Reinforce CV0-004 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For CV0-004 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the CV0-004 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your CV0-004 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real CV0-004 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass CV0-004.
Sample cards from the CV0-004 flashcard bank. Read the question, think of the answer, then read the explanation below.
A company wants to migrate its on-premises workload to the cloud and needs to maintain full control over the operating system, middleware, and applications. Which cloud service model should the company choose?
IaaS
IaaS provides virtualized computing resources (VMs, storage, networking) where the customer manages the OS and above, making it the right choice for full control.
A cloud architect is creating a Terraform configuration to deploy resources in AWS. The architect needs to store the state file in a remote backend that supports state locking and encryption at rest. Which backend should the architect configure?
S3 with DynamoDB for state locking
S3 with DynamoDB for locking is a recommended backend for Terraform state in AWS. Azure Blob Storage is for Azure, GCS for GCP, and local backend does not support remote state or locking.
A cloud engineer is configuring a web application on AWS and needs to ensure that only HTTP and HTTPS traffic from the internet is allowed to reach the EC2 instances. Which AWS service should be used to control inbound traffic at the instance level?
Security Group
Security groups are stateful virtual firewalls that control inbound and outbound traffic at the instance level. Network ACLs operate at the subnet level and are stateless.
A cloud architect is designing a monitoring solution for a web application. Which service should they use to collect and visualize metrics such as CPU utilization and network throughput?
AWS CloudWatch
AWS CloudWatch is the service for collecting and visualizing metrics on AWS.
A cloud administrator receives an alert that a virtual machine (VM) is unresponsive. The VM is hosted on a hypervisor that shows high CPU ready time. Which of the following is the most likely cause?
Over-provisioning of vCPUs on the hypervisor
High CPU ready time indicates that the VM is ready to execute instructions but is waiting for the hypervisor to schedule physical CPU time. This is a classic symptom of over-provisioning vCPUs, where the total number of vCPUs assigned to all VMs exceeds the available physical cores, causing contention at the hypervisor scheduler level.
A cloud administrator notices that a virtual machine has been running for 180 days without a reboot. The administrator needs to install critical security patches that require a reboot. Which of the following actions should the administrator take FIRST?
Check for existing snapshots and create a new snapshot.
Option B is correct because before applying patches that require a reboot, the administrator should first check for existing snapshots and create a new snapshot. This ensures a rollback point is available in case the patching process fails or causes instability. Snapshots capture the virtual machine's state, including disk and memory, allowing the administrator to revert to the pre-patch state without data loss.
A cloud engineer is troubleshooting a connectivity issue between two virtual networks in different regions. The engineer has verified that the virtual networks are peered and the routing tables are correct. Which of the following is the MOST likely cause of the issue?
A network security group blocking the traffic
Option C is correct because network security groups (NSGs) operate at the subnet or NIC level and can filter traffic between peered virtual networks even when routing is correctly configured. Since the engineer has verified peering and routing tables, the most likely remaining cause is an NSG rule explicitly or implicitly denying the traffic, as NSGs are stateful and evaluated after routing decisions.
A load balancer log entry shows the above for a request. What is the MOST likely cause of the 504 error?
The backend server took too long to respond to the request.
A 504 Gateway Timeout error from a load balancer indicates that the load balancer sent the request to a backend server but did not receive a timely response. The load balancer has a configured timeout value (often 30-120 seconds), and if the backend server fails to respond within that window, the load balancer terminates the connection and returns a 504. This is the most common cause of 504 errors in load-balanced environments.
A cloud architect is deploying a web application across multiple availability zones within a single region to achieve high availability. The application requires that if one availability zone fails, traffic should automatically be rerouted to the remaining zones without manual intervention. Which configuration is required?
Active-active across availability zones with a load balancer
Option B is correct because deploying an active-active configuration across multiple availability zones with a load balancer ensures that traffic is automatically distributed to healthy instances. If one availability zone fails, the load balancer's health checks detect the failure and reroute traffic to the remaining zones without manual intervention, meeting the high availability requirement.
