AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 1201–1275

1705 questions total · 23 pages · All types, answers revealed

Page 17 of 23
1201
MCQ · medium

A company has a Direct Connect connection with a public VIF to access AWS public services. They notice that traffic to Amazon S3 is taking a suboptimal path via the internet instead of the Direct Connect. What is the MOST likely cause?

A.The BGP session for the public VIF is not advertising the S3 prefixes
B.The public VIF is in a 'DOWN' state
C.The on-premises router does not have a route for the S3 CIDR ranges pointing to the Direct Connect
D.The virtual private gateway is not attached to the VPC
Answer: C

The on-premises router must have routes for the Amazon public prefixes (including the S3 ranges) that point at the Direct Connect public VIF; otherwise a less specific internet route, or an internet route with a better local preference, wins.

Why this answer

Option C is correct. AWS advertises its public IP prefixes over the public VIF via BGP, but the on-premises router decides which path to use. If those prefixes are filtered inbound, or the router prefers its internet default or peering route (for example because the ISP-learned route carries a higher local preference), S3 traffic leaves via the internet even though the VIF is up. Practitioner check: look up the S3 prefix for the Region in the router's BGP table and confirm the best path points at the Direct Connect neighbor; the prefixes themselves are published in the ip-ranges.json file (service S3, the Region in question).

Option A is incorrect because the customer does not advertise S3 prefixes; AWS advertises them automatically over the public VIF's BGP session. Option B is incorrect because nothing in the scenario suggests the VIF is down, and a DOWN VIF is visible directly in the console rather than something to infer from path selection. Option D is incorrect because a public VIF does not use a virtual private gateway at all; that applies only to private VIFs.

1202
MCQ · medium

Refer to the exhibit. A network engineer runs the above command and sees this network ACL configuration. The subnet associated with this ACL contains an EC2 instance that is failing to receive inbound HTTP traffic (TCP 80) from the internet. What is the MOST likely cause?

A.The inbound deny rule is associated with the wrong subnet
B.The inbound deny rule for TCP (port range) blocks all TCP traffic
C.The outbound rule does not allow return traffic
D.The inbound allow rule is not wide enough
Answer: B

Rule 100 denies TCP (protocol 6) from 0.0.0.0/0, which includes HTTP on TCP 80. Network ACL rules are evaluated in ascending rule-number order and the first match wins, so the deny at 100 applies before any later allow is considered.

Why this answer

Option B is correct. The inbound deny rule (rule 100) for TCP (protocol 6) from 0.0.0.0/0 denies all TCP traffic, including HTTP. Even though a later allow-all rule (rule 200) exists, network ACLs evaluate rules in ascending order and stop at the first match, so the deny is applied and rule 200 is never reached. The fix is to remove rule 100 or give it a number higher than the allow rules that should precede it.

Option A is wrong because the question states the subnet is associated with this ACL; an association with a different subnet would put the instance under some other ACL rather than produce this specific symptom. Option C is wrong because the outbound rule allows all traffic, so return traffic would be permitted if the inbound request ever got through. Option D is wrong because widening the allow rule changes nothing while a lower-numbered deny already matches.

1203
Matching · medium

Match each AWS networking feature to its use case for hybrid connectivity.


Concepts and matches

AWS Transit Gateway: Central hub connecting multiple VPCs and on-premises networks

AWS Direct Connect gateway: Connect multiple VPCs across regions to a single Direct Connect

AWS VPN CloudHub: Hub-and-spoke VPN topology between multiple on-premises sites

AWS Client VPN: Managed OpenVPN-based service for remote users

Gateway VPC endpoints: Private access to S3 and DynamoDB without internet gateway

Why these pairings

The concept column did not survive on this page; the names above are the AWS features each description identifies. Transit Gateway is the regional hub that attaches VPCs, VPNs and Direct Connect gateways and routes between them. A Direct Connect gateway lets one Direct Connect connection reach virtual private gateways or transit gateways in multiple Regions. VPN CloudHub uses one virtual private gateway with several Site-to-Site VPN connections and BGP so that on-premises sites reach each other through AWS. Client VPN is the managed OpenVPN-compatible endpoint for remote users. Gateway endpoints keep S3 and DynamoDB traffic on the AWS network through a prefix-list entry in the route table, so no internet gateway or NAT device is needed.

1204
MCQ · hard

A company has a VPC with multiple subnets. They want to ensure that all outbound traffic from EC2 instances in the VPC goes through a centralized NAT device for inspection. They have deployed a NAT instance in a public subnet and configured the route tables for private subnets to point to the NAT instance. However, traffic is not being routed through the NAT instance. What is the most likely cause?

A.The source/destination check is enabled on the NAT instance.
B.The NAT instance does not have a public IP address.
C.The route table for the private subnets does not have a default route (0.0.0.0/0) pointing to the NAT instance.
D.The security group of the NAT instance blocks outbound traffic.
Answer: A

By default every EC2 instance discards packets whose source or destination is not one of its own addresses (the source/destination check). A NAT instance forwards other instances' packets, so the check must be disabled on it.

Why this answer

Option A is correct. The private route tables already point at the NAT instance, so the next failure point is the instance itself refusing to forward packets that are not addressed to it. Disable the check with `aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check` (or on the network interface attribute). Once forwarding works, the remaining things to verify on the instance are the OS IP forwarding setting and its NAT (iptables) rules.

Option C is wrong because the scenario states the private subnets' route tables already point to the NAT instance. Option B is wrong because a NAT instance without a public or Elastic IP fails at a later step (its own internet egress), whereas the symptom here is that traffic is not being routed through it at all. Option D is wrong because a security group would drop the traffic at the NAT instance (visible as REJECT in its flow logs) rather than keep it from being routed there; it is the next thing to check, not the most likely cause.

1205
Multi-Select · medium

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add IPv6 support for their internet-facing Application Load Balancer. The VPC is already associated with an IPv6 CIDR block. What additional configuration is required? (Choose two.)

Select 2 answers
A.Configure NAT64 and DNS64 on the VPC.
B.Add a route in the subnet's route table for ::/0 to the Internet Gateway.
C.Associate an IPv6 CIDR block with the public subnet where the ALB is deployed.
D.Assign an IPv6 address to the ALB's network interface.
E.Create an Egress-Only Internet Gateway for the VPC.
Answers: B, C

For an internet-facing ALB to serve IPv6 clients, the subnets it is deployed in need an IPv6 CIDR and their route tables need a ::/0 route to the internet gateway (the ALB itself must also be set to the dualstack IP address type).

Why this answer

Options B and C are correct. The ALB takes its IPv6 addresses from the IPv6 CIDR of each subnet it is deployed in, so the public subnet must have one associated, and inbound IPv6 from the internet arrives only if the subnet's route table sends ::/0 to the internet gateway. Option D is wrong because you do not assign IPv6 addresses to an ALB's network interfaces yourself; the ALB obtains them from the subnet once it is dualstack. Option E is wrong because an egress-only internet gateway carries outbound-only IPv6 from private subnets, whereas an internet-facing ALB needs inbound IPv6 via the internet gateway. Option A is wrong because NAT64 and DNS64 let IPv6-only hosts reach IPv4 services; the ALB terminates IPv6 and forwards to IPv4 targets natively, so no translation is needed.

1206
Multi-Select · medium

A company has a security requirement to log and monitor all DNS queries made by EC2 instances in a VPC. Which TWO AWS solutions can meet this requirement?

Select 2 answers
A.Enable Amazon Route 53 Resolver Query Logging.
B.Use AWS CloudTrail to log DNS queries.
C.Enable Amazon Route 53 Resolver DNS Firewall with logging.
D.Use Amazon CloudWatch Logs with a custom agent to capture DNS logs.
E.Enable VPC Flow Logs.
Answers: A, C

Route 53 Resolver query logging records every query that the VPC's Resolver answers for resources in the VPC, and delivers the logs to CloudWatch Logs, Amazon S3 or Kinesis Data Firehose.

Why this answer

Option A (Route 53 Resolver query logging) is the direct answer: it logs the query name, type, response code, source address and source instance for every query sent to the Resolver. Option C (Route 53 Resolver DNS Firewall) is correct because the firewall's rule actions (ALLOW, BLOCK, ALERT) are written into the same Resolver query logs, so enabling it with query logging captures both the query and the policy decision and lets you block or alert on domains. Option E is wrong because VPC Flow Logs record IP-level metadata: you would see UDP/53 flows, not query names. Option D is wrong because a log agent can only forward whatever each instance's own resolver writes locally; it is not a VPC-wide capture. Option B is wrong because CloudTrail records API calls, not DNS traffic.

Practitioner caveat: Resolver query logging sees only queries sent to the VPC's Resolver (the VPC CIDR +2 address or 169.254.169.253). An instance pointed at an external resolver bypasses it, so pair the logging with a security group, network ACL or Network Firewall rule that blocks outbound port 53 to anything other than the Resolver.

1207
MCQ · medium

Refer to the exhibit. A network engineer is analyzing VPC Flow Logs to troubleshoot connectivity issues. The engineer notices that traffic from 10.0.1.5 to 192.168.1.1 on port 80 is logged as ACCEPT, but the application team reports that the web request failed. What is the most likely cause?

A.The VPC Flow Logs are not capturing all packets due to sampling.
B.The network ACL is returning an ICMP unreachable message that is not logged.
C.The destination host 192.168.1.1 is not reachable or does not have a route back to the source.
D.The security group on the ENI is blocking outbound traffic to 192.168.1.1.
Answer: C

The outbound packet was accepted by the ENI's security group and network ACL, but a flow log ACCEPT says nothing about the far end: if the destination is down or has no route back, the connection never completes.

Why this answer

VPC Flow Logs record, per network interface and aggregation window, whether the packets in a flow were accepted or rejected by the security group and network ACL. They do not confirm that the destination processed the request or that a return path exists. If 192.168.1.1 has no route back to 10.0.1.5, the SYN-ACK never arrives, the client times out, and the log still shows an ACCEPT record for the forward direction. With the custom-format fields tcp-flags and flow-direction enabled, the failure is visible: an egress record whose tcp-flags value is 2 (SYN only) with no matching ingress record for the reversed 5-tuple.

Exam trap

AWS often tests the misconception that an ACCEPT log entry guarantees end-to-end connectivity, when in fact it only confirms that the packet passed the security group and network ACL on that interface, not that the destination host processed it or that a return path exists.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs do not sample; every flow on the interface is recorded (as aggregated records, not individual packets), so there is no sampling setting to misconfigure. Option B is wrong because network ACLs silently drop traffic and generate no ICMP messages; an ICMP unreachable would come from the destination host or a router, and an ACL drop would in any case be logged as REJECT, not ACCEPT. Option D is wrong because a security group that blocked the outbound connection would produce a REJECT record, not ACCEPT.
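The half-open pattern described above is easy to pull out of flow logs once tcp-flags and flow-direction are in the log format. The following is an added example, not code from the original page: it reads constructed flow log records in a custom format (field order assumed: srcaddr dstaddr srcport dstport protocol action tcp-flags flow-direction) and separates completed, rejected and half-open connection attempts, then counts the half-open ones per destination so a host with no return route stands out.

```python
"""Find outbound TCP connections that were ACCEPTed but never answered.

Added example for the ACCEPT-but-failed scenario; not code from the original
page. The records are constructed, in a custom VPC Flow Log format with exactly
these fields: srcaddr dstaddr srcport dstport protocol action tcp-flags
flow-direction (tcp-flags and flow-direction are custom fields of format v3/v5).
"""
from collections import Counter

SYN = 0x02  # tcp-flags is a bitmask OR'd over the aggregation window: FIN 1, SYN 2, RST 4, ACK 16

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
10.0.1.5 192.168.1.1 49152 80 6 ACCEPT 2 egress
10.0.1.5 192.168.1.1 49153 80 6 ACCEPT 2 egress
10.0.1.5 10.0.2.9 49154 443 6 ACCEPT 18 egress
10.0.2.9 10.0.1.5 443 49154 6 ACCEPT 18 ingress
10.0.1.5 172.16.0.20 49155 22 6 REJECT 2 egress
"""


def parse_record(line):
    """Split one custom-format record into a dict (field order assumed above)."""
    src, dst, sport, dport, proto, action, flags, direction = line.split()
    return {
        "src": src, "dst": dst, "sport": int(sport), "dport": int(dport),
        "proto": int(proto), "action": action, "flags": int(flags),
        "direction": direction,
    }


def analyze(lines):
    """Classify each outbound TCP connection attempt seen on an ENI.

    Returns {"completed": [...], "half_open": [...], "rejected": [...]}, each entry
    being (src, dst, sport, dport). A half-open attempt is an egress ACCEPT record
    with SYN set whose reversed 5-tuple never appears as an ingress record: the
    packet passed the security group and NACL, but nothing came back.
    """
    records = [parse_record(l) for l in lines if l.strip()]
    seen_ingress = {
        (r["src"], r["dst"], r["sport"], r["dport"], r["proto"])
        for r in records if r["direction"] == "ingress"
    }
    result = {"completed": [], "half_open": [], "rejected": []}
    for r in records:
        if r["direction"] != "egress" or r["proto"] != 6 or not (r["flags"] & SYN):
            continue
        key = (r["src"], r["dst"], r["sport"], r["dport"])
        if r["action"] == "REJECT":
            result["rejected"].append(key)
            continue
        reverse = (r["dst"], r["src"], r["dport"], r["sport"], r["proto"])
        if reverse in seen_ingress:
            result["completed"].append(key)
        else:
            result["half_open"].append(key)
    return result


def summarize(attempts):
    """Count attempts per (src, dst, dport) so repeated retries to one host stand out."""
    return dict(Counter((s, d, dp) for s, d, _sp, dp in attempts))


if __name__ == "__main__":
    res = analyze(SAMPLE_LOG.splitlines())
    for (src, dst, dport), n in summarize(res["half_open"]).items():
        print(f"{src} -> {dst}:{dport}: {n} SYN(s) accepted, no reply; check return route or host")
```

Two attempts to 192.168.1.1:80 are accepted with only SYN set and no ingress record, which is the question's symptom; the flow to 10.0.2.9:443 has its SYN-ACK logged as an ingress record and is complete; the REJECT to 172.16.0.20:22 is a security group or NACL decision and is reported separately.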

1208
MCQ · easy

A network engineer needs to capture and analyze DNS query logs generated by Amazon Route 53. Which AWS service should be used to store and query these logs?

A.AWS CloudTrail
B.Amazon Kinesis Data Firehose
C.Amazon CloudWatch Logs
D.Amazon S3
Answer: C

Route 53 publishes DNS query logs to CloudWatch Logs, where CloudWatch Logs Insights can query them in place.

Why this answer

Option C is correct: query logging for a public hosted zone delivers to a CloudWatch Logs log group (which must be in us-east-1), and Resolver query logging can deliver there as well. Option D is wrong because S3 is object storage; Resolver query logs can be delivered to it, but analysing them there needs another tool such as Athena, and public hosted zone query logging does not support S3 at all. Option B is wrong because Kinesis Data Firehose is a delivery stream that hands data to a destination; it neither stores nor queries anything itself. Option A is wrong because CloudTrail records API calls, not DNS queries.
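Once Resolver query logs land in CloudWatch Logs (questions 1206 and 1208 above), the useful next step is triage. The following is an added example, not code from the original page: it reads constructed Resolver query log records (one JSON object per line, trimmed to the fields the script uses; the instance and rule group IDs are made up) and reports three things a security team looks for: DNS Firewall BLOCK/ALERT hits, bursts of NXDOMAIN answers per source (a DGA or misconfiguration signal) and query names whose leftmost label looks like encoded data (a DNS tunnelling heuristic). The thresholds are illustrative.

```python
"""Triage Route 53 Resolver query logs: firewall hits, NXDOMAIN bursts, odd names.

Added example for the DNS-logging questions above; not code from the original
page. Records are constructed in the JSON shape Resolver query logging delivers
(one object per line), trimmed to the fields used here; IDs are made up.
"""
import json
import math
from collections import Counter

SAMPLE_LOG = """\
{"query_timestamp":"2024-05-01T10:00:00Z","query_name":"www.example.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.5","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
{"query_timestamp":"2024-05-01T10:00:01Z","query_name":"s3.us-east-1.amazonaws.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.5","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
{"query_timestamp":"2024-05-01T10:00:02Z","query_name":"bad.example.net.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.7","srcids":{"instance":"i-0bbbbbbbbbbbbbbbb"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0123456789abcdef"}
{"query_timestamp":"2024-05-01T10:00:03Z","query_name":"xk3j9q2zv1.example.org.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.9","srcids":{"instance":"i-0ccccccccccccccccc"}}
{"query_timestamp":"2024-05-01T10:00:04Z","query_name":"p0q8w7e6r5t.example.org.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.9","srcids":{"instance":"i-0ccccccccccccccccc"}}
{"query_timestamp":"2024-05-01T10:00:05Z","query_name":"zz2ee93a1c7.example.org.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.9","srcids":{"instance":"i-0ccccccccccccccccc"}}
{"query_timestamp":"2024-05-01T10:00:06Z","query_name":"0123456789abcdef0123456789abcdef.tunnel.example.com.","query_type":"TXT","rcode":"NOERROR","srcaddr":"10.0.1.5","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}
"""


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; encoded payloads score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def analyze_query_logs(lines, nxdomain_threshold=3, entropy_threshold=3.5, label_len_threshold=30):
    """Return findings from Resolver query log lines.

    firewall:          (srcaddr, name, action) for every DNS Firewall BLOCK or ALERT
    nxdomain_burst:    {srcaddr: count} for sources at or above nxdomain_threshold
    suspicious_names:  (srcaddr, name, entropy) where the leftmost label is long or high-entropy
    """
    findings = {"firewall": [], "nxdomain_burst": {}, "suspicious_names": []}
    nxdomain_per_source = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        src = rec["srcaddr"]
        name = rec["query_name"].rstrip(".")  # query names are logged with a trailing dot
        action = rec.get("firewall_rule_action")  # present only when a DNS Firewall rule matched
        if action in ("BLOCK", "ALERT"):
            findings["firewall"].append((src, name, action))
            continue  # a blocked query's rcode reflects the block response, not a real lookup
        if rec["rcode"] == "NXDOMAIN":
            nxdomain_per_source[src] += 1
        label = name.split(".")[0]
        ent = label_entropy(label)
        if len(label) >= label_len_threshold or ent >= entropy_threshold:
            findings["suspicious_names"].append((src, name, round(ent, 2)))
    findings["nxdomain_burst"] = {
        s: n for s, n in nxdomain_per_source.items() if n >= nxdomain_threshold
    }
    return findings


if __name__ == "__main__":
    for kind, items in analyze_query_logs(SAMPLE_LOG.splitlines()).items():
        print(kind, items)
```

In practice the same logic runs as a CloudWatch Logs Insights query or a subscription-filter Lambda; the entropy and length thresholds should be tuned against the environment's normal traffic (CDN and cloud hostnames often carry long hashed labels) before alerting on them.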

1209
MCQ · hard

A global company is designing a multi-region architecture with VPCs in us-east-1, eu-west-1, and ap-southeast-1. They are using AWS Transit Gateway with inter-region peering between all three regions. The company also has on-premises data centers in the US and Europe connected via Direct Connect to the Transit Gateways in us-east-1 and eu-west-1 respectively. The on-premises networks use BGP to advertise their CIDRs (10.0.0.0/8 for US, 172.16.0.0/12 for Europe). The Transit Gateway route tables are configured to propagate routes from all attachments. The company needs all VPCs and on-premises networks to be able to communicate with each other. After configuration, the VPC in ap-southeast-1 can communicate with the VPCs in us-east-1 and eu-west-1, but cannot communicate with either on-premises network. The VPCs in us-east-1 and eu-west-1 can communicate with all on-premises networks. What is the MOST likely cause of this issue?

A.The VPC in ap-southeast-1 has a security group that blocks traffic from on-premises IP ranges
B.The inter-region peering attachments in ap-southeast-1 do not have route propagation enabled
C.The on-premises networks are not advertising their CIDRs to the ap-southeast-1 region
D.The Direct Connect gateways are not attached to the Transit Gateways in us-east-1 and eu-west-1
Answer: B

The ap-southeast-1 transit gateway never learned the on-premises CIDRs. Note that transit gateway peering attachments do not propagate routes dynamically, so "propagation" here really means that the static routes for 10.0.0.0/8 and 172.16.0.0/12 pointing at the peering attachments were never added.

Why this answer

The on-premises CIDRs reach the transit gateways in us-east-1 and eu-west-1 through their Direct Connect gateway associations and are propagated into those route tables. Peering attachments are different: they do not support route propagation, so the ap-southeast-1 transit gateway route table must carry static routes for 10.0.0.0/8 (next hop: the peering attachment to us-east-1) and 172.16.0.0/12 (next hop: the peering attachment to eu-west-1), and the us-east-1 and eu-west-1 route tables need static routes for the ap-southeast-1 VPC CIDRs pointing back over their peering attachments. Option B is the closest description of that omission and is the key's answer; the engineer assumed the cross-region routes would appear automatically.

Since the VPCs in us-east-1 and eu-west-1 reach on-premises, the local Direct Connect path is fine; the gap is in the ap-southeast-1 transit gateway route table. Two further checks for the return path: the allowed prefixes on each Direct Connect gateway association must include the ap-southeast-1 VPC CIDR, or it is never advertised to on-premises, and the ap-southeast-1 VPC subnet route tables must send both on-premises ranges to the transit gateway.

Option A is wrong because a security group filters at the instance and would have to be scoped to both on-premises ranges by coincidence; the scenario is about routing between Regions. Option C is wrong because the on-premises routers advertise to the transit gateways they connect to; there is no Direct Connect into ap-southeast-1 to advertise into, so the prefixes have to cross the peering. Option D is wrong because the us-east-1 and eu-west-1 VPCs reach on-premises, which proves the Direct Connect gateways are associated.

1210
MCQ · medium

A network administrator is troubleshooting connectivity to a web server in subnet with network ACL 'acl-12345678'. The web server is on port 443. The administrator finds that traffic from IP 10.0.1.5 is being denied. Why is the traffic being denied?

A.The subnet is not associated with this network ACL.
B.The security group attached to the web server is blocking the traffic.
C.The network ACL rule 100 denies traffic from 10.0.0.0/8, which includes the IP 10.0.1.5.
D.The network ACL rule 100 allows traffic from 0.0.0.0/0, but rule 200 denies traffic from 10.0.0.0/8, and rule 200 is evaluated first.
Answer: C

Rule 100 matches the source 10.0.1.5 and denies; evaluation stops there.

Why this answer

Option C is correct because network ACL rules are evaluated in ascending rule-number order and the first match decides. Rule 100 denies traffic from 10.0.0.0/8, which contains 10.0.1.5, so the request is dropped before rule 200's allow is ever considered. Network ACLs are also stateless, so even if the request had been allowed, the return traffic would need its own outbound allow for the ephemeral port range.

Exam trap

Candidates confuse the ordered, first-match evaluation of network ACL rules with security group rules, which have no order and are evaluated as a set (any matching allow rule permits the traffic, and there are no deny rules), or they assume that a higher-numbered allow overrides a lower-numbered deny.

How to eliminate wrong answers

Option A is wrong because a subnet is always associated with some network ACL; if it were not this one, the default network ACL (which allows all traffic) or whatever other ACL applies would be in effect, and the question ties the denial to rule 100. Option B is wrong because security groups are stateful allow-lists attached to the instance; they cannot deny a specific source, and the scenario points at the subnet-level ACL. Option D is wrong because rule 100 is evaluated before rule 200 (ascending order), so when rule 100 denies, rule 200 is never reached; the option has the order backwards.
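Both this question and question 1202 turn on the same rule: network ACL entries are evaluated in ascending number order, the first match wins, and anything unmatched hits the implicit deny. The following is an added example, not code from the original page: a small evaluator that reproduces that logic, the two inbound tables from the questions modelled as constructed data (not console output), a corrected table with explicit allows numbered before the deny, and a contrasting security group evaluator in which rule order does not exist.

```python
"""Evaluate inbound network ACL rules the way the VPC does: ordered, first match wins.

Added example for questions 1202 and 1210; not code from the original page.
Rule tables below are constructed from the questions' descriptions.
"""
import ipaddress


def rule(number, action, cidr, protocol=-1, ports=(0, 65535)):
    """One ACL entry. protocol -1 means all protocols; 6 = TCP, 17 = UDP. Ports apply to TCP/UDP only."""
    return {"number": number, "action": action, "cidr": cidr, "protocol": protocol, "ports": ports}


# Question 1202: a deny for all TCP numbered below an allow-all.
Q1202_INBOUND = [
    rule(100, "deny", "0.0.0.0/0", protocol=6),
    rule(200, "allow", "0.0.0.0/0"),
]
# Question 1210: a deny for 10.0.0.0/8 numbered below an allow-all.
Q1210_INBOUND = [
    rule(100, "deny", "10.0.0.0/8"),
    rule(200, "allow", "0.0.0.0/0"),
]
# What the engineers wanted: explicit allows first, then a deny for everything else on TCP.
FIXED_INBOUND = [
    rule(100, "allow", "0.0.0.0/0", protocol=6, ports=(80, 80)),
    rule(110, "allow", "0.0.0.0/0", protocol=6, ports=(443, 443)),
    rule(300, "deny", "0.0.0.0/0", protocol=6),
]


def _matches(r, src_ip, protocol, port):
    """True if a packet (src_ip, protocol, destination port) matches this entry."""
    if r["protocol"] not in (-1, protocol):
        return False
    if r["protocol"] in (6, 17) and not (r["ports"][0] <= port <= r["ports"][1]):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["cidr"])


def nacl_decision(rules, src_ip, protocol, port):
    """Stateless and ordered: the lowest-numbered matching entry decides.

    Returns (rule_number, action); ("*", "deny") is the implicit final entry.
    """
    for r in sorted(rules, key=lambda r: r["number"]):
        if _matches(r, src_ip, protocol, port):
            return r["number"], r["action"]
    return "*", "deny"


def security_group_decision(rules, src_ip, protocol, port):
    """Contrast: security group rules are an unordered allow-list; any match permits."""
    return "allow" if any(_matches(r, src_ip, protocol, port) for r in rules) else "deny"


if __name__ == "__main__":
    print("1202 HTTP from internet:", nacl_decision(Q1202_INBOUND, "203.0.113.10", 6, 80))
    print("1210 HTTPS from 10.0.1.5:", nacl_decision(Q1210_INBOUND, "10.0.1.5", 6, 443))
    print("fixed HTTP from internet:", nacl_decision(FIXED_INBOUND, "203.0.113.10", 6, 80))
    print("fixed SSH from internet:", nacl_decision(FIXED_INBOUND, "203.0.113.10", 6, 22))
```

Because the ACL is stateless, an inbound allow on port 80 is only half of a working table: the outbound table needs an allow for the ephemeral port range (1024-65535) so the responses can leave, which is the mirror image of the trap in these two questions.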

1211
MCQ · hard

A company is running a latency-sensitive application in a VPC with a public subnet and a private subnet. The application in the private subnet needs to access an Amazon S3 bucket in the same region. The company wants to minimize latency and avoid using a NAT gateway. Which solution meets these requirements?

A.Use S3 Transfer Acceleration and access the bucket via the public endpoint
B.Create a VPC Gateway Endpoint for Amazon S3 and update the route table for the private subnet
C.Attach an Internet Gateway to the VPC and route the private subnet traffic through a NAT instance
D.Set up a NAT gateway in the public subnet and route traffic to the S3 bucket through it
Answer: B

A Gateway Endpoint provides private connectivity to S3 without leaving the AWS network, minimizing latency and avoiding NAT gateway costs.

Why this answer

A VPC Gateway Endpoint for Amazon S3 allows instances in a private subnet to access S3 without traversing the internet or requiring a NAT gateway. This minimizes latency by routing traffic over the AWS internal network, and it avoids the cost and complexity of NAT devices. The route table for the private subnet must be updated with a route pointing to the gateway endpoint for the S3 prefix list.

Exam trap

The trap here is that candidates often assume S3 Transfer Acceleration is always faster, but it is designed for cross-region or long-distance transfers and actually adds latency for same-region traffic due to additional routing and edge location processing.

How to eliminate wrong answers

Option A is wrong because S3 Transfer Acceleration routes transfers through CloudFront edge locations to speed up long-distance uploads; for a client in the same Region it adds a detour rather than removing one, and it still uses the public endpoint. Option C is wrong because a NAT instance is just a self-managed NAT device: traffic still exits to the public S3 endpoint through an extra hop, which is the dependency the company wants to remove, and it is no faster than a NAT gateway. Option D is wrong because a NAT gateway adds a hop and per-GB processing cost for traffic that a gateway endpoint carries privately, at no charge, within the Region.

1212
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via a VPN. They want to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the network?

A.Create VPC Peering connections between each VPC and the inspection VPC.
B.Configure Transit Gateway with appliance mode and route traffic through a dedicated inspection VPC.
C.Use security groups in each VPC to restrict traffic and enable VPC Flow Logs for auditing.
D.Place the security appliance in each VPC and use Network Firewall to inspect traffic.
Answer: B

Transit gateway route tables force inter-VPC traffic through the inspection VPC; appliance mode keeps both directions of each flow in the same Availability Zone so a stateful appliance sees symmetric traffic.

Why this answer

Option B is correct. The usual design uses two transit gateway route tables: the spoke VPC attachments are associated with a table whose default route points at the inspection VPC attachment, and the inspection attachment is associated with a table that holds the routes to the spokes. Without appliance mode the transit gateway may return traffic through a different Availability Zone of the inspection VPC, so the stateful appliance sees only half of the flow and drops it; enable it on the inspection VPC attachment with `aws ec2 modify-transit-gateway-vpc-attachment --transit-gateway-attachment-id <id> --options ApplianceModeSupport=enable`. Option A is wrong because VPC peering is not transitive; an inspection VPC peered to each spoke cannot forward traffic between them. Option C is wrong because security groups and flow logs filter and record traffic but do not inspect it. Option D is wrong because an appliance (or Network Firewall endpoint) in every VPC is the opposite of centralized inspection.

1213
MCQ · medium

A company has a VPC with a public subnet for a web server and a private subnet for a database. The web server needs to make API calls to Amazon S3. Which is the most secure way to provide this access without traffic leaving the AWS network?

A.Use an AWS Site-to-Site VPN to connect to a remote network that has access to S3.
B.Create a VPC gateway endpoint for Amazon S3 and attach it to the route table of the private subnet.
C.Set up a NAT gateway in the public subnet and route the web server's traffic through it.
D.Use an internet gateway and a public IP address on the web server.
Answer: B

A gateway endpoint keeps S3 API traffic on the AWS network: the route table gets an entry for the S3 prefix list whose target is the endpoint.

Why this answer

Option B is correct because a gateway endpoint for S3 gives private connectivity without traversing the internet. One wording issue in the option: the caller here is the web server in the public subnet, so the endpoint must be associated with the public subnet's route table (a gateway endpoint can be associated with any route table in the VPC, so adding the private subnet's table as well costs nothing). To make the endpoint the only path, add a bucket policy that denies requests unless aws:SourceVpce matches the endpoint ID, and use an endpoint policy to limit which buckets are reachable. Option C is wrong because a NAT gateway sends the requests to the public S3 endpoint over the internet. Option D is wrong because a public IP and internet gateway also use the public endpoint and expose the server directly. Option A is wrong because a VPN to a remote network has nothing to do with reaching S3 and would still not keep the traffic inside AWS.

1214
MCQ · hard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and an IPv6 CIDR of 2001:db8:1234::/56. The company hosts a web application on IPv4-only EC2 instances in a private subnet. The application must be accessible from the internet via IPv6. The company has an internet-facing Application Load Balancer (ALB) with dual-stack IP address type. The ALB is in a public subnet. The target group is configured with IP address type IPv4. Users report that they can access the application via IPv4 but not via IPv6. The ALB security group allows inbound HTTP/HTTPS from ::/0. What is the MOST likely cause?

A.The public subnet does not have an associated IPv6 CIDR.
B.The target group is configured with IP address type IPv4, but the ALB must use IPv6 to communicate with the targets.
C.The ALB is configured as IPv4-only instead of dual-stack.
D.The private subnet's route table does not have an IPv6 route to the NAT gateway or egress-only internet gateway.
Answer: B

The answer key marks B. Read it with care: a dual-stack ALB accepts IPv6 connections from clients and opens ordinary IPv4 connections to an IPv4 target group, so the target group's address type is not by itself a fault. What does stop IPv6 clients is an ALB subnet without an IPv6 CIDR or a public subnet without a ::/0 route to the internet gateway.

Why this answer

Option B, as the key's answer, describes a real configuration but not a real failure: the ALB terminates the IPv6 connection and forwards to the targets over IPv4, and an IPv4 target group is the correct setting for IPv4-only instances; the ALB never needs IPv6 to reach them. What does break IPv6 access, given a security group that already allows ::/0, is the ALB's own subnets: every subnet the ALB uses must have an IPv6 CIDR (the dualstack address type cannot even be chosen without one), and the public subnet's route table must send ::/0 to the internet gateway. Option A describes the first of those conditions and is, on AWS's documented behaviour, the stronger candidate; the missing ::/0 route is not offered. Option C is excluded by the scenario, which states the ALB is already dual-stack. Option D is wrong because the IPv4-only targets never originate IPv6 traffic; no IPv6 egress route, NAT gateway or egress-only internet gateway is involved.

Practitioner check: `dig AAAA <alb-dns-name>` should return addresses from the subnet's IPv6 CIDR; if it returns nothing, the load balancer is not actually dual-stack or its subnets lack IPv6 CIDRs.

1215
MCQ · medium

A company uses AWS Direct Connect to connect its on-premises network to AWS. The security team wants to encrypt all traffic traversing the Direct Connect link. Which solution should be used?

A.Enable encryption on the Direct Connect virtual interface
B.Use TLS on all applications that communicate across the link
C.Establish an IPsec VPN tunnel over the Direct Connect link
D.Use VPC endpoints for all AWS services accessed
Answer: C

An IPsec tunnel over the Direct Connect link encrypts everything that crosses it, whatever the application.

Why this answer

Option C is correct. There are two ways to do it: run a Site-to-Site VPN to the AWS VPN endpoints' public IPs over a public VIF, or, with a transit VIF to a transit gateway, use a private IP VPN so that the IPsec endpoints are addressed from private space and the tunnel never touches the internet. Either way the encrypted tunnel rides the dedicated link and latency stays close to native Direct Connect. Option A is wrong because a virtual interface has no encryption setting; the only native link-layer option is MACsec, which Direct Connect offers on dedicated connections at supported speeds and which is not among the choices. Option B is wrong because TLS protects only the applications that use it; anything else on the link (DNS, NTP, legacy protocols, management traffic) still crosses in the clear. Option D is wrong because VPC endpoints change where traffic goes, not whether it is encrypted.

1216
MCQ · medium

A company is setting up a Direct Connect connection to connect its on-premises data center to AWS. The connection is established, and a private virtual interface (VIF) is configured. The on-premises router can ping the VIF's Amazon side IP address, but cannot ping an EC2 instance in the VPC. The VPC has a virtual private gateway attached, and the route tables are correctly configured. What should the company check next?

A.Verify that the on-premises router is advertising the VPC CIDR to the Direct Connect router.
B.Check that the NACLs on the EC2 instance's subnet allow inbound ICMP.
C.Confirm that the private VIF is associated with the correct virtual private gateway.
D.Ensure that BGP is established and receiving routes.
Answer: A

Return traffic is the thing to check: the VPC needs a route back to the on-premises source, and that route only exists if the on-premises router advertises the prefix over BGP.

Why this answer

A ping to the Amazon-side peer IP proves that the Direct Connect link and the VIF's point-to-point addressing work; it does not prove that BGP is up or that any prefixes were exchanged. The symptom (peer reachable, instance not) fits a missing return route: the forward packet reaches the instance, but the virtual private gateway only knows the on-premises destinations that the on-premises router advertised over BGP, and the VPC route table must propagate them. Option A as worded says "the VPC CIDR"; the prefixes the on-premises router must advertise are its own on-premises prefixes (AWS is the side that advertises the VPC CIDR toward on-premises), but it is the only option about advertisement, and that is the key's intent.

Exam trap

Candidates assume a successful ping to the peer IP means BGP and routing are fine. It only proves the link; the BGP session state and the prefixes received and advertised have to be checked separately.

How to eliminate wrong answers

Option B is a legitimate later check (a security group or network ACL that drops ICMP produces the same symptom), but the question is steering at the routing layer first. Option C is wrong because the VIF is already associated with the virtual private gateway that the VPC route tables are configured for; with the wrong association the VPC routes would not make sense. Option D is the key's distractor: in practice you would confirm the BGP session and the prefixes received and advertised before anything else, but the question presents BGP as established and asks for the next step, which is the specific prefix the on-premises side must advertise.

1217
MCQ · hard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. After a network change, some VPCs cannot reach the on-premises network. The Transit Gateway route table shows the correct association and propagation. What is the most likely cause?

A.The Transit Gateway attachment is in a failed state
B.The VPN connection to the on-premises network has insufficient bandwidth
C.The BGP session between the Transit Gateway and on-premises router is down
D.The VPC route tables do not have a route pointing to the Transit Gateway
Answer: D

Without a route to the transit gateway in the VPC's subnet route tables, packets for on-premises prefixes never leave the VPC.

Why this answer

Option D is correct. The transit gateway route table is only half of the path: VPC route tables never learn routes from a transit gateway automatically, so each VPC's subnet route tables must send the on-premises prefixes (a static route, or a default route) to the transit gateway attachment. A network change that replaced or re-associated some VPC route tables would break exactly "some VPCs" while leaving the others working. Option A is wrong because a failed attachment would not show a healthy association and propagation in the transit gateway route table. Option B is wrong because insufficient bandwidth causes slowness or packet loss, not a complete lack of reachability for specific VPCs. Option C is wrong because if the BGP session were down, the propagated on-premises routes would disappear from the transit gateway route table and every VPC would be affected, not some. Route Analyzer in Transit Gateway Network Manager, or VPC Reachability Analyzer, will point at the hop where the VPC route is missing.

1218
MCQ · easy

A company wants to improve the performance and availability of its application that is deployed on EC2 instances in a single Availability Zone. Which architecture should the company implement?

A.Add more subnets in the same Availability Zone
B.Deploy EC2 instances in multiple Availability Zones
C.Use larger EC2 instances
D.Use Auto Scaling in the same Availability Zone
Answer: B

Multi-AZ deployment removes the single Availability Zone as a point of failure.

Why this answer

Option B is correct: Availability Zones are isolated failure domains, so spreading instances across two or more of them (behind a load balancer) keeps the application up if one zone fails and adds capacity. Option C (larger instances) improves performance but not availability. Option D (Auto Scaling in one AZ) replaces failed instances but still fails with the zone. Option A (more subnets in one AZ) changes nothing about the failure domain.

1219
MCQ · medium

A company hosts a multi-tier web application in a VPC. The web servers are in a public subnet, and the application servers are in a private subnet. The application servers need to access a third-party API over the internet. The company wants to ensure that the application servers' IP addresses are not exposed to the internet, and that all outbound traffic to the internet is logged. Additionally, the company wants to restrict outbound traffic to only the specific API endpoints. Which solution should be used?

A.Use a VPC endpoint for the third-party API service.
B.Attach an internet gateway directly to the private subnet and configure the route table to send default traffic to the internet gateway. Use security groups to restrict outbound traffic to the API endpoints. Enable VPC Flow Logs for logging.
C.Deploy a proxy server in the public subnet and configure the application servers to use the proxy. Restrict outbound traffic from the proxy using security groups. Log proxy access logs.
D.Deploy a NAT gateway in the public subnet and add a route in the private subnet's route table pointing to the NAT gateway. Use security groups on the application servers to restrict outbound traffic to the API endpoints. Enable logs on the NAT gateway using VPC Flow Logs or NAT gateway logs.
Answer: D

The NAT gateway gives private instances outbound access behind its Elastic IP, security groups limit where they can go, and flow logs record the traffic.

Why this answer

Option D is correct. Instances behind a NAT gateway keep their private addresses; the internet sees only the NAT gateway's Elastic IP. Outbound security group rules on the application servers restrict destinations, and VPC Flow Logs on the NAT gateway's network interface (or its subnet) record every flow. Two practitioner caveats: security groups filter by IP address or CIDR, not by hostname, so "specific API endpoints" has to be expressed as the provider's IP ranges, and if those change you need AWS Network Firewall domain rules or a forward proxy instead; and the NAT gateway has no access log of its own, so "NAT gateway logs" means flow logs on its interface.

Option B is wrong because an internet gateway is attached to a VPC, not a subnet, and a default route to it would require public IPs on the application servers, exposing them. Option C is wrong because a proxy can filter by domain and keep access logs, but it is an extra instance to scale and patch; the key prefers the managed NAT gateway. Option A is wrong because VPC endpoints reach AWS services and PrivateLink-published services, not an arbitrary internet API.

1220
MCQ · hard

A company has a hybrid network with multiple AWS Direct Connect connections to multiple VPCs. They want to monitor network performance and receive alerts when latency exceeds a threshold. Which combination of AWS services should be used to achieve this?

A.AWS CloudTrail and Amazon SNS
B.AWS Trusted Advisor and Amazon SES
C.Amazon CloudWatch and Amazon CloudWatch Alarms
D.VPC Flow Logs and Amazon CloudWatch Logs
Answer: C

CloudWatch holds the metric and a CloudWatch alarm fires when it crosses the threshold.

Why this answer

Option C is correct: the metric lands in CloudWatch and a CloudWatch alarm notifies (through SNS, for example) when it breaches the threshold. One caveat a practitioner should know: Direct Connect's own CloudWatch metrics cover connection state, bits and packets per second, optical light levels, error counts and encryption state, but not latency. Latency has to be measured by a probe, such as Amazon CloudWatch Network Monitor or a custom metric published with PutMetricData, and the alarm is set on that metric. Option A is wrong because CloudTrail records API activity, not performance metrics. Option D is wrong because VPC Flow Logs carry no latency information. Option B is wrong because Trusted Advisor runs best-practice checks, not real-time monitoring, and SES is an email service.

1221
Multi-Select · easy

A company needs to audit network traffic in a VPC for compliance. Which THREE AWS services can be used to capture and analyze network traffic?

Select 3 answers
A.AWS Config
B.Traffic Mirroring
C.VPC Flow Logs
D.AWS Network Firewall
E.AWS CloudTrail
Answers: B, C, D

Traffic Mirroring, VPC Flow Logs and AWS Network Firewall each produce a record of network traffic; the other two record configuration and API activity.

Why this answer

Option C is correct because VPC Flow Logs capture per-flow metadata for every network interface (or subnet, or VPC) where they are enabled. Option B is correct because Traffic Mirroring copies the actual packets from an ENI to a monitoring target (an ENI or Network Load Balancer, VXLAN-encapsulated) for full capture and deep inspection. Option D is correct because AWS Network Firewall inspects traffic statefully and writes alert and flow logs for what it sees. Option E is wrong because CloudTrail records API calls, not network traffic. Option A is wrong because AWS Config records and evaluates resource configuration, not traffic.

1222
MCQ · easy

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking an unexpected path. Which AWS service should be used to analyze the packet-level traffic flow and identify the path?

A.AWS CloudTrail
B.AWS X-Ray
C.AWS Config
D.VPC Flow Logs
Answer: D

VPC Flow Logs (and Transit Gateway Flow Logs) record metadata about the flows that actually crossed an interface or attachment, which is what you need to see the path traffic really took.

Why this answer

VPC Flow Logs capture per-flow metadata (source and destination addresses, ports, protocol, packet and byte counts, action) at the network-interface level. Transit Gateway Flow Logs, enabled on the transit gateway or on individual attachments, add the attachment IDs and the transit gateway's own view of each flow, so you can confirm whether traffic between the two VPCs crossed the expected attachment or took some other route. Note the granularity: this is flow-level metadata, not packet capture; for payloads you need Traffic Mirroring. For the routing reason behind an unexpected path, Transit Gateway Network Manager's Route Analyzer and VPC Reachability Analyzer evaluate the route tables, while flow logs show what was actually observed.

Exam trap

AWS often tests the misconception that CloudTrail or Config can analyze network traffic paths; only flow logs record the data-plane flows through the transit gateway.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API calls and management events, not packet-level traffic flows; it cannot show the data plane path of network traffic. Option B is wrong because AWS X-Ray traces application-layer requests (e.g., HTTP/SQL) and is designed for distributed application debugging, not for analyzing network-layer packet flows or routing paths. Option C is wrong because AWS Config evaluates resource configurations and compliance rules (e.g., route table settings) but does not capture or analyze live packet-level traffic flows.

1223
Multi-Select · hard

A company is designing a network architecture for a highly sensitive application that must meet strict compliance requirements. The application is deployed in a VPC with multiple subnets. The company needs to ensure that all traffic between subnets is encrypted and that no traffic can bypass the encryption. Which THREE steps should be taken?

Select 3 answers
A.Use network ACLs to block all traffic except encrypted protocols (e.g., IPSec).
B.Set up VPN connections between each subnet's route tables.
C.Deploy a VPC CNI plugin that supports encryption for pods.
D.Use security groups to allow only encrypted traffic.
E.Enable VPC Flow Logs to detect unencrypted traffic.
Answers: A, B, C

Network ACLs cannot tell whether traffic is encrypted, but they can refuse every protocol and port except those the encrypted transport uses (ESP, IKE on UDP 500 and 4500), which is the reasoning the key relies on.

Why this answer

Option A is correct because a network ACL that permits only the IPsec protocol and ports at the subnet boundary blocks any cleartext protocol from crossing. Option B is correct because a VPN between subnets (in practice, VPN appliances or a mesh terminating tunnels in each subnet; there is no native subnet-to-subnet VPN construct) provides the encryption itself. Option C is correct because a CNI plugin with encryption support encrypts pod-to-pod traffic for Kubernetes workloads running in those subnets. Option D is wrong because security groups only allow traffic and apply per instance, so an instance with a different group could bypass the restriction; the subnet-level ACL applies to everything in the subnet. Option E is wrong because VPC Flow Logs only observe traffic; they can detect unencrypted flows but not prevent them.

1224
MCQ · medium

A company has set up a transit gateway with attachments to VPC-A and VPC-B. The transit gateway route table shows routes to both VPCs and a blackhole for 0.0.0.0/0. VPC-A's public subnet route table sends 10.1.0.0/16 traffic to the transit gateway. However, an EC2 instance in VPC-A's public subnet cannot reach an instance in VPC-B. What is the most likely cause?

A.VPC-B's route table does not have a route to VPC-A's CIDR via the transit gateway.
B.VPC-A's route table does not have a route to the transit gateway.
C.The transit gateway route table does not have a route for 10.0.0.0/16.
D.The blackhole route in the transit gateway is blocking traffic between VPCs.
AnswerA

For bidirectional communication, VPC-B must also have a route back to VPC-A via the transit gateway.

Why this answer

Option A is correct because for traffic to flow from VPC-A to VPC-B via a transit gateway, both VPCs must have routes in their route tables pointing to the transit gateway for the other VPC's CIDR. Since VPC-A's route table sends 10.1.0.0/16 (VPC-B's CIDR) to the transit gateway, but VPC-B's route table lacks a return route to VPC-A's CIDR via the transit gateway, the return traffic from VPC-B is dropped, causing connectivity failure.

Exam trap

AWS often tests the misconception that a transit gateway route table alone ensures bidirectional connectivity, when in fact each VPC's subnet route tables must have explicit routes for the other VPC's CIDR to enable return traffic.

How to eliminate wrong answers

Option B is wrong because VPC-A's route table already has a route to the transit gateway (it sends 10.1.0.0/16 traffic to the transit gateway), so this is not the issue. Option C is wrong because the transit gateway route table shows routes to both VPCs, and the problem is about VPC-B's missing return route, not a missing route in the transit gateway for 10.0.0.0/16. Option D is wrong because the blackhole route for 0.0.0.0/0 in the transit gateway only drops traffic destined for the internet, not traffic between VPCs, which is handled by the specific VPC routes.

1225
MCQhard

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from an S3 bucket in the same AWS region. The company wants to ensure that traffic does not traverse the internet. Which solution is MOST cost-effective?

A.Attach an Internet Gateway to the VPC and route the private subnet traffic directly to S3.
B.Create a Gateway VPC Endpoint for S3 and add a route in the private subnet's route table to the endpoint.
C.Create an Interface VPC Endpoint for S3 in the private subnet.
D.Deploy a NAT Gateway in a public subnet and route the private subnet traffic through it to access S3.
AnswerB

Gateway VPC Endpoints are free and allow private access to S3 without internet.

Why this answer

Option D is correct because a Gateway VPC Endpoint for S3 allows private connectivity to S3 without cost, and it does not require a NAT Gateway or Internet Gateway. Option A is wrong because a NAT Gateway would incur hourly charges and data processing fees. Option B is wrong because an Internet Gateway is not needed and would allow internet traffic.

Option C is wrong because an Interface VPC Endpoint for S3 incurs hourly charges.

1226
MCQmedium

A company has a VPC with multiple subnets. They want to block all traffic from the internet to their private subnets, but allow outbound internet traffic from those subnets through a NAT Gateway. Which configuration should they use?

A.Route table with 0.0.0.0/0 -> NAT Gateway
B.Route table with 0.0.0.0/0 -> Virtual Private Gateway
C.Route table with 0.0.0.0/0 -> VPC Peering Connection
D.Route table with 0.0.0.0/0 -> Internet Gateway
AnswerA

This allows outbound traffic only, as NAT Gateway does not allow inbound connections from the internet.

Why this answer

Option B is correct because a route table associated with the private subnets should have a default route (0.0.0.0/0) pointing to the NAT Gateway. Option A is wrong because a public subnet route to an Internet Gateway would allow inbound traffic. Option C is wrong because a route to a Virtual Private Gateway is for VPN connections.

Option D is wrong because a route to a VPC peering connection is for peered VPCs.

1227
Multi-Selecthard

A company is designing a highly available hybrid network using two AWS Direct Connect connections from different providers. The company wants to use BGP to advertise the same on-premises prefixes to AWS. Which THREE practices should be followed to ensure high availability and optimal traffic flow? (Choose three.)

Select 3 answers
A.Advertise different on-premises prefixes on each connection
B.Advertise the same prefixes with different prefix lengths to influence route selection
C.Configure a unique private ASN for each Direct Connect connection
D.Set the same MED value for prefixes advertised on both connections
E.Use different BGP community tags for each connection to influence routing policies
AnswersB, C, E

AWS prefers more specific prefixes (longer prefix length).

Why this answer

Option A is correct because using different ASNs prevents BGP loop prevention from discarding routes. Option B is correct because using different BGP communities can influence routing policies. Option D is correct because using different prefix lengths allows AWS to prefer the more specific prefix.

Option C is wrong because using the same MED value would not help in path selection. Option E is wrong because advertising the same prefixes on both connections is necessary for redundancy.

1228
Multi-Selecthard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises network advertises the prefix 10.0.0.0/8 to AWS. The VPC has a CIDR of 10.0.0.0/16. A network engineer wants to ensure that traffic from on-premises to a specific subnet 10.0.1.0/24 in the VPC is routed via a dedicated VPN connection instead of Direct Connect for testing purposes. Which TWO actions should the engineer take?

Select 2 answers
A.Prepend the AS path on the Direct Connect BGP advertisement.
B.Advertise the specific prefix 10.0.1.0/24 from the VPN connection to the VPC.
C.Disable route propagation on the VPN connection's route table.
D.Use a BGP community to tag the Direct Connect route as no-export.
E.Set a lower MED value on the VPN route advertisement compared to Direct Connect.
AnswersB, E

A more specific prefix will be preferred over the less specific 10.0.0.0/8.

Why this answer

Option A and Option D are correct. A more specific route (10.0.1.0/24) will be preferred over the less specific 10.0.0.0/8. Additionally, setting a lower MED on the VPN route (lower is better) can influence the path selection.

Option B is wrong because disabling route propagation on the VPN would remove the VPN route. Option C is wrong because changing AS path prepend on Direct Connect would make it less preferred, but the Direct Connect may still be used. Option E is wrong because BGP communities do not apply in this context.
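The selection rule used in this question and in 1227 above (longest matching prefix first, then lowest MED among routes for the same prefix), carried through as an added Python example that is not part of the original question bank. The routing table, next-hop names and MED values are constructed assumptions; real BGP applies further tie-breakers that are left out here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # advertised prefix, e.g. "10.0.0.0/8"
    next_hop: str  # which path the advertisement arrived on (assumed label)
    med: int       # BGP Multi-Exit Discriminator; lower is preferred


def select_route(dest_ip, routes):
    """Return the winning Route for dest_ip, or None if nothing matches.

    Order mirrors the explanation above:
      1. the most specific (longest) matching prefix wins;
      2. among routes with the same prefix, the lowest MED wins.
    Local preference, AS path length and other BGP tie-breakers are
    deliberately omitted in this constructed example.
    """
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.med),
    )


# Constructed table for the scenario: 10.0.0.0/8 is learned over Direct
# Connect, while the test subnet 10.0.1.0/24 is advertised over the VPN
# with a lower MED so that it is clearly preferred.
ROUTES = [
    Route("10.0.0.0/8", "direct-connect", med=100),
    Route("10.0.1.0/24", "vpn", med=50),
]


def path_for(dest_ip, routes=ROUTES):
    """Name of the path a destination would take, or None."""
    chosen = select_route(dest_ip, routes)
    return chosen.next_hop if chosen else None


def demo():
    # Hosts in the test subnet follow the /24 over the VPN; the rest of
    # 10.0.0.0/8 keeps using Direct Connect; unknown space has no route.
    return {ip: path_for(ip) for ip in ("10.0.1.25", "10.0.2.25", "192.168.1.1")}


if __name__ == "__main__":
    for ip, path in demo().items():
        print(f"{ip:>12} -> {path}")
```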

1229
MCQmedium

A company is designing a VPC with subnets in multiple Availability Zones (AZs) for a web application. The application must be fault-tolerant and highly available. Which design should the network engineer implement?

A.Deploy all application instances in a single AZ behind an Application Load Balancer.
B.Place one instance in each of two AZs and use an internet gateway for load balancing.
C.Deploy application instances in two AZs behind an Application Load Balancer that spans both AZs.
D.Use a Network Load Balancer in a single AZ with instances in multiple AZs.
AnswerC

This provides fault tolerance and high availability across AZs.

Why this answer

Option C is correct because deploying application instances in two Availability Zones (AZs) behind an Application Load Balancer (ALB) that spans both AZs provides fault tolerance and high availability. If one AZ fails, the ALB automatically routes traffic to healthy instances in the remaining AZ, ensuring continuous service. This design leverages cross-zone load balancing, which is enabled by default for ALBs, to distribute traffic evenly across instances in multiple AZs.

Exam trap

The trap here is that candidates often assume a single load balancer in one AZ is sufficient if instances are in multiple AZs, but they overlook that the load balancer itself must be deployed across multiple AZs to avoid being a single point of failure.

How to eliminate wrong answers

Option A is wrong because deploying all application instances in a single AZ creates a single point of failure; if that AZ experiences an outage, the entire application becomes unavailable, violating fault-tolerance requirements. Option B is wrong because an internet gateway is a VPC component for internet connectivity, not a load balancer; it cannot perform health checks or distribute traffic across instances, so it provides no load balancing or high availability. Option D is wrong because a Network Load Balancer (NLB) in a single AZ cannot route traffic to instances in other AZs unless cross-zone load balancing is explicitly enabled, and even then, the NLB itself is a single point of failure if that AZ fails; the design does not meet high availability standards.

1230
MCQhard

A company has a VPC with a VPN connection to an on-premises network. The network team reports that the VPN tunnel is flapping intermittently. You need to identify the cause. Which AWS service provides logs that can help troubleshoot the VPN tunnel status?

A.VPC Flow Logs
B.Amazon CloudWatch
C.AWS CloudTrail
D.AWS Health Dashboard
AnswerB

CloudWatch provides VPN tunnel metrics and logs.

Why this answer

The correct answer is A because VPN tunnel metrics are available in CloudWatch, including tunnel state and data in/out. Option B is wrong because CloudTrail does not provide tunnel status logs. Option C is wrong because VPC Flow Logs capture traffic, not tunnel status.

Option D is wrong because AWS Health Dashboard provides service health, not specific VPN tunnel logs.

1231
MCQmedium

An e-commerce company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. During a flash sale, the application experiences high latency. The network team notices that the ALB is receiving more traffic than expected. What is the most likely cause?

A.The ALB is configured to terminate HTTPS, which increases CPU load on the ALB.
B.The Auto Scaling group's scaling policies are too aggressive, causing frequent instance launches.
C.The ALB health checks are too frequent, consuming resources.
D.The ALB is not protected by AWS WAF, allowing a DDoS attack or excessive traffic to reach the backend.
AnswerD

Without WAF, the ALB can be targeted by attacks that consume its capacity.

Why this answer

Option D is correct because the sudden spike in traffic reaching the ALB beyond expected levels, combined with high latency, strongly indicates that the ALB is being overwhelmed by malicious or excessive traffic. Without AWS WAF protection, the ALB cannot filter out DDoS attacks or unwanted requests at Layer 7, so all traffic passes through to the backend instances, causing resource exhaustion and latency. AWS WAF integrates directly with ALBs to inspect and block malicious traffic before it reaches the application.

Exam trap

The trap here is that candidates may assume high latency is always caused by backend scaling issues (Option B) or health check overhead (Option C), but the key clue is 'ALB is receiving more traffic than expected,' which points directly to an external traffic source, not internal configuration problems.

How to eliminate wrong answers

Option A is wrong because HTTPS termination at the ALB does increase CPU usage on the ALB node, but this is a normal, expected operation and would not cause the ALB to receive 'more traffic than expected' — it only processes the traffic it receives. Option B is wrong because aggressive Auto Scaling policies cause more frequent instance launches, which could temporarily increase load on the ALB during scale-up events, but this does not explain why the ALB itself is receiving more traffic than expected; scaling policies respond to traffic, they don't generate it. Option C is wrong because ALB health checks are lightweight HTTP/HTTPS requests sent to the target group instances, not to the ALB itself, and they consume negligible resources on the ALB; they do not increase the traffic volume reaching the ALB.

1232
Matchingmedium

Match each AWS networking feature to its purpose for high availability or fault tolerance.

Matches

Static public IP that can be remapped to another instance

DNS-based routing to healthy endpoints

Distributes traffic evenly across all registered targets in all AZs

Improves availability and performance using Anycast IPs

Captures IP traffic information for troubleshooting

Why these pairings

These features help ensure resilience and observability.

1233
MCQmedium

A company is deploying a critical application on AWS and needs to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet the encryption requirement?

A.No additional configuration is needed; VPC peering traffic is automatically encrypted.
B.Create a VPN connection between the two VPCs using the VPC peering connection.
C.Use AWS Transit Gateway with VPN attachments between the VPCs.
D.Configure IPsec on the EC2 instances to encrypt traffic over the VPC peering connection.
AnswerA

AWS encrypts inter-region VPC peering traffic automatically.

Why this answer

VPC peering traffic within the same region is automatically encrypted at the physical layer using AWS's infrastructure, and no additional configuration is required. AWS uses a transit encryption mechanism that encrypts all traffic between VPC peering connections at the network layer, ensuring data confidentiality in transit without the need for VPN or IPsec configurations.

Exam trap

The trap here is that candidates often assume VPC peering traffic is unencrypted by default and reach for VPN or IPsec solutions, but AWS automatically encrypts all traffic within the same region over VPC peering connections.

How to eliminate wrong answers

Option B is wrong because a VPN connection cannot be established over a VPC peering connection; VPN connections require a virtual private gateway or transit gateway and are not supported on peering connections. Option C is wrong because AWS Transit Gateway with VPN attachments is an alternative connectivity method, but it is unnecessary and more complex when a VPC peering connection already exists and automatically encrypts traffic in the same region. Option D is wrong because configuring IPsec on EC2 instances would add unnecessary overhead and complexity, as VPC peering traffic is already encrypted by AWS, and IPsec is not required.

1234
Multi-Selectmedium

A security engineer is designing a network security solution for a multi-tier application. The web tier must be accessible from the internet on ports 80 and 443. The application tier must only accept traffic from the web tier. The database tier must only accept traffic from the application tier on port 3306. Which THREE network access control mechanisms should be used?

Select 3 answers
A.Security groups that allow traffic from specific security groups for the database tier.
B.AWS WAF to filter traffic to the database tier.
C.IAM policies to restrict access to the database.
D.Network ACLs to provide stateless filtering at the subnet level.
E.Security groups that reference other security groups as sources.
AnswersA, D, E

Database security groups should allow inbound traffic from the application security group.

Why this answer

Option A is correct because security groups can be used to allow traffic between tiers based on security group IDs. Option C is correct because network ACLs provide stateless filtering at the subnet level. Option E is correct because security groups for the database tier can reference the application tier security group.

Option B is wrong because IAM is for identity management, not network filtering. Option D is wrong because AWS WAF is for web application firewall at the application layer, not for network-level access between tiers.

1235
Multi-Selecteasy

Which TWO AWS services can be used to centrally manage and enforce security policies across multiple accounts? (Choose two.)

Select 2 answers
A.AWS Config
B.Amazon VPC Flow Logs
C.AWS CloudTrail
D.AWS Identity and Access Management (IAM)
E.AWS Organizations
AnswersA, E

Can evaluate resource configurations against desired policies across accounts.

Why this answer

Options B and C are correct. AWS Organizations allows you to centrally manage accounts and apply service control policies (SCPs). AWS Config can enforce rules across accounts.

Option A is wrong because IAM is per-account. Option D is wrong because CloudTrail is for logging, not policy enforcement. Option E is wrong because VPC Flow Logs are for network monitoring.

1236
Multi-Selectmedium

Which TWO of the following are valid methods to connect a VPC to an on-premises network? (Choose 2.)

Select 2 answers
A.AWS Site-to-Site VPN
B.Internet gateway
C.NAT gateway
D.VPC peering
E.AWS Direct Connect
AnswersA, E

Valid method.

Why this answer

AWS Site-to-Site VPN creates an encrypted tunnel between a VPC and an on-premises network using IPsec. It uses a virtual private gateway or transit gateway on the AWS side and a customer gateway device on-premises, enabling secure communication over the public internet.

Exam trap

The trap here is that candidates often confuse internet-facing connectivity options (internet gateway, NAT gateway) with hybrid connectivity methods, or mistakenly think VPC peering can extend to on-premises networks, when it is strictly limited to inter-VPC communication within AWS.

1237
MCQmedium

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to add a second CIDR block of 10.1.0.0/16 for additional subnets. After adding the CIDR, the existing subnets cannot communicate with the new subnets. What is the most likely cause?

A.Security groups are blocking traffic between the old and new subnets.
B.The VPC CIDR cannot be extended; a new VPC must be created.
C.Route tables for the existing subnets do not have routes to the new CIDR.
D.Network ACLs are blocking traffic by default.
AnswerC

Route tables must include routes for the new CIDR to enable communication.

Why this answer

Option C is correct because route tables must be updated to include routes for the new CIDR block. Option A is wrong because adding a CIDR does not require a new VPC. Option B is wrong because security groups are not the cause of connectivity issues between subnets.

Option D is wrong because NACLs are not the issue unless they are blocking traffic.

1238
Multi-Selecteasy

Which TWO are valid methods to monitor and troubleshoot AWS Direct Connect connections?

Select 2 answers
A.Use CloudFront to monitor Direct Connect utilization.
B.Enable AWS CloudTrail to log Direct Connect API calls.
C.Enable Direct Connect Connection and Virtual Interface metrics in CloudWatch.
D.Use AWS Direct Connect Connection tests to verify connectivity and performance.
E.Enable VPC Flow Logs on the VIF.
AnswersC, D

CloudWatch provides metrics for Direct Connect, such as connection state and BGP status.

Why this answer

Options A and B are correct. Option C is incorrect because VPC Flow Logs do not capture Direct Connect traffic. Option D is incorrect because CloudFront is not related to Direct Connect monitoring.

Option E is incorrect because CloudTrail does not provide real-time connection monitoring.

1239
MCQeasy

A company has a VPC with a CIDR block of 192.168.0.0/16. They have two subnets: Subnet A (192.168.1.0/24) and Subnet B (192.168.2.0/24). They launch an EC2 instance in Subnet A and another EC2 instance in Subnet B. They want to ensure that both instances can communicate with each other. The instances are in the same VPC. What is the simplest way to enable communication between these instances?

A.Create a VPC Peering connection between Subnet A and Subnet B
B.No additional configuration is needed; instances in the same VPC can communicate by default
C.Create a NAT Gateway in each subnet
D.Attach an internet gateway to the VPC
AnswerB

Default VPC routing allows communication between subnets.

Why this answer

By default, all instances within the same VPC can communicate with each other using private IP addresses, regardless of which subnet they reside in. The VPC's implicit router enables this layer-3 connectivity as long as the subnets' route tables do not explicitly block traffic and the instances' security groups or network ACLs permit the traffic. Since both subnets are within the same VPC (192.168.0.0/16), no additional configuration is required for basic IP-level communication.

Exam trap

The trap here is that candidates may overthink the scenario and assume that different subnets require explicit routing or peering, when in fact the VPC's implicit local route already handles all intra-VPC traffic by default.

How to eliminate wrong answers

Option A is wrong because VPC peering connects entire VPCs, not subnets, and is unnecessary when instances are already in the same VPC. Option C is wrong because a NAT Gateway is used to enable outbound internet access for instances in private subnets, not to enable communication between instances within the same VPC. Option D is wrong because an internet gateway provides internet connectivity, not internal VPC communication, and attaching it does not affect intra-VPC routing.

1240
MCQhard

A company has a VPC with a public subnet and a private subnet. The private subnet instances need to make outbound internet requests. A NAT Gateway is deployed in the public subnet. The network engineer notices that instances in the private subnet cannot reach the internet, but the NAT Gateway's Elastic IP is reachable from the internet. Which of the following is the most likely cause?

A.The network ACL on the private subnet blocks outbound traffic.
B.The route table for the private subnet does not have a default route (0.0.0.0/0) pointing to the NAT Gateway.
C.The NAT Gateway is not associated with an Elastic IP.
D.The security group attached to the NAT Gateway blocks outbound traffic.
AnswerB

Without this route, outbound traffic cannot reach the NAT Gateway.

Why this answer

Option C is correct because the private subnet route table must have a default route (0.0.0.0/0) pointing to the NAT Gateway. Option A is wrong because the NAT Gateway is in a public subnet with a route to IGW. Option B is wrong because security groups are not applicable to NAT Gateway.

Option D is wrong because a NACL on the private subnet would affect inbound/outbound traffic, but the issue here is routing.

1241
MCQmedium

A network engineer created a VPC interface endpoint for a third-party SaaS service using AWS PrivateLink. The endpoint shows 'available' state, but on-premises clients cannot connect to the service via the private endpoint DNS name. What is the MOST likely reason?

A.The endpoint is not in the 'available' state.
B.Private DNS is not enabled for the endpoint.
C.The endpoint is not associated with any subnet.
D.The endpoint type is Gateway, not Interface.
AnswerB

Private DNS must be enabled for the private hosted zone to resolve the endpoint DNS name.

Why this answer

Option B is correct because Private DNS for the endpoint must be enabled for the private DNS name to resolve correctly from on-premises. Option A is incorrect because the endpoint is in 'available' state. Option C is incorrect because the subnet IDs are present.

Option D is incorrect because the endpoint type is Interface, not Gateway.

1242
MCQhard

A security engineer is troubleshooting an issue where Amazon Inspector is not finding any vulnerabilities in an EC2 instance. The instance has the AWS Systems Manager Agent (SSM Agent) installed and is managed by AWS Systems Manager. What is the most likely reason for Inspector not reporting findings?

A.The EC2 instance does not have an IAM role that allows Inspector to scan it.
B.The EC2 instance is in a private subnet without a NAT gateway.
C.The EC2 instance's security group blocks outbound traffic to the Inspector service.
D.The EC2 instance is not managed by AWS Systems Manager.
AnswerD

Inspector requires the SSM Agent to be installed and the instance to be managed by Systems Manager in order to perform assessments.

Why this answer

Inspector requires the SSM Agent to be installed and the instance to be properly registered with Systems Manager. If the instance is not managed by Systems Manager, Inspector cannot perform assessments. Missing IAM role, Security Groups, or Subnet would not prevent Inspector from running; they affect other aspects.

1243
MCQeasy

A company uses AWS Direct Connect to connect its data center to a VPC. The VIF is up, and the BGP session is established. However, the on-premises router cannot ping the VPC's private IP addresses. Which configuration is most likely missing?

A.The Direct Connect virtual interface is in the wrong VLAN.
B.The BGP password is incorrect.
C.The on-premises router is not advertising the VPC CIDR via BGP.
D.The VPC route table does not have a route pointing to the Virtual Private Gateway for the on-premises CIDR.
AnswerD

Without this route, the VPC does not know to send traffic to the Direct Connect via the VGW.

Why this answer

For traffic to reach VPC private IPs, the VPC route table must have a route pointing to the Virtual Private Gateway (VGW) for the on-premises CIDR. Even with BGP up, without this route, traffic won't be sent to the VGW.

1244
MCQmedium

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The connection uses a private virtual interface (VIF) to access the VPC. The network team is monitoring the link and notices that the BGP session goes down intermittently. The team has checked the physical layer and found no issues. The BGP keepalive timer is set to 30 seconds on both sides. The network engineer suspects that the issue might be related to the BGP hold timer. What should the engineer do to stabilize the BGP session?

A.Configure a static route on the on-premises router for the VPC CIDR.
B.Decrease the BGP hold timer to 10 seconds on the on-premises router.
C.Increase the BGP hold timer to 90 seconds on both the on-premises router and the AWS side.
D.Change the virtual interface to a public VIF to improve BGP stability.
AnswerC

Correct: A higher hold timer reduces the chance of BGP session flapping due to intermittent connectivity.

Why this answer

Option A is correct because increasing the BGP hold timer allows more time to receive keepalives, reducing flapping due to transient issues. Option B is wrong because decreasing the hold timer would make the session more sensitive. Option C is wrong because a static route would bypass BGP and not provide redundancy.

Option D is wrong because moving to a public VIF is unrelated to BGP stability.

1245
MCQhard

A company uses AWS Direct Connect to connect their on-premises network to AWS. They have a VPC with a virtual private gateway (VGW) and a private VIF attached to it. They recently added a second Direct Connect connection for redundancy. Both connections are active and advertised via BGP. The on-premises network uses BGP with the same AS number. After configuration, they notice that traffic is not load-balanced as expected; instead, all traffic flows through one connection. What is the most likely cause?

A.The on-premises router has a static route pointing to the primary connection, overriding BGP learned routes.
B.Both Direct Connect connections are in the same AWS region and use the same VGW, so traffic cannot be load-balanced.
C.The on-premises router is configured with a higher local preference for one of the BGP sessions, causing it to prefer that path.
D.The Direct Connect connections are using different VLANs, causing asymmetric routing.
AnswerC

BGP path selection can be influenced by local preference. If one session has a higher local preference, all traffic will use that path.

1246
MCQhard

Refer to the exhibit. A company applies this bucket policy to an S3 bucket. Users in a different VPC with IP range 10.0.0.0/16 are able to access objects, but users in a different VPC with IP range 10.1.0.0/16 cannot. What is the most likely cause?

A.The bucket policy uses the wrong condition key
B.The users are accessing the bucket through a NAT Gateway, which changes the source IP
C.The bucket policy specifies the wrong resource ARN
D.The bucket policy does not specify a principal
AnswerB

NAT changes private IP to public IP, which does not match the condition.

Why this answer

The condition 'aws:SourceIp' checks the source IP address. If the users in 10.1.0.0/16 are accessing via a NAT, the source IP will be the NAT's public IP, not the private IP, and will not match the condition. Option A is wrong because the policy allows all principals.

Option B is wrong because the resource is correct. Option C is wrong because the action is correct.
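How the aws:SourceIp condition behaves when a NAT sits in the path, as an added Python example rather than the exhibit's policy. The bucket policy, bucket name, instance IPs and the NAT address (from the TEST-NET-3 documentation range) are constructed, and the evaluator covers only the IpAddress/NotIpAddress operators on aws:SourceIp.

```python
import ipaddress
import json

# Constructed policy in the shape the question describes: every principal
# is allowed, gated only by an aws:SourceIp condition. Not the exhibit.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowFromCorpRange",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/16"]}}
  }]
}
""")


def source_ip_allowed(policy, source_ip):
    """True if some Allow statement's aws:SourceIp conditions accept source_ip.

    Simplified evaluator: Deny statements, Action/Resource matching and
    other condition keys are ignored; only the point the question makes
    (does the IP S3 sees fall inside the permitted range?) is modelled.
    """
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for operator, negate in (("IpAddress", False), ("NotIpAddress", True)):
            ranges = cond.get(operator, {}).get("aws:SourceIp")
            if ranges is None:
                continue
            if isinstance(ranges, str):
                ranges = [ranges]
            matched = any(ip in ipaddress.ip_network(r) for r in ranges)
            # IpAddress fails when nothing matched; NotIpAddress fails when
            # something matched.
            if matched == negate:
                ok = False
        if ok:
            return True
    return False


def seen_source_ip(instance_ip, nat_public_ip=None):
    """The address S3 evaluates: the NAT's public IP when traffic is NATed,
    otherwise the instance's own address."""
    return nat_public_ip if nat_public_ip else instance_ip


def demo():
    # 10.0.0.0/16 client reaching S3 without NAT keeps its private address.
    direct = seen_source_ip("10.0.5.12")
    # 10.1.0.0/16 client behind a NAT gateway shows up as the NAT's EIP
    # (constructed TEST-NET-3 address), which is outside the allowed range.
    natted = seen_source_ip("10.1.5.12", nat_public_ip="203.0.113.7")
    return {
        "direct": source_ip_allowed(BUCKET_POLICY, direct),
        "natted": source_ip_allowed(BUCKET_POLICY, natted),
    }


if __name__ == "__main__":
    print(demo())
```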

1247
MCQeasy

A solutions architect is designing a VPC with public and private subnets in two Availability Zones. The private subnets require outbound internet access for software updates, but inbound internet access must be blocked. Which solution meets these requirements?

A.Attach an internet gateway to the VPC and add a default route to the internet gateway in the private subnet route tables.
B.Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet route tables.
C.Launch an EC2 instance in a public subnet with a proxy software and route private subnet traffic through it.
D.Create a VPC endpoint for Amazon S3 and add a route to the endpoint in the private subnet route tables.
AnswerB

NAT Gateway provides outbound-only internet access.

Why this answer

Option B is correct because a NAT Gateway, deployed in a public subnet with an Elastic IP and a route to an Internet Gateway, enables outbound traffic from private subnets to the internet while blocking unsolicited inbound connections. The private subnet route table directs default traffic (0.0.0.0/0) to the NAT Gateway, which performs source network address translation (SNAT) on outbound packets, ensuring responses return to the NAT Gateway without exposing private instances directly.

Exam trap

The trap here is that candidates may confuse a NAT Gateway with an Internet Gateway, thinking that a default route to an Internet Gateway in a private subnet is acceptable, but an Internet Gateway allows bidirectional traffic, which would expose private instances to inbound internet connections.

How to eliminate wrong answers

Option A is wrong because adding a default route to an internet gateway in a private subnet route table would make the private subnet effectively public, allowing inbound internet traffic to reach instances directly, violating the requirement to block inbound access. Option C is wrong because while an EC2 instance with proxy software could provide outbound access, it introduces a single point of failure, requires ongoing management (patching, scaling), and is less reliable and cost-effective than a managed NAT Gateway, which is the recommended AWS solution. Option D is wrong because a VPC endpoint for Amazon S3 only provides private connectivity to S3, not general outbound internet access for software updates from arbitrary sources on the internet.

1248
MCQeasy

A company uses AWS Site-to-Site VPN to connect its on-premises network to a VPC. The VPN connection uses static routes. Recently, the on-premises network administrator added a new subnet (10.0.3.0/24) and needs to ensure that traffic to this subnet is routed through the VPN tunnel. What must be done in the AWS VPC to enable this connectivity?

A.Update the customer gateway configuration
B.Enable route propagation on the VPN connection
C.Create a new VPN connection for the new subnet
D.Add a static route for 10.0.3.0/24 in the VPN connection's route table
AnswerD

Static routes specify which subnets are reachable via the VPN tunnel.

Why this answer

Option D is correct because, with a statically routed Site-to-Site VPN, the VPN connection's static route list is what tells AWS which on-premises prefixes are reachable through the tunnels; 10.0.3.0/24 must be added there, and the VPC route tables must carry a route for it to the virtual private gateway (via propagation or a static entry). Option B is incorrect because route propagation only applies to dynamic (BGP) VPNs. Option C is incorrect because the existing VPN connection does not need to be replaced to add a prefix.

Option A is incorrect because the customer gateway object represents the on-premises device and only needs to change if the device's IP address or BGP ASN changes.

1249
MCQeasy

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to an on-premises network with CIDR 10.0.0.0/8. They plan to use AWS Direct Connect with a private virtual interface. What should they do to resolve the overlapping CIDR conflict?

A.Create a VPN connection with dynamic routing and use BGP to advertise the VPC CIDR.
B.Create a VPC peering connection between the VPC and the on-premises network.
C.Change the VPC CIDR to a non-overlapping range, such as 172.16.0.0/16, and re-create the VPC with the new CIDR.
D.Use a NAT Gateway in the VPC to translate the on-premises IP addresses.
AnswerC

Non-overlapping address ranges are the clean fix.

Why this answer

Option C is correct because a private virtual interface carries routes between the on-premises network and the VPC as they are, with no address translation on the AWS side: if the VPC's 10.0.0.0/16 sits inside the on-premises 10.0.0.0/8, the VPC's own local route always wins for that /16 and the on-premises side cannot be given a usable route to the VPC. Re-creating the VPC with a non-overlapping CIDR such as 172.16.0.0/16 removes the conflict; the primary VPC CIDR cannot be changed after creation (secondary CIDRs can be added, but they do not remove the overlapping primary range).

Exam trap

The trap here is that candidates assume NAT or VPN can resolve overlapping IP ranges. A private VIF needs non-overlapping prefixes on both sides, and a NAT Gateway as described in Option D cannot rewrite on-premises addresses at all; it translates the source address of traffic leaving the VPC. (A private NAT gateway placed in a secondary, non-overlapping CIDR is a real workaround for VPC-initiated traffic into a partially overlapping network, but it does not make the overlapping /16 reachable and is not among the options.)

How to eliminate wrong answers

Option A is wrong because a VPN connection with dynamic routing does not resolve overlapping CIDRs; BGP would still advertise the conflicting 10.0.0.0/16 into the on-premises network, causing routing loops or blackholing. Option B is wrong because VPC peering does not support overlapping CIDRs and cannot connect a VPC to an on-premises network; it only connects VPCs within AWS. Option D is wrong because a NAT Gateway translates traffic from private instances to the internet, not from the VPC to on-premises; it cannot translate on-premises IP addresses and does not resolve overlapping CIDR conflicts in a Direct Connect private VIF.

1250
MCQmedium

A company is deploying a web application across multiple Availability Zones in a single region. They want to distribute incoming traffic evenly across all healthy EC2 instances. Which AWS service should be used as the entry point?

A.Application Load Balancer (ALB)
B.Amazon CloudFront
C.Network Load Balancer (NLB)
D.Amazon Route 53 with simple routing
AnswerA

Layer 7 load balancer with health checks.

Why this answer

Option A is correct because an Application Load Balancer spreads requests across healthy targets in all enabled Availability Zones and removes targets that fail its health checks; for an HTTP web application its Layer 7 features (host and path rules, HTTP health checks with expected response codes, sticky sessions) are what the design calls for. Option C is wrong because a Network Load Balancer works at Layer 4; it can carry HTTP as plain TCP but offers none of the request-level routing a web tier usually needs. Option D is wrong because Route 53 simple routing returns the record's values with no health awareness and is not a load balancer across instances.

Option B is wrong because CloudFront is a content delivery network that caches and fronts an origin such as an ALB; it does not distribute traffic across individual EC2 instances or health-check them.

1251
MCQhard

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM role can be created without an approved custom trust policy. Which SCP should be attached to the root OU to enforce this requirement?

A.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole","Resource":"*","Condition":{"StringNotEquals":{"aws:RequestTag/Approved":"true"}}}]}
B.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole","Resource":"*"}]}
C.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole","Resource":"arn:aws:iam::*:role/*","Condition":{"StringNotLike":{"iam:RoleName":"approved-*"}}}]}
D.{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:PassRole","Resource":"*"}]}
AnswerA

This SCP denies CreateRole unless the request includes a tag 'Approved' with value 'true', enforcing the requirement.

Why this answer

Option A is correct because a Deny with StringNotEquals on aws:RequestTag/Approved matches any CreateRole call whose request does not carry the tag Approved=true, and because negated condition operators evaluate to true when the key is absent, an untagged request is denied as well. The tag is a proxy for the approval workflow: the SCP cannot inspect the trust policy document itself, since the AssumeRolePolicyDocument is not exposed as a condition key, so the requirement is enforced by convention rather than by content. The control is therefore only as strong as the set of principals allowed to call iam:CreateRole with that tag; pair it with tight permissions on who may create roles and with an after-the-fact check of trust policies (IAM Access Analyzer or an AWS Config rule). Attached to the root of the organization, the SCP applies to every member account (SCPs never affect the management account).

Exam trap

AWS often tests the distinction between using tags versus naming conventions or resource-based conditions to enforce governance. Candidates pick naming-based conditions (Option C) thinking they enforce policy approval, but a role name carries no information about its trust policy, whereas a request tag is metadata that can be required at creation time and evaluated by the SCP.

How to eliminate wrong answers

Option B is wrong because it denies all iam:CreateRole actions unconditionally, which would prevent any IAM role from being created at all, even those with an approved trust policy, thus violating the requirement to allow approved roles. Option C is wrong because it uses a condition on the role name pattern 'approved-*', which is a naming convention and does not enforce an approved custom trust policy; roles could be named 'approved-*' without having an approved trust policy, and roles with a different name but an approved policy would be blocked. Option D is wrong because it denies iam:PassRole, which controls the ability to pass an existing role to an AWS service, not the creation of a new role; this does not address the requirement to restrict role creation based on trust policy approval.
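The behaviour that makes Option A work, the Deny firing on a request that carries no Approved tag at all, is easy to get wrong when reading the policy. The following is an added example written for this page (not an AWS library and not part of the original question bank): a minimal model of IAM condition evaluation that implements the documented rule that negated operators such as StringNotEquals evaluate to true when the context key is absent. It models only the operators it needs, and the request contexts are constructed.

```python
"""Added example: simulate how the SCP in Option A treats three CreateRole
requests (tagged Approved=true, tagged Approved=false, untagged) and one
unrelated action. Not an AWS library; it models only StringEquals and
StringNotEquals and the absent-key rule for negated operators."""
import fnmatch
import json

SCP_OPTION_A = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"iam:CreateRole",'
    '"Resource":"*","Condition":{"StringNotEquals":{"aws:RequestTag/Approved":"true"}}}]}'
)


def _aslist(x):
    return x if isinstance(x, list) else [x]


def _condition_matches(condition, context):
    """All operator blocks must match (AND); within one key any listed value may match (OR)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = _aslist(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in values:
                    return False
            elif operator == "StringNotEquals":
                # Key present and equal to a listed value -> no match.
                # Key absent -> the negated operator matches (documented IAM behaviour).
                if actual is not None and actual in values:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def scp_denies(policy, action, context):
    """True if any Deny statement in the SCP applies to this action and request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _aslist(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def create_role_context(tags):
    """Request-context keys produced by a CreateRole call carrying these tags.
    Note what is not here: the trust policy document, which the SCP cannot see."""
    return {f"aws:RequestTag/{key}": value for key, value in tags.items()}
```

Running scp_denies over the three CreateRole contexts shows only the Approved=true request getting through, while iam:PassRole is untouched because the statement's Action does not match it. The context dictionary also makes the limitation visible: nothing about the trust policy ever reaches the condition, which is why the tag is only a proxy for approval.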

1252
Multi-Selecthard

A company wants to use AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to centrally manage and enforce security policies. Which THREE components are required?

Select 3 answers
A.Transit Gateway route tables
B.VPC Gateway Endpoints
C.AWS Resource Access Manager (RAM)
D.AWS Direct Connect Gateway
E.AWS Network Firewall
AnswersA, C, E

Route tables control how traffic is routed between attachments.

Why this answer

Options A, C, and E are correct. Transit Gateway route tables control which attachments can reach which, and are the mechanism for forcing traffic through an inspection path. AWS Network Firewall provides centralized inspection and policy enforcement for that traffic.

Resource shares via AWS RAM let the Transit Gateway be attached from VPCs in other accounts of the organization, which is what makes it a central hub rather than a single-account one. Option B is wrong because VPC endpoints give private access to AWS services and have nothing to do with Transit Gateway connectivity. Option D is wrong because a Direct Connect gateway is one way to bring on-premises networks in (a VPN attachment is another), so it is not strictly required, and it does not enforce security policy.

1253
MCQeasy

A company has a VPC with public and private subnets. The private subnets need outbound internet access for software updates. Which design will meet this requirement most securely?

A.Deploy a NAT Gateway in a public subnet and add a route to it from the private subnets.
B.Add a default route to the IGW from the private subnet route table.
C.Place the instances in a public subnet with a route to an Internet Gateway (IGW).
D.Deploy a NAT instance in a private subnet and configure routes to it.
AnswerA

NAT Gateway allows outbound traffic from private subnets while blocking inbound traffic.

Why this answer

A NAT Gateway deployed in a public subnet with an Elastic IP allows private subnet instances to initiate outbound connections to the internet (e.g., for software updates) while preventing unsolicited inbound connections. The private subnet route table needs a default route (0.0.0.0/0) pointing to the NAT Gateway; the public subnet's route table in turn sends 0.0.0.0/0 to the Internet Gateway (IGW), which is attached to the VPC rather than placed in a subnet. This design is the most secure because it avoids exposing private instances directly to the internet and uses a managed, highly available service. Note that a NAT Gateway is zonal: deploy one per Availability Zone and point each private subnet at the gateway in its own AZ, or a single AZ failure takes the other zones' egress with it.

Exam trap

AWS often tests the misconception that a NAT instance can be placed in a private subnet and still provide outbound internet access, but in reality, a NAT device must reside in a public subnet with a route to an IGW to translate and forward traffic.

How to eliminate wrong answers

Option B is wrong because adding a default route to the IGW from the private subnet route table would directly expose private instances to the internet, allowing unsolicited inbound traffic and bypassing any NAT functionality, which violates security best practices. Option C is wrong because placing instances in a public subnet with a route to an IGW gives them public IP addresses and direct internet access, making them vulnerable to inbound attacks and defeating the purpose of using private subnets for security. Option D is wrong because deploying a NAT instance in a private subnet would require a route to an IGW or another NAT device for outbound traffic, creating a circular dependency; NAT instances must be in a public subnet to reach the IGW, and using a NAT instance also introduces single points of failure and management overhead compared to a managed NAT Gateway.

1254
MCQhard

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. They need to ensure that traffic is distributed evenly across regions and that failover happens automatically. Which configuration should they use?

A.Use Route 53 latency-based routing with health checks
B.Configure Global Accelerator with a single endpoint group containing both ALBs
C.Configure Global Accelerator with two endpoints (one per region) and set equal weights
D.Use a Network Load Balancer in each region and Route 53 weighted routing
AnswerC

Global Accelerator fails over on its own health checks, and its traffic dials and endpoint weights control how much traffic each Region and endpoint receives.

Why this answer

Option C is the intended answer: each Region's ALB is registered as a Global Accelerator endpoint with equal weight so neither Region is preferred by configuration, and the accelerator's health checks pull traffic away from a Region whose ALB fails without any DNS change, because clients keep using the same two static anycast addresses. Two details matter in practice. First, an endpoint group is Regional, so the two ALBs live in two endpoint groups (one per Region); the per-group traffic dial, not the endpoint weight, is the knob for the share sent to each Region, while endpoint weights balance among endpoints inside one group. Second, default routing sends a client to the nearest healthy Region rather than splitting each client's requests evenly, so "even" here means no Region is favoured by configuration. Option B is wrong because an endpoint group belongs to one Region and cannot hold both ALBs. Options A and D can also fail over, but they depend on DNS (Route 53 health checks plus TTL expiry and resolver caching), so failover is slower, and Option D's NLBs are not the ALBs the design calls for.

1255
MCQmedium

A company has set up a Direct Connect connection with a private VIF to its VPC. The BGP session is up, but traffic is not passing between the on-premises network and the VPC. Which configuration should be verified?

A.Ensure jumbo frames are enabled on the Direct Connect interface
B.Verify that the VIF is a public VIF
C.Review the Direct Connect virtual interface metrics in CloudWatch
D.Check the BGP advertised routes and the VPC route tables
AnswerD

Routes must be properly advertised and propagated to the VPC route table.

Why this answer

Option D is correct because an established BGP session only proves the neighbors can talk; traffic needs the on-premises router to advertise its prefixes over the session (and to accept the VPC CIDR that the virtual private gateway advertises), and the VPC route tables need routes for those prefixes pointing at the virtual private gateway, which means route propagation must be enabled on each route table or the routes added statically. Option A is wrong because jumbo frames are an MTU optimization, not a prerequisite for connectivity. Option B is wrong because a private VIF is the correct type for reaching a VPC; a public VIF would not reach VPC resources at all.

Option C is wrong because CloudWatch metrics help measure the link once it passes traffic; they do not fix a missing route. If routes look correct, security groups and network ACLs on the VPC side are the next thing to verify.

1256
Multi-Selectmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team needs to monitor the BGP session status for each VPN attachment. Which TWO services can be used to monitor BGP status and receive alerts if a session goes down?

Select 2 answers
A.Amazon CloudWatch Alarms on the BGP status metric.
B.AWS Config rules.
C.VPC Flow Logs.
D.AWS CloudTrail logs.
E.Amazon CloudWatch metrics for VPN tunnels.
AnswersA, E

CloudWatch alarms on the VPN tunnel metrics notify when a tunnel, and with it its BGP session, goes down.

Why this answer

Options A and E are correct. Site-to-Site VPN publishes per-tunnel CloudWatch metrics, and for a BGP-based VPN the TunnelState metric is 1 only while the BGP session is ESTABLISHED (0 for every other state), so a CloudWatch alarm on TunnelState with an SNS action is the standard way to be paged when BGP drops on a Transit Gateway VPN attachment. Option C is wrong because VPC Flow Logs record IP traffic metadata, not control-plane state.

Option B is wrong because AWS Config evaluates resource configuration, not session state. Option D is wrong because CloudTrail records API calls, not BGP events.

1257
Drag & Dropmedium

Order the steps to troubleshoot an inter-Region VPC peering connection that is not working:


Why this order

First verify peering status, then check routes, then security groups/ACLs, then test, then use flow logs.

1258
MCQeasy

A company has a VPC with public and private subnets. The security team wants to allow instances in a private subnet to download software updates from the internet but prevent inbound internet traffic. Which AWS service should be used?

A.Internet gateway
B.AWS Site-to-Site VPN
C.VPC peering connection
D.NAT gateway
AnswerD

NAT gateway enables outbound internet traffic from private subnets.

Why this answer

A NAT gateway allows outbound internet traffic from private subnets while blocking unsolicited inbound traffic, so Option D is correct. Option A is wrong because an internet gateway allows bidirectional traffic and would expose the instances.

Option C is wrong because VPC peering is for VPC-to-VPC connectivity. Option B is wrong because a Site-to-Site VPN is for hybrid connectivity to an on-premises network.

1259
MCQeasy

A company has an AWS Direct Connect connection and wants to use it to access Amazon S3 buckets without traversing the public internet. Which virtual interface type should be used?

A.Transit virtual interface
B.Hosted virtual interface
C.Private virtual interface
D.Public virtual interface
AnswerD

Public VIF provides access to public AWS services over Direct Connect.

Why this answer

A public virtual interface (VIF) reaches the public endpoints of AWS services, S3 included, over the Direct Connect link: AWS advertises its public IP prefixes to the on-premises router over BGP, and the on-premises side advertises public prefixes it owns (or an AWS-assigned range), so requests to S3 use its public addresses without crossing the internet. A private VIF reaches resources inside a VPC through a virtual private gateway or Direct Connect gateway. A transit VIF connects to a Direct Connect gateway associated with transit gateways.

A hosted VIF is a VIF that the owner of a Direct Connect connection creates for another AWS account; it is a question of ownership, not of which services can be reached.

1260
MCQmedium

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in us-east-1 and a Network Load Balancer (NLB) in eu-west-1. They need to route traffic from the ALB to the NLB using a fixed IP address. Which AWS service should be used to provide a static IP for the NLB and enable cross-region load balancing?

A.AWS WAF
B.Amazon CloudFront
C.AWS Transit Gateway
D.AWS Global Accelerator
AnswerD

Global Accelerator provides static IPs and can route to NLB across regions.

Why this answer

AWS Global Accelerator provides two static anycast IP addresses that serve as a fixed entry point for traffic. Registering the NLB in eu-west-1 as an endpoint (in an endpoint group for that Region) gives the NLB a stable, globally reachable address: anything that needs to reach it, including the application tier behind the ALB in us-east-1, can target the accelerator's static IPs, and Global Accelerator carries the traffic over the AWS backbone and health-checks the endpoint. Note that an ALB cannot register a public IP as a target, so the cross-Region call is made by the application behind the ALB (or by the clients), not by an ALB listener rule.

Exam trap

The trap here is that candidates reach for CloudFront because it also sits at the edge, overlooking that it is an HTTP/HTTPS cache with no fixed addresses by default, whereas Global Accelerator is built for exactly this: static anycast IPs in front of TCP/UDP endpoints such as NLBs, across Regions.

How to eliminate wrong answers

Option A is wrong because AWS WAF filters web requests at an ALB, CloudFront or API Gateway; it provides neither addresses nor routing. Option B is wrong because Amazon CloudFront is a content delivery network for HTTP/HTTPS; it does not expose a fixed set of IP addresses for a distribution by default and does not forward arbitrary TCP traffic to an NLB in another Region. Option C is wrong because AWS Transit Gateway connects VPCs and on-premises networks (including across Regions via peering attachments), but it does not provide static public IP addresses for load balancers and is not a front door for client traffic.

1261
MCQhard

A company is designing a multi-Region architecture using AWS Transit Gateway and Direct Connect. They have VPCs in us-east-1 and eu-west-1, each with an attached Transit Gateway. The Direct Connect gateway is associated with the Transit Gateway in us-east-1. They need to enable communication between VPCs across Regions using the Direct Connect gateway. What is the correct design to achieve this?

A.Create a single Transit Gateway that spans both Regions and attach VPCs in both Regions.
B.Use VPC peering between the VPCs and route Direct Connect traffic through the VPC peering connection.
C.Create a Transit Gateway peering attachment between the Transit Gateways in us-east-1 and eu-west-1, and route traffic over the Direct Connect gateway via the peering.
D.Associate the Direct Connect gateway with both Transit Gateways in us-east-1 and eu-west-1.
AnswerC

Transit Gateway peering enables inter-Region connectivity. The Direct Connect gateway remains associated with the Transit Gateway in us-east-1, and routes can be propagated to allow traffic to flow across the peering.

Why this answer

Option C is correct because Transit Gateway peering attachments allow transitive routing between Transit Gateways in different AWS Regions. By establishing a peering attachment between the Transit Gateways in us-east-1 and eu-west-1, traffic from the VPC in eu-west-1 can be routed through its local Transit Gateway, across the peering attachment to the Transit Gateway in us-east-1, and then over the Direct Connect gateway to on-premises networks. This design enables cross-region VPC communication via Direct Connect without requiring a single Transit Gateway or direct VPC peering.

Exam trap

The trap here is assuming a Direct Connect gateway can act as a transit hub between Regions. A Direct Connect gateway can be associated with several transit gateways, in different Regions, subject to the per-gateway quota and non-overlapping allowed prefixes, but it only carries traffic between on-premises and each associated gateway; it never forwards traffic from one associated transit gateway to another, so inter-Region VPC traffic needs a Transit Gateway peering attachment.

How to eliminate wrong answers

Option A is wrong because a Transit Gateway is a Regional resource and cannot span Regions. Option B is wrong because VPC peering is not transitive: a VPC cannot reach on-premises networks (or a third VPC) through its peer's Direct Connect gateway, and edge-to-edge routing over a peering connection is not supported. Option D is wrong for the reason above: even with the Direct Connect gateway associated with both transit gateways, each association carries only on-premises traffic for that gateway's allowed prefixes, and the Direct Connect gateway does not route between the two transit gateways, so the VPCs still cannot talk to each other through it.

1262
MCQmedium

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The network team notices increased latency and packet loss during peak hours. The Direct Connect virtual interface (VIF) is configured as a private VIF to a VPC. What is the MOST likely cause of the issue?

A.Jumbo frames are not enabled on the VIF.
B.The VIF bandwidth is insufficient for the traffic volume.
C.The BGP keepalive timer is set too low.
D.The MTU size of the VIF is set to 1500 bytes.
AnswerB

Bursty traffic can exceed the provisioned bandwidth, causing congestion.

Why this answer

Option B is correct because a private VIF is bounded by the port speed of the connection (or the hosted connection's capacity); when peak-hour traffic approaches that ceiling, queues build and packets are dropped, which shows up as latency and loss only during busy periods. Confirm it by comparing the ConnectionBpsEgress and ConnectionBpsIngress CloudWatch metrics with the provisioned speed. Option C is incorrect because BGP timers affect how fast a session failure is detected and routes converge, not throughput. Option A is incorrect because not enabling jumbo frames leaves the MTU at 1500, which limits efficiency but does not create peak-hour drops.

Option D is incorrect because an MTU problem (for example mismatched MTUs or blocked ICMP fragmentation-needed messages) causes persistent failures for large packets regardless of load, not congestion that appears only at peak hours.

1263
MCQhard

A company is implementing a multi-region architecture with VPCs in us-east-1 and eu-west-1. They want to connect these VPCs using a Transit Gateway and ensure that traffic between regions can be inspected by a firewall in us-east-1. Which configuration is required?

A.Establish a VPN connection between the two VPCs and route traffic through the firewall.
B.Create a Transit Gateway in each region, peer them, and configure route tables to send inter-region traffic through the inspection VPC in us-east-1.
C.Create a VPC peering connection between the two VPCs and update route tables.
D.Use a Direct Connect gateway to connect the two VPCs directly.
AnswerB

Transit Gateway peering enables cross-region connectivity, and route tables can steer traffic for inspection.

Why this answer

Option B is correct because Transit Gateway peering attachments connect the two Regional transit gateways, and each transit gateway's route tables decide where inter-Region traffic goes. On the eu-west-1 side, routes for the us-east-1 VPC CIDRs point to the peering attachment; on the us-east-1 side, the route table associated with the peering attachment sends that traffic to the inspection VPC attachment, the inspection VPC's route table returns it to the transit gateway after the firewall, and the transit gateway delivers it to the destination VPC. Enable appliance mode on the inspection VPC attachment so both directions of a flow use the same Availability Zone and the stateful firewall sees both halves. Option C is incorrect because VPC peering is not transitive and cannot hairpin traffic through an inspection VPC.

Option D is incorrect because a Direct Connect gateway connects on-premises networks to VPCs or transit gateways; it does not route between VPCs. Option A is incorrect because a VPN between the VPCs provides connectivity, not inspection, and would still need a hub to insert the firewall.

1264
MCQmedium

A security engineer must ensure that all traffic between an application running on Amazon EC2 and an Amazon RDS database is encrypted in transit. The VPC has a public subnet for the EC2 instance and a private subnet for the RDS database. What is the MOST secure way to enforce encryption for this traffic?

A.Enable IAM database authentication for the RDS instance.
B.Use a security group rule that allows traffic only on port 443.
C.Configure the RDS DB instance to require SSL/TLS connections and configure the application to connect using SSL.
D.Place both the EC2 instance and the RDS database in the same subnet and use a network ACL to enforce encryption.
AnswerC

Enabling SSL/TLS on RDS ensures that all connections to the database are encrypted in transit.

Why this answer

Option C is correct because forcing TLS on the database (rds.force_ssl=1 for PostgreSQL and SQL Server, require_secure_transport=ON for MySQL and MariaDB, set in the DB parameter group) rejects plaintext sessions server-side, and a client configured to use TLS and verify the RDS certificate chain (sslmode=verify-full or the engine's equivalent) ensures the connection really is encrypted to the intended endpoint rather than to something in the path. Option A is incorrect because IAM database authentication is an authentication mechanism; it does not force every connection, password logins included, to be encrypted. Option B is incorrect because a security group filters on port and source; the database listens on its own port (3306, 5432 and so on), and a port rule cannot tell an encrypted session from a plaintext one.

Option D is incorrect because subnet placement and network ACLs operate on addresses and ports; they have no notion of encryption.

1265
MCQmedium

A company is using AWS Organizations to manage multiple accounts. The network team needs to allow a centralized inspection VPC to inspect all traffic between VPCs in different accounts. Which AWS service should be used to route traffic through the inspection VPC?

A.AWS Transit Gateway
B.VPC peering connections
C.AWS PrivateLink
D.AWS Site-to-Site VPN
AnswerA

Transit Gateway supports transitive routing and central inspection.

Why this answer

Option A is correct because a Transit Gateway with separate route tables can route traffic between VPC attachments and send it first to a network appliance in the inspection VPC; with AWS RAM the same Transit Gateway can be attached from VPCs in every account of the organization. Option B is wrong because VPC peering is a simple point-to-point connection and does not support transitive routing through a third VPC. Option D is wrong because a Site-to-Site VPN is for hybrid connectivity, not inter-VPC routing.

Option C is wrong because PrivateLink exposes a specific service endpoint privately; it does not route general traffic between VPCs.

1266
MCQeasy

A security team requires that all traffic between Amazon EC2 instances in different subnets of a VPC be logged. Which AWS service should be used to capture and log the traffic?

A.VPC Flow Logs
B.AWS CloudTrail
C.VPC Traffic Mirroring
D.AWS Config
AnswerA

VPC Flow Logs capture network traffic metadata and can be logged to CloudWatch Logs or S3.

Why this answer

Option A is correct because VPC Flow Logs record metadata for IP traffic to and from network interfaces (addresses, ports, protocol, bytes, packets, ACCEPT or REJECT) and can be published to CloudWatch Logs, Amazon S3 or Firehose; enabling them at the VPC level covers every subnet and interface, including traffic between subnets. Option B is wrong because AWS CloudTrail logs API calls, not network traffic. Option C is wrong because VPC Traffic Mirroring copies full packets to an analysis target, which is heavier than a logging requirement needs.

Option D is wrong because AWS Config tracks resource configuration changes.
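Flow log records are plain space-separated lines, and the useful work starts once they are parsed. The following is an added example written for this page, not part of the original question bank: a parser for the default (version 2) flow log format, a per-subnet traffic summary, and a REJECT finder, run over log lines constructed for the example (the interface IDs, addresses and account number are made up).

```python
"""Added example: parse VPC Flow Log records in the default v2 format and
summarize traffic between two subnets, flagging REJECTed flows. All log
lines and subnet ranges below are constructed for this example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default flow log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: 10.0.1.0/24 is the web subnet, 10.0.2.0/24 the db subnet.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 5432 49152 6 10 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 10.0.1.11 10.0.2.20 49153 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.7 10.0.1.10 51000 443 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1700000000 1700000060 - NODATA
"""

SUBNETS = {"web": ip_network("10.0.1.0/24"), "db": ip_network("10.0.2.0/24")}


def parse_flow_log(text):
    """Return a list of dicts, one per record with log-status OK.
    NODATA and SKIPDATA records carry no addresses and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or a custom format; skip rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def subnet_of(addr, subnets):
    a = ip_address(addr)
    for name, net in subnets.items():
        if a in net:
            return name
    return "external"


def summarize(records, subnets):
    """Bytes per (source subnet, destination subnet, action)."""
    totals = defaultdict(int)
    for r in records:
        key = (subnet_of(r["srcaddr"], subnets), subnet_of(r["dstaddr"], subnets), r["action"])
        totals[key] += r["bytes"]
    return dict(totals)


def rejected_flows(records):
    """(src, dst, dst port) for every flow a security group or NACL dropped."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records if r["action"] == "REJECT"]
```

On the sample, the summary shows the expected web-to-db traffic in both directions plus one external client reaching the web subnet, and the REJECT finder surfaces the SSH attempt from 10.0.1.11 to the database host. In production the same functions run over objects pulled from the S3 prefix or a CloudWatch Logs query result; a custom flow log format changes FIELDS and nothing else.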

1267
MCQmedium

A company has a Direct Connect connection with a single private virtual interface (VIF) to a virtual private gateway (VGW) attached to a VPC. The VPC CIDR is 10.0.0.0/16. The on-premises CIDR is 172.16.0.0/12. The BGP session is established, and the on-premises router is advertising the 172.16.0.0/12 route to the VGW. The VGW is configured to propagate routes to the VPC route tables. However, instances in the VPC cannot reach on-premises resources. The VPC route table shows a propagated route for 172.16.0.0/12 with a target of the VGW. What is the most likely issue?

A.The security groups for the VPC instances do not allow outbound traffic to the on-premises network
B.The VPC route table does not have a route for the on-premises CIDR
C.The on-premises router does not have a route to the VPC CIDR via the Direct Connect interface
D.The BGP session is not advertising the VPC CIDR to the on-premises router
AnswerC

Without a return route, traffic cannot reach the VPC.

Why this answer

Option C is correct because the on-premises router must carry a route for 10.0.0.0/16 pointing at the Direct Connect interface; the VPC CIDR is advertised over the private VIF automatically, but if the router filters or ignores it, or prefers another path (for instance a default route towards the internet), the return traffic never comes back. Option B is wrong because the VPC route table shows the propagated 172.16.0.0/12 route. Option D is wrong because the virtual private gateway advertises the VPC CIDR over the private VIF on its own; nothing needs to be configured for that.

Option A is wrong because security groups allow all outbound traffic by default and are stateful, so return packets for allowed connections are admitted.

1268
MCQmedium

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be accessible only from a specific AWS Client VPN endpoint. The security team has configured the ALB security group to allow inbound traffic from the Client VPN CIDR range, but users report that they can still access the application from outside the VPN. What is the MOST likely cause of this issue?

A.The ALB security group is not set as the source for inbound traffic; instead, traffic reaches the ALB directly from the internet.
B.The network ACL is stateless and requires separate inbound and outbound rules for return traffic.
C.The subnet's network ACL allows inbound HTTP/HTTPS traffic from 0.0.0.0/0.
D.The EC2 instances' security group allows inbound traffic from 0.0.0.0/0.
AnswerA

If the ALB security group does not restrict inbound traffic, traffic can bypass the Client VPN.

Why this answer

Option A is correct. Security groups are enforced on every ALB node, so for outside users to get through, the ALB's own security group must still permit them; in practice this means the restriction was not put on the ALB. Typical causes are the VPN-CIDR allow rule being added next to an existing 0.0.0.0/0 allow rule (security group rules are all allows, so the broadest one wins), or the rule being applied to the targets' security group while the internet-facing ALB keeps accepting any source and forwards it on. Two further practitioner points: Client VPN traffic enters the VPC source-NATed to the addresses of the endpoint's network interfaces in the associated subnets, so the right source for an allow rule is the Client VPN endpoint's security group (or the association subnets' CIDRs), not the client address pool; and if the application must never be reachable from the internet, make the ALB internal so it has no public addresses at all, rather than relying on a single security group rule.

Exam trap

The trap here is that candidates assume the ALB security group is automatically restrictive. AWS tests the nuance that an internet-facing ALB accepts traffic from anywhere unless its own security group limits the sources, so a restriction configured elsewhere, or alongside a wider allow rule, changes nothing.

How to eliminate wrong answers

Option B is wrong because network ACLs being stateless is a true statement but does not explain the symptom; network ACLs operate at the subnet level and affect all traffic, not just VPN traffic, and a missing return rule would break connections rather than open them. Option C is wrong because a permissive network ACL (allowing HTTP/HTTPS from 0.0.0.0/0) does not override a restrictive security group; both must allow a packet, so the ALB security group would still block non-VPN traffic if it were correct. Option D is wrong because the EC2 instances' security group allowing 0.0.0.0/0 is irrelevant while the ALB is the entry point; the ALB terminates the client connection and forwards to the targets, so the instances' security group only needs to allow traffic from the ALB's security group, and it cannot let anyone bypass the ALB.

1269
MCQhard

A company is troubleshooting connectivity between two VPCs (VPC-A and VPC-B) that are peered together. Both VPCs are in the same region. VPC-A has a CIDR of 10.0.0.0/16 and VPC-B has a CIDR of 10.0.0.0/16. The peering connection is established and the route tables are updated. However, EC2 instances in VPC-A cannot ping EC2 instances in VPC-B. What is the most likely cause?

A.The route tables do not have routes to the private IP addresses of the instances.
B.The VPCs have overlapping CIDR blocks.
C.The security groups in VPC-B do not allow inbound ICMP traffic from VPC-A.
D.The VPCs are in different regions and peering does not work across regions.
AnswerB

Overlapping CIDRs prevent proper routing in VPC peering.

Why this answer

Option B is correct. VPC peering requires non-overlapping CIDR blocks; with both VPCs using 10.0.0.0/16, a route for the peer's CIDR would collide with each VPC's own local route, and AWS will not activate such a peering request (it goes to a failed state). In a real troubleshoot, a peering that shows active means the CIDRs do not overlap, so the overlap has to be caught in the design before the peering is requested.

Option C is wrong because security groups can be opened for ICMP and are the next thing to check once routing is possible. Option A is wrong because routes point to CIDR blocks, not per-instance addresses, and the route tables are stated to be updated. Option D is wrong because both VPCs are in the same Region (and inter-Region peering is supported anyway).

1270
MCQeasy

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The network team notices intermittent packet loss on the Direct Connect virtual interface (VIF). Which AWS service should be used to monitor the latency and packet loss on the VIF?

A.AWS Health Dashboard
B.VPC Flow Logs
C.AWS CloudWatch
D.AWS Transit Gateway Network Manager
AnswerC

CloudWatch is where Direct Connect connection and virtual interface metrics are published.

Why this answer

CloudWatch exposes Direct Connect metrics such as ConnectionState, ConnectionBpsIngress/Egress, ConnectionPpsIngress/Egress, ConnectionErrorCount (MAC-level errors), ConnectionCRCErrorCount and optical light levels, plus per-VIF bits and packets per second; rising error and CRC counters point at a degraded physical link, and alarms can be set on them. There is no built-in latency or loss metric for the VIF itself; round-trip latency and loss across the link are measured end to end (for example with a probe host on each side) and can be published as custom metrics. VPC Flow Logs record IP traffic metadata, not link quality. AWS Health Dashboard reports AWS-side service events and scheduled maintenance on the connection.

AWS Network Manager (formerly Transit Gateway Network Manager) visualizes the global network and its events but does not replace the per-connection CloudWatch metrics.

1271
MCQmedium

Refer to the exhibit. A network engineer has established a VPC peering connection between VPC A (10.0.0.0/16) in account 111111111111 and VPC B (192.168.0.0/16) in account 222222222222. The peering connection status is 'active'. However, instances in VPC A cannot reach instances in VPC B. What is the MOST likely cause?

A.The peering connection is not in the 'active' state
B.Route tables in one or both VPCs do not have routes to the peer CIDR
C.Security groups in VPC B are blocking traffic
D.The CIDR blocks overlap
AnswerB

Missing routes prevent communication.

Why this answer

Option B is correct because a peering connection only becomes a usable path once each VPC's route tables contain a route for the peer's CIDR with the peering connection as target; the peering itself adds no routes. Option A is incorrect because the status is given as active. Option D is incorrect because 10.0.0.0/16 and 192.168.0.0/16 do not overlap (and an overlapping request could not have become active).

Option C is incorrect only as the most likely cause: security groups and network ACLs in VPC B can certainly block the traffic and are the next check, but nothing in the scenario points to them, while missing routes are the most common reason an active peering carries no traffic.

1272
MCQhard

A company is designing a multi-account architecture. They need to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the security account. The logs must be encrypted at rest using a customer-managed KMS key in the security account. Which combination of steps is required?

A.Configure the S3 bucket policy to allow the log accounts to write; encryption is automatic with SSE-S3.
B.Create a KMS key in each account and configure the S3 bucket to use each key.
C.Configure the KMS key policy to allow the log-producing accounts to use the key, and the S3 bucket policy to allow those accounts to write.
D.Create a KMS key in the security account with no key policy changes; use bucket policies to allow cross-account writes.
AnswerC

Cross-account KMS requires key policy; bucket policy allows writes.

Why this answer

Option C is correct because a customer-managed key in the security account can only be used by principals in other accounts if its key policy grants them permission, and the bucket policy must separately allow those accounts to write objects; both pieces are required. Option A is wrong because SSE-S3 uses S3-managed keys, not the customer-managed KMS key the requirement calls for. Option B is wrong because a key in each account is neither a single key in the security account nor centralized key management.

Option D is wrong because the default key policy only admits the key-owning account; without an explicit grant in the key policy, no bucket policy can let another account encrypt with the key.
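The following is an added example, not part of the question bank: it contrasts the default key policy of option D with the cross-account key policy of option C, and checks whether each producer account is granted the actions it needs (kms:GenerateDataKey to encrypt new objects, kms:Decrypt to read them back). The account IDs are constructed; the evaluator is deliberately simplified to Allow statements with AWS principals and ignores Deny statements and Conditions. In a real deployment, flow logs are written by the AWS log delivery service, so the key policy and bucket policy grant that service principal scoped with aws:SourceAccount rather than the producer accounts' root principals; the check here follows the question's framing.

```python
"""Added example, not part of the question bank: check whether a KMS key
policy grants the accounts that produce flow logs the actions needed to
encrypt with (and read back under) the key. Account IDs are made up;
evaluation is simplified to Allow statements with AWS principals,
ignoring Deny statements and Conditions."""
import fnmatch

SECURITY_ACCOUNT = "333333333333"                     # hypothetical key owner
PRODUCER_ACCOUNTS = ["111111111111", "222222222222"]  # hypothetical log producers
REQUIRED_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]

# Option D: the default key policy, which only admits the key-owning account.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}


def cross_account_key_policy(owner, producers):
    """Option C: the default statement plus an explicit grant to each producer account."""
    policy = {"Version": "2012-10-17", "Statement": list(DEFAULT_KEY_POLICY["Statement"])}
    policy["Statement"].append({
        "Sid": "AllowLogProducersToUseKey",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in producers]},
        "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
        "Resource": "*",
    })
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs named by an AWS principal element ('*' means everyone)."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])):
        parts = arn.split(":")
        accounts.add(parts[4] if len(parts) > 4 else arn)  # bare account IDs are valid too
    return accounts


def allowed_actions(policy, account):
    """Action patterns that Allow statements grant to an account's root principal."""
    granted = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        accounts = _principal_accounts(statement["Principal"])
        if "*" in accounts or account in accounts:
            granted.extend(_as_list(statement["Action"]))
    return granted


def missing_grants(policy, producers, required=REQUIRED_ACTIONS):
    """Map each producer account to the required actions the policy does not grant it."""
    missing = {}
    for account in producers:
        patterns = [p.lower() for p in allowed_actions(policy, account)]
        lacking = [a for a in required
                   if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if lacking:
            missing[account] = lacking
    return missing


if __name__ == "__main__":
    print("default policy:", missing_grants(DEFAULT_KEY_POLICY, PRODUCER_ACCOUNTS))
    fixed = cross_account_key_policy(SECURITY_ACCOUNT, PRODUCER_ACCOUNTS)
    print("cross-account policy:", missing_grants(fixed, PRODUCER_ACCOUNTS))
```

The bucket policy is the other half of option C and is not checked here; the point of the example is that with the default key policy every producer account comes back lacking both actions, and no amount of bucket-policy work changes that result.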

1273
MCQmedium

A network engineer is troubleshooting why an EC2 instance (with the above security group) is not responding to HTTP requests from the internet. The instance is in a public subnet with an Internet Gateway attached. The route table has a default route to the Internet Gateway. What is the most likely cause?

A.The security group only allows traffic from the 10.0.0.0/8 range
B.The security group does not allow inbound ICMP traffic
C.The route table does not have a route for the internet
D.The network ACL is blocking inbound HTTP
AnswerA

The security group rule only permits HTTP from the private 10.0.0.0/8 CIDR, not from the internet.

Why this answer

Option A is correct. The security group allows HTTP (TCP 80) only from 10.0.0.0/8, a private range, so requests from internet sources are never admitted; they would need a rule for 0.0.0.0/0 (and ::/0 if the instance is reachable over IPv6).

Option B is wrong because ICMP has nothing to do with HTTP. Option C is wrong because the scenario states the route table already has a default route to the internet gateway. Option D is possible in principle, but the security group rule shown already explains the failure and should be corrected first.
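The following is an added example, not part of the question bank: a small evaluator that decides whether a security group's inbound rules admit a given connection, using rules in the shape of the IpPermissions list from EC2 DescribeSecurityGroups. The two rule sets are constructed to mirror the question (HTTP from 10.0.0.0/8 only) and its fix. It handles port ranges, the all-protocols value "-1" and IPv6 ranges, which the question does not show; security-group-to-security-group references (UserIdGroupPairs) are not evaluated.

```python
"""Added example, not part of the question bank: decide whether a security
group's inbound rules admit a connection. Rules are in the shape of the
IpPermissions list from EC2 DescribeSecurityGroups; the rule sets below are
constructed to mirror the question (HTTP from 10.0.0.0/8 only) and its fix."""
import ipaddress

# Constructed: the misconfigured group from the question.
SG_PRIVATE_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
]
# The fix: an additional rule for HTTP from anywhere (IPv4 and IPv6).
SG_PUBLIC_WEB = SG_PRIVATE_ONLY + [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def rule_matches(rule, protocol, port, source_ip):
    """True if one inbound rule covers (protocol, port) from source_ip.

    Security groups have allow rules only and are stateful, so a match on
    any single rule admits the connection and no return rule is needed."""
    src = ipaddress.ip_address(source_ip)
    proto = rule["IpProtocol"]
    if proto != "-1" and proto != protocol:  # "-1" means all protocols
        return False
    if proto in ("tcp", "udp"):
        # FromPort/ToPort are inclusive and present only for port-based protocols.
        if not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    # ipaddress reports a v4 address as never inside a v6 network and vice versa.
    return any(src in ipaddress.ip_network(c) for c in cidrs)


def matching_rules(rules, protocol, port, source_ip):
    """All rules that would admit the connection (useful for spotting redundant rules)."""
    return [r for r in rules if rule_matches(r, protocol, port, source_ip)]


def is_allowed(rules, protocol, port, source_ip):
    return bool(matching_rules(rules, protocol, port, source_ip))


if __name__ == "__main__":
    for name, rules in (("private-only", SG_PRIVATE_ONLY), ("public-web", SG_PUBLIC_WEB)):
        for src in ("10.20.30.40", "203.0.113.10"):
            print(f"{name}: tcp/80 from {src} ->", is_allowed(rules, "tcp", 80, src))
```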

1274
MCQeasy

A company wants to provide secure access to an S3 bucket from a VPC without using an internet gateway or NAT device. Which AWS feature should be used?

A.Internet gateway
B.NAT gateway
C.AWS Site-to-Site VPN connection
D.VPC endpoint (Gateway type) for S3
AnswerD

A Gateway VPC endpoint provides private access to S3.

Why this answer

A VPC endpoint (Gateway type) for S3 allows instances within a VPC to access S3 buckets privately using the AWS network, without requiring an internet gateway or NAT device. This is achieved by adding an endpoint route in the VPC route table that directs S3 traffic through the AWS backbone, ensuring data never traverses the public internet.

Exam trap

AWS often tests the misconception that a NAT gateway alone provides private S3 access, but candidates must remember that NAT gateways still require an internet gateway and do not eliminate internet transit for S3 traffic.

How to eliminate wrong answers

Option A is wrong because an internet gateway provides direct internet access, which is explicitly not allowed per the requirement to avoid internet gateways or NAT devices. Option B is wrong because a NAT gateway enables outbound internet traffic from private subnets, but it still relies on an internet gateway and public IPs, violating the no-internet-gateway condition. Option C is wrong because an AWS Site-to-Site VPN connection extends an on-premises network to the VPC over the internet, but it does not provide direct private access to S3 from within the VPC without additional routing and still uses the internet for the VPN tunnel.

1275
MCQmedium

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its on-premises network to its VPC. The on-premises network team reports that they can ping the private IP address of an EC2 instance in the VPC, but cannot establish a TCP connection to a web server running on that instance. The network security group allows inbound TCP port 80 from the on-premises CIDR. What should the network engineer check next?

A.Review the network ACL associated with the subnet to ensure it allows inbound TCP 80.
B.Check the operating system firewall and web server configuration on the EC2 instance.
C.Check the BGP session status on the Direct Connect virtual interface.
D.Verify the route table on the VPC has a route back to the on-premises network.
AnswerB

The OS firewall or application may block TCP despite security group allowing it.

Why this answer

Option B is correct. A successful ping shows that the Direct Connect path, BGP and routing in both directions are working up to the instance, so the remaining suspects are on the host: the OS firewall (iptables/nftables or Windows Firewall) and whether the web server is actually listening on TCP 80 on the right interface. Option C is wrong because BGP on the private VIF must already be up for the ping to succeed. Option D is wrong for the same reason: the ping reply reaching on premises shows the VPC already has a route back.

Option A is less likely than B, though not impossible: a network ACL is stateless and could pass ICMP while denying TCP 80 in either direction, so it is worth reviewing if the host checks come up clean.
