CompTIA · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A cloud administrator notices that a virtual machine running a critical application is using 95% CPU consistently. The application is single-threaded and performance is degraded. Which action should the administrator take to resolve the issue?
Deploy additional VMs and load balance the application.
Increase the RAM allocation to the VM.
Migrate the VM to a host with a higher CPU clock speed.
Higher clock speed improves single-threaded performance.
Increase the number of vCPUs assigned to the VM.
A cloud engineer needs to ensure that a web application can scale out automatically during traffic spikes. Which design best practice should be implemented?
Deploy a larger instance size.
Use a single powerful VM with more vCPUs.
Manually provision additional VMs during peak times.
Configure an auto scaling group with a load balancer.
Auto scaling automatically adjusts capacity.
A company uses a hybrid cloud model with an on-premises data center and a public cloud. The network team reports that traffic between the cloud and on-premises is experiencing high latency and packet loss. The cloud administrator verifies that the VPN connection is up. What is the most likely cause?
A firewall rule is blocking ICMP packets.
VMs are placed in different cloud regions.
The VPN tunnel has a mismatched MTU size.
Mismatched MTU causes fragmentation and packet loss.
The cloud provider is throttling bandwidth.
Which TWO metrics should be monitored to determine if a cloud database is experiencing a memory bottleneck?
Network bytes sent
Swap usage
High swap usage indicates memory pressure.
Average disk queue length
Disk latency
Page faults per second
High page faults indicate insufficient memory.
A cloud administrator is troubleshooting an application that fails to connect to a database. The application and database are in the same VPC. Which THREE steps should the administrator take to diagnose the issue?
Check the routing table for a route to the internet.
Test connectivity to the database using a telnet or netcat command from the application server.
Direct connectivity test isolates the issue.
Verify that the security group associated with the database instance allows inbound traffic from the application's security group on the database port.
Security groups control traffic to the database.
Check the DNS resolution of the database endpoint in the application's subnet.
Verify that the network ACL for the database subnet allows inbound traffic on the database port.
Network ACLs are stateless and must allow traffic.
A cloud administrator is planning a migration of on-premises workloads to the cloud. Which TWO factors should be considered when selecting the appropriate cloud service model (IaaS, PaaS, SaaS)?
The scalability requirements of the application.
The level of control required over the operating system and runtime environment.
Determines if IaaS (full control) or PaaS (less control) is needed.
The security compliance requirements for data at rest.
The compatibility of the application with managed database or middleware services.
If the app uses compatible services, PaaS/SaaS may be viable.
The total cost of ownership compared to on-premises.
A company is migrating a legacy on-premises application to a public cloud. The application currently uses a single monolithic architecture and relies on a local file system for storage. The cloud architect needs to redesign the application to take advantage of cloud-native features. Which design principle should the architect prioritize to ensure scalability and resilience?
Maintain the monolithic architecture and connect via VPN to on-premises storage
Use vertical scaling by increasing vCPU and RAM on a single large VM
Refactor the application into microservices deployed across multiple instances
Microservices enable independent scaling and fault isolation.
Deploy the entire application in a single availability zone to reduce latency
A cloud architect is designing a multi-tier web application in a cloud environment. The application must handle unpredictable traffic spikes while minimizing costs. The architect decides to use auto-scaling groups for the web tier and a managed database service for the data tier. Which additional design consideration is MOST important to ensure the application remains available during a regional outage?
Distribute the auto-scaling group across multiple availability zones
Multi-AZ deployment ensures high availability during zone failures.
Configure the auto-scaling group to burst into on-premises resources during spikes
Increase the size of the web tier instances to handle more traffic
Use a read replica of the database to distribute read traffic
A company is deploying a critical financial application on a private cloud. The compliance team requires that all data at rest be encrypted with a key managed by the company's hardware security module (HSM). The cloud architect must select a storage solution that supports customer-managed keys and integrates with the existing HSM. Which storage option should the architect choose?
Object storage with server-side encryption using a cloud provider key
Instance store volumes on the compute nodes
Encrypted volumes on a software-defined storage (SDS) cluster
SDS volumes can use customer-managed keys and integrate with HSMs.
Network-attached storage (NAS) appliance with built-in encryption
A cloud engineer is troubleshooting a performance issue in a virtualized environment. A critical application is running slowly, and the engineer suspects resource contention. The host server has 32 vCPUs and 256 GB of RAM, running four VMs. Which tool should the engineer use to determine if CPU ready time is causing the performance degradation?
Run the 'top' command inside the affected VM
Deploy a network analyzer to capture traffic between VMs
Check the performance monitor in the guest operating system
Use the hypervisor's monitoring console to view CPU ready time
Hypervisor consoles provide CPU ready metrics indicating contention.