A company uses a hybrid cloud model with an on-premises data center and a public cloud. The network team reports that traffic between the cloud and on-premises is experiencing high latency and packet loss. The cloud administrator verifies that the VPN connection is up. What is the most likely cause?
The VPN tunnel has a mismatched MTU size.
When a VPN tunnel is up but traffic experiences high latency and packet loss, a mismatched Maximum Transmission Unit (MTU) size is a common cause. This occurs because packets larger than the tunnel's MTU must be fragmented, and if fragmentation is not properly handled (e.g., due to the DF bit being set), packets are dropped, leading to retransmissions and increased latency. The symptoms align with MTU issues rather than simple connectivity or throttling problems.
A cloud operations team receives an alert that the CPU usage of a VM has exceeded 90% for the past 30 minutes. The VM is part of an auto-scaling group configured to scale out when CPU exceeds 80% for 5 minutes. However, no new instances have been launched. What is the MOST likely reason the auto-scaling failed to trigger?
The auto-scaling group is in a cooldown period after a previous scaling action.
The auto-scaling group failed to trigger because it was in a cooldown period after a previous scaling action. Cooldown periods are designed to prevent rapid, successive scaling events that could destabilize the environment. During this time, the auto-scaling group ignores new alarms, even if the CPU threshold is exceeded, until the cooldown timer expires.
A cloud engineer is troubleshooting a web application that is not responding. The engineer examines the serial console output of the web-server instance and finds the error shown in the exhibit. What is the MOST likely cause of this issue?
A firewall rule is blocking traffic to the metadata server IP address 169.254.169.254.
The error shown in the serial console output indicates that the instance cannot reach the metadata server at 169.254.169.254. This IP address is a link-local address used by cloud providers (e.g., AWS, GCP, Azure) to serve instance metadata, including user data scripts. If a firewall rule blocks traffic to this IP, the instance cannot retrieve its user data, causing the web application to fail to start or respond.
A cloud administrator is troubleshooting connectivity to a virtual machine with IP address 10.10.10.10 from another VM on the same subnet. The output of ping and traceroute commands is shown. What is the most likely cause of the connectivity issue?
The destination VM's network interface is disabled.
The correct answer is A because a disabled network interface on the destination VM would cause the VM to be unreachable from the same subnet, even though the VM itself is powered on. Ping and traceroute would fail with no response, as the NIC is not operational at Layer 2, preventing ARP resolution and frame delivery. This matches the symptom of no connectivity despite being on the same subnet, where routing and security groups are not factors.
A company uses Azure and wants to centrally audit all management operations across subscriptions. Which service should be used to collect and analyze these logs?
Azure Monitor
Azure Monitor is the correct service because it provides a centralized platform for collecting, analyzing, and acting on telemetry data from Azure resources, including management operations across subscriptions. Specifically, the Azure Activity Log within Azure Monitor captures all control-plane events (e.g., resource creation, deletion, policy changes) at the subscription level, enabling auditing and alerting. This directly meets the requirement for centrally auditing management operations across multiple subscriptions.
A cloud architect is designing a serverless application using Azure Functions. The function must process messages from an Azure Storage Queue. How should the architect configure the trigger?
Queue trigger
The correct answer is C because Azure Functions natively supports a Queue trigger that automatically polls an Azure Storage Queue for new messages and executes the function code when a message is detected. This is the simplest and most efficient way to process messages from a Storage Queue without custom polling logic.
A cloud architect is designing a VPC with public and private subnets. Which component is required to allow instances in the private subnet to access the internet for software updates?
NAT gateway
A NAT gateway is required to enable instances in a private subnet to initiate outbound connections to the internet (e.g., for software updates) while preventing the internet from initiating inbound connections to those instances. It translates the private IP addresses of the instances to the NAT gateway's Elastic IP address using source network address translation (SNAT). An Internet gateway alone cannot serve private subnets because it requires a route table entry pointing to a public subnet with a public IP address.
