AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 751-825

1705 questions total · 23 pages · All types, answers revealed

Page 11 of 23
751
Multi-Select · medium

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which TWO services should they use to protect against common web exploits and DDoS attacks?

Select 2 answers
A. AWS WAF
B. AWS Shield Advanced
C. Amazon Inspector
D. AWS Network Firewall
E. Amazon GuardDuty
Answers: A, B

WAF protects against web exploits.

Why this answer

Options A and C are correct: AWS WAF protects against web exploits like SQL injection, and AWS Shield Advanced provides enhanced DDoS protection. Option B is wrong because Network Firewall is for network-level filtering, not specifically web exploits. Option D is wrong because GuardDuty is for threat detection, not inline prevention.

Option E is wrong because Inspector is for vulnerability scanning.

752
Multi-Select · hard

A company is migrating its on-premises data center to AWS using Direct Connect and a VPN connection as backup. The company has multiple VPCs connected via a Transit Gateway. They want to ensure high availability for the Direct Connect connection. Which TWO actions should be taken? (Choose TWO.)

Select 2 answers
A. Replace the VPN backup with a second Direct Connect connection
B. Enable jumbo frames on the Direct Connect connection
C. Use a single Direct Connect connection but with higher bandwidth
D. Configure BGP with multiple virtual interfaces on the Direct Connect connections
E. Provision a second Direct Connect connection at a different location
Answers: D, E

Correct; BGP allows dynamic failover between virtual interfaces.

Why this answer

Option A and Option D are correct. Option A: A second Direct Connect connection provides physical redundancy. Option D: Using BGP with multiple virtual interfaces allows active-active or active-passive failover.

Option B is incorrect because a VPN connection is already in place as backup, but for Direct Connect high availability, you need redundant connections. Option C is incorrect because a single Direct Connect location is a single point of failure; you need two separate locations. Option E is incorrect because increasing bandwidth does not provide redundancy.

753
Multi-Select · hard

A company is designing a hybrid network using AWS Direct Connect. They have a VPC with CIDR 10.0.0.0/16 and an on-premises network with CIDR 192.168.0.0/16. They want to establish a Direct Connect private virtual interface with a virtual private gateway. Which THREE steps are required to complete the connectivity? (Choose three.)

Select 3 answers
A. Create a Transit Gateway and attach the VPC to it.
B. Create a virtual private gateway and attach it to the VPC.
C. Update the VPC route table to add a route for the on-premises CIDR pointing to the virtual private gateway.
D. Configure a private virtual interface on the Direct Connect connection, associating it with the virtual private gateway.
E. Create a customer gateway object in the AWS account.
Answers: B, C, D

The virtual private gateway is the AWS side endpoint for the Direct Connect private virtual interface.

Why this answer

Option B is correct because a virtual private gateway (VGW) is the required AWS-side endpoint for a Direct Connect private virtual interface (VIF) to terminate on a single VPC. The VGW must be created and attached to the VPC before the private VIF can be associated with it, enabling private connectivity between the on-premises network and the VPC.

Exam trap

The trap here is that candidates confuse the customer gateway object (used for VPN) with the virtual private gateway (used for Direct Connect), leading them to incorrectly select Option E as a required step.

754
Multi-Select · hard

A company is troubleshooting connectivity issues between an on-premises network and a VPC connected via AWS Direct Connect. The network team has verified that the virtual interface (VIF) is up and BGP is established. However, traffic is not flowing. Which two configuration issues could cause this problem? (Choose TWO.)

Select 2 answers
A. The on-premises router is not advertising the on-premises CIDR prefix via BGP.
B. The AWS Direct Connect connection is not associated with the correct Direct Connect gateway.
C. The virtual interface is in a 'down' state.
D. The VPC route table does not have a route to the on-premises CIDR pointing to the Direct Connect virtual interface.
E. The security group attached to the EC2 instance blocks inbound traffic from on-premises.
Answers: A, D

If BGP does not advertise the prefix, the Direct Connect gateway will not propagate the route to the VPC.

Why this answer

Correct routes on both sides are needed. If the VPC route table does not have a route to the on-premises CIDR via the Direct Connect VIF, traffic won't flow. Similarly, if the on-premises router does not advertise the correct prefix, or if the VPC's route table lacks a route, connectivity fails.

Security group rules might block traffic, but they are not the most likely cause if BGP is up. The VIF state is up, so that's not the issue.

755
MCQ · easy

A company is designing a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to download patches from the internet. The database should not have direct internet access. Which architecture meets these requirements?

A. Place the web server in the public subnet with an Internet Gateway, and the database in the private subnet without any internet access.
B. Place both instances in the public subnet and use security groups to restrict inbound access to the database.
C. Place the web server in the public subnet with an Internet Gateway, and the database in the private subnet with a route to a NAT Gateway in the public subnet for outbound access only.
D. Place the web server in the private subnet with a NAT Gateway, and the database in the public subnet with an Internet Gateway.
Answer: C

Web server gets internet via IGW; database can initiate outbound traffic via NAT Gateway without being directly reachable.

Why this answer

Option B is correct. A NAT Gateway in the public subnet allows the web server (in the same public subnet) to access the internet via its public IP or via the NAT Gateway if it's actually in a private subnet. However, the web server is in a public subnet, so it can have a public IP and access the internet directly.

The database in the private subnet can use the NAT Gateway for outbound access if needed, but the question says database should not have direct internet access, so it should not have a public IP. Option A is wrong because an Internet Gateway alone does not provide outbound access for private instances. Option C is wrong because a VPN is not needed.

Option D is wrong because a NAT Instance is not recommended; NAT Gateway is managed.

756
MCQ · easy

A company wants to ensure that traffic between EC2 instances in the same VPC but different subnets is encrypted. Which solution should be used?

A. Use security groups to allow traffic.
B. Use VPC Peering.
C. Use network ACLs to allow traffic.
D. Use IPsec VPN between the instances.
Answer: D

IPsec provides encryption for traffic between instances.

Why this answer

Option C is correct because IPsec VPN between instances provides encryption. Option A is wrong because security groups do not encrypt traffic. Option B is wrong because NACLs do not encrypt.

Option D is wrong because VPC Peering does not encrypt traffic.

757
MCQ · hard

A network engineer is reviewing VPC Flow Logs for a VPC. The logs show that traffic from 10.0.1.5 to 10.0.2.10 on port 443 is being accepted and rejected intermittently. Both instances are in the same VPC. What is the most likely cause?

A. The security group on the destination instance is configured to allow inbound HTTPS but deny outbound traffic.
B. The network ACL is blocking traffic.
C. The route table is misconfigured.
D. The source instance's security group is denying outbound traffic.
Answer: A

Security groups are stateful; if outbound is denied, return traffic is rejected.

Why this answer

Option C is correct because a security group that allows inbound HTTPS but denies outbound can cause intermittent rejects if the return traffic is blocked. NACLs are stateless and would block consistently. B and D are less likely.

758
Multi-Select · hard

A financial services company is deploying a multi-account environment using AWS Organizations. The security team requires that all network traffic to and from the internet must flow through a centralized inspection VPC that hosts third-party firewall appliances. The architecture uses a single AWS Transit Gateway with a centralized inspection VPC attached. Which THREE steps are necessary to enforce this architecture? (Choose THREE.)

Select 3 answers
A. Configure each VPC's route table with a default route (0.0.0.0/0) pointing to the transit gateway attachment.
B. Use AWS Organizations service control policies to prevent direct internet access from spoke VPCs.
C. Deploy VPC Gateway Endpoints for S3 and DynamoDB in each spoke VPC.
D. In the inspection VPC, route traffic from the transit gateway to the firewall appliances, then back to the transit gateway for egress.
E. Create separate transit gateway route tables for the inspection VPC and spoke VPCs, and propagate routes appropriately.
Answers: A, D, E

Correct: This sends all internet traffic to the transit gateway.

Why this answer

Option A is correct because all VPCs need default routes pointing to the transit gateway for internet-bound traffic. Option C is correct because the inspection VPC must have routes to send inspected traffic to an egress VPC or Direct Connect for internet access. Option D is correct because the transit gateway route tables must be configured with blackhole routes or specific routes to force traffic through the inspection VPC.

Option B is wrong because VPC endpoints do not route internet traffic. Option E is wrong because service control policies do not enforce routing.

759
MCQ · hard

A company is designing a network for a real-time trading application that requires extremely low latency (sub-millisecond) between two EC2 instances located in the same AWS region. The instances are in different Availability Zones. The trading application uses a proprietary protocol over TCP. The company wants to minimize latency as much as possible. They are considering using a placement group. Which type of placement group should they use, and what network optimization should they apply?

A. Use a spread placement group and enable dedicated tenancy
B. Use a partition placement group and enable EBS-optimized instances
C. Use a cluster placement group for both instances and enable enhanced networking (SR-IOV)
D. Use a cluster placement group but launch instances in different Availability Zones
Answer: C

Cluster placement group provides low latency; enhanced networking reduces overhead.

Why this answer

A cluster placement group is the only placement group type that provides low-latency, high-bandwidth network performance by placing instances in a single Availability Zone within the same rack. Enhanced networking using SR-IOV (Single Root I/O Virtualization) bypasses the hypervisor's network stack, reducing per-packet processing latency and jitter, which is critical for sub-millisecond trading traffic over TCP.

Exam trap

AWS often tests the misconception that a cluster placement group can span multiple Availability Zones, but in reality, it is confined to a single AZ to guarantee low-latency physical proximity.

How to eliminate wrong answers

Option A is wrong because spread placement groups spread instances across distinct hardware to reduce failure risk, which increases network distance and latency, and dedicated tenancy does not improve network performance. Option B is wrong because partition placement groups isolate instances across logical partitions for large distributed workloads, not for low latency, and EBS-optimized instances improve storage throughput, not network latency. Option D is wrong because a cluster placement group requires all instances to be in the same Availability Zone to achieve low latency; placing instances in different Availability Zones negates the benefit and introduces cross-AZ latency.

760
MCQ · easy

A company wants to connect its VPC to an on-premises data center using AWS Direct Connect. The company has two Direct Connect locations in the same AWS region. For high availability, they plan to establish two separate connections. Which configuration ensures that if one connection fails, traffic automatically fails over to the other?

A. Establish one Direct Connect connection and one AWS Site-to-Site VPN connection as backup.
B. Establish two Direct Connect connections from the same Direct Connect location to the same VPC.
C. Establish two Direct Connect connections from different Direct Connect locations to the same VPC, each with a private VIF attached to the same virtual private gateway.
D. Establish a single Direct Connect connection with two virtual interfaces (VIFs) to the same VPC.
Answer: C

Different locations provide physical diversity; BGP routing handles failover automatically.

Why this answer

Option C is correct. Two Direct Connect connections from different locations to the same VPC, each with a private VIF attached to the same virtual private gateway, and using BGP with ASN prepending on one path to make it less preferred, provides automatic failover. Option A is wrong because a single connection cannot provide failover.

Option B is wrong because two connections to the same DX location are not fully diverse. Option D is wrong because VPN backup is not required; two DX connections can provide HA.

761
Multi-Select · medium

Which TWO measures can be taken to protect an AWS account's root user credentials? (Choose two.)

Select 2 answers
A. Create an IAM user with administrative privileges and use that instead of the root user
B. Use the root user for daily administrative tasks
C. Delete the root user account after creating IAM users
D. Enable multi-factor authentication (MFA) on the root user
E. Store the root user credentials in a shared password manager
Answers: A, D

Best practice is to use IAM users for administration.

Why this answer

Options B and D are correct. Enabling MFA and creating an IAM admin user are best practices. Option A is wrong because using the root user regularly is not recommended.

Option C is wrong because deleting the root user is not possible. Option E is wrong because sharing credentials is insecure.

762
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic from a specific VPC to an on-premises network is being dropped. All other VPCs can reach the on-premises network. Which configuration should be checked first?

A. Check the on-premises firewall rules
B. Check the VPC's security groups
C. Check the VPC's network ACLs
D. Check the Transit Gateway route tables
Answer: D

The Transit Gateway route table associated with the VPC attachment might be missing the route to the on-premises network.

Why this answer

The issue is isolated to one VPC, so route tables are the most likely cause. Transit Gateway route tables might not have the route for the on-premises network propagated from that VPC's attachment.

763
MCQ · hard

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that the BGP session for the public VIF is flapping intermittently. Which configuration change on the customer router would most likely stabilize the BGP session?

A. Set the BGP multi-hop TTL to 255.
B. Configure BGP route filtering to limit the number of routes advertised to AWS to no more than 100.
C. Increase the BGP hold timer to 180 seconds.
D. Disable BGP fast-external-fallover on the customer router.
Answer: B

AWS limits a public VIF to 100 prefixes; exceeding this limit causes flapping.

Why this answer

BGP flapping due to route advertisements exceeding the maximum allowed is a known issue. The maximum number of routes allowed on a public VIF is 100. Advertising more than this will cause the session to flap.

Limiting the advertised routes to 100 will stabilize the session.

764
MCQ · medium

A company has an S3 bucket with the bucket policy shown. The VPC endpoint ID is correct. However, an EC2 instance in a private subnet in the same VPC cannot download objects from the bucket. What is a possible reason?

A. The EC2 instance does not have a route to the VPC endpoint
B. The bucket policy does not allow s3:ListBucket
C. The EC2 instance is accessing S3 via a NAT Gateway instead of the VPC endpoint
D. The VPC endpoint security group is blocking traffic
Answer: C

The policy only allows requests coming through the VPC endpoint; requests via NAT Gateway are denied.

Why this answer

The bucket policy allows access only via the specified VPC endpoint. If the EC2 instance is accessing S3 through a NAT Gateway or internet gateway, the source VPC endpoint will not be present, and access will be denied. The instance should use the VPC endpoint.

765
MCQ · easy

A company is designing a network for a new VPC. They want to ensure that the VPC can connect to an on-premises data center via a site-to-site VPN. The on-premises network uses a CIDR block of 10.0.0.0/8. The VPC will use a CIDR block of 10.0.0.0/16. The network engineer is concerned about overlapping IP addresses. What is the best way to avoid IP address overlap?

A. Use the same CIDR block and rely on NAT
B. Use a different RFC 1918 CIDR block for the VPC
C. Use a smaller subnet within the same 10.0.0.0/8 range
D. Use a public IP range for the VPC
Answer: B

Avoids overlap.

Why this answer

Option B is correct because using a different RFC 1918 CIDR block (e.g., 172.16.0.0/12 or 192.168.0.0/16) for the VPC completely avoids IP address overlap with the on-premises 10.0.0.0/8 network. Overlapping CIDR blocks (both using 10.0.0.0/8) would prevent successful route propagation and cause asymmetric routing or connectivity failures in the site-to-site VPN. NAT can mitigate overlap but adds complexity and is not the 'best' design choice when a non-overlapping private range is available.

Exam trap

AWS often tests the misconception that NAT can always solve IP overlap issues, but the best practice is to design non-overlapping private IP spaces from the start to avoid complexity and routing failures.

How to eliminate wrong answers

Option A is wrong because using the same CIDR block (10.0.0.0/16 within 10.0.0.0/8) creates an overlap that NAT alone cannot fully resolve for bidirectional traffic without complex rules and potential performance issues; it is not the best architectural practice. Option C is wrong because using a smaller subnet within the same 10.0.0.0/8 range still overlaps with the on-premises network, as the on-premises CIDR encompasses the entire 10.0.0.0/8 space, leading to routing conflicts. Option D is wrong because using a public IP range for the VPC violates RFC 1918 private addressing best practices, is not routable over a VPN without additional NAT or BGP complexities, and can cause conflicts with internet-bound traffic.

766
Multi-Select · hard

Which THREE factors should be considered when designing a VPC for a multi-tier application that requires high availability and security? (Choose three.)

Select 3 answers
A. Provision subnets in at least two Availability Zones
B. Assign public IP addresses to all instances for direct access
C. Use separate subnets for web, application, and database tiers
D. Use a single Availability Zone to reduce latency
E. Use NAT Gateways in public subnets for outbound internet access from private subnets
Answers: A, C, E

Provides high availability in case of AZ failure.

Why this answer

Option A is correct because deploying subnets across at least two Availability Zones (AZs) ensures high availability by eliminating a single point of failure. If one AZ experiences an outage, the application can continue serving traffic from the other AZ. This is a foundational principle for building fault-tolerant architectures in AWS.

Exam trap

AWS often tests the misconception that high availability can be achieved within a single Availability Zone by using redundant components, but the correct approach requires at least two AZs to survive an AZ-level failure.

767
Multi-Select · hard

A company has a VPC with a public subnet and a private subnet. The private subnet needs to access an S3 bucket for backups. Which TWO actions are required to provide private connectivity to S3 without using a NAT Gateway?

Select 2 answers
A. Create a NAT Gateway in the public subnet.
B. Create a VPC Gateway Endpoint for S3.
C. Add a route for the S3 prefix list in the private subnet route table pointing to the gateway endpoint.
D. Create a VPC Interface Endpoint for S3.
E. Create a VPC Peering connection to an S3 VPC.
Answers: B, C

Gateway Endpoint provides private S3 access.

Why this answer

Options B and D are correct. A VPC Gateway Endpoint (B) provides private access to S3. The route table for the private subnet must have a route to the gateway endpoint (D) to direct S3 traffic through it.

Option A is wrong because a NAT Gateway is not used. Option C is wrong because a VPC Interface Endpoint is for other services, not S3. Option E is wrong because a VPC Peering connection is not needed.

768
MCQ · medium

A global company wants to connect multiple VPCs across different AWS Regions using a hub-and-spoke model. The hub VPC contains shared services such as Active Directory and DNS. Which AWS service provides the most scalable and maintainable solution for this architecture?

A. AWS VPN CloudHub to interconnect all VPCs.
B. AWS Direct Connect gateway with virtual interfaces to each VPC.
C. VPC peering between each spoke VPC and the hub VPC.
D. AWS Transit Gateway with inter-Region peering attachments.
Answer: D

Transit Gateway provides a scalable hub-and-spoke architecture and supports inter-Region peering.

Why this answer

Option D is correct because AWS Transit Gateway is designed for hub-and-spoke connectivity across many VPCs and Regions, providing scalability and centralized management. Option A is wrong because VPC peering is point-to-point and does not scale well for many VPCs. Option B is wrong because VPN CloudHub is for VPN-based connectivity, not VPC-to-VPC.

Option C is wrong because Direct Connect gateway is for connecting Direct Connect to multiple VPCs, not for VPC-to-VPC peering.

769
MCQ · easy

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. Which AWS service should be used to provide internet access to instances in the private subnets without assigning public IP addresses?

A. NAT gateway in a public subnet.
B. Internet gateway attached to the VPC.
C. VPC Gateway Endpoint for Amazon S3.
D. Site-to-Site VPN connection.
Answer: A

NAT gateway enables outbound internet access for private instances.

Why this answer

Option A is correct because a NAT gateway allows instances in private subnets to initiate outbound traffic to the internet. Option B is wrong because an Internet Gateway alone does not provide NAT; it requires public IPs. Option C is wrong because a VPN does not provide direct internet access.

Option D is wrong because a VPC endpoint is for accessing AWS services.

770
MCQ · medium

A company has a VPC with an AWS Transit Gateway connecting multiple VPCs and an on-premises network via AWS Direct Connect. The network team needs to ensure that only specific VPCs can communicate with each other. They create a transit gateway route table for each VPC and attach the VPC to the route table. They also propagate routes from the Direct Connect virtual interface. However, after configuration, traffic between two VPCs that should not communicate is still flowing. What is the MOST likely cause?

A. The VPC route tables have a route for the other VPC CIDR pointing to the transit gateway.
B. The transit gateway route tables are not associated with the VPC attachments.
C. The VPC attachments are using the default transit gateway route table instead of custom route tables.
D. The Direct Connect virtual interface is propagating routes into all route tables.
Answer: C

Default route table allows all routes.

Why this answer

If the transit gateway has a default route table that is shared, all attachments may be associated with it by default. If the team did not explicitly associate each VPC with its own route table, they might be using the default route table, which allows all routes. Option B is correct.

Option A is not possible because route tables are not associated with attachments; attachments are associated with route tables. Option C would affect on-premises connectivity, not inter-VPC. Option D is the opposite of what is needed.

771
MCQ · easy

A company wants to allow a specific IP address range to access an EC2 instance in a private subnet using a bastion host. The bastion host is in a public subnet. Which security group configuration is correct?

A. Bastion security group: inbound SSH from the private instance security group. Private instance security group: inbound SSH from the bastion security group.
B. Bastion security group: inbound SSH from the private instance security group. Private instance security group: inbound SSH from the IP range.
C. Bastion security group: inbound SSH from the IP range. Private instance security group: inbound SSH from the IP range.
D. Bastion security group: inbound SSH from the IP range. Private instance security group: inbound SSH from the bastion security group.
Answer: D

This follows the principle of least privilege.

Why this answer

Option A is correct because the bastion host should allow SSH from the IP range, and the private instance should allow SSH only from the bastion host's security group. Option B is wrong because the bastion host should not allow SSH from the private instance. Option C is wrong because the private instance should not allow SSH from the internet.

Option D is wrong because the bastion host should not allow SSH from the private instance.

772
Multi-Select · hard

A company has a VPC with multiple subnets and uses AWS Transit Gateway to connect to on-premises via AWS Direct Connect. They want to implement network segmentation so that certain VPCs can only communicate with specific on-premises networks. Which THREE components should they use? (Choose THREE.)

Select 3 answers
A. VPC peering connections
B. Direct Connect gateway
C. Transit Gateway association to Direct Connect gateway
D. Transit Gateway route tables
E. Site-to-Site VPN connection
Answers: B, C, D

Provides connectivity to on-premises networks.

Why this answer

Options A, C, and D are correct. Transit Gateway route tables allow separate routing domains, Direct Connect gateways route traffic to on-premises, and gateway associations link the gateways. Option B is wrong because VPC peering is not needed with Transit Gateway.

Option E is wrong because VPN is not required if using Direct Connect.

773
Multi-Select · medium

A network engineer is diagnosing connectivity issues between an on-premises network and AWS over a Direct Connect connection. The BGP session is established, and the engineer can ping the VPC's private IP addresses. However, TCP connections to EC2 instances are failing. Which TWO actions should the engineer take to identify the issue?

Select 2 answers
A. Review the security group rules associated with the EC2 instance
B. Review the VPC route table for the subnet
C. Verify the BGP session status
D. Check the MTU settings on the Direct Connect virtual interface
E. Check the EC2 instance's operating system firewall
Answers: A, E

Security groups may be blocking TCP traffic.

Why this answer

Options A and D are correct. Checking the host-based firewall (A) is essential because OS firewalls can block TCP while allowing ICMP. Checking security group rules (D) is also critical because security groups are stateful and may be blocking inbound TCP.

Option B is incorrect because the BGP session is established. Option C is incorrect because the VPC route table is likely correct if pings work. Option E is incorrect because MTU issues would affect all traffic.

774
MCQ · easy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet for software updates. The instance has a route to a NAT Gateway in the public subnet. However, the instance cannot reach the internet. Which step should the network engineer take to troubleshoot?

A. Move the NAT Gateway to a private subnet
B. Verify that the NAT Gateway is in the same subnet as the EC2 instance
C. Verify that the NAT Gateway has an Elastic IP and the private subnet's route table has a route to the NAT Gateway
D. Attach an Internet Gateway to the private subnet
Answer: C

These are required for outbound internet access.

Why this answer

Option B is correct because the NAT Gateway's Elastic IP must be associated and the route table of the private subnet must point to the NAT Gateway. Option A is wrong because the NAT Gateway is in the public subnet. Option C is wrong because an Internet Gateway is attached to the VPC, not the subnet.

Option D is wrong because the NAT Gateway is not in a public subnet if it has an EIP and route to IGW.

775
MCQ · hard

A company has a VPC with public and private subnets in three Availability Zones. They have an Application Load Balancer (ALB) in the public subnets and a fleet of EC2 instances in the private subnets. The ALB needs to send traffic to the instances on port 443. What is the most secure way to configure the security groups?

A. ALB SG: inbound from 0.0.0.0/0 on all ports. Instance SG: inbound from ALB SG on all ports.
B. ALB SG: inbound from 0.0.0.0/0 on port 443. Instance SG: inbound from 0.0.0.0/0 on port 443.
C. ALB SG: inbound from 0.0.0.0/0 on port 443. Instance SG: inbound from ALB SG on port 443.
D. ALB SG: inbound from 0.0.0.0/0 on port 443. Instance SG: inbound from ALB SG on all ports.
Answer: C

Only allows HTTPS from ALB SG to instances.

Why this answer

Option C is correct because it follows the principle of least privilege by restricting the ALB security group to only allow inbound traffic on port 443 from the internet (0.0.0.0/0) and the instance security group to only allow inbound traffic on port 443 from the ALB security group. This ensures that only the ALB can communicate with the instances on the required port, preventing direct access from other sources and reducing the attack surface.

Exam trap

The trap here is that candidates often assume that allowing traffic from 0.0.0.0/0 to the instances is acceptable because the instances are in private subnets, but security groups are stateful and do not consider subnet routing; they evaluate traffic based on the source IP, so a rule allowing 0.0.0.0/0 would permit direct internet traffic if the instances had a route to an internet gateway.

How to eliminate wrong answers

Option A is wrong because it allows inbound traffic to the ALB on all ports from the internet, which is overly permissive and violates security best practices. Option B is wrong because it allows inbound traffic to the instances directly from 0.0.0.0/0 on port 443, bypassing the ALB and exposing the instances to the internet, which is insecure. Option D is wrong because it allows inbound traffic to the instances from the ALB security group on all ports, which is unnecessary and violates the principle of least privilege since only port 443 is required.

776
MCQ · medium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has set up a NAT gateway in the public subnet. However, instances in the private subnet cannot reach the internet. What is the most likely cause?

A. The NAT gateway does not have a route to the internet gateway
B. The security group for the instances blocks outbound traffic
C. The NAT gateway is not associated with an Elastic IP
D. The private subnet route table does not have a route to the NAT gateway
Answer: D

Without a default route to the NAT gateway, traffic from the private subnet cannot reach the internet.

Why this answer

Option D is correct because the private subnet route table must have a default route (0.0.0.0/0) pointing to the NAT gateway. Option A is wrong because a NAT gateway does not need an internet gateway route of its own; it uses the internet gateway of the public subnet. Option B is wrong because security group rules for outbound traffic are usually allowed by default.

Option C is wrong because the NAT gateway is in the public subnet, so it has internet access; the issue is routing from the private subnet.

777
MCQhard

A company is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets across the organization are encrypted with AWS KMS. Which approach should be used to enforce this policy?

A.Configure each S3 bucket with a bucket policy that denies access if encryption is not used.
B.Apply a service control policy (SCP) at the root level that denies S3 bucket creation unless encryption is configured.
C.Use AWS Config rules to detect unencrypted S3 buckets and automatically remediate them.
D.Create an IAM policy that denies creating S3 buckets without encryption and attach it to all users.
AnswerB

SCPs can be applied to organizational units to centrally enforce policies across accounts.

Why this answer

Option B is correct because a service control policy (SCP) can be applied at the root of the organization to deny creation or modification of S3 buckets without KMS encryption. An SCP applies to accounts rather than to individual S3 buckets, which is what makes it a central control. Option D is incorrect because IAM policies are account-specific and cannot enforce across the organization.

Option A is incorrect because bucket policies are per-bucket and not centrally enforced.

778
MCQmedium

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for compliance. The logs should be published to a central S3 bucket in the logging account. The logging account has an S3 bucket policy that allows cross-account writes. However, flow logs are not being delivered. What is the most likely missing configuration?

A.The VPC Flow Logs service is not enabled in the source account.
B.The S3 bucket policy does not grant 's3:PutObject' to the source account.
C.The source account lacks an IAM role that grants the Flow Logs service permission to write to the central S3 bucket.
D.The VPC Flow Logs destination is set to CloudWatch Logs instead of S3.
AnswerC

Cross-account delivery requires an IAM role with appropriate trust and permissions.

Why this answer

For cross-account flow log delivery, the source account must have an IAM role that trusts the logging account and allows the flow logs service to assume it. The role must have permissions to write to the S3 bucket. Without this role, logs cannot be delivered.

779
Multi-Selectmedium

A company is deploying a containerized application on Amazon ECS using the Fargate launch type. The application requires outbound internet access to download updates, but the company does not want to assign public IP addresses to the tasks. Which TWO actions should the company take to provide internet access to the tasks? (Choose two.)

Select 2 answers
A.Configure a security group that allows outbound traffic to 0.0.0.0/0
B.Launch the tasks in private subnets that do not have a route to an Internet Gateway
C.Create a NAT gateway in a public subnet and update the route tables for the task subnets to route 0.0.0.0/0 traffic to the NAT gateway
D.Launch the tasks in public subnets with auto-assign public IP enabled
E.Create a VPC Gateway Endpoint for Amazon ECR
AnswersB, C

Private subnets ensure no public IPs are assigned; outbound traffic goes through the NAT gateway.

Why this answer

Option B is correct because tasks in private subnets without a route to an Internet Gateway cannot directly access the internet, which is the desired behavior to avoid public IP addresses. Option C is correct because a NAT gateway in a public subnet provides outbound internet access for tasks in private subnets by translating their private IP addresses to the NAT gateway's public IP, allowing them to reach the internet without assigning public IPs to the tasks.

Exam trap

AWS often tests the misconception that a security group rule allowing outbound traffic to 0.0.0.0/0 alone is sufficient for internet access, when in fact the subnet's route table must direct traffic to a NAT gateway or Internet Gateway.

780
MCQhard

A company is designing a VPC with a CIDR block of 10.0.0.0/16. The VPC will host multiple environments (dev, test, prod) and requires subnets in three Availability Zones. The network engineer must allocate subnets efficiently while reserving at least 25% of the address space for future growth. What is the minimum subnet size that should be used for each environment?

A./20
B./18
C./22
D./21
AnswerA

Provides 4094 addresses per subnet, fits within the reserved space and allows growth.

Why this answer

Option A (/20) is correct. The total /16 has 65536 addresses. Reserving 25% leaves 49152 addresses for use.

With 3 environments × 3 AZs = 9 subnets, each subnet gets 5461 addresses on average. A /19 subnet provides 8191 addresses per subnet, totaling 9×8191=73719, which exceeds the available 49152. A /20 provides 4095 addresses per subnet (9×4095=36855), which is within the available 49152 and allows efficient use.

The smallest subnet that fits the requirement is /20. Option B (/18) is too large, D (/21) provides too few addresses per subnet, and C (/22) is also insufficient.
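A worked version of the arithmetic above, added here as an example and not part of the question bank: it uses Python's ipaddress module to find the smallest prefix length that lets nine subnets (3 environments × 3 AZs) fit inside 75% of a /16, then carves the subnets out of the VPC. It counts the full address block of each prefix (2^(32-prefix)) and separately reports usable hosts after the five addresses AWS reserves in every subnet; the helper names and the sample inputs are mine.

```python
"""Subnet-sizing arithmetic for the /16 planning question (added example).

Finds the largest subnet (smallest prefix length) such that a given number of
subnets fits inside the non-reserved part of a VPC CIDR, then lays the subnets
out per environment and Availability Zone with the ipaddress module.
"""
import ipaddress
from typing import List, Tuple

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def block_size(prefix_len: int) -> int:
    """Total IPv4 addresses in one subnet of the given prefix length."""
    return 2 ** (32 - prefix_len)


def usable_hosts(prefix_len: int) -> int:
    """Hosts left in one subnet after AWS's five reserved addresses."""
    return block_size(prefix_len) - AWS_RESERVED_PER_SUBNET


def addresses_needed(prefix_len: int, subnet_count: int) -> int:
    """Address space consumed by subnet_count subnets of this size."""
    return subnet_count * block_size(prefix_len)


def smallest_prefix_that_fits(vpc_cidr: str, subnet_count: int,
                              reserve_fraction: float) -> int:
    """Smallest prefix length (largest subnets) whose subnet_count subnets
    still leave reserve_fraction of the VPC untouched. AWS subnets range
    from /16 to /28, so the search stops at /28."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    budget = int(vpc.num_addresses * (1 - reserve_fraction))
    for prefix_len in range(vpc.prefixlen, 29):
        if addresses_needed(prefix_len, subnet_count) <= budget:
            return prefix_len
    raise ValueError(f"{subnet_count} subnets cannot fit in {vpc_cidr} "
                     f"with {reserve_fraction:.0%} reserved")


def plan_subnets(vpc_cidr: str, environments: List[str], azs: List[str],
                 reserve_fraction: float
                 ) -> Tuple[List[Tuple[str, str, ipaddress.IPv4Network]], float]:
    """Allocate one subnet per (environment, AZ) from the front of the VPC
    and return the plan plus the fraction of the VPC left in reserve."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    count = len(environments) * len(azs)
    prefix_len = smallest_prefix_that_fits(vpc_cidr, count, reserve_fraction)
    candidates = vpc.subnets(new_prefix=prefix_len)  # contiguous carve-out
    plan = [(env, az, next(candidates)) for env in environments for az in azs]
    used = sum(subnet.num_addresses for _, _, subnet in plan)
    return plan, (vpc.num_addresses - used) / vpc.num_addresses


if __name__ == "__main__":
    # Constructed input matching the question: a /16, 3 environments x 3 AZs,
    # keeping at least 25% of the space free for growth.
    plan, free = plan_subnets("10.0.0.0/16", ["dev", "test", "prod"],
                              ["a", "b", "c"], 0.25)
    for env, az, subnet in plan:
        print(f"{env:<5}{az}  {subnet}  usable={usable_hosts(subnet.prefixlen)}")
    print(f"reserved for growth: {free:.1%}")
```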

781
Multi-Selecthard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team observes that traffic between two VPCs (VPC A and VPC B) is not being forwarded correctly. The transit gateway route table is configured with static routes for the VPC CIDRs. Which THREE steps should the engineer take to troubleshoot this issue? (Choose THREE.)

Select 3 answers
A.Verify that the transit gateway route table contains the CIDR blocks of both VPCs.
B.Check the route tables in VPC A and VPC B to ensure they have routes pointing to the transit gateway for the other VPC's CIDR.
C.Check the association of the VPC attachments with the transit gateway route table.
D.Check the Direct Connect virtual interface status.
E.Verify that the NAT Gateway in each VPC is properly configured.
AnswersA, B, C

The transit gateway route table must have routes for both VPC CIDRs to forward traffic between them.

Why this answer

Option A is correct because the transit gateway route table must contain the CIDR blocks of both VPCs for traffic to be forwarded between them. Without these static routes, the transit gateway has no destination to route the traffic, causing it to be dropped. Verifying the route table entries ensures the necessary paths exist.

Exam trap

AWS often tests the misconception that NAT Gateway or Direct Connect configurations are involved in VPC-to-VPC routing, when in fact Transit Gateway relies solely on route tables and attachment associations for inter-VPC traffic.

782
Multi-Selectmedium

Which TWO features are provided by AWS Shield Advanced that are not available in AWS Shield Standard? (Choose 2)

Select 2 answers
A.Automatic web application firewall rule updates
B.DDoS cost protection
C.Access to detailed DDoS logs
D.24/7 access to the AWS DDoS Response Team
E.Network-layer DDoS protection
AnswersB, D

Shield Advanced offers protection against scaling charges due to DDoS.

Why this answer

Option B is correct because Shield Advanced provides DDoS cost protection for scaling resources. Option D is correct because Shield Advanced includes 24/7 access to the DDoS Response Team. Option E is wrong because network-layer protection is available in Standard.

Option C is wrong because basic logging is available without Shield. Option A is wrong because WAF is separate; Shield Advanced includes WAF at no extra cost but does not manage rules automatically.

783
Multi-Selectmedium

Which TWO actions should be taken to secure an EC2 instance that is used as a bastion host? (Choose 2)

Select 2 answers
A.Use a security group that only allows necessary inbound ports
B.Use HTTPS instead of SSH for administration
C.Place the bastion host in a private subnet
D.Restrict inbound SSH access to a specific IP range using security group
E.Allow all inbound traffic on port 22 in the network ACL
AnswersA, D

Minimize attack surface.

Why this answer

Option A is correct because a bastion host should only expose necessary inbound ports (typically TCP 22 for SSH) to minimize the attack surface. By using a security group that restricts inbound traffic to only required ports, you enforce the principle of least privilege at the network layer, preventing unauthorized access to other services that might be running on the instance.

Exam trap

AWS often tests the misconception that a bastion host should be placed in a private subnet for security, but the correct design requires it to be in a public subnet to serve as an entry point, with security group restrictions providing the necessary protection.

784
MCQhard

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer notices that the BGP session is flapping intermittently. The connection is a 1 Gbps dedicated connection with a single private VIF. The router configuration uses default BGP timers. What is the most likely cause of the flapping?

A.The MTU size is set to 9001 (jumbo frames) on the Direct Connect interface.
B.The link experiences occasional packet loss causing BGP hold timer expiration.
C.The BGP authentication key is mismatched between the customer router and AWS.
D.The Multi-Exit Discriminator (MED) value is set too high on the customer router.
AnswerB

Packet loss can cause keepalive messages to be lost, leading to hold timer expiry and BGP session reset.

Why this answer

Option B is correct because BGP hold timers (default 90 seconds) may cause the session to drop if the link has high latency or occasional packet loss. Increasing the hold timer can prevent flapping. Option A is wrong because jumbo frames are unrelated to BGP flapping.

Option C is wrong because BGP authentication errors would cause persistent failures, not intermittent flaps. Option D is wrong because the MED attribute is used for inbound traffic engineering, not session stability.

785
Multi-Selectmedium

A network engineer is diagnosing a connectivity issue between an on-premises network and an Amazon VPC connected via a site-to-site VPN. The VPN tunnel is up, but traffic is not reaching the VPC. Which TWO actions should the engineer take to troubleshoot the issue? (Choose two.)

Select 2 answers
A.Review the security group rules associated with the VPC resources to ensure they allow traffic from the on-premises network
B.Confirm the customer gateway is associated with the correct VPC
C.Verify that the VPC route tables include routes for the on-premises network pointing to the virtual private gateway
D.Verify that the on-premises network has a NAT device configured
E.Check that the VPN tunnel's status is 'UP'
AnswersA, C

Security groups act as a firewall for the instances.

Why this answer

Option C is correct because incorrect route propagation can prevent the VPC from knowing the on-premises network. Option A is correct because security group rules might block inbound traffic from the VPN. Option E is wrong because the VPN tunnel is already up.

Option B is wrong because the customer gateway is the on-premises endpoint, not the VPC. Option D is wrong because the issue is about routing, not NAT.

786
MCQmedium

A company uses AWS Direct Connect and VPN as backup. The network team notices that during a VPN failover, traffic drops for several minutes. The VPN tunnels are configured with BGP dynamic routing. Which configuration change would MOST likely reduce failover time?

A.Configure static routes over the VPN instead of BGP
B.Increase the BGP keepalive interval and decrease the hold timer
C.Enable BFD on the VPN BGP sessions
D.Decrease the BGP keepalive interval and increase the hold timer
AnswerC

BFD provides sub-second failure detection, reducing failover time.

Why this answer

Option C is correct because BFD (Bidirectional Forwarding Detection) provides sub-second failure detection for BGP sessions, reducing failover time. Option B is wrong because increasing the keepalive interval and decreasing the hold timer can help but may not be as fast as BFD. Option D is wrong because decreasing the keepalive interval and increasing the hold timer would slow down failure detection.

Option A is wrong because static routes do not dynamically adapt to failures.

787
Multi-Selecthard

A company has a Direct Connect connection and wants to use it for both private and public resources. Which TWO components are required to achieve this?

Select 2 answers
A.Transit Gateway
B.Internet gateway
C.VPN connection to the VPC
D.Public virtual interface (VIF)
E.Private virtual interface (VIF)
AnswersD, E

Public VIF connects to public AWS services.

Why this answer

Options D and E are correct. A private VIF is required for private IP connectivity to VPCs, and a public VIF is required for public IP connectivity to AWS public services. Option C is wrong because a VPN connection is not required for Direct Connect.

Option A is wrong because a Transit Gateway is optional. Option B is wrong because an internet gateway is not used with a Direct Connect public VIF.

788
Multi-Selecthard

A company has a multi-account AWS environment using AWS Transit Gateway with multiple VPC attachments. The network team wants to centralize logging of all network traffic crossing the Transit Gateway. Which TWO services can be used together to achieve this?

Select 2 answers
A.VPC Flow Logs published to a central Amazon S3 bucket
B.AWS Site-to-Site VPN flow logs
C.AWS Direct Connect Gateway flow logs
D.AWS Transit Gateway Network Manager
E.AWS CloudTrail for Transit Gateway events
AnswersA, D

VPC Flow Logs capture traffic; publishing to a central S3 bucket allows aggregation.

Why this answer

Option A is correct because VPC Flow Logs can be published to a central account. Option D is correct because Transit Gateway Network Manager can centralize flow logs. Option E is incorrect because CloudTrail does not capture network traffic.

Option C is incorrect because Direct Connect is for on-premises connectivity. Option B is incorrect because VPN is a site-to-site connection, not a logging service.

789
Multi-Selecthard

Which THREE of the following are benefits of using AWS Global Accelerator over Amazon CloudFront for a global application that uses TCP traffic? (Select THREE.)

Select 3 answers
A.Provides content caching at edge locations.
B.Provides static IP addresses that act as a fixed entry point.
C.Supports TCP and UDP traffic.
D.Can be used with Application Load Balancers as endpoints.
E.Automatically integrates with AWS WAF and AWS Shield Advanced.
AnswersB, C, D

Global Accelerator provides anycast IPs.

Why this answer

AWS Global Accelerator provides static IP addresses that act as a fixed entry point for your application, which is a key benefit over Amazon CloudFront. CloudFront uses dynamic, regional edge IP addresses that can change, whereas Global Accelerator offers two static anycast IP addresses that remain constant, simplifying DNS management and firewall whitelisting for TCP-based global applications.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator with CloudFront, assuming both provide caching and similar features, but Global Accelerator focuses on network performance optimization for TCP/UDP traffic without caching, while CloudFront is a CDN that caches content and primarily supports HTTP/HTTPS.

790
Multi-Selecthard

A company is using AWS Direct Connect with a private VIF to connect to multiple VPCs in the same region. The company wants to use AWS Transit Gateway to simplify management. Which three components are required to achieve this? (Choose THREE.)

Select 3 answers
A.Direct Connect private virtual interface
B.AWS Transit Gateway
C.VPC peering connection
D.AWS Site-to-Site VPN connection
E.AWS Direct Connect gateway
AnswersA, B, E

Required for Direct Connect connection.

Why this answer

Options A, B, and E are correct. A Direct Connect gateway is needed to connect the Direct Connect connection to the Transit Gateway. A Transit Gateway is the central hub.

A Direct Connect virtual interface is the connection from on-premises to AWS. Option D is wrong because a VPN connection is not required. Option C is wrong because a VPC peering connection is not used with Transit Gateway.

791
MCQeasy

A company has a VPC with public and private subnets. The public subnet hosts a web server that must be accessible from the internet. The private subnet hosts a database that should only be accessible from the web server. Which security group configuration should be used?

A.Database security group: inbound rule allowing traffic from the web server security group on the database port
B.Database security group: inbound rule allowing traffic from the VPC CIDR on the database port
C.Database security group: inbound rule allowing traffic from the web server's private IP on the database port
D.Database security group: inbound rule allowing traffic from 0.0.0.0/0 on the database port
AnswerA

This ensures only the web server can reach the database.

Why this answer

Security groups can reference other security groups as sources. Option A is correct because it allows traffic only from the web server's security group. Option B is wrong because it allows all traffic from the VPC CIDR, which is too permissive.

Option D is wrong because it allows all inbound traffic. Option C is wrong because it allows traffic from the web server but not specifically via its security group.

792
MCQeasy

A company is deploying a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is internet-facing and uses a public subnet. The EC2 instances are in private subnets. The application needs to be accessible from the internet. The security group for the ALB allows inbound HTTP and HTTPS from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic from the ALB's security group. The route tables for the private subnets have a default route to a NAT gateway. Users report that they cannot access the application. The ALB target group shows the instances as unhealthy. What is the MOST likely cause?

A.The security group for the EC2 instances does not allow inbound traffic from the ALB's security group on the health check port.
B.The ALB is deployed in a private subnet instead of a public subnet.
C.The ALB does not have an associated internet gateway route.
D.The NAT gateway is not correctly routing traffic from the instances to the internet.
AnswerA

Health checks fail if security group blocks traffic.

Why this answer

Option A is correct because the security group for the EC2 instances must allow health check traffic from the ALB on the health check port. Option B is incorrect because the ALB is in a public subnet. Option C is incorrect because the ALB does not need an internet gateway route of its own; it is already public.

Option D is incorrect because the NAT gateway only handles outbound traffic from the instances.

793
MCQhard

A company is deploying a multi-tier application in a VPC. The web tier is in public subnets, and the application tier is in private subnets. The application tier needs to communicate with an on-premises database via an AWS Direct Connect connection. The company wants to minimize latency and maximize throughput. Which design should they use?

A.Place the application tier instances in a private subnet in the same VPC as the web tier. Attach a virtual private gateway to the VPC and connect it to the on-premises network via a Direct Connect private virtual interface.
B.Place the application tier in a private subnet and use a NAT Gateway to route traffic to the on-premises network.
C.Place the application tier in a separate VPC and peer it to the web tier VPC. Use a Direct Connect connection attached to the web tier VPC.
D.Place the application tier in a separate VPC and use a VPN connection over the internet to connect to on-premises.
AnswerA

This provides low-latency, high-throughput connectivity directly between the application tier and on-premises.

Why this answer

Option A is correct because a Direct Connect private virtual interface (VIF) connected to a virtual private gateway (VGW) provides a dedicated, low-latency, high-throughput connection from the VPC to on-premises. The application tier in the private subnet can route traffic directly to the on-premises database via the VGW without traversing the internet or a NAT device, minimizing latency and maximizing throughput.

Exam trap

AWS often tests the misconception that a NAT Gateway or VPN can provide equivalent performance to Direct Connect, but the trap here is that NAT Gateways are for internet egress only and VPNs introduce internet-based latency, whereas a private VIF offers dedicated, consistent performance.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway is used for outbound internet traffic from private subnets, not for routing to on-premises networks over Direct Connect; it would add unnecessary latency and does not leverage the private VIF. Option C is wrong because placing the application tier in a separate VPC and peering it to the web tier VPC introduces an extra hop (VPC peering) and requires the Direct Connect to be attached to the web tier VPC, which forces traffic to traverse the peering connection, increasing latency and complexity. Option D is wrong because a VPN connection over the internet introduces variable latency, potential throughput bottlenecks, and security risks compared to a dedicated Direct Connect private VIF, failing to minimize latency and maximize throughput.

794
MCQeasy

A company wants to connect its on-premises data center to AWS using AWS Direct Connect. The company requires a dedicated 1 Gbps connection with low latency and high bandwidth for mission-critical workloads. Which type of Direct Connect interface should be used?

A.AWS Transit VIF
B.VPN Connection
C.Hosted Connection
D.Dedicated Connection
AnswerD

A dedicated connection provides a physical port dedicated to the customer.

Why this answer

Option D is correct because a dedicated connection provides a physical Ethernet link dedicated to the customer. Option A is a virtual interface, which is used on top of a dedicated connection rather than being the connection itself. B and C are incorrect as they are not types of Direct Connect interfaces.

795
MCQmedium

A financial services company has a VPC with a public subnet and a private subnet. EC2 instances in the private subnet need to download patches from the internet. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, instances cannot reach the internet. The NAT gateway is in an 'available' state and has an Elastic IP attached. The security group for the NAT gateway allows all outbound traffic. What is the most likely cause of the issue?

A.The security group for the NAT gateway is blocking inbound traffic from private instances
B.The NAT gateway is not provisioned with sufficient bandwidth
C.The NAT gateway does not have an IAM role to access the internet
D.The route table for the public subnet does not have a default route (0.0.0.0/0) pointing to an internet gateway
AnswerD

The NAT gateway needs an internet gateway route to forward traffic.

Why this answer

The most common cause is that the route table for the public subnet (where the NAT gateway resides) does not have a default route to an internet gateway. The NAT gateway needs a route to the internet gateway to forward traffic. Option C is wrong because a NAT gateway does not require an IAM role.

Option A is wrong because the security group is correct. Option B is wrong because the NAT gateway is in the 'available' state and has an EIP, so it is not provisioned incorrectly.

796
MCQeasy

A company is deploying a VPC with IPv6 support. The VPC has a CIDR block of 10.0.0.0/16 and an assigned IPv6 CIDR block of 2600:1f16:xxxx:xxxx::/56. The company wants EC2 instances in a public subnet to be able to communicate with the internet using IPv6. Which configuration is necessary?

A.Attach a NAT gateway to the VPC and add a route for ::/0 to the NAT gateway in the public subnet route table.
B.Attach an internet gateway to the VPC and add a route for 0.0.0.0/0 to the internet gateway in the public subnet route table.
C.Set up a NAT64 translation service to convert IPv6 requests to IPv4.
D.Attach an egress-only internet gateway to the VPC and add a route for ::/0 to the egress-only internet gateway in the public subnet route table.
AnswerD

Provides outbound-only IPv6 internet access.

Why this answer

Option D is correct because an egress-only internet gateway allows outbound IPv6 traffic from EC2 instances while preventing inbound connections, similar to a NAT gateway for IPv4. Option B is wrong because an internet gateway with the route 0.0.0.0/0 is for IPv4. Option C is wrong because NAT64 is for translating IPv6 to IPv4, which is not required here.

Option A is wrong because a NAT gateway is for IPv4 only.

797
MCQmedium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. The company has a NAT gateway in a public subnet. The EC2 instance can connect to other instances in the VPC but cannot reach the internet. What is the most likely cause?

A.The security group of the EC2 instance blocks outbound HTTPS traffic.
B.The NAT gateway does not have an Elastic IP address.
C.The network ACL of the private subnet blocks inbound traffic from the NAT gateway.
D.The route table in the private subnet does not have a default route to the NAT gateway.
AnswerD

Missing default route prevents internet access.

Why this answer

Option D is correct because the route table associated with the private subnet must have a default route (0.0.0.0/0) pointing to the NAT gateway. Option B is incorrect because the NAT gateway itself does not require a public IP for outbound traffic (though it needs one for inbound). Option A is incorrect because security group rules are stateful and allow outbound traffic.

Option C is incorrect because the NACL must allow outbound traffic, but the route is the primary issue.

798
MCQmedium

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC with public and private subnets. The ALB is in public subnets, and the web servers are in private subnets. Clients report intermittent connection errors. Investigation shows that the ALB is marking targets as unhealthy. What is the MOST likely cause?

A.The network ACL for the private subnets is blocking inbound traffic from the ALB.
B.The security group for the web servers does not allow inbound traffic from the internet.
C.The ALB is deployed in private subnets and cannot reach the internet.
D.The health check is configured to use the public IP address of the targets, but the targets are in private subnets without public IPs.
AnswerD

Health checks must target the private IP of the instances; using public IPs will fail.

Why this answer

If the ALB health checks are configured to use the public IP of the targets, the private subnet instances will not respond because they do not have public IPs. Option B is wrong because the security groups should allow traffic from the ALB. Option C is wrong because the ALB is in public subnets.

Option A is wrong because the relevant filtering is the security group on the instance side.

799
MCQhard

A company runs a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The security team needs to block a specific IP address range that has been launching DDoS attacks. The solution must be implemented at the network edge, before traffic reaches the ALB. What should the security team do?

A.Update the security group for the ALB to deny traffic from the IP range.
B.Create an AWS WAF web ACL with an IP set rule that blocks the IP range and attach it to the ALB.
C.Add a network ACL rule on the ALB's subnet to deny inbound traffic from the IP range.
D.Deploy Amazon CloudFront in front of the ALB and use AWS WAF to block the IP range at CloudFront.
AnswerB

WAF at the ALB blocks traffic before it reaches the backend.

Why this answer

AWS WAF web ACL attached to the ALB can filter traffic based on IP addresses. Option B is correct because WAF is deployed at the edge (ALB or CloudFront) and can block IP sets. Option A is wrong because security groups are stateful but work at the instance level, not at the edge.

Option C is wrong because NACLs are applied at the subnet level, but ALB is in a subnet, so traffic reaches the ALB first; NACL is stateless and less suitable for layer 7 filtering. Option D is wrong because CloudFront with WAF is also edge, but the question says 'before traffic reaches the ALB' and ALB is already in place; adding CloudFront changes the architecture.

800
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer. The security team requires that all traffic to the application be inspected by a third-party firewall appliance for compliance. The firewall appliance must be deployed in a separate VPC and must inspect traffic without introducing a single point of failure. Which architecture meets these requirements?

A.Configure the Application Load Balancer to send all traffic to the firewall appliance using Proxy Protocol v2.
B.Use AWS Direct Connect to route all traffic through the firewall appliance.
C.Use AWS Network Firewall to inspect traffic.
D.Deploy Gateway Load Balancer endpoints in the application VPC and attach them to the firewall appliance in the inspection VPC across multiple Availability Zones.
AnswerD

Gateway Load Balancer allows transparent inspection of traffic by third-party appliances and supports multi-AZ deployment.

Why this answer

Option D is correct because using Gateway Load Balancer endpoints across multiple Availability Zones with the firewall appliance in a separate VPC allows traffic to be routed through the firewall for inspection while maintaining high availability. Option C is wrong because AWS Network Firewall does not support routing traffic to a third-party appliance in a different VPC. Option B is wrong because Direct Connect does not provide traffic inspection.

Option A is wrong because Proxy Protocol does not enable traffic inspection.

801
MCQhard

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN tunnel is up, but traffic from on-premises cannot reach EC2 instances in the VPC. The EC2 instances have a security group that allows inbound ICMP from the on-premises CIDR. What is the most likely cause?

A.The security group rule is using the wrong protocol.
B.The VPN connection does not have static routes configured.
C.The subnet route table does not have a route for the on-premises CIDR pointing to the virtual private gateway.
D.The subnet is not associated with the main route table.
AnswerC

Without this route, traffic from on-premises cannot be routed to the subnet.

Why this answer

Option C is correct because the route table of the VPC subnet must have a route pointing the on-premises CIDR to the virtual private gateway (VGW). Option B is wrong because the VPN static routes are configured on the customer gateway side. Option A is wrong because the security group rule is correct.

Option D is wrong because the route table association is not the issue.

802
MCQeasy

A company needs to connect two VPCs in the same AWS account and region. They want to use private IP addresses and avoid any single point of failure. Which solution should they use?

A.AWS Transit Gateway
B.VPC peering connection
C.Internet Gateway and public IPs
D.AWS Site-to-Site VPN between the VPCs
AnswerB

VPC peering is simple, uses private IPs, and has no single point of failure as it is a direct connection.

Why this answer

VPC peering allows direct connectivity between two VPCs using private IPs and has no single point of failure. Transit Gateway also works but adds cost and complexity. VPN is not needed within the same region.

Internet Gateway would expose traffic to the internet.

803
MCQmedium

A company uses AWS Organizations and has multiple VPCs in different accounts. They want to centrally manage network firewall rules for all VPCs using a single firewall policy. Which AWS service should they use?

A.AWS Firewall Manager
B.AWS WAF
C.AWS Network Firewall
D.AWS Shield Advanced
AnswerA

Centrally manages firewall policies across accounts.

Why this answer

Option A is correct. AWS Firewall Manager applies a single security policy (including AWS Network Firewall policies, as well as WAF, Shield Advanced and security group policies) to accounts and VPCs across an AWS Organizations hierarchy, and automatically covers new accounts and VPCs as they appear. Option C is wrong because Network Firewall itself is deployed and configured per VPC; it is the firewall being managed, not the central manager.

Option D is wrong because Shield Advanced is DDoS protection. Option B is wrong because WAF manages web ACLs for HTTP(S) traffic, not network-level firewall rules.

804
MCQhard

A company is designing a network for a multi-account AWS environment using AWS Organizations. They need to establish a central inspection VPC for traffic inspection using a Gateway Load Balancer (GWLB). Traffic from all other VPCs should be routed through the inspection VPC before reaching the internet or on-premises. Which architecture should be used?

A.Use VPC Peering to connect all VPCs to the inspection VPC and configure routes to the GWLB.
B.Use AWS Direct Connect Gateway to connect all VPCs and route traffic through the inspection VPC.
C.Use AWS Transit Gateway with a centralized inspection VPC that hosts a GWLB. Configure route tables on the Transit Gateway to send traffic to the GWLB endpoint.
D.Use AWS Network Firewall in each VPC and route traffic to it.
AnswerC

Transit Gateway allows transitive routing and can force traffic through the inspection VPC.

Why this answer

Option C is correct because AWS Transit Gateway enables centralized routing between multiple VPCs, and when combined with a Gateway Load Balancer (GWLB) in an inspection VPC, it allows traffic from all other VPCs to be forwarded to the GWLB for inspection before reaching the internet or on-premises. Transit Gateway route tables can be configured with static routes pointing to the GWLB endpoint (using Gateway Load Balancer Endpoint service), ensuring all inter-VPC and egress traffic is steered through the inspection VPC. This architecture scales efficiently across many VPCs in an AWS Organizations multi-account setup without requiring complex peering or direct connections.

Exam trap

The trap here is that candidates often confuse VPC Peering's lack of transitive routing with the ability to create a hub-and-spoke model, leading them to select Option A, but AWS explicitly states that VPC Peering does not support transitive routing, making Transit Gateway the only viable option for centralized inspection across multiple VPCs.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not support transitive routing; each peering connection is a one-to-one relationship, so traffic from one VPC cannot be routed through a central inspection VPC to another VPC or to the internet without explicit peering between every pair, making it unscalable and unable to enforce centralized inspection. Option B is wrong because AWS Direct Connect Gateway is used to connect on-premises networks to multiple VPCs via Direct Connect, but it does not provide routing between VPCs themselves or support forwarding traffic through a central inspection VPC; it lacks the transitive routing capability needed for this multi-VPC inspection pattern. Option D is wrong because AWS Network Firewall in each VPC would require deploying and managing separate firewall instances per VPC, which defeats the requirement for a central inspection VPC and does not provide a single point of traffic inspection across all VPCs; it also adds operational overhead and does not leverage the GWLB for centralized traffic steering.

805
Multi-Selecteasy

A company is designing a VPC with public and private subnets. The company needs to provide internet access to instances in the private subnets. Which TWO components are required? (Choose TWO.)

Select 2 answers
A.Internet Gateway attached to the VPC
B.Transit Gateway
C.NAT Gateway in a public subnet
D.VPC Gateway Endpoint for S3
E.Virtual Private Gateway
AnswersA, C

IGW is needed for public subnet and NAT.

Why this answer

An Internet Gateway (IGW) is required to provide a target in the VPC route tables for internet-bound traffic. For instances in private subnets, a NAT Gateway placed in a public subnet translates their private IP addresses to the public IP of the NAT Gateway, allowing outbound internet access while preventing unsolicited inbound connections. The private subnet's route table must point 0.0.0.0/0 to the NAT Gateway, and the public subnet's route table must point 0.0.0.0/0 to the IGW.

Exam trap

The trap here is that candidates often think a NAT Gateway alone is sufficient, forgetting that an Internet Gateway must be attached to the VPC and the public subnet's route table must point to it for the NAT Gateway to reach the internet.
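The route-table behaviour behind both the VPN question (801) and this one (805) comes down to longest-prefix-match lookups in per-subnet tables. The following is an added illustration, not part of the exam material: it simulates the lookup and shows why a subnet with only the local route drops replies to on-premises hosts even though the tunnel is up, and why private-subnet egress needs two routes in two different tables (0.0.0.0/0 to the NAT gateway in the private table, 0.0.0.0/0 to the internet gateway in the NAT gateway's public subnet). The CIDRs, gateway IDs and addresses are constructed for the example.

```python
"""Longest-prefix-match lookup over VPC route tables (constructed example)."""
import ipaddress

def lookup(route_table, dst_ip):
    """Return the target of the most specific route matching dst_ip.

    route_table is a list of (cidr, target) pairs. VPC route tables have no
    implicit default route, so None means the packet is dropped.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

# Constructed addressing for the illustration.
VPC_CIDR = "10.0.0.0/16"
ON_PREM = "192.168.0.0/16"

# Private subnet in the Site-to-Site VPN question, before the fix: only the
# local route that every VPC route table carries.
PRIVATE_RT_BROKEN = [(VPC_CIDR, "local")]
# After adding the on-premises route (or enabling propagation from the VGW).
PRIVATE_RT_FIXED = [(VPC_CIDR, "local"), (ON_PREM, "vgw-0abc123")]

# Public/private pair for NAT egress (hypothetical gateway IDs).
PRIVATE_RT_NAT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0def456")]
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0789abc")]

def reply_path(route_table, on_prem_ip="192.168.10.5"):
    """Target used when an instance replies to an on-premises host.

    The VGW delivers the request into the VPC regardless of this table;
    it is the reply that needs the route, so None here means the ping fails.
    """
    return lookup(route_table, on_prem_ip)

def egress_hops(dst_ip="93.184.216.34"):
    """Two lookups for one outbound packet from a private instance: the
    private subnet's table picks the NAT gateway, then the NAT gateway's own
    public subnet table must pick the internet gateway."""
    return (lookup(PRIVATE_RT_NAT, dst_ip), lookup(PUBLIC_RT, dst_ip))

if __name__ == "__main__":
    print("reply to on-prem, broken table:", reply_path(PRIVATE_RT_BROKEN))
    print("reply to on-prem, fixed table:  ", reply_path(PRIVATE_RT_FIXED))
    print("private instance egress path:   ", egress_hops())
    # Longest prefix wins: on-prem traffic goes to the VGW, not the NAT gateway.
    print(lookup(PRIVATE_RT_NAT + [(ON_PREM, "vgw-0abc123")], "192.168.1.1"))
```

When both a default route to a NAT gateway and a /16 to the VGW exist, the more specific prefix wins, which is why the usual "0.0.0.0/0 to NAT plus propagated VGW routes" private table does not leak on-premises traffic through the NAT gateway.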

806
Multi-Selecthard

A company wants to connect its on-premises data center to AWS using AWS Direct Connect and wants to use the same connection to access multiple VPCs in the same AWS region. The company also needs to maintain private IP connectivity between the VPCs. Which THREE components should the company use to meet these requirements? (Choose three.)

Select 3 answers
A.Transit Gateway VPC attachments
B.VPC peering connections between each VPC
C.AWS Site-to-Site VPN connection
D.AWS Direct Connect gateway
E.AWS Transit Gateway
AnswersA, D, E

Each VPC must be attached to the Transit Gateway to enable connectivity through the Transit Gateway.

Why this answer

Transit Gateway VPC attachments allow multiple VPCs to connect to a central transit gateway, enabling private IP connectivity between them. When combined with an AWS Direct Connect gateway, the on-premises data center can use a single Direct Connect connection to reach all attached VPCs via the transit gateway, meeting both requirements efficiently.

Exam trap

The trap here is that candidates often confuse VPC peering with transit gateway, assuming peering can provide transitive routing or work with a single Direct Connect connection, but AWS explicitly requires a transit gateway for hub-and-spoke connectivity with Direct Connect.

807
MCQhard

A company is implementing a hybrid network architecture with AWS Direct Connect and a VPN backup. The company has two Direct Connect connections from different providers terminating at two AWS Direct Connect locations, each connecting to a separate AWS Transit Gateway in the same region. The VPCs are attached to both transit gateways. The company needs to ensure that traffic from on-premises to VPCs uses the primary Direct Connect connection when available and fails over to the secondary Direct Connect connection, then to the VPN. How should the company configure routing to achieve this?

A.Configure BGP AS_PATH prepending on the secondary Direct Connect and VPN connections to make them less preferred than the primary Direct Connect.
B.Disable route propagation from the VPN to the transit gateway route tables, and rely on the Direct Connect connections only.
C.Configure equal-cost multipath (ECMP) routing across all three connections to load balance traffic.
D.Use static routes in the transit gateway route tables with higher metric values for the secondary Direct Connect and VPN.
AnswerA

AS_PATH prepending influences BGP best path selection.

Why this answer

Option A is correct because AS_PATH prepending on the routes advertised over the secondary Direct Connect and VPN connections makes those paths longer, so BGP best-path selection prefers the primary Direct Connect connection; when its session drops and its routes are withdrawn, the secondary connection is chosen, and the VPN (longest AS_PATH) is used last. Option B is wrong because disabling VPN route propagation removes the VPN as a backup path entirely. Option D is wrong because Direct Connect requires BGP; transit gateway static routes carry no metric, and a static route would take precedence over the dynamically learned routes and defeat the failover.

Option C is wrong because ECMP would spread traffic across all three connections instead of giving them a failover order. Two caveats a practitioner should keep in mind: prepending on the advertisements from the on-premises router shapes the AWS-to-on-premises direction, while the on-premises router's own choice for traffic toward the VPCs is normally set with LOCAL_PREF on the routes it receives; and the virtual private gateway and transit gateway route evaluation already prefer Direct Connect routes over VPN routes for the same prefix, so the prepending mostly decides between the two Direct Connect paths.

808
MCQmedium

A company is designing a network for a three-tier web application in AWS. The web tier must be accessible from the internet, but the application and database tiers must be private. The company wants to use a single AWS Region and ensure high availability across multiple Availability Zones. What is the MOST cost-effective network design that meets these requirements?

A.Place web servers in public subnets across three AZs. Place application and database servers in private subnets across three AZs. Use a NAT Gateway in each AZ for outbound traffic.
B.Place web servers in public subnets across three AZs. Place application and database servers in private subnets across three AZs. Use NAT instances in each AZ behind an Auto Scaling group.
C.Place web servers in public subnets and application/database servers in private subnets in one AZ. Use a single NAT Gateway in the public subnet for outbound traffic.
D.Place all tiers in public subnets and use security groups to restrict inbound traffic to the web tier only.
AnswerA

Highly available and cost-effective managed service.

Why this answer

Option A is correct because it places web servers in public subnets across three Availability Zones (AZs) for internet-facing access and high availability, while application and database servers reside in private subnets across three AZs for isolation. A NAT Gateway in each AZ provides cost-effective outbound internet connectivity for private instances without exposing them to inbound traffic, and using one NAT Gateway per AZ avoids cross-AZ data transfer charges, which would increase costs if a single NAT Gateway were shared across AZs.

Exam trap

AWS often tests the misconception that a single NAT Gateway is more cost-effective than multiple, but the trap is that cross-AZ data transfer costs from using a single NAT Gateway in a multi-AZ setup can exceed the cost of deploying one NAT Gateway per AZ, making the per-AZ design more cost-effective overall.

How to eliminate wrong answers

Option B is wrong because NAT instances behind an Auto Scaling group introduce management overhead (patching, sizing, source/destination check changes), brief loss of connectivity during instance replacement, and higher operational cost compared to managed NAT Gateways, making it less cost-effective. Option C is wrong because deploying all tiers in a single AZ violates the high availability requirement across multiple Availability Zones, as a single AZ failure would take down the entire application. Option D is wrong because placing all tiers in public subnets exposes application and database servers to the internet, violating the requirement that they remain private; even with restrictive security groups, a public IP and a route to the internet gateway leave the database one misconfigured rule away from being directly reachable.

809
MCQmedium

A company is deploying a multi-VPC architecture with connectivity requirements. The network team needs to establish private connectivity between VPCs in the same AWS account and region, using services that can scale to 100 Gbps throughput. Which solution meets these requirements?

A.Use AWS PrivateLink with Network Load Balancers to connect VPCs
B.Deploy AWS Client VPN and configure routes between VPCs
C.Create an AWS Transit Gateway and attach all VPCs to it
D.Configure VPC peering connections between each pair of VPCs
AnswerC

Transit Gateway provides scalable connectivity up to 100 Gbps per attachment.

Why this answer

Option C is correct because Transit Gateway supports up to 100 Gbps per VPC attachment and provides centralized connectivity between multiple VPCs. Option D is wrong because a full mesh of peering connections (one per VPC pair) does not scale operationally and provides no transitive routing. Option A is wrong because AWS PrivateLink exposes a specific service behind a Network Load Balancer through an interface endpoint, not general VPC-to-VPC routing.

Option B is wrong because Client VPN is for remote user access, not VPC-to-VPC connectivity.

810
MCQmedium

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network team reports that they can ping the VPC's private IP addresses, but they cannot reach an internet-facing application hosted on an EC2 instance in a public subnet. The EC2 instance has a public IP and a security group allowing HTTP/HTTPS from 0.0.0.0/0. What is the most likely cause?

A.The route table in the public subnet does not have a default route to an internet gateway.
B.The security group is blocking traffic from the on-premises IP range.
C.The BGP session is not exchanging routes for the public IP range.
D.The private VIF does not route traffic to public IP addresses; the on-premises traffic to the public IP must traverse the internet.
AnswerD

A private VIF only carries traffic destined to private IP addresses in the VPC. Traffic to public IPs must go over the internet.

Why this answer

The issue is that a private VIF only carries the VPC's private address space (the CIDR advertised by the virtual private gateway or Direct Connect gateway), so on-premises traffic addressed to the instance's public IP is not sent over the private VIF; it follows the on-premises default route to the internet. Option D is correct for this reason. If on-premises users need the application over Direct Connect, they should connect to the instance's private IP. Option B is incorrect because the security group allows HTTP/HTTPS from 0.0.0.0/0, which includes the on-premises addresses.

Option A is incorrect because the instance is internet-facing and its subnet already has a route to the internet gateway; that route is not what is missing. Option C is incorrect because the BGP session over a private VIF is expected to exchange only private prefixes; the absence of public prefixes is by design, not a fault.

811
MCQmedium

A company has multiple VPCs in the same AWS region that need to communicate with each other. The network team wants to minimize the number of connections and simplify management. The solution must support transitive routing between all VPCs. Which AWS service should be used?

A.VPC Peering
B.AWS Direct Connect Gateway
C.AWS Transit Gateway
D.VPC Endpoints
AnswerC

Correct; Transit Gateway provides transitive routing and simplifies connections.

Why this answer

AWS Transit Gateway (TGW) is a network transit hub that enables transitive routing between multiple VPCs and on-premises networks through a single gateway. It uses a hub-and-spoke architecture, which inherently supports transitive routing (e.g., VPC A can reach VPC C via the TGW without requiring direct peering between A and C). This minimizes the number of connections (N VPCs require only N attachments instead of N*(N-1)/2 VPC peering connections) and simplifies management with a central routing table.

Exam trap

The trap here is that candidates often confuse VPC Peering's lack of transitive routing with the ability to route through a central VPC (e.g., using a third-party appliance), but AWS explicitly prohibits transitive routing through VPC peering, making Transit Gateway the only native service that supports transitive routing between multiple VPCs.

How to eliminate wrong answers

Option A is wrong because VPC Peering does not support transitive routing; traffic cannot flow from VPC A to VPC C through a peering connection with VPC B, as peering is a one-to-one, non-transitive relationship. Option B is wrong because AWS Direct Connect Gateway is designed to connect on-premises networks to multiple VPCs via Direct Connect, but it does not provide transitive routing between VPCs themselves; it only facilitates connectivity between on-premises and VPCs. Option D is wrong because VPC Endpoints (Gateway or Interface endpoints) provide private connectivity to AWS services (e.g., S3, DynamoDB) from within a VPC, not inter-VPC routing or transitive connectivity between VPCs.

812
MCQeasy

A company wants to centrally manage and enforce security policies across multiple AWS accounts and VPCs. They need to ensure that all VPCs have a specific set of rules, such as disabling public subnets. Which AWS service should be used?

A.AWS Organizations with Service Control Policies (SCPs)
B.AWS Identity and Access Management (IAM)
C.AWS Shield
D.AWS Config
AnswerA

SCPs allow central control over the maximum permissions for accounts, enabling enforcement of network policies.

Why this answer

Option A is correct because a Service Control Policy applied through AWS Organizations sets the maximum permissions for every account in an organizational unit, so actions such as creating or attaching an internet gateway, or enabling automatic public IP assignment on a subnet, can be denied centrally and cannot be overridden by an account's own administrators. Option D is wrong because AWS Config evaluates and reports on resource configuration (and can trigger remediation after the fact) but does not prevent the action. Option B is wrong because IAM policies are managed within each account and can be changed by that account's administrators, so they do not give organization-wide enforcement.

Option C is wrong because AWS Shield is for DDoS protection.

813
Multi-Selecteasy

A company is deploying a web application in a VPC. They need to ensure that the web servers can be accessed from the internet and that traffic is encrypted. Which TWO services should they use?

Select 2 answers
A.AWS WAF
B.Application Load Balancer (ALB)
C.NAT Gateway
D.AWS Certificate Manager (ACM)
E.Amazon CloudFront
AnswersB, D

ALB can terminate SSL/TLS and route traffic to targets.

Why this answer

Options B and D are correct. An Application Load Balancer (ALB) terminates HTTPS and distributes traffic to the web servers, and AWS Certificate Manager (ACM) issues and renews the TLS certificate that the ALB's HTTPS listener uses.

Option A is wrong because AWS WAF filters web requests; it does not provide encryption. Option E is wrong because CloudFront could also terminate TLS, but the question asks for two services and ALB plus ACM is the standard combination inside the VPC. Option C is wrong because a NAT Gateway handles outbound traffic from private subnets.

814
MCQeasy

A company is designing a VPC with public and private subnets. They want EC2 instances in private subnets to be able to access the internet for software updates. Which AWS service should they use?

A.AWS Direct Connect
B.Internet Gateway (IGW)
C.VPC Peering connection
D.NAT Gateway
AnswerD

A NAT Gateway enables outbound internet access for instances in private subnets.

Why this answer

The correct answer is D because a NAT Gateway allows instances in private subnets to initiate outbound connections to the internet while rejecting connections initiated from the internet. Option B (Internet Gateway) is the target for public subnets; an instance behind it needs a public IP. Option C (VPC Peering) is for connecting VPCs.

Option A (Direct Connect) is a dedicated connection to on-premises.

815
MCQmedium

A company is designing a network for a three-tier web application. The web tier must be able to scale out and in automatically based on CPU utilization. The database tier must be highly available and use Multi-AZ deployment. Which combination of AWS services should the architect use?

A.Network Load Balancer, Auto Scaling group, Amazon RDS Multi-AZ
B.Application Load Balancer, Auto Scaling group, Amazon DynamoDB
C.Application Load Balancer, Auto Scaling group, Amazon RDS Multi-AZ
D.Classic Load Balancer, Auto Scaling group, Amazon RDS Single-AZ
AnswerC

ALB handles HTTP/HTTPS traffic, Auto Scaling adjusts capacity, and RDS Multi-AZ provides HA.

Why this answer

Option C is correct because an Application Load Balancer (ALB) operates at Layer 7, which is ideal for distributing HTTP/HTTPS traffic to a web tier that scales out and in automatically via an Auto Scaling group based on CPU utilization. Amazon RDS Multi-AZ provides synchronous standby replication across Availability Zones, ensuring high availability for the database tier by automatically failing over to the standby in case of an outage.

Exam trap

AWS often tests the misconception that a Network Load Balancer is suitable for all web applications, but the trap here is that the web tier requires Layer 7 features (like HTTP header inspection) for proper scaling and routing, which only the Application Load Balancer provides.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) operates at Layer 4 and does not offer the HTTP-level features (host- and path-based routing, header inspection, HTTP health checks) that the web tier of a three-tier application normally needs. Option B is wrong because Amazon DynamoDB is a NoSQL database, not a relational database, and does not support Multi-AZ deployment in the same way as RDS; it also does not meet the requirement for a highly available database tier using Multi-AZ deployment. Option D is wrong because Amazon RDS Single-AZ does not provide high availability, as it lacks automatic failover to a standby instance in a different Availability Zone, and the Classic Load Balancer is a legacy option that does not support advanced Layer 7 features like host-based or path-based routing.

816
MCQeasy

A network engineer needs to capture TCP traffic between an EC2 instance (eni-abc123) and an RDS instance (eni-def456) in the same VPC for troubleshooting. Which AWS service should be used to capture the traffic and store it in S3?

A.Amazon Inspector
B.AWS CloudTrail
C.AWS Config
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture IP traffic information for network interfaces and can be published to S3 or CloudWatch Logs.

Why this answer

VPC Flow Logs record metadata about the IP traffic of a network interface (addresses, ports, protocol, packet and byte counts, accept/reject decision) and can publish it to S3 or CloudWatch Logs; they do not capture packet payloads, which would require VPC Traffic Mirroring. Option D is correct: a flow log on eni-abc123 and eni-def456 will show the TCP flows between the two interfaces, which is enough for the routing and security-group troubleshooting described. Options A, B, and C do not record network traffic at all: Inspector scans for vulnerabilities, CloudTrail records API calls, and Config records resource configuration changes.

817
Multi-Selecteasy

A company is designing a high-availability architecture for an application that will be deployed across multiple Availability Zones. Which THREE components are recommended for this design? (Choose three.)

Select 3 answers
A.One EC2 instance in each AZ
B.Application Load Balancer across multiple AZs
C.NAT Gateway in each AZ
D.Auto Scaling group with instances in multiple AZs
E.Single NAT Gateway in one AZ
AnswersB, C, D

Distributes traffic across AZs.

Why this answer

An Application Load Balancer (ALB) distributes incoming traffic across multiple targets in different Availability Zones (AZs). By enabling cross-zone load balancing, the ALB can route requests to healthy instances in any AZ, ensuring that if one AZ fails, traffic is automatically redirected to instances in the remaining AZs. This is a foundational component for high availability because it eliminates a single point of failure at the traffic distribution layer.

Exam trap

AWS often tests the misconception that a single NAT Gateway is sufficient for high availability, but in a multi-AZ architecture, you must deploy a NAT Gateway in each AZ to maintain outbound connectivity during an AZ failure.

818
MCQhard

A company uses AWS Direct Connect with multiple virtual interfaces (VIFs) to connect to multiple VPCs. The network team wants to ensure high availability and failover. Which configuration provides the best resiliency?

A.Provision two Direct Connect connections from different providers and configure BGP
B.Use a single Direct Connect connection with a VPN backup over the internet
C.Configure BGP with multiple AS paths on the same Direct Connect connection
D.Create multiple private VIFs on a single Direct Connect connection
AnswerA

Two separate connections from different providers provide physical diversity and high availability.

Why this answer

Option A is correct because two separate Direct Connect connections from different providers, terminated at different Direct Connect locations, provide physical path diversity, with BGP handling the failover; if one connection fails, the other carries the traffic. Option D is wrong because multiple VIFs on a single connection share the same physical link and fail together. Option B is wrong because a VPN over the internet is a lower-bandwidth, higher-latency backup that does not match the resiliency of a second dedicated connection.

Option C is wrong because BGP attributes on a single connection cannot create physical redundancy.

819
MCQeasy

A company wants to connect its on-premises data center to AWS using AWS Direct Connect with a public VIF to access Amazon S3. The on-premises network team reports that they can ping the Direct Connect public VIF IP but cannot access S3. The VPC has a private subnet with an S3 VPC endpoint. What is the most likely reason for the failure?

A.Direct Connect does not support access to Amazon S3; you must use VPN.
B.The S3 endpoint is configured in the VPC, but the on-premises traffic is not using the endpoint.
C.The on-premises network is not routing traffic to S3 through the Direct Connect public VIF; instead, it is attempting to use the internet.
D.A security group is blocking traffic from the on-premises network to S3.
AnswerC

Public VIF requires proper routing; if not configured, traffic goes over internet.

Why this answer

Option C is correct. Over a public VIF, AWS advertises its public IP prefixes (including the Amazon S3 ranges for the region) to the customer gateway via BGP; the on-premises router must accept those prefixes and route S3-bound traffic over the public VIF. If it does not, S3 requests follow the on-premises default route to the internet. The S3 gateway endpoint in the VPC is irrelevant to this path because gateway endpoints only serve traffic from instances inside that VPC, which is also why Option B is wrong: on-premises traffic is not expected to use the endpoint at all.

Option A is incorrect because Direct Connect reaches public AWS services such as S3 through a public VIF. Option D is incorrect because security groups apply to network interfaces in the VPC, not to traffic from on-premises to the S3 service.

820
MCQeasy

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure that if the primary VPN tunnel goes down, traffic automatically fails over to the secondary tunnel. Which configuration is required?

A.Use static routes with equal-cost multipath (ECMP)
B.Enable VPN CloudHub
C.Enable dynamic routing (BGP) on the VPN connection
D.Configure a second customer gateway device
AnswerC

BGP allows dynamic route advertisement and failover.

Why this answer

Option C is correct because with dynamic routing the customer gateway runs a BGP session inside each tunnel; when a tunnel fails its session drops, its routes are withdrawn, and traffic moves to the routes learned over the surviving tunnel without manual intervention. Option A is wrong because static routes cannot detect a failed tunnel, so failover depends on the customer gateway device being configured to switch tunnels itself. Option D is wrong because a second customer gateway device provides device redundancy through a second VPN connection with its own pair of tunnels; it is not what makes the two tunnels of one connection fail over.

Option B is wrong because VPN CloudHub connects multiple customer sites to each other through the virtual private gateway; it is not a failover mechanism.

821
Multi-Selecthard

A company has a VPC with public and private subnets. They use a NAT Gateway in the public subnet to allow instances in the private subnet to access the internet. The security team wants to ensure that all outbound traffic from the private subnet is logged and inspected. Which THREE services should they use together to achieve this? (Choose THREE.)

Select 3 answers
A.VPC Flow Logs
B.AWS Direct Connect
C.AWS Network Firewall
D.Amazon Route 53 Resolver DNS Firewall
E.AWS Transit Gateway
AnswersA, C, D

Flow logs record the traffic metadata (addresses, ports, bytes, accept/reject) for logging; AWS Network Firewall inspects the outbound packets inline with stateful rules and can log alerts and drops; Route 53 Resolver DNS Firewall filters and logs the DNS queries that precede most outbound connections. Direct Connect and Transit Gateway are connectivity services and provide neither logging nor inspection.

822
MCQeasy

A company is designing a hybrid network where an Amazon VPC is connected to an on-premises data center via AWS Direct Connect and a VPN backup. They have a VPC with CIDR 10.0.0.0/16 and on-premises CIDR 192.168.0.0/16. They want to ensure that all traffic between the VPC and on-premises uses the Direct Connect connection when it is available, and automatically fails over to the VPN if Direct Connect fails. What should they do?

A.Create a virtual private gateway with a Direct Connect private virtual interface. Additionally, create a separate VPN connection directly to the VPC. Set longer AS path for the Direct Connect routes.
B.Create a virtual private gateway and establish both a Direct Connect private virtual interface and a VPN connection. Use BGP with equal AS path lengths to enable ECMP.
C.Create a virtual private gateway and attach a Direct Connect private virtual interface. For failover, add a static route in the VPC route table pointing to the VPN connection.
D.Create a virtual private gateway attached to the VPC. Establish a Direct Connect private virtual interface and a VPN connection to the virtual private gateway. Configure BGP on both connections and use a shorter AS path for the Direct Connect routes.
AnswerD

The shorter AS path makes Direct Connect preferred, and BGP provides automatic failover.

Why this answer

Option D is correct because it uses a virtual private gateway (VGW) for both the Direct Connect private virtual interface and the VPN connection, and configures BGP on both. By advertising a shorter AS path (e.g., prepending fewer AS numbers) for the Direct Connect routes, the VPC and on-premises routers prefer the Direct Connect path when available. If Direct Connect fails, the BGP session drops, and the VPN routes (with a longer AS path) become active, providing automatic failover.

Exam trap

AWS often tests the misconception that you can simply attach a Direct Connect private virtual interface to a VGW and then add a static route for failover, but this ignores the need for BGP-based dynamic failover and the risk of route conflicts or black-holing when both paths are active.

How to eliminate wrong answers

Option A is wrong because setting a longer AS path for Direct Connect routes would make them less preferred, causing traffic to use the VPN instead of Direct Connect when both are available. Option B is wrong because using equal AS path lengths with ECMP would load-balance traffic across both connections, not prioritize Direct Connect as the primary path. Option C is wrong because adding a static route in the VPC route table for failover does not provide automatic failover; the static route would be active simultaneously, potentially causing asymmetric routing or black-holing, and it lacks BGP-based dynamic failover detection.
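Both this question (822) and question 807 turn on the same piece of BGP best-path selection: higher LOCAL_PREF first, then shortest AS_PATH, with withdrawn routes never considered. The following simulation is an added example, not part of the exam material; it models only that part of the decision process, and the ASN, prefix and link names are constructed. It shows the primary-then-secondary-then-VPN failover order that prepending produces, and that equal path lengths leave several tied candidates, which is the ECMP situation Option B describes rather than a priority order.

```python
"""BGP best-path selection with AS_PATH prepending (constructed example)."""
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str
    next_hop: str        # link the route was learned over
    as_path: tuple       # e.g. (65000,) or (65000, 65000, 65000)
    local_pref: int = 100
    session_up: bool = True

def prepend(as_path, asn, times):
    """AS_PATH prepending: repeat our own ASN to make the path look longer."""
    return (asn,) * times + tuple(as_path)

def best_path(routes, prefix):
    """Winning route for prefix, or None if every session carrying it is down.

    Only the steps relevant here: highest LOCAL_PREF, then shortest AS_PATH.
    Remaining ties fall back to announcement order.
    """
    candidates = [r for r in routes if r.prefix == prefix and r.session_up]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path)))

def equal_cost_paths(routes, prefix):
    """Next hops tied with the winner; with ECMP enabled traffic would be
    spread across all of them instead of following a failover order."""
    best = best_path(routes, prefix)
    if best is None:
        return []
    return sorted(r.next_hop for r in routes
                  if r.prefix == prefix and r.session_up
                  and r.local_pref == best.local_pref
                  and len(r.as_path) == len(best.as_path))

# Constructed values: private ASN and on-premises prefix from the question.
ON_PREM_ASN = 65000
ON_PREM = "192.168.0.0/16"

def build_routes(prepend_secondary=2, prepend_vpn=4):
    """192.168.0.0/16 as received on the AWS side from the on-premises router
    over three links, with prepending applied to the backup links."""
    base = (ON_PREM_ASN,)
    return [
        Route(ON_PREM, "dx-primary", base),
        Route(ON_PREM, "dx-secondary", prepend(base, ON_PREM_ASN, prepend_secondary)),
        Route(ON_PREM, "vpn-backup", prepend(base, ON_PREM_ASN, prepend_vpn)),
    ]

def failover_sequence(routes):
    """Take links down one at a time (session drop => route withdrawn) and
    record which next hop wins at each step; the final entry is None once
    nothing is left."""
    chosen = []
    for link in ("dx-primary", "dx-secondary", "vpn-backup"):
        chosen.append(best_path(routes, ON_PREM).next_hop)
        for r in routes:
            if r.next_hop == link:
                r.session_up = False
    chosen.append(best_path(routes, ON_PREM))
    return chosen

if __name__ == "__main__":
    print("failover order:", failover_sequence(build_routes()))
    print("no prepending, ECMP candidates:", equal_cost_paths(build_routes(0, 0), ON_PREM))
```

The `local_pref` field is there because the return direction is usually steered that way: the on-premises router sets a higher LOCAL_PREF on the routes it receives over the primary Direct Connect rather than relying on AWS's path lengths.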

823
MCQmedium

A security engineer is designing a network ACL for a public subnet. The subnet hosts a web server on port 443. Which inbound and outbound rules should be configured to allow HTTPS traffic from the internet? (Assume default deny all rule.)

A.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 1024-65535 to 0.0.0.0/0.
B.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0.
C.Inbound: allow TCP 1024-65535 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0.
D.Inbound: allow TCP 443 from 0.0.0.0/0; Outbound: allow TCP 443 to 0.0.0.0/0 for responses.
AnswerA

This allows incoming HTTPS and outgoing return traffic on ephemeral ports.

Why this answer

Option A is correct because NACLs are stateless: each direction is evaluated independently against its own numbered rule list, lowest number first, with an implicit deny at the end, so the rule that admits the client's request on TCP 443 does nothing for the server's reply, which leaves the subnet with a destination port equal to the client's ephemeral port. The outbound rule for TCP 1024-65535 is what lets those replies out. Option B is wrong because its outbound rule allows only destination port 443, so replies to clients are dropped and the TLS handshake never completes.

Option C is wrong because its inbound rule admits only ephemeral destination ports, so the client's request to port 443 is dropped. Option D is the same rule set as Option B; labelling the outbound 443 rule "for responses" does not change the ports the responses actually use. In practice the outbound ephemeral range should cover all client operating systems and any NAT devices in the path, which is why 1024-65535 rather than a narrower range is the usual choice.
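The following is an added illustration of that stateless evaluation, not part of the exam material. It implements the NACL matching rules (ordered by rule number, first match wins, implicit deny; inbound rules match the source CIDR and destination port, outbound rules match the destination CIDR and destination port) and runs one HTTPS request/reply pair through the rule sets of options A, B and C. The client and server addresses and the ephemeral port are constructed.

```python
"""Stateless network ACL evaluation of an HTTPS exchange (constructed example)."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str      # "tcp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    action: str        # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    protocol: str = "tcp"

def evaluate(rules, packet, direction):
    """Return 'allow' or 'deny' for one packet in one direction.

    Rules are tried in ascending rule-number order and the first match wins;
    the trailing '*' rule that every NACL carries denies anything unmatched.
    """
    remote = packet.src if direction == "inbound" else packet.dst
    remote_ip = ipaddress.ip_address(remote)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", packet.protocol):
            continue
        if not (r.port_from <= packet.dport <= r.port_to):
            continue
        if remote_ip not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        return r.action
    return "deny"

def https_exchange_allowed(inbound, outbound,
                           client="203.0.113.10", server="10.0.1.20", eph=51234):
    """True only if the client's request gets in AND the server's reply gets
    out; with a stateless filter both legs need their own matching rule."""
    request = Packet(src=client, dst=server, sport=eph, dport=443)
    reply = Packet(src=server, dst=client, sport=443, dport=eph)
    return (evaluate(inbound, request, "inbound") == "allow"
            and evaluate(outbound, reply, "outbound") == "allow")

ANY = "0.0.0.0/0"
# (inbound rules, outbound rules) for the answer options in the question.
OPTION_A = ([Rule(100, "tcp", 443, 443, ANY, "allow")],
            [Rule(100, "tcp", 1024, 65535, ANY, "allow")])
OPTION_B = ([Rule(100, "tcp", 443, 443, ANY, "allow")],
            [Rule(100, "tcp", 443, 443, ANY, "allow")])
OPTION_C = ([Rule(100, "tcp", 1024, 65535, ANY, "allow")],
            [Rule(100, "tcp", 443, 443, ANY, "allow")])

if __name__ == "__main__":
    for name, (inb, outb) in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        verdict = "handshake completes" if https_exchange_allowed(inb, outb) else "blocked"
        print(f"option {name}: {verdict}")
```

Because the evaluation is ordered, a deny rule with a lower number than the broad allow is the way to block a specific source range while keeping port 443 open to everyone else; the test below exercises that case as well.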

824
MCQmedium

A company has a VPN connection between an on-premises network and AWS using two tunnels for redundancy. The BGP sessions are established, but traffic is only flowing through one tunnel. The engineer wants to ensure both tunnels are actively used. What should be configured?

A.Enable load balancing on the VPN connection in the AWS console.
B.Configure static routes for the second tunnel.
C.Assign different BGP ASNs to each tunnel.
D.Advertise the same BGP prefixes over both tunnels from the on-premises router.
AnswerD

This allows AWS to load balance traffic across both tunnels.

Why this answer

Option D is correct because AWS can only treat both tunnels as usable paths when the customer gateway device advertises the same BGP prefixes over both of them. Note, however, that a virtual private gateway does not load-balance across tunnels; it sends traffic over one tunnel at a time, so genuinely active/active tunnels with ECMP require the VPN to terminate on a Transit Gateway with ECMP enabled and dynamic routing. Option B is incorrect because static routes would not make the second tunnel active and provide no automatic failover.

Option C is incorrect because both tunnels of a connection belong to the same customer gateway and share its ASN; different ASNs would break the BGP configuration. Option A is incorrect because there is no load-balancing switch on the VPN connection; path usage is determined by BGP and by the type of gateway the VPN terminates on.

825
Multi-Selecteasy

A network engineer needs to monitor network traffic in a VPC. Which TWO AWS services can capture and analyze VPC flow logs?

Select 2 answers
A.Amazon GuardDuty
B.Amazon S3
C.VPC Traffic Mirroring
D.Amazon CloudWatch Logs
E.AWS Config
AnswersB, D

Flow logs can be delivered to S3.

Why this answer

Amazon S3 is a correct destination for VPC Flow Logs because you can publish flow log data directly to an S3 bucket, where it can be stored, queried with Amazon Athena, or processed by other analytics tools. Amazon CloudWatch Logs is also a correct destination, allowing you to publish flow logs to a log group for real-time monitoring, metric filters, and integration with CloudWatch alarms or third-party solutions via subscription filters.

Exam trap

AWS often tests the misconception that VPC Traffic Mirroring is a type of flow log, but it is a separate feature for capturing full packet payloads, not the aggregated metadata logs that VPC Flow Logs provide.
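Questions 816, 821 and 825 all rely on what a flow log record actually contains. The following is an added example, not part of the exam material: it parses the default (version 2) flow log record format, pulls out the flows between the two interfaces named in question 816, and runs a simple outbound-traffic check of the kind question 821 asks for over a handful of constructed records (the account ID, ENI IDs, addresses and timestamps are made up). It also makes the point from the exam trap concrete: the records carry a 5-tuple, counters and an action, never payload bytes.

```python
"""Parse VPC Flow Log records and run simple checks over them (constructed data)."""
import ipaddress

# Default (version 2) record format, space separated, one record per line.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: an app instance (eni-abc123, 10.0.1.20) talking to a
# database (eni-def456, 10.0.2.30) on 3306, one rejected outbound connection,
# one normal HTTPS egress, and a NODATA interval.
SAMPLE_LOG = """\
2 123456789012 eni-abc123 10.0.1.20 10.0.2.30 49152 3306 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-def456 10.0.1.20 10.0.2.30 49152 3306 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-abc123 10.0.2.30 10.0.1.20 3306 49152 6 10 8192 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-abc123 10.0.1.20 198.51.100.7 51000 4444 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-abc123 10.0.1.20 93.184.216.34 51001 443 6 20 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-abc123 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse(text):
    """Return a list of dicts, one per record with flow data.

    NODATA / SKIPDATA records have '-' in the flow fields and are dropped;
    a line with the wrong field count is a format mismatch, not a flow.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def flows_between(records, eni_id, peer_ip):
    """Records logged on eni_id whose other end is peer_ip (either direction).
    Flow logs are per interface, so the peer is identified by address."""
    return [r for r in records
            if r["interface_id"] == eni_id and peer_ip in (r["srcaddr"], r["dstaddr"])]

def bytes_by_action(records):
    """Total bytes per ACCEPT/REJECT decision."""
    totals = {}
    for r in records:
        totals[r["action"]] = totals.get(r["action"], 0) + r["bytes"]
    return totals

def suspicious_egress(records, vpc_cidr, allowed_ports=(80, 443)):
    """Flows leaving the VPC that were rejected or used a non-standard port:
    a first-pass check for the 'log and inspect outbound traffic' requirement."""
    net = ipaddress.ip_network(vpc_cidr)
    hits = []
    for r in records:
        src_inside = ipaddress.ip_address(r["srcaddr"]) in net
        dst_inside = ipaddress.ip_address(r["dstaddr"]) in net
        if src_inside and not dst_inside:
            if r["action"] == "REJECT" or r["dstport"] not in allowed_ports:
                hits.append((r["dstaddr"], r["dstport"], r["action"]))
    return hits

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    app_db = flows_between(recs, "eni-abc123", "10.0.2.30")
    print("app<->db flows on eni-abc123:", len(app_db), bytes_by_action(app_db))
    print("suspicious egress:", suspicious_egress(recs, "10.0.0.0/16"))
```

Only the REJECT to 198.51.100.7:4444 is flagged; the HTTPS flow to a public address on 443 is accepted and on an allowed port. Anything finer than this (payload, TLS details) is where Network Firewall logging or Traffic Mirroring takes over, because the flow log has nothing more to offer.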
