
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CompTIA · Free Practice Questions · Last reviewed May 2026

CV0-004 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
90 min time limit
Pass: 750/1000
5 exam domains

Domain 1: Operations and Support

Q1 (medium)

A cloud administrator notices that a virtual machine running a critical application is using 95% CPU consistently. The application is single-threaded and performance is degraded. Which action should the administrator take to resolve the issue?

A

Deploy additional VMs and load balance the application.

B

Increase the RAM allocation to the VM.

C

Migrate the VM to a host with a higher CPU clock speed.

Higher clock speed improves single-threaded performance.

D

Increase the number of vCPUs assigned to the VM.

Why: The application is single-threaded, meaning it can only utilize one CPU core at a time. Increasing the CPU clock speed directly improves the processing speed of that single thread, which resolves the performance degradation. Option C is correct because migrating to a host with a higher CPU clock speed provides a faster core for the single-threaded workload.
Q2 (easy)

A cloud engineer needs to ensure that a web application can scale out automatically during traffic spikes. Which design best practice should be implemented?

A

Deploy a larger instance size.

B

Use a single powerful VM with more vCPUs.

C

Manually provision additional VMs during peak times.

D

Configure an auto scaling group with a load balancer.

Auto scaling automatically adjusts capacity.

Why: Option D is correct because an auto scaling group combined with a load balancer automatically adds or removes VM instances based on predefined metrics (e.g., CPU utilization, request count), ensuring the web application scales out horizontally during traffic spikes without manual intervention. This aligns with cloud elasticity best practices for handling variable workloads.
Q3 (hard)

A company uses a hybrid cloud model with an on-premises data center and a public cloud. The network team reports that traffic between the cloud and on-premises is experiencing high latency and packet loss. The cloud administrator verifies that the VPN connection is up. What is the most likely cause?

A

A firewall rule is blocking ICMP packets.

B

VMs are placed in different cloud regions.

C

The VPN tunnel has a mismatched MTU size.

Mismatched MTU causes fragmentation and packet loss.

D

The cloud provider is throttling bandwidth.

Why: When a VPN tunnel is up but traffic experiences high latency and packet loss, a mismatched Maximum Transmission Unit (MTU) size is a common cause. This occurs because packets larger than the tunnel's MTU must be fragmented, and if fragmentation is not properly handled (e.g., due to the DF bit being set), packets are dropped, leading to retransmissions and increased latency. The symptoms align with MTU issues rather than simple connectivity or throttling problems.
Q4 (medium)

Which TWO metrics should be monitored to determine if a cloud database is experiencing a memory bottleneck?

A

Network bytes sent

B

Swap usage

High swap usage indicates memory pressure.

C

Average disk queue length

D

Disk latency

E

Page faults per second

High page faults indicate insufficient memory.

Why: Swap usage (B) is a direct indicator of memory pressure; when the operating system moves memory pages to disk, it signals that the database cannot fit its working set in RAM, causing severe performance degradation. Page faults per second (E) measures how often the database must retrieve memory pages from disk; a sustained high rate indicates the buffer pool is too small for the workload, confirming a memory bottleneck.
Q5 (hard)

A cloud administrator is troubleshooting an application that fails to connect to a database. The application and database are in the same VPC. Which THREE steps should the administrator take to diagnose the issue?

A

Check the routing table for a route to the internet.

B

Test connectivity to the database using a telnet or netcat command from the application server.

Direct connectivity test isolates the issue.

C

Verify that the security group associated with the database instance allows inbound traffic from the application's security group on the database port.

Security groups control traffic to the database.

D

Check the DNS resolution of the database endpoint in the application's subnet.

E

Verify that the network ACL for the database subnet allows inbound traffic on the database port.

Network ACLs are stateless and must allow traffic.

Why: Option B is correct because telnet or netcat can test basic TCP connectivity to the database port, confirming whether the database is reachable from the application server at the network layer. This step isolates whether the issue is a network connectivity problem versus an authentication or configuration issue within the database itself.
Q6 (easy)

A cloud administrator is planning a migration of on-premises workloads to the cloud. Which TWO factors should be considered when selecting the appropriate cloud service model (IaaS, PaaS, SaaS)?