Which of the following is a key benefit of using object storage like Amazon S3 over block storage?
Unlimited scalability for unstructured data
Amazon S3 is designed for unlimited scalability, allowing you to store and retrieve any amount of unstructured data (e.g., images, videos, backups) without provisioning storage in advance. Unlike block storage, which has fixed size limits per volume, S3 automatically scales to accommodate petabytes of data, making it ideal for modern cloud-native applications.
A company uses a public cloud IaaS model to host a database. They want to ensure the database remains available if an entire availability zone fails. Which configuration would provide the highest availability with automatic failover?
Deploy the database with a stand-by replica in a different availability zone using synchronous replication
Option D is correct because deploying a database with a stand-by replica in a different availability zone using synchronous replication ensures that all committed transactions are written to both the primary and the stand-by before acknowledging the client. This provides automatic failover with zero data loss (RPO=0) and high availability, as the stand-by replica can immediately take over if the entire availability zone fails.
A cloud architect is designing a VPC with three tiers: web, application, and database. Which subnet design provides the best security posture?
Web in public subnet, app and database in private subnets with appropriate routing
Option A is correct because it follows the principle of least privilege and network segmentation. Placing the web tier in a public subnet allows it to receive internet traffic, while the application and database tiers reside in private subnets with no direct internet access. This design ensures that only the web tier is exposed, and the database is isolated, accessible only via the application tier through controlled routing, significantly reducing the attack surface.
Which storage type is most suitable for hosting a shared file system accessible by multiple virtual machines in a cloud environment?
File storage
File storage (option D) is the correct choice because it provides a hierarchical, shared file system that multiple virtual machines can mount simultaneously using standard protocols like NFS (Network File System) or SMB/CIFS. This allows concurrent read/write access with file-level locking, making it ideal for shared workloads such as home directories, content management, or collaboration tools in a cloud environment.
A cloud architect is choosing a compute pricing model for a batch processing job that runs for 2 hours every night. The job can be interrupted. Which option is most cost-effective?
Spot instances
Spot instances are the most cost-effective option because the batch processing job is fault-tolerant (can be interrupted) and runs for a fixed, short duration (2 hours nightly). Spot instances offer significant discounts (often 60-90% off on-demand pricing) by leveraging unused cloud capacity, which can be reclaimed with a 2-minute warning. This aligns perfectly with the workload's tolerance for interruption and its predictable but non-critical schedule.
A cloud administrator notices that a security group rule allowing SSH (port 22) from any IP address (0.0.0.0/0) was created for a Linux server. The server is used for administrative purposes only. Which security best practice should be applied to reduce the attack surface?
Restrict the source IP address to the company's public IP range
Restricting the source IP address to the company's public IP range (option D) directly reduces the attack surface by limiting SSH access to only trusted administrative networks. This is the most effective security best practice because it prevents unauthorized external hosts from even attempting to connect to port 22, regardless of authentication method or port obscurity. In cloud environments like AWS, security group rules are stateful and evaluated before any packet reaches the instance, making source IP restriction a fundamental layer of defense.
A company is migrating a large Oracle database (2 TB) from on-premises to AWS RDS for Oracle. They require minimal downtime and need to keep the source database running during migration. Which AWS service should they use to achieve continuous replication?
AWS DMS with CDC
AWS DMS with Change Data Capture (CDC) is the correct choice because it enables continuous replication of ongoing changes from the source Oracle database to the target RDS for Oracle instance, allowing the source to remain fully operational during migration. CDC captures incremental changes (inserts, updates, deletes) from the source's redo logs, minimizing downtime to a brief cutover window. This meets the requirement of a 2 TB database with minimal downtime while keeping the source running.
The CV0-004 flashcard bank covers all 5 official blueprint domains published by CompTIA. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Cloud Architecture and Design
Deployment
Security
Operations and Support
Troubleshooting
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that CV0-004 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.CV0-004 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective CV0-004 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free CV0-004 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 997+ original CV0-004 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official CompTIA exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official CV0-004 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included