A cloud architect is designing a disaster recovery plan for a cloud-based application. The primary site is in a cloud region, and the recovery site is in a different geographic region. The application uses a relational database with synchronous replication. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. Which replication strategy BEST meets these objectives?
Perform daily backups of the database and restore at the recovery site
Use storage-level asynchronous replication between regions
Use a script to copy database logs every hour to the recovery site
Configure synchronous database replication with automated failover
Synchronous replication provides near-zero RPO and fast failover.
A cloud architect is designing a hybrid cloud environment that connects an on-premises data center to a public cloud. The architect needs to ensure secure, low-latency connectivity and isolate traffic between different business units. Which TWO solutions should the architect implement? (Choose two.)
Configure a NAT gateway to allow outbound internet access
Establish a dedicated VPN or direct connect between on-premises and cloud
Provides secure, low-latency connectivity.
Implement VPC peering to connect VPCs for different business units
VPC peering allows isolated traffic between VPCs.
Deploy a bastion host in a public subnet for administrative access
Use a transit gateway to interconnect all VPCs
A cloud administrator is troubleshooting an issue where a user in the finance department cannot access a critical application hosted on a private cloud. The user can access other applications in the same subnet. The security team recently implemented a new network security policy. Which of the following is MOST likely causing the issue?
The user's VM is isolated from the subnet due to a misconfigured VLAN.
The user's account has been disabled due to a failed login attempt.
The hypervisor is denying access to the application due to a resource quota violation.
A host-based firewall rule is blocking the specific application port on the user's VM.
A host-based firewall rule could block only the specific port used by the application, which explains why other applications work.
An organization wants to ensure that only authorized personnel can access the cloud management console. Which of the following is the BEST method to achieve this?
Enable multi-factor authentication (MFA) for all console users.
MFA provides strong authentication by requiring two or more factors.
Implement strong password policies with complex passwords.
Disable the web console and require API access only.
Restrict console access to a specific IP address range.
A company is migrating a legacy application to a public cloud. The application requires a static IP address for licensing. The security team insists on encrypting all traffic between the application and the database. Which of the following should the cloud architect implement?
Create a VPN connection between the application and database subnets.
A VPN encrypts traffic between the two subnets, and a static IP can be assigned to the application.
Assign an elastic IP and use NAT.
Use TLS certificates on the web server.
Deploy a site-to-site VPN from the cloud to the on-premises data center.
A cloud administrator is tasked with ensuring that only encrypted connections are used to transfer files to a cloud storage bucket. Which of the following should the administrator enforce?
Use HTTP with a custom header.
Allow FTP but restrict to specific IPs.
Require HTTPS for all uploads.
HTTPS encrypts data in transit.
Enable SFTP access to the bucket.
A company is implementing a cloud-based SIEM solution. Which TWO of the following are essential data sources that should be integrated to ensure comprehensive security monitoring?
Physical access logs from the data center.
Firewall configuration backup files.
Employee vacation schedule.
DNS query logs from the cloud DNS service.
DNS logs can reveal C2 communications.
Network flow logs from virtual network appliances.
Flow logs provide traffic metadata for analysis.
A cloud administrator is designing a secure multi-tenant environment. Which THREE of the following are best practices for isolating tenant workloads?
Use a single virtual switch for all tenants.
Deploy tenant workloads on dedicated hypervisors.
Dedicated hypervisors prevent hypervisor-level attacks.
Implement micro-segmentation using virtual firewalls.
Micro-segmentation limits east-west traffic.
Use separate VLANs for each tenant.
VLANs provide Layer 2 isolation.
Place all tenants on the same storage array for efficiency.
A company is deploying a new web application in a hybrid cloud environment. The application must be able to scale out automatically during peak usage and scale in during low usage. The deployment must also ensure that the application remains available if a single Availability Zone fails. Which deployment strategy should the architect recommend?
Deploy a cluster of instances in a single Availability Zone with a load balancer.
Create an auto-scaling group spanning multiple Availability Zones.
Auto-scaling provides automatic scaling and multi-AZ ensures high availability.
Use a single large instance and manually resize during peak periods.
Deploy a load balancer in front of a single instance.
A cloud administrator is deploying a critical application that requires the lowest possible latency between compute instances. The instances will be running in a private subnet and must communicate with each other using their private IP addresses. Which of the following deployment configurations would best meet these requirements?
Deploy instances in different Availability Zones within the same region.
Deploy instances in the same subnet behind a NAT gateway.
Deploy instances in different regions and use inter-region peering.