A

The scalability requirements of the application.

B

The level of control required over the operating system and runtime environment.

Determines if IaaS (full control) or PaaS (less control) is needed.

C

The security compliance requirements for data at rest.

D

The compatibility of the application with managed database or middleware services.

If app uses compatible services, PaaS/SaaS may be viable.

E

The total cost of ownership compared to on-premises.

Why: Option B is correct because the level of control over the operating system and runtime environment is a defining factor when choosing between IaaS, PaaS, and SaaS. IaaS provides full control over the OS and runtime, PaaS abstracts the OS and runtime but allows control over application deployment, and SaaS offers no control over the underlying infrastructure. This directly impacts migration decisions, especially for legacy applications that require specific OS configurations or custom runtime dependencies.


Domain 2: Cloud Architecture and Design

Q1 (easy)

A company is migrating a legacy on-premises application to a public cloud. The application currently uses a single monolithic architecture and relies on a local file system for storage. The cloud architect needs to redesign the application to take advantage of cloud-native features. Which design principle should the architect prioritize to ensure scalability and resilience?

A

Maintain the monolithic architecture and connect via VPN to on-premises storage

B

Use vertical scaling by increasing vCPU and RAM on a single large VM

C

Refactor the application into microservices deployed across multiple instances

Microservices enable independent scaling and fault isolation.

D

Deploy the entire application in a single availability zone to reduce latency

Why: Option C is correct because refactoring the monolithic application into microservices enables independent scaling of components, improves fault isolation, and aligns with cloud-native patterns like containerization and orchestration (e.g., Kubernetes). This approach leverages horizontal scaling across multiple instances, which is essential for achieving elasticity and resilience in a public cloud environment, unlike the legacy single-point-of-failure monolithic design.
Q2 (medium)

A cloud architect is designing a multi-tier web application in a cloud environment. The application must handle unpredictable traffic spikes while minimizing costs. The architect decides to use auto-scaling groups for the web tier and a managed database service for the data tier. Which additional design consideration is MOST important to ensure the application remains available during a regional outage?

A

Distribute the auto-scaling group across multiple availability zones

Multi-AZ deployment ensures high availability during zone failures.

B

Configure the auto-scaling group to burst into on-premises resources during spikes

C

Increase the size of the web tier instances to handle more traffic

D

Use a read replica of the database to distribute read traffic

Why: Distributing the auto-scaling group across multiple Availability Zones (AZs) ensures that if one AZ fails, the web tier continues to serve traffic from the remaining AZs. This is the most critical design consideration for maintaining availability during a regional outage because it provides fault isolation at the AZ level, which is a fundamental principle of high availability in cloud architecture.
Q3 (hard)

A company is deploying a critical financial application on a private cloud. The compliance team requires that all data at rest be encrypted with a key managed by the company's hardware security module (HSM). The cloud architect must select a storage solution that supports customer-managed keys and integrates with the existing HSM. Which storage option should the architect choose?

A

Object storage with server-side encryption using a cloud provider key

B

Instance store volumes on the compute nodes

C

Encrypted volumes on a software-defined storage (SDS) cluster

SDS volumes can use customer-managed keys and integrate with HSMs.

D

Network-attached storage (NAS) appliance with built-in encryption

Why: Option C is correct because a software-defined storage (SDS) cluster can be configured to use customer-managed encryption keys that integrate directly with the company's existing hardware security module (HSM) via standard interfaces like PKCS#11 or KMIP. This allows the company to maintain full control over key management and meet the compliance requirement for data-at-rest encryption with HSM-managed keys.
Q4 (easy)

A cloud engineer is troubleshooting a performance issue in a virtualized environment. A critical application is running slowly, and the engineer suspects resource contention. The host server has 32 vCPUs and 256 GB of RAM, running four VMs. Which tool should the engineer use to determine if CPU ready time is causing the performance degradation?

A

Run the 'top' command inside the affected VM

B

Deploy a network analyzer to capture traffic between VMs

C

Check the performance monitor in the guest operating system

D

Use the hypervisor's monitoring console to view CPU ready time

Hypervisor consoles provide CPU ready metrics indicating contention.

