AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 175

1705 questions total · 23 pages · All types, answers revealed

Page 1 of 23

1
MCQeasy

A company wants to securely connect multiple VPCs in the same region to a common on-premises network using a single Direct Connect connection. Which AWS service should they use to simplify the network architecture?

A.Virtual Private Gateway
B.Direct Connect Gateway
C.VPC Peering
D.Transit Gateway
AnswerB

Direct Connect Gateway enables multiple VPCs to use a single Direct Connect connection.

Why this answer

Option B is correct. A Direct Connect gateway is a global resource that lets several VPCs share one Direct Connect connection: the private virtual interface terminates on the Direct Connect gateway, and the VPCs are associated with it through their virtual private gateways (or through a transit gateway). Option A is wrong because a virtual private gateway belongs to a single VPC; a private VIF terminated directly on a VGW serves only that VPC.

Option C is wrong because VPC peering connects two VPCs to each other and has no relationship to Direct Connect. Option D is wrong because a transit gateway cannot terminate a Direct Connect connection on its own; it still has to be associated with a Direct Connect gateway over a transit virtual interface, so by itself it does not answer the question.

2
MCQmedium

A company is implementing a hybrid network with AWS Direct Connect and a VPN connection as backup. They have a Direct Connect gateway (DXGW) attached to a private VIF and a virtual private gateway (VGW) attached to a VPN connection. The VPC is attached to the VGW. They want to use the Direct Connect connection for all traffic when available. The on-premises router advertises the same prefix over both connections. However, traffic from on-premises to the VPC is using the VPN connection. BGP is configured correctly on both connections. What should the company do to prefer the Direct Connect path?

A.Set a higher weight on the Direct Connect BGP session.
B.Set a higher local preference on the Direct Connect VIF.
C.Change the BGP timers on the Direct Connect VIF to have a lower hold time.
D.Configure AS_PATH prepending on the VPN BGP session.
E.Configure a lower MED (Multi-Exit Discriminator) on the Direct Connect VIF.
AnswerB

The on-premises router chooses the path for on-premises-to-VPC traffic; raising the local preference of the routes it learns over the Direct Connect BGP session makes that path win.

Why this answer

Option B is correct. The on-premises router learns the VPC prefix twice, once from the Direct Connect BGP peer and once from the VPN BGP peer, and its own best-path selection decides which copy carries traffic toward the VPC. Local preference is the first attribute compared after the vendor-specific weight and is evaluated before AS_PATH length and MED, so applying a higher local preference to routes received over the Direct Connect session (an inbound route map on the customer gateway) makes Direct Connect the best path whenever it is available. When the Direct Connect BGP session drops, that copy of the route is withdrawn and the VPN path takes over automatically, which is the required backup behaviour.

Exam trap

The trap is the direction of the traffic. Traffic from on-premises to the VPC is outbound from the customer's point of view, so it is steered by attributes the customer applies to routes it receives (local preference, or weight on Cisco devices). MED and AS_PATH prepending are applied to routes the customer advertises and influence the opposite direction, AWS to on-premises, which AWS already sends over Direct Connect by default when the same prefix arrives over both paths.

How to eliminate wrong answers

Option A is wrong because weight is Cisco-specific and local to a single router; it would work on a single-router site, but local preference is the vendor-neutral attribute that is carried to every router in the local AS. Option C is wrong because BGP timers only change how quickly a dead neighbour is detected; they do not alter which path is preferred while both sessions are up. Option D is wrong because prepending the AS_PATH on advertisements sent over the VPN session influences how AWS routes traffic back to on-premises, not how the on-premises router sends traffic to the VPC.

Option E is wrong because MED is set by the advertising side to influence the neighbour's inbound decision: a MED set on the Direct Connect session is carried toward AWS and affects only AWS-to-on-premises traffic, and the BGP attributes of the prefixes AWS advertises are not customer-configurable. Even on a router that rewrites the MED of received routes, MED is compared only after local preference and AS_PATH length and, by default, only between routes learned from the same neighbouring AS, so it is not a reliable way to steer this traffic.
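The decision described above, as an added illustration that is not part of the original question set: a toy model of the customer router's BGP best-path selection, applied to the same VPC prefix learned over a Direct Connect session and a VPN session. The ASNs (64512, 64513), the MED values and the 169.254.x.x neighbour router IDs are constructed for the example, not AWS-assigned values. It shows that lowering the MED on the Direct Connect path changes nothing while the two peers sit in different ASes, and that a higher local preference decides the path regardless of MED.

```python
"""Toy model of the BGP best-path decision an on-premises router makes when it
learns the same VPC prefix over a Direct Connect BGP session and over a VPN
BGP session. Attribute order follows the common implementation: highest
LOCAL_PREF, shortest AS_PATH, lowest MED (compared only between paths from the
same neighbouring AS unless always-compare-med is enabled), then a tie-break
on the neighbour's router ID. Weight (Cisco-only) is omitted. ASNs, MED values
and router IDs are constructed for the illustration, not taken from AWS."""
from dataclasses import dataclass
from typing import List


@dataclass
class Path:
    name: str                 # "dx" or "vpn" in this example
    neighbor_as: int          # ASN of the BGP peer the route was learned from
    as_path: List[int]
    local_pref: int = 100     # default LOCAL_PREF on most implementations
    med: int = 0              # an absent MED is treated as 0 by default
    router_id: str = "0.0.0.0"


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    candidates = list(paths)
    top = max(p.local_pref for p in candidates)                       # 1. highest LOCAL_PREF
    candidates = [p for p in candidates if p.local_pref == top]
    if len(candidates) == 1:
        return candidates[0]
    shortest = min(len(p.as_path) for p in candidates)                # 2. shortest AS_PATH
    candidates = [p for p in candidates if len(p.as_path) == shortest]
    if len(candidates) == 1:
        return candidates[0]
    same_neighbor_as = len({p.neighbor_as for p in candidates}) == 1  # 3. lowest MED, if comparable
    if always_compare_med or same_neighbor_as:
        lowest = min(p.med for p in candidates)
        candidates = [p for p in candidates if p.med == lowest]
        if len(candidates) == 1:
            return candidates[0]
    # 4. tie-break: lowest neighbour router ID
    return min(candidates, key=lambda p: tuple(int(o) for o in p.router_id.split(".")))


def on_prem_paths(dx_local_pref: int = 100, dx_med: int = 0, vpn_med: int = 50) -> List[Path]:
    """The two copies of the VPC prefix as seen by the customer router (constructed values)."""
    return [
        Path("vpn", neighbor_as=64512, as_path=[64512], med=vpn_med, router_id="169.254.10.1"),
        Path("dx", neighbor_as=64513, as_path=[64513], local_pref=dx_local_pref,
             med=dx_med, router_id="169.254.20.1"),
    ]


def chosen(dx_local_pref: int = 100, dx_med: int = 0, always_compare_med: bool = False) -> str:
    """Name of the path the router installs for the VPC prefix."""
    return best_path(on_prem_paths(dx_local_pref, dx_med), always_compare_med).name


if __name__ == "__main__":
    print("defaults                   ->", chosen())                                    # vpn (tie-break)
    print("lower MED on DX            ->", chosen(dx_med=10))                           # vpn (MED not comparable)
    print("lower MED + always-compare ->", chosen(dx_med=10, always_compare_med=True))  # dx
    print("higher LOCAL_PREF on DX    ->", chosen(dx_local_pref=200))                   # dx
```

With equal local preference and AS_PATH length, the router falls through to the tie-break and may well pick the VPN copy, which is the symptom in the question; only the local-preference change makes the outcome deterministic on every router in the site.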

3
MCQhard

Refer to the exhibit. A bucket policy allows access to an S3 bucket. What is the intended effect?

A.Allows requests from any public IP address
B.Allows any request to the bucket
C.Denies all requests because the IP condition uses a private IP range
D.Allows requests only from a VPC with CIDR 10.0.0.0/16
AnswerC

Private IPs are not seen by S3, so the condition never matches.

Why this answer

The bucket policy carries a Deny statement whose condition is NotIpAddress on aws:SourceIp with the range 10.0.0.0/16, so every request whose source address is outside that range is denied. Requests that reach S3 over the internet arrive from public addresses, and requests that reach it through an S3 gateway endpoint do not present aws:SourceIp at all (for those, aws:VpcSourceIp is the key that carries the private address, and a negated operator such as NotIpAddress evaluates to true when its key is absent). The condition therefore never fails to match, the Deny applies to every request, and the bucket is effectively unreachable.

Exam trap

AWS tests the misconception that "Deny unless the IP is X" behaves like "Allow from X". It does not: a Deny with NotIpAddress only removes access and never grants any, an explicit Deny overrides every Allow, and a private CIDR can never be the aws:SourceIp of a request that arrives over the internet. Candidates who read the condition as an allow-list pick Option D.

How to eliminate wrong answers

Option A is wrong because requests from public addresses fall outside 10.0.0.0/16 and are exactly the requests the Deny matches. Option B is wrong because the statement is a Deny, not an Allow; it cannot permit anything. Option D is wrong because aws:SourceIp is not the key that identifies a VPC; a request from inside a VPC is matched with aws:SourceVpc or aws:SourceVpce (or aws:VpcSourceIp for its private address), and even a request that escaped the Deny would still need a separate Allow statement to be granted access, since the Deny grants nothing.

4
Multi-Selectmedium

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS region? (Select TWO.)

Select 2 answers
A.VPC peering
B.AWS Direct Connect
C.VPC endpoints
D.Site-to-Site VPN
E.Transit gateway
AnswersA, E

VPC peering links two VPCs directly; a transit gateway connects many VPCs through a regional hub.

Why this answer

VPC peering (Option A) creates a one-to-one, non-transitive private IPv4 or IPv6 routing connection between two VPCs over the AWS network, so they exchange traffic as if they were on the same network without any hub. A transit gateway (Option E) is a regional hub to which many VPCs (and VPN connections or Direct Connect gateways) attach; its route tables provide transitive routing between all attached VPCs and scale far better than a full mesh of peering connections.

Exam trap

The trap is confusing VPC endpoints (private access to a service, not to another VPC's network) with VPC peering or a transit gateway, or assuming that Direct Connect or Site-to-Site VPN connect VPCs to each other, when both are hybrid connectivity services that link on-premises networks to AWS.

5
MCQhard

A company uses AWS WAF to protect a web application. They notice that some malicious requests are being allowed. After investigating, they find that the requests have valid AWS WAF tokens but the payloads are obfuscated. Which WAF configuration should be reviewed to improve detection?

A.Bot Control managed rule group
B.Rate-based rule
C.SQL injection match condition
D.IP set match rule
AnswerA

Bot Control is the managed rule group aimed at automated clients whose requests look legitimate at the protocol level.

Why this answer

Option A is correct. The requests carry valid AWS WAF tokens yet obfuscated payloads, which points at automated tooling rather than at a single pattern a string match could catch; the AWS WAF Bot Control managed rule group is the component that evaluates client behaviour and token signals, so its configuration (including its protection level) is the one to review. Option B is wrong because a rate-based rule only counts requests per source and cannot judge content. Option D is wrong because an IP set rule matches source addresses only.

Option C is wrong because a SQL injection match statement looks for SQLi patterns in the inspected request component; text transformations such as URL_DECODE or BASE64_DECODE can normalise some encodings before the match, but the statement does not address the bot signals the question describes.

6
MCQmedium

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer discovers that an EC2 instance was compromised via SSH. The engineer needs to identify which IAM user created the overly permissive security group rule. Which AWS service or feature should the engineer use?

A.VPC Flow Logs
B.AWS Config
C.Amazon GuardDuty
D.AWS CloudTrail
AnswerD

CloudTrail records API calls and the IAM user who made them.

Why this answer

AWS CloudTrail is the correct service because it records API calls made in the account, including the AuthorizeSecurityGroupIngress call that added the 0.0.0.0/0 rule. Filtering CloudTrail by that event name (and by the security group ID in the request parameters) shows the userIdentity that made the call, its source IP address and the timestamp. Management events such as this one are available in CloudTrail Event history for 90 days by default; a trail that delivers to an S3 bucket (or to CloudWatch Logs) is needed for longer retention and for querying with Athena. VPC Flow Logs, AWS Config and GuardDuty do not record the caller identity for API-level changes.

Exam trap

AWS often tests the distinction between services that log API calls (CloudTrail) versus those that monitor network traffic (VPC Flow Logs) or detect threats (GuardDuty), and the trap here is assuming that VPC Flow Logs or AWS Config can identify the IAM user responsible for a security group rule change.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) but do not record API calls or IAM user identity, so they cannot identify who created the security group rule. Option B is wrong because AWS Config evaluates resource compliance and tracks configuration changes, but it does not directly attribute the change to a specific IAM user; it records the resource state, not the API caller identity. Option C is wrong because Amazon GuardDuty is a threat detection service that analyzes network and account activity for malicious behavior, but it does not log API calls or provide the IAM user who made a specific security group modification.
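The search described above, as an added example that is not part of the original question set: it walks CloudTrail records, keeps the AuthorizeSecurityGroupIngress calls that opened the requested port to 0.0.0.0/0 or ::/0, and attributes each one to the calling principal. The three records are constructed samples in the CloudTrail record format; the account ID, security group ID, user names and addresses are placeholders.

```python
"""Find AuthorizeSecurityGroupIngress calls that opened a port to the world
and attribute each one to the principal that made it.

The records below are constructed samples in the CloudTrail record format
(eventName, userIdentity, requestParameters ...). The account ID, security
group ID, user names and IP addresses are placeholders, not real resources."""
import json
from typing import Dict, List

SAMPLE_RECORDS = json.dumps({"Records": [
    {   # the overly permissive rule: tcp/22 from 0.0.0.0/0
        "eventTime": "2024-05-01T09:12:33Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice",
                         "arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f67890",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # a benign rule: tcp/443 from the VPC only
        "eventTime": "2024-05-01T09:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "userName": "ops-bob",
                         "arn": "arn:aws:iam::123456789012:user/ops-bob"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d4e5f67890",
            "ipPermissions": {"items": [{
                "ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}},
    },
    {   # a different API call, made through an assumed role rather than an IAM user
        "eventTime": "2024-05-01T09:20:45Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RevokeSecurityGroupIngress",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
        "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890",
                              "ipPermissions": {"items": []}},
    },
]})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _permission_covers_port(perm: Dict, port: int) -> bool:
    """True if the ipPermission entry includes `port` (tcp range, or -1 = all protocols)."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def _world_ranges(perm: Dict) -> List[str]:
    """The IPv4/IPv6 ranges in the entry that mean 'anywhere'."""
    v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
    v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return [c for c in v4 + v6 if c in WORLD_CIDRS]


def principal_of(event: Dict) -> str:
    """IAM user name for IAMUser events; otherwise the full ARN (assumed role, root ...)."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "<unknown>")


def find_world_open_ingress(records_json: str, port: int = 22) -> List[Dict]:
    """One finding per AuthorizeSecurityGroupIngress call that opened `port` to 0.0.0.0/0 or ::/0."""
    findings = []
    for ev in json.loads(records_json).get("Records", []):
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = ev.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            if not _permission_covers_port(perm, port):
                continue
            ranges = _world_ranges(perm)
            if ranges:
                findings.append({
                    "principal": principal_of(ev),
                    "principalType": ev.get("userIdentity", {}).get("type"),
                    "sourceIPAddress": ev.get("sourceIPAddress"),
                    "eventTime": ev.get("eventTime"),
                    "groupId": params.get("groupId"),
                    "openTo": ranges,
                })
    return findings


if __name__ == "__main__":
    for f in find_world_open_ingress(SAMPLE_RECORDS):
        print(f"{f['eventTime']} {f['principalType']} {f['principal']} from {f['sourceIPAddress']} "
              f"opened tcp/22 on {f['groupId']} to {', '.join(f['openTo'])}")
```

Against a live account, `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AuthorizeSecurityGroupIngress` returns the last 90 days of matching management events; each item's CloudTrailEvent field is one record in exactly this format, so the same function applies once the records are collected into a Records array. Note that the principal may be an assumed role rather than an IAM user, in which case the session ARN, not a userName, identifies who acted.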

7
MCQmedium

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, while the application and database tiers must be isolated. The security team wants to minimize the attack surface. Which design should they choose?

A.Place the web tier in public subnets with an internet gateway, and the app and DB tiers in private subnets. Use security groups to allow traffic only from the web tier to the app tier and from the app tier to the DB tier.
B.Place all tiers in private subnets and use a NAT gateway for internet access.
C.Place all tiers in the same subnet and use a single security group for all instances.
D.Place all tiers in public subnets and use network ACLs to restrict inbound traffic to the app and DB tiers.
AnswerA

This follows the principle of least privilege and isolation.

Why this answer

Placing the web tier in public subnets and the application and database tiers in private subnets, with security groups that reference the upstream tier's security group as the source, exposes only the web tier and lets each tier accept traffic solely from the tier in front of it. Option A is correct. Option B is wrong because instances in private subnets behind a NAT gateway can initiate outbound connections but cannot be reached from the internet, so the web tier would not be accessible.

Option C is wrong because one subnet and one shared security group give every tier the same exposure and violate least privilege. Option D is wrong because placing all tiers in public subnets puts the application and database tiers on an internet-routable path and relies on stateless network ACLs, a coarser control than security groups, to hold them back.

8
MCQhard

An enterprise is migrating a critical application to AWS. The application requires low latency (under 5 ms) between two EC2 instances that are in different VPCs in the same region. The company also needs to ensure that traffic is encrypted in transit and that the connection is highly available. Which design should be used?

A.Use an AWS Direct Connect connection between the VPCs
B.Configure VPC Peering and use an AWS Transit Gateway with VPN attachments
C.Use VPC endpoints with PrivateLink
D.Establish an AWS Site-to-Site VPN between the VPCs
AnswerB

VPC peering provides the low-latency path, and Transit Gateway VPN attachments add encryption and redundant tunnels.

Why this answer

Option B is correct because Transit Gateway VPN attachments carry traffic in IPsec tunnels and provide high availability through redundant tunnels (two per VPN connection, and more with ECMP across several connections). VPC peering on its own does not encrypt traffic, so the design adds the VPN attachments for the encryption requirement; because both VPCs are in the same Region the traffic stays within the AWS network and the sub-5 ms target is attainable. Two practical caveats: each VPN attachment terminates on a customer gateway device, so in a VPC-to-VPC design the company operates a VPN appliance in the VPC that acts as the customer gateway, and each tunnel carries up to 1.25 Gbps, which has to be checked against the application's throughput.

Exam trap

The trap is stopping at VPC peering because it is the obvious answer for low latency between two VPCs in one Region; it does not satisfy the encryption requirement, while the Transit Gateway VPN attachments in Option B do, and a standalone Site-to-Site VPN (Option D) has no comparable high-availability story and adds tunnel overhead on a public-IP path.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated physical link from on-premises to AWS, not between VPCs; it does not encrypt traffic by itself (MACsec on supported dedicated connections or a VPN over it is needed) and adds cost and complexity that inter-VPC connectivity does not require. Option C is wrong because VPC endpoints with PrivateLink expose a specific service behind a load balancer to consumers in other VPCs; they do not provide a general-purpose network path between two EC2 instances. Option D is wrong because a Site-to-Site VPN between VPCs would terminate on customer gateway instances using public IP addresses, adding tunnel processing and a path outside the VPC routing fabric with variable latency that may exceed 5 ms, and it lacks the built-in redundancy of Transit Gateway with multiple VPN attachments.

9
MCQhard

A company has a production VPC with a public and private subnet across two Availability Zones. The public subnet hosts a Network Load Balancer (NLB) that distributes traffic to EC2 instances in the private subnet. The application experiences periodic failures where the NLB marks all targets as unhealthy for about 2 minutes, then they recover. The health checks are HTTP on port 80 with a 5-second interval, 2 consecutive successes to be healthy, and 2 consecutive failures to be unhealthy. The target group health check timeout is 5 seconds. The EC2 instances are behind an Auto Scaling group with a minimum of 2 instances per AZ. CPU utilization on the instances is stable at 40%. The NLB's CloudWatch metrics show HealthyHostCount drops to zero suddenly. The network engineer suspects a network issue. What is the most likely cause?

A.The security group for the private subnet is blocking inbound traffic from the NLB.
B.The health check timeout is equal to the interval, causing timeouts under transient network delays.
C.The NLB's cross-zone load balancing is disabled, causing all traffic to go to one AZ.
D.The route tables for the private subnets are missing a route to the NLB's subnet.
AnswerB

When the timeout equals the interval there is no slack between probes: any response that takes longer than 5 seconds counts as a failure, and two in a row (10 seconds) mark the target unhealthy. Set the timeout below the interval, or lengthen the interval and raise the unhealthy threshold, so a transient delay does not take the whole target group out of service.

Why this answer

Option B is the most likely cause. The instances are not overloaded (CPU at 40 percent), yet every target in both Availability Zones fails at the same moment and recovers about two minutes later, which is the signature of a transient network delay rather than an application fault. A probe delayed past the 5-second timeout is counted as failed, two consecutive timeouts (the unhealthy threshold) mark all targets unhealthy, and each target then needs two consecutive successes before it is put back in service. Because the timeout equals the interval, a single slow response is enough to begin that sequence.

Option A is wrong because a security group that blocked the NLB's health-check traffic would fail constantly, not periodically. Option C is wrong because cross-zone load balancing only changes how requests are distributed across AZs; it cannot make healthy targets report as unhealthy. Option D is wrong because the NLB reaches targets in its own VPC through the VPC's local route, so no route to the NLB's subnet is required and its absence would not cause intermittent failures.

10
MCQmedium

A company is designing a multi-VPC architecture with VPC peering. They need to ensure that traffic between VPCs is encrypted. What should they do?

A.Use a third-party VPN appliance in each VPC to create an IPsec tunnel between them
B.Establish a VPN connection between the VPCs using virtual private gateways
C.Enable encryption on the VPC peering connection
D.Use AWS Direct Connect to connect the VPCs
AnswerA

VPC peering has no encryption option of its own; encryption has to be added as an IPsec overlay between appliances in the peered VPCs.

Why this answer

Option A is correct because a VPC peering connection forwards packets as-is; to encrypt the traffic the company must build an IPsec tunnel between endpoints it controls, which in a peering design means a VPN appliance (or software IPsec) in each VPC with the tunnel carried over the peering connection. Option C is wrong because there is no encryption setting on a peering connection. Option D is wrong because Direct Connect links on-premises networks to AWS, not VPCs to each other.

Option B is wrong because a virtual private gateway terminates Site-to-Site VPN connections from a customer gateway; two virtual private gateways cannot be connected to each other.

11
MCQmedium

A company has deployed a centralized NAT gateway in a VPC and uses VPC Flow Logs to monitor traffic. The network team notices that traffic from an EC2 instance in a private subnet to the internet is not being logged in the flow logs. The flow logs are configured at the VPC level with the 'ALL' format. What is the most likely cause of this issue?

A.The EC2 instance is using a different VPC than the one where flow logs are configured.
B.The flow log format is set to 'ALL' which excludes NAT gateway traffic.
C.The flow logs are configured to capture only rejected traffic by default.
D.Flow logs must be created specifically for the NAT gateway's elastic network interface to capture its traffic.
AnswerD

Flow logs are collected per elastic network interface; the flows a NAT gateway forwards are recorded against its own ENI, so a flow log whose scope includes that ENI is what makes them visible.

Why this answer

VPC Flow Logs capture traffic per elastic network interface (ENI). A NAT gateway has its own ENI in a public subnet, and after translation the flows it forwards are recorded against that ENI, with the NAT gateway's private address as the source of the outbound records; the instance's own ENI records show only the instance's side of the conversation. Each flow log has a scope (an ENI, a subnet or a VPC) and records only the ENIs inside that scope. A centralized NAT gateway frequently sits in a separate egress VPC that spoke VPCs reach through a transit gateway, so a flow log created on the application VPC never includes the NAT gateway's ENI. Creating a flow log for the NAT gateway's ENI (or for the subnet or VPC that contains it) is what captures the translated traffic leaving for the internet.

Exam trap

AWS tests the assumption that one flow log shows everything that crosses a design: each flow log records only the ENIs within the resource it was created on, so before concluding that traffic is missing, check whether the NAT gateway's ENI falls inside the scope of any flow log.

How to eliminate wrong answers

Option A is wrong because the instance's placement does not change the diagnosis: whichever VPC the instance is in, its hop through the NAT gateway is recorded only by a flow log whose scope includes the NAT gateway's ENI, and the question says the traffic does reach the internet. Option B is wrong because ALL is a traffic filter, not a format: it records both accepted and rejected traffic and excludes nothing; the log format (default or custom) controls which fields appear in a record, not which traffic is captured. Option C is wrong because flow logs have no default of capturing only rejected traffic; the filter (ACCEPT, REJECT or ALL) is chosen at creation, and here it is ALL.

12
MCQmedium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to minimize cost and management overhead. Which solution should be used?

A.Deploy a NAT Gateway in each Availability Zone for high availability.
B.Launch a NAT instance in a public subnet and configure routing.
C.Attach an Internet Gateway to the VPC and add a default route pointing to the IGW in private subnets.
D.Deploy a single NAT Gateway in one public subnet and configure route tables to route 0.0.0.0/0 traffic to it.
AnswerD

A single NAT Gateway provides internet access for all private subnets with minimal cost and management.

Why this answer

Option D is correct because a single NAT gateway in one public subnet, with each private subnet's route table sending 0.0.0.0/0 to it, gives all private subnets outbound internet access at the lowest cost and with no instance to patch. The trade-off is that the whole VPC's egress depends on that one Availability Zone and traffic from the other AZs incurs cross-AZ data charges, which is why the per-AZ design exists. Option A is wrong for this question because a NAT gateway per Availability Zone multiplies the hourly cost when the stated priority is minimal cost. Option C is wrong because an internet gateway only serves instances with public IP addresses; a private subnet needs a NAT device to reach the internet.

Option B is wrong because a NAT instance has to be sized, patched and made highly available by the company, which is the management overhead the question wants to avoid.

13
MCQeasy

A company needs to encrypt data at rest in Amazon S3. Which AWS service manages the encryption keys?

A.AWS Secrets Manager
B.AWS Certificate Manager
C.AWS CloudHSM
D.AWS KMS
AnswerD

KMS provides key management for S3 encryption.

Why this answer

Option D is correct: with SSE-KMS, AWS KMS holds and manages the keys that S3 uses to encrypt objects, and it is the service that gives the customer control over key policies, rotation and usage auditing (SSE-S3 also encrypts at rest, but with keys S3 manages internally). Option B is wrong because AWS Certificate Manager issues and manages TLS certificates. Option C is wrong because AWS CloudHSM is a dedicated hardware security module; it can back a KMS custom key store, but it is not the service S3 integrates with directly.

Option A is wrong because AWS Secrets Manager stores and rotates application secrets such as database credentials, not S3 encryption keys.

14
MCQeasy

A company wants to restrict access to an Amazon S3 bucket so that only requests from a specific VPC endpoint are allowed. Which policy element should be used?

A.ec2:Vpc
B.aws:SourceVpc
C.aws:SourceIp
D.aws:SourceVpce
AnswerD

Restricts to a specific VPC endpoint.

Why this answer

Option D is correct because the aws:SourceVpce condition key carries the ID of the VPC endpoint a request arrived through, so a statement that denies requests whose aws:SourceVpce does not equal the endpoint's ID (or allows only when it does) limits the bucket to that endpoint. Option B is wrong because aws:SourceVpc matches any endpoint in the whole VPC rather than one specific endpoint. Option C is wrong because aws:SourceIp matches public source addresses and is not present for requests that come through a VPC endpoint.

Option A is wrong because ec2:Vpc is a condition key for EC2 API actions and has no meaning in an S3 bucket policy.
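The two condition patterns discussed in questions 3 and 14, as one added example that is not part of the original question set: a small evaluator for IpAddress/NotIpAddress on aws:SourceIp and StringEquals/StringNotEquals on aws:SourceVpce, applied to a "deny unless private range" policy and to a "deny unless this endpoint" policy. It models the two rules the questions hinge on, that an explicit Deny overrides any Allow and that a negated operator evaluates to true when its key is absent from the request context. The bucket name, endpoint and VPC IDs and request contexts are constructed placeholders; Principal and Resource matching are not modelled.

```python
"""Toy evaluator for the S3 bucket-policy conditions used in questions 3 and 14:
IpAddress / NotIpAddress on aws:SourceIp and StringEquals / StringNotEquals on
aws:SourceVpce. It models the two rules the questions hinge on: an explicit Deny
overrides any Allow, and a negated operator (NotIpAddress, StringNotEquals)
evaluates to true when the condition key is absent from the request context.
Bucket name, endpoint ID, VPC ID and request contexts are constructed
placeholders; Principal and Resource are not checked (every sample request
targets objects in the one bucket)."""
import ipaddress
from typing import Dict, List

NEGATED = {"NotIpAddress", "StringNotEquals"}


def _operator_matches(op: str, ctx_value: str, policy_values: List[str]) -> bool:
    if op in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(ctx_value)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in policy_values)
    elif op in ("StringEquals", "StringNotEquals"):
        hit = ctx_value in policy_values
    else:
        raise ValueError(f"unsupported condition operator: {op}")
    return (not hit) if op in NEGATED else hit


def condition_matches(condition: Dict, ctx: Dict[str, str]) -> bool:
    """All operator blocks and all keys inside them must match (logical AND)."""
    for op, keys in condition.items():
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            if key not in ctx:
                if op in NEGATED:
                    continue          # absent key: NotX is satisfied
                return False          # absent key: a positive match fails
            if not _operator_matches(op, ctx[key], values):
                return False
    return True


def evaluate(policy: Dict, action: str, ctx: Dict[str, str]) -> str:
    """'ALLOW' if some Allow matches and no Deny matches; otherwise 'DENY' (explicit or implicit)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions and "s3:*" not in actions:
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "DENY"             # explicit Deny wins over every Allow
        allowed = True
    return "ALLOW" if allowed else "DENY"


BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"   # placeholder bucket

# Question 3 pattern: a Deny unless the source IP is in a private range, with no Allow at all.
PRIVATE_RANGE_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/16"}}}]}

# Question 14 pattern: allow reads, then deny anything that did not arrive via one endpoint.
ENDPOINT_ID = "vpce-0123456789abcdef0"              # placeholder endpoint ID
VPCE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}}}]}

# Constructed request contexts. A request through a gateway endpoint carries
# aws:SourceVpce / aws:SourceVpc but no aws:SourceIp.
INTERNET_REQUEST = {"aws:SourceIp": "203.0.113.10"}
ENDPOINT_REQUEST = {"aws:SourceVpce": ENDPOINT_ID, "aws:SourceVpc": "vpc-0abc0abc0abc0abc0"}
OTHER_ENDPOINT_REQUEST = {"aws:SourceVpce": "vpce-0fedcba9876543210"}

if __name__ == "__main__":
    for name, pol in (("private-range deny", PRIVATE_RANGE_DENY), ("vpce-only", VPCE_ONLY)):
        for label, ctx in (("internet", INTERNET_REQUEST), ("endpoint", ENDPOINT_REQUEST),
                           ("other endpoint", OTHER_ENDPOINT_REQUEST)):
            print(f"{name:20} {label:15} -> {evaluate(pol, 's3:GetObject', ctx)}")
```

The first policy denies every constructed request, including one whose aws:SourceIp really were 10.0.1.5, because the Deny grants nothing and there is no Allow to fall back on. The second allows only the request that carries the expected aws:SourceVpce; an internet request, which has no aws:SourceVpce at all, is denied because StringNotEquals is satisfied by the missing key. For real policies, `aws iam simulate-custom-policy` accepts a resource policy and a context and performs the authoritative evaluation.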

15
MCQhard

Refer to the exhibit. A company has an S3 bucket policy that allows public read access only from a specific IP range (203.0.113.0/24). Users outside this range report that they can still access objects in the bucket. What is the most likely reason?

A.The bucket policy uses the wrong condition key; it should be aws:SourceIpAddress
B.The bucket policy is not being evaluated because the bucket is in a different region
C.The bucket is configured with server-side encryption, which prevents the policy from being applied
D.The bucket also has a bucket ACL that grants public read access, overriding the policy condition
AnswerD

A bucket ACL that grants public read gives access on its own; the IP condition in the bucket policy only constrains the policy's Allow and does not revoke what the ACL grants.

Why this answer

Option D is correct. S3 authorizes a request if any applicable grant allows it and no policy explicitly denies it: bucket policy, bucket ACL and object ACLs are combined as a union of permissions. The bucket policy's Allow is correctly limited to 203.0.113.0/24, but that limit applies only to the policy's own grant. A bucket ACL (or object ACL) that grants READ to AllUsers is an independent grant with no IP condition, so users outside the range are still allowed. To make the IP restriction effective, remove the public ACL grants (or enable S3 Block Public Access and set Object Ownership to bucket owner enforced, which disables ACLs entirely), or add an explicit Deny with NotIpAddress, which overrides any ACL grant.

Exam trap

Candidates read a conditional Allow as if it were a restriction. In S3 a conditional Allow restricts only itself; anything granted elsewhere (an ACL, another policy statement, the IAM policy of an authenticated caller) still applies unless an explicit Deny blocks it. A related pitfall: when objects are served through CloudFront, aws:SourceIp is the CloudFront edge address rather than the viewer's, so IP allow-lists in the bucket policy never see end-user addresses.

How to eliminate wrong answers

Option A is wrong because aws:SourceIp is the correct condition key; aws:SourceIpAddress does not exist, and a policy using a nonexistent key would be rejected or would never match, neither of which widens access. Option B is wrong because a bucket policy is attached to the bucket and evaluated for every request to it regardless of Region. Option C is wrong because server-side encryption changes how objects are stored, not how requests are authorized; policy evaluation is unaffected. Pre-signed URLs do not explain the symptom either: a pre-signed request is authorized as the principal who signed it and remains subject to the bucket policy's conditions.

16
Multi-Selecthard

A company has a VPC with a CIDR of 10.0.0.0/16. The company needs to add a new subnet for a container cluster that requires at least 2000 IP addresses. Which TWO subnet CIDR blocks meet this requirement? (Choose two.)

Select 2 answers
A.10.0.0.0/24
B.10.0.0.0/25
C.10.0.0.0/20
D.10.0.0.0/21
E.10.0.0.0/26
AnswersC, D

4096 addresses, more than 2000.

Why this answer

Option C (10.0.0.0/20) provides 2^(32-20) = 4096 IP addresses, and option D (10.0.0.0/21) provides 2^(32-21) = 2048 IP addresses. Both meet the requirement of at least 2000 usable IP addresses (after subtracting AWS reserved addresses, each still offers well over 2000).

Exam trap

AWS often tests the misconception that a /24 subnet (256 addresses) is sufficient for 2000 IPs, or that candidates forget to calculate total addresses as 2^(32-prefix) and instead guess based on the prefix number alone.
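The arithmetic above generalised into a small planning tool, as an added example that is not part of the original question set: it applies the five addresses AWS reserves in every IPv4 subnet and the /16 to /28 size limits, scores the five answer options, finds the smallest legal prefix for a host count, and places that prefix inside the VPC without overlapping subnets that already exist. The VPC CIDR and the two existing subnets are constructed inputs.

```python
"""Subnet sizing for a VPC, generalising question 16: AWS reserves five
addresses in every IPv4 subnet (network address, VPC router, DNS, one
reserved for future use, broadcast), and a subnet prefix must lie between
/16 and /28. The VPC CIDR and existing subnets below are constructed inputs."""
import ipaddress
from typing import Iterable, Optional

AWS_RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28


def usable_addresses(cidr_or_prefix) -> int:
    """Usable IPv4 addresses in an AWS subnet, given a CIDR string or a prefix length."""
    prefix = (cidr_or_prefix if isinstance(cidr_or_prefix, int)
              else ipaddress.ip_network(cidr_or_prefix, strict=False).prefixlen)
    return 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET


def fits(cidr: str, hosts: int) -> bool:
    return usable_addresses(cidr) >= hosts


def smallest_prefix_for(hosts: int) -> int:
    """Most specific AWS-legal prefix that still offers `hosts` usable addresses."""
    for prefix in range(MAX_PREFIX, MIN_PREFIX - 1, -1):
        if usable_addresses(prefix) >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


def first_free_subnet(vpc_cidr: str, prefix: int, existing: Iterable[str]) -> Optional[str]:
    """First block of the given prefix inside the VPC that overlaps no existing subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(c) for c in existing]
    if not (MIN_PREFIX <= prefix <= MAX_PREFIX) or prefix < vpc.prefixlen:
        raise ValueError(f"/{prefix} is not a valid subnet size for {vpc_cidr}")
    for candidate in vpc.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None


def plan_subnet(vpc_cidr: str, hosts: int, existing: Iterable[str]) -> Optional[str]:
    """Smallest non-overlapping subnet in the VPC that provides `hosts` usable addresses."""
    return first_free_subnet(vpc_cidr, smallest_prefix_for(hosts), existing)


OPTIONS = ["10.0.0.0/24", "10.0.0.0/25", "10.0.0.0/20", "10.0.0.0/21", "10.0.0.0/26"]

if __name__ == "__main__":
    for cidr in OPTIONS:
        print(f"{cidr:14} usable={usable_addresses(cidr):5}  fits 2000: {fits(cidr, 2000)}")
    # Constructed: the VPC already has two /24 subnets in use.
    print("plan:", plan_subnet("10.0.0.0/16", 2000, ["10.0.0.0/24", "10.0.1.0/24"]))
```

The /21 is the smallest answer that fits (2043 usable addresses), and because the first /21 of the VPC collides with the existing /24 subnets, the planner places the new subnet at 10.0.8.0/21 rather than at the start of the block. A container cluster that assigns a VPC address per pod tends to outgrow 2000 quickly, so the /20 is the safer of the two correct options.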

17
MCQeasy

A company wants to audit all network traffic to and from an EC2 instance for compliance. The security team needs to capture full packet contents, including headers and payload, and store them in Amazon S3 for analysis. Which AWS service should they use?

A.Amazon CloudWatch Logs with the EC2 agent
B.Traffic Mirroring
C.AWS Config
D.VPC Flow Logs
AnswerB

Traffic Mirroring copies full packets; Flow Logs record only metadata.

Why this answer

Option B is correct because VPC Traffic Mirroring copies the full packets, headers and payload, seen by an elastic network interface. The mirror target is another ENI, a Network Load Balancer with a UDP 4789 listener, or a Gateway Load Balancer endpoint, so in practice the copies go to a capture or analysis appliance that writes them (for example as pcap files) to S3; S3 itself is not a mirror target. Option D is wrong because VPC Flow Logs record flow metadata (addresses, ports, protocol, byte and packet counts), not packet contents. Option A is wrong because the CloudWatch agent ships log files and metrics, not packets.

Option C is wrong because AWS Config records resource configuration changes, not network traffic.

18
MCQhard

A network engineer is configuring an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer creates a customer gateway, VPN connection, and virtual private gateway. The VPN tunnel status shows 'down'. Which configuration step is most likely missing?

A.Attach the VPN connection to the virtual private gateway
B.Enable route propagation on the virtual private gateway
C.Add a static route to the VPN connection in the route table
D.Configure the on-premises router with the correct pre-shared key and tunnel IP addresses
AnswerD

The on-premises device must be configured with the tunnel parameters AWS generated for the connection.

Why this answer

Option D is correct. The tunnel comes up only when the customer gateway device completes IKE and IPsec negotiation with the AWS endpoints, which requires the on-premises router to be configured with the tunnel outside IP addresses, the pre-shared keys and the matching proposals from the downloaded configuration; until that is done the tunnel stays down regardless of the AWS-side routing. Option A is wrong because the virtual private gateway is specified as the target gateway when the VPN connection is created, so there is no separate attachment step. Option B is wrong because route propagation only controls whether learned routes appear in the VPC route tables; it has no effect on tunnel establishment.

Option C is wrong because static routes determine where traffic is forwarded once the tunnel is up; a missing route produces unreachable destinations, not a tunnel in the down state.

19
Multi-Selectmedium

A network engineer is troubleshooting connectivity between an on-premises data center and a VPC over an AWS Site-to-Site VPN. The tunnel status shows UP, but traffic from on-premises to the VPC is intermittently dropped. Which TWO of the following are likely causes? (Choose 2.)

Select 2 answers
A.Dead Peer Detection (DPD) timeout configuration
B.BGP hold timer expiration
C.Asymmetric routing across multiple tunnels
D.Incorrect MTU size causing packet fragmentation
E.IPsec SA lifetime mismatch between peers
AnswersC, D

Asymmetric routing can cause stateful devices to drop packets.

Why this answer

An incorrect MTU on the tunnel interface causes fragmentation or, where the DF bit is set and ICMP fragmentation-needed messages are blocked, silently dropped packets for larger payloads, which shows up as intermittent loss; clamping TCP MSS on the tunnel interface is the usual fix. Asymmetric routing, where traffic leaves over one tunnel and returns over the other, causes stateful firewalls along the path to drop return traffic they hold no state for; using ECMP consistently on both sides or preferring the same tunnel in both directions resolves it. A Dead Peer Detection (DPD) timeout would bring the tunnel down rather than drop individual packets; a BGP hold timer expiration would reset the BGP session and withdraw routes; and an IPsec SA lifetime mismatch would cause periodic rekey problems, not the steady intermittent drops described.

20
MCQeasy

A company is using AWS Direct Connect with a private VIF. They want to monitor the BGP session status and receive alerts if the session goes down. Which AWS service should they use?

A.VPC Flow Logs
B.Amazon CloudWatch
C.AWS Config
D.AWS CloudTrail
AnswerB

Direct Connect publishes connection and virtual interface metrics to CloudWatch, where alarms can notify on a state change.

Why this answer

Amazon CloudWatch is the correct service. AWS Direct Connect publishes metrics to CloudWatch for each connection and virtual interface, among them ConnectionState (1 = up, 0 = down), error and light-level counters, and per-VIF bits-per-second and packets-per-second in each direction; a CloudWatch alarm on ConnectionState that publishes to an Amazon SNS topic alerts the team when the link fails. The BGP peer state of the private VIF is exposed through the Direct Connect API (the bgpStatus field of each BGP peer returned by DescribeVirtualInterfaces) rather than as a built-in metric; polling it on a schedule and writing the result as a custom CloudWatch metric puts the BGP session under the same alarm-and-notify mechanism, and a sudden drop in VirtualInterfaceBpsIngress is a useful corroborating signal.

Exam trap

Candidates confuse monitoring with logging: Flow Logs and CloudTrail record events after the fact and Config tracks configuration, while only CloudWatch offers the metric, alarm and notification chain that turns a Direct Connect state change into an alert.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs record IP flow metadata (source and destination addresses, ports, protocol) per network interface, not routing protocol state. Option C is wrong because AWS Config records configuration changes and evaluates compliance rules; it does not observe the operational health of a BGP session or raise metric-based alerts. Option D is wrong because AWS CloudTrail logs API calls and management events such as creating a VIF, not the operational state of a BGP session between the customer router and AWS.

21
MCQmedium

A company has a VPC with multiple subnets. They have an AWS Network Firewall deployed in a firewall subnet. They want to inspect all outbound traffic from the VPC to the internet. Currently, the VPC route table has a default route (0.0.0.0/0) pointing to an internet gateway. What routing change is required to route outbound traffic through the firewall?

A.Create a VPC Gateway Endpoint for the firewall service.
B.Add a NAT gateway in a public subnet and route 0.0.0.0/0 to the NAT gateway, then point the NAT gateway to the firewall.
C.Add a route in the subnet route tables that sends 0.0.0.0/0 traffic to the Network Firewall endpoint's elastic network interface.
D.Add a transit gateway and attach the VPC and the internet gateway to it, then route traffic through the firewall.
AnswerC

This sends outbound traffic to the firewall endpoint for inspection before it reaches the internet gateway.

Why this answer

Option C is correct because AWS Network Firewall inspects only the traffic that is routed to its firewall endpoint, so the route tables of the protected subnets must send 0.0.0.0/0 to the firewall endpoint instead of to the internet gateway; the firewall subnet's own route table then sends 0.0.0.0/0 to the internet gateway. For inspection to work in both directions the return traffic must also pass through the firewall, which is done with an ingress route table associated with the internet gateway that routes the protected subnets' CID blocks to the firewall endpoint. Option B is wrong because a NAT gateway translates addresses but performs no inspection, and it cannot be pointed at a firewall. Option D is wrong because an internet gateway cannot be attached to a transit gateway; transit gateways connect VPCs and on-premises networks.

Option A is wrong because gateway endpoints exist only for S3 and DynamoDB; the Network Firewall endpoint is created by the firewall itself in the subnet chosen for it, not as a gateway endpoint.

22
MCQmedium

A company is deploying a multi-tier web application across three Availability Zones in a VPC. The web tier must be highly available and scale based on CPU utilization. The database tier uses an Amazon RDS Multi-AZ DB instance. The web tier must have the lowest possible latency to the internet. Which configuration should be used for the web tier subnets?

A.Place the web tier in public subnets with auto-assign public IP addresses disabled.
B.Place the web tier in public subnets with auto-assign public IP addresses enabled.
C.Place the web tier in private subnets and use a VPC endpoint for internet access.
D.Place the web tier in private subnets and use a NAT gateway for internet access.
AnswerB

Public subnets with public IP addresses give the instances a direct path through the internet gateway.

Why this answer

Option B is correct because instances in public subnets with public IP addresses receive and return internet traffic directly through the internet gateway, with no intermediate hop. Option A is wrong because without public addresses the instances cannot be reached from the internet even though the subnet is public. Option C is wrong because VPC endpoints provide private access to AWS services and deliver no internet connectivity. Option D is wrong because a NAT gateway permits only outbound-initiated traffic and adds a hop, so the web tier would neither be reachable from the internet nor have the lowest latency. In most production designs the internet-facing component is a load balancer in the public subnets with the web instances behind it in private subnets; the question's constraint of lowest possible latency to the internet is what points at public IP addresses on the instances themselves.

23
MCQeasy

A company wants to block incoming traffic from specific IP addresses at the edge of the AWS network before it reaches the application load balancer. Which AWS service should be used?

A.AWS WAF web ACL associated with the ALB
B.Network ACLs on the VPC subnet containing the ALB
C.Security Groups attached to the ALB
D.Amazon CloudFront with origin access identity
AnswerA

AWS WAF can block listed IP addresses with an IP set rule in a web ACL associated with the ALB.

Why this answer

Option A is correct because a web ACL associated with the Application Load Balancer evaluates each request before it is forwarded to the targets and can block requests from addresses listed in an IP set. Option C is wrong because security groups on the ALB are stateful allow-lists at the load balancer's network interfaces; they cannot express deny rules for specific addresses. Option B is wrong because network ACLs filter at the subnet boundary by address and port with no awareness of HTTP, and their rule count is limited, so they are a poor fit for a maintained block-list.

Option D is wrong because an origin access identity only restricts access to an S3 origin; blocking viewer addresses at CloudFront's edge would again be done with AWS WAF, and the question's filter point is the ALB.

24
MCQhard

A network engineer is designing a multi-region application that requires low-latency traffic between EC2 instances in two different AWS Regions. The engineer needs to ensure that traffic between the instances uses the AWS global network and not the public internet. Which AWS service should be used?

A.AWS Direct Connect
B.AWS Global Accelerator
C.AWS Transit Gateway
D.VPC Peering
AnswerB

Global Accelerator uses the AWS global network to improve latency.

Why this answer

Option B is correct because AWS Global Accelerator routes traffic over the AWS global network rather than the public internet, which is exactly what the question asks for. Option A is wrong because Direct Connect is for connecting on-premises networks to AWS. Option C is wrong because Transit Gateway does not natively support inter-region connectivity; inter-region peering has to be set up explicitly.

Option D is wrong because VPC Peering requires explicit inter-region peering and does not provide low-latency optimization.

25
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They create a subnet 10.0.1.0/24 and launch an EC2 instance with a private IP 10.0.1.5. The instance needs to communicate with an on-premises server at 172.16.0.10 over a VPN connection. The VPN connection uses a Virtual Private Gateway. The VPC route table has a route 172.16.0.0/16 pointing to the VPG. The instance cannot reach the on-premises server. What is the most likely cause?

A.The security group attached to the instance does not allow outbound traffic to 172.16.0.10.
B.The instance's route table does not have a route to the internet gateway.
C.The network ACL for the subnet denies outbound traffic to the on-premises IP range.
D.The on-premises router is not advertising the 172.16.0.0/16 route to the Virtual Private Gateway.
AnswerD

Without the route advertisement, the VPG does not know how to reach the on-premises network.

Why this answer

The VPN connection requires that the on-premises network advertise routes to the VPG via BGP. If the on-premises router is not advertising the 172.16.0.0/16 route, the VPG will not have a route to forward traffic. Option A (security group) would affect inbound, not outbound; Option C (NACL) would need to be checked, but the default NACL allows all traffic; Option B (internet gateway) is not needed for VPN.

26
MCQmedium

A company has multiple VPCs that need to communicate with each other. They want to use a hub-and-spoke model with centralized network management. Which AWS service should they use?

A.AWS Direct Connect
B.VPN CloudHub
C.VPC Peering
D.AWS Transit Gateway
AnswerD

Transit Gateway enables a hub-and-spoke topology with centralized routing.

Why this answer

AWS Transit Gateway (D) is the correct choice because it acts as a central hub that interconnects multiple VPCs and on-premises networks using a hub-and-spoke topology. It simplifies network management by providing a single point of connectivity and supports transitive routing between all attached VPCs, which is exactly what the company needs for centralized network management.

Exam trap

The trap here is that candidates often confuse VPC Peering (C) as the default solution for VPC connectivity, but they overlook its lack of transitive routing and the management overhead of creating a full mesh, which makes Transit Gateway the only correct choice for a hub-and-spoke model with centralized management.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect is a dedicated network connection from on-premises to AWS, not a service for interconnecting multiple VPCs in a hub-and-spoke model. Option B is wrong because VPN CloudHub is designed to connect multiple on-premises sites via VPN tunnels to a single AWS VPN endpoint, but it does not provide transitive routing between VPCs or centralized VPC management. Option C is wrong because VPC Peering creates a one-to-one, non-transitive connection between two VPCs; to interconnect multiple VPCs, you would need a full mesh of peering connections, which is complex and does not scale well, unlike the hub-and-spoke model required.

27
MCQmedium

A company deployed an Application Load Balancer (ALB) in front of a fleet of EC2 instances. Users report intermittent timeouts. The ALB's target group health checks are failing for some instances. The instances are in private subnets with a single NAT Gateway. What is the most likely cause?

A.The security group on the EC2 instances does not allow inbound traffic from the ALB's security group.
B.The route tables in the private subnets do not have a default route pointing to the NAT Gateway.
C.The EC2 instances are of an unsupported instance type for ALB target groups.
D.The NAT Gateway is in a single Availability Zone, causing traffic to fail during an AZ outage.
AnswerA

ALB health checks originate from the ALB's security group; if not allowed, health checks fail.

Why this answer

Health checks from the ALB originate from the ALB's subnet and do not require a NAT Gateway. However, if the security group for the instances does not allow inbound traffic from the ALB's security group, health checks will fail. Option D (NAT Gateway) is unrelated; Option B (route table) would affect outbound traffic only; Option C (instance type) is unlikely.

28
MCQhard

A network engineer is troubleshooting connectivity issues between an on-premises network and a VPC over a Direct Connect private VIF. The on-premises network can reach EC2 instances in the VPC, but cannot reach an RDS database in the same VPC. The VPC has a single subnet. What is the MOST likely cause?

A.The VPC network ACL is blocking inbound traffic from on-premises
B.The direct connect virtual interface is configured for a different VLAN
C.The RDS database security group is not allowing inbound traffic from the on-premises CIDR
D.The VPC route table does not have a route to the on-premises network
AnswerC

Security groups are stateful and often the cause of such issues.

Why this answer

Option C is correct because the RDS security group most likely does not allow inbound traffic from the on-premises CIDR. Option A is less likely: NACLs are stateless and could be the cause, but the security group is the more common culprit for RDS reachability. Option B is wrong because Direct Connect routing is already working for the EC2 instances, so the VIF is on the correct VLAN.

Option D is wrong because a missing VPC route would affect all traffic to the subnet, including the EC2 instances that are reachable.

29
Multi-Selectmedium

A company is designing a highly available network architecture using AWS Direct Connect. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to ensure that if one connection fails, traffic automatically fails over to the other. Which TWO steps should they take? (Select TWO.)

Select 2 answers
A.Advertise the same prefix over both Direct Connect connections.
B.Use a different BGP AS number for each Direct Connect connection.
C.Use static routes instead of BGP for the Direct Connect connections.
D.Enable Bidirectional Forwarding Detection (BFD) on both BGP sessions.
E.Configure a single virtual interface for both connections.
AnswersA, D

Same prefix allows BGP to select the best path and fail over automatically.

Why this answer

To achieve high availability with Direct Connect, configure BGP so that the same prefix is advertised over both connections and enable Bidirectional Forwarding Detection (BFD) for fast failure detection. Option A (same prefix) is correct; Option D (BFD) is correct; Option B (a different AS number per connection) is not required; Option C (static routes) is not preferred; Option E (a single VIF for both connections) is not recommended.

30
MCQmedium

A network engineer is troubleshooting connectivity from an EC2 instance in subnet-12345678 to a server on the internet. The instance has a public IP and a security group allowing all outbound traffic. However, traffic fails. Based on the exhibit, what is the issue?

A.The inbound rule only allows TCP traffic, which blocks return traffic for other protocols.
B.The inbound rule blocks TCP traffic on ephemeral ports.
C.The outbound rule blocks all traffic.
D.The security group does not allow outbound traffic.
AnswerA

The NACL inbound rule allows only TCP (protocol 6), so return traffic for UDP or ICMP is blocked.

Why this answer

Option A is correct. The inbound rule (egress=false) allows only TCP (protocol 6) with no port range specified (all ports), while the outbound rule allows all traffic (protocol -1). NACLs are stateless, so the return traffic for a connection the instance initiates is evaluated against the inbound rule: for a TCP connection (for example HTTP) the returning TCP packets are allowed, but for any non-TCP protocol such as ICMP (ping) or UDP the reply is blocked. The question does not specify the protocol, but the only restriction present is that the inbound rule allows TCP alone, so blocked return traffic for other protocols is the cause of the failure.

Option B is wrong because the inbound rule does not restrict TCP on ephemeral ports; it allows TCP on all ports from 0.0.0.0/0. Option C is wrong because the outbound rule allows all traffic. Option D is wrong because the security group allows all outbound traffic.

31
MCQhard

A company has multiple AWS accounts and wants to centrally manage network security using AWS Network Firewall. The firewall must inspect traffic between VPCs in the same Region. Which deployment model achieves this with minimal latency?

A.Deploy AWS Network Firewall in each VPC and configure VPC peering between VPCs.
B.Deploy AWS Network Firewall in a shared services VPC and use VPC peering to connect all VPCs.
C.Use AWS Transit Gateway and attach AWS Network Firewall as a VPC attachment to the transit gateway.
D.Use a centralized inspection VPC with a Gateway Load Balancer and third-party appliances.
AnswerC

This centralizes inspection and routes traffic through the firewall with minimal latency.

Why this answer

Option C is correct because AWS Network Firewall deployed in a central inspection VPC attached to the transit gateway can inspect traffic between VPCs when the transit gateway route tables steer traffic through the firewall. Option A is wrong because a firewall in each VPC is not centralized and would not inspect inter-VPC traffic unless routing is configured for it, which adds overhead. Option B is wrong because the firewall must be in the path of the traffic, and VPC peering is not transitive, so traffic between two peered VPCs would not pass through the shared services VPC.

Option D is wrong because it relies on third-party appliances behind a Gateway Load Balancer rather than AWS Network Firewall, which the question requires.

32
MCQmedium

A company wants to allow an external auditor to access a specific EC2 instance in their VPC for a limited time. The auditor will connect via SSH from a known IP address. What is the MOST secure way to grant access?

A.Assign a public IP to the instance and create a security group rule allowing SSH from the auditor's IP.
B.Configure a security group for the instance that allows SSH from the VPC CIDR.
C.Create a bastion host in a public subnet with a security group allowing SSH from the auditor's IP, and allow SSH from the bastion to the instance.
D.Set up a client VPN endpoint and allow the auditor to connect to the VPC, then SSH to the instance.
AnswerC

The bastion acts as a jump box, limiting exposure and providing a single point of access.

Why this answer

Option C is correct because a bastion host with a security group that restricts the source IP is a secure practice: it limits exposure and gives a single point of access. Option A is wrong because exposing port 22 on the instance's own public IP is insecure. Option B is wrong because a security group allowing the whole VPC CIDR is less restrictive.

Option D is wrong because a VPN still exposes the instance to the VPC network.

33
Multi-Selecthard

A company has a Direct Connect connection with a private VIF attached to a virtual private gateway. The VPC has multiple subnets in two Availability Zones. The on-premises network advertises a default route (0.0.0.0/0) via BGP. The company wants all internet-bound traffic from the VPC to go through the on-premises network. Which THREE actions are required to achieve this?

Select 3 answers
A.Deploy a NAT Gateway in a public subnet.
B.Add a default route pointing to the virtual private gateway in the private subnet route tables.
C.Remove the default route to the internet gateway from the main route table.
D.Attach an internet gateway to the VPC.
E.Enable route propagation on the VPC route tables.
AnswersB, C, E

Ensures private subnet traffic goes through Direct Connect.

Why this answer

Option B is correct because adding a default route (0.0.0.0/0) pointing to the virtual private gateway in the private subnet route tables ensures that all internet-bound traffic from those subnets is forwarded over the Direct Connect private VIF to the on-premises network. This leverages the BGP-advertised default route from the on-premises network, allowing the company to enforce its security and routing policies for internet access.

Exam trap

AWS often tests the misconception that a NAT Gateway or internet gateway is required for outbound internet traffic, but in this scenario, the on-premises network acts as the internet gateway, so the correct approach is to route traffic over the Direct Connect connection using the virtual private gateway.
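As an added illustration (not from the question bank and not AWS code) of why option C matters here, the following Python model performs a VPC route-table lookup: the longest prefix wins, and for routes of equal length it applies the route priority order from the VPC documentation (local, then static, then propagated routes in the order Direct Connect BGP, VPN static, VPN BGP). That tie-break order is an assumption modelled from the docs, not AWS's implementation. The route tables and gateway ids are constructed placeholders, and the `::/0` entry shows the same lookup handling an IPv6 route like the one in question 44.

```python
"""VPC route-table lookup with AWS route priority.

Added example, not from the question bank or AWS. It models how a VPC route
table picks a target: longest prefix first, and for routes of equal length the
documented precedence local > static > propagated (Direct Connect BGP, then
VPN static, then VPN BGP). The precedence order and all tables below are a
reconstruction for illustration; gateway ids are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Tie-break among routes with the same prefix length (assumption: modelled from
# the VPC route priority rules, not AWS code). Lower value wins.
ORIGIN_PRIORITY = {
    "local": 0,
    "static": 1,
    "propagated-dx": 2,            # BGP routes learned over a Direct Connect private VIF
    "propagated-vpn-static": 3,
    "propagated-vpn-bgp": 4,
}


@dataclass(frozen=True)
class Route:
    prefix: str      # IPv4 or IPv6 CIDR
    target: str      # "local", "igw-...", "vgw-...", "eigw-...", ...
    origin: str      # key of ORIGIN_PRIORITY


def lookup(routes: List[Route], destination: str) -> Optional[str]:
    """Return the target for a destination address, or None if no route matches."""
    dst = ip_address(destination)
    # ip_network.__contains__ is False across IP versions, so IPv4 and IPv6
    # routes can share one table exactly as they do in a dual-stack VPC.
    candidates = [r for r in routes if dst in ip_network(r.prefix)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (ip_network(r.prefix).prefixlen,
                                           -ORIGIN_PRIORITY[r.origin]))
    return best.target


# Question 33 before the fix: the main route table still carries a static default
# route to the internet gateway while a 0.0.0.0/0 propagated from on-premises over
# Direct Connect also exists. The static route wins the tie, so internet-bound
# traffic bypasses on-premises. (Constructed table; placeholder gateway ids.)
MAIN_TABLE_WITH_IGW_DEFAULT = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "igw-PLACEHOLDER", "static"),
    Route("0.0.0.0/0", "vgw-PLACEHOLDER", "propagated-dx"),
    Route("172.16.0.0/12", "vgw-PLACEHOLDER", "propagated-dx"),
]

# After options B, C and E: no IGW default, propagation enabled, and a static
# default pointing at the virtual private gateway. Internet-bound traffic now
# goes over Direct Connect to on-premises. The ::/0 -> egress-only IGW entry
# shows the same lookup handling the IPv6 route from question 44.
PRIVATE_TABLE_FIXED = [
    Route("10.0.0.0/16", "local", "local"),
    Route("0.0.0.0/0", "vgw-PLACEHOLDER", "static"),
    Route("0.0.0.0/0", "vgw-PLACEHOLDER", "propagated-dx"),
    Route("172.16.0.0/12", "vgw-PLACEHOLDER", "propagated-dx"),
    Route("::/0", "eigw-PLACEHOLDER", "static"),
]


if __name__ == "__main__":
    for name, table in (("before", MAIN_TABLE_WITH_IGW_DEFAULT), ("after", PRIVATE_TABLE_FIXED)):
        for dest in ("198.51.100.7", "172.16.0.10", "10.0.5.4", "2001:db8::1"):
            print(f"{name:6} {dest:>14} -> {lookup(table, dest)}")
```

Running the block shows the internet destination 198.51.100.7 resolving to the internet gateway in the "before" table and to the virtual private gateway once the static IGW default is removed, while the local and on-premises prefixes are unaffected because they are longer matches.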

34
MCQeasy

A company has a VPC with a CIDR of 10.0.0.0/16. They have an Application Load Balancer (ALB) in public subnets and EC2 instances in private subnets. The ALB is configured to route traffic to the instances. Users can reach the ALB, but the ALB returns 502 Bad Gateway errors. The target group health checks are failing. The instances are running a web server on port 80. The security group for the instances allows inbound traffic from the ALB's security group on port 80. The network ACL for the private subnets allows inbound traffic on port 80 from the public subnet CIDR (10.0.1.0/24). What is the most likely cause of the health check failures?

A.The network ACL for the private subnets does not allow inbound traffic on port 80 from the ALB's subnet
B.The security group for the instances does not allow inbound traffic from the ALB
C.The network ACL for the private subnets is stateless and is blocking the return traffic from the instances to the ALB
D.The target group is configured with the wrong port
AnswerC

NACLs are stateless; outbound traffic from the private subnet to the ALB must be explicitly allowed.

Why this answer

Option C is correct. The health checks originate from the ALB's private IPs, which are in the public subnet CIDR 10.0.1.0/24, and the NACL allows that inbound traffic on port 80. But NACLs are stateless, so the return traffic from the instances back to the ALB (on ephemeral ports) must also be explicitly allowed by an outbound rule on the private subnet NACL; the most likely issue is that the NACL is blocking this return traffic.

Option A is wrong because the NACL allows inbound on port 80 from the public subnet. Option B is wrong because the security group allows the traffic. Option D is wrong because the target group port is correct.
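As an added illustration (not from the question bank and not AWS code) of the stateless behaviour behind questions 30 and 34, the following Python model evaluates a subnet NACL one packet at a time: a flow succeeds only if the request passes the rules for its direction and the reply passes the rules for the opposite direction. The rule sets, addresses and ports are constructed, and the `Rule` and `Packet` classes and the `flow_allowed` helper are the example's own names.

```python
"""Stateless network ACL evaluator.

Added example, not from the question bank or AWS: it models how a subnet NACL
evaluates each packet independently, so a flow only works when both the
request and its reply are allowed, each by the rules of its own direction.
All rule sets and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int                      # evaluated in ascending order, first match wins
    egress: bool                     # False = inbound rule, True = outbound rule
    protocol: str                    # "tcp", "udp", "icmp" or "all" (protocol -1)
    cidr: str                        # remote CIDR: source for inbound, destination for outbound
    port_from: Optional[int] = None  # None = port range unspecified (all ports)
    port_to: Optional[int] = None
    action: str = "allow"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # ICMP carries no ports
    dst_port: Optional[int] = None


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    remote = pkt.dst_ip if rule.egress else pkt.src_ip
    if ip_address(remote) not in ip_network(rule.cidr):
        return False
    if rule.port_from is None:       # no port range: matches every port
        return True
    if pkt.dst_port is None:         # a ported rule never matches ICMP
        return False
    return rule.port_from <= pkt.dst_port <= rule.port_to


def evaluate(rules: List[Rule], egress: bool, pkt: Packet) -> str:
    """Verdict for one packet in one direction; the implicit final rule denies."""
    for rule in sorted((r for r in rules if r.egress == egress), key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


def reply_of(pkt: Packet) -> Packet:
    """The reply travels the other way with addresses and ports swapped."""
    return Packet(pkt.protocol, pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)


def flow_allowed(rules: List[Rule], request: Packet, initiated_inside: bool) -> bool:
    """Stateless check: request and reply must each pass in their own direction."""
    req_egress = initiated_inside    # a request from inside the subnet leaves it
    return (evaluate(rules, req_egress, request) == "allow"
            and evaluate(rules, not req_egress, reply_of(request)) == "allow")


# Question 30: inbound allows only TCP on all ports, outbound allows everything.
Q30_RULES = [
    Rule(100, egress=False, protocol="tcp", cidr="0.0.0.0/0"),
    Rule(100, egress=True, protocol="all", cidr="0.0.0.0/0"),
]
HTTPS_OUT = Packet("tcp", "10.0.0.5", "203.0.113.10", 50000, 443)   # constructed
PING_OUT = Packet("icmp", "10.0.0.5", "203.0.113.10")               # constructed

# Question 34: private subnet NACL that lets the ALB's health check in on port 80
# but lacks an outbound rule for the ephemeral-port reply back to the ALB.
Q34_BROKEN = [
    Rule(100, egress=False, protocol="tcp", cidr="10.0.1.0/24", port_from=80, port_to=80),
    Rule(100, egress=True, protocol="tcp", cidr="10.0.1.0/24", port_from=80, port_to=80),
]
Q34_FIXED = Q34_BROKEN + [
    Rule(110, egress=True, protocol="tcp", cidr="10.0.1.0/24", port_from=1024, port_to=65535),
]
HEALTH_CHECK = Packet("tcp", "10.0.1.20", "10.0.2.10", 40000, 80)   # ALB -> instance


if __name__ == "__main__":
    print("Q30 HTTPS from instance:  ", flow_allowed(Q30_RULES, HTTPS_OUT, True))       # True
    print("Q30 ping from instance:   ", flow_allowed(Q30_RULES, PING_OUT, True))        # False
    print("Q34 health check, broken: ", flow_allowed(Q34_BROKEN, HEALTH_CHECK, False))  # False
    print("Q34 health check, fixed:  ", flow_allowed(Q34_FIXED, HEALTH_CHECK, False))   # True
```

The two scenarios fail for the same structural reason: the reply packet is matched against the rules of the opposite direction with its own protocol and destination port, so a TCP-only inbound rule drops the ICMP echo reply, and an outbound rule that only covers port 80 drops the response whose destination is the ALB's ephemeral port. Adding the 1024-65535 outbound rule is the usual fix for the second case.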

35
MCQhard

A company has a VPC with public and private subnets. The private subnets need to access the internet through a NAT Gateway. The security team wants to ensure that traffic from the private subnets to the internet is logged and inspected for malicious activity. Which solution meets these requirements?

A.Use AWS Shield Advanced to inspect traffic and detect malicious activity.
B.Deploy AWS WAF on the NAT Gateway to inspect and filter outgoing traffic.
C.Enable VPC Flow Logs on the NAT Gateway and analyze the logs with Amazon Detective.
D.Configure VPC Traffic Mirroring from the private subnet instances to a network security appliance (e.g., partner firewall) for deep packet inspection.
AnswerD

Traffic Mirroring captures packets for inspection.

Why this answer

Option D is correct because VPC Traffic Mirroring can mirror traffic from the private subnet ENIs to a security appliance for inspection. Option C is wrong because VPC Flow Logs only capture metadata, not packet contents. Option B is wrong because AWS WAF operates at the web application layer, not at the network layer.

Option A is wrong because AWS Shield is for DDoS protection, not inspection.

36
MCQhard

A company is migrating a legacy application to AWS. The application requires a fixed IP address that must not change. The application will be deployed on Amazon EC2 instances behind an Application Load Balancer. Which solution meets the requirement for a static IP address?

A.Assign an Elastic IP address to the Application Load Balancer.
B.Replace the ALB with a Network Load Balancer and assign an Elastic IP to it.
C.Place the ALB behind AWS Global Accelerator, which provides static IP addresses.
D.Use an Elastic IP address on each EC2 instance and point a CNAME record to the ALB.
AnswerC

Global Accelerator provides two static anycast IPs that route traffic to the ALB.

Why this answer

Option C is correct because AWS Global Accelerator provides two static Anycast IP addresses that serve as fixed entry points for traffic. Traffic is then routed over the AWS global network to the Application Load Balancer, preserving the static IP requirement while still allowing the ALB to handle HTTP/HTTPS traffic. This decouples the static IP from the underlying load balancer, ensuring the IP does not change even if the ALB is replaced or recreated.

Exam trap

The trap here is that candidates assume an Elastic IP can be attached to any AWS resource, but ALBs are DNS-based and cannot accept Elastic IPs, leading them to incorrectly choose Option A or B without considering Global Accelerator.

How to eliminate wrong answers

Option A is wrong because an Elastic IP address cannot be directly assigned to an Application Load Balancer; ALBs are DNS-based and do not support Elastic IP attachments. Option B is wrong because while a Network Load Balancer can have Elastic IPs assigned, it operates at Layer 4 and does not support the HTTP/HTTPS header inspection, path-based routing, or sticky sessions that the legacy application likely requires from an ALB. Option D is wrong because assigning Elastic IPs to individual EC2 instances does not provide a single static IP for the application; traffic would still flow through the ALB's DNS name, and the Elastic IPs on instances are not used when the ALB is the frontend.

37
MCQmedium

A company has deployed a multi-tier web application in a single AWS region. The architecture includes a VPC with public and private subnets across two Availability Zones. The web tier uses an Application Load Balancer (ALB) in the public subnets, and the application tier runs on EC2 instances in the private subnets. The database tier uses an Amazon RDS Multi-AZ deployment in the database subnets. The company is experiencing intermittent connectivity issues between the application tier and the database tier. The application logs show connection timeouts. The network engineer has verified that the security groups and network ACLs are correctly configured. The RDS instance is reachable from the application tier via a telnet test from one specific instance, but not consistently from all instances. What is the most likely cause of the intermittent connectivity?

A.The RDS Multi-AZ failover is causing the primary instance to change, and the application is not reconnecting to the new endpoint.
B.The network ACLs on the database subnets are blocking ephemeral ports used by the application.
C.The database subnets are in different Availability Zones than the application subnets, and the route tables in the application subnets do not have routes to the database subnet CIDRs.
D.The security group for the database is allowing traffic only from the application tier's security group, but the application tier instances are using a different security group.
AnswerC

Correct: Missing routes cause intermittent connectivity depending on which AZ the instance is in.

Why this answer

Option C is correct because if the RDS subnet group spans subnets in different AZs, the RDS endpoint may resolve to an IP in a subnet that is not routable from some application subnets due to missing route table entries. Option A is wrong because RDS Multi-AZ does not use a separate IP for failover; the DNS CNAME changes. Option D is wrong because security groups are stateful and allow return traffic.

Option B is wrong because network ACLs are stateless, but if configured correctly they should allow the traffic.

38
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add IPv6 connectivity for their internet-facing applications. The VPC currently has an internet gateway attached. What is the MOST efficient way to enable IPv6?

A.Assign an Amazon-provided IPv6 CIDR block to the VPC and subnets, and update route tables to use an internet gateway for IPv6
B.Create a transit gateway and attach the VPC, then route IPv6 traffic through a VPN
C.Create a NAT Gateway in a public subnet and route IPv6 traffic through it
D.Assign an IPv6 CIDR to the VPC and subnets, and add an egress-only internet gateway
AnswerA

The internet gateway supports both IPv4 and IPv6; route tables can direct IPv6 traffic to it.

Why this answer

Option A is correct because the most efficient way to enable IPv6 for an existing VPC with an internet gateway is to request an Amazon-provided IPv6 CIDR block (a /56 block) for the VPC, assign a /64 IPv6 CIDR to each subnet, and then update the route tables to direct ::/0 traffic to the internet gateway. The internet gateway is a dual-stack resource that inherently supports both IPv4 and IPv6 traffic, so no additional gateway is needed for outbound-only or inbound IPv6 connectivity.

Exam trap

AWS often tests the misconception that an egress-only internet gateway is required for all IPv6 traffic, but the trap here is that an egress-only internet gateway is only for outbound-only scenarios, whereas internet-facing applications need bidirectional IPv6 traffic, which requires a standard internet gateway.

How to eliminate wrong answers

Option B is wrong because a transit gateway is used for inter-VPC or hybrid connectivity, not for enabling IPv6 internet access for a single VPC; routing IPv6 through a VPN would add unnecessary complexity and cost. Option C is wrong because a NAT Gateway only supports IPv4 traffic and cannot forward IPv6 packets; IPv6 traffic must be routed through an internet gateway or an egress-only internet gateway. Option D is wrong because an egress-only internet gateway is designed for outbound-only IPv6 traffic from private subnets and does not allow inbound IPv6 connections, which are required for internet-facing applications.

39
Multi-Selectmedium

A company is designing a Direct Connect solution for high availability. Which TWO actions meet the requirement for diverse physical paths?

Select 2 answers
A.Provision two Direct Connect connections at the same Direct Connect location.
B.Provision two Direct Connect connections at two different Direct Connect locations.
C.Use a Transit Gateway with attachments to multiple Direct Connect gateways.
D.Provision a single Direct Connect connection and use link aggregation (LAG).
E.Use a single Direct Connect connection with a VPN backup.
AnswersB, C

Different locations ensure physical diversity.

Why this answer

Option B is correct because provisioning two Direct Connect connections at two different Direct Connect locations ensures that the physical paths are geographically diverse, eliminating a single point of failure. Option C is correct because using a Transit Gateway with attachments to multiple Direct Connect gateways allows traffic to be routed over separate connections, providing path diversity even if the connections are at the same location, as long as they are associated with different gateways and virtual interfaces.

Exam trap

The trap here is that candidates often assume that multiple connections at the same Direct Connect location provide diversity, but AWS explicitly requires different locations for physical path diversity, as the same location shares common infrastructure like power and fiber entrance facilities.

40
MCQmedium

A company has a global application deployed across multiple AWS regions using Application Load Balancers (ALBs) and AWS Global Accelerator. Users in Asia report high latency. The network team wants to monitor the performance of the Global Accelerator endpoints. Which AWS service should they use to collect and analyze network metrics?

A.Amazon CloudWatch metrics for Global Accelerator
B.AWS VPC Flow Logs
C.AWS X-Ray
D.AWS CloudTrail
AnswerA

CloudWatch provides metrics like endpoint health and latency.

Why this answer

Option A is correct because CloudWatch metrics for Global Accelerator provide endpoint health and performance metrics. Option B is wrong because VPC Flow Logs capture IP traffic but not accelerator-level metrics. Option C is wrong because AWS X-Ray is for application tracing.

Option D is wrong because CloudTrail logs API calls, not performance.

41
MCQmedium

A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, and the application tier must only be accessible from the web tier. Which architecture should they use?

A.Web servers in private subnets with a NAT Gateway for outbound traffic, and application servers in public subnets
B.Web servers in public subnets with an Internet Gateway, and application servers in private subnets with security groups allowing traffic only from the web tier
C.All servers in a single VPC with VPC Peering to another VPC
D.Web servers and application servers in public subnets, each with their own security group
AnswerB

This follows best practices for multi-tier architectures.

Why this answer

Option B is correct because placing web servers in public subnets behind an Internet Gateway and application servers in private subnets with no direct internet access is the standard design. Option A is wrong because a NAT Gateway is for outbound, not inbound, traffic, so the web tier would not be reachable from the internet. Option D is wrong because placing app servers in public subnets exposes them.

Option C is wrong because VPC Peering is not needed.

42
MCQhard

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The VPC has a virtual private gateway (VGW). The on-premises network uses BGP to advertise routes. The company wants to ensure high availability by using two Direct Connect connections from different providers. Both connections terminate at the same Direct Connect location (same AWS device). The company configures two private VIFs, each with a separate BGP session, and attaches both to the same VGW. However, when one connection fails, traffic does not fail over. What is the most likely cause?

A.Both Direct Connect connections are on the same AWS device, creating a single point of failure
B.The same BGP ASN is used for both VIFs, causing route conflict
C.The MTU size is mismatched between the VIFs
D.The allowed prefixes for the VIFs do not include the on-premises subnets
AnswerA

Same location and device means no redundancy.

Why this answer

If both connections terminate at the same AWS Direct Connect location and same device, they share the same physical infrastructure. A failure at that location would affect both. True high availability requires connections at different locations.

The BGP configuration may also lack proper failover, but the most likely cause is that both VIFs terminate on the same device, so a single point of failure exists. Option B (same BGP ASN) is wrong because using the same ASN on both VIFs is allowed.

Option D (allowed prefixes) would cause routes not to be accepted rather than a failover failure. Option C (MTU mismatch) would not cause a complete failover failure.

43
MCQmedium

A company has a VPC with public and private subnets in three Availability Zones. They have EC2 instances in private subnets that need to download patches from the internet. The company requires that all outbound traffic to the internet is logged and inspected. Which solution meets these requirements with the highest availability?

A.Launch a NAT instance in one public subnet and configure all private subnet route tables to send 0.0.0.0/0 to the NAT instance.
B.Place a single NAT Gateway in one public subnet and configure all private subnet route tables to send 0.0.0.0/0 to that NAT Gateway.
C.Attach an internet gateway to the VPC and add a route in the private subnet route tables to send 0.0.0.0/0 to the internet gateway.
D.Create a centralized egress VPC with a NAT Gateway in each AZ. Peer the application VPCs to the egress VPC and route 0.0.0.0/0 traffic through a firewall appliance in the egress VPC.
AnswerD

NAT Gateways in each AZ provide high availability, and centralized inspection allows logging.

Why this answer

Option D is correct because it meets the requirements for logging and inspecting all outbound internet traffic by routing it through a centralized firewall appliance in an egress VPC, while also providing high availability through NAT Gateways deployed in each Availability Zone. This architecture ensures that traffic is inspected before reaching the internet, and the use of multiple NAT Gateways eliminates single points of failure, achieving the highest availability compared to single-instance or single-gateway solutions.

Exam trap

The trap here is that candidates often assume a single NAT Gateway or NAT instance provides sufficient availability and inspection, overlooking the requirement for logging and inspection, which necessitates a firewall or inspection appliance, and the need for multi-AZ deployment to achieve high availability.

How to eliminate wrong answers

Option A is wrong because a single NAT instance in one public subnet is a single point of failure and does not provide high availability; additionally, NAT instances do not inherently support traffic logging and inspection without additional configuration, and they are not managed for automatic failover. Option B is wrong because a single NAT Gateway in one Availability Zone is not highly available; if that AZ fails, all private subnets lose internet connectivity, and NAT Gateways do not provide built-in traffic inspection or logging capabilities. Option C is wrong because attaching an internet gateway to the VPC and routing 0.0.0.0/0 from private subnets directly to the internet gateway would bypass any inspection or logging, and private subnets require a NAT device or transit gateway to access the internet through an internet gateway; direct routing would fail because internet gateways do not accept traffic from private IP addresses without source NAT.

44
Multi-Selecthard

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They have subnets in three Availability Zones. They need to add IPv6 connectivity to the VPC and allow instances in private subnets to initiate outbound IPv6 connections to the internet, but not allow inbound connections from the internet. Which TWO actions must be taken?

Select 2 answers
A.Create an egress-only internet gateway and add a route for ::/0 to it in the private subnet route tables.
B.Create an internet gateway and add a route for ::/0 to it in the private subnet route tables.
C.Allocate an IPv6 CIDR block to the VPC.
D.Create a NAT gateway in a public subnet.
E.Configure a security group that allows outbound IPv6 traffic.
AnswersA, C

An egress-only internet gateway allows outbound-only IPv6 traffic.

Why this answer

Option C is correct: allocate an IPv6 CIDR block to the VPC and associate it with the subnets. Option A is correct: create an egress-only internet gateway and add a route for ::/0 to it in the private subnet route tables. Option D is incorrect because a NAT gateway is for IPv4.

Option B is incorrect because an internet gateway allows bidirectional IPv6 traffic, which would allow inbound connections. Option E is incorrect because a security group is used for fine-grained control but does not provide internet connectivity.

45
MCQeasy

A company wants to audit all changes to security groups in their AWS account. Which AWS service should they use to track API calls that modify security groups?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.VPC Flow Logs
AnswerB

Records API calls for auditing.

Why this answer

Option B is correct because AWS CloudTrail records API calls, including those that modify security groups. Option C is wrong because CloudWatch Logs can store logs but does not capture API calls directly. Option A is wrong because AWS Config tracks resource configuration changes but not API calls.

Option D is wrong because VPC Flow Logs capture network traffic, not API calls.

46
MCQmedium

An organization has a multi-account setup using AWS Organizations. The security team wants to centrally manage and enforce security group rules across all VPCs in all accounts. Which solution should they implement?

A.Deploy a centralized network ACL in each VPC.
B.Enable VPC Flow Logs and analyze using Amazon Detective.
C.Use AWS Config rules to remediate non-compliant security groups.
D.Use AWS Firewall Manager to create common security group policies.
AnswerD

Firewall Manager centrally manages security groups across accounts.

Why this answer

Option D is correct because AWS Firewall Manager provides a centralized way to apply security group rules across accounts and VPCs in an organization. Option A is wrong because network ACLs are stateless and not as flexible for application-level rules. Option C is wrong because AWS Config is for compliance and auditing, not enforcement.

Option B is wrong because VPC Flow Logs are for monitoring, not enforcement.

47
MCQeasy

A company has a VPC with a CIDR block of 172.16.0.0/16. They have a public subnet (172.16.1.0/24) and a private subnet (172.16.2.0/24). They have an internet gateway attached to the public subnet. They launch an EC2 instance in the public subnet with a public IP address. The instance is running a web server on port 80. They also launch an EC2 instance in the private subnet that needs to download updates from the internet. The private subnet does not have a route to the internet. The company wants to provide internet access to the private instance in a secure and cost-effective manner. Which solution should they implement?

A.Create a NAT Gateway in the public subnet and add a route in the private subnet's route table pointing to the NAT Gateway
B.Create a VPC Gateway Endpoint for S3 and configure the private instance to use it
C.Create a forward proxy server in the public subnet and configure the private instance to use it
D.Create a NAT instance in the public subnet and configure the private instance to use it
AnswerA

NAT Gateway provides outbound internet access for private instances.

Why this answer

A NAT Gateway in the public subnet allows instances in the private subnet to initiate outbound connections to the internet (e.g., for downloading updates) while preventing inbound connections from the internet. The private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. This is secure because the NAT Gateway uses Elastic IPs and does not accept unsolicited inbound traffic, and it is cost-effective as it is a managed service with no maintenance overhead.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with a NAT instance or assume a VPC Gateway Endpoint can provide general internet access, but the key distinction is that a NAT Gateway is a managed service for outbound-only internet access, while Gateway Endpoints are specific to AWS services like S3 and DynamoDB.

How to eliminate wrong answers

Option B is wrong because a VPC Gateway Endpoint for S3 only provides private connectivity to Amazon S3, not general internet access; it cannot be used to download updates from arbitrary internet hosts. Option C is wrong because a forward proxy server (e.g., Squid) is a valid but less cost-effective and more complex solution compared to a NAT Gateway; it requires manual configuration, patching, and scaling, and is not the simplest managed solution. Option D is wrong because a NAT instance is a legacy, self-managed EC2 instance that requires manual configuration (e.g., disabling Source/Destination Check), patching, and high-availability setup; it is less reliable and more operationally expensive than a managed NAT Gateway.

48
MCQhard

A company has deployed a Network Load Balancer (NLB) in a VPC. The NLB is configured with a target group that points to EC2 instances in the same VPC. The network engineer notices that traffic from clients is not being forwarded to the targets. The NLB's security groups and network ACLs allow all traffic. What is the most likely cause?

A.The security group attached to the NLB is blocking traffic.
B.The EC2 instances are missing a route back to the NLB's subnet.
C.The NLB health checks are failing, causing targets to be marked unhealthy.
D.Cross-zone load balancing is disabled on the NLB.
AnswerB

Preserve client IP is enabled, so targets must send responses back to the NLB; if they have a default route to a NAT gateway, return traffic goes to the internet instead.

Why this answer

Option B is correct. NLB uses the source IP of the client by default, so the target's route table must send return traffic back to the NLB. If the targets have a default route to a NAT gateway, return traffic goes straight to the internet, breaking the connection.

Option A is wrong because NLB does not use security groups for itself. Option C is wrong because health checks might fail, but that is not the root cause. Option D is wrong because NLB supports cross-zone load balancing.

49
MCQeasy

A company wants to connect its on-premises data center to AWS using a dedicated, private network connection. Which AWS service should be used to establish a 1 Gbps dedicated connection?

A.AWS Direct Connect
B.AWS Transit Gateway
C.VPC Peering
D.AWS Site-to-Site VPN
AnswerA

Direct Connect provides a dedicated private connection.

Why this answer

AWS Direct Connect is the correct service for establishing a dedicated, private network connection from an on-premises data center to AWS. It provides a 1 Gbps (or higher) physical Ethernet link that bypasses the public internet, delivering consistent network performance and reduced bandwidth costs for high-volume data transfer.

Exam trap

AWS often tests the misconception that a VPN can provide a dedicated private connection, but VPNs traverse the public internet and lack the physical isolation and consistent latency of Direct Connect.

How to eliminate wrong answers

Option B is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself provide a physical dedicated connection; it relies on underlying connections like Direct Connect or VPN. Option C is wrong because VPC Peering connects two VPCs within AWS using the AWS global network, but it cannot extend to an on-premises data center. Option D is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, which does not offer the dedicated, private, or consistent performance characteristics of a physical dedicated connection.

50
Multi-Selectmedium

Which THREE of the following are valid ways to restrict access to an S3 bucket that is accessed by EC2 instances in a VPC?

Select 3 answers
A.Use an S3 bucket policy that restricts access to the VPC or VPC endpoint.
B.Use a network ACL to restrict access to the S3 prefix list.
C.Use a VPC endpoint policy to allow access only to the specific S3 bucket.
D.Use an IAM role (instance profile) attached to the EC2 instance with permissions for the S3 bucket.
E.Use a security group to allow outbound traffic from the EC2 instance to the S3 bucket.
AnswersA, C, D

S3 bucket policies can use aws:SourceVpc or aws:SourceVpce conditions.

Why this answer

Options A, C, and D are correct. Option A: S3 bucket policies can restrict access based on source VPC or source VPC endpoint. Option C: VPC endpoint policies can restrict access to specific S3 buckets.

Option D: instance profiles grant IAM roles to EC2 instances, which can be used with S3 bucket policies. Option E is wrong: security groups do not apply to S3 bucket access. Option B is wrong: network ACLs operate at the subnet level and do not filter by S3 bucket.

51
MCQmedium

A company is designing a multi-region architecture using AWS Global Accelerator and Application Load Balancers (ALBs) in two AWS Regions. They want to route traffic to the closest healthy endpoint and minimize latency. Which configuration best meets these requirements?

A.Deploy a single ALB in one region and use Route 53 geolocation routing to direct traffic.
B.Use Amazon Route 53 latency-based routing with ALBs in each region.
C.Create a Global Accelerator with endpoint groups in each region, each pointing to the regional ALB.
D.Use an Application Load Balancer in one region and a Network Load Balancer in another with cross-zone load balancing.
AnswerC

Global Accelerator uses anycast IPs to route traffic to the nearest healthy endpoint, with built-in health checks and fast failover.

Why this answer

AWS Global Accelerator uses anycast IP addresses to route traffic to the nearest edge location, then forwards it over the AWS global network to the closest healthy endpoint group. By configuring endpoint groups in each region, each pointing to the regional ALB, Global Accelerator provides both low-latency routing and automatic failover, meeting the requirement for multi-region traffic distribution to the closest healthy endpoint.

Exam trap

AWS often tests the misconception that Route 53 latency-based routing is equivalent to Global Accelerator for multi-region traffic optimization, but candidates must remember that DNS-based routing introduces caching delays and lacks the anycast edge routing and fast health check failover that Global Accelerator provides.

How to eliminate wrong answers

Option A is wrong because deploying a single ALB in one region with Route 53 geolocation routing does not provide multi-region architecture; it forces all traffic to a single region, increasing latency for distant users and creating a single point of failure. Option B is wrong because Route 53 latency-based routing relies on DNS resolution, which introduces caching and TTL delays, and does not provide fast failover or static anycast IPs; it also cannot route traffic based on endpoint health in real-time as efficiently as Global Accelerator. Option D is wrong because using an ALB in one region and a Network Load Balancer in another with cross-zone load balancing does not address multi-region traffic routing or latency optimization; cross-zone load balancing is a feature for distributing traffic within a single region, not between regions.

52
MCQeasy

A CloudFormation stack was created with the above snippet. An administrator notices that the EC2 instance can receive HTTP traffic from the internet, but cannot access the internet itself (e.g., to download updates). What is the most likely cause?

A.The security group egress rule restricts outbound traffic to only HTTP.
B.The instance is in a private subnet without a NAT gateway or route to an internet gateway.
C.The security group is not attached to the instance properly.
D.The security group ingress rule only allows HTTP from the internet, but not other protocols needed for updates.
AnswerB

Even with permissive security group rules, if the subnet has no route to the internet, outbound traffic fails.

Why this answer

Option B is correct. The security group egress rule allows all traffic (protocol -1) to 0.0.0.0/0, so outbound traffic is permitted by the security group; the issue is likely that the instance is in a private subnet without a NAT gateway or internet gateway route. Option A is wrong because the egress rule is permissive.

Option D is wrong because the ingress rule allows HTTP. Option C is wrong because the security group is correctly associated.

53
MCQmedium

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to another VPC (192.168.0.0/16) using VPC peering. Both VPCs have overlapping CIDRs with some on-premises networks. What must be done to ensure proper routing?

A.Use AWS Transit Gateway instead and attach both VPCs.
B.Verify that the CIDR blocks do not overlap. If they do, you must re-IP one VPC or use other solutions like Transit Gateway with network address translation.
C.Use a NAT gateway in one VPC to translate addresses.
D.Create the peering connection and add routes for the full CIDR ranges in both route tables.
AnswerB

Without overlap, peering works. Overlap requires re-IP or alternative solutions.

Why this answer

Option B is correct because VPC peering does not support overlapping CIDRs; you cannot have routes to the same CIDR via different targets. If there is any overlap, you cannot create the peering connection or the routes. Option D is wrong because it suggests ignoring the overlap.

Option C is wrong because NAT does not solve routing ambiguity. Option A is wrong because Transit Gateway also has limitations with overlapping CIDRs.

54
MCQhard

A security engineer is designing a network ACL for a public-facing web application in a VPC. The application uses an Application Load Balancer (ALB) in a public subnet, web servers in private subnets, and an RDS database in a private subnet. The engineer needs to allow HTTPS traffic from the internet to the ALB, and allow the ALB to forward traffic to the web servers on port 8080. The web servers need to query the database on port 3306. Which network ACL configuration should the engineer implement for the private subnet containing the web servers?

A.Inbound: allow 0.0.0.0/0 on port 3306; Outbound: allow 0.0.0.0/0 on port 8080
B.Inbound: allow 0.0.0.0/0 on port 8080; Outbound: allow 0.0.0.0/0 on all ports
C.Inbound: allow ALB subnet CIDR on port 8080 and ephemeral ports; Outbound: allow database subnet CIDR on port 3306
D.Inbound: allow 0.0.0.0/0 on port 443; Outbound: allow 0.0.0.0/0 on port 3306
AnswerC

Correctly restricts traffic to necessary ports and sources.

Why this answer

Option C is correct because inbound allows ALB traffic on port 8080 plus ephemeral ports for responses, and outbound allows database traffic on port 3306. Option D is wrong because web servers do not need inbound on port 443. Option A is wrong because inbound port 3306 is not needed.

Option B is wrong because inbound should not allow all traffic.

55
MCQeasy

A company has a VPC with a NAT gateway in a public subnet. The security team wants to log all outbound traffic from private subnets to the internet. Which AWS service should be used to capture this traffic?

A.VPC Flow Logs
B.AWS CloudTrail
C.Amazon S3 Access Logs
D.AWS Config
AnswerA

Flow Logs on the NAT gateway ENI capture all outbound traffic.

Why this answer

The correct answer is A because VPC Flow Logs can be enabled on the NAT gateway's elastic network interface to capture all outbound traffic. Option B is wrong because CloudTrail does not capture network traffic. Option D is wrong because AWS Config does not log traffic.

Option C is wrong because S3 Access Logs are for S3 bucket access, not NAT gateway traffic.

56
Multi-Selectmedium

Which THREE are best practices for managing network security in a multi-VPC AWS environment using AWS Transit Gateway?

Select 3 answers
A.Use separate Transit Gateway route tables for different environments (e.g., production, development).
B.Centralize internet egress traffic through a shared VPC with a NAT gateway or proxy.
C.Attach all VPCs to a single Transit Gateway route table for simplicity.
D.Enable VPC Flow Logs on all VPCs and centralize logs in a security account.
E.Use network ACLs on every subnet to filter traffic between VPCs.
AnswersA, B, D

Separate route tables enable network isolation.

Why this answer

Options A, B, and D are correct. Option E is incorrect because network ACLs are stateless and not needed if security groups are used. Option C is incorrect because a single route table would allow all VPCs to communicate, violating least privilege.

57
MCQmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect and Site-to-Site VPN. The network team wants to ensure that traffic between VPCs does not traverse the on-premises network. Which Transit Gateway feature should be used?

A.Transit Gateway Multicast
B.Transit Gateway Network Manager
C.Transit Gateway BGP over AWS Direct Connect
D.Transit Gateway route tables with separate associations and propagations
AnswerD

This allows creating isolated routing domains.

Why this answer

Option D is correct because Transit Gateway route tables allow isolation of traffic between different attachments (e.g., VPCs vs. VPN). Option A is wrong because multicast is not relevant.

Option B (Network Manager) is wrong because it monitors traffic rather than controlling routing. Option C is wrong because BGP is used for dynamic routing, not for isolation.

58
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to monitor the number of packets dropped due to route table limits. Which CloudWatch metric should they use?

A.PacketsIn
B.PacketsDroppedByRouteTable
C.BytesOut
D.BytesDroppedByRouteTable
AnswerB

This metric tracks packets dropped due to route table limits.

Why this answer

Option B is correct because Transit Gateway publishes the metric 'PacketsDroppedByRouteTable' to CloudWatch. Option C is incorrect; 'BytesOut' is a measure of traffic volume. Option A is incorrect; 'PacketsIn' counts incoming packets.

Option D is incorrect; 'BytesDroppedByRouteTable' does not exist; the metric is packet-based.

59
MCQhard

A company has a global application deployed across multiple AWS Regions. Users are routed to the nearest Region using Amazon Route 53. The application uses an Application Load Balancer in each Region. The network team wants to ensure that traffic is always routed to a healthy Region in case of a Regional failure. Which Route 53 routing policy should be used?

A.Latency-based routing with health checks
B.Weighted routing
C.Simple routing
D.Failover routing
AnswerA

This routes to the region with lowest latency and fails over on health check failure.

Why this answer

Option A is correct because latency-based routing with health checks can route to the region with the lowest latency and fail over if health checks fail. Option C is wrong because simple routing does not support health checks. Option B is wrong because weighted routing distributes traffic based on weights, not latency.

Option D is wrong because failover routing is primary/backup, not latency-based.

60
MCQhard

A company uses AWS Shield Advanced to protect their web application against DDoS attacks. They have a CloudFront distribution and an Application Load Balancer (ALB) as origins. They want to receive notifications when a DDoS attack is detected. What is the MOST comprehensive way to set up notifications?

A.Enable Shield Advanced automatic notifications in the AWS Shield console.
B.Set up AWS Config rules to detect changes in the Shield Advanced configuration and send alerts.
C.Create a CloudWatch alarm on the AWS Shield Advanced metric DDoSDetected and configure an SNS notification.
D.Use Amazon Route 53 health checks to monitor the application and send notifications on failure.
AnswerC

Correct: Shield Advanced metrics are sent to CloudWatch, and alarms can trigger SNS.

Why this answer

Option C is correct because AWS Shield Advanced integrates with CloudWatch to send metrics, and you can create a CloudWatch alarm that triggers an SNS notification. Option A is wrong because Shield Advanced does not send notifications directly; you must use CloudWatch. Option B is wrong because Config does not monitor DDoS events.

Option D is wrong because health checks are for endpoint health, not DDoS detection.

61
MCQmedium

A company is experiencing intermittent connectivity issues between a VPC and an on-premises data center over an AWS Direct Connect connection. The network engineer checks the Direct Connect virtual interface status and sees it is 'up'. However, BGP sessions are flapping. Which action should the engineer take to diagnose the issue?

A.Verify the VLAN configuration on the customer router.
B.Enable BFD on the Direct Connect virtual interface.
C.Recreate the virtual interface with a new VLAN ID.
D.Check the BGP keepalive and hold timers on both sides.
AnswerD

Inconsistent BGP timers can cause session flapping.

Why this answer

Option D is correct because checking BGP session logs and timers helps identify flapping due to misconfigured timers or routing updates. Option A is wrong because it does not address BGP-specific issues. Option B is wrong because it involves changing the configuration, not diagnosing.

Option C is wrong because it is an extreme measure that may not resolve the BGP issue.

62
MCQhard

A company is designing a network for a large-scale e-commerce platform that must handle sudden traffic spikes. The architecture uses an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances across multiple Availability Zones. The ALB is internet-facing. To protect against DDoS attacks, which AWS services should be used at the network edge?

A.Subscribe to AWS Shield Advanced and deploy AWS WAF on the ALB.
B.Configure network ACLs to allow only known IP ranges.
C.Enable AWS Shield Standard and configure security groups to block traffic from suspicious sources.
D.Use Amazon Route 53 with DNS-based failover to redirect traffic away from the ALB during an attack.
AnswerA

Shield Advanced provides DDoS protection at the edge, and WAF filters application-layer attacks.

Why this answer

Option A is correct. AWS Shield Advanced provides enhanced protection against DDoS attacks, and AWS WAF can be integrated with the ALB to filter malicious traffic. Option B is wrong because network ACLs are not at the edge; they are subnet-level.

Option C is wrong because AWS Shield Standard is included automatically but does not provide advanced protection. Option D is wrong because Route 53 is for DNS, not DDoS mitigation at the network edge.

63
MCQhard

A company is designing a multi-region architecture with two AWS Regions. They need to connect VPCs in each region to an on-premises data center using AWS Direct Connect. They want to minimize latency and use the same BGP ASN on both sides. Which solution meets these requirements?

A.Use a Direct Connect gateway and create a private virtual interface from each region's Direct Connect connection to the Direct Connect gateway. Use the same BGP ASN on AWS side.
B.Establish two separate private virtual interfaces from each region to the on-premises router using different BGP ASNs.
C.Use AWS Site-to-Site VPN over the internet as a backup and the Direct Connect as primary.
D.Create a transit virtual interface from each region to a Transit Gateway in each region and peer the Transit Gateways.
AnswerA

Direct Connect gateway allows same ASN across multiple VIFs and regions.

Why this answer

Option A is correct because a Direct Connect gateway allows you to associate multiple virtual interfaces from different regions with a single gateway, and you can use the same BGP ASN. Option D is wrong because transit VIFs connect to a Transit Gateway, but a Direct Connect gateway is needed for multi-region. Option B is wrong because each Direct Connect connection must use different ASNs if not using a Direct Connect gateway.

Option C is wrong because VPN over the internet adds latency and does not meet the Direct Connect requirement.

64
Multi-Selectmedium

A company is designing a multi-VPC architecture in a single AWS Region. The company has three VPCs: Production, Development, and Shared Services. They want to enable transitive routing between all VPCs while minimizing operational overhead. Which TWO solutions meet these requirements?

Select 2 answers
A.Establish VPC peering connections between each pair of VPCs.
B.Configure a VPN connection between each VPC.
C.Use AWS Transit Gateway to connect all VPCs.
D.Configure AWS Direct Connect connections from each VPC to the same on-premises router.
E.Use Transit Gateway with VPN attachments to an on-premises router that performs routing between VPCs.
AnswersC, E

Transit Gateway enables transitive routing between all attached VPCs.

Why this answer

Option C is correct: Transit Gateway provides transitive routing between multiple VPCs and supports a hub-and-spoke architecture. Option E is correct: a centralized VPN to on-premises can provide transitive routing if all VPCs connect to the same VPN via Transit Gateway. Option A is incorrect because VPC peering is not transitive; each pair must be explicitly peered.

Option B is incorrect because a VPN connection between two VPCs would require each pair to be connected. Option D is incorrect because Direct Connect alone does not provide transitive routing between VPCs.

65
MCQeasy

A company needs to monitor network traffic to and from EC2 instances for security analysis. Which AWS service should they use?

A.AWS CloudTrail
B.Amazon CloudWatch Logs
C.AWS Config
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture IP traffic information.

Why this answer

VPC Flow Logs capture IP traffic information for network interfaces in a VPC, including metadata such as source/destination IPs, ports, protocols, and packet accept/reject decisions. This makes it the correct service for monitoring network traffic to and from EC2 instances for security analysis, as it provides detailed network-level logs without requiring any agent installation on the instances.

Exam trap

The trap here is that candidates often confuse AWS CloudTrail (API auditing) with network traffic monitoring, or assume CloudWatch Logs can capture network flows directly, but VPC Flow Logs are the only service that provides raw network traffic metadata at the VPC level.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and management events (e.g., who launched an EC2 instance), not the actual network traffic flowing through the VPC. Option B is wrong because Amazon CloudWatch Logs is a service for storing and monitoring log files from applications, OS, or AWS services, but it does not natively capture network traffic metadata from EC2 instances. Option C is wrong because AWS Config evaluates resource configurations and compliance rules (e.g., whether a security group is too permissive), but it does not log or monitor network traffic flows.

66
MCQhard

A company has a global application that uses Amazon Route 53 for DNS. The application is deployed in us-east-1 and eu-west-1. The company wants to route users to the Region with the lowest latency, but also provide failover if one Region becomes unhealthy. Which Route 53 routing policy should be used?

A.Weighted routing with equal weights
B.Failover routing with primary in us-east-1
C.Latency-based routing with health checks
D.Geoproximity routing
AnswerC

Latency routing sends to lowest latency region; health checks ensure failover.

Why this answer

Option C is correct because latency-based routing with health checks automatically routes to the lowest-latency region that is healthy. Option D is wrong because geoproximity routing uses location, not latency. Option B is wrong because failover routing does not consider latency.

Option A is wrong because weighted routing does not consider latency or health.

67
MCQeasy

A company has a VPC with public and private subnets in two Availability Zones. The private subnets need to access the internet for software updates. Which configuration meets this requirement securely?

A.Deploy a NAT Gateway in a public subnet and update the private subnet route tables to point 0.0.0.0/0 to the NAT Gateway.
B.Attach an Internet Gateway to the VPC and add a route to 0.0.0.0/0 in the private subnet route tables pointing to the Internet Gateway.
C.Create a VPC Peering connection to a second VPC that has an Internet Gateway and route all traffic through it.
D.Configure a Virtual Private Gateway and use an AWS Direct Connect connection to the internet.
AnswerA

Correct: NAT Gateway enables outbound internet access for private subnets.

Why this answer

Option A is correct because a NAT Gateway in a public subnet allows private instances to initiate outbound traffic to the internet. Option B is wrong because an Internet Gateway does not allow private instances to reach the internet. Option C is wrong because a VPC Peering connection does not provide internet access.

Option D is wrong because a Virtual Private Gateway is used for VPN connections.

68
Multi-Selectmedium

A company is deploying a new application in a VPC. The application consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The ALB must only receive traffic from the company's on-premises network via an AWS Site-to-Site VPN. Which THREE steps should the network engineer take to meet this requirement?

Select 3 answers
A.Place the ALB in a private subnet and use a Transit Gateway.
B.Place the ALB in a public subnet.
C.Configure the network ACL on the ALB's subnet to allow inbound traffic from the on-premises CIDR range.
D.Configure the ALB security group to allow inbound traffic from the on-premises CIDR range.
E.Create a NAT gateway in the public subnet for outbound traffic.
AnswersB, C, D

The ALB needs to be internet-facing to respond to the VPN traffic.

Why this answer

Option B is correct because an Application Load Balancer (ALB) must be placed in a public subnet to be reachable from an on-premises network via an AWS Site-to-Site VPN. The VPN connection terminates on a virtual private gateway or transit gateway, which routes traffic to the VPC, but the ALB itself needs a public subnet with a route to the internet gateway (or virtual private gateway) to accept inbound traffic from the VPN. Without a public subnet, the ALB cannot receive traffic from outside the VPC, including VPN traffic.

Exam trap

AWS often tests the misconception that an ALB in a private subnet can receive traffic from a VPN via a Transit Gateway or NAT gateway, but the ALB must be in a public subnet to have a route to the virtual private gateway for inbound traffic from on-premises.

69
MCQmedium

A company is connecting their on-premises data center to AWS using a site-to-site VPN. The customer gateway device has a dynamic routing configuration with BGP. The VPN connection is established, but the VPC route table does not contain the on-premises network routes. What is the most likely cause?

A.The customer gateway device is not configured with the correct BGP ASN.
B.The VPC route table has static routes pointing to the virtual private gateway.
C.Route propagation is not enabled on the VPC route table.
D.The VPN connection is using static routing instead of dynamic routing.
AnswerC

Route propagation must be enabled for dynamic BGP routes to be added.

Why this answer

Option C is correct. For a dynamic VPN, you must enable route propagation on the VPC route table to automatically propagate BGP routes. Option B is wrong because static routes are not needed.

Option D is wrong because BGP is used. Option A is wrong because the customer gateway device is configured correctly.

70
Multi-Selectmedium

A company has a Direct Connect connection with a private VIF to a VPC. The network engineer needs to ensure that traffic from the on-premises network to the VPC uses the Direct Connect path, while internet-bound traffic from the VPC uses an Internet Gateway. Which TWO configurations are required? (Select TWO.)

Select 2 answers
A.Add a route in the VPC route table for the Direct Connect location prefix
B.Deploy a NAT Gateway in the VPC for internet access
C.Configure the on-premises router to send all internet traffic to the VPC
D.Add a route in the VPC route table for the on-premises CIDR pointing to the virtual private gateway (VGW)
E.Add a default route (0.0.0.0/0) in the VPC route table pointing to the Internet Gateway
AnswersD, E

Directs traffic from VPC to on-premises via Direct Connect.

Why this answer

Options D and E are correct. D: The VPC route table must have a route for the on-premises CIDR pointing to the virtual private gateway. E: The VPC route table must have a default route (0.0.0.0/0) pointing to the Internet Gateway.

Option A is wrong because the VPC does not need a route to the Direct Connect location. Option C is wrong because the on-premises router should not send its internet traffic to the VPC. Option B is wrong because the VPC does not need a NAT gateway for internet access when it uses an Internet Gateway.

71
MCQhard

A company is deploying a multi-region application with an Application Load Balancer (ALB) in us-east-1 and a second ALB in eu-west-1. They want to route traffic to the nearest region using Amazon Route 53. They have set up a latency-based routing policy. Users in North America are being routed to eu-west-1 instead of us-east-1. What is the most likely cause?

A.The routing policy is incorrectly configured as geolocation instead of latency
B.The us-east-1 ALB is not associated with a Route 53 record set
C.The health checks for the us-east-1 ALB are failing
D.Latency measurements between the user and us-east-1 are higher than expected due to transient network conditions
AnswerD

Latency-based routing uses measured latency; a higher measured latency can cause users to be routed to the other region.

Why this answer

Option D is correct because latency-based routing relies on measured latency, which can be inconsistent. If the latency measurement for us-east-1 is higher than expected (for example, due to a temporary network issue), Route 53 may route North American users to eu-west-1. Option C is wrong because health checks affect routing only when they fail, and the question does not indicate a failure.

Option A is wrong because the routing policy is already set to latency. Option B is wrong because weight is not used in latency-based routing.

72
MCQhard

A network engineer is troubleshooting high latency on an AWS Transit Gateway attachment to a VPN. The VPN tunnel is established, and traffic flows, but latency spikes are observed during peak hours. The engineer suspects packet loss. Which diagnostic step should be taken first?

A.Run a traceroute from an on-premises host to an EC2 instance.
B.Use Amazon CloudWatch metrics for the Transit Gateway attachment to check for dropped packets.
C.Verify the VPN tunnel status in the AWS Management Console.
D.Review the VPN CloudWatch metrics for tunnel data.
AnswerB

Transit Gateway provides attachment-level metrics like bytes in/out and dropped packets.

Why this answer

Option B is correct because monitoring the Transit Gateway attachment metrics can show packet loss or errors. Option C is wrong because it only checks whether the tunnel is up. Option A is wrong because CloudWatch metrics for the VPN are more granular.

Option D is wrong because it does not provide real-time diagnostics.

73
MCQmedium

A network engineer is troubleshooting an issue where an AWS Lambda function cannot create an Elastic Network Interface (ENI) in a VPC. The function has the IAM policy shown in the exhibit. Which statement explains why the function is failing?

A.The policy denies the ec2:CreateVpc action which is required to create an ENI
B.The policy allows ec2:DescribeInstances which conflicts with ENI creation
C.The policy denies the ec2:CreateNetworkInterface action
D.The policy is missing the ec2:CreateNetworkInterfacePermission action
AnswerD

Lambda requires ec2:CreateNetworkInterfacePermission to create ENIs on behalf of the function; without it, the call fails.

Why this answer

The correct answer is D because creating an Elastic Network Interface (ENI) in a VPC requires the `ec2:CreateNetworkInterfacePermission` action in addition to `ec2:CreateNetworkInterface`. The IAM policy shown in the exhibit explicitly denies `ec2:CreateNetworkInterface`, but even if that denial were removed, the Lambda function would still fail without the permission action, as it is necessary for cross-account or service-linked ENI creation scenarios. AWS Lambda uses this permission to allow the Lambda service to attach the ENI to the VPC on your behalf.

Exam trap

The trap here is that candidates focus on the explicit denial of `ec2:CreateNetworkInterface` in the policy and overlook the separate requirement for `ec2:CreateNetworkInterfacePermission`, which is necessary for Lambda to delegate ENI management to the AWS service.

How to eliminate wrong answers

Option A is wrong because the `ec2:CreateVpc` action is not required to create an ENI; ENIs are created within an existing VPC, and the VPC must already exist. Option B is wrong because allowing `ec2:DescribeInstances` does not conflict with ENI creation; it is a read-only action that does not interfere with resource creation. Option C is wrong because the policy in the exhibit explicitly denies `ec2:CreateNetworkInterface`, but the question asks why the function is failing, and the core missing permission is `ec2:CreateNetworkInterfacePermission`, not just the denial of `CreateNetworkInterface`.

74
MCQhard

A company has a hybrid network with multiple VPCs connected via a Transit Gateway. They need to centralize outbound internet traffic through a single VPC. Which architecture should be used?

A.Attach a NAT Gateway to each VPC's private subnets.
B.Attach an Internet Gateway to each VPC and route 0.0.0.0/0 to the IGW.
C.Designate one VPC as an egress VPC with a NAT Gateway and Internet Gateway, and use Transit Gateway route tables to route 0.0.0.0/0 from other VPCs to the egress VPC.
D.Use a VPN connection to an on-premises data center for internet access.
AnswerC

This centralizes outbound traffic through a single VPC.

Why this answer

Option C is correct because an egress VPC with a NAT Gateway and an Internet Gateway can centralize outbound traffic, with Transit Gateway route tables sending 0.0.0.0/0 from the other VPCs to it. Option A is wrong because giving each VPC its own NAT Gateway does not centralize egress. Option D is wrong because a VPN to an on-premises data center does not provide internet access.

Option B is wrong because an Internet Gateway in each VPC does not centralize egress.

75
MCQmedium

An EC2 instance with the attached network interface shown above is unable to reach the internet. The instance is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What is the most likely cause?

A.The source/destination check is enabled, which prevents the instance from sending traffic to the internet if it is not the source of the traffic.
B.The network interface's attachment status is 'attached', but the instance may not have a public IP address.
C.The route table for the subnet does not have a 0.0.0.0/0 route pointing to the internet gateway.
D.The security group is not associated with the network interface.
AnswerC

Although not shown in the exhibit, this is the most common cause of internet access failure for instances in public subnets. The exhibit does not contradict this.

Why this answer

The exhibit shows a network interface whose attachment status is 'attached', whose 'SourceDestCheck' property is set to true, and which has a security group associated with it. Source/destination checking must be disabled only for NAT instances or instances that act as routers; for a regular EC2 instance that performs no NAT or routing it should be enabled. The question does not indicate that this is a NAT instance, so the enabled check is normal here and option A does not explain the failure.

Security groups are stateful, so inbound rules cannot block return traffic, and the question states that the security group allows outbound traffic. Because the exhibit shows a security group associated with the interface, option D is ruled out as well. The instance is in a public subnet and most likely has a public IP address, so option B does not explain the failure either.

The exhibit does not show the subnet's route table. The remaining common cause of an instance in a public subnet being unable to reach the internet is that the route table lacks a 0.0.0.0/0 route pointing to the internet gateway, which is option C.
