Choose three.)
84. A company uses Cisco Meraki APs and an internal web application hosted on AWS. The application stores customer payment data. The security team discovers that sensitive application logs are being transmitted in plaintext over the network to the SIEM. The DevOps team wants to improve security without changing the application code because it is proprietary and cannot be modified. Which solution should be recommended?
85. A team is deploying a new microservice on Cisco Container Platform. The microservice needs to access a database hosted on a separate VM. The security policy requires that only the microservice can communicate with the database, and all traffic must be encrypted. The team is using Kubernetes network policies and mutual TLS. During testing, the microservice cannot reach the database. The database team reports that the database is reachable from other services. What is the most likely cause?
86. An organization uses Ansible for configuration management and wants to secure the automation secrets (e.g., SSH keys, API tokens). The secrets are currently stored in plaintext in inventory files. The security team requires that secrets be encrypted at rest and decrypted only at runtime by authorized users. Which solution should be implemented?
87. A developer is deploying a Python web application on Cisco UCS servers using a CI/CD pipeline that runs on Jenkins. The application uses a PostgreSQL database. The security team mandates that all database credentials must be rotated every 30 days. Currently, credentials are stored as plaintext in a configuration file in the application repository. Which approach should the developer take to meet the rotation requirement without storing secrets in the repository?
88. A company has a web application running on Cisco DNA Center. The application uses OAuth 2.0 for authentication with an external identity provider (IdP). Recently, users have reported that they are being logged out unexpectedly after a few minutes of inactivity, even though the IdP token has a 1-hour expiration. The application developer wants to maintain usability while keeping security controls. What is the most likely cause and solution?
89. A financial services company deploys a multi-tier application on Cisco UCS with separate VMs for web, app, and database tiers. The security team runs a vulnerability scan and finds that the web server is vulnerable to SQL injection. The development team cannot fix the code immediately because of a pending third-party library update. The company needs to deploy a security control to mitigate the vulnerability as soon as possible without changing the application. Which of the following is the best immediate mitigation?
90. Which TWO of the following are best practices for securely managing API tokens in a CI/CD pipeline?
91. Refer to the exhibit. An application is deployed on a server at 192.168.1.10, listening on TCP port 8080. The ACL is applied inbound on the server's network interface. Which clients will be able to access the application?
92. A network administrator is deploying a custom container application on a Cisco Catalyst 9300 switch running IOS XE 16.12. The application is packaged as a .tar file and installed using 'app-hosting install app myapp flash:myapp.tar'. The administrator configures the app-hosting context as follows:
```
app-hosting app myapp
 app-default-gateway 192.168.1.1
 app-vnic gateway0 guest-interface 0
  guest-ipaddress 192.168.1.10 netmask 255.255.255.0
 app-resource profile custom
  cpu 1000
  memory 2048
  storage 5000
```
The administrator also creates a virtual port group 'vg0' and assigns it to the management interface. The application fails to start with the error: 'Application failed to start: guest interface not ready'. The administrator verifies that the .tar file is valid, the resources are sufficient, and the gateway is reachable. What is the most likely cause of the failure?
The Application Deployment and Security domain covers the key concepts tested in this area of the 200-901 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-901 domains — no account required.
The Courseiva 200-901 question bank contains 92 questions in the Application Deployment and Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Application Deployment and Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.