Why: CPU ready time is a hypervisor-level metric that measures the time a VM is ready to execute but must wait for a physical CPU core to become available. Since the engineer suspects resource contention among VMs on the same host, the hypervisor's monitoring console (e.g., vSphere, Hyper-V Manager) is the only tool that can expose this metric directly. Guest OS tools like 'top' or Performance Monitor cannot see CPU ready time because it occurs at the virtualization layer, not inside the VM.
Q5 (medium)

A cloud architect is designing a disaster recovery plan for a cloud-based application. The primary site is in a cloud region, and the recovery site is in a different geographic region. The application uses a relational database with synchronous replication. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. Which replication strategy BEST meets these objectives?

A

Perform daily backups of the database and restore at the recovery site

B

Use storage-level asynchronous replication between regions

C

Use a script to copy database logs every hour to the recovery site

D

Configure synchronous database replication with automated failover

Synchronous replication provides near-zero RPO and fast failover.

Why: Synchronous database replication with automated failover ensures that every write transaction is committed to both the primary and recovery site databases before acknowledging success, guaranteeing zero data loss (RPO=0) and near-instantaneous failover within seconds to minutes, which comfortably meets the RTO of 1 hour and RPO of 15 minutes. This strategy directly satisfies the strict RPO requirement by maintaining a fully synchronized, hot standby replica that can be promoted immediately upon failure.
Q6 (medium)

A cloud architect is designing a hybrid cloud environment that connects an on-premises data center to a public cloud. The architect needs to ensure secure, low-latency connectivity and isolate traffic between different business units. Which TWO solutions should the architect implement? (Choose two.)

A

Configure a NAT gateway to allow outbound internet access

B

Establish a dedicated VPN or direct connect between on-premises and cloud

Provides secure, low-latency connectivity.

C

Implement VPC peering to connect VPCs for different business units

VPC peering allows isolated traffic between VPCs.

D

Deploy a bastion host in a public subnet for administrative access

E

Use a transit gateway to interconnect all VPCs

Why: Option B is correct because a dedicated VPN or Direct Connect establishes a secure, low-latency, and private connection between the on-premises data center and the public cloud, bypassing the public internet to reduce latency and improve security. This is essential for hybrid cloud environments where consistent performance and isolation from internet-based threats are required.


Domain 3: Security

Q1 (medium)

A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?

A

The user's VM is isolated from the subnet due to a misconfigured VLAN.

B

The user's account has been disabled due to a failed login attempt.

C

The hypervisor is denying access to the application due to a resource quota violation.

D

A host-based firewall rule is blocking the specific application port on the user's VM.

A host-based firewall rule could block only the specific port used by the application, which explains why other applications work.

Why: Option D is correct because the user can access other applications in the same subnet, indicating network connectivity is intact, but a specific application is blocked. A host-based firewall rule on the user's VM (e.g., Windows Firewall or iptables) can filter traffic by port or protocol, and a newly implemented security policy likely added a rule blocking the port used by the critical application. This explains why only that application is inaccessible while others work.
Q2 (easy)

An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?

A

Enable multi-factor authentication (MFA) for all console users.

MFA provides strong authentication by requiring two or more factors.

B

Implement strong password policies with complex passwords.

C

Disable the web console and require API access only.

D

Restrict console access to a specific IP address range.

Why: Multi-factor authentication (MFA) is the best method because it adds an additional layer of security beyond just a password, requiring a second factor (e.g., a time-based one-time password from an authenticator app or a hardware token). This significantly reduces the risk of unauthorized access even if credentials are compromised, as the attacker would also need the second factor. In cloud environments like AWS, Azure, or GCP, MFA is a fundamental security best practice for protecting the management console.
Q3 (hard)

A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?

A

Create a VPN connection between the application and database subnets.

A VPN encrypts traffic between the two subnets, and a static IP can be assigned to the application.

B

Assign an elastic IP and use NAT.

C

Use TLS certificates on the web server.

D

Deploy a site-to-site VPN from the cloud to the on-premises data center.

