AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 1351-1425

1705 questions total · 23 pages · All types, answers revealed

Page 19 of 23
1351
MCQeasy

A network engineer is creating an IAM policy for a DevOps team. The team needs to manage VPN connections. What is the effect of this policy?

A.Denies deletion of VPN connections.
B.Allows full management of VPN connections and associated resources.
C.Restricts access to only VPN connections.
D.Allows read-only access to VPN configurations.
AnswerB

Every EC2 action is allowed on the VPN-related resources matched by the wildcard.

Why this answer

The policy exhibit is not reproduced on this page; the explanation assumes a single Allow statement with `ec2:*` as the action and a resource pattern matching VPN-related resources (`*vpn*`). `ec2:*` covers every EC2 API operation, including the create, modify, delete and describe calls, so the statement permits full lifecycle management of VPN connections and of the related VPN gateway and customer gateway resources, which is option B. One check a practitioner should add: EC2 `Describe*` actions do not support resource-level permissions and only succeed when the statement's Resource is `*`, so a statement scoped to VPN ARNs needs a companion statement with `Resource: "*"` for the describe calls to work.

Exam trap

AWS often tests the misconception that a wildcard resource ARN like `*vpn*` only covers VPN connections, but it actually includes all VPN-related resources (gateways, customer gateways), and the `ec2:*` action allows all operations, not just read or limited management.

How to eliminate wrong answers

Option A is wrong because the policy does not explicitly deny deletion; it allows all actions on VPN resources, including deletion. Option C is wrong because the policy uses a wildcard (`*vpn*`) that covers VPN connections, VPN gateways, and customer gateways, not just VPN connections. Option D is wrong because the policy grants full management actions (e.g., `CreateVpnConnection`, `DeleteVpnConnection`), not just read-only access like `DescribeVpnConnections`.

1352
MCQmedium

A company has a VPC with public and private subnets. They launch an EC2 instance in a private subnet and need it to access the internet. Which combination of components is required?

A.A NAT Gateway in a public subnet and a default route (0.0.0.0/0) in the private subnet's route table pointing to the NAT Gateway
B.A NAT instance in the private subnet with a route to an Internet Gateway
C.A VPC Gateway Endpoint for S3 in the private subnet
D.An Internet Gateway (IGW) attached to the VPC and a default route (0.0.0.0/0) in the private subnet's route table pointing to the IGW
AnswerA

This allows instances in private subnets to initiate outbound internet traffic through the NAT Gateway.

Why this answer

Option A is correct: the NAT Gateway must sit in a public subnet (one whose route table sends 0.0.0.0/0 to an Internet Gateway) and the private subnet's route table needs a 0.0.0.0/0 route whose target is the NAT Gateway. Option D is wrong because pointing the private subnet's default route at the IGW turns it into a public subnet, and instances without a public or Elastic IP still cannot reach the internet through an IGW. Option B is wrong because a NAT instance also has to live in a public subnet with a route to the IGW; placed in the private subnet it has no path out.

Option C is wrong because a gateway endpoint only provides private access to Amazon S3 (or DynamoDB), not general internet access.

1353
Multi-Selectmedium

A company is designing a network architecture for a critical application that must be highly available across AWS Regions. The application uses an Application Load Balancer (ALB) in each Region, and the company wants to use a global DNS name that automatically routes traffic to the healthy Region with the lowest latency. The company also needs to be able to perform planned failover for maintenance. Which THREE components are required to meet these requirements?

Select 3 answers
A.Amazon Route 53 geolocation routing policy
B.Amazon Route 53 failover routing policy
C.Amazon Route 53 weighted routing policy for each ALB endpoint
D.Amazon Route 53 latency-based routing policy
E.Amazon Route 53 health checks for each ALB endpoint
AnswersC, D, E

Weighted records allow manual traffic shifting for maintenance.

Why this answer

Route 53 latency-based routing sends traffic to the Region with lowest latency. Health checks detect Region failures. Weighted records allow shifting traffic for maintenance.

Option D is correct because latency-based routing sends users to the Region with the lowest measured latency. Option E is correct because health checks on each ALB endpoint let Route 53 stop returning an unhealthy Region. Option C is correct because weighted records for each ALB (nested beneath the latency records) let the team set a Region's weight to 0 for planned maintenance without waiting for a health check to fail.

Option B is not required because failover routing only offers a primary/secondary model and cannot express lowest-latency selection between Regions. Option A is not required because geolocation routing selects by the user's location rather than by measured latency.

1354
Multi-Selectmedium

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect and a VPN connection as a backup. The on-premises network uses BGP to advertise routes to AWS. Which of the following are best practices for this setup? (Choose TWO.)

Select 2 answers
A.Advertise the same routes over both connections with identical BGP attributes.
B.Use different BGP ASNs for the Direct Connect and VPN connections.
C.Use the VPN connection as the primary path and Direct Connect as the backup.
D.Use the same BGP ASN for both the Direct Connect and VPN connections.
E.Configure BGP attributes to ensure that the Direct Connect path is preferred over the VPN path.
AnswersD, E

Both BGP sessions can share the on-premises ASN; path preference is set with BGP attributes.

Why this answer

Option D is correct because the Direct Connect private VIF and the VPN connection terminate on the same AWS gateway and can both use the same on-premises ASN; a single ASN is the normal design when one router pair originates both sessions, and standard eBGP loop prevention (a router drops routes whose AS_PATH already contains its own ASN) works the same whether one or two ASNs are used. Option E is correct because the design goal is Direct Connect primary, VPN backup: advertise the same prefixes over both paths, make the VPN path less attractive (for example with AS_PATH prepending on the VPN advertisements), and prefer the Direct Connect-learned routes on the customer router with LOCAL_PREF. AWS already prefers Direct Connect over a Site-to-Site VPN for the same prefix on a virtual private gateway or transit gateway, so the attribute tuning mainly governs the on-premises-to-AWS direction.

Exam trap

The trap is option B: different ASNs add nothing to loop prevention here and only complicate the router configuration. Option A is also a trap because advertising identical attributes over both paths leaves the choice to tie-breakers, and option C inverts the intended primary/backup roles.

1355
MCQeasy

A company has a VPC with multiple subnets. They want to monitor all network traffic entering and leaving the VPC for security analysis. Which AWS service should they use?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture network traffic metadata (addresses, ports, protocol, bytes, packets, accept/reject), not packet payloads; full packets require VPC Traffic Mirroring.

Why this answer

Option D is correct. VPC Flow Logs capture IP traffic information. Option A is wrong because CloudTrail logs API calls.

Option B is wrong because Config records resource changes. Option C is wrong because GuardDuty is a threat detection service that uses flow logs but does not capture traffic itself.

1356
MCQeasy

A company is deploying a hybrid network architecture with an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The on-premises network uses BGP to advertise routes to the VPN connection. After the VPN is established, the on-premises network cannot reach EC2 instances in the VPC. The VPC route table has a route for the on-premises CIDR block pointing to the VPN gateway. What is the most likely cause of this issue?

A.The VPN connection is not using the correct pre-shared key.
B.The security group attached to the EC2 instances does not allow inbound traffic from the on-premises CIDR.
C.The on-premises network is advertising a default route (0.0.0.0/0) via BGP, which is overriding the VPC's local route.
D.The VPC's network ACLs are blocking inbound traffic from the on-premises network.
AnswerB

The VPC local route always wins for the VPC CIDR, so the routing described is sound; a security group that omits the on-premises CIDR is the usual reason an established tunnel passes no application traffic.

Why this answer

Traffic from on-premises arrives through the virtual private gateway and is delivered inside the VPC by the local route, which covers the whole VPC CIDR and cannot be displaced by a less specific propagated route. The return path is covered by the route for the on-premises CIDR that the question says already points to the virtual private gateway. With the tunnel up, BGP established and both directions routed, the remaining control that silently drops inbound traffic is the instance's security group: if it has no inbound rule for the on-premises CIDR, the traffic is denied and the instances appear unreachable, which is option B.

Exam trap

The trap is option C. A propagated 0.0.0.0/0 from on-premises is accepted into the VPC route table when route propagation is enabled, but route selection is longest-prefix match first and then local > static > propagated, so it never overrides the local route for the VPC CIDR. Its real effect is on egress: in a subnet with no static 0.0.0.0/0 route it captures internet-bound traffic and sends it over the VPN.

How to eliminate wrong answers

Option A is wrong because a pre-shared key mismatch prevents the tunnel from coming up at all, and the question states the VPN is established. Option C is wrong for the reason given above: a default route is less specific than the VPC CIDR and cannot override the local route. Option D is possible but less likely: the default network ACL allows all traffic in both directions and the question mentions no custom NACL rules, whereas security groups deny inbound traffic unless a rule explicitly allows it.
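How the route selection described above plays out, as an added example that is not part of the original page: a small model of VPC route-table lookup (longest prefix first, then local > static > propagated) run over a constructed route table. The targets igw-0example and vgw-0example are placeholders, and the on-premises and VPC ranges are the ones used in this page's questions.

```python
import ipaddress

# Route priority used by VPC route tables after longest-prefix match:
# local routes win over static routes, which win over routes propagated
# from a virtual private gateway. (Assumption: propagated routes from one
# VGW are modelled as a single class; DX-vs-VPN ordering is not needed here.)
ORIGIN_PRIORITY = {"local": 0, "static": 1, "propagated": 2}


def select_route(route_table, destination):
    """Return the route a VPC route table uses for `destination`, or None."""
    addr = ipaddress.ip_address(destination)
    matching = [r for r in route_table if addr in ipaddress.ip_network(r["destination"])]
    if not matching:
        return None
    # Longest prefix first; on equal prefix length, the most trusted origin.
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r["destination"]).prefixlen,
                       ORIGIN_PRIORITY[r["origin"]]),
    )


def next_hop(route_table, destination):
    route = select_route(route_table, destination)
    return route["target"] if route else "drop"


# Constructed route table for a public subnet of VPC 10.0.0.0/16 with a
# Site-to-Site VPN to on-premises 192.168.0.0/16. Identifiers are placeholders.
ROUTE_TABLE = [
    {"destination": "10.0.0.0/16", "target": "local", "origin": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-0example", "origin": "static"},
    {"destination": "192.168.0.0/16", "target": "vgw-0example", "origin": "propagated"},
    # The default route the question's on-premises router advertises over BGP:
    {"destination": "0.0.0.0/0", "target": "vgw-0example", "origin": "propagated"},
]

# The same table for a subnet that has no static default route of its own.
NO_STATIC_DEFAULT = [r for r in ROUTE_TABLE if r["origin"] != "static"]


def demo():
    """Where does traffic go once the on-premises 0.0.0.0/0 has been propagated?"""
    return {
        # Traffic to an instance in the VPC still stays local: /16 beats /0.
        "to_vpc_instance": next_hop(ROUTE_TABLE, "10.0.1.10"),
        # Internet-bound traffic keeps using the IGW: static beats propagated.
        "public_subnet_to_internet": next_hop(ROUTE_TABLE, "198.51.100.7"),
        # Without a static default, the propagated default captures internet-bound traffic.
        "no_static_default_to_internet": next_hop(NO_STATIC_DEFAULT, "198.51.100.7"),
        "to_on_prem": next_hop(ROUTE_TABLE, "192.168.5.5"),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name}: {target}")
```

The first two results are the point of the correction: the propagated default never touches traffic for the VPC CIDR, and it only wins where no static default exists.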

1357
MCQhard

A company needs to securely connect an on-premises data center to AWS using multiple VPN tunnels. The security team requires that all traffic between the VPC and on-premises be encrypted and that the tunnels use a second authentication mechanism beyond pre-shared keys. Which solution meets these requirements?

A.Use AWS Client VPN with mutual authentication
B.Use AWS Transit Gateway with VPN attachments and configure pre-shared keys
C.Use AWS VPN CloudHub with multiple VPN connections and configure certificate-based authentication for each tunnel
D.Use AWS Direct Connect with a public VIF and establish an IPsec VPN over the Direct Connect connection
AnswerC

CloudHub is several Site-to-Site VPN connections on one virtual private gateway, and each connection can authenticate its tunnels with a certificate instead of a pre-shared key.

Why this answer

Option C is correct because VPN CloudHub is simply multiple Site-to-Site VPN connections terminating on one virtual private gateway with BGP, and an AWS Site-to-Site VPN connection can authenticate its IKE tunnels with a private certificate issued by AWS Private CA rather than a pre-shared key, which is the stronger authentication the security team asked for. Option D is wrong because a public VIF does not encrypt traffic by itself, and an IPsec VPN over it as described still authenticates with pre-shared keys. Option A is wrong because Client VPN serves individual remote users with OpenVPN-based mutual TLS, not a site-to-site data center link.

Option B is wrong because it explicitly configures pre-shared keys, the single mechanism the requirement wants to go beyond. Note that certificate authentication replaces the pre-shared key on the tunnel rather than being layered on top of it.

1358
Multi-Selectmedium

A company is migrating a legacy application to AWS. The application requires multicast traffic between EC2 instances in the same VPC. Which TWO AWS services can support this requirement? (Choose TWO.)

Select 2 answers
A.AWS VPC Lattice
B.Network Load Balancer (NLB)
C.Application Load Balancer (ALB)
D.Gateway Load Balancer (GWLB)
E.AWS Transit Gateway multicast domain
AnswersE

Only a Transit Gateway multicast domain forwards multicast between instances.

Why this answer

Option E is correct: a VPC does not natively forward multicast, and a Transit Gateway multicast domain with the VPC subnets associated and instances registered as sources and group members is the AWS mechanism that carries it. It is also the only listed option that does so, so the question's request for two answers cannot be satisfied from this option set.

Option A is incorrect because VPC Lattice is an application-layer (HTTP, HTTPS, gRPC) service networking layer and does not forward multicast. Options B, C and D are incorrect because Network, Application and Gateway Load Balancers are unicast services; a Gateway Load Balancer tunnels traffic to appliances over GENEVE but provides no multicast between instances.

1359
MCQmedium

A company has a VPC with two subnets: a public subnet with a NAT Gateway and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a security group that allows all outbound traffic. The private subnet's route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, the instance cannot reach the internet. What is the most likely issue?

A.The security group does not allow inbound traffic from the internet.
B.The NAT Gateway is deployed in a private subnet.
C.The network ACL on the private subnet blocks outbound traffic.
D.The instance's DNS resolution is not configured correctly.
AnswerB

NAT Gateway requires a public subnet with an Internet Gateway to function.

Why this answer

The NAT Gateway must be in a public subnet, meaning a subnet whose route table sends 0.0.0.0/0 to an Internet Gateway, and it needs an Elastic IP. Placed in a private subnet it has no path to the internet and the forwarded traffic is dropped. Option A is wrong because patch downloads are outbound connections and security groups are stateful, so no inbound rule is needed. Option C is wrong because the default network ACL allows all outbound traffic and the return traffic on ephemeral ports. Option D is wrong because a DNS problem would produce resolution errors rather than an unreachable internet, and the scenario describes a routing problem.

1360
MCQmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The security team needs to implement a centralized inspection architecture where all traffic between VPCs must be inspected by a security appliance (e.g., firewall) deployed in a dedicated inspection VPC. Currently, traffic flows directly between VPCs using the Transit Gateway. Which architecture change would enforce that all inter-VPC traffic passes through the inspection VPC?

A.Create VPC peering connections between each VPC and the inspection VPC, and remove the Transit Gateway attachments.
B.Configure the Transit Gateway to use separate route tables for each VPC attachment, with a default route pointing to the inspection VPC's attachment. Then, in the inspection VPC, route traffic back to the Transit Gateway for final delivery.
C.Use AWS Direct Connect Gateway to route traffic through the inspection VPC.
D.Deploy a Network Load Balancer in each VPC and configure it to forward traffic to the inspection VPC.
AnswerB

This design forces all inter-VPC traffic to traverse the inspection VPC for firewall inspection.

Why this answer

Option B is correct. With a separate Transit Gateway route table for the spoke attachments that carries only a 0.0.0.0/0 route toward the inspection VPC attachment, every inter-VPC packet is delivered to the inspection VPC first; the inspection VPC's subnet route tables then return the inspected traffic to the Transit Gateway, whose second route table (associated with the inspection attachment) holds the propagated spoke routes for final delivery. Enabling appliance mode on the inspection VPC attachment keeps both directions of a flow in the same Availability Zone and therefore on the same appliance, which a stateful firewall requires.

Option A is incorrect because VPC peering is point-to-point and non-transitive; peering every spoke to the inspection VPC cannot force spoke-to-spoke traffic through it and would abandon the Transit Gateway hub. Option C is incorrect because a Direct Connect gateway connects on-premises networks and does not steer inter-VPC routing. Option D is incorrect because a Network Load Balancer distributes connections to targets and does not control the route a packet takes between VPCs.

1361
MCQmedium

A company is setting up a Direct Connect connection to AWS. The on-premises router is configured with a BGP ASN of 65000. The AWS side uses a public ASN of 64512. Which configuration change is required for BGP peering to establish?

A.Increase the eBGP multihop TTL to 2.
B.Configure the BGP peer with a public ASN on the customer side.
C.Enable BGP authentication with MD5 password.
D.Change the customer ASN to a value in the 64512-65534 range.
AnswerD

Direct Connect accepts a private or a public ASN on the customer side; the key treats the private range as the required fix.

Why this answer

Option D is the key's answer, but note that 65000 already lies inside the 16-bit private ASN range 64512-65534, and a private virtual interface accepts either a private or a public customer ASN (including 32-bit ASNs), so the scenario as written does not actually require an ASN change; the AWS-side ASN of 64512 is itself a private ASN, not a public one. Option B is wrong because a public ASN is not required. Option C is wrong because the MD5 BGP password is optional.

Option A is wrong because the customer router and the AWS router are directly adjacent on the VIF, so eBGP multihop is not needed.

1362
MCQeasy

A company wants to provide its employees with access to a set of internal web applications hosted in a VPC. The applications are accessed via an internet-facing ALB. Security requirements mandate that employees connect only from the corporate network (on-premises) and not from the public internet. Which solution meets these requirements?

A.Make the ALB internal and use a NAT gateway to provide internet access.
B.Set up an AWS Client VPN endpoint in the VPC and make the ALB internal. Employees connect via the VPN.
C.Deploy a CloudFront distribution with an origin access identity pointing to the ALB.
D.Keep the ALB internet-facing but restrict access using a security group that allows only the corporate public IP range.
AnswerB

Client VPN provides secure access to the internal ALB from on-premises.

Why this answer

Option B is correct because an internal ALB has no public endpoint, and the Client VPN endpoint provides an authenticated, encrypted path into the VPC from which employees reach it. Option D is wrong because the ALB remains internet-facing; a security group that admits only the corporate public range still exposes the listener on public IPs and depends on that range never changing. Option A is wrong because a NAT gateway only provides outbound internet access for private subnets and gives employees no inbound path to an internal ALB.

Option C is wrong because CloudFront is a public edge service and an origin access identity applies to S3 origins, not to an ALB; it would publish the application rather than restrict it. In practice, traffic from an on-premises corporate network usually reaches an internal ALB over a Site-to-Site VPN or Direct Connect rather than per-user Client VPN sessions, but Client VPN is the only option here that keeps the ALB off the internet.

1363
MCQhard

A network engineer ran the command shown in the exhibit to check VPC peering connections. Two peering connections are active. The engineer wants to verify that routes are correctly configured. What additional step is needed to ensure that instances in vpc-11111111 can communicate with instances in vpc-33333333?

A.Configure security groups to allow traffic between the VPCs.
B.Enable DNS resolution for the peering connection.
C.Add a route in the route table of vpc-11111111 pointing to vpc-33333333 via the peering connection, and a route in vpc-33333333 pointing to vpc-11111111 via the same peering connection.
D.Ensure that the peering connection is in the 'active' state.
AnswerC

Routes are needed in both VPCs.

Why this answer

Option C is correct because VPC peering requires route table entries in both VPCs for the peer's CIDR with the peering connection as the target; an active peering connection by itself forwards nothing. Option D is wrong because the question already states the peering is active. Option A is wrong because security groups must allow the traffic too, but routing has to exist before any packet reaches an instance and is the missing step here.

Option B is wrong because DNS resolution across a peering connection only affects hostname lookups, not IP connectivity. Keep in mind that peering is not transitive: the route must reference a peering connection that directly joins vpc-11111111 and vpc-33333333, not one that passes through a third VPC.

1364
MCQhard

A network engineer is troubleshooting an issue where an on-premises server cannot reach an EC2 instance in a VPC over a Site-to-Site VPN. The VPN tunnel is up, and BGP is established. The engineer checks the route tables and sees the on-premises CIDR in the VPC route table pointing to the virtual private gateway. What is the most likely cause?

A.The VPN tunnel is not passing traffic due to a mismatch in pre-shared keys.
B.The on-premises router does not have a route back to the VPC CIDR pointing to the VPN tunnel.
C.The network ACLs in the VPC are blocking the traffic.
D.The security group attached to the EC2 instance is blocking inbound traffic from the on-premises CIDR.
AnswerB

Without a return route, the on-premises server cannot send traffic back to the EC2 instance.

Why this answer

Option B is correct because a route that exists only on the AWS side covers one direction. If the on-premises router has no route for the VPC CIDR via the VPN tunnel (or sends it to a different next hop, such as its internet default), the server's packets never enter the tunnel or the replies are dropped, and the instance appears unreachable. Option A is wrong because an established tunnel proves the pre-shared keys match. Option D is wrong because a security group only affects traffic that has already reached the instance, whereas the scenario describes an on-premises routing gap; it is the next thing to check, not the most likely cause.

Option C is wrong because the default network ACL permits all traffic, and a NACL that blocked the flow would block it symmetrically regardless of the route table state.

1365
MCQmedium

A company is using AWS Transit Gateway with multiple VPC attachments. They need to ensure that traffic between two specific VPCs is encrypted in transit. The VPCs are in the same AWS region. What is the SIMPLEST solution?

A.Enable encryption on the Transit Gateway route tables
B.Use AWS PrivateLink to connect the VPCs
C.Create a VPN attachment on the Transit Gateway and route traffic through it
D.Use VPC peering instead of Transit Gateway and enable encryption
AnswerC

VPN provides encryption.

Why this answer

Option C is correct because a Site-to-Site VPN attachment on the Transit Gateway terminates IPsec tunnels, so traffic routed through it is encrypted in transit; the other VPC hosts the VPN endpoint (a customer gateway device running on an EC2 instance, reached over its public IP) and the Transit Gateway route tables steer the two VPCs' traffic through the tunnels. Option A is incorrect because Transit Gateway route tables have no encryption setting. Option D is incorrect because VPC peering has no encryption option either.

Option B is incorrect because PrivateLink exposes individual services through interface endpoints and is not a VPC-to-VPC transport.

1366
MCQhard

A company runs a critical application on EC2 instances in an Auto Scaling group across two Availability Zones. The application is fronted by an Application Load Balancer (ALB). The network team recently migrated from a transit VPC to a transit gateway for inter-VPC connectivity. After the migration, users experience intermittent connectivity failures. The team checks the ALB target group and sees that health checks are passing. However, from an EC2 instance in the same VPC, they can reach the ALB but not the application. They notice that the application sends traffic to an internal DNS server that is in a different VPC, and the application depends on that DNS resolution. The transit gateway route tables are configured to propagate routes from attached VPCs. The DNS server is reachable from the application VPC over the transit gateway. What is the MOST likely cause of the intermittent failures?

A.The transit gateway route tables have a blackhole route for the DNS server's VPC.
B.The Auto Scaling group is scaling in and out frequently, causing application instances to be terminated during DNS resolution.
C.The DNS server returns different IP addresses for the same DNS name, and some IPs are not reachable due to route table misconfiguration.
D.The ALB security group does not allow traffic from the application instances on the ephemeral ports.
AnswerC

DNS changes with TTL can cause intermittent reachability to specific IPs.

Why this answer

If the DNS server returns different IP addresses for the same name (round-robin records, or a record that changed while a cached copy was still within its TTL) and some of those addresses are not reachable over the Transit Gateway because of a route table gap, only the requests that resolve to an unreachable address fail, which is exactly the intermittent pattern described. The target group health checks pass because the ALB probes the application's listening port on each instance, and that port answers even when the application's dependency lookups fail. Option A is less likely because a blackhole route would make the DNS server consistently unreachable, and the question states that it is reachable.

Option B would show up as failures correlated with scaling events and is rarely frequent enough to look like random loss. Option D would break every connection from the instances to the ALB, not an intermittent subset.

1367
MCQhard

A multinational corporation is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect and VPN. The network team is experiencing asymmetric routing for traffic between two VPCs that both have routes to the same on-premises network. Which feature should the team implement to resolve this issue?

A.Deploy a NAT Gateway in each VPC to force symmetric traffic.
B.Use AS_PATH prepending on the BGP advertisements from the on-premises router to influence route preference.
C.Create a Transit Gateway peering attachment between the two VPCs.
D.Enable VPC Flow Logs to detect and alert on asymmetric flows.
AnswerB

AS_PATH prepending makes one path less preferred, ensuring symmetric routing.

Why this answer

AS_PATH prepending allows the on-premises router to artificially lengthen the AS_PATH for specific BGP routes, making those routes less preferred. This influences route selection in the Transit Gateway and VPC route tables, ensuring that traffic from each VPC takes a consistent path and eliminating asymmetric routing.

Exam trap

The trap here is that candidates often confuse AS_PATH prepending with a general routing policy tool, but the key is that it directly influences BGP best-path selection to break ties and enforce path preference, which is exactly what is needed to fix asymmetric routing in a multi-homed Transit Gateway design.

How to eliminate wrong answers

Option A is wrong because a NAT Gateway is used for outbound-only traffic to the internet and does not enforce symmetric routing between VPCs or between VPCs and on-premises networks; it would also break return traffic from on-premises. Option C is wrong because a Transit Gateway peering attachment connects two Transit Gateways, not two VPCs directly, and does not resolve routing asymmetry caused by equal-cost paths to the same on-premises destination. Option D is wrong because VPC Flow Logs only provide visibility into traffic flows for monitoring and troubleshooting; they do not actively influence routing decisions to fix asymmetric routing.
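The attribute tuning discussed in questions 1354 and 1367, as an added example rather than anything from the original page: a reduced BGP best-path function (LOCAL_PREF, AS_PATH length, MED, then neighbor router-id) applied to constructed paths. The ASNs 64512 and 65000 are the ones the questions use; the router-ids, MED values and the simplified tie-break are assumptions.

```python
# BGP best-path selection subset, enough to show how LOCAL_PREF and AS_PATH
# prepending steer traffic. Assumptions: all candidate paths are eBGP routes
# for the same prefix, MED is comparable across them, and the lowest neighbor
# router-id is the final tie-break (the real algorithm has more steps).

def best_path(paths):
    """Winner: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED,
    then lowest neighbor router-id."""
    return min(
        paths,
        key=lambda p: (-p["local_pref"], len(p["as_path"]), p["med"], p["router_id"]),
    )


def prepend(path, times):
    """Copy of `path` with its first ASN repeated `times` extra times, as a
    router does when it prepends on outbound advertisements."""
    new = dict(path)
    new["as_path"] = [path["as_path"][0]] * times + list(path["as_path"])
    return new


# Scenario 1 (question 1354): the on-premises router (AS 65000) learns the VPC
# prefix from AWS (AS 64512) over Direct Connect and over the backup VPN.
# Both advertisements carry identical attributes, so the tie-break decides.
DX_PATH = {"name": "direct-connect", "local_pref": 100, "as_path": [64512],
           "med": 0, "router_id": "169.254.255.1"}
VPN_PATH = {"name": "vpn", "local_pref": 100, "as_path": [64512],
            "med": 0, "router_id": "169.254.10.1"}


def on_prem_choice_without_policy():
    """Tie-break alone may well pick the VPN, defeating the primary/backup design."""
    return best_path([DX_PATH, VPN_PATH])["name"]


def on_prem_choice_with_local_pref():
    """Raising LOCAL_PREF on routes learned over Direct Connect makes it primary."""
    preferred_dx = dict(DX_PATH, local_pref=200)
    return best_path([preferred_dx, VPN_PATH])["name"]


# Scenario 2 (question 1367): an on-premises prefix (AS 65000) reaches AWS over
# two Direct Connect locations with identical attributes. Each receiving router
# breaks the tie on its own, which is where asymmetric paths come from.
LOCATION_1 = {"name": "dx-location-1", "local_pref": 100, "as_path": [65000],
              "med": 0, "router_id": "10.255.0.2"}
LOCATION_2 = {"name": "dx-location-2", "local_pref": 100, "as_path": [65000],
              "med": 0, "router_id": "10.255.0.1"}


def aws_choice_without_prepending():
    return best_path([LOCATION_1, LOCATION_2])["name"]


def aws_choice_after_prepending(times=2):
    """Prepending on the advertisement sent via location 2 lengthens its AS_PATH,
    so every receiver that sees both now picks location 1 before any tie-break."""
    return best_path([LOCATION_1, prepend(LOCATION_2, times)])["name"]


if __name__ == "__main__":
    print("1354 without policy:", on_prem_choice_without_policy())
    print("1354 with LOCAL_PREF:", on_prem_choice_with_local_pref())
    print("1367 without prepending:", aws_choice_without_prepending())
    print("1367 with prepending:", aws_choice_after_prepending())
```

In this model the tie-break is deterministic; in a real deployment different receiving routers resolve the tie differently, which is exactly the asymmetry the question describes, and why a longer AS_PATH on one side is needed to make every receiver agree.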

1368
MCQmedium

A company uses AWS Organizations with SCPs to restrict access. The security team wants to ensure that no IAM user or role can disable AWS Shield Advanced protections. Which SCP effect should be used?

A.Deny in the IAM policy
B.Deny
C.Allow
D.Block
AnswerB

Deny in an SCP explicitly prohibits the specified actions.

Why this answer

Option B is correct because a Deny effect in an SCP sets a guardrail that no IAM policy in the member account can override; denying actions such as `shield:DeleteProtection` and `shield:DeleteSubscription` for all principals keeps the protections in place. Option C is wrong because an Allow in an SCP only defines what the account may do and restricts nothing by itself. Option A is wrong because a Deny in an IAM policy can be removed by anyone with IAM write permissions in that account, whereas an SCP is managed centrally from the organization.

Option D is wrong because there is no 'Block' effect in SCPs. Remember that SCPs do not apply to the management account, so the same control there has to come from IAM policies and monitoring.
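The wildcard and Deny behaviour behind questions 1351 and 1368, as an added example that is not from the page: a small IAM-style matcher evaluated against a constructed broad VPN policy, a least-privilege alternative, and a Shield guardrail SCP combined with a permissive identity policy. The policy exhibit for 1351 is not on the page, so the resource ARN patterns, account ID and resource IDs below are assumptions.

```python
import re

# Added example: a deliberately small IAM-style matcher for Action and
# Resource wildcards plus Deny precedence. It ignores Principal, NotAction
# and Condition, so it is a teaching aid, not a substitute for the IAM
# policy simulator. All policies below are constructed.


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """'Deny' if any matching statement denies (explicit deny wins),
    'Allow' if some statement allows and none denies, else 'ImplicitDeny'.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Question 1351 style: ec2:* on VPN-related resources (assumed ARN patterns).
BROAD_VPN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": [
            "arn:aws:ec2:*:*:vpn-connection/*",
            "arn:aws:ec2:*:*:vpn-gateway/*",
            "arn:aws:ec2:*:*:customer-gateway/*",
        ],
    }],
}

# Least-privilege alternative: named actions, and Describe* on "*" because
# EC2 Describe actions do not support resource-level permissions.
SCOPED_VPN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeVpnConnections", "ec2:DescribeVpnGateways",
                    "ec2:DescribeCustomerGateways"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:CreateVpnConnection", "ec2:ModifyVpnConnection"],
         "Resource": "arn:aws:ec2:*:*:vpn-connection/*"},
    ],
}

# Question 1368 style: an organization guardrail that denies disabling Shield
# Advanced protections, evaluated alongside a fully permissive identity policy.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SHIELD_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["shield:DeleteProtection", "shield:DeleteSubscription"],
                   "Resource": "*"}],
}

# Placeholder identifiers.
VPN_ARN = "arn:aws:ec2:us-east-1:123456789012:vpn-connection/vpn-0123456789abcdef0"
PROTECTION_ARN = "arn:aws:shield::123456789012:protection/0123abcd-0000-0000-0000-000000000000"


def report():
    """The outcomes the two questions hinge on."""
    return {
        "broad_delete": evaluate([BROAD_VPN_POLICY], "ec2:DeleteVpnConnection", VPN_ARN),
        # Describe calls are authorised against Resource "*", which the ARN patterns miss.
        "broad_describe": evaluate([BROAD_VPN_POLICY], "ec2:DescribeVpnConnections", "*"),
        "scoped_delete": evaluate([SCOPED_VPN_POLICY], "ec2:DeleteVpnConnection", VPN_ARN),
        "scoped_describe": evaluate([SCOPED_VPN_POLICY], "ec2:DescribeVpnConnections", "*"),
        "scoped_create": evaluate([SCOPED_VPN_POLICY], "ec2:CreateVpnConnection", VPN_ARN),
        "shield_delete_with_scp": evaluate([ADMIN_POLICY, SHIELD_GUARDRAIL_SCP],
                                           "shield:DeleteProtection", PROTECTION_ARN),
        "shield_delete_without_scp": evaluate([ADMIN_POLICY],
                                              "shield:DeleteProtection", PROTECTION_ARN),
    }


if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name}: {outcome}")
```

Two results are worth dwelling on: the broad policy allows `DeleteVpnConnection` yet fails the `Describe` calls its users will certainly make, and the SCP's Deny wins even over an identity policy that allows `*` on `*`.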

1369
MCQhard

A network engineer is troubleshooting high latency on a VPN connection between an on-premises network and AWS. The VPN uses two tunnels to a virtual private gateway. The engineer notices that traffic is only using one tunnel, and the other tunnel is idle. What should the engineer do to ensure both tunnels are utilized?

A.Create two separate site-to-site VPN connections to two different virtual private gateways and enable ECMP.
B.Configure BGP MED values to prefer the idle tunnel.
C.Configure static routes with equal metrics on both tunnels.
D.Use a transit gateway with equal cost multipath routing.
AnswerD

A virtual private gateway uses the two tunnels active/passive; only a transit gateway supports ECMP across tunnels.

Why this answer

Option D is correct because a virtual private gateway treats the two tunnels of a Site-to-Site VPN as active/passive and returns traffic over one tunnel at a time, whereas a transit gateway can load-balance across tunnels (and across several VPN connections) with equal-cost multipath routing when the VPN uses dynamic BGP routing and ECMP is enabled on the transit gateway. Option A is incorrect because a VPC can have only one virtual private gateway attached and a virtual private gateway does not support ECMP, so a second gateway is not an option. Option B is incorrect because MED only influences which tunnel is preferred; it does not make a virtual private gateway use both.

Option C is incorrect because static routes on a virtual private gateway still leave a single active tunnel; without ECMP there is no load sharing.

1370
MCQeasy

A company is setting up AWS Client VPN to allow remote employees to access resources in a VPC. The VPC has a CIDR block of 10.0.0.0/16. The Client VPN endpoint is associated with a subnet 10.0.1.0/24. The company wants to assign client IP addresses from a different CIDR range than the VPC to avoid overlap. Which client CIDR range should the company specify?

A.172.16.0.0/12
B.10.0.0.0/16
C.10.0.0.0/8
D.192.168.0.0/16
AnswerD

Non-overlapping private range.

Why this answer

Option D is correct because the client CIDR must not overlap the VPC CIDR or any network the clients need to reach through the endpoint, and it must be between a /22 and a /12 in size; 192.168.0.0/16 meets both requirements. Option B overlaps the VPC CIDR exactly. Option C (10.0.0.0/8) is a private range, but it contains the VPC CIDR and therefore overlaps.

Option A (172.16.0.0/12) also does not overlap and is exactly the largest permitted size, so it would satisfy the requirement as well; the key selects D, but the real check is non-overlap with every connected network, including on-premises ranges reached over VPN or Direct Connect.

1371
Multi-Selecteasy

A company is deploying a web application that must be accessible over HTTPS only. They are using an Application Load Balancer (ALB) with an SSL certificate from AWS Certificate Manager (ACM). Which TWO configurations are necessary to ensure that only HTTPS traffic reaches the application?

Select 2 answers
A.Configure the security group for the ALB to allow inbound traffic on port 80 from 0.0.0.0/0.
B.Configure the ALB listener to accept traffic on port 80.
C.Configure the security group for the ALB to allow inbound traffic on port 443 from 0.0.0.0/0.
D.Configure the ALB to redirect HTTP traffic to HTTPS.
E.Configure the ALB listener to accept traffic on port 443 using the SSL certificate.
AnswersC, E

This terminates TLS at the ALB and exposes only port 443 to the internet.

Why this answer

Options C and E are correct. The ALB needs an HTTPS listener on port 443 that references the ACM certificate, and its security group must allow inbound 443 from the client range (0.0.0.0/0 for a public application). Option B is wrong because an HTTP listener is not needed when only HTTPS should be accepted.

Option A is wrong because opening port 80 on the ALB admits plaintext connections. Option D is the usual companion to an HTTPS-only setup, but it presupposes an HTTP listener on port 80 that performs the redirect, so it is not one of the two necessary configurations. One caveat to check: terminating TLS at the ALB means the hop from the ALB to the targets is plaintext unless the target group protocol is HTTPS, so 'only HTTPS reaches the application' also depends on the target group settings.

1372
MCQeasy

A company is using AWS Organizations to manage multiple accounts. The security team wants to enforce that all S3 buckets across the organization are encrypted with SSE-S3. Which control mechanism should they use?

A.Assign an IAM policy to all users that requires SSE-S3.
B.Configure a bucket policy on each bucket to deny writes without SSE-S3.
C.Create a service control policy (SCP) that denies PutBucketEncryption if the encryption is not SSE-S3.
D.Use AWS CloudTrail to monitor and alert on non-compliant bucket creations.
AnswerC

SCPs can enforce policies across all accounts in the organization.

Why this answer

Option C is correct because an SCP applies to every account in the organization (except the management account) and denies the non-compliant action centrally. Option A is wrong because IAM policies live in each account and can be changed by that account's administrators. Option B is wrong because bucket policies are per bucket and would have to be attached to every new bucket.

Option D is wrong because CloudTrail records API calls and can raise alerts, but it prevents nothing. Two details worth knowing for the real service: the enforceable condition key is `s3:x-amz-server-side-encryption` on `s3:PutObject` (deny when its value is not `AES256`), and Amazon S3 has applied SSE-S3 to new objects by default since January 2023, so such an SCP mainly guards against explicit requests for a different scheme.

1373
MCQmedium

A company is setting up an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The VPC has a virtual private gateway (VGW) attached, and the VPN connection uses two tunnels for redundancy. The on-premises customer gateway (CGW) is configured with the public IP address of the on-premises VPN device. The VPN tunnels are up and BGP sessions are established. However, the company cannot ping an EC2 instance in the VPC from an on-premises server. The security group for the EC2 instance allows ICMP from the on-premises network CIDR. What is the MOST likely cause of the issue?

A.The route tables of the VPC subnets do not have a route for the on-premises CIDR pointing to the virtual private gateway.
B.The customer gateway is configured with an incorrect private IP address.
C.The VPN connection's security group is blocking ICMP traffic.
D.The BGP session is not advertising the on-premises routes to the VGW.
AnswerA

Without a route, traffic from VPC to on-premises is dropped.

Why this answer

Option A is correct because the VPC subnet route tables must contain a route for the on-premises CIDR with the virtual private gateway as the target, either added statically or learned by enabling route propagation from the VGW; without it, replies from the instance have no path back and the pings time out. Option D is less likely: the question describes the BGP sessions as established, and a missing advertisement would show up as an absent propagated route, which the same route table check reveals. Option B is incorrect because the customer gateway is configured with the device's public IP, as required.

Option C is incorrect because a VPN connection has no security group; security groups attach to elastic network interfaces such as the EC2 instance's.

1374
MCQeasy

A company monitors its VPC using VPC Flow Logs. The logs are sent to CloudWatch Logs. The security team wants to detect traffic to known malicious IP addresses. Which AWS service can be used to analyze the flow logs in near real-time?

A.AWS WAF
B.AWS CloudTrail
C.Amazon Athena
D.Amazon Kinesis Data Analytics
AnswerD

Can process streaming flow logs in real-time and detect patterns.

Why this answer

Option D is correct. Amazon Athena (option C) queries VPC Flow Logs stored in S3 and is a batch tool, so it is not near real-time. Kinesis Data Analytics (now Amazon Managed Service for Apache Flink) consumes a stream and can match each flow record against a threat list as it arrives; the records reach the stream through a CloudWatch Logs subscription filter to Kinesis Data Streams, or, for new flow log configurations, by delivering the flow logs directly to Kinesis Data Firehose. Option A is wrong because AWS WAF filters web requests and does not read flow logs. Option B is wrong because CloudTrail records API activity, not network flows.

1375
MCQeasy

A company has a VPC with public and private subnets. The private subnets need internet access for software updates. The company wants to minimize costs and management overhead. Which solution should they use?

A.Use a VPC endpoint for S3 and CloudFront
B.Attach an internet gateway to the VPC and add a default route to the private subnet route table pointing to the internet gateway
C.Create a NAT gateway in a public subnet and add a route to the private subnet route table pointing to the NAT gateway
D.Launch a NAT instance on an EC2 instance in a public subnet
AnswerC

Managed service, low overhead.

Why this answer

Option C is correct because a NAT gateway is a managed, highly available service within its Availability Zone that provides outbound internet access for private subnets with no instances to patch or scale. Option D is incorrect because a NAT instance has to be sized, patched and made highly available by the company. Option B is incorrect because a default route to the internet gateway turns the private subnets into public ones and still requires public IPs on the instances.

Option A is incorrect because endpoints serve specific AWS services (and CloudFront is a content delivery service, not an egress path), not general internet access for software updates.

1376
MCQmedium

A company uses AWS Direct Connect with a private virtual interface (VIF) to connect its data center to a VPC. The network team needs to ensure high availability and failover in case the primary connection fails. Which solution provides the most cost-effective high availability?

A.Use a VPN connection over the internet as a backup
B.Provision a second Direct Connect connection at a different AWS Direct Connect location and configure BGP with AS_PATH prepending
C.Use a VPN connection over the same Direct Connect connection as backup
D.Provision a second private virtual interface on the same Direct Connect connection
AnswerB

Provides diverse path and failover.

Why this answer

Option B is correct because using a second Direct Connect connection at a different AWS Direct Connect location provides geographic redundancy. Option D is wrong because a second VIF on the same connection is still a single point of failure. Option C is wrong because a VPN over the same Direct Connect relies on the same physical connection.

Option A is wrong because a VPN over the internet provides a backup but is not as reliable as a second Direct Connect connection.

1377
MCQhard

A security engineer created the S3 bucket policy shown. After applying it, users from the 10.0.0.0/16 network (VPC CIDR) are able to access objects, but external users from 203.0.113.0/24 receive 'Access Denied' even though they are using HTTPS. What is the likely cause?

A.The VPC endpoint policy for the S3 endpoint restricts access to the bucket.
B.The policy only allows 's3:GetObject' but the users are trying to list objects.
C.The policy does not include a 'Deny' statement for non-IP ranges.
D.The S3 bucket has 'Block public access' enabled, which overrides the policy.
AnswerA

Even if the bucket policy allows access, the VPC endpoint policy can still deny it, especially for external IPs routed through the endpoint.

Why this answer

The bucket policy allows access only when both conditions are met: a source IP from either range AND aws:SecureTransport true. The external users come from 203.0.113.0/24 and use HTTPS, so both conditions are satisfied and the bucket policy on its own would allow them. Their 'Access Denied' therefore comes from another policy in the evaluation chain rather than from the bucket policy itself, and among the options the VPC endpoint policy for the S3 endpoint is the most plausible source of that deny.

Option B is wrong because the policy allows GetObject, which is the action the users need. Option C is wrong because the absence of a Deny statement does not deny a range the policy already allows. Option D is wrong because public access could be blocked, but the policy allows the stated ranges.

So A is correct.

1378
MCQmedium

A network engineer is designing a hybrid network architecture that connects an on-premises data center to AWS using AWS Direct Connect. The company requires high availability and wants to minimize operational overhead. The on-premises network uses BGP to advertise routes to AWS. Which design meets these requirements?

A.Provision two Direct Connect connections to two different Direct Connect locations, each with a private VIF to the same VPC. Use BGP over the VIFs.
B.Provision one Direct Connect connection with a private VIF and a site-to-site VPN connection as a backup.
C.Provision one Direct Connect connection with two virtual interfaces (VIFs) to the same AWS device.
D.Provision two Direct Connect connections to the same Direct Connect location, both with private VIFs to the same VPC.
AnswerA

This provides physical and logical diversity, achieving high availability with minimal operational overhead.

Why this answer

Option A is correct because provisioning two Direct Connect connections to two different Direct Connect locations ensures physical and path diversity, eliminating single points of failure. Using BGP over the private VIFs allows dynamic route advertisement and automatic failover, meeting high availability requirements while minimizing operational overhead through managed BGP sessions.

Exam trap

AWS often tests the misconception that multiple VIFs on a single connection or connections to the same location provide sufficient redundancy, but true high availability requires physical and geographic diversity at the connection level.

How to eliminate wrong answers

Option B is wrong because a site-to-site VPN backup over the internet introduces higher latency, lower reliability, and additional operational overhead compared to a second Direct Connect connection, and it does not meet the requirement to minimize operational overhead. Option C is wrong because two VIFs on the same Direct Connect connection share the same physical link and AWS device, creating a single point of failure that violates high availability. Option D is wrong because two Direct Connect connections to the same location share the same facility and potential upstream failures, lacking the geographic diversity needed for true high availability.

1379
Multi-Selecthard

A company is using AWS Direct Connect with a private VIF to connect its on-premises network to a VPC. The VPC has a CIDR 10.0.0.0/16. The on-premises network uses 192.168.0.0/16. The company wants to enable communication between on-premises and the VPC, and also allow the VPC to access the internet via an internet gateway. Which TWO of the following configurations are necessary?

Select 2 answers
A.A route in the on-premises router for the VPC CIDR (10.0.0.0/16) pointing to the AWS Direct Connect router.
B.A route in the VPC route table for 0.0.0.0/0 pointing to the internet gateway.
C.A route in the VPC route table for 0.0.0.0/0 pointing to the virtual private gateway.
D.A route in the VPC route table for the on-premises CIDR (192.168.0.0/16) pointing to the internet gateway.
E.A route in the VPC route table for the on-premises CIDR (192.168.0.0/16) pointing to the virtual private gateway.
AnswersB, E

Required for VPC internet access.

Why this answer

Option E is correct because the VPC route table must have a route for 192.168.0.0/16 pointing to the virtual private gateway (VGW) to route traffic to on-premises. Option B is correct because the VPC route table must have a route for 0.0.0.0/0 pointing to the internet gateway for outbound internet access. Option C is not necessary because the VGW is automatically attached and should not be the target of the default route.

Option D is not necessary because traffic to the on-premises CIDR must be routed to the VGW, not the internet gateway. Option A is not necessary because the VGW already handles routing.

1380
MCQmedium

A company is implementing a network for a three-tier application in a VPC. They need to ensure that the web tier can communicate with the application tier, but the application tier cannot initiate connections to the web tier. Which configuration should be used?

A.Use network ACLs on the application tier subnets to allow inbound from web tier and block outbound to web tier
B.Use a transit gateway with route tables to control traffic flow
C.Place a reverse proxy between the tiers
D.Use security groups on the application tier instances to allow inbound from the web tier security group, and do not allow inbound from application tier in the web tier security group
AnswerD

Stateful security groups allow responses and block unwanted initiation.

Why this answer

Option D is correct because a stateful firewall like security groups can allow inbound from web to app while blocking inbound from app to web. Option A is wrong because network ACLs are stateless and require separate rules for inbound and outbound, making it more complex. Option C is wrong because a reverse proxy is unnecessary.

Option B is wrong because a transit gateway is for inter-VPC routing, not for this requirement.

1381
MCQeasy

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to peer with another VPC that has CIDR 10.0.0.0/16. What is the issue and how can it be resolved?

A.The VPCs can be peered if you enable DNS resolution.
B.The VPCs have overlapping CIDRs, so they cannot be directly peered. You must re-IP one VPC or use a NAT solution.
C.Use a Transit Gateway to connect the VPCs, which supports overlapping CIDRs.
D.Use a Direct Connect Gateway to connect the VPCs, which ignores CIDR overlap.
AnswerB

Correct: Overlapping CIDRs are not allowed.

Why this answer

Option B is correct because overlapping CIDRs prevent VPC peering. Option A is wrong because enabling DNS resolution does not remove this limitation; VPC peering requires non-overlapping CIDRs. Option C is wrong because Transit Gateway also does not support overlapping CIDRs without NAT.

Option D is wrong because Direct Connect also requires non-overlapping CIDRs.

1382
MCQmedium

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

A.Create VPC peering connections between each application VPC and the inspection VPC, and add routes pointing to the peering connection.
B.Attach an internet gateway to each application VPC and add a default route pointing to the inspection VPC's NAT gateway.
C.Attach an internet gateway to each application VPC and add default route pointing to it.
D.Create a TGW route table with a blackhole route for 0.0.0.0/0 and associate it with application VPC attachments; attach the inspection VPC to a different TGW route table that has a route to the internet via an egress VPC.
AnswerD

This enforces traffic flow through inspection VPC.

Why this answer

Option D is correct because it uses separate Transit Gateway route tables to enforce traffic isolation: the application VPC attachments use a route table with a blackhole for 0.0.0.0/0, preventing direct internet access, while the inspection VPC uses a different route table with a route to an egress VPC that has an internet gateway. This ensures all outbound traffic from application VPCs must first traverse the inspection VPC for security monitoring before reaching the internet.

Exam trap

The trap here is that candidates often assume VPC peering or direct internet gateway attachments can be combined with Transit Gateway for centralized inspection, but they fail to recognize that Transit Gateway route tables are required to enforce traffic isolation and prevent direct internet access from application VPCs.

How to eliminate wrong answers

Option A is wrong because VPC peering does not support transitive routing; each peering connection is a one-to-one link, so traffic from one application VPC cannot be routed through the inspection VPC to another VPC or the internet without additional complex routing. Option B is wrong because an internet gateway attached to an application VPC would allow direct outbound traffic, bypassing the inspection VPC; the default route pointing to the inspection VPC's NAT gateway is invalid because a NAT gateway cannot be reached across a Transit Gateway without proper routing and the NAT gateway itself is not a routing target for a VPC's default route. Option C is wrong because attaching an internet gateway to each application VPC and adding a default route pointing to it directly sends traffic to the internet, completely bypassing the centralized inspection VPC.

1383
MCQhard

A company is migrating its on-premises data center to AWS. The network team needs to establish a site-to-site VPN connection with dynamic routing using BGP. The on-premises router supports BGP but does not support BGP communities. The VPN connection is established, but the VPC does not learn the on-premises routes. What is the most likely cause?

A.The VPN tunnel uses pre-shared keys instead of certificates
B.The VPC route table needs a static route to the on-premises CIDR
C.The VPN tunnel is not in a UP state
D.The on-premises router is not advertising any prefixes over BGP
AnswerD

Without advertisement, no routes are learned.

Why this answer

Option D is correct because the on-premises router must advertise its routes over the BGP session. Option A is incorrect because pre-shared-key authentication does not prevent BGP from exchanging routes, and BGP communities are not required either. Option C is incorrect because the VPN connection is established.

Option B is incorrect because BGP does not require static routes.

1384
MCQhard

A company has a VPC with a CIDR block of 10.0.0.0/16. The VPC has three subnets: 10.0.1.0/24, 10.0.2.0/24, and 10.0.3.0/24. An EC2 instance in subnet 10.0.1.0/24 needs to send traffic to an on-premises server at 10.0.0.5/32 via a VPN connection. The VPC route table has a route to the VPN gateway for 10.0.0.0/8. What is the expected behavior?

A.Traffic to 10.0.0.5 is sent to the internet gateway.
B.Traffic to 10.0.0.5 is routed through the VPN gateway.
C.Traffic to 10.0.0.5 stays within the VPC.
D.Traffic to 10.0.0.5 is dropped because there is no matching route.
AnswerC

The VPC's local route matches 10.0.0.5.

Why this answer

Option C is correct because the VPC has a more specific route (10.0.0.0/16) for local traffic, which takes precedence over the VPN route (10.0.0.0/8) due to longest prefix match. Traffic from the EC2 instance to 10.0.0.5 is within the VPC CIDR, so it stays local.

1385
MCQhard

A company has a Direct Connect connection with a private VIF connected to a VPC. The company wants to add a second Direct Connect connection for redundancy. They plan to use BGP AS_PATH prepending to influence traffic steering so that the primary connection is preferred for inbound traffic. The on-premises router advertises the same prefix over both connections. The company configures BGP on the primary VIF with AS_PATH prepending (prepend two AS numbers). However, after configuration, inbound traffic still uses both paths equally. What is the most likely cause?

A.The secondary VIF is not configured with BGP authentication.
B.AS_PATH prepending on the AWS side only affects outbound traffic, not inbound traffic.
C.The BGP hold time timer is set too low, causing the primary connection to flap.
D.The company did not set the MED attribute on the primary VIF.
E.The company configured the prepending on the virtual private gateway instead of the Direct Connect gateway.
AnswerB

AS_PATH prepending on AWS side makes the path longer for outbound traffic from AWS to on-premises. To affect inbound traffic, prepending must be done on the on-premises router.

Why this answer

B is correct because AS_PATH prepending on the AWS side (the VIF) affects the AS_PATH attribute of routes advertised by AWS to the on-premises router. For inbound traffic (traffic coming from on-premises into AWS), the on-premises router makes the routing decision based on the BGP attributes it receives from AWS. Prepending on the AWS side makes the path through the primary VIF look longer to the on-premises router, so the on-premises router should prefer the secondary VIF.

However, if the on-premises router is not honoring the prepended AS_PATH (e.g., due to local preference or other policies), or if the prepending is not actually being applied to the correct direction, traffic may still be balanced. The key point is that AS_PATH prepending on the AWS side influences outbound traffic from AWS, not inbound traffic to AWS; inbound traffic steering is controlled by the on-premises router's BGP decision process.

Exam trap

AWS often tests the misconception that AS_PATH prepending on the AWS side directly controls inbound traffic from on-premises, when in fact it only influences the BGP decision on the on-premises router by making the path appear longer; the actual inbound traffic flow depends on the on-premises router's BGP best path selection and any local policies applied there.

How to eliminate wrong answers

Option A is wrong because BGP authentication (MD5) does not influence path selection or traffic steering; it only secures the BGP session. Option C is wrong because a low BGP hold time timer would cause the session to reset or flap, but the question states the primary connection is stable and traffic is still using both paths equally, not that it is flapping. Option D is wrong because the MED (Multi-Exit Discriminator) attribute is used to influence inbound traffic from a neighboring AS, but it is not the standard method for path selection when AS_PATH prepending is already configured; moreover, the issue is that prepending is not affecting inbound traffic as expected, not that MED is missing.

Option E is wrong because the prepending is configured on the VIF (the BGP session), not on the virtual private gateway or Direct Connect gateway; the VIF is the correct place to apply AS_PATH prepending for the BGP session with the on-premises router.

1386
MCQeasy

A company wants to securely store and manage secrets such as database passwords and API keys. They need to automatically rotate secrets every 30 days and ensure that only specific IAM roles can access them. Which AWS service should they use?

A.AWS Systems Manager Parameter Store
B.AWS Key Management Service (KMS)
C.AWS Secrets Manager
D.AWS CloudHSM
AnswerC

Secrets Manager is designed for storing secrets with built-in rotation capability and fine-grained access control using IAM policies.

Why this answer

AWS Secrets Manager is the correct choice because it is purpose-built for securely storing, managing, and automatically rotating secrets such as database passwords and API keys. It supports native rotation with AWS Lambda, enforces fine-grained access control via IAM roles, and can rotate secrets on a schedule (e.g., every 30 days) without custom scripting.

Exam trap

The trap here is that candidates often confuse AWS Systems Manager Parameter Store (which can store secrets securely but lacks native rotation) with AWS Secrets Manager, leading them to choose Parameter Store when automatic rotation is explicitly required.

How to eliminate wrong answers

Option A is wrong because AWS Systems Manager Parameter Store does not support automatic rotation of secrets; it requires custom solutions (e.g., Lambda) to rotate values and lacks native secret rotation scheduling. Option B is wrong because AWS Key Management Service (KMS) is a key management service for encryption keys, not a secret store; it does not store secrets or provide rotation capabilities for passwords or API keys. Option D is wrong because AWS CloudHSM provides dedicated hardware security modules (HSMs) for cryptographic operations and key storage, but it does not store or manage application secrets like database passwords or API keys, nor does it offer automatic rotation.

1387
MCQhard

A network engineer is troubleshooting connectivity between two VPCs that are peered. The route tables are correct, and security groups allow traffic. However, ICMP ping fails. What is the most likely cause?

A.The route tables are not propagated
B.VPC peering does not support ICMP
C.The VPCs are in different regions
D.The security groups are blocking ICMP
AnswerB

VPC peering does not support ICMP; use TCP or UDP for connectivity tests.

Why this answer

VPC peering does not support ICMP; it only supports TCP and UDP traffic.

1388
Multi-Selecthard

A company is designing a network for a global application that requires low latency between users and application servers. They plan to use multiple AWS regions and want to route users to the nearest healthy endpoint. Which THREE services should they use together? (Select THREE.)

Select 3 answers
A.Amazon CloudFront
B.Amazon Route 53 with latency-based routing
C.AWS Global Accelerator
D.AWS WAF
E.Application Load Balancer in each region
AnswersA, B, C

Correct: Caches content at edge, reducing latency.

Why this answer

Options A, B, and C are correct because Route 53 latency-based routing directs users to the region with the lowest latency; Global Accelerator provides anycast IPs and fast failover; and CloudFront caches content at edge locations for low latency. Option E is wrong because an ALB is regional and not for global routing. Option D is wrong because WAF is for security, not routing.

1389
MCQeasy

A network engineer is troubleshooting connectivity from an EC2 instance in a private subnet to an S3 bucket. The VPC has a VPC endpoint for S3 configured. The instance can access the internet via a NAT Gateway. Which configuration is MOST likely causing the connection to S3 to fail?

A.The S3 VPC endpoint is in a different Availability Zone than the instance.
B.The route table for the private subnet is missing a route to the S3 VPC endpoint.
C.The S3 bucket policy does not allow access from the VPC endpoint.
D.The EC2 instance does not have a public IP address.
AnswerB

Without a route to the endpoint, traffic goes via NAT Gateway, which may be blocked.

Why this answer

If a VPC endpoint for S3 is configured, traffic to S3 should use the endpoint and not go through the NAT Gateway. If the route table for the private subnet does not have a route to the S3 endpoint, traffic will go through the NAT Gateway, which may have security group restrictions or other issues. Note that S3 endpoints do not use IAM roles for network connectivity.

Option D is wrong because VPC endpoints do not require a public IP. Option A is wrong because S3 endpoints work across AZs.

1390
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway attached. The on-premises network advertises a specific route 10.0.0.0/16, but the VPC uses the same CIDR 10.0.0.0/16. The company requires connectivity to the VPC from on-premises but cannot change the VPC CIDR. What is the most cost-effective solution?

A.Use VPC peering between the on-premises network and the VPC.
B.Set up a Direct Connect Gateway and attach the VPC and on-premises networks.
C.Create a Transit Gateway with a VPN attachment to on-premises and use route table separation.
D.Create a new VPC with a different CIDR and migrate workloads.
AnswerC

Transit Gateway can manage overlapping CIDRs with multiple route tables.

Why this answer

Option C is correct because a Transit Gateway with a VPN attachment allows you to use route table separation to isolate the overlapping CIDR (10.0.0.0/16) between the on-premises network and the VPC. By creating separate route tables for the VPN attachment and the VPC attachment, you can control traffic flow and avoid routing conflicts without changing the VPC CIDR. This is the most cost-effective solution as it leverages existing VPN connectivity and avoids the expense of migrating workloads or provisioning additional infrastructure.

Exam trap

AWS often tests the misconception that Direct Connect or VPC peering can handle overlapping CIDRs, but the trap here is that only a Transit Gateway with route table separation (or a similar overlay mechanism like VPN with BGP communities) can resolve CIDR conflicts without changing the network addressing.

How to eliminate wrong answers

Option A is wrong because VPC peering requires non-overlapping CIDR blocks; overlapping CIDRs (10.0.0.0/16 on both sides) prevent VPC peering from being established. Option B is wrong because a Direct Connect Gateway does not resolve overlapping CIDR conflicts; it simply extends connectivity and would still cause routing ambiguity between the on-premises network and the VPC. Option D is wrong because creating a new VPC and migrating workloads is not cost-effective; it incurs significant operational overhead and downtime, whereas a Transit Gateway with route table separation provides a cheaper, less disruptive solution.

1391
MCQeasy

A company is deploying a multi-region Active-Active application using Amazon Route 53 latency-based routing. The application runs on EC2 instances behind Network Load Balancers (NLBs) in two AWS regions. The health checks are configured for the NLBs. What should the company do to ensure that traffic is sent only to healthy endpoints?

A.Use Route 53 latency-based routing and associate health checks.
B.Use Route 53 geolocation routing and associate health checks.
C.Use Route 53 weighted routing and associate health checks.
D.Use Route 53 failover routing with primary and secondary records.
AnswerA

Latency routing combined with health checks sends traffic only to healthy endpoints with the lowest latency.

Why this answer

Route 53 latency-based routing directs traffic to the region with the lowest latency for the user. By associating health checks with the latency records, Route 53 automatically excludes any endpoint that fails its health check (e.g., an unhealthy NLB) from DNS responses, ensuring traffic is sent only to healthy endpoints. This meets the requirement for an Active-Active multi-region setup where both regions serve traffic simultaneously.

Exam trap

The trap here is that candidates often confuse latency-based routing with failover routing, assuming failover is required for health checks, but latency-based routing with health checks supports Active-Active while failover routing is strictly Active-Passive.

How to eliminate wrong answers

Option B is wrong because geolocation routing directs traffic based on the user's geographic location, not latency, and does not inherently support Active-Active failover across regions; it can still send traffic to an unhealthy endpoint if health checks are not properly associated, but the core issue is that it doesn't optimize for latency. Option C is wrong because weighted routing distributes traffic based on assigned weights, not latency, and while it can use health checks, it does not provide the latency-based optimization required for an Active-Active multi-region application. Option D is wrong because failover routing is designed for Active-Passive setups, where only one endpoint is active at a time; it does not support Active-Active traffic distribution across multiple regions.

1392
MCQeasy

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The security team wants to ensure that traffic between the on-premises network and the VPC is encrypted using IPSec. Which solution meets this requirement?

A.Establish an IPSec VPN connection over the Direct Connect public virtual interface using a customer gateway and a virtual private gateway.
B.Use a private virtual interface (VIF) on the Direct Connect connection and enable encryption at the physical layer.
C.Use VPC endpoints (Gateway Endpoints) for all traffic between on-premises and the VPC.
D.Attach the Direct Connect virtual interface to a Transit Gateway and enable multicast.
AnswerA

This combination provides encrypted IPSec tunnels over the Direct Connect connection.

Why this answer

Option A is correct because it establishes an IPSec VPN tunnel over a Direct Connect public virtual interface (VIF), which encrypts traffic between the on-premises network and the VPC. The customer gateway and virtual private gateway create a site-to-site VPN connection that uses IPSec to secure all data traversing the Direct Connect link, meeting the encryption requirement without relying on physical-layer security.

Exam trap

The trap here is that candidates assume a private virtual interface inherently provides encryption, but Direct Connect private VIFs are unencrypted by default, and IPSec must be explicitly layered over a public VIF or via a VPN appliance.

How to eliminate wrong answers

Option B is wrong because private virtual interfaces do not support encryption at the physical layer; Direct Connect operates at Layer 2 and does not provide native encryption, and enabling encryption at the physical layer (e.g., MACsec) is not supported on Direct Connect private VIFs. Option C is wrong because VPC Gateway Endpoints (e.g., for S3 or DynamoDB) only provide private connectivity to specific AWS services, not general IPSec encryption for all traffic between on-premises and the VPC. Option D is wrong because attaching a Direct Connect virtual interface to a Transit Gateway and enabling multicast does not provide IPSec encryption; multicast is a separate feature for one-to-many communication, not for securing traffic.

1393
Multi-Selecthard

A company is using AWS Site-to-Site VPN to connect its on-premises network to a VPC. The network team wants to ensure high availability and failover. Which three actions should they take? (Choose THREE.)

Select 3 answers
A.Configure both tunnels as active/active.
B.Enable BGP on the VPN connections.
C.Use two Customer Gateway devices in different locations.
D.Use static routes instead of BGP.
E.Configure two VPN tunnels to the same Customer Gateway.
AnswersA, B, C

Both tunnels carry traffic; if one fails, traffic shifts to the other.

Why this answer

For high availability, use two tunnels (both active/active or active/passive), use two Customer Gateway devices for redundancy, and configure BGP for dynamic routing and fast failover. Static routes require manual intervention. A single tunnel is not redundant.

1394
MCQhard

Refer to the exhibit. The IAM policy above is attached to a user in account A (123456789012). The user needs to create a VPC peering connection with account B and accept it. The user in account A can create the peering request, but the accept fails with an 'UnauthorizedOperation' error. What is the MOST likely reason?

A.The user does not have permission to create routes in the VPC
B.The 'ec2:CreateVpcPeeringConnection' action requires a specific VPC ARN
C.The user does not have permission to accept the peering connection from the other account
D.The 'ec2:AcceptVpcPeeringConnection' action is not allowed in the policy
AnswerC

The policy does not grant cross-account accept.

Why this answer

Option C is correct. The policy's first statement allows 'ec2:AcceptVpcPeeringConnection' on all resources ('*'), but the second statement scopes peering-connection resources to account A only. Accepting a peering connection is performed on the accepter's side (account B), so the accept call targets a peering connection resource owned by account B, which is not covered by the account-A-scoped statement and is outside the permissions this policy can grant.

The user in account A therefore lacks permission to accept the peering connection in the other account, which is what option C describes.

1395
MCQhard

A security engineer is configuring Network Access Control Lists (NACLs) for a VPC with multiple subnets. The engineer wants to block SSH access (port 22) from a specific IP range 10.0.0.0/8 to the entire VPC CIDR (172.16.0.0/16). What is the most effective approach?

A.Add inbound and outbound NACL rules denying SSH from 10.0.0.0/8
B.Add a security group rule to deny inbound SSH from 10.0.0.0/8
C.Add an inbound NACL rule denying SSH from 10.0.0.0/8
D.Add an outbound security group rule denying SSH to 10.0.0.0/8
AnswerA

NACL rules must be added for both directions because NACLs are stateless.

Why this answer

Option A is correct because NACLs are stateless, so you must add both an inbound and an outbound rule to cover each direction of the traffic. Option B is wrong because a security group is an instance-level control, whereas the requirement is subnet-level filtering, which is what a NACL provides. Option C is wrong because a single inbound rule does not cover both directions.

Option D is wrong because security groups are stateful and cannot easily block traffic based on source IP in an outbound rule.
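The stateless first-match evaluation that makes "both directions" necessary is easy to reason about in code. The following is an added example, not part of this question bank: a small NACL rule evaluator (rule numbers, first match wins, implicit deny at the end) applied to constructed rule sets for this scenario. `session_allowed` shows the consequence the answer relies on: with no connection tracking, the reply direction must be admitted by its own rule, so an outbound rule set that only carries a deny leaves even permitted SSH clients hanging.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NaclRule:
    number: int                  # rule number; the lowest matching number wins
    protocol: str                # "tcp", "udp" or "-1" for all protocols
    port_range: Tuple[int, int]  # inclusive (from, to); ignored when protocol is "-1"
    cidr: str                    # source CIDR for inbound, destination CIDR for outbound
    action: str                  # "allow" or "deny"


def evaluate(rules: List[NaclRule], address: str, port: int, protocol: str) -> str:
    """Stateless first-match evaluation, as a NACL does it: rules are tried in
    ascending rule-number order and the first rule whose protocol, port and
    CIDR match decides. Nothing matching falls through to the implicit '*'
    rule, which denies. No connection state is consulted at any point."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1":
            if rule.protocol != protocol:
                continue
            lo, hi = rule.port_range
            if not lo <= port <= hi:
                continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def session_allowed(inbound: List[NaclRule], outbound: List[NaclRule],
                    peer: str, dst_port: int, ephemeral_port: int,
                    protocol: str = "tcp") -> bool:
    """A session initiated by `peer` only works if the inbound rule set admits
    the request (peer -> dst_port) AND the outbound rule set admits the reply
    (-> peer, ephemeral_port). A stateful security group would make the second
    check implicit; a NACL does not."""
    request = evaluate(inbound, peer, dst_port, protocol)
    reply = evaluate(outbound, peer, ephemeral_port, protocol)
    return request == "allow" and reply == "allow"


# Constructed rule sets for the scenario: rule 100 blocks SSH for 10.0.0.0/8 and
# rule 200 admits everything else. The outbound set denies SSH towards the same
# range and allows everything else, so replies to permitted clients still pass.
INBOUND = [
    NaclRule(100, "tcp", (22, 22), "10.0.0.0/8", "deny"),
    NaclRule(200, "-1", (0, 65535), "0.0.0.0/0", "allow"),
]
OUTBOUND = [
    NaclRule(100, "tcp", (22, 22), "10.0.0.0/8", "deny"),
    NaclRule(200, "-1", (0, 65535), "0.0.0.0/0", "allow"),
]
# Same inbound rules, but an outbound set with no allow rule at all: the
# implicit deny then drops the reply, so even permitted SSH clients hang.
OUTBOUND_NO_ALLOW = [NaclRule(100, "tcp", (22, 22), "10.0.0.0/8", "deny")]


if __name__ == "__main__":
    print(evaluate(INBOUND, "10.1.2.3", 22, "tcp"))                            # deny
    print(evaluate(INBOUND, "192.0.2.10", 22, "tcp"))                          # allow
    print(session_allowed(INBOUND, OUTBOUND, "192.0.2.10", 22, 49152))         # True
    print(session_allowed(INBOUND, OUTBOUND_NO_ALLOW, "192.0.2.10", 22, 49152))  # False
```

The rule numbers matter: if the broad allow (200) had a lower number than the SSH deny, the deny would never be reached, which is the usual way a NACL block silently fails in practice.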

1396
MCQhard

A company is deploying a multi-tier web application across multiple Availability Zones in a single Region. The web tier must be fault-tolerant and distribute traffic across EC2 instances. The application tier uses an Auto Scaling group of EC2 instances that need to be accessed by the web tier using a static IP address. Which combination of AWS services meets these requirements?

A.Classic Load Balancer for the web tier and Application Load Balancer for the application tier
B.Application Load Balancer for the web tier and Network Load Balancer for the application tier
C.AWS Global Accelerator for the web tier and Classic Load Balancer for the application tier
D.Network Load Balancer for the web tier and Application Load Balancer for the application tier
AnswerB

ALB provides content-based routing for web tier; NLB provides static IP for application tier.

Why this answer

Option B is correct because an ALB distributes traffic to the web tier instances, and an NLB provides a static IP for the application tier. Option D is wrong because an NLB does not support the path-based routing needed for the web tier. Option C is wrong because Global Accelerator is for multi-Region traffic.

Option A is wrong because the CLB is legacy and does not support advanced features.

1397
Multi-Selectmedium

A company has a VPC with a public subnet and a private subnet. The public subnet has a bastion host (EC2) with a security group that allows SSH from a specific IP range. The private subnet has an RDS instance. The company wants to enable the bastion host to connect to the RDS instance. Which TWO steps are required?

Select 2 answers
A.Configure the RDS instance to use a custom DB parameter group with SSL enabled.
B.Add a rule to the NACL for the private subnet to allow inbound traffic from the bastion host's IP.
C.Assign a public IP address to the RDS instance.
D.Create a route in the public subnet's route table to the RDS instance.
E.Add a rule to the RDS security group that allows inbound traffic from the bastion host's security group.
AnswersB, E

NACL must allow inbound traffic from the bastion to the RDS port.

Why this answer

The bastion host needs network-level access to the RDS instance. The RDS security group must allow inbound from the bastion's security group, and the bastion must be in the same VPC or have network connectivity. The NACL must allow the traffic.

1398
MCQeasy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. The bucket policy should deny requests that do not originate from the VPC. Which condition key should be used in the bucket policy?

A.aws:SourceVpc
B.aws:VpcSourceIp
C.aws:Referer
D.aws:SourceIp
AnswerA

This condition key restricts access to a specific VPC.

Why this answer

The correct condition key is `aws:SourceVpc`, which allows you to restrict access to an S3 bucket based on the VPC from which the request originates. When used in a bucket policy with a Deny effect, it ensures that only requests coming from the specified VPC ID are allowed, and all other requests are denied. This key is specifically designed for VPC-based access control in S3 bucket policies.

Exam trap

AWS often tests the distinction between `aws:SourceVpc` and `aws:SourceIp` — the trap here is that candidates mistakenly choose `aws:SourceIp` thinking they can restrict by VPC by using the VPC's CIDR range, but this fails because requests from within the VPC may have different source IPs (e.g., private IPs or NAT public IPs) and cannot reliably identify the VPC.

How to eliminate wrong answers

Option B (`aws:VpcSourceIp`) is wrong because it is not the condition key for VPC-based access control; AWS uses `aws:SourceIp` for IP address-based restrictions, which cannot express VPC-level control. Option C (`aws:Referer`) is wrong because it restricts access based on the HTTP Referer header, typically to prevent hotlinking from unauthorized websites, not for VPC-based access control. Option D (`aws:SourceIp`) is wrong because it restricts access based on the source IP address of the requester, which is not VPC-specific and cannot enforce that the request originates from a particular VPC, especially when traffic may arrive through NAT gateways or VPNs.
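To make the `aws:SourceVpc` Deny concrete, here is an added example (not from this question bank): a function that builds the bucket policy described above, plus a deliberately minimal condition evaluator that mirrors the one IAM rule this pattern depends on. The bucket name and VPC ID are constructed placeholders, and the evaluator assumes the statement's Action and Resource already match the request; it only decides the Condition.

```python
import json
from typing import Any, Dict


def build_vpc_restriction_policy(bucket: str, vpc_id: str) -> Dict[str, Any]:
    """Deny every S3 action on the bucket unless the request carries the
    expected aws:SourceVpc value. A Deny never grants anything on its own:
    legitimate callers still need an Allow (here or in their IAM policy)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIfNotFromVpc",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringNotEquals": {"aws:SourceVpc": vpc_id}},
            }
        ],
    }


def _condition_matches(condition: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """Evaluate a Condition block for the two string operators used here.
    The important IAM semantic: a negated operator such as StringNotEquals
    evaluates TRUE when the key is absent from the request context. Requests
    that do not come through a VPC endpoint carry no aws:SourceVpc key at
    all, and that absence is exactly what makes the Deny apply to them."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def is_denied(policy: Dict[str, Any], request_ctx: Dict[str, str]) -> bool:
    """True if any Deny statement's Condition matches the request context.
    Simplification (labelled assumption): Action/Resource are taken to match."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _condition_matches(stmt.get("Condition", {}), request_ctx):
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real resources.
    policy = build_vpc_restriction_policy("example-bucket", "vpc-0123456789abcdef0")
    print(json.dumps(policy, indent=2))
    print(is_denied(policy, {"aws:SourceVpc": "vpc-0123456789abcdef0"}))  # False
    print(is_denied(policy, {"aws:SourceVpc": "vpc-0fedcba9876543210"}))  # True
    print(is_denied(policy, {"aws:SourceIp": "203.0.113.10"}))            # True
```

The third call is the exam trap in code form: a request that only carries a source IP, however "internal" it looks, has no `aws:SourceVpc` key, so `StringNotEquals` matches and the Deny takes effect.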

1399
MCQmedium

A company is designing a hybrid network architecture that requires a dedicated, private, and consistent connection between its on-premises data center and AWS. The connection must support multiple VLANs and provide a service-level agreement (SLA) of 99.99% availability. Which AWS service should be used to meet these requirements?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Client VPN
D.AWS Site-to-Site VPN
AnswerA

Correct; AWS Direct Connect provides a dedicated, private, high-bandwidth connection with support for multiple VLANs and an SLA.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private, and consistent network connection from an on-premises data center to AWS, bypassing the public internet. It supports multiple VLANs via 802.1Q tagging over a single physical connection, and offers a 99.99% service-level agreement (SLA) when configured with redundant connections at separate Direct Connect locations.

Exam trap

AWS often tests the misconception that AWS Transit Gateway itself provides the dedicated connection, but it is only a logical aggregation point and requires Direct Connect or VPN as the underlying transport to meet the physical connectivity and SLA requirements.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it is a network transit hub that interconnects VPCs and on-premises networks, but it does not provide the physical dedicated connection itself; it relies on an underlying transport like Direct Connect or VPN. Option C (AWS Client VPN) is wrong because it is a managed remote access VPN solution for individual clients, not a dedicated site-to-site connection, and it does not support multiple VLANs or offer a 99.99% SLA. Option D (AWS Site-to-Site VPN) is wrong because it uses the public internet and IPsec tunnels, which cannot guarantee a 99.99% SLA and does not provide a dedicated, private connection with consistent latency.

1400
MCQmedium

A company has deployed a web application across multiple AWS Regions using Application Load Balancers (ALBs) and EC2 instances. They want to use AWS Global Accelerator to improve performance and provide a fixed entry point. The Global Accelerator is configured with endpoints pointing to the ALBs. However, users are experiencing intermittent failures. What is the most likely cause?

A.Client IP address preservation is enabled on the Global Accelerator for cross-Region endpoints.
B.Global Accelerator does not support multiple endpoints in different Regions.
C.The ALBs are not configured with health checks.
D.The Global Accelerator is not configured for IPv6 traffic.
AnswerA

When using cross-region endpoints, client IP address preservation must be disabled, otherwise traffic fails.

Why this answer

When client IP address preservation is enabled on Global Accelerator for cross-Region endpoints, the accelerator preserves the original client IP address in the packets sent to the Application Load Balancers. However, ALBs are layer-7 load balancers that require traffic to originate from the Global Accelerator's static IP addresses, not the client's IP, for proper routing and health check responses. This mismatch causes the ALBs to reject or mishandle traffic, leading to intermittent failures.

Exam trap

AWS often tests the misconception that client IP preservation is always beneficial, but the trap here is that enabling it for ALB endpoints in cross-Region setups breaks the expected traffic flow because ALBs require the source IP to be the Global Accelerator's IPs, not the client's.

How to eliminate wrong answers

Option B is wrong because Global Accelerator explicitly supports multiple endpoints in different Regions, allowing traffic to be routed to the closest healthy endpoint. Option C is wrong because health checks are configured on the Global Accelerator itself, not on the ALBs; ALBs have their own health checks, but the absence of ALB health checks would not cause intermittent failures from Global Accelerator. Option D is wrong because Global Accelerator supports both IPv4 and IPv6 traffic, and the question does not indicate any IPv6-related issue; the failure is unrelated to IP version support.

1401
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16. The VPC has a public subnet 10.0.1.0/24 and a private subnet 10.0.2.0/24. An EC2 instance in the private subnet needs to download patches from the internet. Which configuration is required to provide outbound internet access to the private instance while preventing inbound internet traffic?

A.Attach an Internet Gateway to the private subnet and add a default route to the Internet Gateway in the private route table
B.Assign an Elastic IP to the private instance and update the security group to allow outbound traffic
C.Add an Internet Gateway to the VPC and create a route in the private subnet to 0.0.0.0/0 via the Internet Gateway
D.Deploy a NAT Gateway in the public subnet and add a default route in the private subnet route table pointing to the NAT Gateway
AnswerD

NAT Gateway enables outbound-only internet access for private instances.

Why this answer

Option D is correct because a NAT Gateway in the public subnet, with a route in the private subnet's route table pointing to the NAT Gateway, provides outbound internet access. Option A is wrong because an Internet Gateway attached to the private subnet would allow inbound traffic. Option B is wrong because an EIP on the private instance directly exposes it.

Option C is wrong because an Internet Gateway alone does not provide outbound-only access; a route to it makes the instance reachable from the internet as well.

1402
Multi-Selecthard

Which TWO options are valid methods to connect a VPC to an on-premises network? (Choose two.)

Select 2 answers
A.AWS Site-to-Site VPN
B.Internet Gateway
C.AWS Direct Connect
D.VPC endpoint
E.VPC peering
AnswersA, C

Creates a secure VPN tunnel over the internet.

Why this answer

Options A and C are correct. AWS Direct Connect is a dedicated private connection, and AWS Site-to-Site VPN is a VPN over the internet. VPC peering (E) is for VPC-to-VPC connectivity.

Internet Gateway (B) is for internet access. VPC endpoint (D) is for private access to AWS services.

1403
Multi-Selectmedium

A company is designing a VPC with the following requirements: (1) Ability to connect to on-premises via AWS Direct Connect with BGP, (2) Ability to route traffic between multiple VPCs, (3) Centralized inspection of traffic between VPCs. Which AWS services should the company use? (Choose TWO.)

Select 2 answers
A.VPC peering connections
B.VPC endpoints
C.AWS Transit Gateway
D.Direct Connect Gateway
E.AWS Site-to-Site VPN
AnswersC, D

Central hub for inter-VPC routing and inspection.

Why this answer

AWS Transit Gateway (C) is correct because it acts as a central hub to interconnect multiple VPCs and on-premises networks, enabling transitive routing between all attached networks. It supports centralized traffic inspection by routing VPC-to-VPC traffic through a shared inspection VPC (e.g., with a firewall appliance) using route tables and attachments.

Exam trap

AWS often tests the misconception that VPC peering can be used for transitive routing or centralized inspection, but peering is non-transitive and requires full-mesh connectivity, making Transit Gateway the correct hub solution.

1404
Multi-Selecthard

A company is configuring a site-to-site VPN connection between its on-premises network and AWS. The VPN tunnel is up, but traffic is not passing. The company has verified that routes are correct on both sides. Which TWO actions should the company take to troubleshoot the issue?

Select 2 answers
A.Verify that the virtual private gateway is attached to the VPC.
B.Ensure that the on-premises firewall is configured to allow IPSec traffic.
C.Check the security group rules for the EC2 instances in the VPC.
D.Verify that the VPN tunnel is using the correct encryption algorithm.
E.Check the network ACLs for the subnets.
AnswersC, E

Security groups can block traffic.

Why this answer

Options C and E are correct because checking security group and NACL rules is essential for traffic flow. Option D is irrelevant because the tunnel is already up. Option B is not applicable for the same reason.

Option A is already done.

1405
MCQmedium

A company is using AWS Direct Connect to connect its on-premises network to VPCs in multiple AWS accounts. The company wants to ensure that traffic from the on-premises network can only access specific VPCs based on the source IP address. Which AWS service should be used to enforce this segmentation?

A.VPC Peering
B.AWS Transit Gateway
C.AWS PrivateLink
D.Security Groups
AnswerB

Transit Gateway with route tables can enforce segmentation based on source IP.

Why this answer

Option B is correct because AWS Transit Gateway can use route tables to segment traffic between Direct Connect and multiple VPCs based on source IP. Option A is wrong because VPC Peering does not support source IP filtering. Option C is wrong because AWS PrivateLink is for accessing services within a VPC, not for routing.

Option D is wrong because Security Groups apply at the instance level, not to traffic from Direct Connect.

1406
MCQmedium

A company is deploying a multi-tier web application across three Availability Zones in a single AWS Region. The web tier must be fault-tolerant and scale horizontally. Which network design provides the highest availability and scalability?

A.Deploy a single EC2 instance in one Availability Zone with an Elastic IP address.
B.Use an Application Load Balancer in front of an Auto Scaling group spanning three Availability Zones.
C.Deploy EC2 instances in a single Availability Zone and use Route 53 weighted routing.
D.Use a Network Load Balancer with a single EC2 instance in each AZ.
AnswerB

ALB distributes traffic across multiple AZs and instances, providing fault tolerance and scalability.

Why this answer

Option B is correct because an Application Load Balancer distributes traffic across multiple AZs and instances, providing high availability and scalability. Option A is wrong because a single instance in one AZ is not fault-tolerant. Option D is wrong because a Network Load Balancer operates at layer 4 and does not support path-based routing for web applications.

Option C is wrong because using only one AZ reduces fault tolerance.

1407
MCQeasy

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The company wants to ensure that traffic to the VPC uses the Direct Connect connection instead of the internet. Which configuration is required?

A.Create a VPC peering connection to the on-premises network.
B.Add a route in the VPC route table pointing to the on-premises CIDR via the virtual private gateway.
C.Use a NAT gateway in the VPC.
D.Add a route in the VPC route table pointing to the on-premises CIDR via the internet gateway.
AnswerB

This directs traffic to the Direct Connect connection.

Why this answer

To ensure traffic uses Direct Connect, the route table in the VPC must have a route to the on-premises CIDR via the virtual private gateway (VGW) attached to the Direct Connect. Additionally, on the on-premises side, routes must point to the Direct Connect. The VPC route table should have a more specific route or a default route pointing to the VGW.

1408
MCQhard

A global company is designing a multi-region Active-Active application using Amazon Route 53 latency-based routing. Each region has an Application Load Balancer (ALB) fronting Auto Scaling groups. The application requires sticky sessions based on the user's source IP. The network team notices that users are frequently switched to a different region mid-session, causing errors. What should the team do to resolve this issue?

A.Configure Route 53 health checks with a low threshold to quickly detect failures
B.Enable stickiness on each ALB using a cookie generated by the ALB
C.Use a custom origin header in the Route 53 latency policy to route based on the user's IP address and enable ALB stickiness
D.Switch to geolocation routing policy with a bias to maintain sessions
AnswerC

Custom origin header and ALB stickiness provide session persistence.

Why this answer

Option C is correct because Route 53 latency-based routing does not natively support sticky sessions; using a custom origin header with ALB stickiness ensures users stick to the correct regional endpoint. Option B is wrong because enabling ALB stickiness alone does not prevent Route 53 from switching regions. Option A is wrong because health checks do not affect routing decisions during a session.

Option D is wrong because geolocation routing would not adapt to latency and may cause incorrect routing.

1409
MCQmedium

A company is using Amazon VPC with a public subnet and a private subnet. The public subnet has a NAT gateway. The private subnet has an Amazon RDS for MySQL database. The security team wants to ensure that the database is not accessible from the internet, but they need to allow a specific on-premises network (IP range 203.0.113.0/24) to connect to the database for maintenance. The company also wants to restrict outbound traffic from the database to only necessary AWS services (e.g., S3 for backups) and deny all other outbound traffic. Which configuration should the security team implement?

A.Create a security group for the database that allows inbound from the on-premises network using a prefix list for 203.0.113.0/24. Create a VPC endpoint for S3 and allow outbound traffic to the endpoint. Keep the private subnet's network ACL default (allow all outbound).
B.Set up a Site-to-Site VPN between the on-premises network and the VPC. Modify the route tables to route 203.0.113.0/24 through the VPN. Place the database in a private subnet and allow inbound from the VPN CIDR. Use an internet gateway for outbound traffic to S3.
C.Modify the database security group to allow inbound TCP 3306 from 203.0.113.0/24. Create a VPC endpoint for S3. Update the private subnet's network ACL to deny all outbound traffic except to the S3 VPC endpoint prefix list.
D.Place the database in a public subnet and use a security group that allows inbound from 203.0.113.0/24. Use the NAT gateway for outbound traffic to S3. Configure the public subnet's network ACL to deny all outbound traffic except to S3.
AnswerC

This directly permits the required on-premises access and restricts outbound traffic to only S3 via VPC endpoint, which is secure and efficient.

Why this answer

Option C is correct because modifying the database security group to allow inbound from the on-premises CIDR directly is the simplest and most secure way. Using a VPC endpoint for S3 allows private connectivity. A custom network ACL on the private subnet can deny all outbound traffic except to the VPC endpoint.

Option A is wrong because a security group cannot reference a prefix list for on-premises IPs; also, keeping the default network ACL allows all outbound traffic, which defeats the purpose. Option B is wrong because an internet gateway is not needed for on-premises access via VPN; also, allowing all outbound traffic to 0.0.0.0/0 is insecure. Option D is wrong because the NAT gateway is not needed for on-premises access.

1410
Multi-Selectmedium

A company is designing a network security solution for a VPC that hosts a multi-tier web application. The web servers are in a public subnet, and the application servers are in a private subnet. The company wants to ensure that the web servers can only be accessed on port 443 from the internet, and the application servers can only be accessed from the web servers on port 3306. Which THREE components should be configured?

Select 3 answers
A.Network ACL on the public subnet allowing inbound 443 from 0.0.0.0/0
B.Network ACL on the public subnet allowing inbound 443 from 0.0.0.0/0 and outbound ephemeral ports
C.Network ACL on the private subnet allowing inbound 3306 from the public subnet CIDR
D.Security group for application servers allowing inbound 3306 from the web server security group
E.Security group for web servers allowing inbound 443 from 0.0.0.0/0
AnswersB, D, E

NACL on public subnet provides stateless filtering for inbound HTTPS and outbound responses.

Why this answer

Option E (Security group for web servers) allows inbound 443 from the internet. Option D (Security group for application servers) allows inbound 3306 from the web server security group. Option B (Network ACL on the public subnet) adds a layer of stateless filtering for inbound HTTPS and the outbound responses.

Option A is wrong because it allows inbound 443 but omits the outbound ephemeral port rule, so the stateless NACL would drop the responses. Option C is wrong because a NACL on the private subnet would allow all traffic unless explicitly denied, and the security group is the primary control there; a NACL on the public subnet is acceptable, but for the private subnet the security group is sufficient and a NACL is not required.

1411
Multi-Selectmedium

A company is deploying a new application across multiple Availability Zones in a single region. The application requires low-latency communication between instances in different AZs. Which THREE design choices help achieve high availability and low latency? (Select THREE.)

Select 3 answers
A.Use a spread placement group for the instances.
B.Use larger instance sizes to handle traffic spikes.
C.Launch EC2 instances in at least two Availability Zones.
D.Use a single NAT Gateway to provide internet access.
E.Use an Application Load Balancer to distribute traffic across AZs.
AnswersA, C, E

Spread placement groups reduce risk of simultaneous failures.

Why this answer

Option E is correct because an Application Load Balancer distributes traffic across AZs and provides health checks. Option C is correct because placing instances in multiple AZs ensures availability if one AZ fails. Option D is incorrect because a single NAT Gateway in one AZ creates a single point of failure.

Option A is correct because using EC2 instances in a spread placement group reduces correlated failures. Option B is incorrect because increasing instance size does not improve availability or latency.

1412
MCQeasy

A network engineer is designing a hybrid network using AWS Direct Connect. The company requires high availability and wants to use a single AWS Direct Connect location with two connections from different customer routers. Which solution meets the high availability requirement?

A.Use a single AWS Direct Connect connection with multiple VLANs
B.Use a single AWS Direct Connect connection with two BGP sessions
C.Use two AWS Direct Connect connections from the same location, each connected to a different customer router, and configure BGP sessions over both connections
D.Use a single AWS Direct Connect connection with Bidirectional Forwarding Detection (BFD) enabled
AnswerC

Two connections from different routers provide router-level redundancy.

Why this answer

Option C is correct because using two connections (primary and backup) from different customer routers to the same Direct Connect location provides redundancy at the router level. Option B is wrong because a single connection is a single point of failure. Option A is wrong because multiple VLANs on one connection do not provide physical redundancy.

Option D is wrong because BFD does not provide physical redundancy.

1413
Multi-Selectmedium

A network engineer is troubleshooting connectivity issues between an EC2 instance and an RDS database in the same VPC. The EC2 instance can connect to the database, but the connection is slow. Which TWO actions should the engineer take to diagnose the issue? (Choose TWO.)

Select 2 answers
A.Verify the route table for the database subnet to ensure there is a default route to the internet.
B.Check the network ACL for the database subnet to ensure it is stateful.
C.Verify that the security group for the EC2 instance allows outbound traffic on the database port, and the database security group allows inbound from the EC2 instance.
D.Check VPC Flow Logs to analyze traffic patterns and identify drops or latency.
E.Check the route propagation settings on the VPC.
AnswersC, D

Security group misconfigurations can cause slow connections.

Why this answer

Options C and D are correct. Checking security group rules (C) ensures proper allow rules. Reviewing VPC Flow Logs (D) can reveal dropped packets or latency.

Option B is wrong because NACLs are stateless and may drop return traffic. Option A is wrong because the default route is not relevant to internal traffic. Option E is wrong because route propagation is for VPN/Direct Connect.

1414
Multi-Selectmedium

A company is designing a hybrid network using AWS Direct Connect. They want to ensure high availability and minimize downtime. Which TWO actions should they take?

Select 2 answers
A.Set up a site-to-site VPN as a backup for the Direct Connect connection
B.Use a single customer router for both connections
C.Provision a single Direct Connect connection with two virtual interfaces
D.Provision Direct Connect connections at two different Direct Connect locations
E.Use the same BGP ASN on both Direct Connect connections
AnswersA, D

VPN provides a backup path if Direct Connect fails.

Why this answer

Options A and D are correct. Using two separate Direct Connect locations provides geographic redundancy. Having a VPN backup provides failover if Direct Connect fails.

Option C is wrong because a single connection is a single point of failure. Option B is wrong because a single router is a SPOF. Option E is wrong because using the same ASN on both connections is fine, but it does nothing specifically for HA.

1415
Multi-Selecthard

A network engineer is designing a highly available VPN connectivity between an on-premises data center and AWS. The company has two AWS Direct Connect connections terminated on two different AWS Direct Connect locations for redundancy. The company wants to use AWS Site-to-Site VPN as a backup for Direct Connect. The VPN connections will terminate on a single Virtual Private Gateway (VGW) attached to a VPC. The on-premises network has two customer gateways (CGWs) each with a unique BGP ASN. Which TWO actions should the engineer take to ensure automatic failover and load balancing? (Choose two.)

Select 2 answers
A.Configure the VPN connections to use BGP dynamic routing.
B.Set up a CloudWatch alarm to trigger an AWS Lambda function that changes route table entries upon VPN failure.
C.Configure the VPN connections to use static routes with equal cost multipath (ECMP).
D.Use a single customer gateway with two separate tunnels to the virtual private gateway.
E.Create two VPN connections, each from a different customer gateway to the same virtual private gateway.
AnswersA, E

BGP allows automatic route propagation and failover.

Why this answer

Option A is correct because using BGP dynamic routing on both VPN tunnels allows automatic failover and load balancing. Option E is correct because creating a VPN connection from each CGW to the same VGW provides two separate tunnels. Option C is incorrect because static routes do not provide automatic failover.

Option D is incorrect because a single CGW creates a single point of failure. Option B is incorrect because the VPN is the backup; using BGP on both tunnels handles failover without CloudWatch alarms.

1416
Multi-Selecteasy

A company wants to protect its web application running on Amazon EC2 behind an Application Load Balancer (ALB) from common web exploits like SQL injection and cross-site scripting (XSS). Which THREE AWS services should be used together to provide comprehensive protection?

Select 3 answers
A.AWS WAF
B.Amazon Route 53
C.AWS Shield
D.Amazon CloudFront
E.Application Load Balancer (ALB)
AnswersA, C, E

WAF helps protect against SQL injection, XSS, and other web exploits.

Why this answer

Option A (AWS WAF) protects against web exploits. Option E (ALB) is the endpoint. Option C (AWS Shield) provides DDoS protection.

Route 53 is DNS, not security. CloudFront can be used with WAF but is not a service for protection against web exploits itself.

1417
MCQeasy

A company wants to ensure that traffic between two VPCs in the same region is encrypted and does not traverse the public internet. Which solution meets these requirements?

A.Configure VPC Peering between the two VPCs
B.Create VPC Endpoints in each VPC for the other VPC's CIDR
C.Use an AWS Transit Gateway to route traffic between the VPCs
D.Establish an AWS Site-to-Site VPN connection between the VPCs
AnswerA

Correct; VPC Peering uses the AWS private network and ensures traffic does not traverse the internet.

Why this answer

VPC Peering (Option A) is correct because it establishes a direct, private network connection between two VPCs using AWS's internal infrastructure, ensuring traffic never traverses the public internet. All inter-VPC traffic over a VPC peering connection remains within the AWS global network, and encryption is inherently provided by the underlying physical layer security of AWS data centers, meeting both requirements without additional configuration.

Exam trap

AWS often tests the misconception that Transit Gateway inherently encrypts traffic, but it only provides routing; candidates must remember that encryption requires explicit IPsec or VPN configuration, whereas VPC Peering meets the 'encrypted and no public internet' requirement by default through AWS's private network.

How to eliminate wrong answers

Option B is wrong because VPC Endpoints (Gateway or Interface endpoints) are used to privately connect a VPC to AWS services (like S3 or DynamoDB) or to other VPCs via PrivateLink, not to route traffic between two VPCs' CIDR blocks; they cannot replace a peering or transit routing function. Option C is wrong because AWS Transit Gateway provides centralized routing between VPCs but does not inherently encrypt traffic; it only routes traffic over the AWS backbone, and encryption would require an additional VPN attachment or IPsec configuration. Option D is wrong because an AWS Site-to-Site VPN connection is designed to connect an on-premises network to a VPC, not to connect two VPCs directly; using it for VPC-to-VPC connectivity would require complex, non-standard configurations and still relies on internet gateways or virtual private gateways, potentially exposing traffic to the public internet.

1418
MCQmedium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to download patches from the internet. The company wants to ensure that all outbound traffic is logged and that only specific destinations are allowed. Which solution meets these requirements?

A. Deploy a NAT gateway in a public subnet and enable VPC Flow Logs
B. Deploy a proxy server in a public subnet and configure the EC2 instance to use it
C. Deploy a NAT instance in a public subnet and enable VPC Flow Logs
D. Attach an internet gateway to the VPC and assign a public IP to the EC2 instance
Answer: A

NAT gateway provides outbound internet access and VPC Flow Logs capture traffic metadata for logging.

Why this answer

Option A is correct because a NAT gateway in a public subnet allows outbound internet access from private instances, and VPC Flow Logs capture the traffic metadata needed for logging. Option C is wrong because a NAT instance can also work but requires manual management and does not inherently provide logging; Flow Logs still need to be enabled. Option B is wrong because a proxy in a public subnet would require additional configuration and is not the default AWS solution.

Option D is wrong because an internet gateway alone does not give a private subnet outbound internet access.

1419
MCQ, easy

A company has a VPC with a CIDR block of 10.0.0.0/16. They have a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They have an internet gateway attached to the public subnet. They deploy a web server on an EC2 instance in the public subnet and a database on an EC2 instance in the private subnet. The database should only be accessible from the web server. The company wants to secure the database by not assigning a public IP address to it. Which configuration will allow the web server to connect to the database?

A. Create a VPC Peering connection between the public and private subnets
B. Assign a public IP address to the database instance and configure the security group to allow inbound traffic from the web server's public IP
C. Keep the database instance in the private subnet with no public IP, and configure the security group of the database to allow inbound traffic from the web server's security group on the database port
D. Set up a VPN connection between the web server and the database
Answer: C

Instances can communicate via private IPs within the same VPC.

Why this answer

Option C is correct because security groups in AWS can reference other security groups as a source, allowing traffic from any instance associated with the source security group. By configuring the database's security group to allow inbound traffic on the database port from the web server's security group, the web server can connect to the database without the database needing a public IP address. This leverages AWS's built-in security group chaining, which works across subnets within the same VPC.

Exam trap

AWS often tests the misconception that subnets in the same VPC need explicit routing or peering to communicate, but all subnets within a VPC are implicitly routable through the local route that every VPC route table contains, so security group configuration is the correct approach for access control.

How to eliminate wrong answers

Option A is wrong because VPC Peering connects separate VPCs, not subnets within the same VPC; subnets in the same VPC are already routable via the VPC's route tables. Option B is wrong because assigning a public IP to the database violates the requirement to not assign a public IP, and it exposes the database to the internet unnecessarily, increasing the attack surface. Option D is wrong because a VPN connection is used to connect on-premises networks or remote clients to a VPC, not to connect two instances within the same VPC, and it adds unnecessary complexity and latency.

1420
MCQ, hard

A network engineer is designing a hybrid network using AWS Transit Gateway with multiple VPCs and an on-premises data center connected via AWS Direct Connect. The VPCs need to communicate with each other and with on-premises, but must isolate development VPCs from production VPCs. What is the MOST scalable and cost-effective approach?

A. Use a single Transit Gateway with one route table for all VPCs and on-premises, and use network ACLs for isolation.
B. Create VPC peering connections between all VPCs and a Direct Connect gateway for on-premises connectivity.
C. Use a VPN connection from each VPC to on-premises over Direct Connect, and allow VPC communication via VPN.
D. Use a single Transit Gateway with separate route tables for development and production VPCs, and a shared route table for on-premises attachment.
Answer: D

Separate route tables enforce isolation; shared table allows on-premises access.

Why this answer

Option D is correct because Transit Gateway route tables allow isolation between VPCs while sharing connectivity to on-premises. Option A is wrong because a single route table would not isolate development from production. Option B is wrong because VPC peering does not scale and requires a full mesh.

Option C is wrong because VPN over Direct Connect adds complexity and cost without benefit.

1421
MCQ, medium

A network engineer is troubleshooting high latency between two EC2 instances in the same VPC but in different Availability Zones. The instances are in the same security group and have proper rules. Which configuration is most likely causing the latency?

A. The instances are using jumbo frames.
B. The instances are in a cluster placement group.
C. The instances have Enhanced Networking enabled.
D. The instances are in different Availability Zones.
Answer: D

Inter-AZ traffic has higher latency.

Why this answer

The primary cause of higher latency between EC2 instances in different Availability Zones is the physical distance and the additional network hops required to traverse the AZ boundary. Even within the same VPC, traffic between AZs must pass through AWS's regional network infrastructure, which introduces a baseline latency of 1-2 milliseconds, whereas instances in the same AZ can communicate with sub-millisecond latency. The question explicitly states the instances are in different AZs, making this the most likely source of the latency issue.

Exam trap

The trap here is that candidates often assume all instances in the same VPC have identical latency regardless of AZ placement, overlooking the fundamental physical and network architecture differences between intra-AZ and inter-AZ communication.

How to eliminate wrong answers

Option A is wrong because jumbo frames (MTU 9001) reduce latency by enabling larger payloads per packet, decreasing overhead and improving throughput; they do not cause high latency. Option B is wrong because a cluster placement group is designed to provide the lowest possible latency and maximum packet-per-second performance by placing instances in a single AZ, so using it would reduce, not cause, latency. Option C is wrong because Enhanced Networking (using SR-IOV or ENA) provides higher bandwidth, lower jitter, and lower per-packet latency; it is a performance optimization, not a source of latency.

1422
MCQ, medium

A company is designing a multi-region active-active architecture for a web application using Application Load Balancers (ALBs) and AWS Global Accelerator. The application must provide low-latency access to users worldwide and automatically route traffic to healthy endpoints. Which design should be used?

A. Use Amazon CloudFront with multiple origins pointing to ALBs in each region and configure origin failover.
B. Use Amazon Route 53 latency-based routing with health checks to route traffic to ALBs in each region.
C. Deploy a single ALB with multiple target groups across regions using cross-zone load balancing.
D. Deploy Global Accelerator with endpoints in each region (ALBs) and configure health checks to route traffic to healthy endpoints.
Answer: D

Global Accelerator uses anycast IPs and health checks for optimal routing to healthy endpoints.

Why this answer

Option D is correct because Global Accelerator uses anycast IPs and health checks to route traffic to the closest healthy endpoint. Option B is wrong because Route 53 latency-based routing with health checks can work but does not use anycast and may not provide the same performance. Option C is wrong because an ALB is a regional resource and cannot span regions, so it would not provide multi-region failover.

Option A is wrong because CloudFront with ALB origins can provide low latency but does not support active-active multi-region traffic routing by default.

1423
MCQ, medium

A company has multiple AWS accounts and wants to centralize VPC flow logs for analysis. The flow logs are published to Amazon S3 in each account. A central account needs to access these logs. Which solution meets the requirements with the least operational overhead?

A. Set up AWS Glue jobs to copy logs to a central S3 bucket
B. Use AWS Transit Gateway to centralize network traffic and capture logs
C. Use VPC peering to connect the accounts and access the S3 buckets directly
D. Use S3 bucket policies in each account to grant the central account access
Answer: D

Simplest and most scalable.

Why this answer

Option D is correct because cross-account bucket policies allow the central account to access the logs without additional infrastructure. Option C is wrong because VPC peering does not grant S3 access. Option B is wrong because Transit Gateway does not provide S3 access.

Option A is wrong because copying logs with AWS Glue jobs adds complexity.

1424
MCQ, hard

A network engineer is troubleshooting connectivity issues between two VPCs connected via a VPC peering connection. The VPCs are in different AWS accounts and regions. The engineer can ping the private IP of an instance in the peered VPC from one side, but not from the other. What is the most likely cause?

A. Route tables in one VPC do not have a route to the peered VPC CIDR
B. The security group in the peered VPC is blocking ICMP traffic
C. The VPC CIDR blocks overlap
D. The VPC peering connection is in a 'pending-acceptance' state
Answer: A

A missing route in one VPC prevents return traffic, causing one-way connectivity.

Why this answer

Option A is correct because a VPC peering connection needs a route to the peer's CIDR in both VPCs' route tables to allow bidirectional traffic. The ability to ping from one side but not the other indicates a missing route in one VPC's route table. Options C and D are ruled out because the peering connection exists and works in one direction.

Option B concerns security groups, which would affect both directions equally.

1425
MCQ, easy

A company wants to block inbound traffic from a specific IP address range (203.0.113.0/24) at the VPC level using AWS WAF. Which resource should the AWS WAF web ACL be associated with?

A. Application Load Balancer
B. Network Load Balancer
C. VPC peering connection
D. Security group
Answer: A

AWS WAF can be associated with ALB to filter web traffic.

Why this answer

Option A is correct because AWS WAF can be associated with an Application Load Balancer to filter HTTP/HTTPS traffic. Option B is wrong because NLB does not support AWS WAF. Option C is wrong because VPC peering does not have a web ACL.

Option D is wrong because a security group provides stateful packet filtering, whereas AWS WAF is a separate service that filters web traffic and cannot be attached to a security group.
