AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 976-1050

1705 questions total · 23 pages · All types, answers revealed

Page 14 of 23
976
Multi-Select · easy

A company wants to monitor network traffic in its VPC for security analysis and troubleshooting. Which TWO AWS services can be used to capture and analyze IP traffic information? (Choose TWO.)

Select 2 answers
A. AWS Network Firewall
B. AWS CloudTrail
C. AWS Trusted Advisor
D. Amazon GuardDuty
E. VPC Flow Logs
Answers: A, E

Captures and inspects traffic.

Why this answer

Options A and E are correct. VPC Flow Logs capture IP traffic metadata, and AWS Network Firewall can capture and inspect traffic. B is wrong because CloudTrail records API calls, not network traffic.

C is wrong because AWS Trusted Advisor provides best-practice checks. D is wrong because GuardDuty is a threat detection service that consumes flow logs but does not capture them directly.

977
Multi-Select · medium

A company is designing a network for a critical application that requires maximum availability. The application will be deployed across multiple Availability Zones in a single region. Which THREE design choices improve network availability?

Select 3 answers
A. Use an Application Load Balancer with targets in multiple Availability Zones
B. Deploy EC2 instances in at least two Availability Zones
C. Use a single NAT gateway in one Availability Zone
D. Use a single subnet per Availability Zone
E. Use multiple NAT gateways, one in each Availability Zone
Answers: A, B, E

Distributes traffic across AZs.

Why this answer

An Application Load Balancer (ALB) with targets in multiple Availability Zones (AZs) improves availability by distributing incoming traffic across healthy targets in different AZs. If one AZ fails, the ALB automatically routes traffic to targets in the remaining AZs, ensuring the application remains accessible. This design eliminates a single point of failure at the load balancer level and leverages the regional nature of the ALB to provide cross-AZ fault tolerance.

Exam trap

AWS often tests the misconception that a single NAT gateway is sufficient for high availability because it can route traffic from multiple AZs, but the trap here is that the NAT gateway itself is a zonal resource—if its AZ fails, all outbound traffic is lost, making it a critical single point of failure.

978
MCQ · hard

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to use a proxy server running on an EC2 instance in the public subnet. The security group for the proxy server must allow inbound HTTP/HTTPS from the instance in the private subnet. The security group for the private instance must allow outbound HTTP/HTTPS to the proxy server. However, the private instance cannot connect to the proxy. What is the most likely cause?

A. The security group for the private instance does not allow outbound traffic to the proxy server.
B. The network ACL for the private subnet blocks inbound traffic from the proxy.
C. The route table for the private subnet has a default route pointing to a NAT gateway instead of the proxy server.
D. The security group for the proxy server does not allow inbound traffic from the private instance's security group.
Answer: C

If the default route points to a NAT gateway, traffic to the internet goes through the NAT gateway instead of the proxy.

Why this answer

Option C is correct because the route table of the private subnet likely has a default route to a NAT gateway or internet gateway, causing traffic to bypass the proxy. The private instance's security group allows outbound HTTP/HTTPS to the proxy, but the subnet route may not point to the proxy. Option B is wrong because the network ACL must allow both inbound and outbound traffic; if it blocked inbound, the proxy could not receive requests.

Option D is wrong because the proxy's security group allows inbound from the private instance. Option A is wrong because the private instance's security group allows outbound to the proxy.

979
MCQ · medium

A company is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and uses BGP for dynamic routing. The on-premises router supports BGP multipath. Which configuration ensures the highest availability for the Direct Connect connection?

A. Provision two Direct Connect connections to two different Direct Connect locations and configure BGP multipath.
B. Provision a single Direct Connect connection and a Site-to-Site VPN as a backup.
C. Provision a single Direct Connect connection with two virtual interfaces.
D. Provision a single Direct Connect connection with multiple VLANs.
Answer: A

Physical diversity ensures high availability.

Why this answer

Option A is correct because provisioning two Direct Connect connections to two different Direct Connect locations eliminates single points of failure at the physical layer and the facility level. BGP multipath allows the on-premises router to load-balance traffic across both connections, maximizing availability by ensuring that if one connection or location fails, traffic continues over the other without relying on a slower failover mechanism like VPN.

Exam trap

The trap here is that candidates often confuse logical redundancy (multiple VLANs or virtual interfaces) with physical redundancy, assuming that multiple logical constructs on a single physical connection provide high availability, when in fact a single physical failure will take down all logical constructs.

How to eliminate wrong answers

Option B is wrong because a Site-to-Site VPN over the internet introduces latency, jitter, and potential bandwidth limitations, and it is typically used as a backup only when Direct Connect is unavailable, not as a primary high-availability solution; it does not provide the same SLA or consistent performance as a second Direct Connect. Option C is wrong because a single Direct Connect connection with two virtual interfaces still shares the same physical port, fiber path, and Direct Connect location, meaning a single failure at the physical layer (e.g., fiber cut, device failure) will bring down both virtual interfaces, violating high availability. Option D is wrong because multiple VLANs on a single Direct Connect connection are used to segregate traffic (e.g., public vs. private VIFs) but do not provide redundancy; they all depend on the same physical connection and location, so a single failure disrupts all VLANs.

980
MCQ · easy

A company wants to use AWS Direct Connect to establish a dedicated network connection from their on-premises data center to AWS. They need to connect to a VPC in the us-east-1 region. Which of the following is a required step in the setup process?

A. Attach a Transit Gateway to the VPC.
B. Configure CloudFront to route traffic through the Direct Connect.
C. Create a site-to-site VPN connection as a backup.
D. Create a private virtual interface and attach it to a Virtual Private Gateway.
Answer: D

This is the standard procedure for Direct Connect private VIF.

Why this answer

To establish a Direct Connect connection to a VPC, you must create a private virtual interface (VIF) and attach it to a Virtual Private Gateway (VGW) that is attached to the VPC. The private VIF carries traffic over the dedicated connection and uses BGP to exchange routes between the on-premises network and the VPC via the VGW. This is the core requirement for routing traffic from the Direct Connect link into a VPC.

Exam trap

AWS often tests the misconception that a Transit Gateway is mandatory for Direct Connect, but the correct requirement is a Virtual Private Gateway attached to the VPC, not a Transit Gateway.

How to eliminate wrong answers

Option A is wrong because a Transit Gateway is not required for a single VPC connection; it is used to interconnect multiple VPCs or VPNs, and attaching it is optional. Option B is wrong because CloudFront is a content delivery network (CDN) and does not route traffic through Direct Connect; Direct Connect is a Layer 2/3 dedicated link, not a CDN service. Option C is wrong because a site-to-site VPN is not a required step; it is an optional backup for redundancy and is not mandatory for the Direct Connect setup process.

981
MCQ · medium

A company uses a VPC with multiple subnets in different Availability Zones. The VPC has a NAT Gateway in a public subnet of us-east-1a, and a second NAT Gateway in us-east-1b for high availability. Each private subnet in us-east-1a routes 0.0.0.0/0 to the NAT Gateway in us-east-1a, and private subnets in us-east-1b route to the NAT Gateway in us-east-1b. The company's EC2 instances in private subnets need to access an external service using IPv6. The VPC is not configured for IPv6. The network engineer needs to enable IPv6 connectivity for these instances. Which solution is the most cost-effective and scalable?

A. Add an IPv6 CIDR block to the VPC and configure a NAT64 gateway to translate IPv6 to IPv4.
B. Add an IPv6 CIDR block to the VPC, assign IPv6 addresses to private subnets, and add a route for ::/0 to an egress-only internet gateway.
C. Attach an internet gateway to the VPC and add a route for ::/0 to the internet gateway in the private subnets.
D. Add an IPv6 CIDR block to the VPC and use the existing NAT Gateways with IPv6.
Answer: B

Egress-only IGW allows outbound IPv6 traffic from private subnets.

Why this answer

Option B is correct because an egress-only internet gateway (EIGW) provides outbound-only IPv6 connectivity for instances in private subnets once the VPC is dual-stack. Options A and D are wrong because NAT64 translation, or reuse of the existing NAT gateways, is not needed when the external service is reachable over IPv6.

Option C is wrong because an internet gateway alone does not work for private subnets; it requires a route, and the instances would need public IPv6 addresses.

982
MCQ · easy

A company needs to establish private connectivity between two VPCs in different AWS accounts. The VPCs are in the same Region. Which AWS feature should be used?

A. AWS Transit Gateway
B. AWS Direct Connect
C. VPC peering
D. AWS Site-to-Site VPN
Answer: C

VPC peering enables private connectivity between VPCs across accounts.

Why this answer

VPC peering is the correct choice because it establishes a direct, private network connection between two VPCs in the same AWS Region, even across different AWS accounts, using the AWS backbone without requiring a transit hub or external connectivity. It leverages the existing AWS infrastructure to route traffic between the VPCs via private IPv4 or IPv6 addresses, with no bandwidth bottlenecks or single points of failure inherent in the design.

Exam trap

The trap here is that candidates often choose AWS Transit Gateway because they think it is required for cross-account connectivity, but VPC peering directly supports cross-account VPC connections in the same Region without needing a central hub.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a hub-and-spoke architecture designed for connecting many VPCs and on-premises networks, which introduces additional cost and complexity for a simple two-VPC scenario where VPC peering is more straightforward and cost-effective. Option B is wrong because AWS Direct Connect provides dedicated private connectivity from an on-premises data center to AWS, not between two VPCs within the same Region; it requires physical infrastructure and is not designed for VPC-to-VPC peering. Option D is wrong because AWS Site-to-Site VPN establishes encrypted tunnels over the public internet to connect on-premises networks to AWS, not for direct VPC-to-VPC connectivity; using it for VPC peering would introduce unnecessary latency and complexity.

983
MCQ · medium

A company has a hub-and-spoke network topology using AWS Transit Gateway in us-east-1. The hub VPC hosts centralized inspection appliances from a third-party vendor. The spokes include VPCs with application workloads and a Direct Connect VIF attached to a Direct Connect gateway which is associated with the Transit Gateway. The company notices that traffic from the on-premises network to the spoke VPCs is not being inspected by the centralized appliances. They have verified that the Transit Gateway route tables are correctly configured with static routes pointing to the inspection VPC for all spoke CIDRs, and the inspection appliances are properly configured to forward traffic. What is the most likely cause of this issue?

A. The Direct Connect gateway is not propagating routes to the Transit Gateway, causing the on-premises traffic to be dropped.
B. The Transit Gateway route table associated with the Direct Connect gateway attachment does not have a route that sends traffic to the inspection VPC.
C. The inspection VPC is sending traffic back to the on-premises network via a different path, causing asymmetric routing that drops packets.
D. The Transit Gateway route table for the spoke VPC attachments does not have a route to the on-premises network via the Direct Connect gateway.
Answer: B

The route table associated with the attachment determines the path. Without a specific route to the inspection VPC, traffic goes directly to the spoke.

Why this answer

Option B is correct because in a hub-and-spoke topology with AWS Transit Gateway, traffic from on-premises (via Direct Connect) to spoke VPCs must be routed through the inspection VPC. This requires the Transit Gateway route table associated with the Direct Connect gateway attachment to contain a static route pointing to the inspection VPC attachment for the spoke CIDRs. Without this route, traffic bypasses inspection entirely.

Exam trap

The trap here is that candidates assume configuring routes in the spoke VPC route tables or the inspection VPC is sufficient, but they overlook that the Transit Gateway route table associated with the Direct Connect gateway attachment must also direct traffic to the inspection VPC.

How to eliminate wrong answers

Option A is wrong because the Direct Connect gateway does not propagate routes to the Transit Gateway; instead, the Transit Gateway must have static routes or propagated routes from the Direct Connect gateway, and the issue is not about propagation but about missing inspection routes. Option C is wrong because asymmetric routing is not the primary cause; the problem is that traffic never reaches the inspection VPC in the first place, so asymmetric routing is irrelevant. Option D is wrong because the spoke VPC route tables do not need a route to on-premises via the Direct Connect gateway; the Transit Gateway handles inter-VPC routing, and the spoke attachments only need routes to the inspection VPC for return traffic, which is already configured.

984
Multi-Select · medium

Which TWO of the following are requirements for establishing an AWS Direct Connect private virtual interface? (Choose two.)

Select 2 answers
A. Jumbo frames support (MTU 9001).
B. A public IP address for the VIF.
C. A public BGP ASN.
D. A BGP session between the customer router and the AWS device.
E. A VLAN ID that is unique within the Direct Connect connection.
Answers: D, E

BGP is used to exchange routes.

Why this answer

Options D and E are correct. D: a BGP session is required for routing. E: you need a VLAN ID that matches on both sides.

C is wrong because you can use a private virtual interface without a public ASN; private ASNs are allowed. B is wrong because public IP addresses belong to public virtual interfaces, which are for public services. A is wrong because jumbo frames are optional.

985
MCQ · hard

A company is setting up a cross-account VPC peering connection between VPC A (account 1) and VPC B (account 2). The security team wants to ensure that only specific TCP ports are allowed between the VPCs. They have configured the route tables and the VPC peering connection is active. Which additional configuration is required to enforce the port restriction?

A. Modify the network ACLs in both VPCs to allow inbound traffic only on the required ports.
B. Use network ACLs with stateful filtering to allow only the required ports.
C. Update the security groups in both VPCs to allow inbound traffic only on the required ports from the peered VPC's CIDR or security group.
D. Configure the route tables to deny traffic on all ports except the allowed ones.
Answer: C

Security groups can restrict traffic based on port and protocol at the instance level.

Why this answer

Option C is correct because security groups can be used to control traffic at the instance level based on ports. VPC peering does not support security group referencing across accounts by default, so the security group must be updated to reference the peered VPC's CIDR or security group. Option A is wrong because network ACLs are stateless and apply at the subnet level, not at the instance level, and they cannot reference security groups.

Option B is wrong because network ACLs do not support stateful filtering like security groups.

986
MCQ · hard

A company has a Direct Connect connection with a private virtual interface (VIF) to a VPC. The company wants to add a second VPC in the same AWS Region using the same Direct Connect connection. Which solution meets the requirements with the least operational effort?

A. Create a Direct Connect gateway and associate both VPCs, then associate the private VIF with the Direct Connect gateway
B. Set up a VPN connection over the Direct Connect for the second VPC
C. Create a transit virtual interface and attach it to a transit gateway, then attach both VPCs
D. Create a second private virtual interface for the second VPC
Answer: A

Allows multiple VPCs to use the same private VIF via the Direct Connect gateway.

Why this answer

A Direct Connect gateway allows a single private virtual interface (VIF) to connect to multiple VPCs in the same AWS Region, eliminating the need for multiple VIFs or complex routing. By associating both VPCs with the Direct Connect gateway and attaching the private VIF to it, you achieve the goal with minimal operational overhead, as the gateway handles the routing between the on-premises network and the VPCs.

Exam trap

AWS often tests the misconception that a single private VIF can only connect to one VPC, leading candidates to choose Option D, but the Direct Connect gateway enables multi-VPC connectivity with the same VIF.

How to eliminate wrong answers

Option B is wrong because setting up a VPN over Direct Connect adds unnecessary complexity and operational effort, as it requires managing VPN tunnels and encryption, whereas a Direct Connect gateway provides a simpler native solution. Option C is wrong because a transit virtual interface is used with a transit gateway for connecting multiple VPCs or VPNs, but it requires creating a transit gateway and additional configuration, which is more effort than using a Direct Connect gateway with existing private VIF. Option D is wrong because creating a second private virtual interface would require additional Direct Connect configuration and potentially more bandwidth allocation, increasing operational effort compared to reusing the existing VIF via a Direct Connect gateway.

987
Multi-Select · easy

A network engineer is designing a Direct Connect solution with a public VIF and a private VIF. The private VIF will connect to a VPC via a Direct Connect Gateway. Which TWO of the following statements are correct regarding this setup? (Choose 2.)

Select 2 answers
A. The private VIF can be used without a virtual interface termination device on the customer side
B. The public VIF can be used to connect to a VPC via a Direct Connect Gateway
C. The private VIF can be used to access Amazon S3 over a private IP address
D. The Direct Connect Gateway allows the private VIF to connect to multiple VPCs in different AWS Regions
E. The public VIF can be used to access AWS public services such as Amazon S3 over Direct Connect
Answers: D, E

Direct Connect Gateway enables multi-region connectivity.

Why this answer

A public VIF provides access to AWS public services (like S3) over Direct Connect, which is more consistent and lower latency than the internet. A private VIF with a Direct Connect Gateway allows connections to multiple VPCs in different Regions. Option C is wrong because a private VIF does not access public endpoints (that's the public VIF).

Option A is wrong because a private VIF requires a virtual interface and a router on the customer side. Option B is wrong because a public VIF does not connect to VPCs.

988
MCQ · medium

A company is migrating from a legacy MPLS network to AWS using Direct Connect. The network team wants to ensure high availability with a backup connection. They have two Direct Connect connections from different providers, both terminating at the same AWS Direct Connect location. Which configuration provides the most resilient setup?

A. Use both connections but from the same provider to simplify management.
B. Use both connections with separate virtual interfaces, each terminating on different customer routers.
C. Use one connection with two virtual interfaces for redundancy.
D. Use both connections with a single virtual interface on each, but terminate on the same router.
Answer: B

Full redundancy with diverse paths.

Why this answer

Option B is correct. Using two different customer routers and separate virtual interfaces provides redundancy at both the physical and logical levels. Option D is wrong because a single router is a single point of failure.

Option C is wrong because a single connection is a single point of failure. Option A is wrong because using the same provider reduces diversity.

989
MCQ · hard

Refer to the exhibit. A developer created this CloudFormation template to create a public subnet. However, instances in the subnet cannot access the internet. What is the MOST likely cause?

A. The subnet does not have auto-assign public IP enabled
B. The route to the internet gateway is missing
C. The route table is not associated with the subnet
D. The internet gateway is not attached to the VPC
Answer: A

Instances need public IPs for internet access; template does not enable it.

Why this answer

Option A is correct because the CloudFormation template creates a public subnet but does not set the 'MapPublicIpOnLaunch' property to 'true'. Without this setting, EC2 instances launched in the subnet do not automatically receive a public IPv4 address, which is required for internet-bound traffic to be routed through the Internet Gateway (IGW). Even if the route table has a default route (0.0.0.0/0) pointing to the IGW, the instance lacks a public IP, so the IGW cannot perform source NAT for outbound traffic, making internet access impossible.

Exam trap

AWS often tests the misconception that a default route to an IGW alone guarantees internet access, but the trap here is that the instance must have a public IP address for the IGW to perform source NAT, and auto-assign public IP is disabled by default in CloudFormation unless explicitly enabled.

How to eliminate wrong answers

Option B is wrong because the route to the internet gateway is not missing; the template explicitly includes a route in the public route table with destination 0.0.0.0/0 and target referencing the Internet Gateway. Option C is wrong because the route table is associated with the subnet via the 'AWS::EC2::SubnetRouteTableAssociation' resource in the template. Option D is wrong because the Internet Gateway is created and attached to the VPC using the 'AWS::EC2::VPCGatewayAttachment' resource, so the attachment is present.

990
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access the internet to download software updates. The company has a NAT gateway in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, the EC2 instance cannot access the internet. The network engineer verifies that the NAT gateway has an Elastic IP, the security group for the EC2 instance allows outbound HTTPS traffic, and the network ACL for the private subnet allows inbound and outbound ephemeral ports. What is the most likely cause of the issue?

A. The security group attached to the NAT gateway does not allow outbound traffic.
B. The route table for the public subnet does not have a route to an internet gateway.
C. The route table for the private subnet does not have a route to the NAT gateway.
D. The NAT gateway does not support UDP traffic.
Answer: B

The public subnet must have a default route to an internet gateway for the NAT gateway to reach the internet.

Why this answer

Option B is correct because the NAT gateway resides in the public subnet, and for it to route traffic to the internet, the public subnet's route table must have a default route pointing to an internet gateway. Without that, the NAT gateway cannot forward traffic. Option A is wrong because NAT gateways do not have security groups.

Option C is wrong because the private subnet route table is correctly configured. Option D is wrong because the NAT gateway supports UDP as well.

991
MCQ · easy

A company has an S3 bucket that stores sensitive documents. They need to ensure that all objects in the bucket are encrypted at rest using server-side encryption with AWS KMS (SSE-KMS). Additionally, they want to prevent any uploads that do not specify the required KMS key. Which combination of bucket policy and default encryption should they implement?

A. Enable default encryption on the bucket with SSE-KMS using the required KMS key, and add a bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption-aws-kms-key-id header with the required key ARN.
B. Enable default encryption with SSE-S3, and add a bucket policy that denies s3:PutObject unless the request uses the required KMS key.
C. Use a bucket policy that requires the kms:Encrypt permission for the required key, but do not enable default encryption.
D. Enable default encryption with SSE-KMS using the required key, and rely on IAM policies to enforce encryption, not bucket policies.
Answer: A

Default encryption ensures objects are encrypted if no header is provided. The bucket policy enforces that uploads must use the specific KMS key.

992
MCQ · easy

A network engineer is troubleshooting connectivity between two EC2 instances in the same VPC but different subnets. The instances can ping each other's private IP addresses, but traffic on TCP port 443 fails. What is the most likely cause?

A. VPC Flow Logs misconfiguration.
B. Internet gateway not attached to the VPC.
C. Security group or network ACL rules blocking port 443.
D. Missing route in the route table.
Answer: C

Port 443 is likely blocked by a firewall rule.

Why this answer

Option C is correct because the security group or NACL is blocking port 443. Since ICMP works, the network layer is fine, but the application-layer port is blocked. Option D is wrong because route tables affect the network layer and are not port-specific.

Option A is wrong because VPC Flow Logs are for monitoring, not blocking. Option B is wrong because the internet gateway is not involved in traffic between two instances in the same VPC.

993
MCQ · easy

A company has a VPC with public and private subnets in three Availability Zones. The company hosts a web application on Amazon EC2 instances in the private subnets. The instances need to download security patches from the internet but must not be directly accessible from the internet. Which solution meets these requirements with the least operational overhead?

A. Deploy a NAT instance in a public subnet and configure the private subnet route tables to point to the NAT instance.
B. Attach an internet gateway to the VPC and add a default route to the internet gateway in the private subnet route tables.
C. Create a VPC endpoint for Amazon S3 and configure the instances to use the endpoint.
D. Deploy a NAT gateway in each public subnet and configure the private subnet route tables to point to the respective NAT gateway.
Answer: D

Managed service, highly available, minimal operational overhead.

Why this answer

Option D is correct because a NAT gateway is a fully managed AWS service that provides outbound internet connectivity for instances in private subnets while preventing inbound internet access. Deploying a NAT gateway in each public subnet across three Availability Zones ensures high availability and fault tolerance, and configuring private subnet route tables with a default route (0.0.0.0/0) pointing to the respective NAT gateway meets the requirement with minimal operational overhead, as AWS handles patching and scaling.

Exam trap

AWS often tests the distinction between managed NAT gateways and self-managed NAT instances, where candidates may choose the NAT instance option (A) due to lower cost, overlooking the 'least operational overhead' requirement, or they may incorrectly select the VPC endpoint option (C) thinking it provides general internet access.

How to eliminate wrong answers

Option A is wrong because a NAT instance is a self-managed EC2 instance that requires ongoing maintenance, patching, and scaling, which increases operational overhead compared to a managed NAT gateway. Option B is wrong because attaching an internet gateway and adding a default route to it in private subnet route tables would make the instances directly accessible from the internet, violating the requirement that instances must not be directly accessible. Option C is wrong because a VPC endpoint for Amazon S3 only provides private connectivity to S3, not general internet access for downloading security patches from arbitrary internet sources.

994
MCQ · medium

A company uses AWS Certificate Manager (ACM) to provision SSL/TLS certificates for their Application Load Balancer (ALB). They want to ensure that the ALB only accepts connections using TLS 1.2 or higher. How should they configure this?

A. Use ACM to generate a certificate that only supports TLS 1.2.
B. Configure the ALB with an appropriate security policy that enforces TLS 1.2.
C. Configure the ALB to use a CloudFront distribution with a TLS policy.
D. Use AWS Route 53 to enforce TLS version at the DNS level.
Answer: B

ALB security policies allow specifying minimum TLS protocol version.

Why this answer

Option B is correct because security policies on the ALB specify the minimum TLS version. Option A is wrong because ACM does not control the TLS version; it provides certificates. Option C is wrong because CloudFront is a different service.

Option D is wrong because Route 53 does not handle TLS version enforcement.

995
MCQ · easy

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer needs to restrict access to only the company's public IP range (203.0.113.0/24). What is the correct way to modify the security group rule?

A. Edit the existing inbound rule and change the source CIDR to 203.0.113.0/24.
B. Add a new inbound rule allowing SSH from 203.0.113.0/24 and keep the existing rule.
C. Remove the security group rule and add a new rule to deny SSH from 0.0.0.0/0.
D. Create a network ACL that denies SSH from 0.0.0.0/0.
Answer: A

This restricts SSH access to the specified IP range.

Why this answer

Option A is correct because the source CIDR should be changed from 0.0.0.0/0 to 203.0.113.0/24. Option B is wrong because adding a second rule does not remove the open rule. Option D is wrong because NACLs operate at the subnet level.

Option C is wrong because removing the rule and adding a deny rule is not how security groups work; security groups are allow-only.

996
MCQ · easy

A company is deploying a hybrid network with AWS Direct Connect and a VPN backup. The Direct Connect virtual interface is configured for private VIF with BGP. The VPN uses IPsec tunnels over the internet. What is the best practice to ensure symmetric routing and failover?

A.Configure ASN prepending on the VPN BGP advertisements to make them less preferred.
B.Use different BGP ASNs for Direct Connect and VPN to allow AWS to prefer the Direct Connect path.
C.Disable BGP on the Direct Connect private VIF and use static routes to force traffic through Direct Connect.
D.Use the same BGP ASN for both Direct Connect and VPN, and set a higher MED (Multi-Exit Discriminator) on the VPN routes.
AnswerD

Same ASN ensures AWS sees both as same neighbor, and MED controls preference.

Why this answer

Option B is correct. Using the same BGP ASN on the VPN side ensures that AWS treats both paths as equal, and with BGP attributes you can control active/passive behavior. Option A is wrong because ASN prepending is used to influence path selection, not to ensure symmetry.

Option C is wrong because you cannot disable BGP on Direct Connect private VIF; it requires BGP. Option D is wrong because using different ASNs would make AWS treat them as separate paths and might cause asymmetric routing.

997
MCQ · easy

A company wants to ensure that all IAM users have multi-factor authentication (MFA) enabled. Which AWS service can be used to enforce this policy?

A. AWS Organizations SCP
B. AWS Config
C. IAM policy with a condition for aws:MultiFactorAuthPresent
D. AWS CloudTrail
Answer: C

An IAM policy can require MFA for all actions.

Why this answer

Option C is correct because IAM policies can require MFA for API calls. Option A is wrong because SCPs can enforce at the account level but require MFA to be set in IAM first. Option D is wrong because CloudTrail is for logging, not enforcement.

Option B is wrong because Config can detect non-compliance but cannot enforce the policy.

998
MCQ · hard

A company has a VPC with a CIDR block of 10.0.0.0/16. It has a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to ensure that traffic to S3 does not traverse the internet. Which solution should be used?

A. Create a VPC Interface Endpoint for S3 and associate it with the private subnet
B. Create a NAT Gateway in the public subnet and add a route in the private subnet route table pointing to the NAT Gateway
C. Create a VPC Gateway Endpoint for S3 and add a route in the private subnet route table pointing to the endpoint
D. Set up an AWS Direct Connect connection and use a private virtual interface
Answer: C

A Gateway Endpoint provides private access to S3.

Why this answer

A VPC Gateway Endpoint for S3 allows private subnet instances to access S3 without traversing the internet. A NAT Gateway uses the internet. An Interface Endpoint is for other AWS services, not S3.

Direct Connect is not necessary for S3 access within the same region.

999
Multi-Select · medium

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) in a VPC. They need to ensure that the application can handle a sudden increase in traffic and that the ALB can scale automatically. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Configure the target group's deregistration delay to a low value to quickly remove unhealthy targets.
B. Use a single subnet for the ALB to reduce complexity.
C. Use a Network Load Balancer instead of an ALB to improve throughput.
D. Enable cross-zone load balancing on the ALB.
E. Disable deletion protection on the ALB to allow automatic replacement.
Answers: A, D

A low deregistration delay ensures that unhealthy instances are removed quickly, preventing them from receiving traffic.

Why this answer

Option A is correct because configuring a low deregistration delay on the target group allows the ALB to quickly stop sending traffic to unhealthy targets, reducing the risk of failed requests during traffic spikes. This setting controls how long the ALB waits for in-flight requests to complete before deregistering a target, and a lower value accelerates the removal of unhealthy instances to maintain application responsiveness. Option D is correct because enabling cross-zone load balancing distributes incoming traffic evenly across all healthy targets in all Availability Zones, maximizing resource utilization and ensuring the ALB can scale automatically by leveraging capacity from multiple zones.

Exam trap

AWS often tests the misconception that enabling cross-zone load balancing is optional or unnecessary for high availability, when in fact it is a critical feature for distributing traffic evenly and supporting automatic scaling across zones.

1000
MCQ · medium

A company is designing a multi-Region Active-Active architecture using Application Load Balancers (ALBs) behind AWS Global Accelerator. The application requires sticky sessions (session affinity) and must maintain session persistence even during failover. Which configuration should be used to achieve this?

A. Enable stickiness on each ALB individually and use a single Regional endpoint group.
B. Configure Global Accelerator to use session affinity with the 'two-tuple' protocol.
C. Configure Route 53 with latency-based routing and enable stickiness on each ALB.
D. Use a custom application cookie for stickiness that is consistent across all ALBs, and set the cookie domain to the Global Accelerator DNS name.
Answer: D

A custom cookie with a shared domain allows session persistence across ALBs in different Regions.

Why this answer

Option D is correct because AWS Global Accelerator does not natively support session affinity (sticky sessions). To maintain session persistence across multi-Region ALBs during failover, you must use a custom application cookie that is consistent across all ALBs and set the cookie domain to the Global Accelerator DNS name. This ensures the client's browser sends the same cookie to any healthy ALB in any Region, preserving the session even when traffic shifts due to a failover.

Exam trap

The trap here is that candidates assume Global Accelerator can provide session affinity natively, similar to an ALB's stickiness feature, but Global Accelerator is a Layer 3/4 service and cannot maintain application-layer session state; the solution requires a custom cookie approach at the application level.

How to eliminate wrong answers

Option A is wrong because using a single Regional endpoint group defeats the purpose of a multi-Region Active-Active architecture; it would not provide cross-Region failover. Option B is wrong because Global Accelerator does not support session affinity with any tuple (two-tuple, three-tuple, or five-tuple); it is a network-layer service that does not maintain session state. Option C is wrong because Route 53 latency-based routing does not provide the fast failover and client IP preservation that Global Accelerator offers, and enabling stickiness on each ALB individually does not ensure session persistence across Regions during failover.

1001
MCQ · hard

A company has a VPC with public and private subnets across two Availability Zones. The private subnets require outbound internet access for updates, but must not be directly reachable from the internet. The company has a NAT gateway in each public subnet. The security team reports that instances in the private subnets cannot reach the internet. Which configuration should be verified first?

A. Verify that the route table for the public subnets has a default route pointing to an internet gateway, and the private subnets' route table has a default route pointing to the NAT gateway
B. Verify that the VPC has a VPC endpoint for S3 configured
C. Verify that the network ACLs for the private subnets allow outbound traffic to 0.0.0.0/0
D. Verify that the security groups attached to the instances allow outbound HTTPS traffic
Answer: A

The NAT gateway must be in a public subnet with a route to an internet gateway, and the private subnets must route 0.0.0.0/0 to the NAT gateway.

Why this answer

Option A is correct because a NAT gateway requires a route to an internet gateway in the route table of the public subnet where it resides, and the private subnet route table must have a default route pointing to the NAT gateway. Option C is wrong because NACLs are stateless and default NACLs allow all traffic; they are not the most likely cause. Option D is wrong because security groups are stateful and outbound traffic is allowed by default.

Option B is wrong because VPC endpoints are for specific AWS services, not general internet access.

1002
MCQ · medium

A company is deploying a critical application across multiple Availability Zones in a single AWS Region. They need a network design that provides the lowest possible latency between application tiers and supports automatic failover if an AZ becomes unavailable. Which design meets these requirements?

A. Use Amazon Route 53 weighted routing to distribute traffic to each AZ
B. Deploy an internal NLB per Availability Zone, with each NLB only registering targets in its own AZ, and an internet-facing Application Load Balancer (ALB) with targets in all AZs
C. Use a single internal Classic Load Balancer across all AZs
D. Deploy an internal Network Load Balancer (NLB) in a single AZ and route traffic from other AZs through it
Answer: B

This keeps traffic within the AZ for the lowest latency, and the ALB provides failover across AZs.

Why this answer

Using an internal Network Load Balancer (NLB) in each AZ with cross-zone load balancing disabled ensures traffic stays within the AZ for the lowest latency, and using an Application Load Balancer (ALB) for the front end with targets in each AZ provides failover. A single NLB across AZs adds cross-AZ latency. The Classic Load Balancer is legacy.

Route 53 weighted routing is not automatic failover.

1003
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. After adding a new VPC attachment, traffic from the on-premises network cannot reach the new VPC. The on-premises BGP route table shows the prefixes of the new VPC as received. What should the engineer check?

A. Verify that the on-premises router is advertising the correct prefix to AWS.
B. Verify that the new VPC has a route to the Transit Gateway in its route table.
C. Verify that the new VPC attachment is associated with the Transit Gateway route table that has the on-premises routes.
D. Verify that the new VPC's DNS resolution is enabled.
Answer: C

Transit Gateway route tables control connectivity between attachments.

Why this answer

Option C is correct because Transit Gateway route tables control inter-VPC and on-premises connectivity; the new VPC attachment must be associated with the correct route table. Option A is wrong because the on-premises network already has the routes. Option B is wrong because there is no implied propagation.

Option D is wrong because DNS resolution is irrelevant to routing.

1004
MCQ · hard

A company uses AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have block public access enabled. Which approach should be used?

A. Use AWS CloudTrail to monitor bucket creation and alert.
B. Use AWS Config rules to detect and remediate noncompliant buckets.
C. Apply a service control policy (SCP) that denies bucket creation without block public access.
D. Create an IAM role in each account that restricts bucket permissions.
Answer: C

SCPs can centrally enforce policies across all accounts.

Why this answer

Option C is correct because a service control policy (SCP) can deny the s3:PutBucketPublicAccessBlock action or enforce the block public access settings. Option D is wrong because IAM roles in each account would require manual management. Option A is wrong because CloudTrail only logs; it does not enforce.

Option B is wrong because AWS Config can detect noncompliance but cannot enforce automatically in real time.

1005
Multi-Select · medium

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC contains a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to use a VPC endpoint for S3. Which TWO configurations are required?

Select 2 answers
A. Assign a public IP address to the EC2 instance.
B. Create an endpoint policy that allows access to the S3 bucket.
C. Deploy a NAT gateway in the public subnet.
D. Add a route in the private subnet's route table pointing to the gateway endpoint.
E. Attach a security group to the gateway endpoint.
Answers: B, D

The endpoint policy controls which resources can be accessed via the endpoint.

Why this answer

Option D is correct because a gateway endpoint for S3 must have a route in the private subnet's route table pointing to the endpoint. Option B is correct because the endpoint policy must allow the instance to access the specific bucket. Option E is wrong because gateway endpoints do not use ENIs or security groups.

Option A is wrong because gateway endpoints are free; there is no need to assign a public IP. Option C is wrong because a NAT gateway is not needed when using a VPC endpoint.

1006
MCQ · medium

A company has a multi-tier web application running on EC2 instances in a VPC. The web tier must be accessible from the internet, but the application tier should only be accessible from the web tier. Which network design configuration meets these requirements?

A. Use a VPN connection from the web tier to the application tier, and place both tiers in private subnets.
B. Place both tiers in public subnets and use security groups to restrict traffic from the web tier to the application tier.
C. Place web servers in a public subnet with a NAT gateway, and application servers in a private subnet with a default route to the NAT gateway.
D. Place web servers in a public subnet with an internet gateway, and application servers in a private subnet with a route to the web subnet via a VPC peering connection.
Answer: D

This is the correct design for inbound internet access to the web tier and internal access to the app tier.

Why this answer

Option D is correct because public subnets with an internet gateway allow internet access, and private subnets without direct internet access ensure the application tier is only reachable from the web tier via internal routing. Option C is wrong because NAT gateways are for outbound internet access from private subnets, not for inbound. VPC peering does not provide internet access.

Option A is wrong because a VPN connection is for on-premises connectivity, not internet access.

1007
Multi-Select · hard

A company's security team is designing a solution to restrict S3 bucket access based on the requester's network. The company has a set of on-premises IP ranges and wants to ensure that only requests originating from those IPs can access the bucket. Which combination of actions should be taken? (Choose TWO.)

Select 2 answers
A. Configure the EC2 instances in the VPC to use Elastic IPs and allow those IPs in the bucket policy
B. Create a VPC endpoint for S3 and attach a VPC endpoint policy that restricts access to the specific bucket
C. Use AWS WAF to inspect HTTP requests to the bucket
D. Enable S3 Block Public Access on the bucket
E. Create an S3 bucket policy that uses the aws:SourceIp condition to allow access only from the on-premises IP ranges
Answers: B, E

This ensures that even if requests originate from the VPC, they must go through the endpoint and be subject to the policy.

Why this answer

Options B and E are correct. A bucket policy with a source IP condition restricts access to requests from the specified IPs. A VPC endpoint with a VPC endpoint policy restricting access to the bucket ensures that requests from within the VPC (which may have different IPs due to NAT) are only allowed if they come through the endpoint and meet the policy.

Option A is wrong because EC2 instance IPs are dynamic. Option D is wrong because it does not restrict IPs. Option C is wrong because AWS WAF is for web traffic, not S3 access control.

1008
MCQ · medium

A network engineer is configuring an AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network advertises the prefix 10.0.0.0/8. One of the VPCs has a CIDR of 10.0.0.0/16. What will happen to traffic destined to 10.0.0.5 from another VPC attached to the Transit Gateway?

A. Traffic is routed to the VPC because of a more specific route
B. Traffic is dropped due to conflicting routes
C. Traffic is routed to the on-premises network because it is learned via Direct Connect
D. Traffic is load-balanced between the VPC and on-premises
Answer: A

Correct; Transit Gateway uses longest prefix match, and /16 is more specific than /8.

Why this answer

Option A is correct because Transit Gateway uses the most specific route (longest prefix match). The VPC's 10.0.0.0/16 is more specific than the on-premises 10.0.0.0/8, so traffic to 10.0.0.5 will be routed to the VPC. Option D is wrong because route propagation is not the issue; the more specific route is preferred.

Option B is wrong because the traffic is not dropped; it uses the VPC route. Option C is wrong because the on-premises route is less specific, so it will not be used.

1009
Multi-Select · hard

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). The network team notices that traffic to a specific VPC is intermittently failing. The team suspects an issue with BGP routing. Which THREE steps should the team take to troubleshoot the BGP session? (Choose THREE.)

Select 3 answers
A. View the BGP route advertisements received by the on-premises router from AWS.
B. Check the Direct Connect endpoint health in the AWS Management Console.
C. Verify the allowed prefixes configuration on the virtual interface in the AWS console.
D. Examine VPC Flow Logs for dropped packets on the virtual interface.
E. Check the BGP session status using the 'bgp session' command on the on-premises router.
Answers: A, C, E

This helps identify whether AWS is advertising the expected routes.

Why this answer

Option A is correct because viewing the BGP route advertisements received by the on-premises router from AWS directly reveals whether the expected prefixes are being advertised. If the routes are missing or incorrect, the VPC traffic will fail intermittently, making this a primary troubleshooting step for BGP routing issues.

Exam trap

AWS often tests the distinction between physical connectivity checks (like endpoint health) and BGP-specific troubleshooting steps, leading candidates to select options that address layer 1/2 issues instead of the BGP routing layer.

1010
Multi-Select · hard

A company needs to ensure that all outbound traffic from a VPC goes through a centralized inspection appliance in a different VPC. Which TWO actions must be taken to achieve this?

Select 2 answers
A. Deploy VPC endpoints for all AWS services used.
B. Use AWS Direct Connect Gateway to route traffic between VPCs.
C. Create VPC peering connections between all VPCs.
D. Use AWS Transit Gateway with appropriate route tables to direct traffic to the inspection VPC.
E. Configure the inspection VPC to forward traffic to its destination after inspection.
Answers: D, E

Transit Gateway supports transitive routing through route tables.

Why this answer

Option D is correct: Transit Gateway with route tables can direct traffic to the inspection VPC. Option E is correct: the inspection VPC must have routes to forward traffic back. Option C is wrong: VPC peering does not support transitive routing.

Option B is wrong: Direct Connect is for on-premises. Option A is wrong: VPC endpoints do not route general internet traffic.

1011
MCQ · easy

A company wants to improve disaster recovery by replicating data between two AWS Regions. Which AWS service provides a managed solution for cross-Region network connectivity?

A. AWS Direct Connect
B. VPC Peering
C. AWS Site-to-Site VPN
D. AWS Global Accelerator
Answer: D

Global Accelerator improves performance and availability across Regions using the AWS global network.

Why this answer

Option D is correct because AWS Global Accelerator uses the AWS global network to route traffic to optimal endpoints, improving performance and availability for cross-Region replication. Option B is wrong because VPC Peering does not support cross-Region. Option A is wrong because Direct Connect is for on-premises connections.

Option C is wrong because AWS VPN is not managed for cross-Region replication.

1012
Multi-Select · medium

A company wants to inspect traffic between VPCs in the same region using a third-party security appliance. Which THREE components are needed? (Choose 3)

Select 3 answers
A. VPC Peering connections between all VPCs
B. NAT Gateways in each VPC
C. AWS Transit Gateway
D. Route tables in the inspection VPC directing traffic through the appliance
E. A dedicated inspection VPC for the security appliance
Answers: C, D, E

Transit Gateway enables hub-and-spoke connectivity.

Why this answer

Options C, D, and E are correct. A Transit Gateway is needed to interconnect the VPCs. The security appliance must be in a dedicated VPC.

The appliance VPC route tables must route traffic through the appliance. Option A is wrong because VPC Peering cannot do centralized inspection. Option B is wrong because a NAT Gateway is for outbound internet, not inter-VPC inspection.

1013
Multi-Select · hard

A network engineer is troubleshooting a VPN connection that is not passing traffic. The tunnel status shows as 'UP'. Which THREE steps should the engineer take to diagnose the issue?

Select 3 answers
A. Ensure that the security groups for instances allow inbound traffic from the on-premises network
B. Confirm that the on-premises router is advertising the correct routes via BGP
C. Check the IKE and IPsec settings on the customer gateway
D. Verify that the VPC route table has a route to the on-premises network via the virtual private gateway
E. Check the internet gateway route table for the VPC
Answers: A, B, D

Security groups can block traffic even if the VPN is up.

Why this answer

Option A is correct because security groups act as a virtual firewall for instances, controlling inbound and outbound traffic at the instance level. Even if the VPN tunnel is up, traffic will be dropped if the security group does not explicitly allow inbound traffic from the on-premises network's IP range. This is a common misconfiguration that prevents traffic flow despite a healthy tunnel.

Exam trap

The trap here is that candidates assume an 'UP' tunnel guarantees traffic flow, but AWS often tests that Layer 3 routing and security group rules are separate from tunnel status and must be verified independently.

1014
MCQ · medium

A company is using AWS Client VPN to provide remote access to their VPC. They want to ensure that only authenticated users from their corporate Active Directory can access the VPN. Which authentication method should they use?

A. IAM authorization
B. SAML-based federated authentication
C. Certificate-based authentication using AWS Certificate Manager
D. Mutual authentication
Answer: B

SAML allows integration with Active Directory for user authentication.

Why this answer

Option B is correct because AWS Client VPN supports SAML-based federated authentication with Active Directory. Option C is wrong because certificate-based authentication does not tie to Active Directory users. Option D is wrong because mutual authentication still uses certificates.

Option A is wrong because IAM authorization is for AWS API access, not VPN authentication.

1015
MCQ · hard

A company is deploying a latency-sensitive application across multiple AWS Regions. They want to use the AWS global network to route traffic to the nearest edge location for fast content delivery. Which service should they use?

A. AWS Global Accelerator
B. Amazon Route 53
C. AWS Direct Connect
D. Amazon CloudFront
Answer: A

Global Accelerator improves performance by routing traffic over the AWS backbone to the nearest edge.

Why this answer

The correct answer is A because AWS Global Accelerator uses the AWS global network to direct traffic to the optimal endpoint, improving latency. Option D (CloudFront) is a CDN for caching static content. Option B (Route 53) is a DNS service.

Option C (Direct Connect) is for dedicated connections.

1016
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). They launch an EC2 instance in subnet A and another in subnet B. The security groups for both instances allow all traffic from the other instance's private IP. However, the instances cannot communicate. What is the most likely cause?

A. The instances are in different Availability Zones
B. The network ACLs are blocking the traffic
C. The security groups are stateful and block return traffic
D. The route tables do not have a local route
Answer: B

NACLs are stateless and need to allow both outbound and inbound traffic for each direction.

Why this answer

The most likely cause is that the network ACLs (NACLs) are blocking the traffic. Security groups are stateful and allow return traffic automatically, but NACLs are stateless and require explicit inbound and outbound rules for both directions. By default, custom NACLs deny all traffic, so even though the security groups permit communication, the NACLs on subnets A and B must allow the traffic.

The correct answer is B.

Exam trap

The trap here is that candidates often assume security groups are the only firewall layer or forget that NACLs are stateless and require explicit rules for both directions, leading them to overlook NACL misconfigurations when security groups appear permissive.

How to eliminate wrong answers

Option A is wrong because instances in different Availability Zones can communicate within the same VPC as long as routing and security rules permit; AZ placement does not inherently block traffic. Option C is wrong because security groups are stateful, meaning they automatically allow return traffic for permitted outbound connections, so they do not block return traffic. Option D is wrong because VPCs automatically have a local route in the main route table for the VPC CIDR (10.0.0.0/16), enabling communication between subnets without additional routes.

1017
Multi-Select · medium

A company is setting up a site-to-site VPN connection between an on-premises network and AWS. The VPN uses two tunnels for high availability. The network engineer needs to ensure that if one tunnel goes down, traffic automatically fails over to the other tunnel. Which THREE steps should the engineer perform? (Choose THREE.)

Select 3 answers
A. Configure static routes pointing to the VPN connection.
B. Configure BGP on both VPN tunnels.
C. Use a single customer gateway device with multiple BGP sessions.
D. Configure two customer gateway devices on-premises, each with a separate BGP session.
E. Enable route propagation on the VPC route table for the virtual private gateway.
Answers: B, D, E

BGP provides automatic failover between tunnels.

Why this answer

Options B, D, and E are correct. Using BGP allows dynamic routing and failover. Two customer gateway devices provide physical redundancy.

Enabling route propagation on the VPC route table ensures BGP routes are added. Option A is wrong because static routes do not provide automatic failover. Option C is wrong because a single customer gateway device is a single point of failure.

1018
MCQ · hard

A company designs a multi-account AWS environment using AWS Organizations. The networking team wants a centralized inspection VPC for traffic between VPCs and on-premises. Which architecture ensures that all inter-VPC traffic passes through the inspection VPC?

A. VPC peering between all VPCs and the inspection VPC.
B. AWS Network Firewall deployed in each VPC.
C. AWS Transit Gateway with centralized routing to the inspection VPC.
D. AWS Direct Connect Gateway with virtual interfaces.
Answer: C

Centralized routing enforces inspection.

Why this answer

Option C is correct because AWS Transit Gateway enables centralized routing by attaching all VPCs and the on-premises network to a single transit gateway, then configuring route tables to force all inter-VPC traffic through a dedicated inspection VPC appliance (e.g., firewall or NGFW). This ensures traffic flows via the inspection VPC without requiring full-mesh peering or per-VPC firewalls.

Exam trap

The trap here is that candidates often confuse VPC peering with transitive routing, assuming that peering multiple VPCs to a central VPC automatically routes traffic through it, but VPC peering does not support transitive routing: each peering connection is non-transitive, so traffic between two spoke VPCs would not go through the central VPC unless explicit routing is configured, which is complex and not natively supported.

How to eliminate wrong answers

Option A is wrong because VPC peering creates direct, one-to-one connections between VPCs; traffic between peered VPCs does not traverse a central inspection point unless explicitly routed through an intermediate VPC, which would require complex transitive routing that VPC peering does not support (no transitive peering). Option B is wrong because AWS Network Firewall deployed in each VPC only inspects traffic entering or leaving that specific VPC; it does not force inter-VPC traffic to pass through a centralized inspection VPC, as traffic can still flow directly via peering or transit gateway without being routed through the inspection VPC. Option D is wrong because AWS Direct Connect Gateway is used to connect on-premises networks to multiple VPCs via Direct Connect, but it does not provide centralized routing or inspection for inter-VPC traffic; it only extends connectivity from on-premises to VPCs, not between VPCs.

1019
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs. They notice that traffic between two VPCs in different Availability Zones is taking a suboptimal path, resulting in cross-AZ data transfer costs. How can they optimize the path and reduce costs?

A. Replace Transit Gateway with VPC Peering between the VPCs.
B. Use Availability Zone affinity by launching resources in the same AZ and using Transit Gateway to route within the same AZ.
C. Enable Transit Gateway multicast to replicate traffic across AZs.
D. Configure the Transit Gateway to use a single Availability Zone for all attachments.
Answer: B

Correct: keeps traffic within the AZ, avoiding cross-AZ charges.

Why this answer

Option B is correct because ensuring traffic stays within the same AZ avoids cross-AZ data transfer costs. Transit Gateway itself does not have AZ awareness. Option A is wrong because VPC Peering still incurs cross-AZ costs if traffic crosses AZs.

Option D is wrong because moving everything to a single AZ reduces availability.

1020
MCQ · medium

A company has a VPC with CIDR 172.16.0.0/16. They have two subnets: 172.16.1.0/24 (public) and 172.16.2.0/24 (private) in us-west-2a. They have an EC2 instance in the private subnet that needs to access an S3 bucket for log uploads. The company wants to avoid using a NAT Gateway to reduce costs. The S3 bucket is in the same region. Which solution should the network engineer implement?

A. Assign an IAM instance profile to the EC2 instance that allows S3 access.
B. Set up a VPN connection from the VPC to the S3 bucket.
C. Create a VPC Gateway Endpoint for S3 and add a route from the private subnet to the endpoint.
D. Create an S3 access point and configure the VPC to use it.
Answer: C

A gateway endpoint provides private connectivity to S3 without a NAT.

Why this answer

Option C is correct because a VPC Gateway Endpoint for S3 allows private subnet resources to access S3 without traversing the internet or requiring a NAT Gateway. The endpoint uses AWS PrivateLink to route traffic directly to S3 over the AWS network, and you must add a route in the private subnet's route table pointing to the endpoint (prefix list ID) to enable connectivity.

Exam trap

AWS often tests the misconception that an IAM role alone provides network access, but the trap here is that private subnets require a route to S3, and without a NAT Gateway or VPC endpoint, traffic cannot leave the subnet even with correct IAM permissions.

How to eliminate wrong answers

Option A is wrong because an IAM instance profile grants permissions but does not provide network connectivity; the EC2 instance still needs a route to reach S3, and without a NAT Gateway or VPC endpoint, traffic from a private subnet cannot reach S3. Option B is wrong because a VPN connection is used to connect on-premises networks to a VPC, not to access AWS services like S3; S3 does not support VPN termination. Option D is wrong because an S3 access point is a feature for managing data access with specific policies and network controls, but it does not create a network path; you still need a VPC endpoint or other connectivity to route traffic from the private subnet to the access point.

1021
MCQeasy

A company wants to monitor network traffic to and from an EC2 instance to detect anomalous outbound traffic. Which AWS service should they use to capture and analyze the traffic?

A.Amazon GuardDuty
B.Amazon CloudWatch Logs
C.AWS Config
D.VPC Traffic Mirroring
AnswerD

Traffic Mirroring captures and copies traffic for analysis.

Why this answer

Option D is correct because VPC Traffic Mirroring captures and copies traffic for analysis. Option C is wrong because AWS Config records configuration changes. Option B is wrong because CloudWatch Logs can capture logs but not full packet traffic.

Option A is wrong because GuardDuty is a threat detection service that analyzes findings but does not capture raw traffic.

1022
Multi-Selectmedium

A company has a VPC with public and private subnets. The private subnets must access an S3 bucket without traversing the internet. Which TWO methods can achieve this? (Choose TWO.)

Select 2 answers
A.Attach an internet gateway to the VPC and route traffic through it.
B.Create a VPC gateway endpoint for S3 and associate it with the private subnet route tables.
C.Set up a VPN connection to the on-premises network and access S3 from there.
D.Use AWS PrivateLink to create a VPC endpoint for the S3 bucket.
E.Place a NAT gateway in the public subnet and route traffic through it.
AnswersB, D

Gateway endpoint provides private access to S3.

Why this answer

Option B is correct: a VPC gateway endpoint for S3 allows private subnet instances to access S3 privately. Option D is correct: AWS PrivateLink (VPC endpoint services) can also provide private access to S3 if the bucket is configured as an endpoint service. Option E is wrong because a NAT gateway routes through the internet.

Option C is wrong because a VPN does not provide private S3 access. Option A is wrong because an internet gateway exposes traffic to the internet.

1023
MCQeasy

A company wants to enable DNS resolution for a hybrid network using Route 53 Resolver. The on-premises DNS servers are reachable via Direct Connect. The company wants to forward queries for a custom domain (example.corp) from the VPC to on-premises. Which resource should be created in the VPC?

A.A VPC endpoint for Route 53 Resolver service.
B.Route 53 Resolver rule that forwards example.corp to on-premises DNS servers.
C.Route 53 Resolver inbound endpoint.
D.Route 53 Resolver outbound endpoint and associate a resolver rule.
AnswerD

An outbound endpoint forwards DNS queries from VPC to on-premises, and a rule specifies the domain.

Why this answer

Option D is correct because a Route 53 Resolver outbound endpoint forwards DNS queries from the VPC to on-premises DNS servers. Option C is wrong because an inbound endpoint allows on-premises to query VPC DNS. Option B is wrong because a resolver rule specifies which domains to forward, but it must be associated with an endpoint.

Option A is wrong because a VPC endpoint for Route 53 Resolver is not a service; you create endpoints for the resolver service.

1024
MCQhard

A company is setting up AWS Direct Connect with a 1 Gbps dedicated connection. They want redundant connectivity with automatic failover. What is the most cost-effective way to achieve this?

A.Use a single connection with multiple VLANs.
B.Use a single connection with a VPN over the same connection for redundancy.
C.Provision a second Direct Connect connection at a different location and configure BGP.
D.Provision a single Direct Connect connection and use a VPN over the internet as backup.
AnswerC

Two physical connections provide high availability with automatic failover via BGP.

Why this answer

Option C is correct because a second Direct Connect connection at a different location provides true redundancy. Option A is wrong because a single connection is a single point of failure. Option D is wrong because it adds cost without redundancy.

Option B is wrong because a VPN over the same connection doesn't help if the connection fails.

1025
MCQhard

A company has multiple AWS accounts and wants to centrally manage network resources using AWS Transit Gateway. Which feature allows sharing the Transit Gateway across accounts?

A.VPC peering
B.AWS Resource Access Manager (RAM)
C.AWS Organizations
D.AWS Service Catalog
AnswerB

RAM enables sharing Transit Gateways across accounts.

Why this answer

Option B is correct because AWS Resource Access Manager (RAM) allows sharing Transit Gateways across accounts. Option C is wrong because AWS Organizations manages accounts but does not share resources directly. Option A is wrong because VPC peering is a separate feature.

Option D is wrong because AWS Service Catalog is for creating standardized products.

1026
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team wants to ensure that traffic between VPCs is inspected by a centralized security appliance running in a security VPC. Which configuration should be used?

A.Configure network ACLs in each VPC to deny traffic directly between VPCs.
B.Attach the VPCs to the Transit Gateway and configure route tables to send inter-VPC traffic to the security VPC via a blackhole route.
C.Create VPC peering connections between each VPC and the security VPC, then update route tables.
D.Use NAT gateways in each VPC to route traffic through the security VPC.
AnswerB

Forces traffic through the security VPC for inspection.

Why this answer

Option B is correct because Transit Gateway route tables with route propagation and blackhole routes enable inspection. Option C is wrong because VPC peering is not centralized. Option D is wrong because NAT gateways are for outbound traffic only.

Option A is wrong because network ACLs are stateless and not designed for traffic inspection routing.

1027
MCQmedium

A company is designing a network for a containerized microservices application running on Amazon ECS. The application consists of several microservices that need to communicate with each other. The company wants to use service discovery so that services can find each other by name. They also want to ensure that traffic between services is encrypted in transit. The microservices are deployed across multiple Availability Zones. Which combination of services should the company use?

A.Use AWS Cloud Map for service discovery and AWS App Mesh for encryption in transit
B.Use an Application Load Balancer for each service and configure HTTPS listeners
C.Use VPC peering between each service's VPC
D.Use Amazon Route 53 private hosted zones for service discovery and enable encryption at the application layer
AnswerA

Cloud Map provides service discovery; App Mesh provides encryption.

Why this answer

AWS Cloud Map provides service discovery by registering microservices with DNS names and health checks, allowing ECS tasks to resolve each other by name. AWS App Mesh uses Envoy sidecar proxies to enforce mutual TLS (mTLS) encryption between services, ensuring traffic is encrypted in transit without requiring changes to application code. This combination meets the requirements for name-based discovery and encrypted inter-service communication across multiple Availability Zones.

Exam trap

The trap here is that candidates often confuse service discovery with load balancing or assume that a private hosted zone alone provides encryption, when in fact DNS-based discovery (Route 53) only resolves names and requires a separate mechanism like App Mesh or mTLS to encrypt traffic in transit.

How to eliminate wrong answers

Option B is wrong because using an Application Load Balancer for each service introduces unnecessary complexity and cost, and ALBs operate at the application layer (HTTP/HTTPS), which does not provide encryption for all inter-service traffic (e.g., gRPC or TCP-based services) and does not natively provide service discovery by name without additional DNS integration. Option C is wrong because VPC peering connects entire VPCs, not individual services, and does not provide service discovery or encryption; it only enables network-layer connectivity between VPCs. Option D is wrong because Amazon Route 53 private hosted zones can provide DNS-based service discovery, but they do not encrypt traffic; encryption at the application layer must be implemented separately by the application code, which violates the requirement for transparent encryption in transit.

1028
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT Gateway in the public subnet. The download is failing. Which configuration should the network engineer check FIRST?

A.The network ACL for the private subnet allows inbound HTTP/HTTPS traffic.
B.The EC2 instance has a public IP address assigned.
C.The Internet Gateway is attached to the private subnet.
D.The route table associated with the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway.
AnswerD

Correct: Without this route, traffic cannot reach the NAT Gateway.

Why this answer

Option D is correct because for an EC2 instance in a private subnet to reach the internet via a NAT Gateway, the private subnet's route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. Without this route, traffic from the instance destined for the internet has no path to the NAT Gateway, causing the download to fail.

Exam trap

AWS often tests the misconception that a private instance needs a public IP or that NACLs are the primary cause of outbound internet failures, when in fact the missing default route to the NAT Gateway is the most common misconfiguration.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and must allow both inbound and outbound traffic; however, the default NACL already allows all traffic, and the failure is more likely due to routing, not ACLs. Option B is wrong because an EC2 instance in a private subnet does not need a public IP address to access the internet through a NAT Gateway; the NAT Gateway itself uses an Elastic IP, and the instance uses the NAT's public IP for outbound traffic. Option C is wrong because an Internet Gateway is attached to the VPC, not to a subnet, and it is used by public subnets; private subnets route through the NAT Gateway, not directly through the Internet Gateway.

1029
MCQeasy

A network engineer is troubleshooting an issue where an EC2 instance in a public subnet cannot reach the internet. The instance has a public IP, and the route table has a default route to an internet gateway. What is the most likely cause?

A.The network ACL is blocking outbound traffic
B.The internet gateway is not attached to the VPC
C.The security group does not allow outbound HTTP traffic
D.The instance does not have a public IP
AnswerA

Network ACLs are stateless and must explicitly allow outbound traffic and inbound return traffic.

Why this answer

Even with correct routes, if the subnet's network ACL does not allow outbound traffic, the instance cannot reach the internet. Network ACLs are stateless and must allow both outbound and inbound ephemeral ports.

1030
MCQmedium

A company wants to restrict access to an Amazon S3 bucket so that only traffic from a specific AWS Direct Connect virtual interface (VIF) can access it. Which combination of steps should the company take?

A.Attach an S3 bucket policy that denies access unless the source IP is the public IP address of the Direct Connect VIF.
B.Create a VPC endpoint for S3 with a VPC endpoint policy that allows access only from the VPC, and configure the VPC route table to route S3 traffic through the Direct Connect VIF.
C.Create a network ACL that allows S3 traffic only from the Direct Connect CIDR block and associate it with the VPC subnet connected to the VIF.
D.Configure the Direct Connect VIF with a public IP address and use an S3 bucket policy that allows access only from that IP address.
AnswerB

This ensures that S3 traffic must traverse the VPC endpoint, and the route table forces traffic through the Direct Connect VIF, restricting access to that path.

Why this answer

Option B is correct because using a VPC endpoint with a VPC endpoint policy and a VPC route table that routes traffic through the Direct Connect VIF ensures that only traffic from that VIF can access the S3 bucket. Option C is wrong because network ACLs are stateless and not appropriate for this use case. Option A is wrong because a bucket policy with an IP address condition does not enforce the path through the Direct Connect VIF.

Option D is wrong because Direct Connect does not assign public IP addresses to VIFs.

1031
Multi-Selectmedium

Which THREE factors should be considered when designing a highly available AWS Site-to-Site VPN connection?

Select 3 answers
A.Use two VPN tunnels with the same customer gateway IP
B.Enable BGP for dynamic route propagation
C.Use two VPN tunnels each with a different customer gateway IP
D.Use a single VPN tunnel with a static route
E.Configure redundant customer gateways
AnswersB, C, E

BGP provides automatic failover and route propagation.

Why this answer

BGP (Border Gateway Protocol) enables dynamic route propagation across the VPN tunnels, allowing automatic failover and route convergence if one tunnel goes down. This is critical for high availability because it eliminates the need for manual route updates and supports path selection based on BGP attributes, ensuring traffic is rerouted through the remaining healthy tunnel.

Exam trap

AWS often tests the misconception that using two tunnels with the same customer gateway IP (Option A) provides redundancy, but the trap is that this still creates a single point of failure at the customer gateway device itself, whereas true high availability requires separate customer gateway IPs (Option C) and redundant gateways (Option E).

1032
MCQhard

A company runs a multi-tier web application on AWS. The web servers in public subnets need to send traffic to the application servers in private subnets. The application servers must only accept traffic from the web servers. Both tiers are in the same VPC. Which design meets these requirements without introducing a single point of failure or unnecessary complexity?

A.Place the web servers in a public subnet with a security group that allows inbound from 0.0.0.0/0 on port 443. Place the app servers in a private subnet with a security group that allows inbound from the web server security group on the application port.
B.Place the web servers and app servers in the same private subnet behind an internal Network Load Balancer. Route web traffic through the NLB.
C.Place the web servers in a public subnet with an Internet Gateway. Place the app servers in a private subnet with a NAT Gateway for outbound traffic. Use NACLs to allow inbound from the web subnet CIDR.
D.Place the web servers in a public subnet with a NACL allowing inbound on port 443. Place the app servers in a private subnet with a NACL allowing inbound from the web subnet CIDR on the application port.
AnswerA

This is correct because it uses security group references for fine-grained, stateful filtering without introducing a single point of failure.

Why this answer

Option A is correct because it uses security group referencing, which allows the app servers' security group to dynamically allow traffic from any instance associated with the web servers' security group, regardless of IP address changes. This design avoids a single point of failure by not introducing any load balancer or gateway, and it minimizes complexity by leveraging native VPC security group behavior within the same VPC.

Exam trap

The trap here is that candidates often overcomplicate the solution by introducing load balancers or NAT gateways, or they incorrectly choose NACLs over security groups, not realizing that security group referencing provides a simpler, more dynamic, and more secure solution without single points of failure.

How to eliminate wrong answers

Option B is wrong because placing both tiers in the same private subnet behind an internal Network Load Balancer introduces a single point of failure (the NLB) and unnecessary complexity, as the requirement can be met with simple security group rules without a load balancer. Option C is wrong because using a NAT Gateway for outbound traffic is irrelevant to the requirement of allowing inbound traffic from web servers to app servers; it also introduces a single point of failure and unnecessary complexity. Option D is wrong because using NACLs to allow inbound from the web subnet CIDR is less secure and less dynamic than security group referencing, and NACLs are stateless, requiring separate rules for return traffic, which adds complexity and potential misconfiguration.

1033
MCQeasy

A company has a VPC with public and private subnets in two Availability Zones. The company hosts a web application on EC2 instances in the private subnets. The application needs to access an S3 bucket. What is the MOST cost-effective and secure way to provide this access?

A.Deploy a NAT Gateway in each public subnet and route traffic from private subnets through it.
B.Use AWS Transit Gateway to route traffic to S3 via a centralized VPN.
C.Attach an Internet Gateway to the VPC and assign public IPs to the EC2 instances.
D.Create a VPC Gateway Endpoint for S3 and attach it to the private subnet route tables.
AnswerD

Cost-effective and secure; no data transfer costs.

Why this answer

Option D is correct because a VPC Gateway Endpoint for S3 provides private connectivity without traversing the internet, and it is free of charge (no data transfer costs). Option A is wrong because a NAT Gateway incurs hourly charges and data processing fees. Option B is wrong because a Transit Gateway is not needed for a single VPC.

Option C is wrong because an Internet Gateway exposes traffic to the internet and would require public IPs or NAT, increasing cost and risk.

1034
MCQeasy

A company needs to securely connect multiple VPCs across different AWS Regions using AWS backbone network infrastructure without traversing the public internet. The solution must be managed centrally and support transitive routing between VPCs. Which service should the company use?

A.VPC peering connections in a full mesh.
B.AWS PrivateLink and VPC Endpoints.
C.AWS Transit Gateway with inter-region peering.
D.AWS ClassicLink.
AnswerC

Transit Gateway supports transitive routing across VPCs and regions using inter-region peering.

Why this answer

Option C is correct because AWS Transit Gateway supports transitive routing between VPCs across regions and uses the AWS backbone. Option A is wrong because VPC peering does not support transitive routing. Option B is wrong because VPC endpoints are for service access.

Option D is wrong because ClassicLink is obsolete and does not support transitive routing.

1035
MCQhard

A financial services company is required to encrypt all data at rest and in transit. They have an Amazon S3 bucket with server-side encryption enabled (SSE-S3) and are using HTTPS for all API calls. During an audit, the auditor points out that the bucket policy does not explicitly deny requests that do not use HTTPS. Which of the following should the company add to the bucket policy to enforce HTTPS?

A.{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
B.{"Effect":"Allow","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
C.{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"true"}}}
D.{"Effect":"Deny","Principal":"*","Action":"s3:*","Resource":"arn:aws:s3:::bucketname/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}
AnswerD

This denies requests when SecureTransport is false, effectively requiring HTTPS.

Why this answer

Option D is correct because the condition block with aws:SecureTransport false and a Deny effect ensures that any request not using HTTPS is denied. Option B is wrong because it allows HTTPS requests but does not deny non-HTTPS requests.

Options A and C are wrong because they use Bool with true under a Deny effect; the condition must be false to deny non-HTTPS requests, and denying when SecureTransport is true would block HTTPS requests.
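To make the difference between the four statements concrete, here is an added example (not part of the question bank) that runs each option through a minimal model of IAM's Bool condition matching against a plain-HTTP request and an HTTPS request; the bucket name and resource ARN are taken from the options, and the evaluator models only the Bool operator and the Deny-over-Allow ordering.

```python
"""Added example (not from the question bank): evaluate the four candidate
bucket-policy statements from question 1035 against an HTTP request and an
HTTPS request, with a deliberately minimal model of IAM's Bool condition."""
import json

RESOURCE = "arn:aws:s3:::bucketname/*"   # resource ARN as written in the options


def _stmt(effect, secure_transport):
    """Build one option's statement; only Effect and the Bool value differ."""
    return json.dumps({
        "Effect": effect, "Principal": "*", "Action": "s3:*", "Resource": RESOURCE,
        "Condition": {"Bool": {"aws:SecureTransport": secure_transport}},
    })


# The four options exactly as the question presents them (A and C are identical).
OPTIONS = {
    "A": _stmt("Deny", "true"),
    "B": _stmt("Allow", "true"),
    "C": _stmt("Deny", "true"),
    "D": _stmt("Deny", "false"),
}

HTTP_REQUEST = {"aws:SecureTransport": "false"}   # request over plain HTTP
HTTPS_REQUEST = {"aws:SecureTransport": "true"}   # request over TLS


def condition_matches(condition, request_context):
    """Model IAM's Bool operator: every listed key must be present in the
    request context and equal the expected value (case-insensitively)."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = request_context.get(key)
            if actual is None or actual.lower() != expected.lower():
                return False
    return True


def statement_effect(statement, request_context):
    """Return 'Deny' or 'Allow' if the statement applies to the request,
    otherwise None. Principal, Action and Resource are wildcards here, so
    only the condition decides applicability."""
    if not condition_matches(statement.get("Condition", {}), request_context):
        return None
    return statement["Effect"]


def evaluate(statements, request_context):
    """IAM evaluation logic: an applicable explicit Deny wins, then an
    applicable Allow, then the implicit deny when nothing applies."""
    effects = {statement_effect(s, request_context) for s in statements}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def effect_of(letter, secure):
    """Outcome of option `letter` on its own for an HTTPS (secure=True) or
    plain-HTTP request."""
    stmt = json.loads(OPTIONS[letter])
    return evaluate([stmt], HTTPS_REQUEST if secure else HTTP_REQUEST)


def enforces_https(letter):
    """True only if the option denies plain HTTP without denying HTTPS."""
    return effect_of(letter, secure=False) == "Deny" and effect_of(letter, secure=True) != "Deny"


def options_that_enforce_https():
    return sorted(letter for letter in OPTIONS if enforces_https(letter))


if __name__ == "__main__":
    for letter in OPTIONS:
        print(letter, "HTTP ->", effect_of(letter, False), "HTTPS ->", effect_of(letter, True))
    # Note on option B: an Allow with Principal "*" does not restrict anything;
    # on its own it grants anonymous access over HTTPS to the whole bucket.
    print("options that enforce HTTPS:", options_that_enforce_https())
```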

1036
Multi-Selecthard

Which THREE of the following are benefits of using AWS Transit Gateway over VPC peering for inter-VPC connectivity? (Choose three.)

Select 3 answers
A.Transitive routing between all attached VPCs
B.Lower latency than VPC peering
C.Support for connecting to on-premises networks via Direct Connect and VPN
D.No additional cost compared to VPC peering
E.Centralized management of network connections
AnswersA, C, E

Transit Gateway supports transitive routing; VPC peering does not.

Why this answer

Transit Gateway simplifies connectivity by acting as a hub, supports transitive routing, and can connect multiple VPCs and on-premises networks via a single gateway.

1037
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. Network engineers report intermittent connectivity issues between VPC A and the on-premises network. The transit gateway route table shows the on-premises CIDR (10.0.0.0/8) propagated from the VPN attachment. VPC A has a subnet route pointing to the transit gateway for 10.0.0.0/8. Which step should the engineer take FIRST to diagnose the issue?

A.Verify that the VPN tunnel status shows as UP on both sides.
B.Enable VPC Flow Logs on VPC A to verify traffic reaching the transit gateway.
C.In the transit gateway route table, verify that the VPN attachment is correctly associated and that the 10.0.0.0/8 route is propagated and has the correct attachment.
D.Check the security group rules on the EC2 instances in VPC A for outbound traffic.
AnswerC

This directly checks whether the transit gateway is correctly routing traffic to the VPN attachment for the on-premises CIDR.

Why this answer

Option C is correct because the first diagnostic step for intermittent connectivity through a transit gateway is to verify the route table configuration. The engineer must confirm that the VPN attachment is correctly associated with the transit gateway route table and that the 10.0.0.0/8 route is propagated from the VPN attachment, as a missing or misassociated route would cause traffic to be dropped even if the VPN tunnel is up.

Exam trap

The trap here is that candidates often jump to checking the VPN tunnel status (Option A) first, assuming the tunnel is the root cause, but the question specifically describes intermittent connectivity that is more likely due to a routing misconfiguration in the transit gateway route table rather than a tunnel flap.

How to eliminate wrong answers

Option A is wrong because verifying the VPN tunnel status is a later step; the tunnel can be UP but traffic may still fail if the transit gateway route table lacks the correct route or association. Option B is wrong because enabling VPC Flow Logs on VPC A would confirm traffic reaching the transit gateway, but it does not diagnose whether the transit gateway is correctly routing the traffic to the VPN attachment, which is the core issue. Option D is wrong because security group rules on EC2 instances control host-level filtering, not the transit gateway routing path; the issue is at the network layer, not the instance firewall.

1038
MCQmedium

A company wants to restrict access to an S3 bucket so that only traffic from a specific AWS account is allowed. Which S3 bucket policy condition key should be used to achieve this?

A.aws:PrincipalAccount
B.aws:Referer
C.aws:SourceAccount
D.aws:SourceArn
AnswerC

'aws:SourceAccount' ensures the request comes from a specific AWS account.

Why this answer

Using the 'aws:SourceAccount' condition key ensures that only requests originating from the specified AWS account are allowed. Option A is wrong because 'aws:PrincipalAccount' checks the principal's account, not the source account. Option D is wrong because 'aws:SourceArn' checks the ARN of the source resource.

Option B is wrong because 'aws:Referer' checks the HTTP Referer header.

1039
MCQhard

A financial services company uses AWS Direct Connect to connect its data center to multiple VPCs via a transit gateway. They need to meet PCI DSS compliance requirements by encrypting all traffic between the data center and AWS. What solution meets this requirement with the least operational overhead?

A.Enable MACsec on the Direct Connect connection.
B.Use TLS for all application traffic between data center and VPC.
C.Use private VIFs without additional encryption.
D.Create an IPsec VPN tunnel over the Direct Connect VIF to encrypt traffic.
AnswerA

MACsec provides Layer 2 encryption with minimal overhead.

Why this answer

Option A is correct because MACsec provides encryption at Layer 2 without requiring VPN tunnels or additional configuration. Option D is incorrect because IPsec over Direct Connect adds overhead and complexity. Option B is incorrect because TLS is for application-level traffic, not all traffic.

Option C is incorrect because private VIFs do not encrypt traffic by default.

1040
MCQeasy

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while preventing inbound traffic from the internet. Which AWS service should they use?

A.VPC Peering
B.NAT Gateway
C.Internet Gateway
D.VPN Connection
AnswerB

A NAT Gateway enables outbound internet from private subnets.

Why this answer

A NAT Gateway allows outbound internet traffic from private subnets while blocking inbound traffic. Option C is wrong because an Internet Gateway allows inbound traffic. Option A is wrong because a VPC Peering connection does not provide internet access.

Option D is wrong because a VPN connection does not provide internet access.

1041
Multi-Selecthard

A company has multiple VPCs connected via a Transit Gateway. They want to implement network segmentation so that only specific VPCs can communicate with each other. Which TWO methods can achieve this? (Choose two.)

Select 2 answers
A.Deploy AWS Network Firewall in a centralized inspection VPC
B.Use Transit Gateway route tables with specific associations and propagations
C.Assign instances to different security groups
D.Configure network ACLs on each subnet
E.Create separate VPC peering connections
AnswersA, B

Network Firewall can filter traffic between VPCs.

Why this answer

AWS Network Firewall can be deployed in a centralized inspection VPC to filter traffic between VPCs attached to a Transit Gateway. By routing inter-VPC traffic through the firewall appliance, you can enforce stateful inspection and allow or deny traffic based on source/destination VPCs, achieving network segmentation.

Exam trap

AWS often tests the misconception that security groups or network ACLs can control inter-VPC traffic across a Transit Gateway, but these constructs are limited to within a single VPC and do not affect transit routing.

1042
MCQmedium

A company uses AWS Shield Advanced to protect their web application against DDoS attacks. They have configured automatic application layer DDoS mitigation with AWS WAF. During a recent attack, the application experienced increased latency, and some legitimate users were blocked. The security team reviews the WAF logs and finds that many requests from legitimate IPs were rate-limited. The team had set a rate-based rule with a threshold of 100 requests per 5 minutes. What is the most likely reason legitimate users were blocked?

A.The rate-based rule is set to block requests for 24 hours after the threshold is exceeded, and once triggered, all requests from that IP are blocked indefinitely.
B.The WAF web ACL is associated with an Application Load Balancer that is not configured for sticky sessions, causing requests from the same user to be distributed across multiple IPs.
C.The rate-based rule uses the source IP address as the aggregation key, and legitimate users behind a NAT gateway share the same public IP, causing the aggregate rate to exceed the threshold.
D.The rate-based rule is evaluating requests before the WAF allows them, and the threshold is too low, but the rule action is set to 'count' instead of 'block', so it should not block traffic.
AnswerC

When multiple legitimate users share a single public IP (e.g., via NAT), their combined requests can exceed the rate limit, causing blocking of all users behind that IP.
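The shared-IP effect is easy to reproduce. The following added example (not from the question bank) models a rate-based rule's per-key counting over a 5-minute window with the 100-request threshold from the question, runs it over constructed traffic in which 30 users behind one NAT address each make only 4 requests, and then re-aggregates on a hypothetical (IP, session) key to show how a finer aggregation key keeps the individual users below the limit; the sliding-window counter is a simplification of WAF's periodic evaluation, and the session field is an assumption.

```python
"""Added example (not from the question bank): a small model of an AWS WAF
rate-based rule aggregating on source IP, to show how users sharing one NAT
address collectively trip a 100-requests-per-5-minutes limit while each user
individually stays far below it."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # rate-based rules count requests over a 5-minute window
THRESHOLD = 100        # the limit the team configured in the question


def rate_limited_keys(requests, threshold=THRESHOLD, key_fn=lambda r: r["ip"]):
    """Return the set of aggregation keys whose request count inside any
    WINDOW_SECONDS-long window reaches `threshold`.

    `requests` is a list of dicts with 'ts' (seconds) and 'ip'; `key_fn` picks
    the aggregation key (source IP is AWS WAF's default). This uses an exact
    sliding window; WAF's real evaluation is periodic and approximate, so this
    is a model of the aggregation, not WAF's own algorithm."""
    windows = defaultdict(deque)   # key -> timestamps still inside the window
    limited = set()
    for req in sorted(requests, key=lambda r: r["ts"]):
        key = key_fn(req)
        q = windows[key]
        q.append(req["ts"])
        while q and req["ts"] - q[0] >= WINDOW_SECONDS:   # drop expired entries
            q.popleft()
        if len(q) >= threshold:
            limited.add(key)
    return limited


def constructed_traffic():
    """Constructed sample traffic (not real logs): 30 office users behind one
    NAT address (203.0.113.10) each make 4 requests over 5 minutes, and one
    remote user at 198.51.100.7 makes 50 requests in the same period."""
    reqs = []
    for user in range(30):
        for n in range(4):
            reqs.append({"ts": user * 9 + n * 2, "ip": "203.0.113.10",
                         "session": f"office-user-{user}"})   # hypothetical session id
    for n in range(50):
        reqs.append({"ts": n * 5, "ip": "198.51.100.7", "session": "remote-user"})
    return reqs


def limited_by_source_ip():
    """Default aggregation: the shared NAT address (120 requests) is limited,
    the remote user (50 requests) is not."""
    return rate_limited_keys(constructed_traffic())


def limited_by_ip_and_session():
    """Aggregating on (IP, session), a hypothetical stand-in for a finer WAF
    aggregation key, counts each office user separately (4 requests each)."""
    return rate_limited_keys(constructed_traffic(),
                             key_fn=lambda r: (r["ip"], r["session"]))


if __name__ == "__main__":
    print("limited by source IP:", limited_by_source_ip())
    print("limited by (IP, session):", limited_by_ip_and_session())
```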

1043
MCQmedium

A media company is designing a network for a new AWS environment. They have a VPC with public and private subnets in three Availability Zones. In the private subnets, they run a fleet of Amazon EC2 instances that process video files from an Amazon S3 bucket. The S3 bucket is in the same region. The company wants to ensure that all traffic to S3 stays within the AWS network and does not traverse the internet. They also need to allow the EC2 instances to access the internet for software updates, but only through a centralized NAT gateway. Currently, there is one NAT gateway in AZ1. The network engineer has created a VPC endpoint for S3 (Gateway type) and associated it with the route tables for the private subnets. However, the EC2 instances in AZ2 and AZ3 cannot reach the NAT gateway for internet access. What is the most likely cause?

A.The route table for private subnets now has a more specific route for S3 that overrides the default route to the NAT gateway
B.The VPC endpoint needs to be created in each Availability Zone
C.The NAT gateway is only available in the AZ where it is deployed
D.The S3 VPC endpoint is only accessible from the AZ where it was created
AnswerA

The endpoint adds a route for the S3 prefix list; if the prefix list erroneously includes 0.0.0.0/0, or if the endpoint route is not properly scoped, it can cause issues. More commonly, the endpoint adds a route for the S3 service (e.g., com.amazonaws.<region>.s3) which does not affect the default route. However, in some configurations, if the endpoint is added with a policy that allows all traffic, it might still work. The most likely issue is that the NAT gateway route is missing or the route table does not have a default route to the NAT gateway. But among the options, A is the closest because misconfiguration can lead to the endpoint route overriding the default route.

Why this answer

Option A is correct. The Gateway VPC Endpoint for S3 adds a route in the private subnet route tables that points 0.0.0.0/0 to the endpoint, which overrides the default route to the NAT gateway. This prevents traffic destined for the internet from reaching the NAT gateway.

Option D is wrong because the VPC endpoint is in the same region and works across AZs. Option C is wrong because the NAT gateway is in AZ1, but instances in other AZs can still route to it if the route table has a 0.0.0.0/0 route pointing to the NAT gateway. Option B is wrong because the S3 endpoint does not need to be in every AZ; Gateway endpoints are regional.

1044
MCQ (hard)

A company has a hybrid network with multiple AWS Direct Connect connections to different VPCs. The on-premises network uses BGP to advertise prefixes to AWS. The network team notices that some on-premises prefixes are not being received by the VPCs. What is the MOST likely cause?

A. The on-premises router is advertising more than 100 prefixes over the BGP session
B. The on-premises router is not using BGP communities
C. The on-premises router is using AS_PATH prepending
D. The on-premises router is not setting the MED attribute
Answer: A

AWS limits the number of prefixes per BGP session to 100 by default. Exceeding this causes rejection.

Why this answer

Option A is correct because the maximum number of routes advertised over a Direct Connect virtual interface is 100 by default, and exceeding this limit causes BGP to reject additional routes. Option C is wrong because AS_PATH prepending would affect route preference, not advertisement. Option D is wrong because the MED attribute affects path selection, not advertisement.

Option B is wrong because BGP communities are optional and not required for prefix advertisement.

1045
MCQ (easy)

A company wants to monitor network traffic between its EC2 instances and determine which IP addresses are generating the most traffic. Which AWS service should be used to capture and analyze this traffic?

A. AWS Trusted Advisor
B. AWS CloudTrail
C. AWS Config
D. VPC Flow Logs
Answer: D

Flow Logs capture IP traffic metadata.

Why this answer

Option D is correct because VPC Flow Logs capture IP traffic information and can be published to CloudWatch Logs or S3 for analysis. Option B is wrong because CloudTrail records API calls, not network traffic. Option C is wrong because AWS Config records resource configuration changes.

Option A is wrong because Trusted Advisor provides best-practice checks, not traffic analysis.

1046
MCQ (hard)

A company uses AWS Direct Connect with a private VIF and a virtual private gateway (VGW) to connect its on-premises data center to a VPC. The on-premises network uses BGP to advertise routes to AWS. The VPC has multiple subnets. The company wants to ensure that only traffic destined for the VPC CIDR (10.0.0.0/16) is sent over Direct Connect, and all other traffic uses the internet. However, after configuration, on-premises users can access the internet through the Direct Connect link, which is unintended. What change should be made to restrict traffic?

A. Add a static route in the VPC route table to send all traffic to the internet gateway.
B. Disable route propagation for the private subnet route table.
C. Configure the on-premises router to only accept the VPC CIDR route from AWS and not a default route.
D. Remove the virtual private gateway and use a VPN connection instead.
Answer: C

This prevents the on-premises network from using Direct Connect for internet traffic.

Why this answer

Option C is correct. The on-premises router should only accept the VPC CIDR (10.0.0.0/16) from AWS, and AWS should not advertise a default route to on-premises. A Direct Connect private VIF can propagate a default route if it is configured to do so.

To prevent on-premises from using Direct Connect for internet traffic, ensure that the on-premises router does not accept a default route from AWS, or that AWS does not advertise one. Option D is incorrect because removing the VGW disconnects the VPC. Option A is incorrect because adding a static route in the VPC route table would not fix the issue.

Option B is incorrect because disabling route propagation for the specific subnet does not affect BGP advertisements.

1047
MCQ (hard)

A financial services company is designing a multi-region architecture for disaster recovery. They have a primary VPC in us-east-1 and a standby VPC in us-west-2. Each VPC has its own CIDR block (10.0.0.0/16 and 10.1.0.0/16). They want to use an inter-region VPC peering connection for replication traffic. Which of the following is a required step to establish this peering connection?

A. Ensure the VPC CIDR blocks do not overlap.
B. Create a VPN attachment between the two VPCs using AWS Site-to-Site VPN.
C. The owner of each VPC must accept the peering connection request.
D. Create two separate peering connections, one for each direction of traffic.
Answer: C

Both sides must accept the peering request for it to be active.

Why this answer

Option C is correct: for inter-region VPC peering, the owner of each VPC must accept the peering request. Option B is wrong because VPC peering does not use a VPN connection. Option A is wrong because the CIDR blocks are already non-overlapping.

Option D is wrong because the peering connection is a single entity; you do not create two separate connections.

1048
MCQ (medium)

A company is deploying a multi-tier web application across two AWS Regions with an active-passive failover architecture. The application uses Application Load Balancers (ALBs) in each Region, and traffic must be directed to the active Region using DNS. Which routing policy should be used for the Amazon Route 53 record set to achieve this?

A. Geolocation routing policy
B. Failover routing policy
C. Weighted routing policy
D. Latency routing policy
Answer: B

Failover routing policy is designed for active-passive failover configurations.

Why this answer

Option B is correct because a failover routing policy is used for active-passive configurations where one resource is primary and the other is secondary, allowing Route 53 to direct traffic to the active region and fail over to the passive region if the primary becomes unhealthy. Option C (weighted) distributes traffic across multiple resources. Option D (latency) routes based on lowest latency.

Option A (geolocation) routes based on user location.

1049
MCQ (medium)

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to inspect all traffic between VPCs and on-premises using a centralized firewall appliance. Which architecture meets this requirement?

A. Deploy AWS Network Firewall in each VPC and route all traffic through it.
B. Connect all VPCs to on-premises via AWS Direct Connect and inspect traffic on-premises.
C. Create VPC peering connections between each VPC and the firewall VPC.
D. Use Transit Gateway with a central inspection VPC that hosts the firewall appliance.
Answer: D

Centralized inspection via Transit Gateway route tables.

Why this answer

Option D is correct because a Transit Gateway with a centralized inspection VPC allows routing all inter-VPC and on-premises traffic through the firewall appliances via Transit Gateway route tables. Option C is wrong because VPC peering does not centralize inspection. Option B is wrong because Direct Connect alone does not provide inspection.

Option A is wrong because, although AWS Network Firewall can be deployed in each VPC, the question asks for a centralized architecture; a central inspection VPC is the better design pattern.

1050
MCQ (medium)

A company has deployed a VPC with a public subnet and a private subnet in each of two Availability Zones. They have an Application Load Balancer (ALB) in the public subnets and EC2 instances in the private subnets. The EC2 instances need to access an external API over HTTPS. What is the MOST secure way to provide this access?

A. Deploy a NAT Gateway in each public subnet and add a default route in the private subnet route tables pointing to the NAT Gateway.
B. Create a VPC endpoint for the external API service.
C. Assign public IP addresses to the EC2 instances and allow outbound traffic in the security group.
D. Set up a VPN connection to an on-premises network that has internet access.
Answer: A

NAT Gateway provides outbound-only internet access securely.

Why this answer

Option A is correct: a NAT Gateway in a public subnet allows outbound HTTPS traffic from private instances while preventing unsolicited inbound traffic. Option C is wrong because a public IP on the instances exposes them to the internet. Option D is wrong because a VPN is for private connectivity, not internet access.

Option B is wrong because VPC endpoints are for specific AWS services, not external APIs.