Why: Option A is correct because creating a VPN connection between the application and database subnets establishes an encrypted tunnel (using IPsec or TLS-based VPN protocols) that ensures all traffic between the two subnets is encrypted, meeting the security team's requirement. Additionally, the application's need for a static IP address can be satisfied by assigning a static private IP to the application instance within its subnet, while the VPN provides secure communication without exposing traffic to the public internet.
Q4 (easy)

A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?

A

Use HTTP with a custom header.

B

Allow FTP but restrict to specific IPs.

C

Require HTTPS for all uploads.

HTTPS encrypts data in transit.

D

Enable SFTP access to the bucket.

Why: HTTPS (HTTP over TLS) encrypts data in transit using TLS, ensuring that files uploaded to a cloud storage bucket are protected from eavesdropping and tampering. By requiring HTTPS for all uploads, the administrator enforces encrypted connections as mandated by the security policy, which is a standard practice for cloud storage services like AWS S3 or Azure Blob Storage.
Q5 (medium)

A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?

A

Physical access logs from the data center.

B

Firewall configuration backup files.

C

Employee vacation schedule.

D

DNS query logs from the cloud DNS service.

DNS logs can reveal C2 communications.

E

Network flow logs from virtual network appliances.

Flow logs provide traffic metadata for analysis.

Why: DNS query logs from the cloud DNS service (Option D) are essential because they provide visibility into domain resolution activities, which can reveal command-and-control (C2) communications, data exfiltration via DNS tunneling, or connections to malicious domains. In a cloud-based SIEM, these logs are critical for detecting threats that leverage DNS as a covert channel, as they capture the source IP, queried domain, and response codes in real time.
Q6 (hard)

A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?

A

Use a single virtual switch for all tenants.

B

Deploy tenant workloads on dedicated hypervisors.

Dedicated hypervisors prevent hypervisor-level attacks.

C

Implement micro-segmentation using virtual firewalls.

Micro-segmentation limits east-west traffic.

D

Use separate VLANs for each tenant.

VLANs provide Layer 2 isolation.

E

Place all tenants on the same storage array for efficiency.

Why: Deploying tenant workloads on dedicated hypervisors provides strong physical isolation, preventing a compromised hypervisor from affecting other tenants. This approach eliminates the risk of side-channel attacks or resource contention that could cross tenant boundaries, ensuring each tenant's virtual machines run on separate hardware with no shared compute resources.


Domain 4: Deployment

Q1 (medium)

A company is deploying a new web application in a hybrid cloud environment. The application must be able to scale out automatically during peak usage and scale in during low usage. The deployment must also ensure that the application remains available if a single Availability Zone fails. Which deployment strategy should the architect recommend?

A

Deploy a cluster of instances in a single Availability Zone with a load balancer.

B

Create an auto-scaling group spanning multiple Availability Zones.

Auto-scaling provides automatic scaling and multi-AZ ensures high availability.

C

Use a single large instance and manually resize during peak periods.

D

Deploy a load balancer in front of a single instance.

Why: Option B is correct because an auto-scaling group spanning multiple Availability Zones ensures both automatic scaling based on demand and high availability. If one Availability Zone fails, the load balancer distributes traffic to healthy instances in the remaining zones, meeting the requirement for continuous availability during a zone failure.
Q2 (hard)

A cloud administrator is deploying a critical application that requires the lowest possible latency between compute instances. The instances will be running in a private subnet and must communicate with each other using their private IP addresses. Which of the following deployment configurations would best meet these requirements?

A

Deploy instances in different Availability Zones within the same region.

B

Deploy instances in the same subnet behind a NAT gateway.

C

Deploy instances in different regions and use inter-region peering.

D

Deploy instances in a placement group within the same Availability Zone.

Placement groups ensure low latency and high throughput.

Why: Deploying instances in a placement group within the same Availability Zone ensures they are physically close together, often in the same rack or cluster, which minimizes network hops and achieves the lowest possible latency. This configuration is ideal for latency-sensitive applications because it leverages non-blocking, high-bandwidth inter-instance communication without traversing additional network infrastructure.
Q3 (easy)

An organization is migrating its on-premises virtualization environment to a public cloud. The current environment uses VMware vSphere with VM templates. The cloud provider supports importing VMs in OVF format. Which step should the cloud administrator take to prepare the VMs for migration?

