AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 1126-1200

1705 questions total · 23 pages · All types, answers revealed

Page 16 of 23
1126
MCQ · medium

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to two on-premises locations via AWS Direct Connect. Each Direct Connect connection uses a private VIF. The company wants to use BGP to exchange routes. The on-premises routers advertise the same prefix 10.0.0.0/8 for both connections. How should the network engineer configure the VPC route tables to ensure traffic is load balanced across both Direct Connect connections?

A. Create a VPN connection over the Direct Connect and use BGP with different metrics.
B. Create two separate route tables and associate each with half the subnets.
C. Use AWS Transit Gateway with equal cost multipath routing.
D. Allow BGP to install both routes; AWS will automatically load balance across them using ECMP.
Answer: D

When identical routes are learned from two Direct Connect connections, AWS uses ECMP.

Why this answer

AWS supports equal cost multipath (ECMP) only when BGP routes are learned from different Direct Connect connections with the same prefix and the same AS path length. Since both on-premises routers advertise the same prefix with an identical AS path, AWS installs two equal-cost routes and load balances (ECMP) across them. Option D is correct.

Option A is incorrect because using a VPN would not use Direct Connect. The remaining options are incorrect: weight-based routing requires different weights, and AWS does not support ECMP across different prefixes.

1127
Multi-Select · medium

A company has a VPC with multiple subnets. They want to use VPC Flow Logs to capture network traffic metadata for troubleshooting. Which TWO of the following are valid destinations for VPC Flow Logs? (Select TWO.)

Select 2 answers
A. Amazon CloudWatch Logs log group
B. Amazon Kinesis Data Firehose delivery stream
C. AWS Lambda function
D. Amazon Simple Queue Service (SQS) queue
E. Amazon S3 bucket
Answers: A, E

CloudWatch Logs is a supported destination for VPC Flow Logs.

Why this answer

Options A and E are correct. VPC Flow Logs can be published to Amazon S3 or Amazon CloudWatch Logs. Option B is wrong because Kinesis Data Firehose is not a direct destination; you can use a CloudWatch Logs subscription filter to send to Firehose.

Option D is wrong because SQS is not a supported destination. Option C is wrong because Lambda is not a direct destination; you can use a CloudWatch Logs subscription filter to invoke Lambda.

1128
MCQ · medium

A company has a VPC with private subnets that use a NAT gateway for outbound internet access. The NAT gateway is in a public subnet with an Elastic IP. Users report that some applications are failing to connect to external services. Network engineers confirm that the NAT gateway is in the 'available' state and the route tables have a default route (0.0.0.0/0) pointing to the NAT gateway. What is the most likely cause?

A. The security group for the private instances is blocking outbound traffic.
B. The network ACL for the public subnet is blocking inbound traffic on ephemeral ports.
C. The NAT gateway has reached its connection limit.
D. The route table for the private subnets is missing a route to the internet gateway.
Answer: B

NACL must allow inbound traffic from the internet on ephemeral ports (1024-65535) for return traffic.

Why this answer

Option B is correct because NACLs are stateless and must allow both inbound and outbound traffic for the ephemeral ports used by the NAT gateway. If the inbound rule for ephemeral ports is missing, return traffic is blocked. Option D is wrong because the route table is correct.

Option C is wrong because the NAT gateway can handle multiple connections. Option A is wrong because the problem is inbound return traffic, not outbound.

1129
MCQ · medium

Refer to the exhibit. A network engineer is creating an IAM policy to allow a user to manage VPC Peering connections. The user reports that they cannot delete a VPC Peering connection. What should the engineer add to the policy?

A. ec2:DeleteVpcPeeringConnection
B. ec2:DescribeVpcPeeringConnectionRouteTables
C. ec2:ModifyVpcPeeringConnectionOptions
D. ec2:RejectVpcPeeringConnection
Answer: A

This action allows deleting peering connections.

Why this answer

The correct answer is A because the policy does not include 'ec2:DeleteVpcPeeringConnection'. Option C is wrong because 'ec2:ModifyVpcPeeringConnectionOptions' is for modifying options. Option B is wrong because 'ec2:DescribeVpcPeeringConnectionRouteTables' is not a valid action.

Option D is wrong because 'ec2:RejectVpcPeeringConnection' is for rejection, not deletion.

1130
MCQ · hard

A company uses AWS Direct Connect with a public VIF to access Amazon S3. They notice that traffic to S3 is taking a suboptimal path (going through the internet) instead of the Direct Connect connection. The VPC has a route table with a route for S3 prefix list via the virtual private gateway. What is the most likely cause?

A. The VPC does not have a VPC endpoint for S3
B. The public VIF is not associated with the correct Direct Connect gateway
C. The on-premises router is not advertising the S3 prefix list via BGP over the public VIF
D. The route table in the VPC does not have a route to the S3 prefix list via the virtual private gateway
Answer: C

S3 prefix must be advertised to route traffic over Direct Connect.

Why this answer

Option C is correct because Direct Connect public VIF routes are learned via BGP, and if the on-premises router does not advertise the S3 prefix, traffic may go over the internet. Option B is wrong because a private VIF is for VPC access, not public services. Option A is wrong because VPC endpoints are for private connectivity, but the issue is with the Direct Connect public VIF.

Option D is wrong because the route table has a route for the prefix list.

1131
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network uses BGP to advertise a specific prefix (10.0.0.0/16) to the VPC. Recently, the company deployed a new VPC with CIDR 10.0.0.0/16 in a different region and established a VPC peering connection between the two VPCs. Now, traffic from on-premises to the new VPC is being routed to the old VPC instead. How should the company resolve this issue?

A. Delete the VPC peering connection and use a VPN instead.
B. Update the on-premises router to advertise a more specific prefix for the new VPC over Direct Connect, such as 10.0.1.0/24, and ensure the new VPC's route table has a route to the on-premises network.
C. Configure the VPC peering connection to propagate routes to the Direct Connect virtual interface.
D. Disable route propagation on the VPC route tables and add static routes.
Answer: B

A more specific BGP advertisement will take precedence, directing traffic to the correct VPC.

Why this answer

Option B is correct because the BGP advertisement of 10.0.0.0/16 over Direct Connect is more specific and takes precedence over the VPC peering route. By advertising a more specific prefix (e.g., 10.0.1.0/24) for the new VPC over Direct Connect or adjusting the route propagation, traffic can be directed correctly. Option A is wrong because deleting the peering connection would break connectivity between VPCs.

Option C is wrong because VPC peering does not support transitive routing. Option D is wrong because disabling route propagation would remove all propagated routes, including the correct ones.

1132
MCQ · easy

A company wants to allow its employees to securely access internal web applications hosted in a VPC without using a VPN. The solution must authenticate users against the company's Active Directory and apply fine-grained access controls. Which AWS service should be used?

A. AWS Single Sign-On (SSO)
B. AWS Verified Access
C. AWS Client VPN
D. Application Load Balancer with OIDC authentication
Answer: B

Provides secure access without VPN, integrates with AD.

Why this answer

Option B is correct because AWS Verified Access provides secure access to corporate applications without a VPN, integrating with identity providers such as Active Directory. Option C is wrong because AWS Client VPN requires VPN client software. Option A is wrong because AWS SSO is for federating access to AWS accounts, not applications.

Option D is wrong because ALB with OIDC is possible but requires public exposure or a VPN; Verified Access is purpose-built.

1133
Multi-Select · hard

A company is using AWS Direct Connect to connect its on-premises network to a VPC via a private virtual interface (VIF) attached to a virtual private gateway (VGW). The company wants to add redundant connectivity using a second Direct Connect connection from a different provider. The network team proposes using a Direct Connect gateway (DXGW) with two private VIFs from different connections, each attached to the DXGW. The DXGW will be associated with the VGW. Which THREE steps are required to complete this configuration? (Choose three.)

Select 3 answers
A. Add routes to the VPC subnets' route tables pointing to the Direct Connect gateway.
B. Associate both private virtual interfaces with the same Direct Connect gateway.
C. Associate the Direct Connect gateway with the virtual private gateway.
D. Advertise the on-premises prefixes over both BGP sessions to enable active-active or failover.
E. Create a separate virtual private gateway for each Direct Connect connection.
Answers: B, C, D

Both VIFs connect to the same DXGW for redundancy.

Why this answer

Option B is correct because both VIFs must be associated with the same DXGW. Option C is correct because the DXGW must be associated with the VGW. Option D is correct because the on-premises router must advertise the same BGP prefixes over both VIFs to enable active-active or failover.

Option E is incorrect because VGWs are regional, not per-AZ. Option A is incorrect because the VPC route tables must have routes pointing to the VGW, not to the DXGW directly.

1134
MCQ · hard

A company has a VPC with multiple security groups. An EC2 instance in security group A needs to communicate with an RDS instance in security group B on port 3306. The security team wants to minimize exposure. What should the inbound rule in security group B be?

A. Allow inbound TCP 3306 from the CIDR block of the subnet where the EC2 instance resides
B. Allow inbound TCP 3306 from 0.0.0.0/0
C. Allow inbound TCP 3306 from the private IP address of the EC2 instance
D. Allow inbound TCP 3306 from security group A
Answer: D

Precise and secure.

Why this answer

Option D is correct because referencing security group A as the source allows traffic from any instance associated with security group A, which is the most specific and secure. Option B is wrong because it allows traffic from any source (0.0.0.0/0). Option A is wrong because it allows traffic from the entire subnet.

Option C is wrong because it allows traffic from the instance's IP, but if the instance is replaced, the IP may change.

1135
MCQ · easy

A company wants to provide internet access to instances in a private subnet while ensuring that traffic is logged and inspected. The solution must be highly available within a single AWS Region. Which approach should the company use?

A. Deploy a NAT Gateway in each Availability Zone and configure the private subnet route tables to point to the NAT Gateway in the same AZ. Use a Gateway Load Balancer endpoint for traffic inspection.
B. Launch a NAT instance in a public subnet and configure it as the default route for the private subnet.
C. Create a VPC endpoint for the internet and attach it to the private subnet.
D. Attach an Internet Gateway to the VPC and add a default route to it in the private subnet's route table.
Answer: A

NAT Gateways are highly available per AZ, and using one per AZ ensures availability. Gateway Load Balancer can inspect traffic.

Why this answer

Option A is correct because a NAT Gateway in each AZ is managed by AWS, provides high availability, and can be combined with a Gateway Load Balancer and third-party appliances for inspection and logging. Option B is wrong because a single NAT instance is not highly available. Option D is wrong because an Internet Gateway allows inbound traffic.

Option C is wrong because VPC endpoints are for private connectivity to AWS services, not internet access.

1136
Multi-Select · hard

A company is setting up AWS Transit Gateway with multiple VPC attachments and an AWS Direct Connect Gateway. The company wants to control which VPCs can communicate with each other and with the on-premises network. Which THREE actions should the company take to implement this?

Select 2 answers
A. Associate the Direct Connect Gateway with the Transit Gateway.
B. Establish VPC peering connections between VPCs that need to communicate.
C. Use security groups to control traffic between VPCs.
D. Configure Transit Gateway peering attachments for inter-region connectivity.
E. Create separate Transit Gateway route tables for different groups of VPCs.
Answers: A, E

This enables on-premises connectivity through the transit gateway.

Why this answer

Option E is correct because Transit Gateway route tables define how traffic is routed between attachments. Option A is correct because the Direct Connect Gateway can be associated with the transit gateway to enable on-premises connectivity. Option D concerns transit gateway peering attachments, which are used for inter-region connectivity, not intra-region.

Option B is wrong because VPC peering is not needed with Transit Gateway. Option C is wrong because security groups are not used to control traffic between VPCs in Transit Gateway.

1137
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 10.0.0.0/8. The company wants to use AWS Site-to-Site VPN. What configuration change is required to avoid routing conflicts?

A. Create a more specific route in the VPC route table for the on-premises CIDR.
B. Enable route propagation on the VPC route tables.
C. Use a VPN connection with static routes instead of BGP.
D. Change the VPC CIDR to a non-overlapping range, such as 172.16.0.0/16.
Answer: D

Eliminates the overlap.

Why this answer

The VPC CIDR 10.0.0.0/16 is a subset of the on-premises CIDR 10.0.0.0/8. AWS Site-to-Site VPN cannot route traffic correctly when the VPC and on-premises networks have overlapping IP ranges because the VPN connection relies on distinct destination prefixes. The only way to eliminate the conflict is to change the VPC CIDR to a non-overlapping range, such as 172.16.0.0/16, ensuring no IP address overlap between the two networks.

Exam trap

The trap here is that candidates think they can override the conflict with a more specific route or by switching to static routes, but they overlook that the VPC's local route is always more specific than any VPN route for overlapping prefixes, making the conflict unresolvable without changing the VPC CIDR.

How to eliminate wrong answers

Option A is wrong because creating a more specific route (e.g., 10.0.0.0/16) in the VPC route table for the on-premises CIDR would still result in overlapping IP space; the VPC itself uses 10.0.0.0/16, so traffic destined for the on-premises 10.0.0.0/8 would be ambiguous and could be routed locally instead of over the VPN. Option B is wrong because enabling route propagation on VPC route tables only imports routes from the VPN connection (via BGP or static), but it does not resolve the fundamental IP overlap; the VPC and on-premises networks still share the same address space, causing routing conflicts. Option C is wrong because using static routes instead of BGP does not address the overlapping CIDR issue; whether routes are learned dynamically or statically, the VPC and on-premises networks cannot have overlapping IP ranges for the VPN to function correctly.

1138
Multi-Select · medium

A company is designing a network security architecture for a multi-tier application. The web tier must be accessible from the internet, but the application and database tiers must not. Which TWO design choices meet these requirements? (Choose two.)

Select 2 answers
A. Use a VPC Gateway Endpoint for the web tier to access the internet.
B. Use a NAT gateway in a public subnet to provide internet access to the app and database tiers for updates.
C. Use a security group on the web tier to allow HTTP/HTTPS from 0.0.0.0/0, and security groups on the app and database tiers that only allow traffic from the web tier security group.
D. Place all tiers in a public subnet with a security group that restricts access to the app and database tiers.
E. Place the web tier in a public subnet with an internet gateway in the route table, and the app and database tiers in private subnets.
Answers: C, E

Security groups provide granular control; web tier allows internet, app and database only accept traffic from web.

Why this answer

Options C and E are correct because public subnets for the web tier with a security group that allows HTTP/HTTPS from the internet, and private subnets for the app and database tiers with no internet gateway route, ensure the required access. Option D is wrong because a single public subnet for all tiers exposes the app and database tiers. Option B is wrong because a NAT gateway is for outbound traffic, not inbound.

Option A is wrong because a VPC gateway endpoint does not provide internet access to the web tier.

1139
MCQ · medium

A company is designing a network for a critical application that requires low latency and high throughput between EC2 instances in the same AWS Region. Which network design should the company use?

A. Launch the instances in a Cluster Placement Group.
B. Launch the instances in a Spread Placement Group.
C. Launch the instances as larger instance types with enhanced networking.
D. Launch the instances in different Availability Zones.
Answer: A

Cluster Placement Groups provide low-latency, high-throughput networking.

Why this answer

A Cluster Placement Group is the correct choice because it provides the lowest possible latency and highest throughput between EC2 instances by placing them in a single Availability Zone with non-blocking, high-bandwidth networking. This design is ideal for tightly coupled, high-performance computing (HPC) or latency-sensitive applications that require consistent, low-latency communication within the same AWS Region.

Exam trap

The trap here is that candidates often confuse 'enhanced networking' (Option C) as a standalone solution for low latency, overlooking that placement group optimization is required to achieve the lowest possible latency and highest throughput, even with enhanced networking enabled.

How to eliminate wrong answers

Option B is wrong because a Spread Placement Group spreads instances across distinct hardware racks or Availability Zones to maximize fault tolerance, which increases network latency and reduces throughput due to physical separation, making it unsuitable for low-latency, high-throughput requirements. Option C is wrong because while larger instance types with enhanced networking (e.g., ENA, SR-IOV) improve network performance, they do not guarantee the same low-latency, non-blocking connectivity as a Cluster Placement Group, which also leverages these features but adds the critical placement optimization. Option D is wrong because launching instances in different Availability Zones introduces cross-AZ network latency and bandwidth constraints (e.g., inter-AZ data transfer costs and higher jitter), which directly contradicts the need for low latency and high throughput.

1140
MCQ · medium

A company has multiple VPCs in the same AWS region that need to communicate with each other and with an on-premises data center. The company currently uses VPC peering connections between each VPC pair, which has become difficult to manage as the number of VPCs grows. The company wants to simplify the network architecture and implement a hub-and-spoke model using AWS Transit Gateway. The on-premises data center is connected to AWS via a Direct Connect connection with a private VIF. The company has already created a Transit Gateway and attached all VPCs to it. They have also created a Direct Connect gateway and associated it with the Transit Gateway. The on-premises router is advertising the on-premises CIDR (10.0.0.0/8) over BGP. However, after the migration, the VPCs cannot communicate with each other, and the on-premises network cannot reach the VPCs. The VPC route tables have been updated to route all traffic to the Transit Gateway. The Transit Gateway route table has propagation enabled for all VPC attachments and the Direct Connect gateway attachment. What is the most likely missing configuration?

A. The Direct Connect gateway is not associated with the Transit Gateway.
B. The Transit Gateway route table does not have propagation enabled for the VPC attachments.
C. The VPC route tables do not have routes for the other VPCs' CIDRs and the on-premises CIDR pointing to the Transit Gateway.
D. The on-premises router is not advertising the on-premises CIDR over BGP.
Answer: C

Without explicit routes in each VPC's route table for the other VPCs and on-premises CIDRs, traffic will not be forwarded to the Transit Gateway.

Why this answer

Even though the Transit Gateway route table has propagation enabled, the VPCs might not have routes that point to the Transit Gateway for the other VPCs' CIDRs and the on-premises CIDR. The VPC route tables need explicit routes for the other VPCs' CIDRs (e.g., 10.2.0.0/16) pointing to the Transit Gateway. Alternatively, the Transit Gateway route table might not have routes for the on-premises CIDR because the Direct Connect gateway propagation might not be working if the on-premises prefixes are not being advertised correctly.

The most common issue is that the VPC route tables do not have routes for the other VPCs' CIDRs. Option C is correct. Option B is incorrect because the Transit Gateway route table has propagation enabled.

Option A is incorrect because the Direct Connect gateway association is in place. Option D is incorrect because the on-premises router is advertising the CIDR.

1141
MCQ · easy

A network engineer is setting up an AWS Site-to-Site VPN connection. The customer gateway device is behind a NAT device that performs PAT. The VPN tunnel fails to come up. What is the most likely cause?

A. The tunnel options (DPD, encryption algorithms) must match exactly.
B. Dead peer detection (DPD) is disabled.
C. The VPN connection does not have route propagation enabled.
D. The NAT device is not forwarding UDP 500 and UDP 4500 traffic.
Answer: D

IPsec requires these ports for IKE and NAT traversal.

Why this answer

Option D is correct because IPsec requires UDP ports 500 and 4500, which must be forwarded through NAT. Option C is incorrect because route propagation does not affect tunnel establishment. Option A is incorrect because tunnel options are not required to be identical.

Option B is incorrect because dead peer detection does not prevent tunnel establishment.

1142
Multi-Select · easy

A security team needs to block outbound traffic from an EC2 instance to known malicious IP addresses while allowing all other outbound traffic. Which THREE steps should be taken? (Choose three.)

Select 3 answers
A. Configure network ACLs to deny outbound traffic to the malicious IPs.
B. Update the VPC route table to send traffic for the malicious IPs to a network firewall appliance.
C. Deploy AWS Network Firewall in the VPC to perform stateful inspection.
D. Create a firewall rule in AWS Network Firewall that denies traffic to the malicious IPs.
E. Modify the security group for the EC2 instance to deny outbound traffic to the malicious IPs.
Answers: B, C, D

Correct: Route traffic to firewall for inspection.

Why this answer

Option B is correct because the VPC route table directs traffic; the malicious IPs must be routed to a network firewall appliance. Option C is correct because a network firewall (such as AWS Network Firewall) can inspect and block traffic to specific IPs. Option D is correct because the firewall rule should explicitly deny traffic to the malicious IPs.

Option E is wrong because security groups are stateful and can only allow/deny inbound/outbound traffic based on source/destination, not specific IPs in a scalable way; they are not designed for blocklists. Option A is wrong because NACLs are stateless and do not support stateful inspection or application-layer filtering.

1143
MCQ · medium

A company wants to restrict access to an S3 bucket so that only requests originating from a specific AWS account can read objects. Which bucket policy condition should be used?

A. aws:Referer
B. aws:PrincipalAccount
C. aws:SourceAccount
D. aws:SourceArn
Answer: C

This condition key is used to restrict access based on the account that owns the resource making the request.

Why this answer

Option C is correct because aws:SourceAccount is the condition key for specifying the source account. Option D is wrong because aws:SourceArn is for services like SNS. Option B is wrong because aws:PrincipalAccount is not a valid condition key.

Option A is wrong because aws:Referer is for the HTTP referer header.

1144
MCQ · medium

A company has a Direct Connect connection with a private VIF to a VPC. The network team notices intermittent packet loss on the link. CloudWatch metrics show no errors on the connection. What should the team do next to isolate the issue?

A. Run a traceroute from an on-premises device to an EC2 instance in the VPC.
B. Check the BGP session status on the customer router.
C. Enable VPC Flow Logs on the VPC.
D. Increase the bandwidth of the Direct Connect connection.
Answer: A

Traceroute helps pinpoint where packet loss occurs along the path.

Why this answer

Option A is correct because running traceroute from an on-premises device to an instance in the VPC helps identify where packets are being dropped. Option D is wrong because increasing bandwidth does not fix packet loss. Option B is wrong because BGP status shows routing adjacency but not packet loss.

Option C is wrong because VPC Flow Logs show traffic metadata but not packet loss on the Direct Connect link.

1145
MCQ · medium

A company has an AWS Site-to-Site VPN connection between an on-premises network and a VPC. The VPN uses virtual private gateways and static routes. The network team reports that the VPN tunnel is up, but traffic from the on-premises network cannot reach some EC2 instances in the VPC. The EC2 instances have security groups that allow inbound traffic from the on-premises network. The VPC route table has a route pointing to the virtual private gateway for the on-premises CIDR. The tunnel status shows 'UP' from both sides. What is the MOST likely cause of the connectivity issue?

A. The VPC route table does not have a route for the on-premises subnet that the traffic originates from, but only for a larger CIDR.
B. The VPC has a network ACL that denies inbound traffic from the on-premises CIDR.
C. The customer gateway device is using a different pre-shared key than configured in AWS.
D. The virtual private gateway is not attached to the correct VPC.
Answer: A

If the route is for a different CIDR, traffic may not be routed correctly.

Why this answer

The security group may be allowing traffic from the on-premises CIDR but not from the tunnel endpoint IP. However, the more common issue is that the on-premises network's source IP is being translated or the VPC route table is missing a route for the specific subnet. Option A is a typical cause: if the on-premises CIDR is not exactly matched, the VPC may not route traffic back.

Option C could cause issues if the VPN is not in the main route table. Option D would cause tunnel issues.

1146
Multi-Select · medium

A company is designing a Direct Connect solution for high availability. Which of the following are best practices? (Select THREE.)

Select 3 answers
A. Use the same Direct Connect provider for both connections to simplify management.
B. Provision two Direct Connect connections at different locations.
C. Configure Bidirectional Forwarding Detection (BFD) on the virtual interfaces.
D. Use a single Direct Connect connection with multiple virtual interfaces.
E. Use separate BGP sessions for each connection with different AS numbers if needed.
Answers: B, C, E

Diverse locations provide physical redundancy.

Why this answer

Provisioning two Direct Connect connections at different locations ensures physical diversity, which is a fundamental requirement for high availability. If one data center or fiber path fails, the other connection can continue to carry traffic, preventing a single point of failure. This aligns with the AWS Well-Architected Framework's recommendation for redundant network paths.

Exam trap

The trap here is that candidates often confuse logical redundancy (multiple virtual interfaces on one connection) with physical redundancy (multiple connections at different locations), leading them to select Option D as a valid high-availability solution.

1147
MCQ · medium

A company has a VPC with public and private subnets. The public subnet has a NAT Gateway, and the private subnet has EC2 instances that need internet access. The private instances can reach the internet, but cannot access an S3 bucket in the same region using the S3 gateway endpoint. What is the most likely cause?

A. The S3 gateway endpoint is not in the same VPC.
B. The S3 bucket policy does not allow access from the VPC.
C. The NAT Gateway is in a different availability zone than the private instances.
D. The private subnet's route table does not have a route to the S3 gateway endpoint.
Answer: D

Without a route to the endpoint, traffic to S3 goes through the NAT Gateway or is dropped.

Why this answer

For private instances to use a gateway endpoint, the route table for the private subnet must have a route pointing to the S3 endpoint. Additionally, the endpoint's policy must allow the traffic. The NAT Gateway is not used for gateway endpoints.

1148
MCQ · hard

A company has a multi-account AWS environment using AWS Transit Gateway. The network team wants to centralize network logging from all accounts into a single account for analysis. Which combination of services should be used to achieve this?

A. AWS CloudTrail and Amazon CloudWatch Logs
B. Amazon Kinesis Data Streams and Amazon Redshift
C. Amazon S3 and Amazon Athena
D. AWS Config and Amazon DynamoDB
Answer: C

VPC Flow Logs can be published to a central S3 bucket, and Athena can query them.

Why this answer

Option C is correct because VPC Flow Logs can be published to a central S3 bucket using cross-account permissions, and Amazon Athena can then analyze the logs. Option A is wrong because a CloudWatch Logs cross-account subscription is possible but not as straightforward for central analysis. Option B is wrong because Amazon Kinesis can stream data but requires additional setup.

Option D is wrong because AWS Config records configuration changes, not network traffic.

1149
MCQ · medium

Refer to the exhibit. An EC2 instance in the PrivateSubnet is unable to download patches from the internet. What is the most likely cause?

A. The private subnet is not associated with any route table.
B. The NAT gateway does not support IPv6 traffic.
C. The private subnet does not have MapPublicIpOnLaunch set to true.
D. The PrivateRoute resource references the NAT gateway before it is created.
Answer: D

Missing DependsOn causes a dependency issue.

Why this answer

Option D is correct. The PrivateRoute uses a NatGatewayId, but the NAT gateway is defined after the route in the template, and the route has no DependsOn to ensure the NAT gateway is created first. This can cause a dependency error or the route to reference a non-existent resource.

Option C is wrong because the private subnet does not need MapPublicIpOnLaunch. Option B is wrong because NAT gateways do not support IPv6, but the question is about internet access (IPv4). Option A is wrong because the route table is associated with the private subnet.

1150
MCQeasy

A startup wants to design a cost-effective network for a new application. They expect low traffic initially but need to handle sudden spikes. They plan to use Amazon EC2 instances behind an Application Load Balancer (ALB) in a single VPC. The application must be highly available within the region. The network engineer has proposed using two public subnets in two Availability Zones for the ALB, and two private subnets for the EC2 instances. The EC2 instances need to access the internet for updates. What is the MOST cost-effective and highly available design?

A.Use a single NAT instance in one public subnet
B.Use a NAT gateway in each public subnet (one per AZ)
C.Use a NAT instance in each public subnet (one per AZ)
D.Use a single NAT gateway in one public subnet
AnswerB

Highly available and managed.

Why this answer

Option B is correct. A NAT gateway in each AZ keeps each AZ's egress path independent, avoids cross-AZ data transfer charges for the private subnets, and is a managed service with no patching or failover scripting. Option A is wrong because a single NAT instance is a single point of failure and must be operated by the team.

Option D is wrong because a single NAT gateway leaves every private subnet dependent on one AZ. Option C is wrong because NAT instances in each AZ are highly available only if you build the health checks and failover yourself, which is more management than NAT gateways.

1151
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is behind a NAT gateway in the public subnet. The security team wants to allow only outbound HTTPS traffic from the instance. Which configuration should be used?

A.Security group on the instance with outbound rule allowing HTTPS
B.VPC gateway endpoint for S3
C.Network ACL on the private subnet with outbound rule allowing HTTPS and inbound rule allowing return traffic
D.Security group on the NAT gateway with outbound rule allowing HTTPS
AnswerC

NACLs are stateless and require explicit inbound rules for return traffic.

Why this answer

A network ACL on the private subnet is stateless, so outbound-only HTTPS takes two rules: an outbound rule allowing TCP 443 to 0.0.0.0/0, and an inbound rule allowing TCP from 0.0.0.0/0 on the ephemeral port range (1024-65535) so that the web servers' replies reach the instance. Option A would also restrict the instance to outbound HTTPS, since a security group is stateful and needs only the outbound 443 rule with return traffic allowed automatically; the key prefers the NACL because the question is testing stateless, subnet-level filtering and the explicit return-traffic rule it requires.

Option D is wrong because a NAT gateway has no security group; filtering has to happen on the instance or on the subnet.

Option B is wrong because a gateway endpoint only carries traffic to Amazon S3, not to the internet.

1152
MCQmedium

A company is designing a VPC with private subnets for databases and public subnets for web servers. They need to allow the web servers to make outbound internet requests for software updates but prevent inbound traffic from the internet. Which configuration should they use?

A.Deploy a NAT Gateway in a public subnet and add a route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway.
B.Deploy a NAT Gateway in the private subnet and route the private subnet traffic through it.
C.Attach an Internet Gateway to the VPC and route the private subnet traffic through it.
D.Deploy a proxy server in the private subnet and configure the web servers to use it.
AnswerA

This allows outbound internet traffic from the private subnet while blocking inbound unsolicited traffic.

Why this answer

Option A is correct because a NAT Gateway in a public subnet, with the private subnet's 0.0.0.0/0 route pointing at it, lets instances initiate outbound connections while unsolicited inbound connections from the internet have no path to them. Option C is wrong because routing a private subnet's default route to the Internet Gateway turns it into a public subnet, and any instance with a public IP becomes reachable from the internet. Option B is wrong because a NAT Gateway in a private subnet has no route to the Internet Gateway itself and cannot forward traffic to the internet.

Option D is wrong because a proxy in the private subnet has the same problem as option B, it still needs its own path to the internet, and it adds a server to operate.

1153
Multi-Selectmedium

A company wants to monitor and log all network traffic within a VPC for security analysis. Which THREE services can be used to achieve this?

Select 3 answers
A.VPC Flow Logs
B.Amazon CloudWatch
C.AWS Network Firewall
D.AWS Traffic Mirroring
E.Amazon S3
AnswersA, C, D

VPC Flow Logs capture metadata about IP traffic.

Why this answer

VPC Flow Logs capture IP traffic metadata (addresses, ports, protocol, bytes, accept or reject) for a network interface, subnet, or the whole VPC. AWS Network Firewall performs stateful inspection and can emit flow and alert logs. Traffic Mirroring copies the actual packets from an ENI to a monitoring appliance for deep analysis.

Option B is wrong because CloudWatch stores metrics and logs delivered to it; it does not capture traffic itself. Option E is wrong because S3 is only a storage destination for logs produced by other services.

1154
MCQhard

A network engineer has created a VPC endpoint for a VPC endpoint service. The endpoint is 'available' but the application cannot connect to the service using the private DNS name. The engineer checks the Route 53 private hosted zone and finds that no record exists for the endpoint. What is the most likely cause?

A.The VPC endpoint service is not accepting connections
B.The VPC endpoint policy is blocking connectivity
C.The security group for the endpoint does not allow inbound traffic
D.The 'PrivateDnsEnabled' flag is set to false on the VPC endpoint
AnswerD

If private DNS is not enabled, Route 53 does not automatically create records for the endpoint.

Why this answer

An interface endpoint answers for the service's private DNS name only when private DNS is enabled on the endpoint; AWS then creates and manages a Route 53 private hosted zone with records pointing at the endpoint's network interfaces. With PrivateDnsEnabled set to false no record is created, the private DNS name does not resolve to the endpoint, and that is exactly what the engineer observed. Option D is correct. For an endpoint backed by a VPC endpoint service, the service owner must also have configured and verified a private DNS name before the consumer can enable it on the endpoint.

Options A, B, and C would produce failures after the name resolves: an endpoint whose connection was not accepted would not show as 'available', a restrictive endpoint policy returns authorization errors, and a security group blocks the TCP connection. None of them explains a missing DNS record.

1155
MCQmedium

A company is deploying a multi-tier web application on AWS. The application consists of an Application Load Balancer (ALB), a fleet of EC2 instances in an Auto Scaling group across three Availability Zones, and an Amazon RDS for MySQL database. The ALB has a target group that routes traffic to the EC2 instances on TCP port 8080. The security group for the EC2 instances allows inbound traffic from the ALB's security group on port 8080. Users report intermittent connectivity issues to the application. A network engineer reviews the VPC Flow Logs and notices that traffic from the ALB to the EC2 instances is being recorded as 'REJECT' for some requests. What is the most likely cause of this issue?

A.The network ACL associated with the EC2 instances' subnet does not have an outbound rule to allow traffic from the EC2 instances to the ALB on ephemeral ports.
B.The ALB's security group is blocking inbound traffic from the EC2 instances on the response path.
C.The ALB's target group health check is misconfigured, causing the ALB to mark instances as unhealthy and stop sending traffic.
D.The security group on the EC2 instances is stateful and automatically allows return traffic; the issue cannot be security group related.
AnswerA

The network ACL is stateless and must allow return traffic. Missing outbound rules cause REJECT.

Why this answer

Option A is correct because the network ACL is stateless and needs an explicit rule in each direction: inbound TCP 8080 from the ALB subnets, and outbound TCP on the ephemeral port range (1024-65535) back to the ALB nodes, which use a random high source port for each connection. If the outbound rule is missing, the instance's SYN-ACK is dropped at the subnet boundary and logged as REJECT, and the ALB sees timeouts for those connections. Option C is incorrect because health checks traverse the same security group and NACL rules; a misconfigured health check would mark targets unhealthy rather than produce REJECT records for forwarded requests.

Option B is incorrect because the ALB's security group is stateful: responses to connections the ALB initiated are allowed automatically regardless of its inbound rules. Option D is incorrect because the stateful behaviour of security groups does not override the stateless NACL; both must permit the traffic.

1156
Multi-Selectmedium

A company is troubleshooting a slow network connection between two EC2 instances in the same VPC but different Availability Zones. Which TWO tools can be used to measure throughput and diagnose performance issues?

Select 2 answers
A.iperf
B.tcpdump
C.traceroute
D.nslookup
E.ping
AnswersA, C

iperf measures network throughput.

Why this answer

Options A and C are correct. iperf measures achievable TCP or UDP throughput between two endpoints, and traceroute shows the path and per-hop latency. Option D is wrong because nslookup only queries DNS. Option B is wrong because tcpdump captures packets for inspection but does not measure throughput.

Option E is wrong because ping measures round-trip latency and loss, not throughput.

1157
MCQeasy

A network engineer is setting up a Direct Connect connection from an on-premises data center to AWS. The connection uses a private VIF to connect to a VPC via a Direct Connect gateway. The on-premises network is advertising a BGP prefix 10.0.0.0/16, which overlaps with the VPC CIDR 10.0.0.0/16. What is the expected behavior?

A.The VPC will automatically reassign a new CIDR to avoid the conflict.
B.The BGP session will fail to establish due to the prefix conflict.
C.The BGP session will be established, but the overlapping prefix will be ignored and not programmed into the VPC route tables.
D.The on-premises prefix will take precedence and override the VPC route.
AnswerC

AWS does not allow overlapping prefixes to be injected into VPC route tables to prevent routing conflicts.

Why this answer

Option C is correct because the BGP session establishes normally, but a prefix that overlaps the VPC CIDR is not installed in the VPC route table: the local route for the VPC CIDR always takes priority over a propagated route for the same range, so the overlapping prefix is ignored. Options A, B, and D describe behaviours that do not occur: a VPC CIDR is never changed automatically, a BGP session does not fail because of a prefix, and an on-premises route cannot override the local route.

1158
MCQhard

A company uses AWS Shield Advanced for DDoS protection. During an attack, the security team notices that legitimate traffic is being throttled. They want to allow certain known IP addresses to bypass Shield Advanced rate-based rules. What should they do?

A.Disable rate-based rules during the attack
B.Use Shield Advanced automatic application layer DDoS mitigation
C.Create an AWS WAF rule with an IP set that allows the known IPs, and place it before the rate-based rule
D.Create an allow list in AWS Shield Advanced to exempt the IPs from all protections
AnswerC

This allows legitimate IPs to bypass rate-based restrictions.

Why this answer

Option C is correct because AWS WAF evaluates rules in priority order and an Allow action stops evaluation, so a rule that matches an IP set of the known addresses and has a lower priority number (evaluated first) than the rate-based rule exempts those addresses from the rate limit. Alternatively, the rate-based rule's scope-down statement can exclude the same IP set. Option A is wrong because disabling rate-based rules removes protection for all traffic during the attack. Option B is wrong because automatic application layer DDoS mitigation creates its own WAF rules in response to an attack; it does not exempt chosen addresses.

Option D is wrong because Shield Advanced has no per-IP allow list of its own; application layer customisation is done through the associated AWS WAF web ACL.

1159
MCQmedium

A company is implementing a hybrid network using AWS Direct Connect. They have a virtual private gateway (VGW) attached to their VPC and a Direct Connect gateway (DXGW) with a private virtual interface (VIF) to their on-premises router. They have established a BGP session between the on-premises router and the VGW. The on-premises network can reach EC2 instances in the VPC, but the VPC instances cannot reach on-premises resources. What is the most likely cause?

A.The virtual private gateway is not attached to the VPC
B.The VPC has a VPC endpoint for S3 that is causing a routing conflict
C.The VPC route tables lack a route for the on-premises CIDR pointing to the virtual private gateway
D.The BGP session is not advertising the on-premises CIDR to the VGW
AnswerC

Without a route, VPC instances do not know to send traffic to the VGW for on-premises destinations.

Why this answer

Option C is correct because the VPC route table must contain a route for the on-premises CIDR whose target is the virtual private gateway; the simplest fix is to enable route propagation from the VGW on the route table so that BGP-learned prefixes are installed automatically. Option A is wrong because the VGW is attached (the on-premises side can already reach the instances). Option D is wrong because the BGP session is established and the failing direction is return traffic from the VPC, which points at the VPC side.

Option B is wrong because a gateway endpoint for S3 only adds a prefix-list route for S3 and does not affect routes to on-premises.

1160
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the public subnet is configured as a NAT instance. The company wants to replace the NAT instance with a NAT gateway for better availability and maintenance. After creating a NAT gateway in the public subnet and updating the route table of the private subnet, traffic from the private subnet cannot reach the internet. What is the MOST likely cause?

A.The public subnet's route table still points to the NAT instance for internet traffic.
B.The security group attached to the NAT gateway is blocking outbound traffic.
C.The private subnet's route table has a route for 0.0.0.0/0 pointing to the NAT instance instead of the NAT gateway.
D.The NAT gateway does not have an Elastic IP address associated with it.
AnswerD

A NAT gateway requires an Elastic IP for outbound traffic.

Why this answer

A public NAT gateway needs an Elastic IP to translate outbound traffic, so without one the private subnet's traffic has nowhere to go. Option A is wrong because the public subnet's route table should point at the Internet Gateway, and a stale NAT instance route there does not affect the private subnet. Option C is wrong because the question states that the private subnet's route table was already updated to the NAT gateway.

Option B is wrong because a NAT gateway has no security group; only the NACL on its subnet and the security groups on the instances apply.

1161
Multi-Selecthard

A company is migrating a legacy application to AWS. The application uses multicast for service discovery. Which THREE AWS services or features can be used to support multicast traffic within a VPC?

Select 3 answers
A.AWS Direct Connect with multicast
B.AWS Transit Gateway with multicast domain
C.VPC multicast groups using network interfaces
D.Internet Gateway (IGW)
E.VPC Peering
AnswersA, B, C

Direct Connect can extend on-premises multicast to AWS.

Why this answer

Options A, B, and C are correct. AWS Transit Gateway multicast domains are the supported multicast mechanism in AWS; VPC network interfaces are registered with the domain as group members or sources (option C), since the VPC data plane itself has no standalone multicast. The key also counts extending on-premises multicast sources into AWS over Direct Connect (option A).

Option D is incorrect because an Internet Gateway does not forward multicast. Option E is incorrect because VPC Peering does not carry multicast traffic.

1162
Multi-Selectmedium

A company is designing a highly available Direct Connect connection. Which THREE components should be deployed to meet this requirement? (Select THREE.)

Select 3 answers
A.A single BGP session over one of the virtual interfaces.
B.Two Direct Connect connections to two different AWS Direct Connect locations.
C.A VPN connection as a backup to Direct Connect.
D.Two customer routers (or one router with two physical interfaces) connecting to the two Direct Connect connections.
E.Two virtual interfaces (VIFs) configured on the Direct Connect connections.
AnswersB, D, E

Provides physical diversity.

Why this answer

For high availability you need at least two Direct Connect connections, ideally terminated at two different Direct Connect locations for physical diversity, two customer routers (or one router with two physical interfaces) so that a device or port failure does not take down both links, and a virtual interface with its own BGP session on each connection. With both BGP sessions up, failover is automatic when one path withdraws its routes. Option A defeats the purpose (one session is one point of failure), and option C is a lower-bandwidth backup rather than a component of a resilient Direct Connect design.

1163
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They also have a site-to-site VPN as a backup. The on-premises network advertises the same prefix via BGP over both connections. The company wants to prefer the Direct Connect path. What configuration achieves this?

A.Set the Multi-Exit Discriminator (MED) on the VPN advertisement to a lower value.
B.Prepend the AS path on the Direct Connect advertisement to make it longer.
C.Configure the Direct Connect BGP session with a higher local preference (e.g., 200) than the VPN BGP session.
D.Configure the VPN BGP session with a higher local preference than the Direct Connect session.
AnswerC

Higher local preference makes Direct Connect preferred.

Why this answer

Option C is correct because LOCAL_PREF is the first standard attribute compared in the BGP decision process (Cisco's vendor-specific weight comes before it), so giving the routes learned over the Direct Connect session a higher local preference (200) than the VPN session (100 is the default on most routers) makes the customer router send traffic to AWS over Direct Connect while both paths are up and fall back to the VPN when the Direct Connect routes are withdrawn. Local preference is not propagated to AWS; for the return direction AWS prefers Direct Connect over a VPN for the same prefix by default. Option B is wrong because prepending on the Direct Connect side would make it less preferred. Option A is wrong because MED is compared only after local preference and AS path, and lowering it on the VPN path would favour the VPN.

Option D is wrong because a higher local preference on the VPN session would prefer the VPN path.

1164
MCQeasy

A company wants to encrypt data in transit between an Application Load Balancer (ALB) and its backend targets. Which AWS service should be used to terminate TLS at the ALB and re-encrypt traffic to the targets?

A.AWS Certificate Manager (ACM)
B.AWS Shield
C.Application Load Balancer with HTTPS listeners
D.AWS WAF
AnswerC

ALB can terminate TLS and re-encrypt to targets.

Why this answer

An ALB with an HTTPS listener terminates TLS using a certificate and can forward to targets over HTTPS, re-encrypting the hop to the backend. Option A is wrong because AWS Certificate Manager issues and stores the certificate the listener uses but does not itself terminate or encrypt traffic. Option D is wrong because AWS WAF filters web requests.

Option B is wrong because AWS Shield is DDoS protection.

1165
MCQmedium

A security team needs to log all rejected traffic to an internet-facing Network Load Balancer (NLB) for compliance. Which configuration should they use?

A.Enable VPC Flow Logs on the NLB subnets
B.Enable AWS CloudTrail for the NLB
C.Enable access logs on an Application Load Balancer in front of the NLB
D.Enable access logs on the NLB
AnswerD

NLB access logs capture information about rejected traffic.

Why this answer

Option D is correct because NLB access logs record connection-level details for connections that reach the load balancer, including TLS negotiation failures. Note that NLB access logs are produced only for TLS listeners; for a plain TCP listener, VPC Flow Logs on the NLB's network interfaces are the available record. Option A is wrong in the key's view because Flow Logs capture accept and reject decisions at the network interface, not what the NLB itself rejects. Option B is wrong because CloudTrail logs API calls, not network traffic.

Option C is wrong because an ALB cannot be placed in front of an NLB as a target to log its traffic; they are different load balancer types.

1166
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. They have set up a VPC peering connection with another VPC (CIDR 172.16.0.0/16). The route tables are configured correctly. However, instances in the first VPC cannot communicate with instances in the peered VPC. The security groups and network ACLs are configured to allow all traffic. What is the most likely cause?

A.The DNS resolution settings for the VPC peering connection are not enabled.
B.The route tables in the VPCs are not propagated to the subnets.
C.The instances do not have ICMP traffic allowed.
D.The VPC CIDR ranges overlap.
AnswerA

When VPC peering is created, DNS resolution must be enabled to allow DNS hostnames to resolve across the peering connection.

Why this answer

Option A is correct because, if the instances address each other by DNS hostname, DNS resolution must be enabled on the peering connection for both VPCs; otherwise the peer VPC's public hostnames resolve to public IP addresses and the traffic leaves through the internet path instead of the peering connection. Option B is wrong because route tables are associated with subnets directly and are stated to be correct. Option D is wrong because 10.0.0.0/16 and 172.16.0.0/16 do not overlap (a peering connection cannot be created between overlapping CIDRs anyway).

Option C is wrong because ICMP is not required for TCP or UDP connectivity, and the security groups and NACLs already allow all traffic.

1167
MCQhard

A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region but different accounts. The engineer verifies that the route tables and security group rules are correctly configured. However, instances in VPC A cannot ping instances in VPC B. What is the most likely cause?

A.Network ACLs are not configured to allow inbound ICMP
B.The route tables in VPC A point to a VPN gateway instead of the VPC peering connection
C.Security groups are stateful and block return traffic
D.The VPC peering connection is in the 'failed' state
AnswerB

Transitive routing is not supported; routes must point directly to the peering connection.

Why this answer

Option B is correct because VPC peering is not transitive: traffic for the peer VPC must be routed directly to the peering connection, not via a VPN gateway, another VPC, or any intermediate hop. Option C is wrong because security groups are stateful and return traffic is allowed automatically. Option A is wrong because, although NACLs are stateless and could block ICMP, the question points at a routing fault and NACLs are the secondary check.

Option D is wrong because the peering connection is established; a 'failed' connection could not be the target of working routes.

1168
Multi-Selecteasy

A company has a VPC with a public subnet and a private subnet. They want to allow instances in the private subnet to download patches from the internet. Which THREE components are required? (Select THREE.)

Select 3 answers
A.AWS Direct Connect connection
B.Internet Gateway attached to the VPC
C.Elastic IP address assigned to the NAT Gateway
D.Route in the private subnet's route table pointing 0.0.0.0/0 to the NAT Gateway
E.NAT Gateway deployed in the public subnet
AnswersB, D, E

The NAT Gateway uses the Internet Gateway to reach the internet.

Why this answer

For private subnet internet access you need a NAT Gateway in a public subnet, an Internet Gateway attached to the VPC (the public subnet's default route points to it, and the NAT Gateway relies on it), and a route in the private subnet's route table sending 0.0.0.0/0 to the NAT Gateway. Option C (the Elastic IP) is allocated when the public NAT Gateway is created, so the key treats it as part of that component rather than a separate one. Option A (Direct Connect) is not required.

1169
MCQmedium

A company has a Direct Connect connection with a private VIF to a VPC. They also have a Site-to-Site VPN connection to the same VPC as a backup. The on-premises router is advertising the same prefixes over both connections. The company wants to ensure that traffic uses Direct Connect when available and fails over to VPN if Direct Connect goes down. Which configuration should be applied?

A.Set a higher MED value on the Direct Connect BGP advertisements.
B.Disable BGP on the VPN connection to force traffic to Direct Connect.
C.Prepend AS path on the BGP advertisements over the VPN connection to make the path less preferred.
D.Set a higher local preference on the VPN BGP advertisements.
AnswerC

AS path prepending makes the VPN path longer, so Direct Connect path (shorter AS path) is preferred.

Why this answer

To prefer Direct Connect over the VPN, adjust the BGP attributes of the advertisements the on-premises router sends to AWS. Prepending the customer ASN to the AS_PATH of the prefixes advertised over the VPN makes that path longer, so AWS prefers the Direct Connect path toward on-premises while it is up and falls back to the VPN when the Direct Connect routes disappear. AWS already prefers Direct Connect over a VPN for the same prefix by default, so the prepend also covers the case where the paths are later compared on AS_PATH. Option C is correct.

Option A is incorrect because a higher MED makes a path less preferred, so raising it on Direct Connect would push traffic toward the VPN. Option D is incorrect because a higher local preference on VPN routes would prefer the VPN, and local preference is a non-transitive attribute that is never sent to AWS. Option B is incorrect because disabling BGP on the VPN removes the backup.

1170
MCQeasy

A network engineer needs to troubleshoot high latency between two EC2 instances in the same VPC but in different Availability Zones. Which tool should be used to measure network performance?

A.Use traceroute to identify the path
B.Use ping to test connectivity
C.Use iperf to measure throughput and latency
D.Use netstat to check network statistics
AnswerC

iperf is designed for active network performance measurement.

Why this answer

Option C is correct because iperf actively generates traffic between a client and a server and reports throughput, jitter, and retransmissions, which is what a performance comparison across AZs needs. Option A is wrong because traceroute shows the path and per-hop latency but not achievable bandwidth. Option D is wrong because netstat reports local connections and interface counters rather than performing active measurements.

Option B is wrong because ping measures round-trip time and loss but not throughput.

1171
MCQmedium

A company is designing a VPC with multiple subnets across three Availability Zones. The application requires that all traffic between subnets within the same AZ stay within that AZ to minimize latency and data transfer costs. Which configuration achieves this?

A.Use a single route table for all subnets and add specific routes for each AZ.
B.Use an AWS Transit Gateway with separate attachments for each AZ.
C.Create a VPC peering connection between subnets in the same AZ.
D.Create a route table for each AZ and associate the subnets in that AZ with the route table. Ensure the route tables have only local routes for the VPC CIDR.
AnswerD

Local routing within the same AZ is used.

Why this answer

Option D is correct. Traffic between two subnets of the same VPC always matches the local route for the VPC CIDR, and when both subnets are in the same AZ it never leaves that AZ. Giving each AZ its own route table keeps the non-local routes AZ-specific as well (for example, each AZ's default route to its own NAT gateway), so nothing in the design sends traffic through another AZ's resources. Option A is wrong because a single shared route table cannot hold different routes for different AZs.

Option C is wrong because VPC peering connects separate VPCs, not subnets. Option B is wrong because a transit gateway routes traffic through a central attachment and adds cost rather than keeping it local.

1172
MCQmedium

A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over a Direct Connect connection. The engineer has verified that the VPC route tables, Direct Connect virtual interface, and on-premises routing are correctly configured. Which tool should be used to verify the path MTU and identify fragmentation issues?

A.Use the netstat command
B.Use the ping command with the DF flag set to test MTU
C.Use the nslookup command
D.Use the traceroute command
AnswerB

ping with 'do not fragment' flag can detect MTU issues.

Why this answer

The ping command with the Don't Fragment (DF) flag set (e.g., `ping -M do -s <size>` on Linux) is the correct tool to verify path MTU because it forces the packet not to be fragmented. If the packet size exceeds the MTU of any link along the path, the router will drop the packet and send an ICMP Fragmentation Needed message back, allowing the engineer to pinpoint the maximum supported MTU and identify fragmentation issues.

Exam trap

The trap here is that candidates often choose traceroute (option D) thinking it shows MTU along the path, but traceroute does not set the DF flag or control payload size to test fragmentation; it only measures hop latency and path, not MTU boundaries.

How to eliminate wrong answers

Option A is wrong because netstat displays network connections, routing tables, and interface statistics, but it cannot test path MTU or detect fragmentation. Option C is wrong because nslookup is a DNS resolution tool that queries name servers and has no relevance to MTU or fragmentation testing. Option D is wrong because traceroute shows the hop-by-hop path and latency but does not allow you to set the DF flag or control packet size to specifically test MTU thresholds; it can indicate path changes but not fragmentation boundaries.
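The following is an added example for question 1172; it is not from the exam page. It turns the single `ping -M do -s <size>` probe described above into the procedure a practitioner actually runs, a binary search over probe sizes that finds the largest packet that crosses the path unfragmented. Because the verifier has no network, `make_probe` builds a simulated stand-in for the ping command from a constructed list of link MTUs (9001 inside the VPC, 1500 on a Direct Connect VIF, 1500 on the on-premises LAN); replace it with a real call to ping to use the same search on a live path. The 28-byte overhead (20-byte IPv4 header plus 8-byte ICMP header) is the reason a 1500-byte path accepts at most a 1472-byte payload.

```python
"""Path-MTU discovery by binary search over don't-fragment probes.

Added example, not from the exam page. ping_df(payload) stands in for
`ping -M do -s <payload> <host>` on Linux: True when the probe would traverse
every link, False when some hop would need to fragment (the real command
reports "Frag needed and DF set" or times out). Link MTUs are constructed.
"""
IPV4_HEADER = 20
ICMP_HEADER = 8
OVERHEAD = IPV4_HEADER + ICMP_HEADER   # bytes the path adds to the ping payload


def make_probe(link_mtus):
    """Return a simulated don't-fragment probe for a path of the given link MTUs."""
    path_mtu = min(link_mtus)

    def ping_df(payload):
        return payload + OVERHEAD <= path_mtu
    return ping_df


def discover_pmtu(ping_df, lo=OVERHEAD, hi=9001):
    """Largest total packet size (payload + headers) that passes unfragmented.

    lo is the smallest packet size expected to pass (an empty payload),
    hi the largest size worth testing (jumbo frames inside a VPC).
    """
    if not ping_df(lo - OVERHEAD):
        raise RuntimeError("even the smallest probe fails; check reachability first")
    low_ok, high_bad = lo, hi + 1
    while high_bad - low_ok > 1:
        mid = (low_ok + high_bad) // 2
        if ping_df(mid - OVERHEAD):
            low_ok = mid          # mid passed: the MTU is at least mid
        else:
            high_bad = mid        # mid needed fragmentation: the MTU is below mid
    return low_ok


def ping_command(payload, host):
    """The Linux command for one probe (Windows equivalent: ping -f -l <payload>)."""
    return f"ping -M do -c 1 -s {payload} {host}"


if __name__ == "__main__":
    probe = make_probe([9001, 1500, 1500])        # constructed: VPC, DX VIF, on-prem LAN
    pmtu = discover_pmtu(probe)
    print(f"path MTU {pmtu}, largest payload {pmtu - OVERHEAD}")
    print("confirm with:", ping_command(pmtu - OVERHEAD, "10.20.30.40"))
    print("expect fragmentation error with:", ping_command(pmtu - OVERHEAD + 1, "10.20.30.40"))
```

On a live path, run the two confirming commands at the end: the first should succeed and the second should fail with a fragmentation error, which tells you whether to lower the instance MTU (for example to 1500 for a Direct Connect VIF that does not use jumbo frames) or to raise the VIF MTU to 8500.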

1173
MCQeasy

A company is deploying a web application that must be accessible over the internet from specific IP addresses only. The application runs behind an Application Load Balancer (ALB) in a VPC. Which AWS service should be used to restrict access to the ALB based on source IP addresses?

A.Security groups attached to the ALB
B.AWS WAF with IP set rules
C.Network ACLs on the ALB's subnets
D.AWS Shield Advanced
AnswerA

Security groups can be associated with an ALB to allow inbound traffic from specific CIDR blocks.

Why this answer

Option A is correct because an ALB has security groups, and an inbound rule that allows TCP 443 (and 80) only from the approved CIDR blocks drops every other source before it reaches the listener. Option C is wrong because network ACLs are stateless, subnet-wide controls that need explicit ephemeral-port return rules and are coarser than the ALB's own security group. Option B is wrong for this question because AWS WAF IP set rules do restrict by source IP at the HTTP layer, but the simpler network-layer control is the security group.

Option D is wrong because AWS Shield Advanced is DDoS protection, not access control.

1174
MCQmedium

A company is deploying a multi-tier web application in a VPC. The web tier must be accessible from the internet, while the application tier must only be accessible from the web tier. The database tier must only be accessible from the application tier. Which design best meets these requirements?

A.Place all tiers in public subnets and use security groups to control traffic between tiers.
B.Place the web tier in public subnets with an internet gateway, and the application and database tiers in private subnets. Use security groups to allow traffic from the web tier to the application tier, and from the application tier to the database tier.
C.Place all tiers in the same subnet and use network ACLs to restrict traffic between tiers.
D.Place the web tier in a private subnet and use a NAT gateway for outbound internet access. Place the application and database tiers in public subnets.
AnswerB

Correct design: public subnet with IGW for web, private subnets for app and DB, security groups restrict traffic.

Why this answer

Option B is correct because the web tier in public subnets behind an internet gateway, the application and database tiers in private subnets, and security groups that allow each tier only from the previous tier's security group is the standard layered design. Option A is wrong because placing all tiers in public subnets exposes the application and database tiers to the internet. Option C is wrong because network ACLs apply at subnet boundaries and cannot separate tiers that share one subnet.

Option D is wrong because it inverts the design: a web tier in a private subnet cannot receive internet traffic, and it exposes the application and database tiers in public subnets.

1175
MCQeasy

A company needs to connect its on-premises network to a VPC using AWS Direct Connect. The company wants to use a single Direct Connect connection to connect to multiple VPCs in the same region. Which configuration should be used?

A.Create a private VIF for each VPC
B.Use a VPN connection to extend the Direct Connect to other VPCs
C.Use a Transit Gateway to connect the Direct Connect to multiple VPCs
D.Create a Direct Connect Gateway and associate it with multiple VPCs
AnswerD

A Direct Connect Gateway can be associated with the virtual private gateways of multiple VPCs, in any Region or account, subject to the per-gateway association quota.

Why this answer

Option D is correct because a Direct Connect Gateway is associated with the virtual private gateway of each VPC, so a single private VIF on one connection reaches all of them. Option A is incorrect because a private VIF attaches to a single virtual private gateway (or to one Direct Connect gateway), and each connection supports only a limited number of VIFs. Option C is not the intended answer because a transit gateway also needs a Direct Connect gateway plus a transit VIF; it is the right choice at larger scale, but the question asks for the direct construct.

Option B is incorrect because a VPN connection is a separate service and does not extend the Direct Connect link.

1176
MCQhard

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to use a single NAT Gateway for all private subnets to reduce costs, but the NAT Gateway is in a single Availability Zone (AZ). The network architect is concerned about single points of failure. Which design best addresses high availability while still using the minimum number of NAT Gateways?

A.Deploy a single NAT Gateway in one AZ and use a VPN to an on-premises internet gateway as backup.
B.Deploy one NAT Gateway in each AZ that contains private subnets, and update the route tables accordingly.
C.Use a NAT instance in an Auto Scaling group across multiple AZs instead of a NAT Gateway.
D.Create a second VPC with a NAT Gateway and peer the VPCs to share the NAT Gateway.
AnswerB

This ensures each AZ is independent; if one NAT Gateway fails, only that AZ loses internet access.

Why this answer

Option B is correct. One NAT Gateway per AZ that has private subnets, with each private subnet routing to the gateway in its own AZ, contains failures to a single AZ and avoids cross-AZ data transfer charges; with two AZs that is two gateways, the minimum for high availability. Option A is incorrect because a single NAT Gateway remains a single point of failure, and hairpinning internet traffic through on-premises over a VPN is neither simple nor cheap.

Option C is incorrect because NAT instances need failover scripting and patching and are less reliable than the managed service. Option D is incorrect because a second VPC adds complexity and cost, and a NAT Gateway cannot be used by instances in a peered VPC anyway.

1177
MCQeasy

A company has deployed a VPC with public and private subnets. The private subnets need outbound internet access for software updates. Which service should be used to provide this access without exposing the instances to inbound traffic?

A.Attach an Internet Gateway to the VPC and add a default route to it from the private subnets.
B.Set up a VPN connection to an on-premises network that has internet access.
C.Use a Direct Connect connection to route traffic through an on-premises internet gateway.
D.Deploy a NAT Gateway in a public subnet and add a default route to it from the private subnets.
AnswerD

NAT Gateway provides outbound-only internet access.

Why this answer

A NAT Gateway allows instances in private subnets to initiate outbound traffic to the internet but offers no path for connections initiated from the internet. Option A is wrong because routing private subnets to an Internet Gateway would require public IP addresses on the instances and would make them reachable from the internet. Option B is wrong because a VPN connection provides private connectivity to the on-premises network, not internet access.

Option C is wrong for the same reason: Direct Connect is dedicated private connectivity, and hairpinning internet traffic through on premises is neither required nor desirable here.

1178
Multi-Selectmedium

A company is designing a VPC with public and private subnets. The private subnets must have outbound internet access for software updates, but must not be directly reachable from the internet. Which two components are required for this design? (Choose two.)

Select 2 answers
A.NAT Gateway in a public subnet
B.Security Group allowing outbound HTTPS
C.Internet Gateway attached to the VPC
D.AWS Site-to-Site VPN connection
E.Route table for private subnets with 0.0.0.0/0 pointing to the NAT Gateway
AnswersA, E

NAT Gateway enables outbound internet access for private instances.

Why this answer

Options A and E are correct. A NAT Gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet, and the private subnets' route table sends 0.0.0.0/0 to the NAT Gateway. Option C is not one of the two expected answers because the question takes the public subnet, and therefore the Internet Gateway its route table uses, as given; keep in mind that the NAT Gateway cannot function without an Internet Gateway attached to the VPC and a 0.0.0.0/0 route to it from the NAT Gateway's own subnet.

Option B is wrong because security groups filter traffic rather than create a path, and the default outbound rule already permits HTTPS. Option D is wrong because a VPN connection is for private connectivity to on premises, not internet access.

1179
MCQmedium

An application running on EC2 instances in a VPC needs to access an Amazon S3 bucket to read configuration files. The VPC has an S3 VPC endpoint configured. The instances are in a private subnet and have a security group that allows all outbound traffic. The bucket policy allows access from the VPC endpoint. However, the application fails to access the S3 bucket. What is the most likely cause?

A.The network ACL for the private subnet is blocking outbound HTTPS traffic.
B.The VPC endpoint's route table does not include the subnet's route table, so traffic to S3 is not routed through the endpoint.
C.The security group for the EC2 instances has an outbound rule that blocks HTTPS traffic to S3.
D.The S3 bucket policy does not grant access to the VPC endpoint's ID.
AnswerB

VPC endpoints require route table association to route traffic.

Why this answer

Option B is correct. A gateway endpoint for S3 works by adding a route for the S3 prefix list, with the endpoint as target, to the route tables you associate with it. If the private subnet's route table is not associated with the endpoint, requests to S3 follow the default route instead; the subnet has no NAT Gateway, so they never reach S3, and the bucket policy that allows only the endpoint would reject them even if they did.

Option C is incorrect because the security group allows all outbound traffic. Option D is incorrect because the bucket policy is stated to allow access from the endpoint. Option A is less likely because nothing in the scenario mentions a changed network ACL, and a NACL blocking outbound HTTPS would break all HTTPS from the subnet, not only S3. Two further checks worth making in practice: the endpoint policy itself (it can restrict buckets and actions), and that the application uses the S3 endpoint of the same Region, since a gateway endpoint only intercepts traffic to its own Region's S3 prefix list.

1180
MCQmedium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. Which configuration will allow this without exposing the instance to inbound internet traffic?

A.Use VPC Gateway Endpoints for S3 and DynamoDB.
B.Attach an Internet Gateway to the VPC and assign a public IP to the instance.
C.Deploy a NAT Gateway in a public subnet and update the private subnet's route table to point default route to the NAT Gateway.
D.Configure a VPN connection from the VPC to an on-premises network that has internet access.
AnswerC

NAT Gateway provides outbound internet access without inbound access.

Why this answer

Option C is correct. A NAT Gateway in a public subnet allows outbound internet traffic from private instances while accepting no inbound connections from the internet. Option B is wrong because an Internet Gateway plus a public IP makes the instance directly reachable from the internet.

Option D is wrong because a VPN provides private connectivity to on premises, not internet access. Option A is wrong because gateway endpoints only reach S3 and DynamoDB, not patch repositories on the internet.

1181
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They want to limit traffic between specific VPCs for security purposes. Which feature should they use?

A.Security groups attached to the Transit Gateway.
B.Transit Gateway route tables.
C.VPC Flow Logs.
D.Network ACLs in each VPC.
AnswerB

Route tables control which attachments can communicate.

Why this answer

Option B is correct because Transit Gateway route tables decide which attachments can reach which: associate each VPC attachment with a route table that holds routes only to the attachments it is allowed to reach, and propagate (or statically add) routes only where traffic is intended. Two VPCs whose attachments are associated with tables that carry no route to each other cannot communicate, whatever their security groups allow. Option D is wrong because Network ACLs are per-subnet filters and do not stop the Transit Gateway from forwarding. Option A is wrong because security groups are attached to instance ENIs, not to a Transit Gateway.

Option C is wrong because VPC Flow Logs are for monitoring, not control.

1182
MCQeasy

A network engineer is troubleshooting connectivity between an EC2 instance in a VPC and an on-premises server connected via AWS Site-to-Site VPN. The ping from the EC2 instance to the on-premises server fails. The VPN tunnel status shows 'UP'. Which configuration should the engineer check first?

A.Ensure the customer gateway device is configured with the correct public IP address
B.Check that the pre-shared key matches on both sides
C.Check the route table associated with the EC2 instance's subnet for a route to the on-premises network
D.Verify that the VPN tunnel is using the correct encryption algorithms
AnswerC

Without a route pointing traffic to the virtual private gateway, the VPN cannot forward packets.

Why this answer

Option C is correct because the tunnel is up, so the most likely issue is that the route table for the EC2 instance's subnet has no route to the on-premises network via the virtual private gateway; enabling route propagation on that route table (or adding a static route) fixes it. Option A is wrong because the tunnel could not be up with the wrong customer gateway IP address. Option B is wrong because a pre-shared key mismatch would prevent IKE from completing, and the tunnel would be down.

Option D is wrong because an UP tunnel means IKE and IPsec, including the algorithms, negotiated successfully. Note that tunnel status only reports the IPsec security association: after the VPC route, also check the on-premises router's return route, the security group and NACL rules for ICMP, and that the on-premises CIDR is configured as a static route or advertised over BGP on the VPN connection.

1183
MCQhard

A global company is deploying a multi-Region application on AWS. The application requires low-latency access to a shared dataset that is updated frequently in multiple Regions. The company wants to use Amazon Route 53 latency-based routing to direct users to the closest Region. Which data store provides the best combination of low-latency reads and cross-Region consistency for this use case?

A.Amazon S3 with cross-Region replication
B.Amazon Aurora Global Database
C.Amazon ElastiCache for Redis Global Datastore
D.Amazon DynamoDB global tables with eventually consistent reads
AnswerC

Redis Global Datastore provides sub-millisecond reads and cross-Region replication.

Why this answer

Option C is correct because Amazon ElastiCache for Redis offers sub-millisecond reads and, with Global Datastore, cross-Region replication (asynchronous, typically under one second). Option D is incorrect because DynamoDB global tables replicate asynchronously and their single-digit-millisecond reads are slower than an in-memory cache. Option A is incorrect because S3 is object storage and is not suited to a frequently updated shared dataset that requires sub-millisecond reads.

Option B is incorrect because Aurora Global Database provides low-latency reads in secondary Regions but with replication lag of typically around one second, not sub-millisecond access. Note that all four options are eventually consistent across Regions; the question is asking for the fastest reads with cross-Region replication, not strong consistency.

1184
MCQhard

A large e-commerce company is redesigning its global network architecture. They have three VPCs in us-east-1: production (10.0.0.0/16), staging (10.1.0.0/16), and development (10.2.0.0/16). They also have two VPCs in eu-west-1: production (10.10.0.0/16) and staging (10.11.0.0/16). All VPCs are connected via a Transit Gateway with inter-region peering. The company wants to allow the staging VPCs in both regions to communicate with each other for data replication, but no other cross-region traffic should be allowed. Additionally, the production VPC in us-east-1 must be able to send traffic to the production VPC in eu-west-1 for a disaster recovery pilot. The security team has configured Network ACLs and security groups appropriately. However, after implementation, the staging VPCs can communicate, but the production VPCs cannot. A network engineer checks the Transit Gateway route tables and finds that both production VPC attachments are associated with the same route table, which has a static route for the 10.0.0.0/16 and 10.10.0.0/16 prefixes. What is the MOST likely reason for the failure?

A.The security groups in the production VPCs are blocking the traffic
B.The production VPCs are attached to the same Transit Gateway route table, causing asymmetric routing
C.The production VPCs have overlapping CIDR ranges, causing a routing conflict
D.The Transit Gateway route table for the production VPCs does not have a route for the remote production CIDR
AnswerB

With both production attachments in one route table, the forward route and the return route for the two production CIDRs are not resolved by the same table entries, so traffic can go one way but not back. Separate route tables per Region, each with a static route for the remote CIDR via the peering attachment, make the path explicit.

Why this answer

The key's reasoning is that one shared route table for both production attachments mixes the propagated route for the local production CIDR with the static route for the remote one, so a packet's forward path and its return path are not resolved consistently (asymmetric routing), and separating the attachments into per-Region route tables fixes the direction of each route.

In practice, remember what inter-Region peering does and does not do: each Region has its own Transit Gateway and its own route tables, and routes are never propagated across a peering attachment. The us-east-1 production route table therefore needs a static route for 10.10.0.0/16 whose target is the peering attachment, and the eu-west-1 production route table needs a static route for 10.0.0.0/16 pointing back at the peering attachment. A static route for the remote CIDR that targets the local VPC attachment, or a missing return route in the other Region, produces exactly the one-way failure described.

Option A is unlikely because the security team has verified security groups. Option C is wrong because 10.0.0.0/16 and 10.10.0.0/16 do not overlap. Option D describes a missing route, but the scenario states that the static routes exist; the problem is which table they are in and what they point to.

1185
MCQmedium

A company is designing a multi-Region application with an Application Load Balancer (ALB) in each Region fronting an Auto Scaling group of EC2 instances. The application must be accessible via a single DNS name, and traffic should be routed to the closest healthy Region using a latency-based routing policy. Which AWS service should be used as the DNS endpoint to achieve this?

A.Amazon Route 53
B.Amazon CloudFront
C.AWS Global Accelerator
D.AWS Network Load Balancer
AnswerA

Route 53 latency-based routing sends traffic to the AWS endpoint with the lowest latency.

Why this answer

Amazon Route 53 with latency-based routing directs each user to the Region with the lowest measured latency; the ALB in each Region is registered as a latency alias record, and health checks (evaluate target health on the alias) keep unhealthy Regions out of the answer. Option C is incorrect because Global Accelerator routes to the nearest healthy endpoint over anycast static IPs rather than through a DNS routing policy, which is what the question asks for.

Option B is incorrect because CloudFront is a CDN that caches at edge locations and does not select among origins with a latency policy. Option D is incorrect because a Network Load Balancer does not provide DNS-level routing policies.

1186
MCQhard

A company has an AWS Direct Connect connection with a private VIF to a VPC. The VPC has multiple subnets across two Availability Zones. The company wants to use the Direct Connect connection as the primary path for all traffic from on-premises to the VPC, and use a Site-to-Site VPN as a backup. The on-premises router is configured to advertise a default route via BGP over the Direct Connect, and the VPN also advertises a default route. Which configuration ensures that the Direct Connect path is preferred over the VPN?

A.Disable route propagation from the VPN in the VPC route tables to ensure Direct Connect routes take precedence.
B.Set a higher local preference on the Direct Connect BGP session on the on-premises router.
C.Decrease the Multi-Exit Discriminator (MED) value on the Direct Connect BGP advertisements from AWS.
D.Configure AS_PATH prepending on the VPN BGP advertisements from the on-premises router to make the VPN path longer.
AnswerD

Longer AS_PATH makes the route less preferred.

Why this answer

Option D is correct per the key: with the same prefix advertised on both sessions, prepending the on-premises AS to the VPN advertisements gives that path a longer AS_PATH, so it loses the BGP comparison and the Direct Connect path carries the traffic, with the VPN taking over only when the Direct Connect route is withdrawn. Option B is marked wrong because local preference is applied on the on-premises router and is never seen by AWS; that is only half the story (see the caveats below).

Option C is wrong because the MED is set by the advertising side, and the advertisements from AWS are not yours to change. Option A is wrong because disabling propagation from the VPN would remove the backup routes entirely, so there would be no failover.

Two caveats matter in practice. First, the virtual private gateway ranks routes for the same prefix before it looks at BGP attributes: BGP routes from Direct Connect are preferred over static VPN routes, which are preferred over BGP routes from the VPN, so in the AWS-to-on-premises direction Direct Connect already wins without prepending; prepending still decides between paths of the same type and remains good practice. Second, AWS advertises the VPC CIDR on both sessions, and the on-premises-to-AWS direction is chosen by the on-premises router, where local preference (Option B) is the standard tool; real deployments configure both.
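As an added illustration (not part of the question bank), the following Python models the standard BGP decision process for one prefix learned twice, once over the Direct Connect private VIF and once over the VPN. It shows why prepending on the VPN session makes the Direct Connect path win, and why a LOCAL_PREF set on the on-premises router overrides any prepending in that router's own direction. The ASN 65000 and the session labels are assumptions; the virtual private gateway's Direct Connect-over-VPN ordering described above sits before this comparison and is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str          # label of the BGP session the route was learned on
    as_path: tuple         # e.g. (65000,); prepended twice = (65000, 65000, 65000)
    local_pref: int = 100  # default LOCAL_PREF on most routers
    origin: int = 0        # IGP=0 < EGP=1 < INCOMPLETE=2, lower preferred
    med: int = 0           # lower preferred


def decision_key(route):
    """Sort key for the BGP decision process, most significant first:
    highest LOCAL_PREF, shortest AS_PATH, lowest ORIGIN, lowest MED.
    Later tie-breakers (eBGP over iBGP, IGP metric, router ID) are omitted."""
    return (-route.local_pref, len(route.as_path), route.origin, route.med)


def best_path(routes):
    """Return the preferred route among advertisements of a single prefix."""
    if len({r.prefix for r in routes}) != 1:
        raise ValueError("best_path compares routes for a single prefix")
    return min(routes, key=decision_key)


def is_tie(a, b):
    """True when the attributes modelled here cannot separate the two routes."""
    return decision_key(a) == decision_key(b)


def prepend(route, times):
    """AS_PATH prepending as configured on the on-premises router: the
    originating AS is repeated `times` extra times at the head of the path."""
    head = route.as_path[0]
    return Route(route.prefix, route.neighbor, (head,) * times + route.as_path,
                 route.local_pref, route.origin, route.med)


def preferred_neighbor(*routes):
    return best_path(routes).neighbor


# Constructed sample (assumed ASN): the on-premises AS advertises a default
# route on both sessions, exactly as in the question.
ON_PREM_ASN = 65000
DX_DEFAULT = Route("0.0.0.0/0", "dx-private-vif", (ON_PREM_ASN,))
VPN_DEFAULT = Route("0.0.0.0/0", "vpn-tunnel-1", (ON_PREM_ASN,))

if __name__ == "__main__":
    print("without prepending:", "tie" if is_tie(DX_DEFAULT, VPN_DEFAULT) else "decided")
    print("VPN prepended twice:", preferred_neighbor(DX_DEFAULT, prepend(VPN_DEFAULT, 2)))
```

The last case worth trying is a VPN route with a longer AS_PATH but `local_pref=200`: it wins regardless of the prepending, which is why the on-premises router, not AWS, decides the on-premises-to-AWS direction.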

1187
MCQmedium

A company is setting up a new AWS environment for a project. The network architect decides to use a hub-and-spoke model with a central inspection VPC for east-west traffic inspection. The inspection VPC (VPC-Hub) contains a firewall appliance that inspects traffic between spoke VPCs. All VPCs are attached to an AWS Transit Gateway. The architect creates a route table in the Transit Gateway for the inspection VPC and another route table for the spoke VPCs. The inspection VPC route table has a default route (0.0.0.0/0) pointing to the firewall appliance. The spoke VPCs have route tables that point to the inspection VPC for traffic to other spoke VPCs. The firewall appliance is configured to forward traffic after inspection. However, traffic between spoke VPCs is not being routed through the inspection VPC. Which configuration change should the architect make to ensure traffic between spoke VPCs is inspected?

A.Use VPC Peering between the spoke VPCs instead of Transit Gateway
B.Create a static route in the inspection VPC route table for each spoke VPC CIDR
C.Remove the default route from the spoke VPC route tables
D.Enable route propagation on the inspection VPC attachment for the inspection route table
AnswerD

Correct; propagation allows the inspection VPC to learn the spoke CIDRs.

Why this answer

Option D is correct because the inspection VPC route table needs to learn the spoke VPC CIDRs dynamically via route propagation from the Transit Gateway attachment. Without propagation, the inspection VPC route table only has a default route pointing to the firewall appliance, but no specific routes for the spoke VPCs. When the firewall appliance forwards traffic after inspection, it needs to know how to reach the destination spoke VPC; enabling route propagation on the inspection VPC attachment for the inspection route table allows the Transit Gateway to inject the spoke VPC routes into that route table, enabling proper return traffic flow.

Exam trap

The trap here is that candidates often focus on the spoke VPC route tables (thinking they need to remove the default route or add static routes) instead of recognizing that the inspection VPC route table must have routes to the spoke VPCs via route propagation to allow the firewall to forward inspected traffic back to the Transit Gateway.

How to eliminate wrong answers

Option A is wrong because using VPC Peering instead of Transit Gateway would bypass the central inspection VPC entirely, defeating the purpose of the hub-and-spoke model for east-west traffic inspection. Option B is wrong because creating a static route in the inspection VPC route table for each spoke VPC CIDR is unnecessary and less scalable; the Transit Gateway can dynamically propagate routes, and static routes would require manual updates as spoke VPCs change. Option C is wrong because removing the default route from the spoke VPC route tables would break all outbound traffic from the spoke VPCs, not just inter-spoke traffic; the default route is needed for internet-bound traffic or other destinations, and the issue is about the inspection VPC route table lacking spoke routes, not the spoke route tables.
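The following Python is an added example, not code from the question bank or from AWS. It models Transit Gateway route tables (one association per attachment, propagation, static routes, longest-prefix match) and traces a packet from one attachment to another. It reproduces the inspection design of this question and the segmentation design of question 1181 with assumed attachment names and CIDRs; the inspection VPC is modelled as handing every packet back to the Transit Gateway after the firewall has seen it. AZ symmetry (appliance mode) and inter-Region peering are not modelled.

```python
import ipaddress


class TransitGateway:
    """Each attachment is associated with exactly one route table. A table holds
    static routes and routes propagated from attachments. Forwarding is a
    longest-prefix match in the table the *ingress* attachment is associated with."""

    def __init__(self):
        self.attachments = {}   # id -> (network owned by the attachment, associated table)
        self.tables = {}        # table name -> list of (network, target attachment id)

    def add_table(self, name):
        self.tables[name] = []

    def attach_vpc(self, att_id, cidr, table):
        self.attachments[att_id] = (ipaddress.ip_network(cidr), table)

    def propagate(self, att_id, table):
        """Route propagation: the attachment's CIDR is installed in `table`."""
        cidr, _ = self.attachments[att_id]
        self.tables[table].append((cidr, att_id))

    def add_static(self, table, cidr, att_id):
        self.tables[table].append((ipaddress.ip_network(cidr), att_id))

    def lookup(self, table, dst):
        """Longest-prefix match; None means the packet is dropped."""
        addr = ipaddress.ip_address(dst) if isinstance(dst, str) else dst
        matches = [(net, att) for net, att in self.tables[table] if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def trace(self, src_att, dst, appliance_atts=(), max_hops=6):
        """Hops a packet takes from src_att to the attachment owning dst.
        Attachments in appliance_atts (the inspection VPC) hand the packet back
        to the TGW, so the lookup continues in *their* associated table."""
        addr = ipaddress.ip_address(dst)
        hops, ingress = [src_att], src_att
        for _ in range(max_hops):
            egress = self.lookup(self.attachments[ingress][1], addr)
            if egress is None:
                return hops + ["DROPPED:no-route"]
            hops.append(egress)
            if addr in self.attachments[egress][0]:
                return hops                        # delivered to the owning VPC
            if egress not in appliance_atts:
                return hops + ["DROPPED:wrong-vpc"]
            ingress = egress                       # re-enters via the appliance attachment
        return hops + ["LOOP"]


def build_inspection_tgw(propagate_spokes=True):
    """Hub-and-spoke inspection (question 1187): spokes share one table holding
    only a default route to the inspection VPC; the inspection table learns the
    spoke CIDRs by propagation. propagate_spokes=False reproduces the fault."""
    tgw = TransitGateway()
    tgw.add_table("spoke-rt")
    tgw.add_table("inspection-rt")
    tgw.attach_vpc("att-spoke-a", "10.1.0.0/16", "spoke-rt")
    tgw.attach_vpc("att-spoke-b", "10.2.0.0/16", "spoke-rt")
    tgw.attach_vpc("att-inspection", "10.99.0.0/16", "inspection-rt")
    tgw.add_static("spoke-rt", "0.0.0.0/0", "att-inspection")
    if propagate_spokes:
        tgw.propagate("att-spoke-a", "inspection-rt")
        tgw.propagate("att-spoke-b", "inspection-rt")
    return tgw


def build_segmented_tgw():
    """Segmentation (question 1181): prod and dev each reach a shared-services
    VPC but not each other, purely through route table membership."""
    tgw = TransitGateway()
    for name in ("prod-rt", "dev-rt", "shared-rt"):
        tgw.add_table(name)
    tgw.attach_vpc("att-prod", "10.10.0.0/16", "prod-rt")
    tgw.attach_vpc("att-dev", "10.20.0.0/16", "dev-rt")
    tgw.attach_vpc("att-shared", "10.0.0.0/16", "shared-rt")
    tgw.propagate("att-shared", "prod-rt")
    tgw.propagate("att-shared", "dev-rt")
    tgw.propagate("att-prod", "shared-rt")
    tgw.propagate("att-dev", "shared-rt")
    return tgw


if __name__ == "__main__":
    t = build_inspection_tgw()
    print(t.trace("att-spoke-a", "10.2.0.5", appliance_atts=("att-inspection",)))
    print(build_inspection_tgw(False).trace("att-spoke-a", "10.2.0.5", ("att-inspection",)))
    print(build_segmented_tgw().trace("att-prod", "10.20.1.1"))
```

Tracing the return direction (spoke B to spoke A) through the same model confirms that propagation into the inspection table is what gives the firewall a route for both directions; the spoke table never needs anything beyond its default route.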

1188
Multi-Selecthard

A company is using AWS Direct Connect to connect on-premises to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which TWO options can achieve this?

Select 2 answers
A.Establish an IPsec VPN tunnel over the Direct Connect virtual interface
B.Enable MACsec on the Direct Connect dedicated connection
C.Use TLS on all applications
D.Use VPC gateway endpoints for S3
E.Rely on Direct Connect's physical security
AnswersA, B

IPsec provides encryption at the network layer.

Why this answer

Option A is correct because an IPsec VPN over Direct Connect encrypts the traffic: run a Site-to-Site VPN over a public VIF to a virtual private gateway or Transit Gateway, or a private IP VPN over a transit VIF. Option B is correct because MACsec provides Layer 2 encryption on dedicated connections (10 Gbps and above, at MACsec-capable locations) between your device and the AWS Direct Connect device. Option C is wrong because TLS is application-level encryption and covers only the applications that use it, not the link.

Option D is wrong because VPC endpoints do not encrypt the Direct Connect link. Option E is wrong because Direct Connect by itself provides no encryption; it is a private circuit, not a confidential one. The practical trade-off: IPsec is limited to 1.25 Gbps per tunnel, so filling a 10 Gbps link needs ECMP across several tunnels, while MACsec runs at line rate but protects only the last hop.

1189
MCQhard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to connect their on-premises data center to AWS using AWS Direct Connect. The data center uses RFC 1918 addresses from the 10.0.0.0/8 range, overlapping with the VPC CIDR. The company cannot change the on-premises IP addresses. Which design allows connectivity without IP conflicts?

A.Configure Direct Connect Gateway with network address translation
B.Use AWS Transit Gateway with route table separation
C.Deploy a Private NAT Gateway in the VPC and configure routes to send on-premises traffic through it
D.Set up VPC Peering between the VPC and on-premises network over Direct Connect
AnswerC

Private NAT Gateway translates VPC IPs to a different range, allowing communication with overlapping on-premises addresses.

Why this answer

Option C is correct because a private NAT Gateway translates the source addresses of VPC instances to its own private IP, which can sit in a secondary, non-overlapping CIDR added to the VPC (for example 100.64.0.0/16); on premises only needs to route that range. Option D is wrong because VPC peering is between VPCs, not to on premises, and does not support overlapping CIDRs in any case. Option B is wrong because a Transit Gateway cannot handle overlapping CIDRs without NAT.

Option A is wrong because Direct Connect Gateway does not perform address translation. Note the limitation of this design: connections must be initiated from the VPC side; for on-premises-initiated traffic the on-premises side has to translate as well.

1190
Multi-Selectmedium

A network engineer is troubleshooting high latency on a Direct Connect connection. Which TWO actions should the engineer take to diagnose the issue?

Select 2 answers
A.Check the BGP session status
B.Enable VPC Flow Logs on the VPC
C.Run a continuous 'mtr' from on-premises to an AWS resource
D.Review CloudWatch metrics for the Direct Connect virtual interface
E.Run a traceroute from on-premises to an AWS IP address
AnswersC, D

Identifies latency at each hop.

Why this answer

Options C and D are correct. A continuous mtr gives per-hop loss and RTT over time and shows where latency is added; CloudWatch metrics for the connection and virtual interface show whether the link itself is the cause. Note that Direct Connect publishes no latency metric; the useful series are bits and packets per second (saturation), ConnectionCRCErrorCount and the light levels (a degraded physical link), and ConnectionState. Option E is weaker because a single traceroute is one sample and intermediate hops commonly rate-limit ICMP. Option A is incorrect because BGP session status does not indicate latency.

Option B is incorrect because VPC Flow Logs record traffic metadata, not latency.
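As an added example (not from the question bank), the following Python parses the output of `mtr --report` run from on premises towards an instance in the VPC and separates real path loss from ICMP rate-limiting. Both report texts are constructed for illustration, not real captures; the rule implemented is the usual one: loss at an intermediate hop that is not also seen at every later hop is that hop de-prioritising ICMP replies, while loss that persists to the destination is real. A worst-case RTT far above the average is flagged as jitter, the usual sign of queueing on a saturated link.

```python
import re

# Constructed `mtr --report` output (not a real capture): hop 2 rate-limits ICMP,
# the destination shows no loss but a large RTT spread.
SAMPLE_REPORT = """\
Start: 2024-05-01T10:15:00+0000
HOST: onprem-edge                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.250.0.1                 0.0%   100    0.3   0.4   0.2   1.1   0.1
  2.|-- 169.254.255.1             70.0%   100    1.1   1.2   1.0   1.9   0.1
  3.|-- 10.0.1.25                  0.0%   100    8.9  31.7   8.1 212.4  48.3
"""

# Constructed second report: loss that starts at hop 2 and persists to the end.
SAMPLE_REPORT_LOSS = """\
HOST: onprem-edge                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.250.0.1                 0.0%   100    0.3   0.4   0.2   1.1   0.1
  2.|-- 169.254.255.1             12.0%   100    1.1   1.2   1.0   1.9   0.1
  3.|-- 10.0.1.25                 11.0%   100    8.9   9.3   8.1  12.4   0.9
"""

# One hop line: "  N.|-- host  Loss%  Snt  Last  Avg  Best  Wrst  StDev"
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_mtr_report(text):
    """One dict per hop line; the Start and HOST header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        v = m.groups()
        hops.append({
            "hop": int(v[0]), "host": v[1], "loss": float(v[2]), "sent": int(v[3]),
            "last": float(v[4]), "avg": float(v[5]), "best": float(v[6]),
            "worst": float(v[7]), "stdev": float(v[8]),
        })
    return hops


def diagnose(hops, jitter_ratio=3.0):
    """Return (hop number, finding) pairs:
    - 'real-loss'       loss present at this hop and at every later hop
    - 'icmp-rate-limit' loss that disappears downstream (hop throttles ICMP)
    - 'jitter'          worst RTT more than jitter_ratio times the average"""
    findings = []
    for i, h in enumerate(hops):
        if h["loss"] > 0:
            persists = all(later["loss"] > 0 for later in hops[i:])
            findings.append((h["hop"], "real-loss" if persists else "icmp-rate-limit"))
        if h["avg"] > 0 and h["worst"] > jitter_ratio * h["avg"]:
            findings.append((h["hop"], "jitter"))
    return findings


if __name__ == "__main__":
    for name, report in (("clean path", SAMPLE_REPORT), ("lossy path", SAMPLE_REPORT_LOSS)):
        print(name, diagnose(parse_mtr_report(report)))
```

Run `mtr --report --report-cycles 100 <vpc-address>` several times during the latency window and feed each report through `diagnose`; the hop where `real-loss` or `jitter` first appears tells you whether the problem is on your side of the cross-connect, on the Direct Connect link, or inside the VPC.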

1191
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect. The company wants to use the same Direct Connect connection to access both VPC resources and public AWS services (such as S3 and DynamoDB) from its on-premises network. Which THREE components are required to meet this goal? (Choose three.)

Select 3 answers
A.AWS Transit Gateway
B.Private virtual interface (VIF)
C.Direct Connect Gateway
D.AWS Site-to-Site VPN connection
E.Public virtual interface (VIF)
AnswersB, C, E

Correct; private VIF connects to VPCs.

Why this answer

Option B is correct because a private virtual interface (VIF) connects your on-premises network to a VPC over Direct Connect. To also reach public AWS services such as S3 and DynamoDB over the same connection you need a public VIF (Option E), over which AWS advertises its public prefixes and you advertise your own public addresses. A Direct Connect Gateway (Option C) lets the private VIF attach to the virtual private gateways of VPCs in multiple accounts and Regions; note that it does not route between those VPCs. Together these three components allow a single Direct Connect connection to serve both private VPC resources and public AWS services.

Exam trap

The trap here is that candidates often think a Transit Gateway is required for multi-VPC or hybrid access, but for a single Direct Connect connection to access both VPCs and public services, the essential components are the private VIF, public VIF, and Direct Connect Gateway, not the Transit Gateway.

1192
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to establish a site-to-site VPN connection to an on-premises network with a CIDR of 192.168.0.0/16. The VPN tunnel is up, but traffic from the VPC to on-premises is not flowing. Which of the following is the most likely cause?

A.The security groups do not allow outbound traffic.
B.The NACLs are blocking outbound traffic.
C.The VPC route table does not have a route for 192.168.0.0/16 pointing to the virtual private gateway.
D.The VPN connection is in the wrong AWS region.
AnswerC

Missing route prevents traffic from leaving VPC.

Why this answer

Option C is correct because the VPC route table must have a route for the on-premises CIDR (192.168.0.0/16) pointing to the virtual private gateway; without it, traffic to on premises is dropped at the VPC router. Enabling route propagation from the virtual private gateway on the subnet route table adds the route automatically. Options A, B and D are possible causes but less likely first checks: the default security group outbound rule and the default NACL allow all traffic, and a VPN connection is created against a virtual private gateway in its own Region, so a wrong Region would have prevented the tunnel from coming up against this VPC at all.

1193
MCQhard

A financial company has a multi-account AWS environment using AWS Organizations. They have deployed a centralized inspection VPC with a third-party firewall appliance. All VPCs are attached to a Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by the firewall. The firewall is deployed in an Auto Scaling group behind a Network Load Balancer (NLB). What is the BEST way to route traffic to the firewall?

A.Use a Gateway Load Balancer (GWLB) endpoint in each VPC to route traffic to the firewall.
B.Use VPC peering between each VPC and the inspection VPC.
C.Deploy a firewall appliance in each VPC and route traffic locally.
D.Create a Transit Gateway attachment in the inspection VPC and point the NLB as the target. Route traffic through the Transit Gateway route tables to the inspection VPC.
AnswerD

ECMP distributes traffic across firewall instances.

Why this answer

Option D is correct per the key: the Transit Gateway route tables send inter-VPC traffic to the inspection VPC attachment, and inside the inspection VPC a route to the NLB delivers it to the firewall fleet, which the NLB spreads across instances. Note that a Transit Gateway route can only target an attachment, not an NLB, and that Transit Gateway ECMP applies across VPN (and Connect) attachments; the distribution across firewall instances is done by the load balancer. Option B is incorrect because VPC peering bypasses the Transit Gateway and does not scale to many VPCs. Option C is incorrect because a firewall per VPC multiplies cost and operational effort and defeats centralised inspection.

Option A is marked incorrect because the scenario already has an NLB, but in practice a Gateway Load Balancer with endpoints in the inspection VPC, combined with Transit Gateway appliance mode so that both directions of a flow reach the same appliance, is the pattern AWS recommends for this design; with an NLB you must handle flow symmetry yourself (for example by source NAT on the firewalls).

1194
Multi-Selectmedium

Which TWO of the following are valid methods to connect multiple VPCs in the same AWS Region? (Choose TWO.)

Select 2 answers
A.Internet gateway
B.AWS Site-to-Site VPN
C.VPC peering
D.AWS Transit Gateway
E.AWS Direct Connect
AnswersC, D

Direct connection between two VPCs.

Why this answer

Options C (VPC peering) and D (Transit Gateway) are correct. VPC peering gives direct, non-transitive connectivity between two VPCs; a Transit Gateway connects many VPCs through a hub with transitive routing. Option B (Site-to-Site VPN) is for on-premises connectivity.

Option E (Direct Connect) is for on-premises connectivity. Option A (Internet Gateway) is for internet access, not VPC-to-VPC traffic.

1195
Multi-Selecthard

A company has a VPC with multiple subnets and is using Network Access Analyzer to identify unintended network access. It reports that an EC2 instance in a private subnet has a route to an internet gateway. Which two actions should be taken to remediate this?

Select 2 answers
A.Ensure the EC2 instance does not have a public IP address
B.Remove the route to the internet gateway from the subnet's route table
C.Assign a public IP address to the instance
D.Update the security group to deny outbound traffic to 0.0.0.0/0
E.Attach a NAT gateway to the private subnet
AnswersA, B

Without a public IP, internet traffic is not possible even with route.

Why this answer

The instance should have no path to the internet. Removing the Internet Gateway route from the subnet's route table and ensuring the instance has no public IP (including the subnet's auto-assign setting) are the correct actions. Options A and B are correct.

Option E is wrong because a NAT Gateway would still give the instance outbound internet access. Option D is wrong because security groups have no deny rules and do not change routing. Option C is wrong because assigning a public IP is the opposite of remediation; with the Internet Gateway route still in place it would make the instance reachable from the internet.

1196
MCQmedium

A company has deployed a web application behind an Application Load Balancer (ALB) in a VPC. The security team wants to block a list of known malicious IP addresses from accessing the application. Which service should they use to implement this protection?

A.Network ACLs on the ALB subnet with deny rules
B.AWS WAF with an IP set rule that blocks the malicious IPs
C.AWS Shield Advanced with automatic IP blocking
D.Security Groups for the ALB with deny rules
AnswerB

WAF integrates with ALB and can block IPs.

Why this answer

Option B is correct because AWS WAF IP set rules block the listed addresses at the ALB, scale to thousands of CIDRs and can be updated without touching the network. Option C is wrong because Shield Advanced provides DDoS protection, not a static block list. Option A is wrong because Network ACLs are stateless, evaluated in rule-number order and limited to a small number of rules (20 per NACL by default), so they do not scale to a block list.

Option D is wrong because security groups have no deny rules; they can only allow traffic.

1197
MCQhard

A company is designing a network for a critical application that requires low latency between EC2 instances. The instances are in the same AWS Region but different Availability Zones. Which configuration will provide the lowest latency?

A.Use an Application Load Balancer to distribute traffic
B.Launch instances in the same placement group within a single Availability Zone
C.Use Direct Connect to connect the VPCs
D.Use VPC peering to connect the VPCs
AnswerB

Placement groups provide low latency by placing instances close together.

Why this answer

Option B is correct because placing EC2 instances within the same placement group in a single Availability Zone ensures they are in close physical proximity, often on the same rack or within the same cluster, which minimizes network hops and achieves the lowest possible latency (typically under 1 ms). This configuration is specifically designed for low-latency, high-throughput workloads like HPC or real-time data processing.

Exam trap

The trap here is that candidates often assume inter-AZ latency is negligible or that services like ALB or VPC peering are designed for low-latency scenarios, but the question specifically asks for the lowest latency, which requires physical co-location within a single AZ using a placement group.

How to eliminate wrong answers

Option A is wrong because an Application Load Balancer operates at Layer 7 and introduces additional network hops and processing overhead, which increases latency compared to direct instance-to-instance communication. Option C is wrong because Direct Connect is a dedicated network connection between on-premises and AWS, not between VPCs or instances within the same Region, and it does not reduce inter-AZ latency. Option D is wrong because VPC peering connects VPCs across different networks and does not optimize physical proximity; instances in different VPCs still communicate over the AWS backbone, which has higher latency than instances in the same placement group.

1198
Multi-Selectmedium

A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to enforce that all VPCs use a specific set of security group rules for inbound SSH access. Which TWO steps should the team take? (Choose two.)

Select 2 answers
A.Use AWS Config rules to detect non-compliant security groups and trigger automatic remediation.
B.Enable AWS CloudTrail to log all security group changes and send alerts.
C.Enable Amazon GuardDuty to monitor for malicious traffic.
D.Use a service control policy (SCP) to deny the ec2:AuthorizeSecurityGroupIngress action if the rule does not comply with the standard.
E.Create an IAM role in each account that only allows creation of compliant security groups.
AnswersA, D

Config can detect and remediate.

Why this answer

Options A and D are correct. An SCP can deny ec2:AuthorizeSecurityGroupIngress for principals that are not permitted to add rules, and AWS Config can detect non-compliant security groups (for example with the managed rule restricted-ssh) and trigger remediation. Note that the SCP evaluates the API request's condition keys, not the resulting rule set, so the Config rule and its remediation are what verify the end state. Option E is wrong because a per-account IAM role constrains only whoever assumes it and is not enforced organisation-wide.

Option B is wrong because CloudTrail records changes but does not enforce anything. Option C is wrong because GuardDuty detects threats, not configuration drift.

1199
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. Which policy should they use?

A.Create an IAM policy that restricts access to the VPC and attach it to all users.
B.Attach a security group to the S3 bucket that allows traffic from the VPC.
C.Add a bucket policy with a condition that requires aws:SourceVpc to be the VPC ID.
D.Create a VPC Endpoint policy that allows access only from the VPC.
AnswerC

This condition ensures requests originate from the specified VPC.

Why this answer

Option C is correct because S3 bucket policies can use the aws:SourceVpc condition key to restrict access to requests that arrive from a specific VPC. Option B is wrong because security groups do not apply to S3. Option D is wrong because a VPC endpoint policy controls what can be reached through the endpoint; it is applied on the endpoint, not on the bucket, and does not stop requests arriving by other paths.

Option A is wrong because IAM policies are attached to principals, not to the bucket. Three caveats for practice: aws:SourceVpc is present only when the request reaches S3 through a VPC endpoint, so the VPC needs an S3 endpoint, and a request from the same VPC via a NAT Gateway (which carries aws:SourceIp, not aws:SourceVpc) is treated as outside; write the restriction as an explicit Deny with StringNotEquals, since an Allow statement alone does not remove other principals' existing permissions; and exempt an administrative principal, otherwise the condition also locks out console and CLI access from outside the VPC.
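The following Python is an added example, not from the question bank or from AWS documentation. It builds the bucket policy described above (bucket name, VPC ID and role ARNs are placeholders) and evaluates it against constructed request contexts with a small model of the two condition operators involved. The point it demonstrates is the one that bites in practice: StringNotEquals on a key that is absent from the request, which is what a request that did not come through a VPC endpoint looks like, still matches, so those requests are denied as intended.

```python
import json

VPC_ID = "vpc-0123456789abcdef0"                            # placeholder
BUCKET = "example-config-bucket"                             # placeholder
ADMIN_ROLE = "arn:aws:iam::111122223333:role/ConfigAdmin"    # placeholder

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromVpc",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {
            # a request with no aws:SourceVpc (not via a VPC endpoint) matches too
            "StringNotEquals": {"aws:SourceVpc": VPC_ID},
            # exempt one administrative role so the bucket cannot lock everyone out
            "ArnNotEquals": {"aws:PrincipalArn": ADMIN_ROLE},
        },
    }],
}


def policy_json():
    """The document as it would be passed to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _condition_matches(operator, key, expected, request):
    """IAM semantics for the operators this policy uses: the *NotEquals
    operators evaluate to true when the key is missing from the request;
    the *Equals operators evaluate to false in that case."""
    actual = request.get(key)
    if operator in ("StringNotEquals", "ArnNotEquals"):
        return actual != expected
    if operator in ("StringEquals", "ArnEquals"):
        return actual is not None and actual == expected
    raise ValueError(f"operator {operator} not modelled")


def statement_applies(statement, request):
    """All condition blocks within one statement are ANDed together."""
    return all(
        _condition_matches(op, key, expected, request)
        for op, pairs in statement.get("Condition", {}).items()
        for key, expected in pairs.items()
    )


def is_denied(policy, request):
    """True if any Deny statement matches. An explicit deny always wins; a
    caller that is not denied still needs an Allow (typically in its IAM
    policy) to actually get access."""
    return any(statement_applies(s, request)
               for s in policy["Statement"] if s["Effect"] == "Deny")


# Constructed request contexts: the condition keys S3 would see for each path.
APP_ROLE = "arn:aws:iam::111122223333:role/AppRole"           # placeholder
FROM_ENDPOINT = {"aws:PrincipalArn": APP_ROLE, "aws:SourceVpc": VPC_ID}
FROM_OTHER_VPC = {"aws:PrincipalArn": APP_ROLE, "aws:SourceVpc": "vpc-0fedcba9876543210"}
VIA_NAT_GATEWAY = {"aws:PrincipalArn": APP_ROLE, "aws:SourceIp": "203.0.113.7"}  # no aws:SourceVpc
ADMIN_FROM_LAPTOP = {"aws:PrincipalArn": ADMIN_ROLE, "aws:SourceIp": "198.51.100.9"}

if __name__ == "__main__":
    for name, ctx in (("endpoint", FROM_ENDPOINT), ("other vpc", FROM_OTHER_VPC),
                      ("nat gateway", VIA_NAT_GATEWAY), ("admin", ADMIN_FROM_LAPTOP)):
        print(f"{name:12s} denied={is_denied(BUCKET_POLICY, ctx)}")
```

The NAT Gateway case is the one to test after deploying: an instance in the right VPC that reaches S3 without the gateway endpoint route is denied, which is correct for the policy but easy to mistake for a permissions bug.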

1200
MCQeasy

A company has deployed a web application in a VPC with public subnets for the web servers and private subnets for the database servers. The web servers need to access the internet for software updates. The network engineer configured a NAT Gateway in the public subnet and added a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway. However, the web servers cannot reach the internet. What is the most likely cause?

A.The private subnet route table does not have a route to the NAT Gateway for 0.0.0.0/0.
B.The security group of the web servers is blocking outbound traffic to the internet.
C.The web servers are in a public subnet, but the route table for the public subnet points 0.0.0.0/0 to the NAT Gateway instead of the Internet Gateway.
D.The NAT Gateway does not have a route to the Internet Gateway in its route table.
AnswerC

Public subnets should route internet traffic to an Internet Gateway, not a NAT Gateway. The NAT Gateway is for private subnets.

Why this answer

Option C is correct because the web servers are deployed in a public subnet, which needs a route table entry pointing 0.0.0.0/0 to an Internet Gateway (IGW) for direct internet access. Instead, the route points to a NAT Gateway, which is intended for private subnets. The NAT Gateway forwards using the route table of the subnet it sits in; if that table sends 0.0.0.0/0 back to the NAT Gateway, neither the web servers' traffic nor the NAT Gateway's own translated traffic ever reaches the IGW, and the packets are black-holed.

Exam trap

The trap here is that candidates often confuse the purpose of a NAT Gateway (for private subnets) with an Internet Gateway (for public subnets), and assume that placing a NAT Gateway in a public subnet automatically provides internet access to instances in that subnet, when in fact the route table must point to the IGW for public subnets.

How to eliminate wrong answers

Option A is wrong because the private subnet route table does have a route to the NAT Gateway for 0.0.0.0/0 as stated in the scenario, so this is not the issue. Option B is wrong because security groups are stateful and by default allow all outbound traffic; unless explicitly modified to block outbound traffic, they would not prevent internet access. Option D is wrong because a NAT Gateway does not have its own route table; it is an AWS-managed service that uses an Elastic IP and relies on the route table of the subnet it resides in to route traffic to the Internet Gateway, but the problem is with the web servers' subnet route table, not the NAT Gateway's.
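The following Python is an added example, not from the question bank or from AWS. It runs three offline checks over a VPC's subnets and route tables, modelled on the fields that `describe-subnets`, `describe-nat-gateways` and `describe-route-tables` return, for the misconfigurations discussed in questions 1176, 1179 and 1200: a private subnet whose default route uses a NAT Gateway in another AZ, a private subnet whose route table lacks the S3 gateway endpoint route, and the subnet that hosts a NAT Gateway routing 0.0.0.0/0 to that NAT Gateway instead of the Internet Gateway. All IDs, including the prefix list ID, are constructed.

```python
S3_PREFIX_LIST = "pl-63a5400a"   # constructed; the real S3 prefix list ID differs per Region


def build_sample(fixed=False):
    """Subnets, NAT gateways and route tables shaped like the relevant fields of
    the describe-* calls. With fixed=False the data carries all three faults."""
    subnets = {
        "subnet-pub-a":  {"az": "us-east-1a", "rtb": "rtb-pub-a"},
        "subnet-pub-b":  {"az": "us-east-1b", "rtb": "rtb-pub-b"},
        "subnet-priv-a": {"az": "us-east-1a", "rtb": "rtb-priv-a"},
        "subnet-priv-b": {"az": "us-east-1b", "rtb": "rtb-priv-b"},
    }
    nat_gateways = {"nat-a": {"subnet": "subnet-pub-a"}}
    route_tables = {
        "rtb-pub-a":  [("0.0.0.0/0", "nat-a")],        # 1200: must be the IGW
        "rtb-pub-b":  [("0.0.0.0/0", "igw-main")],
        "rtb-priv-a": [("0.0.0.0/0", "nat-a"), (S3_PREFIX_LIST, "vpce-s3")],
        "rtb-priv-b": [("0.0.0.0/0", "nat-a")],        # 1176: NAT in the other AZ; 1179: no endpoint route
    }
    if fixed:
        nat_gateways["nat-b"] = {"subnet": "subnet-pub-b"}
        route_tables["rtb-pub-a"] = [("0.0.0.0/0", "igw-main")]
        route_tables["rtb-priv-b"] = [("0.0.0.0/0", "nat-b"), (S3_PREFIX_LIST, "vpce-s3")]
    return subnets, nat_gateways, route_tables


def check(subnets, nat_gateways, route_tables):
    """Return (subnet id, finding) pairs; an empty list means all checks pass."""
    findings = []
    nat_subnets = {n["subnet"] for n in nat_gateways.values()}
    for sid, s in subnets.items():
        routes = dict(route_tables[s["rtb"]])
        default = routes.get("0.0.0.0/0", "")
        if sid in nat_subnets and not default.startswith("igw-"):
            # the NAT gateway forwards via its own subnet's table, which must reach the IGW
            findings.append((sid, "nat-gateway-subnet-default-route-not-igw"))
        if default.startswith("nat-") and sid not in nat_subnets:
            nat_az = subnets[nat_gateways[default]["subnet"]]["az"]
            if nat_az != s["az"]:
                # AZ coupling plus cross-AZ data charges for every internet-bound byte
                findings.append((sid, f"default-route-uses-nat-in-{nat_az}"))
            if S3_PREFIX_LIST not in routes:
                # S3 traffic leaves via the NAT gateway instead of the gateway endpoint
                findings.append((sid, "no-s3-gateway-endpoint-route"))
    return findings


if __name__ == "__main__":
    for finding in check(*build_sample()):
        print(*finding)
    print("fixed layout:", check(*build_sample(fixed=True)))
```

To run this against a real account, fill the three dictionaries from the describe-* calls (subnet AZ and associated route table, NAT Gateway subnet, and each route table's destination/target pairs) and look up the Region's S3 prefix list ID with describe-prefix-lists; the checks themselves need no credentials.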
