AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 901–975

1705 questions total · 23 pages · All types, answers revealed

Page 13 of 23
901
MCQ · easy

A network engineer is analyzing VPC Flow Logs for a VPC with CIDR 10.0.0.0/16. The exhibit shows a sample log entry. The engineer notices that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted. However, the application team reports that the connection is failing. What is the most likely reason for the disconnect?

A. The security groups are blocking the traffic.
B. The route tables are incorrectly configured, causing packet loss.
C. The flow logs are misconfigured and not capturing all traffic.
D. The application layer is failing to establish a proper connection.
Answer: D

Flow logs only show network-level acceptance; application issues are not captured.

Why this answer

The VPC Flow Logs show that traffic from 10.0.1.10 to 10.0.2.10 on port 443 is being accepted (ACCEPT record), which indicates that the network layer (security groups, network ACLs, and routing) is permitting the traffic. Since the application team reports the connection is failing, the issue must be at a higher layer, specifically the application layer (e.g., TLS handshake failure, certificate mismatch, or the application not listening on port 443). Flow logs capture only network-layer metadata (IP, port, protocol, action) and cannot detect application-layer errors.

Exam trap

AWS often tests the distinction between network-layer acceptance (ACCEPT in flow logs) and application-layer success, trapping candidates who assume an ACCEPT record guarantees a successful connection.

How to eliminate wrong answers

Option A is wrong because if security groups were blocking the traffic, the flow log entry would show a REJECT or DROP action, not ACCEPT. Option B is wrong because incorrect route tables would cause packet loss or unreachability, which would also result in DROP or no flow log entry for the destination, not an ACCEPT record. Option C is wrong because the flow log entry is present and shows ACCEPT, indicating the logs are capturing traffic correctly; misconfiguration would result in missing or incomplete logs, not a false ACCEPT.

902
MCQ · hard

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. The application must have the lowest possible latency for global users. Which design meets these requirements?

A. Use AWS Global Accelerator with endpoints in both regions and configure traffic dials to distribute traffic.
B. Use Amazon CloudFront with multiple origins pointing to each ALB.
C. Use Amazon Route 53 with latency routing policy to route users to the closest ALB.
D. Use AWS Global Accelerator with a single endpoint in one region and failover to the other region.
Answer: A

Global Accelerator provides anycast IPs and can distribute traffic across multiple regions with traffic dials.

Why this answer

AWS Global Accelerator uses anycast static IP addresses to route traffic over the AWS global network to the optimal endpoint based on health, latency, and traffic dials. By configuring endpoints in both regions with traffic dials, you can distribute traffic actively across both regions, ensuring the lowest possible latency for global users by directing them to the nearest healthy endpoint.

Exam trap

The trap here is that candidates often confuse DNS-based routing (Route 53 latency routing) with anycast-based routing (Global Accelerator), not realizing that DNS caching and propagation delays prevent true real-time, lowest-latency routing for active-active architectures.

How to eliminate wrong answers

Option B is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for caching static and dynamic content at edge locations, not for accelerating TCP/UDP traffic to ALBs with active-active multi-region load balancing; it adds an extra hop and does not provide the same low-latency, anycast-based routing for non-HTTP(S) workloads. Option C is wrong because Amazon Route 53 latency routing policy operates at the DNS level, which introduces DNS caching and propagation delays, and cannot route traffic based on real-time network conditions or provide fast failover for active-active architectures; it also does not offer static IP addresses. Option D is wrong because using a single endpoint in one region with failover to the other region creates an active-passive architecture, not active-active, which means users are always routed to the primary region unless it fails, increasing latency for users far from that region and failing to meet the requirement for lowest possible latency for global users.

903
MCQ · medium

A company is deploying a new application in a VPC that uses a single Availability Zone. The application consists of an Application Load Balancer (ALB) in a public subnet and EC2 instances in a private subnet. The EC2 instances need to send logs to an Amazon S3 bucket. The company has created a VPC gateway endpoint for S3 and associated it with the route table for the private subnet. The EC2 instances have an instance profile that grants access to the S3 bucket. However, the log delivery fails. The network team has verified that the route table for the private subnet includes a route to the S3 prefix list via the gateway endpoint. What is the MOST likely cause of the failure?

A. The route table does not have a route to the S3 prefix list.
B. The VPC endpoint is not configured with private DNS.
C. The security group on the EC2 instances does not allow outbound traffic to the S3 prefix list.
D. The VPC endpoint policy does not allow the PutObject action on the S3 bucket.
Answer: D

Correct: Endpoint policy must allow the action.

Why this answer

The most likely cause is that the VPC endpoint policy does not allow the PutObject action on the S3 bucket. Even though the route table has a route to the S3 prefix list via the gateway endpoint and the EC2 instance profile grants access, the endpoint policy acts as an additional layer of authorization. If the endpoint policy does not explicitly allow the s3:PutObject action for the target bucket, requests will be denied, causing the log delivery to fail.

Exam trap

The trap here is that candidates often assume that if routing is correct and the instance has IAM permissions, the request will succeed, overlooking that the VPC endpoint policy is a separate authorization layer that must explicitly allow the action.

How to eliminate wrong answers

Option A is wrong because the network team has verified that the route table includes a route to the S3 prefix list via the gateway endpoint, so routing is correctly configured. Option B is wrong because private DNS is relevant only for interface endpoints (which use private IP addresses and DNS resolution), not for gateway endpoints, which do not support private DNS. Option C is wrong because security groups do not filter traffic to prefix lists for gateway endpoints: gateway endpoints use route tables for routing, and while security groups apply to traffic at the instance level, outbound traffic to the S3 prefix list is not blocked by a security group here, since the traffic is routed through the endpoint rather than through a NAT or internet gateway.

904
MCQ · hard

A company attaches the above bucket policy to an S3 bucket. A user from the IP range 203.0.113.0/24 makes a request over HTTPS (TLS) to download an object from the bucket. Will the request succeed?

A. Yes, but only if the request also includes a valid AWS signature.
B. No, because the Allow statement is overridden by the Deny statement.
C. No, because the Deny statement denies all requests regardless of the condition.
D. Yes, because the request uses HTTPS and comes from the allowed IP range.
Answer: D

The Deny only blocks non-HTTPS requests, and the Allow permits the IP range.

Why this answer

Option D is correct because the bucket policy includes an Allow statement that grants s3:GetObject access to requests coming from the IP range 203.0.113.0/24 over HTTPS (using the aws:SecureTransport condition). The Deny statement only denies requests that do not use HTTPS (i.e., aws:SecureTransport equals false), so a request from the allowed IP range using TLS is not affected by the Deny and is permitted by the Allow statement.

Exam trap

AWS often tests the nuance that an explicit Deny only applies when its conditions are fully satisfied, and candidates mistakenly assume any Deny statement automatically blocks all requests regardless of conditions.

How to eliminate wrong answers

Option A is wrong because the policy does not require a valid AWS signature; the Allow statement uses only IP address and HTTPS conditions, and anonymous requests from the allowed IP range over HTTPS are permitted without authentication. Option B is wrong because the Deny statement does not override the Allow statement for this request; the Deny only applies when aws:SecureTransport is false, which is not the case for an HTTPS request. Option C is wrong because the Deny statement does not deny all requests; it is conditional on the request not using HTTPS, so requests over HTTPS are not denied.

905
MCQ · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a VPC with a CIDR of 10.0.0.0/16 attached to the transit gateway. They also have a Direct Connect virtual interface attached to the transit gateway. The on-premises network can reach some VPCs but not the VPC with CIDR 10.0.0.0/16. The transit gateway route table has a static route for the on-premises CIDR and a route propagation from the VPC attachment. What is the most likely issue?

A. The transit gateway has reached the maximum number of attachments
B. The VPC CIDR overlaps with the on-premises CIDR
C. The transit gateway route table does not have a route to the on-premises network
D. The VPC attachment is not associated with the transit gateway route table
Answer: B

Overlapping CIDRs cause routing issues in a transit gateway.

Why this answer

Option B is correct because the VPC CIDR 10.0.0.0/16 might overlap with the on-premises CIDR, causing routing conflicts. Option D is wrong because the VPC attachment is attached and propagating. Option C is wrong because the transit gateway route table does have routes. Option A is wrong because there is no such limit.

906
Multi-Select · easy

A company is setting up a new VPC and needs to ensure that instances in the VPC can resolve DNS names within AWS (e.g., ec2-203-0-113-25.compute-1.amazonaws.com). Which TWO configurations are required? (Select TWO.)

Select 2 answers
A. Set the VPC's 'enableDnsSupport' attribute to true
B. Set the VPC's 'enableDnsHostnames' attribute to true
C. Configure the Amazon Route 53 Resolver to forward queries to the VPC DNS
D. Create a public hosted zone in Amazon Route 53 and associate it with the VPC
E. Create a custom DHCP option set with the domain-name-servers option set to the VPC DNS IP
Answers: A, B

This enables DNS resolution through the Amazon DNS server.

Why this answer

Options A and B are correct. To enable DNS resolution for private hosted zones and instance hostnames, both 'enableDnsHostnames' and 'enableDnsSupport' must be set to true. Option D is wrong because a public hosted zone is not required for private DNS resolution. Option C is wrong because the Amazon Route 53 Resolver is not needed; the VPC provides DNS resolution. Option E is wrong because a DHCP option set with domain-name-servers is not required; the default VPC DNS is provided.

907
MCQ · hard

A company has a hybrid network architecture with an AWS VPC (10.0.0.0/16) connected to an on-premises data center via AWS Direct Connect with a private VIF. The on-premises network uses 10.1.0.0/16. The VPC has subnets in two Availability Zones, each with a private subnet (10.0.1.0/24 and 10.0.2.0/24) and a public subnet. The company recently deployed a new application in the VPC that uses an Application Load Balancer (ALB) in the public subnets. The ALB targets EC2 instances in the private subnets. Users on-premises report that they cannot access the application using the ALB's DNS name. The on-premises network team confirms that they can ping the ALB's private IP address from on-premises. The VPC route tables have routes for the on-premises network pointing to the virtual private gateway (VGW). The security groups and network ACLs are configured to allow traffic from on-premises. What is the most likely cause of the issue?

A. The VPC route tables do not have a route to the on-premises network for the ALB's subnet.
B. The security group on the ALB blocks inbound traffic from the on-premises CIDR.
C. The ALB is deployed in private subnets instead of public subnets.
D. The on-premises DNS resolver does not resolve the ALB's DNS name to a private IP address, causing traffic to go over the internet.
Answer: D

ALB DNS name resolves to public IPs; for private connectivity, private hosted zone or Route 53 Resolver must be used.

Why this answer

Option D is correct because the ALB's DNS name resolves to public IPs, and on-premises traffic to public IPs would go over the internet, not Direct Connect, unless DNS resolution is configured to return private IPs. Since the users can ping the private IP, the issue is DNS resolution. Option A is wrong because the route tables already have routes to on-premises. Option C is wrong because the ALB is in public subnets and should be accessible. Option B is wrong because security groups are not the issue, as they allow the traffic.

908
MCQ · hard

A large enterprise uses AWS Organizations with multiple accounts. The central networking account hosts a Transit Gateway with attachments from VPCs in various accounts. The enterprise uses AWS Resource Access Manager (RAM) to share the Transit Gateway with other accounts. A network engineer in a spoke account creates a VPC and attaches it to the shared Transit Gateway. The attachment shows 'available' state. However, traffic from the spoke VPC to other attached VPCs fails. The spoke VPC route table has a route to the Transit Gateway for 0.0.0.0/0. The Transit Gateway route table has routes for the spoke VPC CIDR and other VPC CIDRs. What is the most likely cause?

A. The spoke account does not have an IAM role to access the Transit Gateway
B. The spoke VPC route table does not have routes to the other VPC CIDRs
C. The Transit Gateway route table does not propagate routes from the spoke VPC attachment
D. The Transit Gateway owner has not accepted the VPC attachment
Answer: D

Shared TGW attachments must be accepted by owner.

Why this answer

When a Transit Gateway is shared via RAM, the owner account must accept the attachment request from the spoke account. In this scenario the attachment state 'available' means the attachment is ready on the spoke side but has not yet been associated with a Transit Gateway route table in the owner's account; the owner must accept the attachment and associate it. Option C is wrong because the Transit Gateway route table already has routes. Option B is wrong because the spoke route table already has a route to the Transit Gateway. Option A is wrong because no cross-account roles are needed for the attachment.

909
MCQ · medium

Refer to the exhibit. A VPC endpoint for S3 is created as a Gateway endpoint. The route tables rtb-11111111 and rtb-22222222 are associated with the endpoint. An EC2 instance in a subnet associated with rtb-11111111 cannot access S3 via the endpoint. What is the most likely cause?

A. The route table rtb-11111111 does not have a route to the S3 prefix list with the target as the VPC endpoint.
B. The endpoint policy denies access to S3 from the instance's IAM role.
C. The security group on the EC2 instance does not allow outbound traffic to the S3 prefix list.
D. The VPC does not have DNS resolution enabled for the endpoint.
Answer: A

Without this route, traffic to S3 does not go through the endpoint.

Why this answer

A Gateway endpoint automatically adds a prefix list route to the route table, but the route must point to the endpoint. If the route table already has a route to S3 via an Internet Gateway or NAT, the endpoint route may not be used. However, the most common issue is that the subnet's route table does not have the prefix list route for the S3 endpoint.

The exhibit shows the endpoint is associated with the route table, but the route table itself must contain a route to the S3 prefix list (e.g., pl-12345) with the target as the endpoint. Option C (security group) is possible but less likely; Option D (DNS) is not required for Gateway endpoints; Option B (policy) is permissive.

910
MCQ · medium

A company is designing a multi-region application with Amazon RDS for MySQL as the primary database. The application requires read-after-write consistency across regions. Which design should the company choose to meet this requirement?

A. Use Amazon RDS with cross-Region replication enabled using MySQL binary log
B. Use Amazon RDS Multi-AZ deployments in each region with read replicas
C. Use Amazon Aurora Global Database with cluster endpoints in each region
D. Use Amazon RDS with synchronous replication across regions
Answer: C

Aurora Global Database uses dedicated replication infrastructure with typical latency under 1 second and supports read-after-write consistency via global transaction IDs.

Why this answer

Amazon Aurora Global Database is the correct choice because it provides dedicated cluster endpoints in each region that automatically route write traffic to the primary region and read traffic to local replicas, ensuring read-after-write consistency through its storage-layer replication with typical latency under 1 second. Unlike standard RDS cross-Region replication, Aurora Global Database uses a physical storage-based replication mechanism that guarantees global consistency without relying on MySQL binary logs, which can introduce replication lag and potential inconsistency.

Exam trap

AWS often tests the misconception that standard RDS cross-Region replication (Option A) can provide read-after-write consistency, but the trap is that MySQL binary log replication is inherently asynchronous and cannot guarantee global consistency, whereas Aurora Global Database's storage-level replication is designed specifically for this purpose.

How to eliminate wrong answers

Option A is wrong because cross-Region replication using MySQL binary log is asynchronous and can introduce significant replication lag, making it impossible to guarantee read-after-write consistency across regions. Option B is wrong because Multi-AZ deployments provide high availability within a single region only and do not support cross-Region read replicas for global consistency; read replicas in other regions would still be asynchronous. Option D is wrong because Amazon RDS does not support synchronous replication across regions; synchronous replication would require a custom solution and would introduce unacceptable latency over inter-region distances.

911
Multi-Select · medium

A company is designing a multi-account AWS environment using AWS Organizations. They need to enforce that all new S3 buckets created across accounts have encryption enabled and block public access. Which TWO approaches meet these requirements? (Choose two.)

Select 2 answers
A. Apply a service control policy (SCP) to the root organizational unit that denies s3:PutBucketPublicAccessBlock and s3:PutBucketEncryption if the configuration does not meet requirements.
B. Use an S3 bucket policy that denies all principals unless encryption is enabled.
C. Create an AWS Config conformance pack with rules that check for encryption and public access, and auto-remediate non-compliant buckets.
D. Enable AWS CloudTrail to monitor bucket creation and send alerts to the security team.
E. Create an IAM role in each account that requires MFA for creating S3 buckets.
Answers: A, C

Correct: SCPs can deny non-compliant actions across accounts.

Why this answer

Option A is correct because SCPs can deny actions that create buckets without encryption or with public access allowed, enforcing the policy across all accounts. Option C is correct because AWS Config rules can be applied via a conformance pack to detect and remediate non-compliant buckets. Option D is wrong because CloudTrail only logs API calls; it cannot enforce or remediate. Option E is wrong because IAM roles in individual accounts cannot enforce organization-wide policies; they grant permissions to principals. Option B is wrong because bucket policies are per-bucket and cannot be enforced globally across all accounts.

912
Multi-Select · hard

A company is designing a network for a critical application that requires an SLA of 99.99% availability. The application runs on EC2 instances in an Auto Scaling group across three Availability Zones. The company needs to ensure that the network design meets the SLA. Which THREE components should the company include? (Choose THREE.)

Select 3 answers
A. A single AWS Direct Connect connection for all inbound traffic.
B. A NAT gateway in each Availability Zone for outbound internet access.
C. A single AWS Site-to-Site VPN connection for administrative access.
D. VPC endpoints for AWS services used by the application.
E. An Application Load Balancer (ALB) configured to route traffic to instances in all three Availability Zones.
Answers: B, D, E

NAT gateways per AZ eliminate single point of failure.

Why this answer

Options B, D, and E are correct. E: the Application Load Balancer distributes traffic across AZs. B: NAT gateways in each AZ provide highly available outbound access. D: VPC endpoints avoid internet dependency. Option A is incorrect because a single Direct Connect connection is a single point of failure. Option C is incorrect because a VPN connection alone is not highly available.

913
MCQ · medium

A company wants to ensure that all traffic to and from its Amazon EC2 instances in a VPC is inspected by a third-party security appliance. The instances are in private subnets and must maintain their private IP addresses. Which solution should be used?

A. Deploy a Transit Gateway with a site-to-site VPN to the appliance
B. Configure a Gateway Load Balancer and Gateway Load Balancer endpoints in the VPC
C. Use VPC Peering to connect to a central inspection VPC
D. Set up a Network Load Balancer in front of the instances
Answer: B

Gateway Load Balancer with GWLBe allows transparent inline inspection of traffic.

Why this answer

Option B is correct because Gateway Load Balancer with a Gateway Load Balancer endpoint (GWLBe) allows you to insert third-party appliances inline for traffic inspection without changing the instances' IP addresses. Option D is wrong because a Network Load Balancer is for load balancing, not inline inspection. Option C is wrong because VPC Peering does not provide traffic inspection. Option A is wrong because a Transit Gateway with a VPN does not provide inline inspection.

914
MCQ · hard

A company has a hybrid network with an AWS Direct Connect connection to a VPC. They also have a site-to-site VPN connection as a backup. The VPC routing tables are configured with a route to the on-premises CIDR via the virtual private gateway. The network engineer notices that traffic from the VPC to on-premises is not using the Direct Connect connection even when it is healthy. What is the most likely cause?

A. The VPC route table has a more specific route pointing to the VPN connection
B. The VPN connection is down
C. The VPN connection is attached to a Customer Gateway
D. The Direct Connect virtual interface is in the 'Down' state
Answer: A

If the VPN BGP route is more specific (e.g., /24 vs /16), it will take precedence over the static route to Direct Connect.

Why this answer

Option A is correct because when both Direct Connect and VPN are configured, the VPC route table typically has a single route to the on-premises CIDR via the virtual private gateway. Without more specific routing, the VPN BGP route may be preferred depending on route propagation and prefix matching. Option B is wrong because the VPN connection being down would not cause traffic to avoid Direct Connect. Option D is wrong because the Direct Connect virtual interface must be in the 'Available' state to pass traffic. Option C is wrong because the AWS Site-to-Site VPN connection uses a virtual private gateway or transit gateway, not a Customer Gateway, as the target.

915
Matching · medium

Match each AWS networking monitoring or troubleshooting tool to its primary purpose.


Concepts
Matches

Capture IP traffic information for security and troubleshooting

Monitor network performance metrics like throughput and latency

Test network path between two resources and identify configuration issues

Copy network traffic for content inspection or security analysis

Trace requests through distributed applications, including network calls

Why these pairings

These tools help monitor and diagnose network issues.

916
MCQ · hard

A company has a VPC with multiple subnets across three Availability Zones. The VPC contains an Auto Scaling group of EC2 instances that process messages from an SQS queue. The instances are deployed in private subnets and need to access the SQS queue over the internet. The company wants to minimize data transfer costs and improve security by keeping traffic within the AWS network. The VPC has a NAT gateway in each AZ for outbound internet access. The network team has configured the route tables for the private subnets to send 0.0.0.0/0 traffic to the NAT gateway in the same AZ. However, the team notices that the EC2 instances are still using the NAT gateways to reach SQS, resulting in higher costs. What should the team do to ensure traffic to SQS stays within the AWS network?

A. Create an interface VPC endpoint for SQS in each private subnet.
B. Create a gateway VPC endpoint for SQS in the VPC and update the route tables for the private subnets to include a route for the SQS prefix list pointing to the endpoint.
C. Set up an AWS Direct Connect connection to route SQS traffic directly.
D. Modify the network ACLs and security groups to allow traffic to SQS without going through the NAT gateway.
Answer: B

Correct: Gateway Endpoints keep traffic within AWS and are free of charge.

Why this answer

Option B is correct because VPC Gateway Endpoints for SQS allow traffic to SQS to stay within the AWS network, avoiding NAT gateways and reducing costs. Option A is wrong because VPC Interface Endpoints are used for services that require private IPs, but SQS supports Gateway Endpoints. Option D is wrong because NACLs and security groups do not change the path; they only filter traffic. Option C is wrong because Direct Connect is for on-premises connectivity, not for VPC-to-SQS traffic.

917
Multi-Select · medium

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) in multiple Availability Zones. Which TWO configurations are required to achieve high availability?

Select 2 answers
A. The ALB must be configured with subnets in at least two Availability Zones
B. The ALB must be internet-facing
C. At least three EC2 instances must be registered with the ALB
D. A NAT gateway must be deployed in each Availability Zone
E. Cross-zone load balancing must be enabled on the ALB
Answers: A, B

Multiple AZs provide redundancy.

Why this answer

Option A is correct because the ALB must have subnets in at least two Availability Zones. Option B is correct because the ALB must be internet-facing to be accessible from the internet. Option E is wrong because cross-zone load balancing is enabled by default and not required for high availability. Option D is wrong because a single NAT gateway is a single point of failure. Option C is wrong because a single instance per AZ is sufficient.

918
Multi-Select · medium

A network engineer is troubleshooting high latency on a Direct Connect connection. The engineer wants to use monitoring tools to identify the source of the latency. Which two AWS services can provide metrics and logs to help diagnose the issue? (Choose TWO.)

Select 2 answers
A. AWS CloudTrail
B. AWS Config
C. Amazon CloudWatch
D. AWS Trusted Advisor
E. VPC Flow Logs
Answers: C, E

Provides Direct Connect metrics.

Why this answer

Options C and E are correct. CloudWatch provides metrics for Direct Connect (e.g., connection state, BGP status, packet loss). VPC Flow Logs capture IP traffic information that can be analyzed for latency patterns. Option A is wrong because CloudTrail logs API calls. Option B is wrong because AWS Config tracks configuration changes. Option D is wrong because Trusted Advisor provides recommendations, not real-time metrics.

919
Multi-Select · medium

A company is deploying a new application that requires low latency between EC2 instances. Which THREE placement group strategies should the network engineer consider?

Select 3 answers
A. Cross-zone load balancing
B. Spread placement group
C. Availability Zone placement group
D. Partition placement group
E. Cluster placement group
Answers: B, D, E

Spreads instances across distinct hardware for high availability.

Why this answer

Options B, D, and E are valid placement group strategies. Option C is not a placement group type. Option A is not a placement group but a feature of Network Load Balancer.

920
MCQ · easy

A company wants to securely connect an on-premises data center to a VPC in AWS. The connection must be encrypted and use the public internet. The company has a moderate volume of traffic and needs a quick setup. Which solution meets these requirements?

A. AWS Client VPN
B. AWS Transit Gateway
C. AWS Site-to-Site VPN
D. AWS Direct Connect
Answer: C

Site-to-Site VPN provides encrypted tunnels over the internet and can be set up quickly.

Why this answer

Option C is correct because AWS Site-to-Site VPN creates an encrypted IPsec tunnel over the public internet and can be set up quickly. Option D is wrong because Direct Connect provides a dedicated connection, not one over the internet. Option A is wrong because Client VPN is for individual client connections, not site-to-site. Option B is wrong because Transit Gateway is a network transit hub, not a connection method.

921
Multi-Select · easy

Which TWO of the following are valid methods to connect an on-premises network to an Amazon VPC? (Select TWO.)

Select 2 answers
A. AWS Direct Connect
B. AWS Site-to-Site VPN
C. VPC peering connection
D. VPC endpoint
E. Internet Gateway
Answers: A, B

Provides a dedicated private connection.

Why this answer

Options A and B are correct. AWS Direct Connect and AWS Site-to-Site VPN are the primary methods for connecting on-premises networks to VPCs. Option C is incorrect because VPC peering connects VPCs, not on-premises networks. Option E is incorrect because an Internet Gateway is for internet access. Option D is incorrect because VPC endpoints are for accessing AWS services privately.

922
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?

A. Launch a NAT instance in a public subnet and assign an Elastic IP. Configure the private subnet route table to point to the NAT instance.
B. Create an internet gateway and attach it to the private subnet, then configure the route table.
C. Create a VPC endpoint for Amazon S3 and route software update traffic through that endpoint.
D. Create a NAT gateway in each Availability Zone and assign the same Elastic IP to both.

Why this answer

Option D is correct because a NAT gateway in each AZ provides high availability, with one Elastic IP per AZ; if a single IP is needed, a single NAT gateway in one AZ (with a single EIP) or a NAT instance with an EIP can be used. However, the requirement is both high availability and a single IP, and a NAT gateway in each AZ would have multiple IPs. Option A is wrong because a NAT instance is not highly available. Option B is wrong because an internet gateway cannot be attached to a private subnet. Option C is wrong because a VPC endpoint for S3 does not provide internet access.

923
MCQeasy

A company needs to block traffic from a specific IP address range in their VPC. Which component should be used?

A.Route table
B.Network ACL
C.Internet gateway
D.Security group
AnswerB

NACLs can deny traffic from specific IP ranges.

Why this answer

Option B is correct: Network ACLs are stateless and can block IP ranges at the subnet level. Option D is wrong because security groups are stateful and cannot deny specific IPs (they only allow). Option A is wrong because route tables control routing, not filtering.

Option C is wrong because an internet gateway is a gateway, not a filter.

924
Multi-Selecthard

A company has a multi-account AWS environment using AWS Organizations. The network team wants to centralize VPC traffic inspection using a Transit Gateway and a firewall appliance in a central account. Which THREE steps are required to implement this design? (Choose THREE.)

Select 3 answers
A.Create a VPC peering connection between each spoke VPC and the central VPC.
B.Create a Transit Gateway in the central account and attach the central VPC.
C.Accept the Transit Gateway share in each spoke account and attach their VPCs.
D.Deploy a firewall appliance in each spoke VPC.
E.Use AWS Resource Access Manager to share the Transit Gateway with spoke accounts.
AnswersB, C, E

Transit Gateway is the hub.

Why this answer

Option B is correct because a Transit Gateway (TGW) in the central account acts as the hub for VPC traffic inspection. Attaching the central VPC (which contains the firewall appliance) to the TGW allows all inter-VPC traffic to be routed through the central inspection VPC, enabling centralized traffic inspection without requiring VPC peering or per-spoke firewalls.

Exam trap

AWS often tests the misconception that VPC peering can be used for transitive routing in a hub-and-spoke model, but the trap here is that VPC peering does not support transitive routing, so a Transit Gateway is required for centralized inspection across multiple VPCs.

925
Multi-Selectmedium

Which TWO configuration steps are required to enable VPC Flow Logs to be published to an S3 bucket in a different AWS account? (Select TWO.)

Select 2 answers
A.Attach a resource-based policy to the S3 bucket that grants the source account's Flow Logs service permission to write.
B.Configure the Flow Logs destination as a CloudWatch Logs log group in the source account.
C.Create an IAM role in the source account with a trust policy that allows the Flow Logs service to assume it and grants s3:PutObject to the destination bucket.
D.Create an IAM user in the source account with programmatic access and share the access keys.
E.Enable S3 cross-account replication.
AnswersA, C

The bucket policy must allow cross-account writes.

Why this answer

For cross-account flow logs, you need an IAM role in the source account that the Flow Logs service can assume, and that role must have permissions to write to the destination bucket. Additionally, the S3 bucket policy must grant the source account (or the role) the necessary permissions.
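The bucket-policy half of this answer, as an added example that is not part of the question bank: a policy on the destination account's bucket that lets the flow log delivery service write objects on behalf of the source account. The bucket name, the source account ID 111111111111 and the Region are placeholders; the delivered objects land under the AWSLogs/source-account/ prefix that Amazon VPC uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::DESTINATION-BUCKET-PLACEHOLDER/AWSLogs/111111111111/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111111111111",
          "s3:x-amz-acl": "bucket-owner-full-control"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:111111111111:*"
        }
      }
    },
    {
      "Sid": "AWSLogDeliveryAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::DESTINATION-BUCKET-PLACEHOLDER",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "111111111111" },
        "ArnLike": { "aws:SourceArn": "arn:aws:logs:us-east-1:111111111111:*" }
      }
    }
  ]
}
```

The aws:SourceAccount and aws:SourceArn conditions matter: without them any account could point its flow logs at this bucket through the same service principal and fill the prefix with foreign records.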

926
MCQmedium

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. It needs to connect to an on-premises data center over AWS Direct Connect. The on-premises network uses the 10.0.0.0/8 address space. The company cannot change the on-premises addressing. Which solution will allow connectivity without overlapping IP addresses?

A.Use VPC peering between the existing VPC and a new VPC with a non-overlapping CIDR, then route traffic through the new VPC.
B.Create a new VPC with a non-overlapping CIDR such as 172.16.0.0/16 and migrate resources.
C.Assign IPv6 CIDR to the existing VPC, use IPv6 for all resources, and connect over Direct Connect using IPv6.
D.Use AWS Transit Gateway with a Network Address Translation (NAT) attachment to translate the VPC CIDR.
AnswerC

IPv6 addresses do not overlap with the on-premises IPv4 space, providing unique addressing.

Why this answer

Option C is correct because assigning an IPv6 CIDR to the existing VPC and using IPv6 for all resources avoids the IPv4 address overlap with the on-premises 10.0.0.0/8 network. AWS Direct Connect supports both IPv4 and IPv6 traffic, so you can establish a BGP session over IPv6 and route IPv6 traffic between the VPC and on-premises, completely bypassing the conflicting IPv4 address space.

Exam trap

The trap here is that candidates assume Direct Connect only works with IPv4 or that overlapping IPv4 addresses can be resolved with NAT or Transit Gateway, but the exam tests the understanding that IPv6 is a clean way to avoid IPv4 overlap without changing the existing VPC CIDR.

How to eliminate wrong answers

Option A is wrong because VPC peering does not resolve IP address overlap; the existing VPC still uses 10.0.0.0/16, which overlaps with the on-premises 10.0.0.0/8, and routing through a new VPC does not change the fact that overlapping addresses cannot be communicated with directly. Option B is wrong because migrating resources to a new VPC with a non-overlapping CIDR (e.g., 172.16.0.0/16) is a valid long-term solution but does not allow connectivity without changing the existing VPC's addressing; the question asks for a solution that allows connectivity without overlapping IP addresses, and migration is a disruptive change, not a direct connectivity solution. Option D is wrong because AWS Transit Gateway does not have a 'NAT attachment'; NAT is typically implemented at the instance or gateway level (e.g., NAT gateway or instance), and Transit Gateway itself cannot perform network address translation between the VPC and on-premises networks.

927
Multi-Selecthard

A company is designing a network architecture for a multi-tier web application. The application includes a public-facing Application Load Balancer (ALB) in a public subnet, web servers in private subnets, and an Amazon RDS database in a private subnet. The company requires that the database is not directly accessible from the application servers except through specific ports, and that traffic between the web servers and the database is encrypted. Which TWO actions should the company take to meet these requirements? (Choose two.)

Select 2 answers
A.Place the RDS database in a public subnet with a security group that allows only the web servers' IP addresses
B.Establish a VPC peering connection between the web servers' VPC and the RDS VPC
C.Enable SSL/TLS encryption for connections between the web servers and the RDS database
D.Configure a security group on the RDS instance that allows inbound traffic from the web servers' security group on the database port
E.Use a network ACL to restrict inbound traffic to the RDS subnet to only the web server's IP range
AnswersC, D

SSL/TLS encrypts data in transit, meeting the encryption requirement.

Why this answer

Option C is correct because enabling SSL/TLS encryption for connections between the web servers and the RDS database ensures that data in transit is encrypted, meeting the requirement for encrypted traffic. Option D is correct because configuring a security group on the RDS instance that allows inbound traffic from the web servers' security group on the database port provides a stateful, instance-level firewall rule that restricts direct access to only the web servers, without exposing the database to the public subnet or relying on IP-based rules.

Exam trap

AWS often tests the distinction between security groups (stateful, instance-level) and network ACLs (stateless, subnet-level), and candidates mistakenly choose network ACLs for fine-grained access control when security groups are the correct choice for allowing traffic based on source security group IDs.

928
MCQeasy

A company uses VPC Flow Logs to monitor network traffic. The flow logs are published to Amazon S3. The security team wants to analyze the logs for suspicious traffic patterns using Amazon Athena. After creating the Athena table, queries return zero results. The logs are in the correct S3 bucket. What is the most likely cause?

A.The flow logs are encrypted with SSE-KMS and Athena does not have permission to decrypt
B.The Athena table is in a different AWS Glue database
C.The flow logs are in gzip format, which Athena does not support
D.The Athena table is not configured to read from the correct S3 partition structure
AnswerD

Partition structure must match the log location.

Why this answer

Option D is correct because VPC Flow Logs are stored in a partitioned folder structure (e.g., AWSLogs/account-id/vpcflowlogs/region/year/month/day/). If the Athena table does not use partition projection or the partition location is incorrect, queries return no data. Option A is wrong because encryption does not prevent Athena from reading.

Option B is wrong because the table can be in any database. Option C is wrong because the gzip file format is supported by Athena.

929
Multi-Selecthard

A company is deploying a new VPC with public and private subnets. The VPC will host web servers in the public subnet and database servers in the private subnet. The web servers need to access the internet for updates, and the database servers need to receive traffic only from the web servers. Which THREE components are essential for this architecture?

Select 3 answers
A.NAT gateway in the public subnet
B.Network ACL for subnets
C.Internet gateway
D.VPC endpoint for S3
E.Security groups for web and database servers
AnswersA, C, E

Allows private instances to access internet.

Why this answer

Options A, C, and E are correct because an internet gateway provides internet access for public subnets, a NAT gateway provides internet access for private subnets, and security groups act as firewalls for EC2 instances. Option B is wrong because NACLs are stateless and less granular. Option D is wrong because a VPC endpoint is not needed for general internet access.

930
Multi-Selecthard

A company is troubleshooting an issue where an application running on an EC2 instance cannot connect to an Amazon S3 bucket using a VPC endpoint. The security groups and network ACLs appear correct. Which THREE items should the network team verify to resolve the issue? (Choose three.)

Select 3 answers
A.The VPC endpoint policy allows access to the S3 bucket.
B.S3 Transfer Acceleration is enabled on the bucket.
C.The route table of the subnet includes a route for the S3 prefix list via the VPC endpoint.
D.The VPC endpoint is associated with the subnet where the EC2 instance resides.
E.The VPC has an Internet Gateway attached.
AnswersA, C, D

The endpoint policy controls what actions are allowed.

Why this answer

Option A is correct because the VPC endpoint policy may deny access to the specific S3 bucket. Option C is correct because the route table must have a route for the S3 prefix list via the endpoint. Option D is correct because the endpoint must be associated with the correct subnet (or require DNS resolution).

Option E is wrong because an Internet Gateway is not needed when using a VPC endpoint. Option B is wrong because S3 Transfer Acceleration is for speed, not connectivity.

931
Multi-Selecthard

A company is setting up a Site-to-Site VPN connection between an on-premises network and AWS. The VPN tunnel is established, but traffic is not flowing. Which THREE configuration items should be checked?

Select 3 answers
A.Route tables in the VPC and on-premises router.
B.Security group rules for the EC2 instances.
C.NAT gateway configuration in the VPC.
D.Network ACL rules for the subnets.
E.Internet gateway attachment to the VPC.
AnswersA, B, D

Routes are required for traffic forwarding.

Why this answer

Option A is correct because route tables must have routes to the remote network. Option B is correct because security group rules must allow the traffic. Option D is correct because network ACLs must allow the traffic.

Option C is incorrect because a NAT gateway is not required for VPN. Option E is incorrect because an internet gateway is not needed for VPN traffic.

932
MCQeasy

Refer to the exhibit. The bucket policy shown is applied to an S3 bucket. A VPC endpoint for S3 is created in a VPC with CIDR 10.0.0.0/16. An EC2 instance in the VPC tries to access an object in the bucket using the VPC endpoint. The request fails. What is the most likely reason?

A.The bucket policy does not allow s3:ListBucket.
B.The condition uses aws:SourceIp, which does not work with VPC endpoint traffic.
C.The EC2 instance does not have an IAM role that allows s3:GetObject.
D.The VPC endpoint does not have a route table associated with the instance's subnet.
AnswerB

aws:SourceIp is not applicable for VPC endpoint requests; use aws:SourceVpce instead.

Why this answer

The condition in the bucket policy uses aws:SourceIp, but when traffic goes through a VPC endpoint, the source IP is the private IP of the instance, which is not evaluated by aws:SourceIp. Instead, aws:SourceVpce should be used. Option C (IAM role) is not shown in the exhibit; Option D (route table) is not the issue.
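The corrected form of the policy described above, as an added example that is not part of the question bank: the failing version conditions on the VPC's public-looking CIDR with `"IpAddress": {"aws:SourceIp": "10.0.0.0/16"}`, which never matches requests arriving through the gateway endpoint; the fix keys on the endpoint ID instead. The bucket name and the endpoint ID vpce-0123456789abcdef0 are placeholders. The deny-unless-from-endpoint shape leaves the allow decision to the callers' IAM policies.

```json
{
  "Version": "2012-10-17",
  "Id": "Policy-restrict-to-vpc-endpoint",
  "Statement": [
    {
      "Sid": "DenyAccessExceptFromApprovedEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::BUCKET-PLACEHOLDER",
        "arn:aws:s3:::BUCKET-PLACEHOLDER/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        }
      }
    }
  ]
}
```

Because the statement denies every principal outside the endpoint, including administrators working from the console, apply it to a scratch bucket first and keep a break-glass path (for example, an additional aws:PrincipalArn exception) before rolling it out.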

933
MCQmedium

A company uses AWS Direct Connect with a private VIF to connect to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection in real time. Which AWS service should be used?

A.AWS CloudTrail
B.VPC Flow Logs
C.AWS Config
D.Amazon CloudWatch
AnswerD

CloudWatch provides Direct Connect metrics such as ConnectionBandwidthUtilization.

Why this answer

Option D is correct because CloudWatch provides metrics for Direct Connect connections, including bandwidth utilization. Option B is incorrect because VPC Flow Logs capture traffic per interface, not aggregate bandwidth. Option A is incorrect because CloudTrail logs API calls.

Option C is incorrect because AWS Config records configuration changes.

934
MCQmedium

A company wants to securely connect an on-premises data center to a VPC using AWS Site-to-Site VPN. The security team requires that all traffic between the on-premises network and the VPC be encrypted and that the VPN tunnel be highly available. Which design BEST meets these requirements?

A.Use AWS Direct Connect with a private VIF and enable encryption on the connection.
B.Create a single VPN tunnel with a virtual private gateway and enable encryption.
C.Create two VPN tunnels to the same virtual private gateway for redundancy.
D.Create a VPN connection with two tunnels, each terminating on a different virtual private gateway in the same VPC.
AnswerD

Provides encryption and high availability via diverse endpoints.

Why this answer

Option D is correct because using two VPN tunnels to two different AWS endpoints provides high availability and encryption. Option B is wrong because a single VPN tunnel is not highly available. Option A is wrong because Direct Connect does not provide encryption by default.

Option C is wrong because two tunnels to the same endpoint still have a single point of failure.

935
Multi-Selecteasy

A company is designing a VPC for a web application that requires high availability. The application will be deployed across multiple Availability Zones. Which THREE components are essential for a highly available network design? (Choose THREE.)

Select 3 answers
A.Subnets in at least two Availability Zones
B.A single VPN connection to on-premises
C.A NAT gateway in each Availability Zone
D.VPC peering with a backup VPC
E.An internet gateway attached to the VPC
AnswersA, C, E

Provides AZ redundancy.

Why this answer

Option A is correct: Multiple AZs ensure availability if one AZ fails. Option E is correct: An internet gateway provides internet access. Option C is correct: A NAT gateway in each AZ ensures outbound internet access even if one AZ fails.

Option B is wrong because a single VPN connection is a single point of failure. Option D is wrong because VPC peering is for connecting VPCs, not for high availability within a VPC.

936
Multi-Selecteasy

A company wants to encrypt all data in transit between an Application Load Balancer (ALB) and its target EC2 instances. Which TWO actions should be taken?

Select 2 answers
A.Enable Client Certificate Authentication on the ALB
B.Configure the target group to use HTTPS as the protocol
C.Add a listener rule to forward traffic based on path
D.Configure the ALB listener to use HTTPS
E.Configure security groups to allow only HTTPS traffic
AnswersB, D

HTTPS target group ensures traffic from ALB to targets is encrypted.

Why this answer

Options B and D are correct. The ALB listener must use HTTPS to terminate SSL (D). The target group must use the HTTPS protocol to encrypt traffic to the targets (B).

Option C is wrong because listener rules do not affect encryption. Option E is wrong because security group rules do not encrypt traffic. Option A is wrong because Client Certificate Authentication is for client-to-ALB, not ALB-to-target.

937
MCQmedium

A company is designing a hybrid network architecture that connects multiple VPCs in different AWS regions to an on-premises data center. The company wants to minimize the number of VPN tunnels and reduce management overhead. Which AWS service should be used to simplify this design?

A.AWS Transit Gateway with VPN attachments
B.AWS Direct Connect with multiple virtual interfaces
C.AWS VPN CloudHub
D.VPC peering between each VPC and the on-premises network
AnswerA

Transit Gateway provides a central hub that can connect multiple VPCs and on-premises networks via VPN, reducing the number of connections and simplifying management.

Why this answer

AWS Transit Gateway with VPN attachments is correct because it acts as a central hub that connects multiple VPCs across different AWS regions and an on-premises data center through a single VPN connection. This minimizes the number of VPN tunnels by eliminating the need for individual VPN connections between each VPC and the on-premises network, and reduces management overhead through a single point of configuration and routing.

Exam trap

The trap here is that candidates often confuse VPC peering as a viable option for on-premises connectivity, not realizing that VPC peering only works between VPCs and cannot extend to an on-premises network, leading them to overlook the centralized hub-and-spoke model of Transit Gateway.

How to eliminate wrong answers

Option B is wrong because AWS Direct Connect with multiple virtual interfaces does not inherently reduce the number of VPN tunnels; it still requires separate VPN connections or complex routing for multi-region VPC connectivity, and does not provide a centralized hub for inter-VPC and on-premises traffic. Option C is wrong because AWS VPN CloudHub is designed for connecting multiple on-premises sites to AWS via VPN, but it does not natively support inter-VPC connectivity across different regions without additional configuration and still requires multiple VPN tunnels for each VPC. Option D is wrong because VPC peering between each VPC and the on-premises network is not supported; VPC peering only connects VPCs within AWS and cannot directly connect to an on-premises data center, requiring additional VPN or Direct Connect attachments for each VPC, which increases management overhead.

938
MCQhard

A company has a Direct Connect connection with two private virtual interfaces (VIFs) to two different VPCs. The company wants to use the same Direct Connect connection for both VPCs, but the on-premises router only has one physical port. The network engineer configures a single BGP session over a VLAN-tagged interface. After configuration, only one VPC is reachable. What is the most likely reason?

A.The on-premises router is using the same BGP ASN for both VIFs, which is not allowed
B.The BGP peer IP addresses must be in the same subnet for both VIFs
C.The VLAN ID must be the same for both VIFs to work over a single physical port
D.Each private VIF requires a separate BGP session, and only one session was configured
AnswerD

Each VIF needs its own BGP session.

Why this answer

Option D is correct because each private VIF requires its own BGP session and a unique VLAN ID. A single BGP session cannot serve two VIFs because the VIFs are logically separate. Option A is wrong because the same BGP ASN can be used on both VIFs if a Direct Connect gateway is used.

Option C is wrong because there is no requirement to use the same VLAN. Option B is wrong because the BGP sessions can be established with different peer IPs.

939
MCQhard

A company has a VPC with multiple subnets and an AWS Transit Gateway. They have a requirement to inspect traffic between subnets using a third-party firewall appliance that is deployed in a centralized inspection VPC. The firewall appliance must process all traffic between the VPC subnets, including traffic between subnets in the same Availability Zone. Which routing configuration achieves this?

A.Create a VPC route table that routes all traffic (0.0.0.0/0) to the Transit Gateway.
B.Create a VPC route table that routes the VPC CIDR to the Transit Gateway and associate it with each subnet.
C.Use the main route table and add a route for the VPC CIDR to the Transit Gateway.
D.Associate each subnet with a custom route table that has a route for the VPC CIDR to the Transit Gateway.
AnswerB

This forces all traffic destined for other subnets to go to the Transit Gateway for inspection.

Why this answer

Option B is correct. To force all inter-subnet traffic through the Transit Gateway, you must create a VPC route table that routes traffic destined for other subnets (the VPC's CIDR) to the Transit Gateway and associate it with each subnet. This ensures traffic leaves the VPC and goes through the Transit Gateway to the inspection VPC.

Option A is incorrect because the default route for intra-VPC traffic is local, which would bypass the Transit Gateway. Option C is incorrect because the main route table still has the local route for the VPC CIDR, so traffic between subnets stays within the VPC. Option D is incorrect because subnet route tables are attached to subnets, but if those route tables keep the local route for the VPC CIDR, traffic will not go to the Transit Gateway.

940
MCQmedium

A company is using AWS WAF to protect its web application. The security team notices that the WAF logs show a high number of requests from a specific IP address range that are being blocked by the SQL injection rule. However, the application team reports that legitimate users from that IP range are unable to access the application. Which action should the security team take to resolve this issue while maintaining security?

A.Disable the SQL injection rule for the specific IP range.
B.Increase the rate limit for the entire WAF.
C.Add the IP range to the allow list in the WAF.
D.Create a rate-based rule to limit requests from the IP range.
AnswerD

A rate-based rule allows legitimate traffic while blocking excessive requests that may be malicious.

Why this answer

Option D is correct because creating a rate-based rule can limit the request rate from the IP range, allowing legitimate traffic while still blocking excessive requests. Option A is wrong because disabling the SQL injection rule removes protection. Option C is wrong because allowing the entire IP range bypasses security.

Option B is wrong because increasing the rate limit for the entire WAF is not granular enough.

941
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect. They need to ensure high availability and failover. Which THREE components should be deployed to meet these requirements?

Select 3 answers
A.A single AWS Direct Connect connection.
B.Two Customer Gateways (CGWs).
C.Two Virtual Private Gateways (VGWs).
D.Two AWS Direct Connect connections.
E.An AWS Site-to-Site VPN connection as backup.
AnswersB, C, D

Two CGWs provide on-premises redundancy.

Why this answer

Options B, C, and D are correct. Two Direct Connect connections (D) provide redundancy. Two Customer Gateways (B) ensure redundant on-premises termination.

Two Virtual Private Gateways (C) provide redundant AWS-side termination. Option A is wrong because a single connection is a single point of failure. Option E is wrong because a VPN connection is not required if Direct Connect is used.

942
Multi-Selecthard

A company needs to ensure that all outbound internet traffic from a VPC goes through a centralized inspection appliance. The VPC has multiple subnets. Which THREE steps are required to implement this?

Select 3 answers
A.Configure security groups to allow outbound traffic from the instances
B.Launch a NAT gateway in a public subnet and associate it with an Elastic IP
C.Attach an Internet Gateway to the VPC and route all traffic to it
D.Create VPC endpoints for all required AWS services
E.Configure route tables in each private subnet to send 0.0.0.0/0 traffic to a NAT gateway in a public subnet
AnswersA, B, E

Security groups must allow outbound traffic for instances to communicate.

Why this answer

Options A, B, and E are correct. An egress-only Internet Gateway is used for IPv6, but for IPv4 the default route points to a NAT gateway or appliance. The question implies IPv4, and using a NAT gateway is common.

Option E (route table) is essential. Option A (security groups) allows the traffic. Option B (NAT gateway in a public subnet) provides outbound connectivity.

Option D is wrong because VPC endpoints are for AWS services, not the internet. Option C is wrong because the IGW is for inbound, not outbound inspection.

943
MCQhard

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The on-premises network uses BGP to advertise a route for 10.0.0.0/8. The VPC CIDR is 10.1.0.0/16. The company wants to ensure that all traffic from the VPC to on-premises uses the Direct Connect connection, but if the Direct Connect fails, traffic should fail over to a VPN connection. Which configuration achieves this?

A.Create a static route in the VPC route table pointing to the VPN with a metric of 100, and let BGP propagate the Direct Connect route.
B.Configure a BGP local preference of 200 on the Direct Connect VIF and 100 on the VPN connection, and use the same ASN for both.
C.Set the MED attribute on the Direct Connect VIF to 100 and on the VPN to 200.
D.Configure AS path prepend on the Direct Connect side to advertise a longer AS path.
AnswerB

Higher local preference is preferred; thus Direct Connect will be primary and VPN backup.

Why this answer

Option B is correct because a lower BGP local preference on the VPN side makes the Direct Connect route more preferred. Option D is wrong because AS path prepending on the Direct Connect side would make it less preferred. Option A is wrong because a static route with a high metric would be less preferred, not a backup.

Option C is wrong because setting a lower MED on the Direct Connect side would make it more preferred, but the question asks for failover order; the VPN should be the backup, so the VPN MED should be higher.

944
Drag & Dropmedium

Arrange the steps to configure VPC Flow Logs for a VPC and publish logs to CloudWatch Logs:

Why this order

First create the log group, then the IAM role, then the flow log, then verify, then analyze.

945
Multi-Selecthard

A company is designing a multi-VPC architecture with AWS Transit Gateway. The security requirements include: (1) all inter-VPC traffic must be inspected by a central firewall, (2) traffic to the internet must egress through a centralized egress VPC, and (3) traffic to on-premises via Direct Connect must go through the same inspection firewall. Which THREE components are required to meet these requirements?

Select 3 answers
A.VPC peering connections between all VPCs
B.AWS Network Firewall in an inspection VPC
C.Virtual Private Gateway (VGW) attachment to the inspection VPC
D.NAT gateways in each VPC
E.AWS Transit Gateway with multiple route tables
AnswersB, C, E

Provides centralized traffic inspection.

Why this answer

Option E (Transit Gateway with route tables) is needed to control traffic routing. Option B (Network Firewall in an inspection VPC) provides traffic inspection. Option C (Virtual Private Gateway attached to the inspection VPC) allows Direct Connect traffic to be routed through the firewall.

Option D is wrong because a NAT Gateway is for internet egress; the centralized egress VPC may use a NAT Gateway, but a NAT Gateway in each VPC is not a component required for all three requirements. Option A is wrong because VPC peering is not used with Transit Gateway.

946
Multi-Selecteasy

A company is deploying a VPC with public and private subnets. They need to provide internet access to instances in the private subnets for software updates. Which THREE components are required to achieve this?

Select 3 answers
A.Route table in the private subnet with a default route pointing to the NAT Gateway
B.AWS Site-to-Site VPN connection
C.NAT Gateway in a public subnet
D.Internet Gateway attached to the VPC
E.AWS Direct Connect connection
AnswersA, C, D

The route table must direct traffic to the NAT Gateway for internet access.

Why this answer

Options A, C, and D are correct. A NAT Gateway (or NAT instance) in a public subnet, an Internet Gateway attached to the VPC, and a route table in the private subnet pointing to the NAT Gateway are required. Option B is wrong because a VPN connection is not needed.

Option E is wrong because a Direct Connect connection is not needed.

947
Multi-Selecteasy

Which TWO components are required when configuring a transit gateway to connect multiple VPCs and an on-premises network via Direct Connect? (Choose 2)

Select 2 answers
A.Internet gateway (IGW)
B.Transit Gateway association with the Direct Connect gateway
C.Virtual private gateway (VGW)
D.Customer gateway (CGW)
E.Direct Connect gateway
AnswersB, E

The Transit Gateway must be associated with the Direct Connect gateway to route traffic.

Why this answer

When using Transit Gateway with Direct Connect, you need a Direct Connect gateway, and the Transit Gateway must be associated with the Direct Connect gateway. A virtual private gateway (VGW) is not used with Transit Gateway; it is used with a VPC alone. A customer gateway is used for VPN, not Direct Connect.

An internet gateway is for public internet traffic.

948
MCQeasy

A company is deploying a web application on EC2 instances behind an ALB. The application must be accessible only over HTTPS. Which security group rule should be added to the ALB security group?

A.Inbound: TCP port 22 from 0.0.0.0/0
B.Inbound: TCP port 443 from 0.0.0.0/0
C.Inbound: TCP port 3306 from 0.0.0.0/0
D.Inbound: TCP port 80 from 0.0.0.0/0
AnswerB

HTTPS uses port 443.

Why this answer

The ALB must terminate HTTPS traffic, which requires an inbound rule allowing TCP port 443 (HTTPS) from 0.0.0.0/0. This ensures clients can establish encrypted TLS connections to the load balancer, as the application is only accessible over HTTPS.

Exam trap

AWS often tests the distinction between the ALB's security group (which needs port 443 for HTTPS) and the EC2 instances' security group (which needs only the ALB's source security group), leading candidates to mistakenly choose port 80 (HTTP) or port 22 (SSH) for the ALB.

How to eliminate wrong answers

Option A is wrong because TCP port 22 (SSH) is used for remote administration of EC2 instances, not for web traffic to an ALB, and opening it to 0.0.0.0/0 would expose management interfaces unnecessarily. Option C is wrong because TCP port 3306 (MySQL) is a database port that should never be exposed to the internet from an ALB; database access should be restricted to application servers via private subnets. Option D is wrong because TCP port 80 (HTTP) would allow unencrypted traffic, which violates the requirement that the application be accessible only over HTTPS; allowing HTTP would bypass the encryption mandate.

949
Multi-Select medium

A company is designing a network architecture for a critical application that requires high availability and fault tolerance. The application will be deployed on EC2 instances in an Auto Scaling group across three Availability Zones. The instances must be able to communicate with each other across AZs. Which TWO design decisions improve the fault tolerance of the application? (Choose TWO.)

Select 2 answers
A. Use a single NAT Gateway in one Availability Zone for internet access
B. Use VPC endpoints for Amazon S3 to reduce internet dependency
C. Configure the Auto Scaling group to launch instances in multiple Availability Zones
D. Use a single Network Load Balancer in one Availability Zone
E. Deploy EC2 instances evenly across three Availability Zones
Answers: C, E

Auto Scaling across AZs automatically replaces failed instances and maintains capacity.

Why this answer

Options C and E are correct. Option E is correct because distributing instances evenly across three AZs ensures that the application survives the loss of a single AZ. Option C is correct because an Auto Scaling group spanning multiple AZs automatically replaces failed instances and maintains the desired capacity.

Option A is wrong because a single NAT Gateway is a single point of failure. Option D is wrong because a single NLB in one AZ is a single point of failure. Option B is wrong because VPC endpoints do not improve fault tolerance for inter-instance communication.

950
MCQ hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution meets this requirement?

A. Create a VPC gateway endpoint for S3 and attach an endpoint policy that restricts access to the specific bucket
B. Establish a VPN connection to the on-premises network and route through it
C. Set up a NAT gateway in the public subnet and route private subnet traffic to it
D. Deploy a proxy server in the public subnet and configure the instance to use it
Answer: A

Traffic stays within AWS network.

Why this answer

Option A is correct because a VPC gateway endpoint for S3 lets instances in the private subnet reach S3 without traversing the internet, and the endpoint policy limits access to the specific bucket. Option C is wrong because a NAT gateway still sends the traffic over the internet. Option D is wrong because a proxy server in the public subnet also introduces internet transit.

Option B is wrong because a VPN connection provides on-premises connectivity, not access to S3.

951
Multi-Select hard

A company has a multi-account AWS environment with hundreds of VPCs interconnected via a transit gateway. The network team needs to centrally monitor VPC reachability and identify asymmetric routing paths. Which THREE services or features should be used together to achieve this? (Choose three.)

Select 3 answers
A. Amazon CloudWatch Contributor Insights
B. VPC Reachability Analyzer
C. AWS Network Manager
D. AWS Config
E. AWS CloudHSM
Answers: A, B, C

Analyzes VPC Flow Logs to detect traffic patterns and anomalies.

Why this answer

VPC Reachability Analyzer can test paths and detect asymmetric routing. AWS Network Manager provides central visibility for transit gateway networks. Amazon CloudWatch Contributor Insights helps analyze VPC Flow Logs to identify traffic patterns.

AWS Config evaluates rules but not real-time path analysis. AWS CloudHSM is for hardware security modules.

952
MCQ hard

A company runs a critical application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) in a VPC. The application experiences unpredictable traffic spikes. The company notices that during peak traffic, the ALB returns 503 errors. The network engineer checks the ALB's CloudWatch metrics and sees that the 'ActiveConnectionCount' is high but 'TargetResponseTime' is low. The ALB's target group is configured with a deregistration delay of 300 seconds. The ALB is internet-facing and uses an SSL/TLS certificate from AWS Certificate Manager. The security group for the ALB allows inbound HTTPS from 0.0.0.0/0. The target instances' security group allows inbound traffic from the ALB's security group. The VPC has a CIDR of 10.0.0.0/16 with public and private subnets. The ALB is in public subnets, and the instances are in private subnets. The route tables for private subnets have a default route to a NAT gateway in the public subnets. The company wants to resolve the 503 errors. What should the network engineer do?

A. Disable cross-zone load balancing on the ALB.
B. Increase the deregistration delay to 600 seconds.
C. Increase the idle timeout setting on the ALB to a higher value.
D. Move the ALB to private subnets and use a NAT gateway for internet access.
Answer: C

Higher idle timeout keeps connections alive, reducing connection rate.

Why this answer

Option C is correct. The 503 errors are likely due to the ALB's connection limit or insufficient target capacity. Since target response time is low, the targets are not overloaded.

The deregistration delay of 300 seconds may cause connections to drain slowly, but the main issue is that the ALB may be hitting its connection limit. Increasing the ALB's idle timeout allows connections to stay open longer, reducing the rate of new connections. Option B is incorrect because increasing the deregistration delay would make the problem worse.

Option D is incorrect because the ALB is already in public subnets. Option A is incorrect because disabling cross-zone load balancing would reduce capacity.

953
MCQ hard

A company has a VPC with multiple subnets across Availability Zones. An application load balancer (ALB) is deployed in public subnets. The network team notices that traffic from the ALB to targets in private subnets is intermittently failing. The targets are healthy. What is the MOST likely cause?

A. The ALB is not associated with a public subnet.
B. The target security group does not allow traffic from the ALB's security group.
C. The network ACL for the target subnets blocks outbound traffic.
D. Cross-zone load balancing is disabled.
Answer: B

The target security group must allow traffic from the ALB's security group; if not, traffic is dropped.

Why this answer

Option B is correct. The question states that the targets are healthy, yet traffic from the ALB to the targets is failing. The ALB communicates with its targets using its private IP addresses, and the target security group must allow inbound traffic from the ALB's security group; if it does not, that traffic is dropped. Option C is incorrect because NACLs are stateless and must allow both inbound and outbound traffic.

Option A is incorrect because the ALB is already in public subnets and can reach the internet. Option D is incorrect because cross-zone load balancing is enabled by default on an ALB.

954
Multi-Select medium

A company is designing a network for a critical application that requires low-latency communication between EC2 instances in the same AWS Region. They want to maximize network throughput and minimize latency. Which TWO design choices should they make? (Choose two.)

Select 2 answers
A. Attach an internet gateway to the VPC and route traffic through it.
B. Enable enhanced networking (ENA) on the EC2 instances.
C. Use a VPN connection to route traffic between instances.
D. Use a spread placement group for the EC2 instances.
E. Place the EC2 instances in a cluster placement group.
Answers: B, E

Enhanced networking provides higher bandwidth and lower latency.

Why this answer

Option B is correct because enabling Enhanced Networking (ENA) on EC2 instances provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies by using a modern network interface driver that offloads network processing to dedicated hardware. Option E is correct because a cluster placement group packs instances close together within a single Availability Zone, giving the lowest inter-instance latency and the highest network throughput. Together these are essential for critical applications requiring maximum throughput and minimal latency within the same AWS Region.

Exam trap

AWS often tests the misconception that spread placement groups improve network performance, when in fact they are designed for high availability and fault tolerance, not low latency or high throughput.

955
MCQ medium

Refer to the exhibit. A network architect is reviewing an IAM policy for a junior engineer. What is the security concern with this policy?

A. The policy does not include a condition to restrict the actions to specific VPCs
B. The policy allows deletion of VPCs and subnets, which could lead to resource loss
C. The policy allows creation of VPCs and subnets, which could cause resource exhaustion
D. The policy allows read-only actions that could expose sensitive network configurations
Answer: B

Delete actions are destructive.

Why this answer

Option B is correct because the IAM policy grants `ec2:DeleteVpc` and `ec2:DeleteSubnet` permissions, which allow the junior engineer to delete VPCs and subnets. This could lead to irreversible resource loss, including all associated resources like route tables, security groups, and network interfaces, disrupting network connectivity and services.

Exam trap

AWS often tests the misconception that allowing creation actions (like `ec2:CreateVpc`) is the primary risk, but the trap here is that destructive actions (like `ec2:DeleteVpc`) pose a more immediate and severe security concern due to potential data loss and service disruption.

How to eliminate wrong answers

Option A is wrong because the policy does not include a condition to restrict actions to specific VPCs, but the primary security concern is the ability to delete resources, not the lack of conditions; conditions are a best practice but not the most immediate risk here. Option C is wrong because while creating VPCs and subnets could cause resource exhaustion, the policy also allows deletion, which poses a more direct risk of data loss and service disruption; resource exhaustion is a potential issue but less critical than destructive actions. Option D is wrong because the policy does not include read-only actions; it includes `ec2:CreateVpc`, `ec2:CreateSubnet`, `ec2:DeleteVpc`, and `ec2:DeleteSubnet`, which are all write or destructive actions, not read-only.

956
MCQ medium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company has a NAT Gateway in the public subnet. The network team notices that instances in the private subnets cannot reach the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT Gateway. What could be the issue?

A. The NAT Gateway does not have a route to the internet gateway
B. The NAT Gateway is in a private subnet
C. The VPC does not have a VPC endpoint for the software update service
D. The security group attached to the NAT Gateway is blocking traffic
Answer: B

NAT Gateway must be in a public subnet with a route to IGW.

Why this answer

Option B is correct because the NAT Gateway must be in a public subnet whose route table has a route to the internet gateway in order to function. Option A is wrong because the NAT Gateway itself does not hold routes; the route table of the subnet where it resides needs the route to the internet gateway. Option D is wrong because security groups are attached to instances, not to NAT Gateways.

Option C is wrong because VPC endpoints provide access to specific AWS services, not general internet access.

957
Multi-Select easy

Which TWO of the following are valid methods to connect an on-premises network to an Amazon VPC over a private, dedicated connection? (Select TWO.)

Select 2 answers
A. AWS Direct Connect Gateway
B. AWS Direct Connect
C. AWS Client VPN
D. VPC Peering
E. AWS VPN CloudHub
Answers: A, B

Extends Direct Connect to multiple VPCs.

Why this answer

Options A and B are correct. AWS Direct Connect provides dedicated private connectivity, and a Direct Connect gateway extends that connection to multiple VPCs. AWS VPN CloudHub uses VPN connections over the internet, not a dedicated link.

VPC peering is between VPCs, not on-premises. AWS Client VPN is a remote-access VPN. So A and B are correct: Direct Connect gateway and Direct Connect.

958
MCQ hard

A financial services company must meet PCI DSS compliance for its VPC design. It requires that all traffic between application tiers be encrypted in transit and that no traffic can bypass the encryption. The architecture includes a public-facing Application Load Balancer (ALB), a web tier in public subnets, an app tier in private subnets, and a database tier in isolated subnets. Which design meets these requirements?

A. Terminate TLS at the ALB. Use HTTP between ALB and web tier. Use HTTPS between web and app tier. Use TLS between app and database tier.
B. Terminate TLS at the ALB. Use HTTP between ALB and web tier. Use HTTPS between web and app tier. Use TLS between app and database tier.
C. Terminate TLS at the ALB. Use HTTPS between ALB and web tier. Use TLS mutual authentication between web and app tier. Use TLS between app and database tier.
D. Terminate TLS at the ALB. Use HTTPS between ALB and web tier. Use HTTP between web and app tier. Use TLS between app and database tier.
Answer: C

All traffic is encrypted: ALB to web (HTTPS), web to app (TLS mutual auth), app to database (TLS).

Why this answer

Option C is correct because it ensures encryption in transit for all traffic between application tiers, meeting PCI DSS requirements. The ALB terminates TLS from clients, then uses HTTPS (TLS) to the web tier, mutual TLS between web and app tiers for strong authentication and encryption, and TLS between app and database tiers. This design prevents any unencrypted traffic from bypassing encryption, as every hop uses TLS.

Exam trap

The trap here is that candidates may assume terminating TLS at the ALB is sufficient for all internal traffic, overlooking the need for encryption between every tier, especially the web-to-app hop where HTTP is often mistakenly considered acceptable.

How to eliminate wrong answers

Option A is wrong because it uses HTTP between the ALB and web tier, which transmits data in plaintext, violating the requirement that no traffic can bypass encryption. Option B is identical to A and thus also wrong for the same reason. Option D is wrong because it uses HTTP between the web and app tier, leaving that hop unencrypted and failing to meet PCI DSS encryption requirements.

959
MCQ medium

An engineer is troubleshooting connectivity from on-premises to a VPC via Direct Connect private VIF. The BGP session is up, traffic is flowing, but the on-premises network cannot reach some subnets in the VPC. The VPC CIDR is 10.0.0.0/16. What is the most likely cause based on the exhibit?

A. The BGP session is up, but the on-premises router is not receiving the VPC CIDR route due to missing route propagation on the virtual private gateway.
B. The customer router configuration snippet is missing the BGP configuration for those subnets.
C. The security groups or network ACLs in the VPC are blocking traffic to those subnets.
D. The route filter prefixes only allow the VPC CIDR 10.0.0.0/16, but the VPC has additional CIDRs that are not being advertised.
Answer: C

Since the VPC CIDR is advertised, reachability issues within the VPC are more likely due to security group or NACL rules.

Why this answer

The exhibit shows that the route filter prefixes for the private VIF include only 10.0.0.0/16. Route filter prefixes on a virtual interface define the prefixes that the customer advertises to AWS; they do not control what AWS advertises to the customer. AWS advertises the VPC CIDR automatically over the private VIF, so the on-premises router should already hold a route covering the entire 10.0.0.0/16, and therefore every subnet in the VPC. The BGP session is up and traffic is flowing, which confirms that this route is being received. Another possibility would be that the on-premises router filters incoming routes, but nothing in the exhibit indicates that.

If the VPC had additional CIDRs (e.g., 10.1.0.0/16), subnets in those ranges would fall outside the advertised prefix and would not be reachable; that is the scenario Option D describes. The question, however, states that the VPC CIDR is the single block 10.0.0.0/16, so every subnet lies within the advertised route and routing cannot explain why only some subnets are unreachable.

When the whole /16 is routed and reachable but specific subnets are not, the most likely cause is filtering inside the VPC: security group rules on the instances or network ACL rules on the affected subnets, which is Option C.

960
MCQ easy

A company needs to provide temporary, limited-privilege credentials to users so they can access AWS resources from mobile apps. Which AWS service should they use?

A. AWS Key Management Service (KMS)
B. Amazon Cognito user pools
C. AWS Security Token Service (STS)
D. IAM user with access keys
Answer: C

STS provides temporary, limited-privilege credentials.

Why this answer

AWS STS allows you to request temporary, limited-privilege credentials. Option D is wrong because IAM user access keys are long-term credentials. Option B is wrong because Amazon Cognito user pools are a user directory for sign-up and sign-in.

Option A is wrong because KMS manages encryption keys, not credentials.

961
MCQ hard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to a partner VPC with CIDR 10.0.0.0/16. Both VPCs are in the same region. They want to use VPC Peering. After creating the peering connection and adding routes, connectivity fails. What is the most likely cause?

A. The peering connection is not set up for transitive routing.
B. The peering connection status is 'pending-acceptance'.
C. Overlapping CIDR blocks prevent VPC peering connectivity.
D. The route tables do not have a route to the peering connection.
Answer: C

VPC peering does not support overlapping CIDRs.

Why this answer

Option C is correct because overlapping CIDRs are not allowed in VPC peering; with identical address ranges, routes cannot distinguish one VPC from the other. Option D is wrong because the routes to the peering connection were already added, so there is no missing route after peering. Option A is wrong because transitive routing is not involved in a direct peering between two VPCs (and VPC peering does not support it in any case).

Option B is wrong because any status other than active would prevent connectivity, but with overlapping CIDRs the peering would not work even when active.

962
MCQ hard

A company has a large AWS environment with hundreds of VPCs connected via a Transit Gateway. The network team is implementing a new hub-and-spoke architecture where all traffic between VPCs must be inspected by a centralized firewall appliance in a shared services VPC. The firewall appliance is a third-party virtual appliance that supports VRF-like segmentation. The network engineer has configured the Transit Gateway with separate route tables for each VPC, and the shared services VPC is associated with all route tables. The firewall appliance is deployed in the shared services VPC with two ENIs: one in a 'trust' subnet and one in an 'untrust' subnet. The trust subnet is used for traffic coming from spoke VPCs, and the untrust subnet is used for traffic going to other spoke VPCs. The firewall appliance performs stateful inspection and returns traffic to the Transit Gateway via the correct ENI. However, after implementation, traffic between two spoke VPCs (VPC A and VPC B) is being dropped. The engineer verifies that the Transit Gateway route tables have static routes for each spoke VPC CIDR pointing to the shared services VPC attachment. The spoke VPCs have routes to each other's CIDR via the Transit Gateway. The firewall logs show that traffic from VPC A reaches the trust ENI, but the firewall is unable to send traffic to VPC B because it does not have a route to VPC B's CIDR. What is the most likely cause?

A. The shared services VPC attachment is not propagating routes to the Transit Gateway route tables.
B. The security group for the firewall's untrust ENI is blocking outbound traffic.
C. The Transit Gateway route table for VPC A does not have a route for VPC B's CIDR.
D. The route table for the untrust subnet does not have a route to VPC B's CIDR pointing to the Transit Gateway.
Answer: D

The untrust subnet needs a route to return traffic to the Transit Gateway. Without it, the firewall cannot send traffic to VPC B.

Why this answer

Option D is correct because the firewall's untrust subnet route table must have a route pointing to the Transit Gateway for VPC B's CIDR. The firewall receives traffic from VPC A on its trust ENI, processes it, and then sends it out the untrust ENI. Without a route in the untrust subnet's route table directing traffic for VPC B's CIDR to the Transit Gateway, the firewall cannot forward the traffic back to the Transit Gateway for delivery to VPC B, causing the drop.

Exam trap

The trap here is that candidates often focus on Transit Gateway route tables and forget that the subnet route tables within the shared services VPC must also be configured to route traffic back to the Transit Gateway, especially when using a firewall with separate ENIs for trust and untrust subnets.

How to eliminate wrong answers

Option A is wrong because the shared services VPC attachment does not need to propagate routes to the Transit Gateway route tables; the static routes in the Transit Gateway route tables already point to the shared services VPC attachment for spoke-to-spoke traffic. Option B is wrong because the security group for the firewall's untrust ENI would block traffic at the firewall level, but the issue is that the firewall cannot send traffic due to a missing route, not that traffic is blocked by a security group. Option C is wrong because the Transit Gateway route table for VPC A does have a route for VPC B's CIDR pointing to the shared services VPC attachment, as verified by the engineer; the problem lies in the subnet route table within the shared services VPC.

963
MCQ hard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket. The VPC has a NAT Gateway in the public subnet. The security group for the EC2 instance allows outbound HTTPS to 0.0.0.0/0. The NACL for the private subnet allows outbound HTTPS to 0.0.0.0/0 and inbound ephemeral ports from 0.0.0.0/0. The instance still cannot reach S3. What is the most likely cause?

A. The NAT Gateway's security group does not allow outbound HTTPS traffic.
B. The NACL for the private subnet blocks inbound traffic from S3.
C. The private subnet's route table does not have a route to the NAT Gateway.
D. The S3 bucket policy denies access from the VPC.
Answer: A

NAT Gateway's security group must allow outbound traffic to S3.

Why this answer

Option A is correct because S3 API calls use HTTPS (443), and the NAT Gateway's security group must allow inbound HTTPS from the private subnet and outbound HTTPS to S3. If the NAT Gateway's security group does not allow outbound HTTPS to S3, the traffic is dropped. Option C is wrong because the private subnet's route table already has a route to the NAT Gateway.

Option D is wrong because S3 does not have a security group in the VPC. Option B is wrong because the NACL allows inbound ephemeral ports.

964
MCQ hard

A financial services company must meet PCI DSS compliance requirements. The company's VPC contains a web server in a public subnet and an application server in a private subnet. The application server must communicate with a third-party payment gateway over the internet, but the security team prohibits using an Elastic IP address or a NAT gateway due to auditing concerns. Which solution satisfies these requirements?

A. Deploy a NAT instance in the public subnet and route traffic through it
B. Configure a proxy server in the public subnet and have the application server use the proxy
C. Use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service
D. Attach an Internet Gateway to the VPC and use a default route to 0.0.0.0/0 in the private subnet
Answer: C

PrivateLink enables private connectivity to services over the AWS network, avoiding public IPs and internet transit, meeting compliance requirements.

Why this answer

AWS PrivateLink allows the application server in the private subnet to connect to the third-party payment gateway via a VPC Endpoint Service without traversing the internet, using private IP addresses. This eliminates the need for an Elastic IP address or a NAT gateway, satisfying the security team's auditing concerns while meeting PCI DSS compliance requirements.

Exam trap

The trap here is that candidates often assume a NAT gateway or proxy is required for outbound internet access, but PrivateLink provides a private, internet-free connection to third-party services, directly addressing the auditing and compliance constraints.

How to eliminate wrong answers

Option A is wrong because a NAT instance requires an Elastic IP address to provide outbound internet access, which is explicitly prohibited by the security team. Option B is wrong because a proxy server in the public subnet still requires an Elastic IP address or a NAT gateway for outbound connectivity, and it does not eliminate the auditing concerns. Option D is wrong because attaching an Internet Gateway and adding a default route to 0.0.0.0/0 in the private subnet would route traffic directly to the internet, but private subnets cannot route to an Internet Gateway without a NAT device or Elastic IP; this configuration would fail to provide outbound connectivity and violates the security team's requirements.

965
MCQ medium

A company has an AWS Direct Connect connection and wants to ensure that all traffic from its VPC to an S3 bucket in another region stays within the AWS network. How should this be accomplished?

A. Create a VPC Gateway Endpoint for S3 in the source VPC
B. Create a VPC Interface Endpoint for S3 in the source VPC
C. Use a NAT gateway in the VPC and route traffic through the Direct Connect public VIF
D. Establish a VPN connection to the S3 bucket
Answer: C

Using a public VIF with Direct Connect allows traffic to S3 in any region via the AWS backbone, keeping it off the public internet.

Why this answer

Option C is correct because a Direct Connect public VIF carries traffic to AWS public service endpoints, including S3 in any region, over the AWS backbone. Option A is wrong because a VPC Gateway Endpoint for S3 is regional: it keeps traffic within the AWS network only for buckets in the same region. For cross-region access, a Gateway Endpoint in the source region combined with a Direct Connect connection does not keep the traffic on the AWS network; it goes over the public internet. A Gateway Endpoint is the right tool for same-region S3 access, but for cross-region access you must use a Direct Connect public VIF or a Direct Connect Gateway to route traffic via the AWS backbone.

Option B is wrong because a VPC interface endpoint for S3 is not supported. A NAT gateway on its own would route traffic over the internet; in Option C the traffic is carried over the Direct Connect public VIF, which keeps it off the public internet. Option D is wrong because a VPN does not keep traffic on the AWS backbone for cross-region S3 access.

966
Multi-Select medium

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team wants to implement defense in depth. Which three layers of security should be configured?

Select 3 answers
A. Security groups
B. AWS WAF
C. AWS Identity and Access Management (IAM) policies
D. VPC Flow Logs
E. Network ACLs
Answers: A, B, E

Instance-level firewall.

Why this answer

Security groups act as virtual firewalls at the instance level. Network ACLs provide stateless filtering at the subnet level. AWS WAF protects web applications at the application layer.

Options A, B, and E are correct. Option C is wrong because IAM is identity and access management, not network security. Option D is wrong because VPC Flow Logs are for monitoring, not blocking traffic.

967
MCQ hard

A company has a production VPC with CIDR 10.0.0.0/16. They have an internet-facing Application Load Balancer (ALB) in public subnets across two Availability Zones. The ALB distributes traffic to a fleet of EC2 instances in private subnets. The EC2 instances need to access an Amazon S3 bucket to retrieve configuration files. The company wants to minimize data transfer costs and ensure that traffic to S3 does not traverse the internet. A network engineer created a Gateway VPC Endpoint for S3 in the VPC and added a route in the public subnet route tables pointing to the endpoint. However, the EC2 instances still cannot access the S3 bucket. The security groups for the EC2 instances allow outbound HTTPS to 0.0.0.0/0. The NACLs are default (allow all). The S3 bucket policy allows access from the VPC endpoint. What is the MOST likely reason the EC2 instances cannot access S3?

A. The Gateway VPC Endpoint is in a different region than the S3 bucket
B. The security group for the EC2 instances does not allow outbound traffic to the S3 prefix list
C. The S3 bucket policy does not include a condition for the VPC endpoint
D. The route to the Gateway VPC Endpoint was added only to public subnets, not to private subnets
Answer: D

The route to the endpoint must be in the private subnet route tables for the EC2 instances to use it.

Why this answer

Option D is correct. The Gateway VPC Endpoint is only accessible from within the VPC, and the route to the endpoint must be added to the route tables of the subnets where the EC2 instances reside. The engineer added the route only to the public subnet route tables, not to the private subnet route tables.

Therefore, traffic from the EC2 instances destined for S3 follows the default route (0.0.0.0/0), which goes through the NAT Gateway or Internet Gateway, not through the endpoint. Option B is incorrect because the security group rule allows outbound HTTPS to all destinations. Option C is incorrect because the S3 bucket policy already allows access from the VPC endpoint.

Option A is incorrect because the endpoint is in the same region as the bucket.

968
MCQ hard

A company has a VPC with CIDR 10.0.0.0/16. They have an on-premises network with CIDR 172.16.0.0/12 connected via AWS Site-to-Site VPN. The company also has a second VPC (VPC B) with CIDR 10.1.0.0/16 peered with the first VPC. They notice that instances in VPC B cannot reach the on-premises network. What is the most likely cause?

A. Route propagation is disabled in VPC B.
B. The VPN connection is not compatible with VPC peering.
C. The VPN tunnel is down.
D. VPC peering does not support transitive routing.
Answer: D

Transitive routing is not supported; on-premises cannot reach VPC B through VPC peering.

Why this answer

VPC peering does not support transitive routing. This means that if VPC A is peered with VPC B and also connected to an on-premises network via VPN, traffic from VPC B cannot use VPC A as a transit point to reach the on-premises network. Each VPC must have its own direct connection to the on-premises network, or a transit gateway must be used to enable transitive routing.

Exam trap

The trap here is that candidates often assume VPC peering works like a router or a hub-and-spoke model, not realizing that AWS explicitly disables transitive routing across VPC peering connections to prevent unintended network loops and complexity.

How to eliminate wrong answers

Option A is wrong because route propagation in VPC B is irrelevant; even if VPC B had propagated routes from the VPN, the VPC peering connection itself does not allow traffic to be forwarded from VPC B through VPC A to the on-premises network due to the lack of transitive routing. Option B is wrong because the VPN connection is fully compatible with VPC peering; the issue is not compatibility but the architectural limitation that VPC peering does not support transitive routing. Option C is wrong because if the VPN tunnel were down, instances in VPC A would also be unable to reach the on-premises network, but the problem is specific to VPC B, indicating the VPN is operational.

969
MCQ (easy)

A company needs to audit all changes to security groups in a VPC. Which AWS service should be used?

A. VPC Flow Logs
B. AWS Config
C. Amazon CloudWatch
D. AWS CloudTrail
Answer: D

CloudTrail records all API calls made in the account, including security group modifications.

Why this answer

Option D is correct because AWS CloudTrail records API calls, including changes to security groups, and can be used for auditing. Option C is wrong because CloudWatch is for monitoring metrics and logs, not API activity. Option A is wrong because VPC Flow Logs capture network traffic, not API changes.

Option B is wrong because AWS Config tracks resource configuration changes but is not primarily a record of API calls; it focuses on resource configuration state.

970
MCQ (medium)

A company wants to audit all changes to security group rules in their AWS account. Which AWS service should be used to record these changes?

A. AWS CloudTrail
B. AWS Config
C. VPC Flow Logs
D. Amazon Inspector
Answer: A

CloudTrail records all API calls, including security group modifications.

Why this answer

Option A is correct: AWS CloudTrail records API calls, including changes to security group rules, so it is the primary service for auditing who changed what and when. Option B is wrong because AWS Config records resource configurations and their history, but CloudTrail is the more direct source for API auditing.

Option C is wrong because VPC Flow Logs capture network traffic, not configuration changes. Option D is wrong because Amazon Inspector assesses vulnerabilities, not configuration changes.

971
MCQ (medium)

A company has a VPC with a CIDR block of 172.16.0.0/16. They have two subnets: 172.16.1.0/24 (public) and 172.16.2.0/24 (private). They launch an EC2 instance in the private subnet and an Application Load Balancer (ALB) in the public subnet. The ALB needs to forward traffic to the EC2 instance on port 80. The security group for the EC2 instance allows inbound traffic on port 80 from the security group of the ALB. The ALB health checks are failing. What is the most likely cause?

A. The ALB cannot route traffic to a private subnet
B. The private subnet does not have a route to a NAT gateway
C. The ALB is in a different VPC than the EC2 instance
D. The security group for the EC2 instance does not allow inbound traffic from the ALB's security group
Answer: D

Health checks come from the ALB's security group, so it must be allowed.

Why this answer

Option D is correct because the EC2 instance's security group must have an inbound rule allowing traffic from the ALB's security group. If this rule is missing or misconfigured, the ALB's health check requests (which originate from the ALB's private IP addresses) will be blocked, causing health checks to fail. The scenario states the rule 'allows inbound traffic on port 80 from the security group of the ALB,' but if the rule is not properly associated or the ALB's security group ID is incorrect, traffic will be denied.

Exam trap

The trap here is that candidates often assume health check failures are due to routing or NAT issues, but the most common cause is a missing or misconfigured inbound security group rule on the target instance that does not explicitly allow traffic from the ALB's security group.

How to eliminate wrong answers

Option A is wrong because an ALB can route traffic to targets in private subnets as long as the ALB itself is in public subnets and the targets are reachable via the VPC's internal routing. Option B is wrong because health checks do not require a NAT gateway; the ALB sends health check requests from its own IP addresses within the VPC, and the EC2 instance only needs a route back to the ALB (which exists via the VPC's local route). Option C is wrong because the question explicitly states the ALB and EC2 instance are in the same VPC, so cross-VPC routing is not an issue.

972
MCQ (hard)

A network engineer is configuring VPC Flow Logs to deliver to an S3 bucket in a different account. The bucket policy is shown. The flow logs are not being delivered. What is the most likely reason?

A. The Action should be s3:PutObjectAcl instead of s3:PutObject
B. The Principal must be the destination account's log delivery service
C. The aws:SourceArn condition restricts access to a specific account, but the flow logs are from a different account
D. The Resource does not include the bucket ARN itself
Answer: C

The condition limits access to logs from account 123456789012 only.

Why this answer

Option C is correct because the bucket policy's condition is scoped to log delivery from account 123456789012, while these flow logs originate in a different account. The policy must allow delivery on behalf of the source account. Option A is incorrect because s3:PutObject is the correct action for log delivery.

Option D is incorrect because the Resource already includes the full object path. Option B is incorrect because the Principal is correct for cross-account delivery.

973
Multi-Select (easy)

Which TWO of the following are true about AWS VPC endpoints? (Choose two.)

Select 2 answers
A. Gateway Endpoints can be used to access Amazon S3 and DynamoDB.
B. Interface Endpoints are free of charge.
C. Gateway Endpoints use AWS PrivateLink.
D. Both Gateway and Interface Endpoints require a NAT gateway.
E. Interface Endpoints are powered by AWS PrivateLink.
Answers: A, E

Only S3 and DynamoDB have Gateway Endpoints.

Why this answer

Options A and E are correct. C is wrong because Gateway Endpoints do not use PrivateLink; they work through route table entries. B is wrong because Interface Endpoints are not free; you pay per hour and per GB processed. D is wrong because neither endpoint type requires a NAT gateway; both provide private access to the service without one.

A: Gateway Endpoints support S3 and DynamoDB. E: Interface Endpoints are powered by PrivateLink.

974
MCQ (easy)

A company is using AWS WAF to protect a web application. They want to block requests that originate from known malicious IP addresses. Which WAF rule type should be used?

A. String match condition
B. Regex match condition
C. SQL injection match condition
D. IP set match condition
Answer: D

IP set match condition allows blocking or allowing requests based on source IP.

Why this answer

IP set match conditions compare the source IP address of a request against a list of IP addresses or CIDR ranges. String match, regex match, and SQL injection match conditions inspect request content rather than the source address, so they cannot block by origin IP.

975
MCQ (medium)

A company is designing a multi-region architecture with an active-active setup. They need to route traffic to the nearest healthy endpoint. Which AWS service should they use?

A. Application Load Balancer (ALB)
B. Amazon Route 53 latency-based routing
C. AWS Global Accelerator
D. Amazon CloudFront
Answer: B

Route 53 latency-based routing directs traffic to the region with the lowest latency for the user.

Why this answer

Option B is correct because Amazon Route 53 latency-based routing directs traffic based on the lowest latency to the nearest healthy endpoint. Option A is wrong because Application Load Balancer is regional. Option C is wrong because Global Accelerator uses Anycast IPs but does not use latency-based routing by default.

Option D is wrong because CloudFront is a CDN, not for routing to application endpoints.