A

Take a snapshot of each VM and copy the snapshot files.

B

Export each VM as an OVF template.

OVF is a standard format for VM import/export.

C

Convert each VM to an ISO image.

D

Copy the VM's VMDK files and import them as VHDX.

Why: The cloud provider supports importing VMs in OVF format, which is an open standard for packaging and distributing virtual appliances. Exporting each VM as an OVF template from VMware vSphere creates the necessary .ovf descriptor file and accompanying disk files (e.g., .vmdk) that the provider can directly import. This is the correct preparation step because it produces the exact format required by the target cloud platform.
Q4 (medium)

A cloud engineer is deploying a containerized application using Kubernetes. The application consists of a frontend, a backend API, and a database. The engineer needs to ensure that the backend API can be reached by the frontend but not from outside the cluster. Which Kubernetes resource should the engineer use to expose the backend API?

A

NodePort service

B

ClusterIP service

ClusterIP provides internal-only access.

C

Ingress resource

D

LoadBalancer service

Why: A ClusterIP service exposes the backend API on a cluster-internal IP address, making it reachable only from within the Kubernetes cluster. This meets the requirement that the frontend can communicate with the backend API, but external traffic is blocked. ClusterIP is the default service type and is ideal for internal service-to-service communication.
Q5 (hard)

A company is deploying a multi-tier application in a cloud environment. The application must comply with PCI DSS, which requires encryption of data at rest and in transit. The database tier must be isolated from direct internet access, while the web tier must be accessible from the internet. Which of the following deployment architectures best meets these requirements?

A

Place all tiers in the same subnet and use security groups to restrict traffic.

B

Use a single instance for web and database, and place it behind a load balancer.

C

Use a VPN connection from the web tier to the database tier and disable encryption.

D

Deploy web tier in a public subnet, database tier in a private subnet, and use SSL/TLS for encryption.

Public subnet for web, private for database, and encryption satisfies PCI DSS.

Why: Option D is correct because it separates the web tier into a public subnet for internet accessibility and the database tier into a private subnet for isolation, meeting PCI DSS requirements. SSL/TLS encryption ensures data in transit is protected, and encryption at rest can be applied to the database storage. This architecture aligns with cloud best practices for multi-tier applications requiring compliance.
Q6 (medium)

Which TWO of the following are valid considerations when deploying a virtual machine in a cloud environment? (Choose two.)

A

The log retention policy

B

The password complexity requirements

C

The instance size and family

Instance size determines vCPU, memory, and cost.

D

The number of virtual CPUs assigned to the hypervisor

E

The type of storage (SSD or HDD)

Storage type impacts performance and cost.

Why: Option C is correct because the instance size and family directly determine the virtual machine's compute capacity, including vCPUs, memory, and network performance. Selecting the appropriate size and family ensures the workload has sufficient resources without over-provisioning, which is a fundamental deployment consideration in cloud environments like AWS EC2 or Azure VMs.


Domain 5: Troubleshooting

Q1 (medium)

A cloud administrator receives an alert that a virtual machine (VM) is unresponsive. The VM is hosted on a hypervisor that shows high CPU ready time. Which of the following is the most likely cause?

A

Insufficient memory allocated to the VM

B

Network latency between the VM and storage

C

Disk I/O contention from other VMs

D

Over-provisioning of vCPUs on the hypervisor

Correct; over-provisioned vCPUs cause contention and high ready time.

Why: High CPU ready time indicates that the VM is ready to execute instructions but is waiting for the hypervisor to schedule physical CPU time. This is a classic symptom of over-provisioning vCPUs, where the total number of vCPUs assigned to all VMs exceeds the available physical cores, causing contention at the hypervisor scheduler level.
Q2 (hard)

A company is designing a multi-cloud disaster recovery solution. They need to ensure RPO of 15 minutes and RTO of 1 hour for critical workloads. Which of the following should be implemented?

A

Asynchronous replication to a secondary cloud with a 30-minute delay

B

Synchronous replication to a standby environment in another cloud provider

Correct; synchronous replication provides low RPO and fast failover.

