AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 676-750

1705 questions total · 23 pages · All types, answers revealed


Page 10 of 23

676
Multi-Select (medium)

Which TWO of the following are benefits of using an AWS Transit Gateway over VPC peering for connecting multiple VPCs? (Select TWO.)

Select 2 answers
A. Lower data transfer costs between VPCs.
B. Built-in internet gateway for all attached VPCs.
C. Automatic encryption of traffic between VPCs.
D. Transitive routing between all attached VPCs.
E. Centralised management of network policies and routing.
Answers: D, E

The hub-and-spoke model allows any-to-any connectivity.

Why this answer

Options D and E are correct. Transit Gateway provides transitive routing (hub-and-spoke) between every attachment and centralised control of that routing through Transit Gateway route tables, which VPC peering (non-transitive, point-to-point) cannot offer. Option A is wrong because Transit Gateway does not reduce data transfer costs; it adds per-attachment hourly and per-GB data processing charges that VPC peering does not have. Option B is wrong because Transit Gateway provides no internet access of its own; internet egress still needs an internet gateway or NAT gateway in an attached VPC. Option C is wrong because Transit Gateway does not encrypt traffic between VPC attachments; traffic stays on the AWS network, but any encryption is the application's responsibility.

677
MCQ (hard)

A company has created a VPC Interface Endpoint for Amazon ECR (Docker registry API) as shown in the exhibit. However, an EC2 instance in the same VPC is unable to authenticate with the ECR registry using the private DNS name. What is the most likely cause?

A. Private DNS is not enabled for the endpoint
B. The endpoint service name is incorrect; it should be com.amazonaws.us-east-1.ecr.api
C. The endpoint is not in the 'available' state
D. The endpoint type should be Gateway, not Interface
Answer: A

When PrivateDnsEnabled is false, the private DNS name for the service is not automatically resolved to the endpoint's IPs, causing authentication failures.

Why this answer

The most likely cause is that Private DNS is not enabled for the VPC Interface Endpoint. When Private DNS is enabled, the endpoint automatically associates a Route 53 private hosted zone with the VPC, allowing the default private DNS name (e.g., *.dkr.ecr.us-east-1.amazonaws.com) to resolve to the endpoint's elastic network interface IP addresses. Without this, the EC2 instance will resolve the private DNS name to the public IP of the ECR service, bypassing the endpoint and failing authentication due to network path issues.

Exam trap

The trap here is that candidates often confuse the endpoint service name for ECR (dkr vs. api) or assume a Gateway endpoint can be used for ECR, but the core issue is the Private DNS toggle, which is a subtle but critical setting for Interface endpoints.

How to eliminate wrong answers

Option B is wrong because the endpoint service name for ECR Docker registry API is com.amazonaws.us-east-1.ecr.dkr, not com.amazonaws.us-east-1.ecr.api (the latter is for the ECR API, not the registry). Option C is wrong because if the endpoint were not in the 'available' state, it would not be functional at all, but the question states the endpoint is created as shown, implying it is available; the issue is DNS resolution, not endpoint state. Option D is wrong because ECR requires an Interface endpoint (powered by AWS PrivateLink) for private connectivity to the Docker registry API; a Gateway endpoint is only used for services like S3 and DynamoDB, not for ECR.
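As an added check for this scenario (example code, not part of the exam page), the function below audits a structure shaped like the output of `aws ec2 describe-vpc-endpoints` for everything a private ECR pull needs: both the `ecr.api` and `ecr.dkr` interface endpoints in the available state with Private DNS enabled, plus an S3 gateway endpoint, because image layers are downloaded from S3. The endpoint IDs and the sample data are constructed so the check runs offline.

```python
"""Audit whether a VPC has the endpoints ECR needs for private image pulls.

Added example, not from the exam page. It evaluates a structure shaped like
`aws ec2 describe-vpc-endpoints` output, so it runs offline on the constructed
sample below. The endpoint IDs are made up.
"""

REGION = "us-east-1"

# Constructed sample in the shape of describe-vpc-endpoints output.
SAMPLE_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60001",
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.us-east-1.ecr.api",
        "State": "available",
        "PrivateDnsEnabled": True,
    },
    {
        "VpcEndpointId": "vpce-0a1b2c3d4e5f60002",
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.us-east-1.ecr.dkr",
        "State": "available",
        "PrivateDnsEnabled": False,  # the misconfiguration in question 677
    },
]


def required_endpoints(region):
    """Private ECR pulls need both ECR interface endpoints and an S3 endpoint
    (image layers are served from S3); a gateway endpoint is the usual choice."""
    return {
        f"com.amazonaws.{region}.ecr.api": "Interface",
        f"com.amazonaws.{region}.ecr.dkr": "Interface",
        f"com.amazonaws.{region}.s3": "Gateway",
    }


def audit_ecr_private_access(endpoints, region=REGION):
    """Return a list of (service_name, problem) tuples; an empty list is healthy."""
    findings = []
    by_service = {}
    for ep in endpoints:
        by_service.setdefault(ep["ServiceName"], []).append(ep)

    for service, want_type in required_endpoints(region).items():
        matches = [e for e in by_service.get(service, [])
                   if e["VpcEndpointType"] == want_type]
        if not matches:
            findings.append((service, f"missing {want_type} endpoint"))
            continue
        for ep in matches:
            if ep["State"] != "available":
                findings.append((service,
                                 f"{ep['VpcEndpointId']} is {ep['State']}, not available"))
            # Private DNS exists only for Interface endpoints; Gateway endpoints
            # are reached through a prefix-list route instead.
            if want_type == "Interface" and not ep.get("PrivateDnsEnabled", False):
                findings.append((service,
                                 f"{ep['VpcEndpointId']} has PrivateDnsEnabled=false; "
                                 "the default service hostname resolves to public IPs"))
    return findings


if __name__ == "__main__":
    for service, problem in audit_ecr_private_access(SAMPLE_ENDPOINTS):
        print(f"{service}: {problem}")
```

Run against the sample, the audit reports the `ecr.dkr` endpoint with Private DNS disabled and the absent S3 gateway endpoint; an instance in that VPC would resolve `*.dkr.ecr.us-east-1.amazonaws.com` to public addresses and, even with DNS fixed, fail to fetch layers without the S3 endpoint.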

678
MCQ (easy)

A company uses AWS Site-to-Site VPN to connect its on-premises network to AWS. The VPN connection is established, but traffic from on-premises to AWS is not working. The on-premises network team confirms that the on-premises firewall is allowing traffic to the VPC CIDR. What should the network engineer check in AWS to resolve the issue?

A. Verify that the VPN tunnel status is UP.
B. Review the customer gateway configuration for incorrect BGP settings.
C. Ensure the virtual private gateway is attached to the correct VPC.
D. Check the VPC route tables to ensure routes to the on-premises network point to the virtual private gateway.
Answer: D

Missing routes in the VPC route table would prevent inbound traffic from reaching instances.

Why this answer

Option D is correct because even if the VPN tunnel is up and BGP is peering, traffic will not flow unless the VPC route tables have a route pointing to the virtual private gateway (VGW) for the on-premises CIDR. Without this route, the VPC has no path to forward return traffic back to the on-premises network, causing asymmetric routing or blackholing.

Exam trap

The trap here is that candidates assume a tunnel status of UP (Option A) guarantees traffic flow, but AWS explicitly separates tunnel health from routing configuration, and the exam tests this distinction by requiring you to check the VPC route tables for the correct target.

How to eliminate wrong answers

Option A is wrong because a tunnel status of UP only indicates the IPsec tunnel is established; it does not guarantee that routing or traffic forwarding is configured correctly. Option B is wrong because BGP settings on the customer gateway affect dynamic route exchange, but the question states the VPN connection is established, and BGP misconfiguration would typically prevent route propagation, not cause traffic failure if static routes are used. Option C is wrong because if the VGW were attached to the wrong VPC, the VPN connection would not be established at all, as the VGW is a required endpoint for the VPN; the question confirms the VPN is established, so the VGW is correctly attached.

679
MCQ (medium)

A company uses AWS Organizations with SCPs to restrict access. The security team notices that users in the 'Developers' account can launch EC2 instances with public IP addresses, even though the SCP denies ec2:AssociateAddress. What is the most likely reason?

A. The SCP was applied to the wrong organizational unit.
B. The users logged in as the root user of the account.
C. The SCP only applies to the root user, not IAM users.
D. The users assumed an IAM role that bypasses the SCP.
Answer: B

The question's premise is that root user actions are not restricted by the SCP.

Why this answer

Option B is the keyed answer: the question assumes that the root user of the member account is not restricted by the SCP, so anyone signed in as root could perform the denied action. Option A is wrong because an SCP attached to the wrong OU would not be in effect for the Developers account at all, whereas the question presents the SCP as applying to it. Option C is wrong because SCPs apply to every IAM user and role in a member account, not only to the root user. Option D is wrong because assuming an IAM role does not bypass an SCP; SCPs bound the effective permissions of every principal in the account, including assumed roles.

Two caveats from the AWS Organizations documentation that a practitioner should keep in mind: SCPs do apply to the root user of a member account (only the management account and service-linked roles are exempt), and ec2:AssociateAddress governs Elastic IP association, not the auto-assigned public IP chosen at launch through ec2:RunInstances, so denying it alone would not stop instances from launching with public IPs.

680
MCQ (easy)

A network engineer is setting up a site-to-site VPN connection between an on-premises network and an AWS VPC. The engineer configures the customer gateway device with the correct parameters. However, the VPN tunnel status remains 'DOWN'. What is the most likely cause?

A. The virtual private gateway is not attached to the customer gateway.
B. The VPN connection is not associated with a subnet.
C. The pre-shared key on the customer gateway device does not match the pre-shared key configured in the VPN connection.
D. The security group associated with the VPN endpoint is blocking the traffic.
Answer: C

A mismatched PSK prevents IKE negotiation.

Why this answer

Option C is correct because the pre-shared key (PSK) for each tunnel must match exactly between the customer gateway device and the AWS VPN endpoint; if it does not, IKE phase 1 authentication fails and the tunnel never leaves the DOWN state. Option A is wrong because a virtual private gateway (VGW) is attached to a VPC, not to a customer gateway. Option B is wrong because a VPN connection is associated with a VGW (or a Transit Gateway), not with a subnet. Option D is wrong because there is no security group on the AWS VPN endpoint; security groups control traffic to elastic network interfaces inside the VPC and play no part in tunnel establishment.

681
MCQ (hard)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. They want to ensure that only traffic from specific on-premises IP ranges is allowed into the production VPC. Which approach should they use?

A. Configure the Direct Connect gateway to only advertise specific prefixes to the Transit Gateway.
B. Deploy AWS Network Firewall in the production VPC and configure stateful rule groups to allow only the on-premises IP ranges.
C. Use Transit Gateway route tables to blackhole traffic from other IP ranges.
D. Create a VPC peering connection between the on-premises network and the production VPC.
Answer: B

AWS Network Firewall can inspect and filter traffic between the Transit Gateway attachment and the production VPC.

Why this answer

Option B is correct. Transit Gateway route tables decide where traffic is forwarded, but they do not filter on source address, so enforcing "only these on-premises ranges" needs a stateful filtering point in the data path. AWS Network Firewall, deployed in the production VPC (or in a central inspection VPC that the Transit Gateway routes through), evaluates stateful rule groups against the 5-tuple and can allow only the approved source ranges. Security groups and network ACLs inside the VPC can also restrict sources, but they are per-resource or per-subnet controls rather than a single enforcement point for everything arriving over the Transit Gateway attachment.

Option A is wrong because prefix advertisement on the Direct Connect gateway is a routing-plane control over which prefixes are exchanged; it does not filter the source addresses of packets that arrive. Option C is wrong because blackhole routes in a Transit Gateway route table match on destination, not source, so they cannot drop traffic from specific on-premises ranges that is bound for the production VPC. Option D is wrong because VPC peering connects two VPCs; it cannot connect an on-premises network to a VPC.

682
MCQ (medium)

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The VPC uses a virtual private gateway (VGW). The on-premises network advertises a route to a specific subnet (10.0.0.0/24) via BGP. However, traffic from the VPC to that subnet is failing. What should the network engineer check first?

A. Verify that the customer gateway device is advertising the subnet route.
B. Verify that the virtual interface is in the 'available' state and BGP session is established.
C. Verify that the VGW is attached to the VPC.
D. Verify that route propagation is enabled on the VPC's route tables associated with the subnets.
Answer: D

Without route propagation, the BGP routes learned over Direct Connect are not added to the VPC route tables.

Why this answer

Option D is correct because routes that the VGW learns over BGP are only installed in a VPC route table when route propagation from that VGW is enabled on the table; without it, instances have no route to 10.0.0.0/24 even though the VGW has learned the prefix. Option A is wrong because the question states that the on-premises side is already advertising the route. Option B is wrong because an available VIF with an established BGP session is a prerequisite, but it does not by itself put the learned routes into the VPC route tables. Option C is wrong because the scenario describes a working private VIF to the VPC through the VGW, so the attachment is already in place; the missing piece is on the VPC routing side.

683
MCQ (easy)

A company is using AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection patterns. Which WAF rule type should be used?

A. SQL injection match condition
B. Geographic match rule
C. IP set rule
D. Rate-based rule
Answer: A

AWS WAF includes a SQL injection match statement and a managed rule group (AWSManagedRulesSQLiRuleSet) specifically for SQL injection detection.

Why this answer

Option A is correct because AWS WAF inspects request components (URI, query string, headers, body) for SQL injection patterns through its SQL injection match statement, and the SQL database managed rule group can be added to the web ACL for the same purpose. Option B is wrong because geographic match rules act on the request's country of origin. Option C is wrong because IP set rules match on source IP addresses. Option D is wrong because rate-based rules limit request rates per source, which helps against floods and brute force rather than injection payloads.

684
MCQ (hard)

A company is migrating a legacy application to AWS. The application requires multicast communication between instances. The company needs to implement a multicast solution within a VPC. Which AWS service or feature should be used to support multicast?

A. Create a Transit Gateway multicast domain
B. Configure multicast in the VPC's route tables
C. Use AWS Global Accelerator for multicast distribution
D. Set up VPC peering to enable multicast between subnets
Answer: A

Transit Gateway supports multicast domains and groups and can distribute multicast traffic to the registered members.

Why this answer

Option A is correct because AWS Transit Gateway supports multicast domains: you associate subnets with the domain and register group members (statically or via IGMP), and the Transit Gateway replicates traffic to them. Option B is wrong because VPC route tables have no multicast support; the VPC itself does not natively forward multicast. Option C is wrong because AWS Global Accelerator uses anycast IP addresses to steer unicast traffic to the nearest endpoint; it is not a multicast service. Option D is wrong because VPC peering carries unicast only and does not support multicast.

685
MCQ (easy)

A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a VPC and an on-premises data center over a Direct Connect virtual interface. The engineer notices that the BGP session is flapping. Which configuration should the engineer verify first?

A. Verify that the BGP hold timer and keepalive interval are consistent between the on-premises router and the AWS side.
B. Verify that the MTU setting on the Direct Connect virtual interface matches the on-premises router.
C. Verify that the on-premises router is advertising the correct prefix to AWS.
D. Verify that the Direct Connect virtual interface is in the 'available' state.
Answer: A

A BGP timer mismatch causes the session to flap.

Why this answer

Option A is correct because mismatched hold and keepalive timers are a common cause of a BGP session that repeatedly establishes and then drops: one side expires the hold timer before the peer's keepalive arrives. Option B is wrong because an MTU mismatch typically shows up as packet loss or fragmentation of large flows rather than as a flapping BGP session. Option C is wrong because advertising a wrong prefix affects which destinations are reachable, not the stability of the session itself. Option D is wrong because the VIF must already be available for BGP to come up at all; a session that establishes and then drops points to a configuration issue, not to the VIF state.

686
Multi-Select (hard)

A company is using AWS Transit Gateway to connect multiple VPCs and Direct Connect. The network team wants to monitor network performance and detect anomalies. Which THREE AWS services should the team use together to achieve this goal? (Select THREE.)

Select 3 answers
A. Amazon CloudWatch
B. AWS Trusted Advisor
C. AWS Network Manager
D. VPC Flow Logs
E. AWS X-Ray
Answers: A, C, D

Together these cover metric analysis, a topology view and per-flow traffic records.

Why this answer

Options A, C and D are correct. A: Amazon CloudWatch aggregates and analyses metrics (including Transit Gateway bytes, packets and drops) and logs, and can alarm on anomalies. C: AWS Network Manager provides a global view of the Transit Gateway network, its attachments and Direct Connect links, with performance and event monitoring. D: VPC Flow Logs record IP traffic metadata per network interface (and Transit Gateway Flow Logs do the same per attachment) for traffic analysis. Option B is wrong because AWS Trusted Advisor provides best-practice checks, not real-time network monitoring. Option E is wrong because AWS X-Ray traces application requests, not network performance.

687
MCQ (easy)

A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach any resources in the VPC. What is the most likely cause?

A. The authorization rules do not include the client's group.
B. The Client VPN endpoint does not have a subnet association.
C. The Client VPN endpoint security group does not allow inbound traffic from the client CIDR.
D. The client's VPN software is not configured with the correct DNS server.
Answer: B

Without a target network (subnet) association, traffic cannot be routed into the VPC.

Why this answer

Option B is correct because the Client VPN endpoint only gets a path into the VPC through its target network associations; associating a subnet creates the route to the VPC CIDR, and without one, connected clients have nowhere to send traffic. Option A is incorrect in this question's framing because authorization rules are the next layer after routing, although a missing rule for the client's group produces the same symptom and should be checked right after the association. Option C is incorrect because the endpoint's security group governs what the associated network interfaces may reach, but the scenario describes a complete lack of connectivity consistent with a missing association rather than a partial block. Option D is incorrect because a wrong DNS server would break name resolution, yet clients would still reach resources by IP address.

688
MCQ (hard)

A company runs a multi-tier application on AWS. The web tier consists of EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The application tier runs on EC2 instances in a separate Auto Scaling group, and the database tier uses an Amazon RDS MySQL instance. All resources are in the same VPC. The security team has identified that the application tier instances are receiving traffic from unknown IP addresses on port 22 (SSH). The team wants to ensure that only the web tier instances can communicate with the application tier on the application port (8080), and only from a specific security group. Additionally, the database tier should only accept traffic from the application tier on port 3306. Currently, the security groups are configured as follows: Web-SG allows inbound from 0.0.0.0/0 on ports 80 and 443; App-SG allows inbound from 0.0.0.0/0 on port 8080 and from 0.0.0.0/0 on port 22; DB-SG allows inbound from 0.0.0.0/0 on port 3306. The team has also noticed that the web tier instances can be accessed via SSH from the internet. Which course of action should the team take to remediate the security issues?

A. Update Web-SG to allow SSH from a specific management CIDR. Leave App-SG and DB-SG as is because they are not directly accessible from the internet.
B. Remove inbound SSH rules from all security groups and rely on AWS Systems Manager Session Manager for administrative access.
C. Update Web-SG to allow SSH from a specific management CIDR. Update App-SG to allow inbound on port 8080 from Web-SG only, and remove inbound SSH from App-SG (or restrict to management CIDR). Update DB-SG to allow inbound on port 3306 from App-SG only.
D. Use network ACLs on the subnets to restrict traffic between tiers instead of security groups.
Answer: C

This restricts each tier to the sources it actually needs and removes the open SSH access.

Why this answer

Option C is correct because it fixes every finding: Web-SG allows SSH only from a trusted management CIDR instead of 0.0.0.0/0; App-SG allows port 8080 only from Web-SG (a security group reference, so membership follows the Auto Scaling group rather than IP addresses) and no longer accepts SSH from the world; DB-SG allows port 3306 only from App-SG.

Option A only fixes the web tier's SSH exposure and leaves App-SG and DB-SG open to any source in the VPC, which is not a defensible posture even for tiers without public IPs. Option B removes the SSH exposure, and Session Manager is a sound practice, but it does nothing about the 0.0.0.0/0 rules on ports 8080 and 3306, which are the core of the finding. Option D is wrong because network ACLs are stateless, subnet-scoped allow/deny lists that cannot express "only from the web tier's security group"; security groups are the right tool for tier-to-tier least privilege.
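To make the tiering decision repeatable rather than a one-off console edit, here is an added example (not from the exam page) that audits a set of inbound rules against a per-tier allow-list and derives the tightened rule set of option C from that same policy. The group IDs, the management CIDR and the simplified rule tuples are constructed for illustration; in real data the security-group sources are the `UserIdGroupPairs` entries returned by `aws ec2 describe-security-groups`.

```python
"""Flag security-group rules that violate a tiered allow-list and derive the
hardened rule set for the scenario in question 688.

Added example, not from the exam page. Group IDs, the management CIDR and the
rule shape are constructed; a source is either a CIDR or a security group ID.
"""

WORLD = "0.0.0.0/0"
MGMT_CIDR = "198.51.100.0/24"  # made-up management range

# Policy: for each group, which sources may reach which port.
TIER_POLICY = {
    "sg-web": {80: {WORLD}, 443: {WORLD}, 22: {MGMT_CIDR}},
    "sg-app": {8080: {"sg-web"}, 22: {MGMT_CIDR}},
    "sg-db": {3306: {"sg-app"}},
}

# Constructed: the current (bad) configuration described in the question,
# as (port, source) tuples per group.
CURRENT_RULES = {
    "sg-web": [(80, WORLD), (443, WORLD), (22, WORLD)],
    "sg-app": [(8080, WORLD), (22, WORLD)],
    "sg-db": [(3306, WORLD)],
}


def audit(rules, policy=TIER_POLICY):
    """Return findings as (group, port, source, reason); empty means compliant."""
    findings = []
    for group, entries in rules.items():
        allowed_ports = policy.get(group, {})
        for port, source in entries:
            allowed_sources = allowed_ports.get(port)
            if allowed_sources is None:
                findings.append((group, port, source, "port not in tier policy"))
            elif source not in allowed_sources:
                reason = ("open to the internet" if source == WORLD
                          else "source not permitted for this tier")
                findings.append((group, port, source, reason))
    return findings


def hardened_rules(policy=TIER_POLICY):
    """Derive the minimal inbound rule set directly from the policy (option C)."""
    return {
        group: sorted((port, src) for port, srcs in ports.items() for src in srcs)
        for group, ports in policy.items()
    }


if __name__ == "__main__":
    for group, port, source, reason in audit(CURRENT_RULES):
        print(f"{group}: tcp/{port} from {source}: {reason}")
    print("hardened:", hardened_rules())
```

The audit reports four findings for the current rules (SSH open on both EC2 tiers, 8080 open on App-SG, 3306 open on DB-SG) and none for the derived rule set, which is the check to run in CI against exported security groups before and after the change.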

689
MCQ (hard)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a route 0.0.0.0/0 pointing to the NAT gateway. However, the EC2 instance cannot reach the internet. Which additional configuration is needed?

A. Assign a public IP address to the EC2 instance.
B. Attach a security group to the NAT gateway allowing outbound traffic.
C. Add a route to the NAT gateway in the private subnet's route table for destination 0.0.0.0/0.
D. Ensure the public subnet's route table has a route 0.0.0.0/0 pointing to an internet gateway.
Answer: D

The NAT gateway itself needs a path to the internet through the internet gateway.

Why this answer

Option D is correct because a NAT gateway forwards traffic according to the route table of the subnet it lives in; if the public subnet's route table has no 0.0.0.0/0 route to an internet gateway, the NAT gateway has nowhere to send the translated traffic, and the private instances are effectively blackholed. Option A is wrong because instances behind a NAT gateway reach the internet through the gateway's Elastic IP and do not need a public IP of their own. Option B is wrong because NAT gateways do not have security groups. Option C is wrong because the question states that this route already exists.

690
MCQ (medium)

A company is designing a network architecture for a two-tier web application. The web tier runs on EC2 instances behind an Application Load Balancer (ALB) in public subnets. The application tier runs on EC2 instances in private subnets. The application tier needs to access an Amazon RDS for PostgreSQL database in the same private subnets. The company requires that all traffic between the ALB and web tier, as well as between web tier and application tier, remain within the AWS network and not traverse the internet. The current design uses an Internet Gateway (IGW) for public subnet internet access and a NAT Gateway for private subnet outbound internet access. The web tier instances have a default route to the IGW, and the application tier instances have a default route to the NAT Gateway. The security groups are configured correctly. However, the application tier cannot connect to the RDS database. What is the MOST likely cause?

A. The application tier instances are using the RDS public DNS name instead of the private DNS name
B. The RDS database is in a different VPC
C. The ALB is not configured to forward traffic to the web tier
D. The NAT Gateway is not configured with the correct route to the RDS subnet
Answer: A

Connecting to a public address sends the traffic out through the NAT Gateway instead of across the VPC's local route.

Why this answer

The RDS instance and the application tier sit in the same private subnets, so they should communicate over private IP addresses via the VPC's local route; internet access is not part of the path. If the application is configured with a public address for the database, the destination falls outside the VPC CIDR, the default route sends the connection to the NAT Gateway and out toward the internet, and it never reaches the database privately. Using the private endpoint (which resolves to the instance's private IP from inside the VPC) keeps the traffic on the local route.

Option B contradicts the scenario, which places everything in one VPC. Option C concerns the ALB-to-web-tier path, not the application-to-database connection. Option D is wrong because a NAT Gateway has no route table of its own; routing is decided by the subnet route tables. A misconfigured security group would produce the same symptom, but the question rules that out, leaving the public endpoint as the most likely cause.

691
MCQ (hard)

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?

A. Use VPC peering to connect all VPCs to the shared services VPC and route traffic through the firewall.
B. Create a Transit Gateway with separate route tables for each VPC and a shared route table for the inspection VPC. Use Gateway Load Balancer to distribute traffic to a fleet of firewall instances.
C. Attach all VPCs to a Transit Gateway and configure a Network Load Balancer in the shared services VPC to distribute traffic to firewall instances.
D. Attach all VPCs to a Transit Gateway and use a single firewall instance with elastic network interfaces in each VPC.
Answer: B

This design is scalable and highly available, with Gateway Load Balancer for inspection and Transit Gateway for routing.

Why this answer

Option B is correct because it combines AWS Transit Gateway with separate route tables per VPC and a shared inspection route table, enabling centralized traffic steering to a fleet of firewall instances behind a Gateway Load Balancer (GWLB). GWLB transparently distributes traffic across multiple firewall instances at the network layer (GENEVE protocol), providing both horizontal scalability and high availability without introducing a single point of failure or requiring complex VPC peering meshes.

Exam trap

The trap here is that candidates often confuse Network Load Balancer (NLB) with Gateway Load Balancer (GWLB), assuming NLB can transparently inspect traffic, but GWLB is the only AWS load balancer designed for inline traffic inspection with third-party appliances.

How to eliminate wrong answers

Option A is wrong because VPC peering creates a full mesh of point-to-point connections that does not scale beyond a few VPCs, and it lacks centralized route control, forcing all traffic through a single firewall in the shared services VPC without built-in load balancing or failover. Option C is wrong because a Network Load Balancer (NLB) operates at Layer 4 and cannot transparently intercept traffic for stateful inspection without additional configuration (e.g., proxy or NAT), whereas GWLB is designed specifically for transparent traffic inspection using GENEVE encapsulation. Option D is wrong because a single firewall instance with elastic network interfaces (ENIs) in each VPC creates a brittle, non-scalable architecture with a single point of failure and no load balancing, violating high availability and scalability requirements.

692
MCQ (easy)

A solutions architect needs to design a VPC with both IPv4 and IPv6 support. The VPC will have public and private subnets. Resources in private subnets need outbound IPv6 access to the internet. Which combination of resources should be used?

A. Internet gateway for public subnets and VPC gateway endpoints for private subnets
B. Internet gateway for public subnets and NAT gateway for private subnets
C. Internet gateway for both public and private subnets using route tables
D. Internet gateway for public subnets and egress-only internet gateway for private subnets
Answer: D

Egress-only internet gateway provides IPv6 outbound access for private subnets.

Why this answer

Option D is correct because an egress-only internet gateway (EIGW) is the AWS-managed service designed specifically to provide outbound-only IPv6 access from private subnets to the internet, while an internet gateway (IGW) handles both inbound and outbound IPv4/IPv6 traffic for public subnets. Unlike a NAT gateway, which only supports IPv4, the EIGW works with IPv6 and prevents any inbound IPv6 connections from the internet, meeting the requirement for outbound-only IPv6 access.

Exam trap

AWS often tests the misconception that a NAT gateway can handle IPv6 traffic, but NAT gateways are IPv4-only; the trap here is confusing the IPv4 outbound solution (NAT gateway) with the IPv6 outbound solution (egress-only internet gateway), or assuming an internet gateway can be used in private subnets with route restrictions.

How to eliminate wrong answers

Option A is wrong because VPC gateway endpoints (e.g., S3, DynamoDB) provide private connectivity to AWS services, not general outbound internet access, and they do not support IPv6 traffic. Option B is wrong because a NAT gateway only supports IPv4 traffic and cannot provide outbound IPv6 access; it is used for IPv4 private subnet internet access. Option C is wrong because placing an internet gateway in private subnet route tables would allow inbound internet traffic (both IPv4 and IPv6) to those subnets, violating the requirement for private subnets that must not be directly reachable from the internet.

693
MCQ (easy)

A company is deploying a new VPC with public and private subnets. The company wants to ensure that EC2 instances in the private subnet can access the internet for software updates. The instances do not need to be accessible from the internet. The network engineer has created a NAT gateway in the public subnet and added a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT gateway. However, instances in the private subnet cannot reach the internet. The NAT gateway is in the 'available' state. What is the MOST likely cause?

A. The NAT gateway is not in a public subnet.
B. The NAT gateway does not have an Elastic IP address associated.
C. The private subnet's route table does not have a default route to the NAT gateway.
D. The security group of the EC2 instances blocks outbound traffic.
Answer: B

A NAT gateway needs an Elastic IP to translate traffic toward the internet.

Why this answer

Option B is correct because a NAT gateway can only forward traffic to the internet when it has an Elastic IP to translate the private sources to. A NAT gateway created without one is a private NAT gateway, which only reaches other VPCs or on-premises networks and cannot serve as an internet egress. Option A is incorrect because the question states that the NAT gateway is in the public subnet. Option C is incorrect because the default route to the NAT gateway is already present. Option D is incorrect because the default security group rules allow all outbound traffic, and the scenario gives no indication they were changed.

694
MCQ (easy)

A company wants to audit all network traffic to and from EC2 instances for security analysis. Which AWS service should they enable?

A. VPC Flow Logs
B. Amazon GuardDuty
C. AWS CloudTrail
D. AWS Config
Answer: A

VPC Flow Logs capture information about IP traffic to and from network interfaces.

Why this answer

Option A is correct because VPC Flow Logs record metadata (source, destination, ports, protocol, bytes, packets, accept/reject) for IP traffic going to and from network interfaces in a VPC, and can be published to CloudWatch Logs or S3 for analysis. Option B is wrong because Amazon GuardDuty consumes flow logs, DNS logs and CloudTrail to detect threats, but it does not itself capture the traffic records. Option C is wrong because AWS CloudTrail records API calls, not network traffic. Option D is wrong because AWS Config records resource configuration changes.

695
MCQ (hard)

A company has a VPC with CIDR 10.0.0.0/16. They have public subnets (10.0.1.0/24, 10.0.2.0/24) and private subnets (10.0.3.0/24, 10.0.4.0/24) in two Availability Zones. An Internet Gateway is attached to the VPC, and a NAT Gateway is in public subnet 10.0.1.0/24. The private subnets route 0.0.0.0/0 to the NAT Gateway. The security team notices that instances in private subnet 10.0.3.0/24 can reach the internet, but instances in private subnet 10.0.4.0/24 cannot. Both private subnets have the same route table configuration. The network ACLs for both private subnets are set to allow all inbound and outbound traffic. What is the most likely cause of the issue?

A. The route table for the public subnet 10.0.1.0/24 does not have a route to the Internet Gateway.
B. The security group on the instances in private subnet 10.0.4.0/24 is blocking outbound traffic.
C. The network ACL for private subnet 10.0.4.0/24 is blocking outbound traffic.
D. The route table for private subnet 10.0.4.0/24 does not have a route to the NAT Gateway.
Answer: A

The NAT Gateway needs a route to the Internet Gateway in its own subnet's route table.

Why this answer

Option A is the keyed answer because the NAT Gateway sits in subnet 10.0.1.0/24 and forwards traffic according to that subnet's route table; without a 0.0.0.0/0 route to the Internet Gateway there, the NAT Gateway cannot send traffic to the internet. Option D is wrong because the question states that both private subnets share the same route table configuration, which already points to the NAT Gateway. Option C is wrong because the network ACLs allow all traffic. Option B is eliminated because the scenario presents the two subnets as identically configured apart from the observed behaviour, and a security group is a per-instance control, not a subnet property.

A practitioner should note that in a real environment a missing IGW route in the NAT Gateway's subnet would break egress for both private subnets, since both use the same NAT Gateway; the question reaches A only by ruling out the per-subnet causes by stipulation. When only one subnet fails, the first real-world checks are that subnet's route table association and the security groups on its instances.

696
Drag & Drop (medium)

Arrange the steps to configure an AWS Transit Gateway with attachments to multiple VPCs:


Why this order

First create the transit gateway, then create attachments, associate them with a route table, update VPC routes, and test connectivity.

697
MCQ (easy)

A company needs to establish a dedicated, private, high-bandwidth connection between its on-premises data center and AWS. Which AWS service should be used?

A. AWS Direct Connect
B. AWS Transit Gateway
C. AWS Site-to-Site VPN
D. VPC peering
Answer: A

A dedicated private connection.

Why this answer

Option A is correct because AWS Direct Connect provides a dedicated physical connection (1, 10 or 100 Gbps, or hosted connections at lower speeds) from the on-premises network into AWS that does not traverse the public internet. Option B is wrong because Transit Gateway is a regional routing hub, not a connection type; it still needs Direct Connect or VPN to reach on-premises. Option C is wrong because Site-to-Site VPN runs over the public internet and is limited to 1.25 Gbps per tunnel. Option D is wrong because VPC peering connects VPCs to each other, not to on-premises networks.

698
MCQ (medium)

A company has an AWS Transit Gateway with multiple VPC attachments. They want to centralize outbound internet traffic through a single VPC that has a NAT gateway and an internet gateway. All other VPCs should route internet-bound traffic through this central VPC. What configuration is required?

A. Attach a virtual private gateway to the central VPC and add a static route in the transit gateway route table pointing 0.0.0.0/0 to the virtual private gateway
B. Add a default route in the central VPC's subnet route tables pointing to the internet gateway
C. Create a route table in the central VPC and associate it with the transit gateway attachment
D. Add a route in the transit gateway route table pointing 0.0.0.0/0 to the NAT gateway in the central VPC
Answer: A

The keyed answer steers the Transit Gateway's default route toward the central VPC, whose own route tables then carry the traffic to the NAT gateway and the internet gateway.

Why this answer

Option A is the keyed answer: a static 0.0.0.0/0 route in the transit gateway route table sends all spoke traffic toward the central (egress) VPC, whose subnet route tables then forward it to the NAT gateway and from there to the internet gateway; each spoke VPC also needs a 0.0.0.0/0 route in its own subnet route tables pointing to its transit gateway attachment. Option B is wrong because a default route to the internet gateway in the central VPC only governs that VPC's own subnets and does nothing to attract traffic from the spokes. Option C is wrong because route tables are associated with subnets (and, on the Transit Gateway side, with attachments), not created inside a VPC for an attachment. Option D is wrong because a transit gateway route cannot target a NAT gateway.

A practitioner should note that a transit gateway route can only target an attachment (VPC, VPN, Direct Connect gateway or peering) or be a blackhole; a virtual private gateway is not a valid target and is not needed in this design. The standard centralized-egress pattern is a static 0.0.0.0/0 route in the transit gateway route table whose target is the egress VPC's attachment, private subnets in the egress VPC routing 0.0.0.0/0 to the NAT gateway, public subnets routing 0.0.0.0/0 to the internet gateway, and both routing the spoke CIDRs back to the transit gateway attachment for return traffic.

699
MCQhard

A company's security team notices that a VPC flow log record shows an outbound connection from a private EC2 instance to an IP address in a restricted country. The security group allows outbound 0.0.0.0/0 for TCP 443. The network ACL allows outbound traffic to 0.0.0.0/0 on ephemeral ports. The company uses AWS Network Firewall with a firewall policy that has a stateful rule group that denies traffic to the restricted country. The flow log shows the traffic was accepted. What is the most likely cause?

A.VPC Flow Logs are not capturing all traffic.
B.The subnet's route table does not have a route that sends traffic to the AWS Network Firewall endpoint.
C.The network ACL inbound rule blocks the return traffic.
D.The security group outbound rule is not configured correctly.
AnswerB

If the route table does not point to the firewall, traffic bypasses the firewall and the stateful rule is not evaluated.

Why this answer

Option B is correct because AWS Network Firewall's stateful rules are evaluated only for traffic that passes through the firewall endpoint. If the subnet's route table does not point to the firewall endpoint, traffic bypasses the firewall and the rule is never evaluated. Option A is wrong because VPC Flow Logs capture traffic after security group and NACL evaluation.

Option D is wrong because the security group allows outbound HTTPS. Option C is wrong because the network ACL allows outbound traffic.

700
MCQeasy

A company has a VPC with a CIDR of 10.0.0.0/16. They want to connect this VPC to a second VPC with CIDR 10.1.0.0/16 using VPC Peering. The VPCs are in the same account and Region. What is the minimum number of route table entries needed in each VPC to enable full bidirectional communication?

A.Two routes in each VPC's route table: one for the local CIDR and one for the peer CIDR
B.No routes are needed because VPC Peering automatically enables communication
C.One route in each VPC's route table
D.One route in only one VPC's route table
AnswerC

Each VPC needs a route to the peer VPC's CIDR via the peering connection.

Why this answer

Option C is correct because each VPC needs one route pointing to the peering connection for the other VPC's CIDR. Option A is wrong because each VPC does not need a route for its own CIDR. Option D is wrong because both VPCs need a route over the single peering connection.

Option B is wrong because explicit routes are required.

701
MCQeasy

A company is designing a VPC with public and private subnets. The private subnets need to access the internet for software updates but must not be directly accessible from the internet. Which AWS service should be used to provide internet access to instances in the private subnets?

A.Internet gateway
B.NAT gateway
C.VPC endpoint
D.Transit gateway
AnswerB

NAT gateway provides outbound-only internet access for private subnets.

Why this answer

Option B is correct because a NAT gateway allows instances in private subnets to initiate outbound traffic to the internet but prevents inbound traffic from the internet. Option A is wrong because an internet gateway is for public subnets and allows inbound connections. Option D is wrong because a transit gateway connects VPCs but does not provide internet access.

Option C is wrong because a VPC endpoint is for accessing AWS services privately, not the internet.

702
MCQeasy

A company wants to securely connect two VPCs in different AWS regions using AWS infrastructure. Which service should be used?

A.AWS Direct Connect
B.Internet Gateway
C.VPC peering
D.AWS Transit Gateway
AnswerC

VPC peering supports inter-region connections.

Why this answer

Option C is correct because VPC peering supports inter-region peering. Option A is wrong because Direct Connect is for on-premises connectivity, not inter-region. Option D is wrong because Transit Gateway currently does not support inter-region peering natively (requires VPC peering).

Option B is wrong because an Internet Gateway is for internet access.

703
MCQmedium

A company is using AWS Transit Gateway to connect multiple VPCs. The security team wants to inspect all traffic between VPCs with a third-party firewall appliance deployed in a centralized inspection VPC. What is the MOST efficient way to route traffic to the inspection VPC?

A.Create VPC peering connections between all VPCs and route traffic through the inspection VPC.
B.Use AWS PrivateLink to route traffic through the inspection VPC.
C.Configure Transit Gateway route tables with a blackhole route for the inter-VPC traffic and a route pointing to the inspection VPC.
D.Attach a Network Load Balancer in each VPC and route traffic through it.
AnswerC

This allows traffic between VPCs to be forced through the inspection VPC for firewall inspection.

Why this answer

Option C is correct because Transit Gateway route tables can be used to steer inter-VPC traffic to the inspection VPC via a central appliance. Option A is wrong because VPC peering does not support transitive routing. Option D is wrong because a Network Load Balancer is not needed for traffic inspection.

Option B is wrong because PrivateLink does not support traffic inspection.

704
MCQmedium

A company is deploying a multi-tier web application in a VPC. The architecture includes an internet-facing Application Load Balancer (ALB) in public subnets, a fleet of EC2 instances in private subnets, and an Amazon RDS database in a separate private subnet. The security team requires that the web application logs be stored in an Amazon S3 bucket for compliance. The EC2 instances have an instance profile that grants write access to the S3 bucket. The EC2 instances are in a private subnet that does not have a route to the internet. The company wants to ensure that the EC2 instances can upload logs to the S3 bucket without traversing the internet. Which solution should they implement?

A.Create a VPC Gateway Endpoint for S3 and add a route in the private subnet's route table pointing to the endpoint
B.Create a VPC Interface Endpoint for S3
C.Deploy a forward proxy server in a public subnet and configure the EC2 instances to use it
D.Attach a NAT Gateway to the private subnet and configure a route to the NAT Gateway
AnswerA

Gateway Endpoint provides private access to S3 without internet.

Why this answer

A VPC Gateway Endpoint for S3 allows EC2 instances in private subnets to access S3 over the AWS network without traversing the internet. Since the instances have an instance profile granting write access, adding a route in the private subnet's route table pointing to the gateway endpoint enables direct, private connectivity to S3. This meets the security requirement of keeping traffic within the AWS backbone.

Exam trap

The trap here is that candidates often confuse VPC Gateway Endpoints with Interface Endpoints, assuming Interface Endpoints are always required for private access, but Gateway Endpoints are the correct, cost-effective choice for S3 and DynamoDB from private subnets without internet.

How to eliminate wrong answers

Option B is wrong because a VPC Interface Endpoint for S3 is not the optimal choice; it uses private IPs and requires additional costs and complexity, while a Gateway Endpoint is simpler, free, and designed specifically for S3 and DynamoDB access from private subnets. Option C is wrong because deploying a forward proxy server in a public subnet would force traffic through an internet gateway, violating the requirement to avoid traversing the internet, and adds unnecessary latency and management overhead. Option D is wrong because attaching a NAT Gateway to the private subnet would route traffic to the internet, which contradicts the requirement to keep traffic off the internet, and NAT Gateways are not designed for private S3 access without internet egress.

705
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). They launch a NAT Gateway in the public subnet and add a route in the private subnet route table: destination 0.0.0.0/0, target nat-gateway-id. An EC2 instance in the private subnet can ping an external server, but cannot connect to it via SSH. The security group allows outbound SSH (port 22), and the NACL allows outbound ephemeral ports. What is the likely cause?

A.The NACL on the private subnet is blocking outbound ephemeral ports.
B.The route table in the private subnet does not have a route to the NAT Gateway.
C.The external server's firewall is blocking traffic from the NAT Gateway's Elastic IP address.
D.The NAT Gateway is not configured to allow SSH traffic.
AnswerC

The external server must allow the NAT Gateway's public IP on port 22.

Why this answer

The issue is likely that the external server's security group or firewall is blocking inbound SSH from the NAT Gateway's public IP. The NAT Gateway uses its Elastic IP for outbound traffic, and the external server must allow that IP. Option D is wrong because the NAT Gateway does not block SSH.

Option A is wrong because the NACL is permissive. Option B is wrong because the route is correct.

706
Multi-Selectmedium

Which TWO statements about AWS Transit Gateway are correct? (Choose two.)

Select 2 answers
A.It provides internet access for attached VPCs
B.It supports transitive routing between attached VPCs
C.It can be shared across AWS accounts using AWS Resource Access Manager
D.It can replace AWS Direct Connect for on-premises connectivity
E.It only supports VPN attachments
AnswersB, C

Transit Gateway allows VPCs to communicate through it.

Why this answer

Options B and C are correct. Transit Gateway supports transitive routing between attachments. It can be shared across accounts using AWS Resource Access Manager (RAM).

Option D is wrong because it does not replace Direct Connect. Option A is wrong because it does not provide internet access. Option E is wrong because it supports both IPsec VPN and Direct Connect attachments.

707
MCQeasy

A company is setting up a VPC with both public and private subnets. The private subnets need outbound internet access for software updates. Which component is required to enable this?

A.A NAT gateway in a public subnet.
B.A VPN connection to an on-premises network that has internet access.
C.A VPC peering connection to a VPC that has internet access.
D.An internet gateway attached to the VPC with a route in the private subnet's route table pointing to the internet gateway.
AnswerA

NAT gateway enables outbound internet for private subnets.

Why this answer

Option A is correct because a NAT gateway in a public subnet provides outbound internet access to instances in private subnets. Option D is wrong because an internet gateway does not provide outbound access for private subnets without a NAT device. Option C is wrong because VPC peering is for connecting VPCs, not internet access.

Option B is wrong because a VPN connection is for site-to-site connectivity, not internet access.

708
Multi-Selectmedium

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The network team wants to isolate traffic between VPCs while allowing all VPCs to reach the on-premises network. Which TWO configurations should be implemented?

Select 2 answers
A.Attach the Direct Connect virtual interface to a VPN attachment on the Transit Gateway
B.Use a Direct Connect gateway to propagate routes to all VPCs
C.Create separate Transit Gateway route tables for each VPC and associate them with the respective VPC attachments
D.Use a single Transit Gateway route table for all attachments
E.Create VPC peering connections between each VPC
AnswersA, C

Provides on-premises connectivity.

Why this answer

Options A and C are correct because Transit Gateway route tables can be used to isolate traffic, and VPN attachments can be used for segmentation. Option E is wrong because VPC peering is not needed if Transit Gateway is used. Option D is wrong because a single route table would allow all VPCs to communicate.

Option B is wrong because a Direct Connect gateway does not isolate traffic between VPCs.

709
MCQhard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path, going through the on-premises network instead of staying within AWS. What is the most likely cause?

A.The Transit Gateway route table has a propagated route from the on-premises network with a longer prefix
B.The VPCs are also peered directly, creating a conflict
C.VPC Flow Logs are enabled, causing latency
D.Security groups are blocking direct traffic between VPCs
AnswerA

More specific routes override default routes, sending traffic on-premises.

Why this answer

Option A is correct because Transit Gateway route propagation from on-premises (VPN or Direct Connect) can advertise more specific routes that override the local VPC routes. Option B is wrong because VPC peering is not used with Transit Gateway. Option D is wrong because security groups do not affect routing.

Option C is wrong because flow logs are for monitoring, not routing decisions.

710
MCQeasy

A company needs to provide internet access to instances in a private subnet while preventing inbound connections from the internet. Which AWS service should be used?

A.NAT Gateway
B.Internet Gateway
C.AWS Direct Connect
D.VPC Endpoint
AnswerA

Provides outbound only.

Why this answer

A NAT Gateway enables instances in a private subnet to initiate outbound IPv4 traffic to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. It achieves this by translating the private source IP addresses of the instances to the NAT Gateway's Elastic IP address, and by default it does not allow inbound traffic unless an explicit inbound rule is added to the associated route table, which is not recommended for this use case.

Exam trap

AWS often tests the misconception that an Internet Gateway can be used in a private subnet with restrictive security groups or network ACLs, but the trap is that an Internet Gateway inherently allows bidirectional traffic and cannot prevent unsolicited inbound connections at the gateway level, whereas a NAT Gateway is specifically designed for outbound-only internet access.

How to eliminate wrong answers

Option B (Internet Gateway) is wrong because an Internet Gateway allows both outbound and inbound traffic from the internet; attaching it to a private subnet would expose instances to unsolicited inbound connections, violating the requirement. Option C (AWS Direct Connect) is wrong because it establishes a dedicated private network connection from on-premises to AWS, not internet access, and does not inherently provide internet connectivity or block inbound internet traffic. Option D (VPC Endpoint) is wrong because it provides private connectivity to AWS services (e.g., S3, DynamoDB) over the AWS network without traversing the internet, but it does not provide general internet access for instances.

711
Multi-Selectmedium

A company is designing a network for a multi-tier application that must meet compliance requirements. The architecture includes a VPC with public, private, and database subnets. Which TWO actions should be taken to ensure the database subnets are not directly accessible from the internet? (Select TWO.)

Select 2 answers
A.Attach an Internet Gateway to the database subnets.
B.Create a NAT Gateway in the database subnets.
C.Associate a security group that denies inbound traffic from 0.0.0.0/0.
D.Configure a network ACL on the database subnets to deny inbound traffic from 0.0.0.0/0.
E.Place the database subnets in private subnets.
AnswersD, E

Correct: Network ACLs can deny inbound traffic.

Why this answer

Options D and E are correct because a public subnet must not be used for databases, and a proper network ACL on the database subnet can deny inbound traffic from 0.0.0.0/0. Option B is wrong because a NAT Gateway in the database subnet would still allow outbound but not inbound; in any case, placing a NAT Gateway in a database subnet is not best practice. Option C is wrong because security groups are stateful and allow return traffic; a deny rule in a network ACL is needed.

Option A is wrong because an IGW on the database subnet would expose it.

712
MCQhard

A media company runs a latency-sensitive streaming application on Amazon EC2 instances in a VPC. The application sends UDP traffic to multiple on-premises destinations via an AWS Transit Gateway with a VPN attachment. Users report occasional freezing. Network monitoring shows no packet loss on the VPN tunnel, but the application logs show out-of-order packets and high jitter. The company uses a single VPN tunnel with BGP dynamic routing over the public internet. The on-premises router has a 50ms latency to the AWS endpoint. The application requires low jitter and in-order delivery. What should a network engineer do to resolve the issue?

A.Add a second VPN tunnel to the same Transit Gateway to load balance traffic
B.Enable jumbo frames on the VPN tunnel to reduce packet overhead
C.Replace the VPN attachment with an AWS Direct Connect private VIF to provide a consistent path
D.Change the application to use TCP instead of UDP
AnswerC

Direct Connect provides consistent low latency and jitter.

Why this answer

UDP traffic over a single VPN tunnel over the internet can experience jitter and reordering due to variable network conditions. Using AWS Direct Connect provides a consistent, low-latency path that eliminates internet variability. Option A (multiple VPN tunnels) may not resolve jitter inherent to internet transit.

Option D (TCP instead of UDP) changes the application protocol and is not a network solution. Option B (enable jumbo frames) does not address jitter.

713
Multi-Selectmedium

A company is designing a network security architecture for a multi-account environment using AWS Organizations. Which TWO services can be used to centrally manage security policies across all accounts?

Select 2 answers
A.AWS Config
B.AWS CloudTrail
C.AWS Organizations Service Control Policies (SCPs)
D.AWS Firewall Manager
E.Amazon VPC
AnswersC, D

SCPs centrally control permissions across accounts.

Why this answer

AWS Firewall Manager centrally manages WAF rules and Shield protections across accounts. AWS Organizations SCPs centrally control permissions. Option A is wrong because AWS Config is per-account.

Option B is wrong because CloudTrail is per-account. Option E is wrong because a VPC is per-account.

714
MCQmedium

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise the 10.0.0.0/8 prefix to AWS. The VPC has a route table that includes a route to the Virtual Private Gateway for 10.0.0.0/8. On-premises hosts can ping EC2 instances in the VPC, but EC2 instances cannot ping on-premises hosts. The VPC has an Internet Gateway and a NAT Gateway. The EC2 instances are in private subnets with routes to the NAT Gateway for 0.0.0.0/0. What is the most likely cause?

A.The Direct Connect virtual interface is configured for public VIF instead of private VIF.
B.The EC2 instances' security group outbound rules are blocking ICMP.
C.The VPC route table has a more specific local route (10.0.0.0/16) that overrides the route to the VGW for part of the on-premises CIDR.
D.The on-premises router is not advertising the 10.0.0.0/8 route to AWS.
AnswerC

Because the VPC uses 10.0.0.0/16, any on-premises IP within that range is considered local and not forwarded to the VGW.

Why this answer

For EC2 instances to reach on-premises hosts, the VPC route table must have a route for the on-premises CIDR pointing to the Virtual Private Gateway. The VPC has that route. However, the on-premises hosts are in the 10.0.0.0/8 range, and the VPC also uses 10.0.0.0/16.

The issue is that the VPC route table has a local route for 10.0.0.0/16, which is more specific than the 10.0.0.0/8 route to the VGW. Traffic from EC2 to on-premises hosts within the 10.0.0.0/16 range will be routed locally within the VPC, not through the VGW. The on-premises hosts must be in a different CIDR than the VPC's CIDR, or the VPC must use a different CIDR.

Since the VPC uses 10.0.0.0/16, any on-premises host with an IP in that range will be considered local and won't go through the VGW. The solution is to ensure the VPC CIDR does not overlap with the on-premises CIDR.

715
MCQeasy

A company uses AWS Client VPN to provide remote access to its VPC. Users report slow connection speeds. The CloudWatch metrics show high packet loss on the VPN connections. What is the most likely cause?

A.The client certificate has expired.
B.The Client VPN subnet is too small.
C.MTU mismatch between the client and the VPN endpoint.
D.Route propagation is not enabled in the VPC route table.
AnswerC

MTU mismatch leads to fragmentation and packet loss.

Why this answer

Option C is correct because MTU issues cause fragmentation and packet loss. Option B is incorrect because subnet size does not affect packet loss. Option A is incorrect because client authentication doesn't cause packet loss.

Option D is incorrect because route propagation does not cause packet loss.

716
MCQeasy

A company is planning to connect multiple VPCs in different AWS accounts using AWS Transit Gateway. The VPCs must be able to communicate with each other, but the company wants to centralize egress traffic to the internet through a single VPC that has a NAT gateway. Which configuration meets these requirements?

A.Attach all VPCs to a Transit Gateway, create a central egress VPC with a NAT gateway, and configure Transit Gateway route tables to send default traffic to the central VPC.
B.Use AWS Site-to-Site VPN to connect the VPCs and route traffic through a central VPN endpoint.
C.Use VPC peering to connect all VPCs and configure a NAT gateway in one VPC.
D.Attach each VPC to a Transit Gateway and configure a NAT gateway in each VPC.
AnswerA

Centralizes internet egress while allowing VPC-to-VPC communication.

Why this answer

Option A is correct because AWS Transit Gateway allows you to attach multiple VPCs from different accounts and centrally manage routing. By configuring the Transit Gateway route tables to send default traffic (0.0.0.0/0) to a central egress VPC that contains a NAT gateway, all other VPCs can route internet-bound traffic through that single NAT gateway, centralizing egress while maintaining inter-VPC communication.

Exam trap

The trap here is that candidates often confuse VPC peering with Transit Gateway, assuming VPC peering supports transitive routing (which it does not), or they think placing a NAT gateway in each VPC is acceptable, missing the explicit requirement for centralized egress.

How to eliminate wrong answers

Option B is wrong because AWS Site-to-Site VPN is designed for connecting on-premises networks to AWS, not for inter-VPC connectivity, and it would introduce unnecessary complexity, latency, and bandwidth limitations. Option C is wrong because VPC peering does not support transitive routing; to connect all VPCs in a mesh, you would need a full mesh of peering connections, which does not scale and still requires manual route table entries in each VPC to direct traffic to the central NAT gateway. Option D is wrong because configuring a NAT gateway in each VPC defeats the requirement to centralize egress traffic; each VPC would have its own independent internet egress, not a single centralized point.

717
Multi-Selecthard

Which THREE are valid methods to secure data in transit between a VPC and an on-premises network over the internet? (Choose three.)

Select 3 answers
A.VPC Endpoint (Gateway or Interface)
B.AWS Direct Connect with a VPN
C.AWS Client VPN
D.VPC Peering
E.AWS Site-to-Site VPN
AnswersB, C, E

Combines Direct Connect for reliability and VPN for encryption.

Why this answer

Options B, C, and E are correct. A Site-to-Site VPN connection uses IPsec to encrypt traffic. Client VPN provides secure tunnels for individual clients.

Direct Connect is a physical connection and does not encrypt on its own; however, a VPN over Direct Connect does encrypt. Option D is wrong because VPC Peering is for VPC-to-VPC, not for on-premises. Option A is wrong because VPC Endpoints are for private AWS service access, not for on-premises connectivity.

718
MCQeasy

A company wants to use AWS Direct Connect to connect their on-premises network to a VPC. They have two Direct Connect locations and want high availability. What is the minimum number of Direct Connect virtual interfaces needed?

A.One public VIF and one private VIF
B.Four private VIFs
C.Two private VIFs
D.One private VIF
AnswerC

Two VIFs, each on a separate Direct Connect connection, provide high availability.

Why this answer

Option C is correct because for high availability you need at least two connections, each with its own private virtual interface (VIF). Option D is wrong because a single VIF is a single point of failure. Option A is wrong because you need at least two private VIFs, one for each connection.

Option B is wrong because four is more than necessary.

719
Multi-Selecthard

A company has a VPC with multiple subnets spanning three Availability Zones. They have deployed an Application Load Balancer (ALB) in the VPC and need to ensure high availability and scalability for a web application. Which of the following are design considerations for implementing the ALB in this environment? (Choose THREE.)

Select 3 answers
A.Enable the ALB in at least two Availability Zones to provide high availability.
B.Remove an Availability Zone from the ALB if the targets in that AZ are unhealthy.
C.Configure the ALB to use subnets that span multiple Availability Zones.
D.Use VPC peering to connect the ALB to subnets in other VPCs.
E.Enable cross-zone load balancing to evenly distribute traffic across all targets.
AnswersA, B, E

ALB must have targets in multiple AZs to be highly available.

Why this answer

Option A is correct because AWS requires an Application Load Balancer to be enabled in at least two Availability Zones to achieve high availability. If one AZ fails, the ALB can continue routing traffic to healthy targets in the remaining AZs, ensuring fault tolerance and compliance with the ALB's regional service model.

Exam trap

AWS often tests the misconception that subnets can span multiple Availability Zones or that VPC peering can directly integrate an ALB with subnets in another VPC, but both are architecturally invalid in AWS.

720
MCQhard

A company uses AWS Direct Connect to connect their on-premises network to AWS. They want to encrypt all traffic between their on-premises router and the AWS Direct Connect location. Which solution should they implement?

A.Use an IPsec VPN over the internet for additional encryption.
B.Use AWS PrivateLink to create a secure connection.
C.Enable MACsec on the Direct Connect connection.
D.Use TLS to encrypt the traffic at the application layer.
AnswerC

MACsec encrypts the Direct Connect link at Layer 2.

Why this answer

Option C is correct: MACsec provides encryption at Layer 2 for Direct Connect. Option A is wrong because an IPsec VPN over the internet does not run over Direct Connect. Option D is wrong because TLS is for the application layer.

Option B is wrong because AWS PrivateLink is for VPC endpoints.

721
Multi-Selecthard

A security engineer is designing a network security architecture for a hybrid cloud environment. The company has an AWS Direct Connect connection to its on-premises data center. They want to ensure that all traffic between on-premises and AWS is encrypted and that the encryption is enforced at the network layer. Which TWO solutions should the engineer consider?

Select 2 answers
A.Enable MACsec on the Direct Connect dedicated connection.
B.Set up an SSL VPN between on-premises and AWS.
C.Use VPC Peering to connect on-premises to AWS.
D.Configure an IPsec VPN over the Direct Connect virtual interface.
E.Use TLS encryption at the application layer.
AnswersA, D

MACsec provides Layer 2 encryption on the Direct Connect physical link.

Why this answer

Option D (IPsec VPN over Direct Connect) is correct because it creates an encrypted tunnel over the Direct Connect link. Option A (MACsec) is correct because it provides encryption at Layer 2 on the Direct Connect connection. TLS is Layer 5 and above, not the network layer.

SSL VPN is not relevant. VPC Peering does not apply to on-premises.

722
MCQeasy

A company wants to restrict access to an S3 bucket so that only objects with server-side encryption using AWS KMS (SSE-KMS) can be uploaded. Which bucket policy condition should be used?

A.kms:ViaService
B.s3:x-amz-server-side-encryption
C.aws:SourceVpce
D.s3:x-amz-server-side-encryption-aws-kms-key-id
AnswerD

This condition enforces a specific KMS key ID for SSE-KMS.

Why this answer

Option D is correct because the s3:x-amz-server-side-encryption-aws-kms-key-id condition key allows you to enforce a specific KMS key ID. Option B is wrong because s3:x-amz-server-side-encryption checks for AES256 or aws:kms but does not enforce a specific key. Option A is wrong because kms:ViaService is a KMS condition, not an S3 condition.

Option C is wrong because aws:SourceVpce restricts the VPC endpoint, not encryption.

723
MCQhard

A company has a multi-tier application deployed in a VPC. The web tier consists of an internet-facing Application Load Balancer (ALB) in public subnets, and EC2 instances in private subnets. The application tier runs on EC2 instances in separate private subnets, and the database tier uses an Amazon RDS for MySQL instance in private subnets. The application tier needs to connect to the database on port 3306. The security group for the RDS instance (sg-database) has an inbound rule allowing TCP 3306 from the security group of the application tier (sg-app). The application tier instances can connect to the database, but the web tier instances cannot. The web tier instances should not have direct database access. What is the most likely reason for the web tier's inability to connect to the database?

A.The network ACL for the database subnet is blocking inbound traffic from the web tier subnets.
B.The security group of the RDS instance does not have an inbound rule allowing traffic from the web tier's security group.
C.The RDS instance is in a public subnet and requires a NAT Gateway for communication.
D.The route table for the web tier subnets does not have a route to the database subnets.
AnswerB

The rule only allows traffic from sg-app, not from the web tier's security group.

Why this answer

The security group rule on sg-database allows traffic from sg-app. Since the web tier instances are in a different security group, they are not allowed. Option B is correct because the rule references sg-app, not the web tier's security group.

Option A is wrong because if the NACL were blocking, the application tier would also be affected. Option C is wrong because the database is in a private subnet and does not need a NAT Gateway. Option D is wrong because the route table is not relevant to security group rules.

724
MCQeasy

A company wants to block outbound traffic from a VPC to the internet except through a NAT Gateway for updates to specific software repositories. Which AWS service should be used to control outbound traffic?

A.Security Groups
B.Route Tables
C.VPC Endpoints
D.Network ACLs
AnswerD

Network ACLs are stateless and can control outbound traffic at the subnet level.

Why this answer

Option D is correct because Network ACLs are attached to subnets to control inbound and outbound traffic at the subnet level, and can be used to block outbound internet traffic except through the NAT Gateway. Option C is wrong because VPC endpoints are for private connectivity to AWS services, not for controlling outbound internet traffic. Option A is wrong because Security Groups are stateful and cannot block outbound traffic based on destination IP ranges in a granular manner.

Option B is wrong because Route Tables control routing, not filtering.

725
MCQmedium

A network engineer is troubleshooting a Direct Connect private VIF. The VIF is in 'available' state but traffic is not flowing to the VPC. The VGW is attached to the VPC. What is the most likely cause?

A.The VPC route table lacks a route to the on-premises network pointing to the VGW.
B.The route filter prefix for the VPC CIDR is misconfigured.
C.BGP is not established between the on-premises router and the VGW.
D.The VIF state is not 'available'.
AnswerA

Without this route, traffic cannot be forwarded.

Why this answer

When a Direct Connect private VIF is in the 'available' state, the physical and logical layer 2 connectivity is established, and BGP sessions are typically up. However, traffic still cannot flow to the VPC unless the VPC route table contains a route that directs traffic destined for the on-premises network to the Virtual Private Gateway (VGW). Without this route, the VPC has no path to send traffic over the Direct Connect connection, even though the VIF and BGP are operational.

Exam trap

The trap here is that candidates assume an 'available' VIF and established BGP automatically mean traffic flows, but they overlook the critical requirement of a VPC route table entry pointing to the VGW as the next hop.

How to eliminate wrong answers

Option B is wrong because route filter prefixes control which BGP routes are advertised or accepted, but they do not prevent traffic flow if the VPC route table already has a static route pointing to the VGW; the question states the VIF is available and BGP is likely established, so a misconfigured route filter would affect route propagation, not the immediate lack of a route in the VPC. Option C is wrong because if BGP were not established, the VIF would typically show a 'down' or 'pending' BGP status, but the VIF is 'available' and the issue is traffic not flowing, implying BGP is up. Option D is wrong because the VIF state is explicitly stated as 'available', which means the physical and logical layer 2 connectivity is functioning correctly.

726
MCQhard

Refer to the exhibit. A network engineer has this IAM policy attached to their user. They attempt to create a VPC peering connection between VPC A (in account 123456789012) and VPC B (in account 210987654321). The request fails. Which additional permission is required?

A.The ec2:CreateVpcPeeringConnection action is not allowed on the accepter VPC.
B.The policy must include a condition that the accepter VPC owner is the target account.
C.The user needs ec2:ModifyVpcPeeringConnectionOptions permission.
D.The user needs ec2:CreateVpcEndpoint permission.
AnswerB

Without a condition, the peering request may be denied if the accepter account is not specified.

Why this answer

Option B is correct because when creating a VPC peering connection across AWS accounts, the requester's IAM policy must include a condition that explicitly allows the action only when the accepter VPC owner is the target account. Without this condition, the ec2:CreateVpcPeeringConnection action will fail because the policy lacks the necessary cross-account authorization context. The condition key aws:SourceAccount or ec2:AccepterVpcOwnerId must be used to restrict the action to the specific accepter account.

Exam trap

Cisco often tests the misconception that the ec2:CreateVpcPeeringConnection action alone is sufficient for cross-account peering, but the trap is that the IAM policy must include a condition to specify the accepter account ID, otherwise the request fails due to missing authorization context.

How to eliminate wrong answers

Option A is wrong because the ec2:CreateVpcPeeringConnection action is allowed on the requester VPC, not the accepter VPC; the accepter VPC is specified as a parameter, and the action itself is performed on the requester side. Option C is wrong because ec2:ModifyVpcPeeringConnectionOptions is used to update DNS resolution or other peering options after the connection is established, not to create the peering connection itself. Option D is wrong because ec2:CreateVpcEndpoint is unrelated to VPC peering; it is used to create VPC endpoints for AWS services like S3 or DynamoDB.

727
MCQhard

Refer to the exhibit. An AWS administrator is troubleshooting an issue where an EC2 instance cannot access an S3 bucket using an instance profile. The instance profile is associated with an IAM role that has the above trust policy. The S3 bucket policy allows s3:GetObject only for the role's ARN. What is the most likely cause of the access failure?

A.The VPC does not have an S3 VPC endpoint
B.The instance profile is not attached to the EC2 instance
C.The S3 bucket policy does not allow s3:ListBucket
D.The trust policy does not allow the S3 service to assume the role
AnswerB

Without the instance profile, the EC2 instance cannot assume the role.

Why this answer

The instance profile must be attached to the EC2 instance for the IAM role's credentials to be available to the instance. Without this attachment, the EC2 instance cannot assume the role or use its permissions to access the S3 bucket, even if the trust policy and bucket policy are correctly configured.

Exam trap

The trap here is that candidates often overlook the instance profile attachment step and instead focus on policy misconfigurations, assuming the trust policy or bucket policy is the issue when the real problem is the missing link between the instance and the role.

How to eliminate wrong answers

Option A is wrong because an S3 VPC endpoint is not required for EC2 instances to access S3 via an instance profile; it is only needed for private connectivity without traversing the internet. Option C is wrong because the s3:GetObject permission is sufficient to read an object; s3:ListBucket is only required for listing objects, not for a direct GetObject request. Option D is wrong because the trust policy in the exhibit allows the EC2 service (not S3) to assume the role, which is correct for an instance profile; the S3 service does not need to assume the role.

728
MCQmedium

A company is setting up a new AWS Direct Connect connection. They have provisioned a 1 Gbps dedicated connection. They need to create a private virtual interface (VIF) to connect to their VPC. The VIF has been created and is in the 'available' state, but the BGP session is not coming up. What is the most likely cause?

A.The BGP hold timer is set too high on the customer router.
B.The VLAN ID assigned to the VIF is already in use on another VIF.
C.The BGP authentication key does not match between the customer router and AWS.
D.The Direct Connect interface is in the 'down' state.
AnswerC

If BGP MD5 authentication is configured, both sides must have the same key, or the session will not establish.

Why this answer

Option C is correct because BGP authentication must match on both sides. Option B is wrong because the VLAN ID must be unique per VIF but does not prevent BGP from coming up. Option A is wrong because the BGP timer can be adjusted but does not prevent session establishment.

Option D is wrong because the interface state is already available.

729
MCQhard

Refer to the exhibit. An IAM role ARN is shown. A security engineer wants to allow an EC2 instance to assume this role. What is required for the EC2 instance to successfully assume the role?

A.The trust policy must specify the EC2 instance's private IP address.
B.The role's trust policy must allow the EC2 service principal to assume the role, and the EC2 instance must be launched with an instance profile that includes this role.
C.The role's permissions policy must include an Allow for the EC2 instance's security group.
D.The EC2 instance must have a public IP address to access the IAM endpoint.
AnswerB

The trust policy grants the EC2 service permission to assume the role, and the instance profile associates the role with the instance.

Why this answer

Option B is correct because the trust policy of the role must allow the EC2 service to assume it. Additionally, the EC2 instance must have an instance profile with the role attached. Option C is incorrect because the role's permissions policy defines what the role can do, not who can assume it.

Option D is incorrect because the EC2 instance does not need a public IP. Option A is incorrect because the trust policy must allow ec2.amazonaws.com, not the instance's IP address.

730
MCQmedium

A company has an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The ALB is configured with a target group that has a health check path of /health. Some instances are failing health checks and being marked unhealthy, but the application logs show the instances are healthy. What is the most likely cause?

A.The health check path is incorrect
B.The target group's slow start duration is too long
C.The security group for the instances does not allow inbound traffic from the ALB's security group on the health check port
D.The ALB's stickiness is preventing health checks
AnswerC

The ALB's health checks must be allowed by the instance security group.

Why this answer

The health check is failing because the security group for the instances is not allowing traffic from the ALB. Option C is correct. Option A (health check path) is working as configured.

Option B (slow start) does not cause health check failures. Option D (stickiness) does not affect health checks.

731
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no VPC in any account can have an internet gateway attached. Which option meets this requirement?

A.Create an IAM policy that denies ec2:AttachInternetGateway and attach it to each account's admin role.
B.Use security groups to block traffic from internet gateways.
C.Apply a service control policy (SCP) that denies ec2:AttachInternetGateway at the root level.
D.Use network ACLs to block traffic from internet gateways.
AnswerC

SCPs centrally control permissions for all accounts in the organization and can deny the action.

Why this answer

Option C is correct because a service control policy (SCP) can be applied to the root or OUs to deny the ec2:AttachInternetGateway action. Option A is wrong because IAM roles are per-account and not centrally enforced. Option B is wrong because security groups do not control internet gateway attachments.

Option D is wrong because network ACLs do not control internet gateway attachments.

732
MCQeasy

A company has an AWS Site-to-Site VPN connection between their on-premises network and a VPC. The VPN tunnel status shows 'UP'. However, instances in the VPC cannot ping an on-premises server at 192.168.1.10. Which step should be taken to troubleshoot?

A.Verify that the internet gateway is attached to the VPC
B.Verify that the VPC route table has a route to the on-premises network via the virtual private gateway
C.Verify that the security group for the instances allows outbound ICMP
D.Verify that the VPN tunnel is up on both ends
AnswerB

Without this route, traffic from VPC to on-premises is dropped.

Why this answer

Option B is correct because the VPC route table must have a route for the on-premises CIDR pointing to the virtual private gateway (or transit gateway). Option D is wrong because the tunnel is already up. Option C is wrong because security groups are stateful and usually allow outbound ping.

Option A is wrong because the VPN connection uses the virtual private gateway, not the internet gateway.

733
MCQmedium

A company has a VPC with a CIDR block of 10.0.0.0/16. It needs to create a secondary CIDR block for additional subnets that must not overlap with the existing CIDR. Which CIDR block should be used?

A.172.16.0.0/16
B.10.0.0.0/16
C.10.0.0.0/8
D.10.1.0.0/16
AnswerD

This does not overlap and is a valid private CIDR.

Why this answer

VPC secondary CIDR blocks must not overlap with the primary CIDR. Option D (10.1.0.0/16) is in the 10.0.0.0/8 range but does not overlap with 10.0.0.0/16. Option C overlaps (10.0.0.0/8 includes 10.0.0.0/16).

Option B overlaps (10.0.0.0/16 is the same block). Option A (172.16.0.0/16) is a valid private CIDR that does not overlap, but it is not in the 10.0.0.0/8 range; a VPC can use any private CIDR as a secondary block, but Option D is the expected choice because it is common practice to use a different /16 within the 10.0.0.0/8 range.

734
MCQeasy

A company needs to centrally manage network security policies across multiple VPCs and on-premises networks. Which AWS service provides a centralized dashboard for managing firewall rules?

A.Network ACLs
B.Security Groups
C.AWS WAF
D.AWS Network Firewall
AnswerD

AWS Network Firewall provides centralized firewall management across VPCs.

Why this answer

Option D is correct because AWS Network Firewall provides a centralized firewall management service. Option C is incorrect because AWS WAF is a web application firewall, not a tool for network-level policies. Option A is incorrect because NACLs are per-subnet and not centralized.

Option B is incorrect because Security Groups are per-ENI and not centralized.

735
MCQhard

Refer to the exhibit. A Lambda function is attached to a VPC using the network interface eni-1234567890abcdef0. The Lambda function needs to send traffic to an on-premises server via a Direct Connect connection. The traffic is failing. Which setting on the network interface is most likely causing the issue?

A.The network interface is in a subnet that does not have a route to the Direct Connect.
B.The network interface has two private IP addresses.
C.The SourceDestCheck flag is enabled, which prevents the Lambda function from sending traffic that it is not the source or destination of.
D.The security group attached to the network interface may be blocking outbound traffic.
AnswerC

Lambda functions that forward traffic need to disable source/destination check.

Why this answer

The SourceDestCheck flag is set to true (default). For Lambda functions that are not the source or destination of traffic (e.g., when acting as a NAT or forwarding traffic), this check must be disabled. In this scenario, if the Lambda function is forwarding traffic, the source/destination check would drop packets.

Option B (multiple IPs) is not an issue; Option D (security group) could be, but the exhibit doesn't show rules; Option A (subnet) is not the direct cause.

736
MCQmedium

Refer to the exhibit. A VPN connection has two tunnels. Which statement is correct about this VPN configuration?

A.The VPN uses BGP dynamic routing
B.The VPN provides high availability with two tunnels
C.The tunnel inside CIDRs are /24 networks
D.Both tunnels use the same inside CIDR
AnswerB

Two tunnels provide redundancy.

Why this answer

The exhibit shows a VPN connection with two tunnels, which is the standard design for AWS Site-to-Site VPN to provide high availability. Each tunnel is on a separate device and path, so if one tunnel fails, traffic automatically fails over to the other tunnel. This ensures that the VPN connection remains operational even during maintenance or failure of a single tunnel.

Exam trap

AWS often tests the misconception that two tunnels in a VPN connection are for load balancing, but in AWS Site-to-Site VPN, they are strictly for high availability (active/standby or active/active with BGP), not for aggregating bandwidth.

How to eliminate wrong answers

Option A is wrong because the VPN configuration shown does not indicate BGP dynamic routing; the tunnels could be using static routing or BGP, but the exhibit alone does not confirm BGP. Option C is wrong because the tunnel inside CIDRs are not necessarily /24 networks; AWS VPN tunnels use /30 or /31 networks for the inside IP addresses. Option D is wrong because both tunnels use different inside CIDRs (e.g., 169.254.10.0/30 and 169.254.11.0/30) to avoid IP overlap and allow independent routing.

737
MCQhard

Refer to the exhibit. A VPN connection is established between an on-premises network (10.0.0.0/16) and an AWS VPC (172.16.0.0/16). The on-premises network can ping the VPC's private IP addresses, but the VPC cannot ping the on-premises network's IP addresses. The VPC route table has a route to 10.0.0.0/16 pointing to the VGW. What is the MOST likely cause?

A.The VPN tunnels are not both in UP state
B.The VPN acceleration is disabled, causing high latency
C.The VPN connection is configured with static routes only and BGP is not used
D.The on-premises network does not have a route to the VPC CIDR (172.16.0.0/16) pointing to the customer gateway
AnswerD

Without a return route, traffic from VPC reaches on-premises but replies are dropped.

Why this answer

Option D is correct because the VPN connection has a static route for 10.0.0.0/16, but the remote network CIDR is 0.0.0.0/0, which may cause routing issues. However, the main issue is that the VPC has a route to 10.0.0.0/16, but the on-premises network may not have a route back to the VPC's CIDR (172.16.0.0/16). Option A is incorrect because the tunnels are up.

Option C is incorrect because static routes are configured. Option B is incorrect because acceleration is optional.

738
MCQeasy

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) across multiple Availability Zones. The application uses a MySQL database on an RDS instance in a private subnet. Security compliance requires that all traffic between the ALB and EC2 instances must be encrypted. The security team finds that the ALB currently sends traffic to the EC2 instances using HTTP on port 80. The EC2 security group allows inbound HTTP traffic from the ALB security group. The team needs to implement encryption with minimal changes and without disrupting the application. Which solution meets these requirements?

A.Set up an AWS Client VPN endpoint and have the ALB send traffic through the VPN to the EC2 instances.
B.Deploy an internal ALB in front of the EC2 instances and configure it with an HTTPS listener. Route traffic from the public ALB to the internal ALB.
C.Modify the ALB listener to use HTTPS on port 443. Create a new target group with protocol HTTPS on port 443. Install a valid SSL/TLS certificate on each EC2 instance. Update the EC2 security group to allow inbound HTTPS from the ALB security group.
D.Replace the ALB with a Network Load Balancer (NLB) and use TLS listeners to the EC2 instances.
AnswerC

This encrypts traffic between ALB and EC2 with minimal changes.

Why this answer

Option C is correct because it directly modifies the existing ALB to use an HTTPS listener on port 443, creates a new target group with HTTPS on port 443, and requires installing a valid SSL/TLS certificate on each EC2 instance. This ensures all traffic between the ALB and EC2 instances is encrypted with TLS, meeting the security requirement with minimal changes and no disruption to the application. The EC2 security group update to allow inbound HTTPS from the ALB security group completes the configuration.

Exam trap

The trap here is that candidates may think simply changing the ALB listener to HTTPS is enough, but they overlook the requirement to create a new target group with HTTPS protocol and install certificates on the EC2 instances to encrypt the traffic between the ALB and the instances, not just the client-to-ALB leg.

How to eliminate wrong answers

Option A is wrong because introducing an AWS Client VPN endpoint adds unnecessary complexity, latency, and cost; it does not encrypt traffic between the ALB and EC2 instances natively and would disrupt the existing architecture. Option B is wrong because deploying an internal ALB in front of the EC2 instances creates an unnecessary hop and does not encrypt the traffic between the public ALB and the internal ALB unless that leg is also configured with HTTPS, which still requires changes to the EC2 instances and adds complexity. Option D is wrong because replacing the ALB with an NLB would require reconfiguring the entire load balancing setup, potentially disrupting the application, and NLBs do not support native HTTPS health checks or path-based routing that the application may rely on; TLS listeners on an NLB still require certificates on the EC2 instances, but the change is more invasive than modifying the existing ALB.

739
MCQeasy

Based on the output, which of the following is true?

A.The Direct Connect Gateway uses ASN 64512
B.The Direct Connect Gateway is in a 'deleted' state
C.The Direct Connect Gateway is a virtual private gateway
D.The Direct Connect Gateway is owned by a different account
AnswerA

The amazonSideAsn is set to 64512.

Why this answer

Option A is correct because the output shows a Direct Connect Gateway with an Amazon-side ASN of 64512. Option B is wrong because the state is 'available'. Option C is wrong because the ID starts with 'dxgw'.

Option D is wrong because ownerAccount is present.

740
Multi-Selecthard

A company is setting up a Site-to-Site VPN connection between their on-premises network and AWS. Which THREE components are required for a VPN connection?

Select 3 answers
A.VPN Tunnel
B.Transit Gateway
C.Internet Gateway
D.Virtual Private Gateway
E.Customer Gateway
AnswersA, D, E

Encrypted connection.

Why this answer

A VPN tunnel is a required component for an AWS Site-to-Site VPN connection because it provides the encrypted, secure communication channel between the on-premises customer gateway and the AWS virtual private gateway. Each VPN connection consists of two tunnels for high availability, each using IPsec (IKEv1 or IKEv2) to encrypt traffic. Without at least one VPN tunnel, no encrypted data can traverse the VPN connection.

Exam trap

AWS often tests the misconception that a Transit Gateway is a required component for a Site-to-Site VPN, but the correct required components are only the VPN Tunnel, Virtual Private Gateway, and Customer Gateway.

741
MCQhard

A company is experiencing high latency for traffic between EC2 instances in the same VPC but in different Availability Zones. The network team suspects the issue is related to the placement group used. The instances are in a spread placement group. What should the network engineer do to reduce latency?

A.Change the placement group to a cluster placement group and ensure instances are in the same Availability Zone.
B.Enable enhanced networking on the instances and increase the instance size.
C.Move the instances to the same subnet within the same Availability Zone but keep the spread placement group.
D.Create a VPC peering connection between the two AZs and route traffic through it.
AnswerA

Cluster placement groups provide low latency by grouping instances in a single AZ.

Why this answer

Option A is correct because a cluster placement group is recommended for low-latency, high-throughput traffic. Option C is wrong because moving to the same subnet does not guarantee low latency across AZs. Option D is wrong because VPC peering does not reduce latency for intra-VPC traffic.

Option B is wrong because increasing bandwidth does not directly reduce latency.

742
Multi-Selecthard

A company is troubleshooting connectivity issues between two VPCs that are peered using an inter-region VPC peering connection. The VPCs have the following CIDR blocks: VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). Which THREE of the following are possible reasons for the connectivity failure?

Select 3 answers
A.The VPC CIDR blocks overlap.
B.The VPC peering connection is in a 'pending-acceptance' state.
C.The route tables in each VPC do not have routes pointing to the peer VPC's CIDR.
D.The network ACLs in VPC A are blocking inbound traffic from VPC B's CIDR.
E.The security group rules in VPC A do not allow inbound traffic from VPC B's CIDR.
AnswersC, D, E

Without routes, traffic will not be forwarded to the peering connection.

Why this answer

For VPC peering, route tables must have routes to the peer VPC, security groups must allow traffic, and network ACLs must allow traffic. Option A is wrong because overlapping CIDRs are not the issue. Option B is wrong because the peering connection is in the 'active' state by default after acceptance.

743
MCQhard

An organization is using AWS Direct Connect with a private VIF to connect to a VPC. They want to extend connectivity to multiple VPCs in the same region without creating multiple private VIFs. Which solution should they implement?

A.Create VPC peering connections from the VPC with the Direct Connect VIF to the other VPCs.
B.Create a Direct Connect gateway and associate it with a Transit Gateway that is attached to the VPCs.
C.Provision separate private VIFs for each VPC.
D.Use a Transit VIF to connect directly to a Transit Gateway.
AnswerB

A Direct Connect gateway can be associated with multiple virtual private gateways or a Transit Gateway to connect to multiple VPCs.

Why this answer

Option B is correct because a Direct Connect gateway allows a single private VIF to connect to multiple VPCs via a Transit Gateway or virtual private gateways. Option D is incorrect because a Transit VIF is for transit gateways, but the Direct Connect gateway is the key. Option A is incorrect because VPC peering does not use Direct Connect.

Option C is incorrect because multiple VIFs would be needed without a Direct Connect gateway.

744
MCQeasy

A company has an on-premises data center connected to AWS via a Site-to-Site VPN. The VPN connection uses BGP for dynamic routing. The company wants to add an additional VPN tunnel for redundancy. What must be configured?

A.Create a second virtual private gateway and attach it to the VPC.
B.Add a transit gateway to replace the virtual private gateway.
C.Create a second VPN connection to a second customer gateway device.
D.Configure static routes instead of BGP.
AnswerC

Provides redundant tunnels.

Why this answer

Option C is correct because to add an additional VPN tunnel for redundancy, you must create a second VPN connection that uses a second customer gateway device. This provides a second BGP session and a separate tunnel, ensuring failover if the primary tunnel or customer gateway fails. The existing virtual private gateway can support multiple VPN connections, so no replacement or additional VGW is needed.

Exam trap

The trap here is that candidates assume you need a second virtual private gateway for redundancy, but AWS allows multiple VPN connections to the same VGW, so the correct approach is to add a second VPN connection with a separate customer gateway device.

How to eliminate wrong answers

Option A is wrong because a single VPC can only have one virtual private gateway attached at a time; you cannot attach a second VGW to the same VPC. Option B is wrong because replacing the VGW with a transit gateway is unnecessary for simply adding a redundant VPN tunnel; a transit gateway is used for complex multi-VPC or hybrid network topologies, not for basic VPN redundancy. Option D is wrong because switching from BGP to static routes would eliminate the dynamic failover and route propagation benefits that BGP provides, which is counterproductive for redundancy.

745
MCQeasy

A company is deploying a new web application on AWS. They need to distribute incoming HTTPS traffic across multiple EC2 instances in different Availability Zones. Which AWS service should they use?

A.Amazon Route 53
B.Amazon CloudFront
C.Application Load Balancer (ALB)
D.Network Load Balancer (NLB)
AnswerC

ALB operates at Layer 7, can terminate HTTPS, and distribute traffic across instances in multiple AZs.

Why this answer

The correct answer is C because an Application Load Balancer (ALB) operates at Layer 7 and can route HTTPS traffic based on content, and it supports cross-zone load balancing. Option D (NLB) operates at Layer 4 and does not support native HTTPS termination. Option B (CloudFront) is a CDN, not a regional load balancer.

Option A (Route 53) is a DNS service.

746
MCQeasy

A company has a VPC with both IPv4 and IPv6 CIDRs. They need to allow outbound IPv6 traffic from private subnets to the internet. What should they use?

A.An internet gateway attached to the VPC.
B.A customer-managed prefix list.
C.A NAT gateway in a public subnet.
D.An egress-only internet gateway.
AnswerD

Designed for outbound-only IPv6 traffic from private subnets.

Why this answer

Option D is correct because an egress-only internet gateway allows outbound IPv6 traffic from private subnets while preventing inbound traffic. Option C is wrong because a NAT gateway is for IPv4 only. Option A is wrong because an internet gateway allows inbound traffic.

Option B is wrong because the prefix list is for route targets, not a device.

747
MCQeasy

A company wants to deploy a web application on EC2 instances behind an Application Load Balancer (ALB). The application must support sticky sessions (session affinity). What configuration is required on the ALB?

A.Enable stickiness on the target group and specify a cookie duration
B.Use path-based routing
C.Configure health checks on the target group
D.Enable proxy protocol v2
AnswerA

Stickiness (session affinity) ensures the same client is routed to the same target.

Why this answer

Option A is correct because enabling stickiness on the ALB target group with a cookie duration ensures requests from the same client are sent to the same target. Option D is for client IP preservation. Option C is for health checks.

Option B is for routing.

748
MCQeasy

A company has a VPC peering connection between VPC A (10.0.0.0/16) and VPC B (10.1.0.0/16). They have added routes in both route tables. However, instances in VPC A cannot ping instances in VPC B. The security groups and network ACLs allow ICMP. What is the most likely cause?

A.The security groups in VPC B do not allow inbound ICMP from VPC A CIDR
B.The route tables in VPC A do not have a route to VPC B CIDR pointing to the peering connection
C.The VPC peering connection is not in the 'active' state
D.The instances are in different Availability Zones
AnswerB

Without a specific route to the peered VPC CIDR, traffic will not be sent over the peering connection.

Why this answer

VPC peering does not support transitive routing. If VPC A tries to reach VPC B via a CIDR that is not directly peered, traffic will not be forwarded. The route tables must have specific routes for the peered VPC CIDR.

The issue likely is that the route tables are missing the route to the peer, or the route is pointing to an incorrect target.

749
MCQmedium

A security engineer is designing a network firewall solution for a VPC with multiple subnets. The solution must inspect traffic between instances in the same VPC, including traffic within the same subnet. Which AWS service should be used?

A.Security Groups
B.VPC Flow Logs
C.AWS Network Firewall
D.AWS WAF
AnswerC

Provides stateful and stateless inspection for all VPC traffic.

Why this answer

Option C is correct because AWS Network Firewall can inspect traffic between subnets and within a subnet when deployed in a VPC. Option D is wrong because AWS WAF is for web application layer 7 inspection, not for general network traffic. Option A is wrong because Security Groups are stateless and cannot perform deep packet inspection.

Option B is wrong because VPC Flow Logs only capture metadata and do not inspect packets.

750
Multi-Selectmedium

A company is deploying a web application that will be accessed over the internet. They want to use an Application Load Balancer (ALB) to distribute traffic across EC2 instances in multiple Availability Zones. Which TWO configurations are required to make the ALB internet-facing? (Choose TWO.)

Select 2 answers
A.Configure a security group that allows inbound traffic from 0.0.0.0/0.
B.Assign an Elastic IP address to the ALB.
C.Associate the ALB with private subnets only.
D.Associate the ALB with public subnets that have a route to an Internet Gateway.
E.Select 'Internet-facing' as the scheme when creating the ALB.
AnswersD, E

Required for internet-facing ALB.

Why this answer

An internet-facing ALB must be in public subnets (with a route to an Internet Gateway) and have a public DNS name. Option B is wrong because the ALB does not need its own Elastic IP; it uses the public subnets. Option C is wrong because an internet-facing ALB must be in public subnets, not private subnets only.

Option A is wrong because security groups do not make it internet-facing.