Deploy instances in a placement group within the same Availability Zone.
Placement groups ensure low latency and high throughput.
An organization is migrating its on-premises virtualization environment to a public cloud. The current environment uses VMware vSphere with VM templates. The cloud provider supports importing VMs in OVF format. Which step should the cloud administrator take to prepare the VMs for migration?
Take a snapshot of each VM and copy the snapshot files.
Export each VM as an OVF template.
OVF is a standard format for VM import/export.
Convert each VM to an ISO image.
Copy the VM's VMDK files and import them as VHDX.
A cloud engineer is deploying a containerized application using Kubernetes. The application consists of a frontend, a backend API, and a database. The engineer needs to ensure that the backend API can be reached by the frontend but not from outside the cluster. Which Kubernetes resource should the engineer use to expose the backend API?
NodePort service
ClusterIP service
ClusterIP provides internal-only access.
Ingress resource
LoadBalancer service
A company is deploying a multi-tier application in a cloud environment. The application must comply with PCI DSS, which requires encryption of data at rest and in transit. The database tier must be isolated from direct internet access, while the web tier must be accessible from the internet. Which of the following deployment architectures best meets these requirements?
Place all tiers in the same subnet and use security groups to restrict traffic.
Use a single instance for web and database, and place it behind a load balancer.
Use a VPN connection from the web tier to the database tier and disable encryption.
Deploy web tier in a public subnet, database tier in a private subnet, and use SSL/TLS for encryption.
Public subnet for web, private for database, and encryption satisfies PCI DSS.
Which TWO of the following are valid considerations when deploying a virtual machine in a cloud environment? (Choose two.)
The log retention policy
The password complexity requirements
The instance size and family
Instance size determines vCPU, memory, and cost.
The number of virtual CPUs assigned to the hypervisor
The type of storage (SSD or HDD)
Storage type impacts performance and cost.
A cloud administrator receives an alert that a virtual machine (VM) is unresponsive. The VM is hosted on a hypervisor that shows high CPU ready time. Which of the following is the most likely cause?
Insufficient memory allocated to the VM
Network latency between the VM and storage
Disk I/O contention from other VMs
Over-provisioning of vCPUs on the hypervisor
Correct; over-provisioned vCPUs cause contention and high ready time.
A company is designing a multi-cloud disaster recovery solution. They need to ensure RPO of 15 minutes and RTO of 1 hour for critical workloads. Which of the following should be implemented?
Asynchronous replication to a secondary cloud with a 30-minute delay
Synchronous replication to a standby environment in another cloud provider
Correct; synchronous replication provides low RPO and fast failover.
Pilot light environment that is started manually during a disaster
Daily backups to object storage in a different region
A cloud engineer notices that an application is running slower than expected. Monitoring shows that the CPU utilization is consistently below 30%, but memory usage is at 95%. Which of the following is the most likely cause of the performance issue?
Insufficient disk space for application logs
Insufficient memory causing swapping to disk
Correct; high memory usage leads to swapping, slowing performance.
Network bandwidth saturation
CPU contention due to overprovisioning
A cloud administrator is troubleshooting connectivity issues between two virtual networks in different regions. The VNets are peered, but instances cannot communicate. The administrator verifies that the peering status is 'Connected' and route tables appear correct. Which of the following should be checked next?
Network Security Group (NSG) rules on the instances and subnets
Correct; NSGs can block traffic even if VNet peering is established.
DNS resolution settings
Gateway subnet configuration
Service endpoint status
A company is implementing a cloud governance strategy. They need to ensure that all resources are tagged with cost center and environment, and any untagged resources are automatically remediated. Which of the following best practices should be applied?
Implement role-based access control to restrict resource creation
Set up budget alerts to notify when costs exceed thresholds
Create a manual audit process to check tags weekly
Use policy-as-code to enforce tagging and automatically apply tags to untagged resources
Correct; policy-as-code can enforce and auto-remediate tagging.
A cloud engineer is troubleshooting a VM that is experiencing high latency. The VM is hosted on a hypervisor with other VMs. Which TWO metrics should the engineer review to identify if resource contention is occurring?
Memory ballooning
Correct; memory ballooning indicates memory contention.
CPU ready time
Correct; high CPU ready time indicates CPU contention.
Network packet drops
Swap usage
Disk queue length
The CV0-004 exam has 90 questions and must be completed in 90 minutes. The passing score is 750/1000.
Scenario questions on cloud architecture, deployment, security, operations, and troubleshooting across major cloud platforms. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.
The exam covers 5 domains: Operations and Support, Cloud Architecture and Design, Security, Deployment, Troubleshooting. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official CompTIA CV0-004 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.