AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 826–900

1705 questions total · 23 pages · All types, answers revealed

Page 12 of 23
826 (MCQ, easy)

A company is designing a multi-VPC architecture in the same region. The VPCs need to communicate with each other using private IP addresses. The company must minimize cost and operational overhead. Which solution should the company use?

A. Set up AWS Site-to-Site VPN connections between each VPC.
B. Use ClassicLink to connect the VPCs.
C. Create VPC peering connections between each pair of VPCs.
D. Create a Transit Gateway and attach all VPCs.

Answer: C

VPC peering is simple, low-cost, and uses private IPs.

Why this answer

Option C is correct because VPC peering connections provide direct, private IP connectivity between VPCs using the AWS global network, with no bandwidth bottlenecks or single points of failure. It is the most cost-effective solution for a small number of VPCs (e.g., fewer than 10) as there are no hourly charges for the peering connection itself—only data transfer costs. This minimizes operational overhead compared to managing VPN tunnels or a Transit Gateway, as peering is a simple, one-to-one relationship that does not require additional appliances or complex routing policies.

Exam trap

The trap here is that candidates often choose Transit Gateway (Option D) because it is a modern, centralized solution, but they overlook the specific constraint of minimizing cost and operational overhead for a small number of VPCs, where VPC peering is simpler and cheaper.

How to eliminate wrong answers

Option A is wrong because AWS Site-to-Site VPN connections require a virtual private gateway on each VPC and incur hourly charges per VPN connection, plus data transfer costs, making it more expensive and operationally complex than VPC peering for intra-region VPC communication. Option B is wrong because ClassicLink is a legacy feature that only allows EC2 instances in the EC2-Classic platform to communicate with VPCs using private IPs; it does not support connecting multiple VPCs together and has been deprecated for most use cases. Option D is wrong because while a Transit Gateway simplifies routing for many VPCs, it incurs an hourly attachment fee per VPC and data transfer costs, which is unnecessary overhead for a small number of VPCs that can be directly peered at lower cost.

827 (MCQ, easy)

A company wants to allow its developers to access Amazon RDS databases from their on-premises network without traversing the public internet. Which solution meets this requirement?

A. Use a NAT gateway in the VPC
B. Create a VPC endpoint for RDS
C. Configure VPC Peering between the on-premises network and the VPC
D. Establish an AWS Site-to-Site VPN connection

Answer: D

A VPN connection securely connects on-premises to the VPC, allowing private access to RDS.

Why this answer

Option D is correct because an AWS Site-to-Site VPN connection creates an encrypted tunnel between on-premises and the VPC, allowing private access to RDS. Option B is wrong because RDS does not have a VPC endpoint. Option A is wrong because NAT gateways are used for outbound traffic to the internet, not inbound.

Option C is wrong because VPC Peering connects VPCs, not on-premises networks.

828 (MCQ, hard)

Refer to the exhibit. A network engineer reviews the NACL entries for a subnet. What is the effect of this NACL on inbound traffic?

A. Only SSH from the internal network and HTTPS from any IP are allowed.
B. All inbound traffic is allowed.
C. Only HTTPS traffic is allowed from any IP.
D. All inbound traffic is denied.

Answer: A

Inbound rules allow SSH from 10.0.0.0/16 and HTTPS from 0.0.0.0/0.

Why this answer

Option A is correct. Inbound rules: Rule 100 allows SSH from 10.0.0.0/16. Rule 200 allows HTTPS from anywhere.

Rule 300 denies all other traffic. So only SSH from 10.0.0.0/16 and HTTPS from anywhere are allowed. Option B is wrong because SSH is not allowed from anywhere.

Option C is wrong because SSH from 10.0.0.0/16 is also allowed. Option D is wrong because the NACL is not fully closed; HTTPS is allowed.

829 (Multi-Select, medium)

A company is designing a network security architecture for a multi-tier application. Which TWO of the following are best practices for implementing defense in depth?

Select 2 answers
A. Use network ACLs as stateful firewalls at the subnet level
B. Use security groups to control traffic between instances
C. Attach internet gateways to all subnets for high availability
D. Place web servers in public subnets and application servers in private subnets
E. Use the same security group for all tiers to simplify management

Answers: B, D

Security groups act as instance-level firewalls.

Why this answer

Option D is correct because placing web servers in public subnets and app servers in private subnets adds a layer of separation. Option B is correct because using security groups as instance-level firewalls provides granular control. Option A is wrong because network ACLs are stateless, not stateful.

Option C is wrong because subnets for tiers that don't need direct internet access should not have an internet gateway. Option E is wrong because using the same security group for all tiers reduces security.

830 (MCQ, hard)

A company is deploying a critical application that requires low latency between EC2 instances in the same AWS region but across multiple Availability Zones. The instances are part of an Auto Scaling group behind a Network Load Balancer. Which network design provides the lowest latency while maintaining high availability?

A. Use a cluster placement group across two Availability Zones.
B. Do not use a placement group; enable Enhanced Networking (ENA) on all instances.
C. Use a spread placement group across two Availability Zones.
D. Use a partition placement group across two Availability Zones.

Answer: B

Placement groups are limited to single AZ for low latency; Enhanced Networking provides low latency across AZs without placement group constraints.

Why this answer

Option B is correct. Cluster placement groups are limited to a single Availability Zone, so a cluster placement group across two AZs is not possible. Partition placement groups are built for large distributed workloads, not for low latency, and spread placement groups increase latency. Because no placement group can deliver low latency across AZs while keeping multi-AZ high availability, the best option is to use no placement group and enable Enhanced Networking (ENA) on all instances; ENA provides low latency regardless of placement.

Options A, C, and D are wrong because each depends on a placement group spanning two AZs, which is either not possible (cluster) or does not reduce latency (spread, partition).

831 (Multi-Select, easy)

A company is designing a hybrid network using AWS Direct Connect. Which TWO of the following are required to establish a private virtual interface (VIF) to a single VPC?

Select 2 answers
A. A Direct Connect Gateway to connect to the VPC.
B. A VLAN ID for the virtual interface.
C. A public IP address for the AWS side of the BGP session.
D. A BGP session with the AWS Direct Connect endpoint using public IPs.
E. A BGP session to exchange routing information.

Answers: B, E

VLAN ID is required to tag traffic.

Why this answer

A private VIF requires a VLAN ID (Option B) and a BGP session (Option E). Option A is optional for a single VPC and is needed for a transit VIF; Options C and D describe public VIF requirements.

832 (MCQ, medium)

A company wants to use AWS Certificate Manager (ACM) to provide a TLS certificate for a website hosted on an ALB. The domain is example.com, and the certificate must be renewed automatically. Which type of certificate should be requested?

A. A private certificate issued by ACM Private CA
B. A self-signed certificate generated with OpenSSL
C. A certificate imported into ACM from a third-party CA
D. A public certificate issued by ACM with DNS validation

Answer: D

ACM handles renewal automatically.

Why this answer

Option D is correct because ACM automatically renews public certificates if DNS validation is used. Option A is wrong because private certificates are not for public websites. Option C is wrong because imported certificates must be manually renewed.

Option B is wrong because self-signed certificates are not trusted by browsers.

833 (Multi-Select, hard)

A company wants to implement a defense-in-depth strategy for a web application hosted on AWS. Which THREE services should they combine to protect against common web attacks and network threats?

Select 3 answers
A. Amazon GuardDuty
B. AWS WAF
C. AWS Shield Advanced
D. AWS Direct Connect
E. AWS Certificate Manager (ACM)

Answers: A, B, C

GuardDuty provides intelligent threat detection by analyzing logs and network traffic.

Why this answer

A defense-in-depth strategy for web applications includes AWS WAF to protect against web exploits, AWS Shield Advanced for DDoS protection, and Amazon GuardDuty for threat detection. Options A, B, and C are correct. Option E (AWS Certificate Manager) is for SSL/TLS certificates, not threat protection.

Option D (AWS Direct Connect) is for dedicated network connectivity, not security.

834 (Multi-Select, hard)

A company is deploying a global application and wants to use AWS Global Accelerator to improve performance. The application runs behind an Application Load Balancer (ALB) in us-east-1. Which THREE components are part of a Global Accelerator deployment?

Select 3 answers
A. Route 53 hosted zones
B. Endpoint groups
C. AWS edge locations
D. Lambda@Edge functions
E. Two static anycast IP addresses

Answers: B, C, E

Endpoint groups define endpoints and traffic distribution.

Why this answer

Options B, C, and E are correct. Option E is correct because Global Accelerator uses two static anycast IP addresses. Option C is correct because it uses AWS edge locations.

Option B is correct because endpoint groups are a core component. Option D is wrong because Lambda@Edge is for CloudFront. Option A is wrong because Route 53 is DNS, not part of Global Accelerator.

835 (MCQ, hard)

Refer to the exhibit. A subnet is created in VPC vpc-abcde but no explicit route table association is set. What is the default route for internet-bound traffic from this subnet?

A. Traffic is dropped because no explicit association is set.
B. Traffic goes through the Internet Gateway.
C. Traffic goes through the NAT Gateway nat-67890.
D. Traffic is dropped because no Internet Gateway is present.

Answer: C

The main route table has a route to the NAT Gateway.

Why this answer

Option C is correct because the subnet inherits the main route table (rtb-12345), which has a route to a NAT Gateway for 0.0.0.0/0. Option A is wrong because a subnet with no explicit association uses the main route table rather than dropping traffic. Option B is wrong because an Internet Gateway is not present.

Option D is wrong because internet-bound traffic follows the NAT Gateway route; the local route only covers VPC-internal traffic.

836 (MCQ, easy)

Refer to the exhibit. An EC2 instance is associated with the IAM role shown. Which action can the EC2 instance perform?

A. Read objects from any S3 bucket.
B. Write objects to any S3 bucket.
C. Delete objects from any S3 bucket.
D. Upload objects to any S3 bucket.

Answer: A

s3:Get* includes GetObject.

Why this answer

Option A is correct. The policy allows s3:Get* and s3:List* actions, which include GetObject. Option B is wrong because PutObject is not allowed.

Option C is wrong because DeleteObject is not allowed. Option D is wrong because no write actions are allowed.

837 (MCQ, medium)

An organization needs to securely connect its on-premises data center to multiple VPCs in different AWS Regions. The on-premises network uses BGP. Which AWS service should be used to simplify routing and provide a single point of attachment for the on-premises router?

A. Direct Connect gateway with a private VIF.
B. AWS Transit Gateway with inter-Region peering attachments.
C. VPC Peering connections between each VPC and the on-premises network.
D. AWS Client VPN endpoint.

Answer: B

Centralized hub with BGP and multi-region support.

Why this answer

Option B is correct because Transit Gateway provides a hub for multi-VPC and on-premises connectivity with BGP support. Option C is wrong because VPC peering is point-to-point, not a hub. Option A is wrong because a Direct Connect gateway doesn't connect multiple Regions natively.

Option D is wrong because Client VPN is for individual users.

838 (MCQ, hard)

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company has a single hosted virtual interface (VIF) with a private VIF to a VPC. The network team notices that traffic from on-premises to AWS is asymmetric—some packets go through the Direct Connect while others use a VPN backup. The team wants all traffic to use Direct Connect when available. What should they do?

A. Disable AS_PATH prepending on the Direct Connect BGP session.
B. Convert the private VIF to a public VIF.
C. Remove the VPN connection to force all traffic through Direct Connect.
D. Advertise more specific prefixes (e.g., /24) over Direct Connect and less specific (e.g., /16) over VPN.

Answer: D

Correct: More specific BGP routes are preferred, so Direct Connect will be used when available.

Why this answer

Option D is correct because BGP route selection prefers more specific prefixes (longest prefix match) over less specific ones. By advertising a more specific prefix (e.g., /24) over Direct Connect and a less specific prefix (e.g., /16) over the VPN, the on-premises router will prefer the Direct Connect path for the more specific route, ensuring all traffic uses Direct Connect when available. This leverages BGP's prefix-length-based path selection without requiring removal of the VPN backup.

Exam trap

The trap here is that candidates often assume AS_PATH prepending or removing the VPN is the solution, but the key is understanding that BGP's longest prefix match overrides all other path selection attributes, making prefix specificity the most reliable way to enforce traffic flow.

How to eliminate wrong answers

Option A is wrong because disabling AS_PATH prepending on the Direct Connect BGP session would make the Direct Connect path appear shorter (lower AS_PATH length), but it does not address the root cause of asymmetric routing if the VPN is advertising a more specific prefix or if the on-premises router is using a different metric. Option B is wrong because converting a private VIF to a public VIF would change the connectivity type from private (VPC access) to public (AWS public services), which is unrelated to fixing asymmetric routing between on-premises and a VPC. Option C is wrong because removing the VPN connection eliminates the backup path entirely, which violates the requirement to have a backup available and does not solve the routing preference issue—it forces traffic through Direct Connect but removes redundancy.
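The longest-prefix-match behaviour behind option D, modelled as an added example (not from the page or from AWS): a small routing table in which 10.0.0.0/24 is learned over Direct Connect and 10.0.0.0/16 over the VPN. The prefixes and AS_PATH values are constructed, and the model compares only prefix length and AS_PATH length.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One BGP-learned route in the on-premises router's table (constructed)."""
    prefix: ipaddress.IPv4Network
    next_hop: str               # "directconnect" or "vpn"
    as_path: Tuple[int, ...]


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route a router would use for one destination address.

    Longest prefix match happens first, before any BGP attribute is compared.
    Only among candidates of equal prefix length does the shorter AS_PATH win
    (other BGP tie-breakers are deliberately left out of this model).
    """
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    longest = max(r.prefix.prefixlen for r in candidates)
    most_specific = [r for r in candidates if r.prefix.prefixlen == longest]
    return min(most_specific, key=lambda r: len(r.as_path))


# Constructed AS_PATH values: the VPN path carries one prepend, so on a pure
# AS_PATH comparison Direct Connect would already be preferred.
DX_AS_PATH = (64512,)
VPN_AS_PATH = (64512, 64512)


def build_table(dx_up: bool = True) -> List[Route]:
    """Table as described in option D: /24 over Direct Connect, /16 over VPN."""
    table = [Route(ipaddress.IPv4Network("10.0.0.0/16"), "vpn", VPN_AS_PATH)]
    if dx_up:  # when Direct Connect is down, its /24 is withdrawn
        table.append(Route(ipaddress.IPv4Network("10.0.0.0/24"), "directconnect", DX_AS_PATH))
    return table


def path_for(destination: str, dx_up: bool = True) -> Optional[str]:
    """Next hop chosen for a destination with Direct Connect up or down."""
    route = select_route(build_table(dx_up), destination)
    return route.next_hop if route else None


def path_with_equal_prefixes(prepend_dx: bool) -> str:
    """Both paths advertise the same /16: only now does AS_PATH length decide,
    which is why prepending (the attribute in option A) is the weaker lever."""
    dx_path = (64512, 64512, 64512) if prepend_dx else DX_AS_PATH
    table = [
        Route(ipaddress.IPv4Network("10.0.0.0/16"), "vpn", VPN_AS_PATH),
        Route(ipaddress.IPv4Network("10.0.0.0/16"), "directconnect", dx_path),
    ]
    return select_route(table, "10.0.5.1").next_hop


if __name__ == "__main__":
    print("10.0.0.5, DX up:  ", path_for("10.0.0.5"))               # directconnect
    print("10.0.0.5, DX down:", path_for("10.0.0.5", dx_up=False))  # vpn
    print("10.0.7.9, DX up:  ", path_for("10.0.7.9"))               # vpn (outside the /24)
```

Only destinations inside the advertised /24 take Direct Connect; anything covered solely by the /16 still goes over the VPN, so every subnet that must prefer Direct Connect needs its own more-specific advertisement.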

839 (MCQ, medium)

A company has deployed a transit gateway with multiple VPC attachments and VPN attachments. The network team notices that traffic between two VPCs is taking an unexpected path and experiencing high latency. Which tool should be used to trace the path and identify the specific transit gateway route table that is being used?

A. AWS CloudTrail
B. Amazon CloudWatch ServiceLens
C. AWS X-Ray
D. VPC Reachability Analyzer

Answer: D

Reachability Analyzer performs path analysis between resources and shows the route table decisions, including transit gateway routes.

Why this answer

VPC Reachability Analyzer performs connectivity and path analysis between sources and destinations, showing the route table decisions. Option D is correct. Options A, B, and C are not designed for path tracing.

840 (MCQ, hard)

A company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates for an Application Load Balancer (ALB). The security team notices that an ACM-issued certificate is about to expire. How can they automate renewal?

A. Set a CloudWatch alarm to send a notification when the certificate is about to expire, then manually renew.
B. Manually remove the certificate from ACM and re-issue a new one.
C. Use AWS Certificate Manager's automatic renewal feature; no additional configuration is required if the certificate was issued by ACM.
D. Configure an AWS Lambda function to monitor certificate expiration and re-issue the certificate.

Answer: C

ACM automatically renews certificates it issued, provided the domain validation records are in place.

Why this answer

ACM automatically renews certificates issued by ACM if the domain is validated with DNS or email. No manual action is needed. Imported certificates must be manually renewed.

Removing and re-adding is not automatic. Lambda is unnecessary.

841 (MCQ, medium)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. They have a central inspection VPC that uses AWS Network Firewall to inspect traffic. The security team wants to ensure that all traffic between VPCs and between VPCs and on-premises is routed through the inspection VPC. They have created a transit gateway route table for each VPC and the Direct Connect/VPN attachments. They have configured the route tables to propagate routes from the inspection VPC's attachment. However, traffic is still bypassing the inspection VPC. What should the security team do to ensure traffic is inspected?

A. Enable route propagation for all attachments in the transit gateway route tables.
B. Create static routes in each VPC's transit gateway route table pointing to the inspection VPC attachment for all destination CIDRs, and remove any routes that point directly to other attachments.
C. Configure network ACLs in the inspection VPC to block traffic that does not come from the transit gateway.
D. Create VPC peering connections between all VPCs and the inspection VPC.

Answer: B

Static routes can force traffic to the inspection VPC.

Why this answer

Option B is correct because to force traffic through the inspection VPC, you must use transit gateway route tables with specific routes pointing to the inspection VPC's attachment, and ensure that no other routes allow direct communication. Option A is wrong because enabling route propagation alone does not force traffic through inspection; the inspection VPC must be the next hop. Option D is wrong because VPC peering bypasses the transit gateway.

Option C is wrong because network ACLs in the inspection VPC do not affect routing in the transit gateway.

842 (MCQ, hard)

A company has a multi-account AWS environment with hundreds of VPCs connected via a transit gateway. The network team needs to centrally monitor network traffic and detect anomalies such as unusual outbound data transfers. Which combination of services would provide the most scalable and cost-effective solution?

A. Use AWS Trusted Advisor to check for unusual traffic patterns
B. Enable VPC Flow Logs in each VPC, publish to CloudWatch Logs, and create cross-account CloudWatch dashboards
C. Use AWS Network Manager to monitor all VPCs and Transit Gateway attachments
D. Enable VPC Flow Logs in each VPC, publish to Amazon S3, and use Amazon Athena to query logs from a central account

Answer: D

S3 is cost-effective for storage and Athena allows querying across accounts.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic metadata at scale, and publishing to Amazon S3 provides a cost-effective, durable storage layer. Using Amazon Athena to query the logs from a central account enables serverless, on-demand analysis across hundreds of VPCs without provisioning servers, making it both scalable and cost-effective for anomaly detection.

Exam trap

The trap here is that candidates assume CloudWatch Logs is the only or best destination for VPC Flow Logs, overlooking the cost and scalability advantages of S3 combined with Athena for large-scale, cross-account analysis.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor checks for AWS service limits, security best practices, and cost optimization, but it does not analyze VPC traffic patterns or detect anomalies in outbound data transfers. Option B is wrong because publishing VPC Flow Logs to CloudWatch Logs incurs ingestion and storage costs that become prohibitively expensive at scale across hundreds of VPCs, and cross-account CloudWatch dashboards do not provide a queryable interface for ad-hoc anomaly detection. Option C is wrong because AWS Network Manager provides a global view of transit gateway networks and topology, but it does not perform deep packet inspection or traffic anomaly detection; it lacks the query and analysis capabilities needed to identify unusual outbound data transfers.

843 (MCQ, medium)

A company is implementing a network architecture for a critical application that requires ultra-low latency between two Amazon EC2 instances. The instances are launched in two different Availability Zones within the same AWS Region. The network engineer needs to ensure that traffic between the instances uses the lowest latency path possible. The instances are placed in a cluster placement group. The application uses TCP. The engineer has configured the security groups to allow all traffic between the instances. However, latency is higher than expected. What should the engineer do to reduce latency?

A. Configure the instances to use their private IP addresses instead of public IPs for communication.
B. Enable Elastic Network Adapter (ENA) and enhanced networking on both instances.
C. Move the instances to the same subnet within the same Availability Zone.
D. Set up a VPC peering connection between the subnets in the two Availability Zones.

Answer: B

ENA reduces latency by offloading network processing.

Why this answer

Option B is correct because Elastic Network Adapter (ENA) with enhanced networking provides lower latency and higher throughput. Option C is incorrect because the instances are already in a cluster placement group. Option A is incorrect because using private IP addresses keeps traffic within the AWS network, but ENA is more impactful.

Option D is incorrect because VPC peering does not help; the instances are in the same VPC.

844 (Multi-Select, hard)

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network engineer needs to ensure that traffic between VPC A and VPC B follows a specific path through a Network Virtual Appliance (NVA) in VPC C. Which TWO actions should the engineer take?

Select 2 answers
A. Associate VPC A's and VPC B's route tables with a different Transit Gateway route table that has a default route pointing to the VPC C attachment.
B. Add a static route in the Transit Gateway route table for VPC A's CIDR pointing to the VPC B attachment with a blackhole.
C. Enable route propagation for VPC A and VPC B attachments in the same Transit Gateway route table.
D. Add a specific route for VPC B's CIDR in the Transit Gateway route table used by VPC A, pointing to the VPC C attachment.
E. Create a VPC peering connection between VPC A and VPC B.

Answers: B, D

This prevents VPC A from directly reaching VPC B via the Transit Gateway.

Why this answer

Option B is correct because adding a static route in the Transit Gateway route table for VPC A's CIDR pointing to the VPC B attachment with a blackhole forces traffic destined to VPC B to be dropped at the Transit Gateway, preventing direct routing. Option D is correct because adding a specific route for VPC B's CIDR in the Transit Gateway route table used by VPC A, pointing to the VPC C attachment, ensures traffic from VPC A to VPC B is forwarded through the NVA in VPC C, enforcing the desired inspection path.

Exam trap

The trap here is that candidates often think enabling route propagation (Option C) is sufficient for traffic inspection, but it actually allows direct routing between VPCs, bypassing the NVA, unless specific static routes are added to override the propagated routes.
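How a transit gateway route table resolves the overlapping routes that questions 841 and 844 turn on, as an added model that is not AWS code: the most specific prefix wins first, and for the same CIDR a static route takes precedence over a propagated one. The attachment IDs and CIDRs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TgwRoute:
    """One entry in a transit gateway route table (constructed model)."""
    cidr: ipaddress.IPv4Network
    attachment: Optional[str]   # None models a blackhole route
    static: bool                # False means the route was propagated


def lookup(route_table: List[TgwRoute], destination: str) -> str:
    """Return the attachment a packet is forwarded to, 'blackhole', or 'no-route'.

    Order modelled here: most specific prefix first; among routes with the
    same prefix length, a static route takes precedence over a propagated one.
    """
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in route_table if addr in r.cidr]
    if not matches:
        return "no-route"
    longest = max(r.cidr.prefixlen for r in matches)
    tied = [r for r in matches if r.cidr.prefixlen == longest]
    chosen = sorted(tied, key=lambda r: not r.static)[0]   # static sorts first
    return "blackhole" if chosen.attachment is None else chosen.attachment


# Constructed attachment IDs and CIDRs.
VPC_B_ATTACH = "tgw-attach-vpc-b"
INSPECTION_ATTACH = "tgw-attach-vpc-c"
VPC_B_CIDR = ipaddress.IPv4Network("10.2.0.0/16")
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")


def propagated_only() -> List[TgwRoute]:
    """VPC A's table with only the propagated route to VPC B: traffic goes
    straight to VPC B and bypasses the NVA (the symptom in question 841)."""
    return [TgwRoute(VPC_B_CIDR, VPC_B_ATTACH, static=False)]


def with_specific_static_route() -> List[TgwRoute]:
    """Question 844, option D: a static route for VPC B's CIDR towards the
    inspection attachment overrides the propagated route for the same CIDR."""
    return [TgwRoute(VPC_B_CIDR, VPC_B_ATTACH, static=False),
            TgwRoute(VPC_B_CIDR, INSPECTION_ATTACH, static=True)]


def with_default_route_only() -> List[TgwRoute]:
    """Question 844, option A: a default route to the inspection attachment
    loses to the more specific propagated /16 while that propagation remains."""
    return [TgwRoute(VPC_B_CIDR, VPC_B_ATTACH, static=False),
            TgwRoute(DEFAULT, INSPECTION_ATTACH, static=True)]


def with_blackhole() -> List[TgwRoute]:
    """A static blackhole for VPC B's CIDR drops the traffic at the transit gateway."""
    return [TgwRoute(VPC_B_CIDR, VPC_B_ATTACH, static=False),
            TgwRoute(VPC_B_CIDR, None, static=True)]


if __name__ == "__main__":
    for name, table in [("propagated only", propagated_only()),
                        ("specific static route", with_specific_static_route()),
                        ("default route only", with_default_route_only()),
                        ("blackhole", with_blackhole())]:
        print(f"{name:>22}: 10.2.5.1 -> {lookup(table, '10.2.5.1')}")
```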

845 (MCQ, easy)

A company has a requirement to encrypt all data in transit between its on-premises network and AWS over a VPN connection. Which solution provides encryption in transit?

A. AWS Site-to-Site VPN
B. AWS Transit Gateway
C. VPC Peering
D. AWS Direct Connect

Answer: A

Uses IPsec to encrypt traffic between on-premises and AWS.

Why this answer

Option A is correct because AWS Site-to-Site VPN uses IPsec tunnels to encrypt data in transit. Option D is wrong because Direct Connect does not natively encrypt traffic; encryption must be added at the application layer. Option C is wrong because VPC Peering does not encrypt traffic.

Option B is wrong because Transit Gateway alone does not provide encryption.

846 (MCQ, medium)

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic is intermittently dropping and the BGP session between the on-premises router and the AWS Direct Connect virtual interface goes down. Which configuration should be checked first to resolve this issue?

A. Ensure the BGP hold timer values are consistent on both ends
B. Increase the BGP keepalive timer on the on-premises router to 90 seconds
C. Disable BGP authentication on the virtual interface
D. Enable BGP MD5 authentication on the on-premises router

Answer: A

Mismatched hold timers cause session drops.

Why this answer

A BGP hold timer mismatch can cause session flapping. Option A is correct because setting the hold timer to a consistent value (e.g., 30 seconds) on both sides stabilizes the session. Option B is wrong because increasing the BGP timers may mask the issue but doesn't address the root cause.

Option C is wrong because AWS allows BGP authentication. Option D is wrong because MD5 authentication is supported.

847 (MCQ, medium)

An engineer is reviewing VPC Flow Logs for connectivity issues between two EC2 instances (10.0.1.5 and 10.0.2.10) on TCP port 443. The first log entry shows ACCEPT, the second shows REJECT. What is the most likely cause of the REJECT?

A. The destination instance has an incorrect network interface configuration.
B. The network ACL is blocking the traffic due to an incorrect inbound rule.
C. The route table for the subnet does not have a route to the destination.
D. A security group rule is blocking the return traffic.

Answer: D

Security groups are stateful and if the return traffic does not match the allowed outbound rule, it can be rejected.

Why this answer

Option D is correct because the REJECT indicates that the packet was dropped by a security group or NACL. Since the first packet was accepted, a stateful security group might be blocking the return traffic if the session is not tracked. Option C is incorrect because a REJECT is not caused by routing.

Option B is incorrect because the log shows the traffic as OK. Option A is incorrect because Flow Logs do not indicate interface issues.
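The flow-log analysis behind question 842 and the ACCEPT-then-REJECT reading in question 847, as an added example that is not from the page: a parser for default-format VPC Flow Log records, an aggregation of accepted outbound bytes per internal source, and a per-flow action listing. The log lines, the VPC CIDR, and the Athena table name are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed VPC CIDR; any address outside it counts as an external destination.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample records: a port-443 flow between 10.0.1.5 and 10.0.2.10 whose
# return direction is rejected, one large upload to an external host, one small
# upload, and a NODATA record that carries no addresses at all.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.10 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.1.5 443 49152 6 1 60 1700000001 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.9 51000 443 6 5000 7340032 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0d4e5f6a 10.0.3.7 198.51.100.4 52000 443 6 12 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0d4e5f6a - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    byte_count: int
    start: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format line; NODATA/SKIPDATA records have '-' fields and are skipped."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                      int(rec["bytes"]), int(rec["start"]), rec["action"])


def parse_log(text: str) -> List[FlowRecord]:
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in VPC_CIDR


def outbound_bytes_by_source(records: List[FlowRecord]) -> Dict[str, int]:
    """Accepted bytes sent from inside the VPC to destinations outside it, per source."""
    totals: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.action == "ACCEPT" and is_internal(r.srcaddr) and not is_internal(r.dstaddr):
            totals[r.srcaddr] += r.byte_count
    return dict(totals)


def flag_unusual_outbound(records: List[FlowRecord], threshold_bytes: int) -> List[Tuple[str, int]]:
    """Sources whose external outbound volume exceeds the threshold (question 842), largest first."""
    totals = outbound_bytes_by_source(records)
    return sorted(((src, b) for src, b in totals.items() if b > threshold_bytes),
                  key=lambda item: -item[1])


def flow_actions(records: List[FlowRecord], host_a: str, host_b: str,
                 port: int) -> List[Tuple[str, str, str]]:
    """Time-ordered (src, dst, action) for one flow, to spot an ACCEPT followed by a REJECT (question 847)."""
    hosts = {host_a, host_b}
    return [(r.srcaddr, r.dstaddr, r.action)
            for r in sorted(records, key=lambda r: r.start)
            if {r.srcaddr, r.dstaddr} == hosts and port in (r.srcport, r.dstport)]


# Assumed Athena table name (vpc_flow_logs) with the default flow-log columns:
# the same aggregation as outbound_bytes_by_source, for logs delivered to S3.
ATHENA_QUERY = """
SELECT srcaddr, SUM(bytes) AS outbound_bytes
FROM vpc_flow_logs
WHERE action = 'ACCEPT' AND log_status = 'OK'
  AND srcaddr LIKE '10.0.%' AND dstaddr NOT LIKE '10.0.%'
GROUP BY srcaddr
HAVING SUM(bytes) > 1000000
ORDER BY outbound_bytes DESC
"""
```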

848 (MCQ, hard)

A company is migrating a legacy application to AWS. The application requires that all network traffic between two VPCs be inspected by a third-party firewall appliance. The firewall must be able to inspect traffic bidirectionally and automatically fail over if the appliance becomes unhealthy. Which architecture meets these requirements?

A. Use AWS Transit Gateway with a Network Load Balancer in front of multiple firewall appliances
B. Use VPC Peering between the two VPCs and route traffic through a firewall instance in one of the VPCs
C. Deploy a single firewall instance in a shared VPC and route all inter-VPC traffic through it
D. Use AWS PrivateLink to connect the VPCs and place the firewall in the consumer VPC

Answer: A

Transit Gateway enables centralized routing, and NLB provides health checks and failover.

Why this answer

Option A is correct because Transit Gateway with a Network Load Balancer for firewall appliances supports asymmetric routing and health checks for failover. Option B is wrong because VPC Peering does not support central inspection without additional routing. Option C is wrong because a single instance is a single point of failure.

Option D is wrong because an ALB at Layer 7 is not suitable for all traffic types (e.g., non-HTTP).

849 (MCQ, medium)

A network engineer is troubleshooting connectivity between two VPCs that are peered. The VPC peering connection is active, and the route tables have appropriate routes. However, instances in VPC A cannot reach instances in VPC B. The security groups in both VPCs allow all traffic. What is the most likely issue?

A. The security groups are not allowing ICMP traffic
B. The route tables in both VPCs do not have routes pointing to the peering connection for the other VPC's CIDR
C. The VPC peering connection is not in the 'active' state
D. The instances are in different availability zones

Answer: B

Without these routes, traffic cannot traverse the peering connection.

Why this answer

VPC peering does not support transitive routing; if an intermediate resource (such as a VPN or another VPC) is involved, it won't work, but the question doesn't mention that. Another common issue is that VPC peering requires the route tables of both VPCs to have routes to each other's CIDR, and that security groups reference each other's CIDR or security group IDs.

Since the security groups allow all traffic, and VPC peering works both within and across Regions as long as the route table entries are present, the most likely issue is that the route tables are missing the necessary routes.

Option B is correct.

850 (MCQ, medium)

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. The Client VPN endpoint is associated with a single subnet in the VPC, and the authorization rules allow access to the entire VPC CIDR (10.0.0.0/16). The security group assigned to the Client VPN endpoint allows all traffic. What is the most likely cause of this issue?

A. The security group assigned to the Client VPN endpoint does not allow inbound traffic from the client CIDR.
B. The route table associated with the Client VPN subnet does not have a route for the client IP range.
C. The authorization rule is too broad and is blocking traffic.
D. The Client VPN endpoint does not have a security group association group configured.

Answer: B

Without a return route, traffic from instances cannot reach the VPN clients.

Why this answer

The Client VPN endpoint is associated with a single subnet in the VPC. For traffic from the VPN clients to reach resources in the VPC, the route table of that subnet must include a route pointing the client IP range back to the VPN endpoint's network interface. Without this route, the subnet has no path to forward return traffic to the clients, even though the clients can establish the VPN tunnel.

Option B correctly identifies this missing route as the root cause.

Exam trap

AWS often tests the misconception that security groups or authorization rules are the primary cause of connectivity issues after a successful VPN connection, when in reality the missing route in the subnet's route table is the most common culprit for one-way traffic failures in AWS Client VPN.

How to eliminate wrong answers

Option A is wrong because the security group assigned to the Client VPN endpoint controls traffic entering or leaving the endpoint itself, not inbound traffic from the client CIDR; the security group already allows all traffic, so this is not the issue. Option C is wrong because an authorization rule that is too broad (allowing the entire VPC CIDR) would permit traffic, not block it; authorization rules are permissive, not restrictive. Option D is wrong because a 'security group association group' is not a valid AWS Client VPN configuration; the endpoint uses a single security group, and the absence of such a group does not cause connectivity failures.

851
MCQeasy

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. What is the effect of the policy?

A.All requests are denied
B.Only HTTPS requests are allowed, and HTTP requests are denied
C.Only HTTP requests are allowed
D.All requests are allowed
AnswerB

The Deny blocks requests that do not use HTTPS; HTTPS requests are unaffected by the policy.

Why this answer

This policy denies all S3 actions on the bucket when the request is not made over HTTPS (the aws:SecureTransport condition key is false). Option A is wrong because only non-HTTPS requests are denied, not all requests. Option C is wrong because the policy denies HTTP, not HTTPS. Option D is wrong because HTTP requests are denied, so not all requests are allowed.

852
MCQmedium

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket contains sensitive data that should only be accessible from the corporate network (192.0.2.0/24). What is a potential security issue with this policy?

A.The condition should be applied to the Principal element
B.The Resource ARN is missing the bucket name
C.The policy does not require authentication; anonymous access is allowed from the specified IP range
D.The IP address range is not specific enough
AnswerC

The Principal is "*", which includes anonymous users.

Why this answer

Option C is correct because Principal: "*" matches every requester, including anonymous (unauthenticated) ones, so the source IP condition is the only control on access. Unauthenticated requests from the allowed IP range will also be allowed if the bucket is public. Option A is wrong because conditions such as the IP check belong in the Condition element, not the Principal element; the IP condition is placed correctly. Option B is wrong because the resource ARN is correct. Option D is wrong because the IP condition is correct; the range is the corporate network named in the requirement.

853
MCQhard

A company has a VPC (10.0.0.0/16) with two subnets: public (10.0.1.0/24) and private (10.0.2.0/24). They have an Application Load Balancer (ALB) in the public subnet that distributes traffic to EC2 instances in the private subnet. The ALB is internet-facing and has a security group that allows inbound HTTP/S from 0.0.0.0/0. The EC2 instances have a security group that allows inbound HTTP from the ALB's security group. Users report that they can access the application, but the application is slow and sometimes times out. The network engineer checks CloudWatch metrics and sees that the ALB's target response time is high. The engineer suspects that the EC2 instances are overwhelmed. Which action should the engineer take to improve performance?

A.Add a NAT gateway in the public subnet to reduce latency.
B.Replace the ALB with a Network Load Balancer to reduce overhead.
C.Increase the size of the EC2 instances in the private subnet.
D.Add EC2 instances in another Availability Zone and register them with the ALB.
AnswerD

Distributing load across AZs improves performance and availability.

Why this answer

Option D is correct because adding instances in another Availability Zone increases capacity and fault tolerance. Option C is incorrect because increasing instance size may help but is not the best practice for high availability. Option A is incorrect because a NAT gateway is for outbound internet access. Option B is incorrect because an NLB does not offload processing from the instances.

854
MCQhard

A company has a multi-account AWS Organizations setup with hundreds of VPCs across multiple regions. The network team needs to centralize outbound internet traffic through a set of inspection VPCs for security monitoring. Which solution is MOST scalable and cost-effective?

A.Use a Network Load Balancer in each VPC to distribute traffic to inspection appliances.
B.Create a Transit Gateway with a central inspection VPC that has a NAT Gateway and route all VPCs to the inspection VPC for egress.
C.Deploy a NAT Gateway in each VPC and route traffic directly to the internet.
D.Set up VPC peering between all VPCs and route traffic through a single VPC with an Internet Gateway.
AnswerB

Scalable, centralized, and cost-effective.

Why this answer

Option B is correct because AWS Transit Gateway with a central inspection VPC attachment allows routing all egress traffic through the inspection VPC, and a single NAT Gateway per AZ in the inspection VPC is scalable and cost-effective. Option C is wrong because a NAT Gateway in each VPC is not centralized. Option A is wrong because a Network Load Balancer is not designed for internet egress. Option D is wrong because VPC peering does not scale to hundreds of VPCs and lacks transitive routing.

855
MCQeasy

A company has a VPC with multiple subnets. They want to centrally manage and inspect all traffic between subnets using a security appliance. Which AWS service should be used to achieve this?

A.VPC peering
B.AWS Route 53 Resolver
C.AWS Network Firewall
D.Transit Gateway with a security appliance in a central VPC
AnswerD

Allows centralized inspection.

Why this answer

Option D is correct because Transit Gateway with a middlebox appliance (e.g., a firewall) in a shared services VPC allows traffic inspection. Option A is wrong because VPC peering is point-to-point and not centralized. Option C is wrong because, although AWS Network Firewall can perform the inspection, Transit Gateway provides the architecture for centralizing it. Option B is wrong because Route 53 Resolver is a DNS service.

856
Multi-Selecteasy

A company has an AWS Transit Gateway with multiple VPC attachments. They need to inspect traffic between VPCs using a third-party firewall appliance. Which THREE steps are necessary?

Select 3 answers
A.Create a VPC peering connection between the VPCs to allow traffic flow
B.Deploy a Gateway Load Balancer (GWLB) in the firewall VPC and register the firewall instances as targets
C.Configure Transit Gateway route tables to route traffic between VPCs through the firewall VPC
D.Configure a NAT Gateway in each VPC to route traffic through the firewall
E.Attach a VPC containing the firewall appliance to the Transit Gateway
AnswersB, C, E

GWLB integrates with Transit Gateway and transparently routes traffic to the firewall instances.

Why this answer

To inspect traffic, the firewall must be placed in the path. Transit Gateway supports routing to a network appliance in a VPC. The firewall VPC must be attached to the Transit Gateway.

Route tables in the Transit Gateway must be configured to direct traffic to the firewall VPC. A Gateway Load Balancer (GWLB) is the modern way to deploy firewall appliances transparently. A simple VPC peering bypasses Transit Gateway.

NAT Gateway is for outbound internet traffic, not for east-west inspection.

857
MCQhard

A company has a Direct Connect connection to AWS. They want to encrypt all traffic between their on-premises network and their VPC. Which solution meets this requirement?

A.Use MACsec on the Direct Connect connection.
B.Set up a VPN connection over the Direct Connect link using IPsec.
C.Enable encryption on the Direct Connect virtual interface.
D.Use TLS for all traffic between on-premises and AWS.
AnswerB

IPsec VPN over Direct Connect encrypts all traffic between the customer gateway and the VPC.

Why this answer

Option B is correct because Direct Connect does not encrypt traffic by itself; to encrypt all traffic between on-premises and the VPC, you run an IPsec VPN (AWS Site-to-Site VPN) over the Direct Connect link. Option A is wrong because MACsec encrypts only the physical Direct Connect link, not the whole path to the VPC. Option C is wrong because there is no encryption setting on a Direct Connect virtual interface. Option D is wrong because TLS works at the application layer and does not cover all traffic.

858
MCQhard

An IAM policy is applied to a user. The user reports that they cannot run 'aws ec2 describe-instances --region eu-west-1' but can run the same command in us-east-1. What is the most likely reason?

A.The policy only applies to resources in us-east-1, so other regions are implicitly denied.
B.The policy condition uses StringEquals, which only allows requests from us-east-1.
C.The policy denies ec2:Describe* when the region is not us-east-1.
D.The policy allows ec2:Describe* in all regions, but the user lacks permissions in eu-west-1.
AnswerC

The condition denies requests to regions other than us-east-1.

Why this answer

Option C is correct because the condition 'StringNotEquals' with 'aws:RequestedRegion' denies the action if the region is not us-east-1. Option A is wrong because the policy explicitly denies ec2:Describe* actions. Option B is wrong because the condition is StringNotEquals, not StringEquals.

Option D is wrong because the policy does not specify resource-level conditions.

859
MCQmedium

A company has an Amazon RDS for MySQL database in a private subnet. The database should only be accessible from a specific fleet of EC2 instances in the same VPC. Which combination of security controls should be used to meet this requirement?

A.Use a network ACL on the private subnet that allows MySQL traffic from the EC2 instances' IP addresses.
B.Set up a VPN connection between the EC2 instances and the RDS instance.
C.Use a security group for the RDS instance that allows inbound MySQL traffic from the security group of the EC2 instances.
D.Enable IAM database authentication for the RDS instance and require EC2 instances to use IAM credentials.
AnswerC

Security group rules can reference other security groups, providing instance-level access control.

Why this answer

Option C is correct because a security group on the RDS instance that allows inbound MySQL traffic from the security group of the EC2 instances restricts access to only those instances. Option A is wrong because network ACLs are stateless and less granular. Option D is wrong because IAM database authentication controls user authentication, not network access. Option B is wrong because a VPN connection is not needed for in-VPC access.

860
MCQeasy

A small company has a single VPC with one public subnet and one private subnet. They have a web server in the public subnet and a database server in the private subnet. The web server needs to access the database server on port 3306 (MySQL). The network engineer has configured the security group for the database server to allow inbound TCP port 3306 from the security group of the web server. However, the web server cannot connect to the database server. The network ACL for the private subnet is the default (allows all inbound and outbound). The web server can ping the database server's private IP. What is the MOST likely cause of the connection failure?

A.The web server cannot reach the private IP of the database server because it is in a different subnet
B.The network ACL for the private subnet is blocking inbound traffic on port 3306
C.The security group for the database server is not allowing inbound traffic from the web server's security group
D.The MySQL service on the database server is not running or not listening on port 3306
AnswerD

Correct; the application layer is the most likely issue.

Why this answer

Option D is correct. The security group for the database server allows inbound traffic from the web server's security group, which is correct, and security groups are stateful, so the return traffic is automatically allowed. Since ping works, the network layer is fine; the issue is most likely that the MySQL service is not running or is not listening on port 3306. Option B is incorrect because the network ACL is the default, which allows all traffic. Option C is incorrect because the security group rule is correct. Option A is incorrect because the web server is in the same VPC, so it can reach the private IP in another subnet.

861
MCQeasy

A company is deploying a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application must be accessible from the internet. Which component must be attached to the VPC to allow internet traffic to reach the ALB?

A.NAT gateway
B.Virtual private gateway
C.Internet gateway
D.Transit gateway
AnswerC

An internet gateway is required for internet traffic to reach resources in a VPC.

Why this answer

Option C is correct. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between the VPC and the internet. It is required for internet-facing load balancers. Option A is incorrect because a NAT gateway is for outbound-only traffic from private subnets. Option B is incorrect because a virtual private gateway is for VPN connections. Option D is incorrect because a transit gateway is for connecting multiple VPCs and on-premises networks.

862
MCQeasy

A company wants to provide internet access to instances in a public subnet. Which component must be attached to the VPC and have a route to it in the subnet's route table?

A.Transit Gateway
B.Virtual Private Gateway
C.NAT Gateway
D.Internet Gateway
AnswerD

Internet Gateway enables internet access for public subnets.

Why this answer

Internet Gateway must be attached to the VPC and a default route pointing to it is needed for internet access.

863
MCQeasy

A network engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. Which AWS service should be used?

A.AWS CloudTrail.
B.Amazon CloudWatch Metrics.
C.VPC Flow Logs.
D.AWS Config.
AnswerC

Flow Logs capture network traffic metadata.

Why this answer

Option C is correct because VPC Flow Logs capture IP traffic metadata for network interfaces and can be used to analyze traffic between instances. Option A is wrong because CloudTrail logs API calls. Option D is wrong because AWS Config monitors resource configuration. Option B is wrong because CloudWatch Metrics provide performance metrics, not per-flow details.

864
Multi-Selecteasy

A company is deploying a web application on EC2 instances behind an Application Load Balancer. The security team needs to protect the application from common web exploits like SQL injection and cross-site scripting. Which TWO AWS services should be used together?

Select 2 answers
A.AWS Shield Advanced
B.AWS WAF
C.AWS Network Firewall
D.Amazon GuardDuty
E.AWS Firewall Manager
AnswersA, B

WAF filters web exploits; Shield Advanced adds DDoS protection.

Why this answer

Options A and B are correct. Option B: AWS WAF integrates with the ALB to filter web requests for SQL injection and cross-site scripting. Option A: AWS Shield Advanced provides enhanced DDoS protection. Option C is wrong because AWS Network Firewall works at the network layer, not the web application layer. Option D is wrong because Amazon GuardDuty is for threat detection, not prevention. Option E is wrong because AWS Firewall Manager is for central management, not direct protection.

865
Multi-Selectmedium

A company is designing a network architecture for a critical application that requires high availability across multiple AWS regions. The application uses an Application Load Balancer (ALB) in each region. Which TWO services can provide global routing and failover between the two ALBs?

Select 2 answers
A.Amazon Route 53 with failover routing and health checks
B.AWS WAF
C.Network Load Balancer (NLB)
D.Amazon CloudFront
E.AWS Global Accelerator
AnswersA, E

Route 53 can route traffic to the primary region and failover to the secondary based on health checks.

Why this answer

Options A and E are correct. Amazon Route 53 with failover routing and health checks can route DNS queries to healthy endpoints across regions. AWS Global Accelerator provides static anycast IPs and routes traffic to healthy regional endpoints. Option D is wrong because CloudFront is a CDN and does not provide failover routing between ALBs. Option C is wrong because a Network Load Balancer is regional. Option B is wrong because AWS WAF is a web application firewall.

866
Multi-Selecteasy

Which TWO statements about AWS Key Management Service (KMS) are correct? (Choose two.)

Select 2 answers
A.Customer master keys (CMKs) can be automatically rotated every year.
B.KMS uses symmetric encryption only.
C.KMS can store encrypted data.
D.KMS is a regional service.
E.You cannot import your own key material into KMS.
AnswersA, D

AWS KMS can automatically rotate CMKs annually.

Why this answer

Options A and D are correct. Customer master keys (CMKs) can be automatically rotated yearly (A). KMS is a regional service (D). Option C is wrong because KMS does not store data; it encrypts data keys. Option B is wrong because KMS is not limited to symmetric keys; it also supports asymmetric keys. Option E is wrong because you can import your own key material.

867
MCQmedium

A company has a VPC with resources that need to access an S3 bucket in the same region. To minimize latency and avoid internet traffic, which configuration should be used?

A.Use a NAT Gateway in a public subnet and route traffic through it
B.Create a VPC Gateway Endpoint for S3
C.Use VPC peering to connect to an S3 bucket
D.Create a VPC Interface Endpoint for S3
AnswerB

Provides private, low-latency access.

Why this answer

Option B is correct because a VPC Gateway Endpoint for S3 provides private connectivity to S3 without traversing the internet. Option A is wrong because a NAT Gateway routes traffic to the internet. Option D is wrong because the gateway endpoint, not an interface endpoint, is the standard way to reach S3 privately from the same region. Option C is wrong because VPC peering connects VPCs and does not provide S3 access.

868
MCQmedium

A company is migrating a legacy application that requires static IP addresses for its clients' firewall whitelisting. The application will be hosted on EC2 instances behind a Network Load Balancer (NLB) in a private subnet. Which approach should the company use to provide static IP addresses for outbound traffic?

A.Assign Elastic IPs to the EC2 instances
B.Use an internet-facing NLB with Elastic IPs
C.Use a VPC endpoint for the application
D.Deploy a NAT Gateway in a public subnet with an Elastic IP
AnswerD

NAT Gateway with an Elastic IP provides a static source IP for outbound traffic from private subnets.

Why this answer

Option D is correct because a NAT Gateway in a public subnet with an Elastic IP gives private instances a static source IP for outbound traffic. Option A is wrong because Elastic IPs on the instances address inbound traffic, not outbound traffic from a private subnet. Option B is wrong because an internet-facing NLB with Elastic IPs provides static IPs for inbound traffic, not outbound. Option C is wrong because a VPC endpoint would not provide static public IPs.

869
MCQhard

A company has a VPC with a CIDR block of 10.0.0.0/16. They need to add a new CIDR block 10.1.0.0/16 to accommodate more subnets. The VPC already has multiple subnets and route tables. What is the impact of adding this secondary CIDR?

A.The secondary CIDR will be automatically advertised to all route tables.
B.Existing subnets and route tables remain unchanged; new subnets can be created in the new CIDR.
C.The VPC will experience a brief outage while the new CIDR is being associated.
D.Existing subnets will automatically be extended to include IPs from the new CIDR.
AnswerB

Secondary CIDRs do not affect existing resources.

Why this answer

Adding a secondary CIDR block to an existing VPC is a non-disruptive operation. The existing subnets and route tables remain completely unchanged because the secondary CIDR is an additional IP address space, not a modification of the existing one. New subnets can be created within the new CIDR block, and you must explicitly associate them with route tables as needed.

Exam trap

AWS often tests the misconception that adding a secondary CIDR automatically propagates to route tables or extends existing subnets, when in fact it requires manual route table updates and new subnet creation.

How to eliminate wrong answers

Option A is wrong because secondary CIDRs are not automatically advertised to route tables; you must explicitly add routes for the new CIDR to each route table where it is needed. Option C is wrong because adding a secondary CIDR does not cause any outage or disruption to the VPC or its existing resources. Option D is wrong because existing subnets are not automatically extended; they are tied to their original CIDR block, and new subnets must be created in the new CIDR range.

870
MCQeasy

A company needs to resolve DNS names for their EC2 instances using custom domain names like "app.example.com". Which AWS service should they use?

A.AWS Cloud Map
B.AWS Directory Service
C.Amazon Route 53
D.Amazon Cognito
AnswerC

Managed DNS service.

Why this answer

Amazon Route 53 is a scalable DNS web service that can resolve custom domain names like 'app.example.com' to EC2 instance IP addresses. It supports private hosted zones for VPCs, enabling DNS resolution for internal resources without exposing them to the internet, and integrates with EC2 via alias records or health checks.

Exam trap

The trap here is that candidates confuse AWS Cloud Map's service discovery capabilities with DNS resolution, but Cloud Map is designed for dynamic service endpoints (e.g., ECS tasks) and does not natively resolve arbitrary custom domain names like 'app.example.com' without Route 53.

How to eliminate wrong answers

Option A is wrong because AWS Cloud Map is a service for service discovery that manages dynamic resource mappings (e.g., for microservices), not a DNS resolver for custom domain names; it relies on Route 53 for DNS resolution. Option B is wrong because AWS Directory Service provides managed Microsoft Active Directory or LDAP-based directory services for authentication and authorization, not DNS resolution for custom domain names. Option D is wrong because Amazon Cognito is an identity and access management service for user sign-up, sign-in, and federation, not a DNS service.

871
MCQeasy

A company needs to audit all changes to security groups in their AWS account. Which AWS service should they use?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch Logs
D.VPC Flow Logs
AnswerB

CloudTrail records all API calls, including security group modifications.

Why this answer

Option B is correct because AWS CloudTrail records API calls, including changes to security groups. Option A is wrong because AWS Config records resource configuration changes but is not primarily for auditing API calls. Option D is wrong because VPC Flow Logs capture network traffic, not API calls. Option C is wrong because CloudWatch Logs stores logs but does not capture API calls by default.

872
MCQeasy

A company wants to use Amazon Route 53 to resolve DNS queries for a domain they own. They want to ensure that DNS queries are answered quickly and that there is no single point of failure. Which configuration should they use?

A.Deploy Route 53 in multiple AWS Regions.
B.Create a hosted zone and let Route 53 automatically handle the DNS resolution.
C.Create multiple hosted zones in separate AWS accounts.
D.Create a single hosted zone and assign it to one Route 53 name server.
AnswerB

Route 53 is inherently highly available.

Why this answer

Option B is correct because when you create a hosted zone in Route 53, AWS automatically provisions four authoritative name servers (NS records) distributed across multiple globally redundant data centers. This design inherently provides high availability and low-latency DNS resolution without any additional configuration, as Route 53 uses Anycast routing to direct queries to the nearest healthy name server.

Exam trap

The trap here is that candidates may think Route 53 is a regional service like EC2 or RDS, leading them to choose Option A, or they may mistakenly believe that creating multiple hosted zones or accounts increases redundancy, when in fact a single hosted zone with its four automatically assigned name servers already provides full fault tolerance and low latency.

How to eliminate wrong answers

Option A is wrong because Route 53 is a global service, not a regional one; deploying it in multiple AWS Regions is not possible or necessary, as the service already operates from multiple edge locations worldwide via Anycast. Option C is wrong because creating multiple hosted zones in separate AWS accounts does not improve DNS resolution speed or fault tolerance; it only adds administrative complexity and potential synchronization issues, as each hosted zone would be authoritative for the same domain, causing conflicts. Option D is wrong because a single hosted zone is automatically assigned to four Route 53 name servers, not one; assigning it to a single name server would create a single point of failure and violate DNS best practices (RFC 1034/1035 require multiple authoritative servers).

873
Multi-Selecthard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. The network engineer needs to add an IPv6 CIDR block to the VPC and ensure that EC2 instances can communicate over IPv6. Which THREE steps are necessary to achieve this?

Select 3 answers
A.Update security group rules to allow IPv6 traffic.
B.Add a route in the subnet route table for ::/0 to an egress-only internet gateway.
C.Configure a NAT64 gateway for IPv6 to IPv4 translation.
D.Associate an Amazon-provided IPv6 CIDR block with the VPC.
E.Assign IPv6 addresses to the subnets and enable auto-assign IPv6 address.
AnswersB, D, E

Egress-only IGW allows outbound IPv6 traffic.

Why this answer

Options B, D, and E are correct. D: Associate an Amazon-provided IPv6 CIDR block with the VPC. E: Assign IPv6 CIDRs to the subnets and enable auto-assign IPv6 addresses. B: Add a route for ::/0 to an egress-only internet gateway (or an internet gateway). Option C is wrong because IPv6 egress uses an egress-only internet gateway, not NAT. Option A is not one of the three required steps here because security group rules are a separate access-control layer rather than what establishes IPv6 connectivity at the VPC level.

874
Multi-Selecteasy

A company is setting up AWS Site-to-Site VPN for connectivity between its on-premises network and AWS VPC. They want to ensure the VPN tunnel is highly available. Which THREE components should be configured? (Choose THREE.)

Select 3 answers
A.A single VPN connection with one tunnel
B.BGP dynamic routing over the VPN tunnels
C.Static routing instead of BGP
D.Two VPN tunnels per VPN connection
E.A second customer gateway device on-premises
AnswersB, D, E

Correct; BGP allows automatic failover between tunnels.

Why this answer

Options B, D, and E are correct. Option D: two tunnels per VPN connection provide redundancy. Option E: a second customer gateway device ensures on-premises redundancy. Option B: BGP dynamic routing allows automatic failover between tunnels. Option A is incorrect because a single VPN connection with one tunnel is not highly available. Option C is incorrect because static routes do not provide dynamic failover.

875
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect. The company has a single 1 Gbps dedicated connection and wants to connect to multiple VPCs in the same region. Which THREE steps are necessary to achieve this connectivity?

Select 3 answers
A.Create a Direct Connect gateway.
B.Create a private virtual interface for each VPC.
C.Create a public virtual interface for each VPC.
D.Attach the VPCs to the transit gateway.
E.Create a transit virtual interface and associate it with a transit gateway.
AnswersA, D, E

A Direct Connect gateway can connect to multiple VPCs.

Why this answer

Options A, D, and E are correct because a Direct Connect gateway lets a single connection reach multiple VPCs, and a transit virtual interface associated with a transit gateway (with the VPCs attached to it) is the recommended approach. Option C is not needed because public virtual interfaces are for AWS public endpoints, not VPCs. Option B is incorrect because a private virtual interface attaches to a single VPC's virtual private gateway.

876
MCQhard

A company has a hub-and-spoke network architecture using AWS Transit Gateway. The hub VPC contains a central inspection appliance (NVA) for traffic inspection. Spoke VPCs are attached to the Transit Gateway and have routes pointing to the Transit Gateway for all traffic. The Transit Gateway has a default route table that routes traffic to the NVA for inspection. Recently, the network team noticed that traffic between two spoke VPCs is not being inspected. The team verified that the Transit Gateway route tables are correctly configured and that the NVA is healthy. What should the team do to ensure that inter-spoke traffic is inspected?

A.Configure route propagation in the Transit Gateway route tables to propagate routes from the spoke attachments
B.Enable VPC Flow Logs on the spoke VPCs to capture traffic
C.Add static routes in the spoke VPC route tables pointing to the NVA
D.Increase the bandwidth of the Transit Gateway attachments
AnswerA

Propagation ensures that spoke routes are learned and traffic is forwarded to the NVA for inspection.

Why this answer

Option A is correct because enabling route propagation from the spoke attachments to the Transit Gateway route tables ensures that spoke routes are learned and kept up to date, so inter-spoke traffic is forwarded to the NVA. Option C is wrong because static routes may cause issues if the NVA IP changes. Option B is wrong because VPC Flow Logs do not configure inspection. Option D is wrong because increasing bandwidth does not solve the inspection routing issue.

877
MCQmedium

A company is deploying a new VPC with both public and private subnets. The public subnet hosts an internet-facing Application Load Balancer (ALB), and the private subnet hosts EC2 instances running a web application. The EC2 instances need to download updates from the internet, but they must not be directly accessible from the internet. Which combination of steps should a network engineer implement to meet these requirements?

A.Create a NAT Gateway in a public subnet, and add a default route (0.0.0.0/0) to the NAT Gateway in the private subnet's route table.
B.Launch a proxy server in the public subnet and configure the private instances to use it for outbound traffic.
C.Set up a VPN connection to an on-premises network and route all internet traffic through the VPN.
D.Attach an Internet Gateway to the VPC and add a default route (0.0.0.0/0) to the Internet Gateway in the private subnet's route table.
AnswerA

This allows outbound internet access while blocking inbound connections.

Why this answer

A NAT Gateway in a public subnet allows EC2 instances in private subnets to initiate outbound traffic to the internet (e.g., for updates) while preventing any unsolicited inbound connections from the internet. Adding a default route (0.0.0.0/0) to the NAT Gateway in the private subnet's route table directs all outbound internet traffic through the NAT Gateway, which translates the private IPs to the NAT Gateway's Elastic IP. This meets the requirement of internet access for downloads without direct internet accessibility.

Exam trap

AWS often tests the misconception that an Internet Gateway in a private subnet's route table provides outbound-only access, but in reality, an Internet Gateway enables bidirectional traffic, making instances publicly reachable if they have public IPs or if the route is present.

How to eliminate wrong answers

Option B is wrong because a proxy server in the public subnet is an alternative but not the simplest or most AWS-native solution; it adds management overhead and a single point of failure, whereas a NAT Gateway is fully managed and highly available. Option C is wrong because a VPN connection to an on-premises network routes traffic through the corporate network, which does not provide direct internet access for the EC2 instances unless the on-premises network itself has internet connectivity and is configured to forward traffic, adding unnecessary complexity and latency. Option D is wrong because attaching an Internet Gateway and adding a default route to it in the private subnet's route table would make the EC2 instances directly accessible from the internet (since the Internet Gateway allows bidirectional traffic), violating the requirement that they must not be directly accessible.

878
Multi-Select (easy)

Which TWO of the following are valid options for implementing network segmentation in a VPC?

Select 2 answers
A. Security Groups
B. Subnets
C. Route Tables
D. NAT Gateway
E. Internet Gateway
Answers: A, B

Security groups act as virtual firewalls for instances.

Why this answer

Security Groups (A) are stateful virtual firewalls that operate at the instance level (ENI), allowing you to control inbound and outbound traffic based on rules. They are a valid mechanism for network segmentation because you can assign different Security Groups to different instances or groups of instances to isolate traffic between tiers (e.g., web, app, database). Subnets (B) provide network segmentation at the VPC subnet level by dividing the VPC's IP address range into smaller segments, each associated with a specific Availability Zone and route table, enabling logical separation of resources.

Exam trap

AWS often tests the misconception that Route Tables or NAT Gateways provide segmentation, but they are routing and translation services, not access control boundaries; the trap is confusing traffic direction with traffic filtering.

879
Multi-Select (hard)

Which TWO of the following are characteristics of an AWS Network Load Balancer (NLB)?

Select 2 answers
A. Supports SSL offloading
B. Supports routing based on HTTP headers
C. Preserves the source IP address of the client
D. Operates at Layer 7 of the OSI model
E. Can handle millions of requests per second
Answers: C, E

NLB preserves the client IP.

Why this answer

The correct answers are C and E. NLB operates at Layer 4, handles millions of requests per second, and preserves the client's source IP address. Option D (Layer 7) describes an ALB, not an NLB. Option B (routing on HTTP headers) is a Layer 7 feature. Option A (SSL offloading) is a Layer 7 feature.

880
Multi-Select (medium)

Which TWO actions should a network engineer take to troubleshoot a BGP session that is not establishing between an on-premises router and AWS Direct Connect? (Select TWO.)

Select 2 answers
A. Verify that the BGP ASN configured on the customer router matches the one provided by AWS.
B. Increase the MTU on the customer router interface.
C. Ensure that the virtual interface is in the 'available' state.
D. Verify that the peer IP addresses on both sides are correct and reachable.
E. Check that the Direct Connect connection is in the 'available' state.
Answers: A, D

Mismatched ASN prevents BGP session establishment.

Why this answer

Common BGP issues include incorrect BGP ASN, incorrect peer IP addresses, missing authentication, and firewall rules blocking TCP port 179. Verifying these settings on both sides is key.

881
Multi-Select (medium)

Which THREE actions are required to enable an EC2 instance in a private subnet to download software updates from the internet? (Select THREE.)

Select 3 answers
A. Allocate an Elastic IP and associate it with the NAT Gateway
B. Configure the security group to allow outbound traffic to 0.0.0.0/0
C. Create a NAT Gateway in a public subnet
D. Add a route in the private subnet route table pointing to the NAT Gateway for 0.0.0.0/0
E. Attach an Internet Gateway to the VPC
Answers: A, C, D

EIP is required for NAT Gateway to communicate with Internet Gateway.

Why this answer

Options A, C, and D are correct: a NAT Gateway in a public subnet, a route from the private subnet to it, and an Elastic IP for the NAT Gateway. Option E is wrong because an Internet Gateway alone does not provide outbound access for private subnets. Option B is wrong because security groups allow all outbound traffic by default.

882
MCQ (medium)

A company has a VPC with a CIDR block of 10.0.0.0/16. They have two subnets: subnet-A (10.0.1.0/24) and subnet-B (10.0.2.0/24). An EC2 instance in subnet-A needs to communicate with an RDS database in subnet-B. Both subnets are in the same Availability Zone. What is the most efficient way to enable this communication?

A. Create a Transit Gateway and attach both subnets to it.
B. Place a NAT Gateway in subnet-A and configure route tables accordingly.
C. No additional configuration is required. The instance and database can communicate within the same VPC.
D. Create a VPC Peering connection between the two subnets.
Answer: C

VPC internal routing allows communication between subnets in the same VPC.

Why this answer

Option C is correct. By default, subnets in the same VPC can communicate with each other via the VPC's local route; no additional configuration is needed as long as the security groups and network ACLs allow the traffic. Option D is wrong because VPC Peering is for cross-VPC communication. Option B is wrong because a NAT Gateway is for outbound internet access. Option A is wrong because a Transit Gateway is for connecting multiple VPCs or networks.

883
MCQ (medium)

A company is implementing an AWS Client VPN endpoint to provide remote access to its VPC resources. The company's on-premises network uses a split-tunneling configuration to route only corporate traffic through the VPN. The Client VPN endpoint is associated with a single subnet in the VPC. Users report that they can connect to the Client VPN but cannot reach resources in the VPC. The Client VPN endpoint's security group allows all traffic. What is the MOST likely cause of this issue?

A. The security group associated with the Client VPN endpoint does not allow inbound traffic from the client CIDR.
B. The authorization rules do not grant access to the target subnets.
C. The route table of the subnet where the Client VPN endpoint is attached does not have a route to the VPC CIDR.
D. The Client VPN endpoint is configured with full-tunneling instead of split-tunneling.
Answer: C

Without a route, traffic from clients won't reach VPC resources.

Why this answer

Option C is correct because the subnet's route table must have a route pointing to the Client VPN endpoint for traffic to reach VPC resources. Option D is incorrect because split-tunneling does not cause this issue. Option B is incorrect because authorization rules are separate from security groups. Option A is incorrect because the Client VPN endpoint uses its own security group, which the question states already allows all traffic.

884
MCQ (medium)

A company wants to connect multiple VPCs across different AWS Regions using AWS Transit Gateway. Which feature allows the VPCs to communicate with each other using private IP addresses without creating peering connections?

A. AWS Direct Connect gateway
B. AWS PrivateLink
C. Transit Gateway inter-Region peering
D. VPC Peering
Answer: C

Transit Gateway supports inter-Region peering for transitive routing between VPCs across Regions.

Why this answer

Transit Gateway inter-Region peering allows VPCs in different AWS Regions to communicate using private IP addresses through a central Transit Gateway, without requiring individual VPC peering connections. This feature uses the AWS global network to route traffic between peered Transit Gateways, enabling cross-region connectivity with a hub-and-spoke architecture.

Exam trap

The trap here is that candidates may confuse Transit Gateway inter-Region peering with VPC Peering, assuming VPC Peering is the only way to connect VPCs across regions, but Transit Gateway provides a scalable, centralized alternative without the need for full-mesh peering.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect gateway is used to connect on-premises networks to AWS via Direct Connect, not to connect VPCs across regions. Option B is wrong because AWS PrivateLink enables private connectivity to services via Network Load Balancers and interface VPC endpoints, but it does not provide routing between multiple VPCs. Option D is wrong because VPC Peering requires creating individual peering connections between each pair of VPCs, which does not scale and does not use a central Transit Gateway.

885
MCQ (hard)

A company is deploying a critical application across three AWS Regions using an active-active architecture with Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) as the endpoint. The application health checks are configured to check the /health endpoint every 10 seconds. During a regional failure, some users experience timeouts while others are redirected correctly. What is the most likely cause?

A. Route 53 health checkers take multiple intervals to detect failure, and timeouts occur before failover completes.
B. The ALB health check is misconfigured and returns a non-200 status code during normal operation.
C. The TTL on the Route 53 record is set too low, causing stale DNS responses.
D. Users have cached DNS records from the failed region, and Route 53 does not return healthy endpoints.
Answer: A

Route 53 health checks have a 30-second interval and multiple checks are needed to confirm failure.

Why this answer

Route 53 health checkers operate from multiple global locations and evaluate the /health endpoint every 10 seconds. However, to declare an endpoint unhealthy, Route 53 requires a configurable number of consecutive failures (default is 3), meaning it can take 30 seconds or more before the DNS record is updated to remove the failed region. During this detection window, users whose DNS queries are answered before the failure has been confirmed may receive the IP of the failing ALB and experience timeouts, while users who query after the failover has completed are directed to a healthy region.

Exam trap

AWS often tests the misconception that Route 53 instantly fails over when an endpoint becomes unhealthy, but the trap here is that health check detection requires multiple consecutive failures (default 3) before the endpoint is removed from DNS responses, causing a delay that leads to intermittent timeouts for some users.

How to eliminate wrong answers

Option B is wrong because a misconfigured ALB health check returning a non-200 status during normal operation would cause Route 53 to mark the endpoint as unhealthy continuously, not just during a regional failure, and would not explain why some users experience timeouts while others do not. Option C is wrong because a low TTL on the Route 53 record actually reduces the time DNS responses are cached, which would help failover happen faster, not cause stale responses or timeouts. Option D is wrong because Route 53 latency-based routing does not return unhealthy endpoints; once a health check fails, Route 53 stops including that region's IP in responses, so cached DNS records from the failed region are not served by Route 53—the issue is that the health check failure detection itself takes multiple intervals, not that Route 53 returns unhealthy endpoints.

886
MCQ (easy)

A company uses AWS Client VPN to provide remote access to its corporate network. Users report that they can connect to the VPN but cannot reach resources in the VPC. The VPN is configured with mutual authentication and authorization rules. What should the network engineer verify first?

A. The security group associated with the VPN endpoint allows inbound traffic from the client CIDR
B. The server certificate is valid and trusted by the client
C. The client CIDR range does not overlap with the VPC CIDR
D. The authorization rules grant access to the target network
Answer: D

Authorization rules are required to allow traffic to the VPC.

Why this answer

Option D is correct because authorization rules control which groups can access which networks. Option A is incorrect because if the connection succeeds, the security group is not the issue. Option C is incorrect because the client CIDR range does not affect access to VPC resources. Option B is incorrect because the server certificate is for authentication, not routing; a valid VPN connection shows that authentication already succeeded.

887
MCQ (medium)

An organization is migrating to AWS and needs to connect multiple VPCs in different AWS regions using a hub-and-spoke topology. The hub VPC will host centralized services. Which solution is most cost-effective and provides high throughput?

A. Deploy a software VPN appliance in the hub VPC and connect each spoke VPC with VPN tunnels.
B. Create VPC peering connections between the hub VPC and each spoke VPC.
C. Establish Direct Connect connections from each VPC to a central on-premises location.
D. Set up AWS Transit Gateway with attachments to each VPC.
Answer: B

VPC peering is cost-effective and high throughput for hub-and-spoke across regions.

Why this answer

Option B is correct because VPC peering provides high throughput and is cost-effective for hub-and-spoke topologies across regions. Note that VPC peering is not transitive: spoke-to-spoke traffic cannot pass through the hub, and a full mesh would be needed for that. The question only asks for connecting the spokes to the hub, and for that VPC peering is the cost-effective choice. Option D is wrong because AWS Transit Gateway is managed but is not the most cost-effective option for a small number of VPCs. Option C is wrong because Direct Connect is expensive and not needed for VPC-to-VPC connectivity. Option A is wrong because a software VPN appliance is less reliable and offers lower throughput.

888
MCQ (medium)

A company has a VPC with public and private subnets. The private subnets need outbound internet access for software updates. The company wants to ensure that traffic from private subnets uses a single, highly available IP address for outbound traffic. Which solution meets these requirements?

A. Deploy a single EC2 instance configured as a NAT instance in a public subnet.
B. Configure a fleet of proxy servers in an Auto Scaling group with a Network Load Balancer.
C. Create a NAT gateway in a public subnet and route traffic from private subnets to it.
D. Use a VPC endpoint for Amazon S3 to access software updates.
Answer: C

NAT gateway is managed, highly available, and provides a single Elastic IP.

Why this answer

Option C is correct because a NAT gateway provides highly available outbound internet access with a single Elastic IP address. Option A is incorrect because a NAT instance is a single EC2 instance and is not highly available. Option D is incorrect because a VPC endpoint is for specific AWS services, not general internet access. Option B is incorrect because a proxy fleet adds complexity and does not provide a single outbound IP.

889
MCQ (easy)

A network engineer is troubleshooting intermittent connectivity issues between two VPCs that are peered. The VPC peering connection is in the 'active' state. ICMP ping from an instance in VPC A to an instance in VPC B fails intermittently. What is the most likely cause?

A. The network ACLs are blocking ICMP traffic.
B. The security groups on the instances do not allow inbound ICMP.
C. The VPC peering connection is not in the 'active' state.
D. The route tables in one or both VPCs lack routes to the peer VPC's CIDR via the peering connection.
Answer: D

Intermittent issues could be due to route propagation delays, but the typical cause is missing routes.

Why this answer

Since the VPC peering connection is active, the issue is likely that the route tables in one or both VPCs are not correctly configured to route traffic to the peered VPC's CIDR via the peering connection. Without proper routes, traffic is dropped.

890
Multi-Select (easy)

Which TWO of the following are required to establish an AWS Site-to-Site VPN connection? (Select TWO.)

Select 2 answers
A. Direct Connect gateway
B. Virtual private gateway
C. Customer gateway
D. Transit gateway
E. VPN connection
Answers: B, C

AWS-side endpoint for the VPN.

Why this answer

A virtual private gateway (VGW) is required as the AWS-side endpoint for the VPN tunnel; it anchors the encrypted IPsec session and routes traffic from the VPC to the on-premises network. The customer gateway (CGW) represents the on-premises VPN device in AWS, providing the public IP and BGP ASN (for dynamic routing) or static route configuration needed to establish the tunnel. Both are mandatory components of an AWS Site-to-Site VPN connection.

Exam trap

AWS often tests the misconception that a transit gateway is required for Site-to-Site VPN, but it is only needed when connecting multiple VPCs or using advanced routing features; a simple VPN to a single VPC only needs a VGW and CGW.

891
Multi-Select (hard)

A company is designing a multi-account AWS environment using AWS Transit Gateway. They want to centralize network management and ensure that VPCs in different accounts can communicate. Which THREE steps are required to achieve this? (Select THREE.)

Select 3 answers
A. Create a Transit Gateway in the central networking account
B. Use AWS Resource Access Manager (RAM) to share the Transit Gateway with other accounts
C. Create a separate Transit Gateway in each account and peer them together
D. Create a Transit Gateway route table and associate VPC attachments
E. Create a VPC peering connection between each VPC and the Transit Gateway
Answers: A, B, D

A central Transit Gateway is created in the networking account.

Why this answer

Options A, B, and D are correct. You create the Transit Gateway in the central networking account, share it with the other accounts using AWS Resource Access Manager (RAM), create a Transit Gateway route table, and associate the VPC attachments with that route table. Option E is wrong because VPC peering is not needed when using a Transit Gateway. Option C is wrong because you do not need a separate Transit Gateway in each account; you share a central one.

892
Multi-Select (easy)

A company needs to log all network traffic to and from EC2 instances for security analysis. Which TWO services can capture this data? (Choose 2)

Select 2 answers
A. AWS Config
B. VPC Flow Logs
C. AWS CloudTrail
D. Traffic Mirroring
E. Amazon CloudWatch Logs
Answers: B, D

Flow Logs capture network traffic metadata.

Why this answer

Options B and D are correct. VPC Flow Logs capture metadata about network traffic (source, destination, ports, protocol, accept/reject). Traffic Mirroring captures the actual packet content. Option C is wrong because CloudTrail logs API calls, not network traffic. Option E is wrong because CloudWatch Logs is a log storage and analysis destination, not a capture mechanism. Option A is wrong because AWS Config records resource configuration changes.

893
MCQ (easy)

A company has an existing VPC with a public subnet and a private subnet. The company launches an EC2 instance in the private subnet. The instance needs to access an S3 bucket to download software updates. The company does not want the instance to have a public IP address. The company creates a VPC endpoint for S3 (Gateway type) in the VPC, and associates it with the private subnet route table by adding a route for the S3 prefix list. However, the instance still cannot access the S3 bucket. The security group for the instance allows all outbound traffic. The network ACL for the private subnet allows all inbound and outbound traffic. What is the MOST likely reason for the connectivity failure?

A. The network ACL is blocking the traffic
B. The security group does not allow outbound HTTPS traffic
C. The VPC endpoint policy does not grant access to the S3 bucket
D. The instance does not have a route to the internet
Answer: C

Correct; the endpoint policy may be restrictive.

Why this answer

The most likely reason is that the VPC endpoint policy does not grant access to the S3 bucket. Even though the Gateway VPC Endpoint is created and associated with the private subnet route table, the endpoint's policy controls which S3 buckets and actions are allowed. If the policy is too restrictive (e.g., default deny or does not explicitly allow access to the specific bucket), traffic will be dropped at the endpoint, preventing the instance from downloading updates.

The security group and network ACL are already permissive, and internet access is not required because the Gateway endpoint uses AWS's private network.

Exam trap

AWS often tests the misconception that a Gateway VPC Endpoint automatically grants access to all S3 buckets once the route is added, ignoring that the endpoint policy must explicitly allow the desired S3 actions and resources.

How to eliminate wrong answers

Option A is wrong because the network ACL for the private subnet allows all inbound and outbound traffic, so it is not blocking anything. Option B is wrong because the security group allows all outbound traffic (including HTTPS), so outbound HTTPS is permitted. Option D is wrong because the instance does not need a route to the internet; a Gateway VPC Endpoint for S3 provides connectivity to S3 over the AWS private network without requiring internet access.

894
Multi-Select (hard)

A company is migrating a legacy application to AWS. The application uses multicast traffic between servers. The company needs to support multicast in the AWS VPC. Which TWO solutions can the network engineer recommend? (Choose TWO.)

Select 2 answers
A. Deploy a third-party virtual firewall or router that supports multicast inside the VPC.
B. Use VPC endpoints for multicast support.
C. Use VPC peering connections to allow multicast traffic between VPCs.
D. Use a transit gateway with multicast domain configuration.
E. Use AWS Direct Connect to extend the on-premises multicast domain.
Answers: A, D

Virtual appliances can handle multicast routing.

Why this answer

Options A and D are correct. Option D uses a transit gateway with a multicast domain, which provides native multicast support. Option A uses a third-party virtual appliance to handle multicast routing inside the VPC. Option C is wrong because VPC peering does not support multicast. Option E is wrong because Direct Connect does not provide multicast. Option B is wrong because VPC endpoints do not support multicast.

895
MCQ (medium)

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel status shows 'UP' but traffic is not passing. The engineer checks the route tables and finds that the VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. What is the most likely missing configuration?

A. The VPC route table does not have a route for the on-premises CIDR pointing to the virtual private gateway
B. The security group of the EC2 instances does not allow inbound traffic from on-premises
C. The VPN tunnel is using the wrong pre-shared key
D. The on-premises router is not advertising the VPC CIDR over BGP
Answer: C

A wrong PSK would prevent the tunnel from coming up, but the tunnel is UP, so the PSK is correct.

Why this answer

For a VPN to pass traffic, the on-premises router must have a route pointing back to the VPC CIDR via the VPN tunnel. Option B is correct. Options A, C, and D are either already done or not directly related to traffic passing.

896
MCQ (medium)

A company is designing a multi-region architecture with VPCs in us-east-1 and eu-west-1. The company needs low-latency connectivity between the VPCs and wants to avoid traffic over the public internet. The VPCs have overlapping CIDR blocks (10.0.0.0/16). Which solution should the network engineer recommend?

A. Set up an AWS Transit Gateway in each region and connect them via a VPN attachment.
B. Use a Direct Connect connection between the regions.
C. Use VPC peering between the two VPCs.
D. Place all resources in a single VPC with multiple Availability Zones.
Answer: A

Transit Gateway with VPN can handle overlapping CIDRs.

Why this answer

Option A is correct because AWS Transit Gateway supports inter-region peering attachments that use the AWS global network backbone, providing low-latency, private connectivity between VPCs in different regions. Even when VPCs have overlapping CIDR blocks, Transit Gateway can handle this through route table isolation and network segmentation (e.g., using separate route tables for each VPC attachment), which VPC peering cannot do. VPN attachments between Transit Gateways in each region establish encrypted tunnels over the AWS backbone, avoiding the public internet.

Exam trap

The trap here is that candidates assume VPC peering is always the simplest solution, but they overlook the critical requirement that VPC peering cannot work with overlapping CIDR blocks, making Transit Gateway with VPN attachments the only viable option for this scenario.

How to eliminate wrong answers

Option B is wrong because Direct Connect is a dedicated connection from on-premises to AWS, not between AWS regions; it does not provide inter-region VPC connectivity. Option C is wrong because VPC peering requires non-overlapping CIDR blocks; with overlapping 10.0.0.0/16 CIDRs, peering is impossible as it would cause routing conflicts and AWS explicitly prohibits peering with overlapping ranges. Option D is wrong because the requirement is for a multi-region architecture, and placing all resources in a single VPC with multiple Availability Zones only provides high availability within one region, not cross-region connectivity.

897
MCQ (easy)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add an IPv6 CIDR block to the VPC. Which action should they take?

A. Request an IPv6 CIDR block from your regional internet registry and associate it with the VPC.
B. Enable IPv6 on the subnets directly without associating a VPC CIDR.
C. Manually assign a /56 IPv6 CIDR block to the VPC.
D. Associate an Amazon-provided IPv6 CIDR block with the VPC.
Answer: D

Amazon provides a /56 block from their pool.

Why this answer

Option D is correct because AWS provides an Amazon-provided IPv6 CIDR block that is automatically assigned to the VPC. Option A is wrong because you cannot bring your own IPv6 GUA. Option C is wrong because you cannot choose the /56 yourself; AWS assigns the /56 block. Option B is wrong because you must associate an IPv6 CIDR with the VPC first, not just with the subnets.

898
MCQ (easy)

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. They want to add a second Direct Connect connection for redundancy. What is the MINIMUM number of virtual interfaces required to achieve active-active failover for the VPC?

A. Two transit virtual interfaces (one on each connection)
B. One private virtual interface and one transit virtual interface
C. Two private virtual interfaces (one on each connection)
D. One private virtual interface
Answer: C

Correct; two VIFs allow BGP to provide active-active failover.

Why this answer

Option C is correct because with two Direct Connect connections, you can create a private VIF on each, and using BGP and AS_PATH prepending, you can achieve active-active load balancing and failover. Option D is wrong because a single VIF cannot provide redundancy; you need two VIFs for active-active. Options A and B are wrong because transit VIFs are for connecting to a Direct Connect gateway, not directly to a VPC.

899
MCQ (medium)

A security engineer needs to block traffic from a specific country from reaching an Application Load Balancer. Which AWS service should be used to accomplish this?

A. Network ACLs on the VPC subnet
B. Security groups associated with the ALB
C. Route 53 Resolver DNS Firewall
D. AWS WAF web ACL associated with the ALB
Answer: D

AWS WAF supports geo-match conditions to block traffic from specific countries.

Why this answer

AWS WAF can be associated with an ALB to create geo-match rules that block traffic based on geographic origin. Option B is wrong because security groups do not support geo-blocking. Option A is wrong because NACLs operate at the subnet level and do not support geo-blocking. Option C is wrong because Route 53 Resolver DNS Firewall filters DNS queries, not HTTP traffic.

900
MCQ (easy)

A company has a VPC with an Application Load Balancer (ALB) in front of a fleet of EC2 instances. The security group for the EC2 instances must allow traffic only from the ALB. Which source should be specified in the security group inbound rule?

A. The ALB's public IP address
B. The subnet CIDR block of the ALB's subnets
C. The ID of the ALB's security group
D. The VPC CIDR block
Answer: C

Referencing the ALB's security group as a source ensures only traffic from the ALB is allowed.

Why this answer

Option C is correct because the ALB's security group ID can be used as the source in the instance security group, allowing traffic only from the ALB. Option A is wrong because the ALB's public IPs can change; referencing a security group ID is more reliable. Option D is wrong because the VPC CIDR is too broad. Option B is wrong because the subnet CIDR of the ALB is also too broad and not as secure.