C

Pilot light environment that is started manually during a disaster

D

Daily backups to object storage in a different region

Why: Synchronous replication ensures that data is written to both the primary and standby environments simultaneously, guaranteeing zero data loss and meeting the 15-minute RPO. With a pre-configured standby environment in another cloud provider, failover can occur within minutes, satisfying the 1-hour RTO. This approach provides the lowest possible RPO and RTO for critical workloads.
Q3 (easy)

A cloud engineer notices that an application is running slower than expected. Monitoring shows that the CPU utilization is consistently below 30%, but memory usage is at 95%. Which of the following is the most likely cause of the performance issue?

A

Insufficient disk space for application logs

B

Insufficient memory causing swapping to disk

Correct; high memory usage leads to swapping, slowing performance.

C

Network bandwidth saturation

D

CPU contention due to overprovisioning

Why: When memory usage is at 95% and CPU utilization is low, the system is likely thrashing—the operating system is forced to page memory to disk (swap) to free RAM. Disk I/O is orders of magnitude slower than RAM, so even with idle CPU, the application stalls waiting for swap operations. This explains the performance degradation despite low CPU load.
Q4 (medium)

A cloud administrator is troubleshooting connectivity issues between two virtual networks in different regions. The VNets are peered, but instances cannot communicate. The administrator verifies that the peering status is 'Connected' and route tables appear correct. Which of the following should be checked next?

A

Network Security Group (NSG) rules on the instances and subnets

Correct; NSGs can block traffic even if VNet peering is established.

B

DNS resolution settings

C

Gateway subnet configuration

D

Service endpoint status

Why: Even when VNet peering status shows 'Connected' and route tables are correct, Network Security Group (NSG) rules can still block traffic. NSGs act as a stateful firewall at the subnet or NIC level, and by default they deny all inbound traffic unless explicitly allowed. Since the administrator has already verified routing, the next logical step is to check NSG rules for any implicit deny or missing allow rules that could be dropping the inter-region traffic.
Q5 (hard)

A company is implementing a cloud governance strategy. They need to ensure that all resources are tagged with cost center and environment, and any untagged resources are automatically remediated. Which of the following best practices should be applied?

A

Implement role-based access control to restrict resource creation

B

Set up budget alerts to notify when costs exceed thresholds

C

Create a manual audit process to check tags weekly

D

Use policy-as-code to enforce tagging and automatically apply tags to untagged resources

Correct; policy-as-code can enforce and auto-remediate tagging.

Why: Option D is correct because policy-as-code (e.g., Azure Policy, AWS Config Rules, or Open Policy Agent) allows you to define tagging requirements declaratively and automatically remediate non-compliant resources. This approach enforces governance in real-time without manual intervention, ensuring all resources are tagged with cost center and environment as specified.
Q6 (medium)

A cloud engineer is troubleshooting a VM that is experiencing high latency. The VM is hosted on a hypervisor with other VMs. Which TWO metrics should the engineer review to identify if resource contention is occurring?

A

Memory ballooning

Correct; memory ballooning indicates memory contention.

B

CPU ready time

Correct; high CPU ready time indicates CPU contention.

C

Network packet drops

D

Swap usage

E

Disk queue length

Why: Memory ballooning (A) is a VMware mechanism where the hypervisor reclaims idle memory from a VM by inflating a balloon driver, forcing the VM to swap. High ballooning indicates memory overcommitment and contention, directly causing latency. CPU ready time (B) measures the time a VM is ready to run but waiting for a physical CPU core; elevated ready time signals CPU contention among VMs on the same hypervisor.


Frequently asked questions

How many questions are on the CV0-004 exam?

The CV0-004 exam has 90 questions and must be completed in 90 minutes. The passing score is 750/1000.

What types of questions appear on the CV0-004 exam?

Scenario questions on cloud architecture, deployment, security, operations, and troubleshooting across major cloud platforms. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are CV0-004 questions organised by domain?

The exam covers 5 domains: Operations and Support, Cloud Architecture and Design, Security, Deployment, Troubleshooting. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CV0-004 exam questions?

No. These are original exam-style practice questions written against the official CompTIA CV0-004 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
