AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 1426-1500

1705 questions total · 23 pages · All types, answers revealed

Page 20 of 23
1426 · MCQ · easy

A company wants to allow an EC2 instance in a private subnet to download files from an S3 bucket without traversing the internet. Which AWS service should be used?

A. Establish an AWS Direct Connect connection to the VPC.
B. Attach an internet gateway and route through a NAT gateway.
C. Create a VPC Interface Endpoint for S3.
D. Create a VPC Gateway Endpoint for S3.
Answer: D

Gateway Endpoint provides private connectivity to S3 without internet.

Why this answer

Option D is correct because a VPC Gateway Endpoint for S3 provides private connectivity to S3 without traversing the internet. Option B is wrong because a NAT gateway sends the traffic over the internet. Option A is wrong because Direct Connect is for on-premises connectivity.

Option C is wrong because S3 is reached through a Gateway Endpoint by default; an Interface Endpoint is not the default choice for S3.

1427 · MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16 and has enabled VPC Flow Logs to capture all traffic. The logs show that an EC2 instance (10.0.1.10) is sending outbound traffic to an external IP (203.0.113.50) on port 443, but the traffic is being rejected. The instance's security group allows outbound HTTPS to 0.0.0.0/0, and the subnet's NACL allows outbound traffic on port 443. The VPC has an internet gateway attached, and the route table directs 0.0.0.0/0 to the internet gateway. What is the most likely cause of the rejection?

A. The NACL inbound rules are blocking the return traffic.
B. The security group does not allow inbound HTTPS traffic.
C. The internet gateway is not attached to the VPC.
D. The route table does not have a route to the internet gateway.
Answer: A

NACLs are stateless and require explicit inbound rules for return traffic.

Why this answer

The outbound traffic from the EC2 instance is allowed by the security group and NACL outbound rules, but the return traffic (responses from 203.0.113.50:443 back to 10.0.1.10) must also be permitted by the subnet's NACL inbound rules. Since the NACL is stateless, it requires explicit inbound rules for ephemeral ports (typically 1024-65535) to allow the return traffic. If those inbound rules are missing, the return packets are dropped, causing the outbound traffic to appear as rejected in VPC Flow Logs.

Exam trap

AWS often tests the distinction between stateful security groups and stateless NACLs, specifically that NACLs require explicit inbound rules for return traffic while security groups automatically allow it.

How to eliminate wrong answers

Option B is wrong because the security group is stateful, so inbound HTTPS rules are not required for return traffic; the stateful nature of security groups automatically allows response traffic for outbound connections. Option C is wrong because the question explicitly states the VPC has an internet gateway attached. Option D is wrong because the route table directs 0.0.0.0/0 to the internet gateway, so the route is correctly configured.

1428 · MCQ · medium

A company has a VPC with public and private subnets. They have a NAT gateway in a public subnet. They want to provide internet access to instances in private subnets. The NAT gateway is configured with an Elastic IP. The private instances still cannot access the internet. The route table for the private subnets has a default route (0.0.0.0/0) pointing to the NAT gateway. What is missing?

A. The network ACL for the private subnet allows outbound traffic
B. The private subnet route table is missing a route to the NAT gateway
C. The security group for the instances allows outbound traffic
D. The route table for the public subnet where the NAT gateway resides does not have a default route to an internet gateway
Answer: D

The NAT gateway needs internet access itself to forward traffic.

Why this answer

Option D is correct because the NAT gateway must sit in a public subnet whose route table has a default route to an internet gateway; otherwise the NAT gateway itself has no path to the internet. Option A is wrong because NACLs are usually permissive. Option C is wrong because security groups are stateful and allow outbound traffic by default.

Option B is wrong because the question states the private subnets' default route to the NAT gateway is already in place.

1429 · MCQ · medium

An engineer runs the command above for a subnet associated with this network ACL. The subnet's CIDR is 10.0.1.0/24. An EC2 instance in the subnet attempts to initiate an HTTPS connection to a server on the internet. What is the result?

A. The connection fails because the outbound rule does not allow HTTPS.
B. The connection succeeds because outbound traffic is allowed.
C. The connection fails because the inbound HTTPS return traffic is denied by rule 200.
D. The connection succeeds because inbound rule 100 allows HTTPS from the subnet.
Answer: C

Return traffic (SYN-ACK) from internet has source port 443, which matches inbound deny rule 200.

Why this answer

Option C is correct. Inbound rule 100 allows HTTPS only from the subnet's own CIDR (10.0.1.0/24), which is not where the return traffic comes from, and rule 200 denies all other inbound HTTPS. The outbound SYN to the internet server on port 443 is allowed by the outbound rules (there is no outbound deny), but because the network ACL is stateless, the inbound SYN-ACK from the internet (source port 443, destination an ephemeral port on the instance) is evaluated separately against the inbound rules. It does not match rule 100, so it reaches rule 200 and is dropped.

The connection therefore fails.

1430 · MCQ · hard

A company is designing a hub-and-spoke network in AWS. The security team requires that all traffic between VPCs in different spokes must be inspected by a third-party firewall deployed in the hub VPC. Which architecture meets this requirement with minimal complexity?

A. Create VPC peering connections between each spoke VPC and configure security groups to enforce inspection.
B. Use AWS PrivateLink to connect all spoke VPCs to a central service in the hub.
C. Use a Transit Gateway with separate route tables for each spoke VPC, and configure the spoke route tables to route all inter-spoke traffic through the hub VPC firewall.
D. Set up AWS Direct Connect between all VPCs and route through a central firewall.
Answer: C

This forces traffic through the inspection firewall.

Why this answer

Option C is correct because a Transit Gateway with per-spoke route tables whose default route points to the hub VPC forces all inter-spoke traffic through the firewall. Option A is wrong because VPC peering does not centralize inspection. Option B is wrong because AWS PrivateLink is for service access, not inter-VPC routing.

Option D is wrong because Direct Connect is for on-premises connectivity.

1431 · Multi-Select · medium

A company is designing a VPC with multiple subnets. They want to ensure that EC2 instances in a private subnet can access S3 buckets without going through a NAT Gateway or Internet Gateway. Which TWO methods can accomplish this?

Select 2 answers
A. Set up a VPN connection to S3
B. Create a Gateway VPC Endpoint for S3
C. Use AWS Direct Connect to access S3
D. Create an Interface VPC Endpoint for S3
E. Attach an Internet Gateway and use a NAT Gateway
Answers: B, D

Allows private subnet instances to access S3 without internet.

Why this answer

A Gateway VPC Endpoint for S3 allows EC2 instances in a private subnet to access S3 buckets privately using AWS’s internal network, without requiring an Internet Gateway or NAT Gateway. It uses prefix lists and route table entries to direct S3 traffic through the endpoint, leveraging the AWS global network for secure, low-latency access.

Exam trap

AWS often tests the misconception that only Gateway VPC Endpoints can access S3 privately, but Interface VPC Endpoints are also valid and are the correct answer when the question specifies 'multiple subnets' or 'on-premises connectivity' as a requirement.

1432 · MCQ · medium

A company has a VPC with multiple subnets. They want to capture and analyze network traffic between EC2 instances in the same VPC for troubleshooting. Which AWS service should be used?

A. VPC Flow Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon CloudWatch Metrics
Answer: A

Captures network traffic metadata for analysis.

Why this answer

VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol, packet/byte counts) at the VPC, subnet, or network interface level, enabling detailed analysis of traffic between EC2 instances within the same VPC. This is the correct service because it provides the network-level visibility needed for troubleshooting traffic flows without requiring agents or changes to the instances.

Exam trap

The trap here is that candidates confuse VPC Flow Logs with CloudTrail, thinking CloudTrail captures network traffic because it logs 'events,' but CloudTrail only logs AWS API calls, not the data-plane traffic between instances.

How to eliminate wrong answers

Option B (AWS CloudTrail) is wrong because it records API calls and management events, not network traffic flows; it cannot capture the actual IP packets or metadata between EC2 instances. Option C (AWS Config) is wrong because it evaluates resource configurations and compliance rules, not network traffic; it tracks changes to resources like security groups but does not log traffic flows. Option D (Amazon CloudWatch Metrics) is wrong because it collects performance metrics (e.g., CPU, network throughput) but does not capture per-flow metadata such as source/destination IPs, ports, or protocols needed for traffic analysis.

1433 · MCQ · hard

A company has a VPC with public and private subnets. The private subnets use a NAT gateway for outbound internet access. The security team notices that some EC2 instances in the private subnets are able to reach the internet, but others are not. All instances have the same security group and are in the same private subnet. What is the most likely cause?

A. The route table associated with the private subnet is missing a default route to the NAT gateway.
B. The network ACL is blocking outbound traffic on ephemeral ports.
C. The NAT gateway's security group is blocking traffic from some instances.
D. The internet gateway is not attached to the VPC.
Answer: A

Without a default route, instances cannot reach the internet via the NAT gateway.

Why this answer

Option A is correct because if the private subnet's route table has no default route to the NAT gateway, instances cannot reach the internet through it. Option C is incorrect because the NAT gateway's security group would have to allow inbound traffic, but by default it allows all inbound traffic from the VPC. Option B is incorrect because the NACL is stateless, and if it blocked outbound ephemeral ports it would affect all instances in the subnet equally.

Option D is incorrect because the internet gateway serves the public subnets; the private instances reach the internet through the NAT gateway.

1434 · Multi-Select · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They have created a VPC peering connection with another VPC (CIDR 10.1.0.0/16). They want to enable DNS resolution between the VPCs. Which TWO actions must be taken?

Select 2 answers
A. The requester must accept the peering connection with the 'Enable DNS Resolution' option checked.
B. Both VPCs must have the 'Enable DNS Resolution' attribute set to true in their VPC settings.
C. Ensure both VPCs are in the same AWS region.
D. The accepter must modify the peering connection to enable DNS resolution from their side.
E. The route tables must include a route for the peered VPC's CIDR.
Answers: A, B

The requester can enable DNS resolution when creating the peering connection.

Why this answer

Options B and D are correct. To enable DNS resolution across a VPC peering connection, the requester must accept the peering connection with DNS resolution enabled, and the accepter must update the route tables. Option A is wrong because cross-region peering is allowed, so the VPCs do not need to be in the same region.

Option C is wrong because the accepter does not need to modify the peering connection. Option E is wrong because DNS resolution settings are at the peering connection level, not the VPC level.

1435 · MCQ · easy

A company is deploying a new application in a VPC with public and private subnets. The application servers in the private subnets need to access the internet to download patches. Which configuration meets this requirement without allowing inbound internet traffic?

A. Attach an internet gateway to the private subnets and configure route tables accordingly.
B. Create a NAT gateway in a public subnet and add a route to the NAT gateway from the private subnets' route tables.
C. Establish a site-to-site VPN connection to an on-premises internet gateway.
D. Configure a VPC endpoint for the internet in the private subnets.
Answer: B

A NAT gateway allows outbound internet traffic from private subnets while preventing unsolicited inbound connections.

Why this answer

Option B is correct because a NAT gateway in a public subnet provides outbound internet access for instances in private subnets while blocking unsolicited inbound connections. Option A is wrong because an internet gateway attached to the private subnet would allow inbound traffic. Option D is wrong because a VPC endpoint provides private connectivity to AWS services, not general internet access.

Option C is wrong because a VPN connection provides private connectivity to a remote network, not internet access.

1436 · MCQ · hard

A company is deploying a web application across multiple AWS Regions using an Application Load Balancer (ALB) in each Region. The company wants to use AWS Global Accelerator to provide a static IP address and accelerate traffic. The application requires that client IP addresses be preserved in the backend logs. Which configuration should the network engineer use?

A. Use Network Load Balancers as endpoints in Global Accelerator.
B. Use VPC endpoints and AWS PrivateLink to route traffic through the Global Accelerator.
C. Use Amazon CloudFront in front of the ALBs with origin protocol policy set to HTTPS.
D. Use Application Load Balancers as endpoints and enable X-Forwarded-For header logging.
Answer: A

NLB preserves source IP addresses when used as a Global Accelerator endpoint.

Why this answer

Global Accelerator preserves the client IP address when a Network Load Balancer (NLB) is the endpoint, because the NLB passes the source IP through. An ALB terminates the client connection, so the client IP is not preserved unless X-Forwarded-For headers are used. Option A is correct because NLB with Global Accelerator preserves the client IP.

Option D is incorrect because an ALB does not preserve the client IP by default. Option C is incorrect because CloudFront does not provide static IP addresses and adds complexity. Option B is incorrect because VPC endpoints are not for internet-facing traffic.

1437 · Multi-Select · medium

A company is implementing a network security solution for a VPC that contains a web application. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets. The company wants to protect against common web exploits and also filter outbound traffic from the instances. Which TWO services should be used together?

Select 2 answers
A. AWS Shield Advanced
B. AWS WAF
C. AWS Network Firewall
D. Network ACLs
E. Amazon GuardDuty
Answers: B, C

WAF can be associated with the ALB to filter web requests.

Why this answer

Option B (AWS WAF) protects against web exploits at the ALB. Option C (AWS Network Firewall) provides stateful inspection and filtering of outbound traffic from the instances. Option A is wrong because Shield Advanced is for DDoS protection, not web request filtering.

Option D is wrong because NACLs are stateless and not suitable for content filtering. Option E is wrong because GuardDuty is a threat detection service, not a firewall.

1438 · MCQ · hard

A company has a large VPC with multiple workloads. They need to isolate development and production environments within the same VPC, but allow limited communication between them via specific ports. Which approach meets these requirements?

A. Place dev and prod in the same subnet and use security groups to filter traffic.
B. Use a single subnet and rely on network ACLs to separate traffic.
C. Create separate subnets for dev and prod, use network ACLs to allow only specific ports between them.
D. Create two VPCs and use VPC peering to allow communication.
Answer: C

Network ACLs are stateless and can control traffic between subnets effectively.

Why this answer

Option C is correct because network ACLs are stateless and can be used to allow only specific ports between subnets while keeping dev and prod in separate subnets. Option D is wrong because separate VPCs require peering or other connections, adding complexity. Option A is wrong because security groups are stateful and cannot easily be used to block return traffic.

Option B is wrong because NACLs apply at the subnet boundary and cannot isolate environments that share a single subnet.

1439 · MCQ · hard

A company uses AWS Shield Advanced for DDoS protection. During an attack, they notice that legitimate traffic is being throttled. Which configuration change should be made to reduce false positives while maintaining protection?

A. Reduce the rate limit in the Shield Advanced configuration.
B. Increase the rate limit threshold in the associated AWS WAF rate-based rule.
C. Disable the AWS WAF rate-based rule for the duration of the attack.
D. Increase the sensitivity of the AWS WAF web ACL.
Answer: B

A higher threshold allows more legitimate traffic before throttling.

Why this answer

Option B is correct because raising the rate limit threshold in the AWS WAF rate-based rule associated with Shield Advanced lets more legitimate traffic through before throttling begins, reducing false positives. Option C is wrong because disabling the rule removes the protection. Option D is wrong because 'sensitivity' is not a web ACL setting; rate limits are configured per rule.

Option A is wrong because Shield Advanced does not have a separate rate limit setting of its own.

1440 · MCQ · medium

A company is designing a VPC with public and private subnets. They need to allow instances in the private subnet to access the internet for software updates while preventing inbound internet traffic. Which AWS service should they use?

A. NAT Gateway
B. AWS Direct Connect
C. VPC Peering
D. Internet Gateway
Answer: A

NAT Gateway enables outbound traffic to the internet from private subnets.

Why this answer

Option A is correct because a NAT Gateway allows outbound internet traffic from private subnets while blocking unsolicited inbound traffic. Option D (Internet Gateway) would allow inbound traffic. Option C (VPC Peering) does not provide internet access.

Option B (Direct Connect) is a dedicated connection to on-premises networks, not internet access.

1441 · MCQ · hard

A network engineer is troubleshooting a VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA. The tunnel status shows 'UP' but no traffic passes. The engineer checks the route tables and finds the correct static routes on both sides. What should the engineer check next?

A. Review the IPsec phase 2 settings, including the traffic selectors.
B. Check the IKE phase 1 parameters (e.g., encryption, hash).
C. Verify that the pre-shared keys match.
D. Confirm that the VPC route table has a route to the on-premises subnet.
Answer: A

Phase 2 parameters or mismatched encryption domains could cause the tunnel to be UP but not pass traffic.

Why this answer

If the tunnel is up but no traffic passes, the issue is often in the phase 2 IPsec security associations (SAs) or a mismatch in the encryption domains (traffic selectors). Unlike phase 1, phase 2 can fail silently: IKE reports the tunnel as UP while no matching SA exists for the traffic.

1442 · MCQ · easy

A company is using AWS WAF to protect a web application behind an Application Load Balancer. They want to block requests from a specific IP address range. Which component should they use?

A. Security group associated with the ALB
B. IP set match condition in AWS WAF
C. AWS Shield Advanced
D. Network ACL on the ALB's subnets
Answer: B

AWS WAF uses IP sets to match IP addresses and can block them.

Why this answer

Option B is correct because AWS WAF IP set match conditions let you specify the IP addresses or ranges to block or allow. Option A is wrong because security groups are stateful instance-level firewalls, not the ALB's request-filtering layer. Option D is wrong because NACLs are stateless firewalls at the subnet level and are not integrated with the ALB.

Option C is wrong because AWS Shield Advanced is for DDoS protection, not IP-based blocking.

1443 · MCQ · easy

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC endpoint are allowed. Which type of policy should they use?

A. S3 bucket policy with aws:SourceVpce condition
B. S3 bucket policy with aws:SourceIp condition
C. IAM policy
D. VPC endpoint policy
Answer: A

Bucket policies can restrict access based on VPC endpoint ID.

Why this answer

Option A is correct because S3 bucket policies can use conditions such as aws:SourceVpce to restrict access to a specific VPC endpoint. Option C is wrong because IAM policies apply to users and roles, not to network-level restrictions. Option B is wrong because bucket policies cannot use aws:SourceIp to identify VPC endpoint traffic.

Option D is wrong because VPC endpoint policies apply to the endpoint itself, not to the S3 bucket.

1444 · MCQ · medium

A security team wants to block traffic from a specific IP address (203.0.113.5) from reaching an EC2 instance. The instance is in a public subnet with a security group that allows all traffic from the internet. A network ACL is associated with the subnet. The team adds a DENY rule for the IP in the network ACL. However, traffic from that IP still reaches the instance. What is the most likely reason?

A. The network ACL has an ALLOW rule with a lower rule number that matches the IP, so the DENY rule is never evaluated.
B. The security group allows traffic from the IP, overriding the network ACL.
C. The network ACL is applied to the wrong subnet.
D. The internet gateway is ignoring the network ACL.
Answer: A

Network ACLs are processed in rule number order; the first matching rule is applied.

Why this answer

Option A is correct. Network ACLs are stateless and need explicit inbound and outbound rules, but the problem here is ordering: rules are evaluated in ascending rule-number order and the first rule that matches the packet is applied. If an existing inbound ALLOW rule with a lower number (for example, a broad allow rule for internet traffic) matches packets from 203.0.113.5, the new DENY rule is never reached. The DENY only takes effect when it is given a rule number lower than the ALLOW rule that would otherwise match.

Option B is wrong because security groups are stateful but do not override network ACLs; both are evaluated. Option C is wrong because the question states the network ACL is associated with the subnet that contains the instance. Option D is wrong because the internet gateway operates at layer 3 and does not filter by IP; the network ACL is applied at the subnet regardless.
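Questions 1427 and 1444 both turn on how a network ACL evaluates packets: rules are checked in rule-number order, the first match wins, and no connection state is kept. The following Python model is added here as an illustration (it is not AWS code; the rule sets, rule numbers, addresses and ports are constructed from the two questions) and reproduces both situations: a missing inbound ephemeral-port rule dropping the SYN-ACK of an allowed outbound HTTPS connection, and an allow-all rule with a lower number shadowing a later DENY.

```python
"""Stateless network ACL evaluation, added here as an illustration (not AWS code).

A network ACL evaluates rules in ascending rule-number order, applies the first
match, and falls through to the implicit '*' deny. Because it keeps no
connection state, the reply to an allowed outbound connection must itself
match an inbound ALLOW rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # port range AWS documentation uses for return traffic
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    number: int        # evaluation order; lower numbers are checked first
    action: str        # "allow" or "deny"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple       # inclusive (low, high) range matched against the destination port
    protocol: str = "tcp"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def evaluate(rules, packet, direction):
    """Return (action, rule_number) for the first rule that matches the packet.

    direction is "inbound" (rule CIDR compared with the source address) or
    "outbound" (compared with the destination). No match means the implicit deny.
    """
    peer = ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if peer not in ip_network(rule.cidr):
            continue
        low, high = rule.ports
        if not low <= packet.dst_port <= high:
            continue
        return rule.action, rule.number
    return "deny", "*"


def connection_allowed(inbound, outbound, client_ip, client_port, server_ip, server_port):
    """Check both halves of a TCP connection opened from inside the subnet.

    The SYN is judged by the outbound rules; the SYN-ACK comes back with the
    ports swapped, so the inbound rules see the client's ephemeral port as the
    destination port. Both halves must be allowed for the connection to work.
    """
    syn = Packet(client_ip, client_port, server_ip, server_port)
    syn_ack = Packet(server_ip, server_port, client_ip, client_port)
    out_action, out_rule = evaluate(outbound, syn, "outbound")
    in_action, in_rule = evaluate(inbound, syn_ack, "inbound")
    return {
        "outbound": (out_action, out_rule),
        "return": (in_action, in_rule),
        "allowed": out_action == "allow" and in_action == "allow",
    }


# Question 1427 (constructed rule sets): outbound HTTPS is allowed, but only the
# second inbound set has the ephemeral-port rule that the reply needs.
HTTPS_OUT = [Rule(100, "allow", "0.0.0.0/0", (443, 443))]
NO_RETURN_RULE = []
WITH_RETURN_RULE = [Rule(100, "allow", "0.0.0.0/0", EPHEMERAL)]

# Question 1444 (constructed rule sets): an allow-all rule numbered 100 shadows a
# DENY numbered 110; renumbering the DENY below 100 makes it effective.
SHADOWED_DENY = [
    Rule(100, "allow", "0.0.0.0/0", ALL_PORTS),
    Rule(110, "deny", "203.0.113.5/32", ALL_PORTS),
]
DENY_FIRST = [
    Rule(90, "deny", "203.0.113.5/32", ALL_PORTS),
    Rule(100, "allow", "0.0.0.0/0", ALL_PORTS),
]
FROM_BLOCKED_IP = Packet("203.0.113.5", 40000, "10.0.1.10", 80)  # constructed sample packet

if __name__ == "__main__":
    for label, inbound in (("no return rule", NO_RETURN_RULE),
                           ("ephemeral return rule", WITH_RETURN_RULE)):
        result = connection_allowed(inbound, HTTPS_OUT,
                                    "10.0.1.10", 49152, "203.0.113.50", 443)
        print(f"1427, {label}: {result}")
    print("1444, shadowed:", evaluate(SHADOWED_DENY, FROM_BLOCKED_IP, "inbound"))
    print("1444, renumbered:", evaluate(DENY_FIRST, FROM_BLOCKED_IP, "inbound"))
```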

1445 · MCQ · hard

A company has a VPC with CIDR 10.0.0.0/16. They have two subnets: a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). An Application Load Balancer (ALB) is deployed in the public subnet, and EC2 instances are in the private subnet. The ALB has a target group pointing to the EC2 instances. The security group for the EC2 instances allows traffic from the ALB's security group on port 80. The network ACL for the private subnet allows inbound traffic on port 80 from the public subnet CIDR (10.0.1.0/24) and allows outbound ephemeral ports. However, the ALB health checks are failing with 503 errors. The network engineer checks the ALB logs and sees that TCP connections are established but HTTP requests are timing out. What is the most likely cause?

A. The network ACL for the private subnet does not allow inbound traffic from the ALB's security group.
B. The security group for the ALB does not allow outbound traffic to the targets.
C. The ALB health check is configured to use HTTPS but the target only listens on HTTP.
D. The route table for the private subnet does not have a route to the ALB's subnet.
Answer: C

This would cause the health check to fail with a timeout or non-200 response, resulting in 503.

Why this answer

Option C is correct. Work through the layers the question already settles. The network ACL for the private subnet allows inbound port 80 from 10.0.1.0/24, which is the public subnet the ALB nodes send health checks from, and it allows outbound ephemeral ports, which covers the responses back to the ALB's ephemeral source port (network ACLs are stateless, so that outbound rule is what lets the reply leave). The instance security group allows port 80 from the ALB's security group, and security groups are stateful, so the replies are allowed automatically. Routing within the VPC uses the local route, and the ALB logs confirm that TCP connections are being established, so neither routing nor port reachability is the problem.

That leaves the application layer: the TCP handshake completes, but the HTTP request times out. A health check configured for HTTPS against a target that only listens for plain HTTP on port 80 fits exactly. The TCP connection succeeds, the TLS handshake never completes, the health check times out or returns a non-200 result, and the ALB returns 503 because it has no healthy targets.

Option A is wrong because network ACLs cannot reference security groups at all; the statement is a distractor. Option B is wrong because security groups are stateful and the logs show TCP connections being established, so the ALB is reaching the targets. Option D is wrong because a missing route would prevent any connectivity, yet TCP connections are established.

1446 · MCQ · medium

A company has a VPC with public and private subnets in three Availability Zones. They want to provide outbound internet access to instances in private subnets while preventing inbound traffic from the internet. Which solution meets these requirements with the least operational overhead?

A. Deploy a NAT instance in a public subnet and configure the private subnet route table to point to it.
B. Attach an Internet Gateway to the VPC and add a default route to it in the private subnet route table.
C. Create a NAT Gateway in a public subnet and add a default route in the private subnet route table pointing to the NAT Gateway.
D. Create a VPC Gateway Endpoint for Amazon S3 and route outbound traffic through it.
Answer: C

NAT Gateway is a managed service, which reduces operational overhead.

Why this answer

Option C is correct because a NAT Gateway is a fully managed AWS service that provides outbound internet access for instances in private subnets while blocking unsolicited inbound connections. By placing the NAT Gateway in a public subnet and adding a default route (0.0.0.0/0) in the private subnet route table pointing to the NAT Gateway, traffic from private instances is source NATed to the NAT Gateway's Elastic IP, ensuring inbound traffic from the internet cannot reach the private instances. This solution offers the least operational overhead as AWS handles scaling, patching, and availability, unlike a self-managed NAT instance.

Exam trap

The trap here is that candidates often confuse a NAT Gateway with a NAT instance, assuming both offer similar operational overhead, or mistakenly think that an Internet Gateway can be used directly in private subnets, ignoring that it would allow inbound traffic from the internet.

How to eliminate wrong answers

Option A is wrong because a NAT instance requires manual management (e.g., patching, scaling, failover) and introduces higher operational overhead compared to a managed NAT Gateway, contradicting the 'least operational overhead' requirement. Option B is wrong because attaching an Internet Gateway and adding a default route to it in the private subnet route table would directly expose private instances to the internet, allowing unsolicited inbound traffic and violating the requirement to prevent inbound traffic. Option D is wrong because a VPC Gateway Endpoint for Amazon S3 only provides private connectivity to S3, not general outbound internet access to other destinations (e.g., HTTP/HTTPS to the internet), so it does not meet the requirement for outbound internet access.

1447 · MCQ · easy

A company has a web application running on EC2 instances behind an Application Load Balancer (ALB). The application stores files in an S3 bucket. The security team wants to ensure that the EC2 instances can only access the specific S3 bucket and no other AWS services. They have created an IAM role for the EC2 instances with a policy that grants s3:PutObject and s3:GetObject on the specific bucket. They have also attached a VPC endpoint for S3 to the VPC and added a bucket policy that allows access only from the VPC endpoint. Despite this, the EC2 instances can still access other S3 buckets. What is the most likely reason?

A. The VPC endpoint does not have a route table associated with the private subnets.
B. The security group on the VPC endpoint is allowing all traffic.
C. The VPC endpoint policy does not restrict access to the specific S3 bucket.
D. The IAM role does not have a trust policy that allows EC2 to assume it.
Answer: C

Without a restrictive endpoint policy, the VPC endpoint allows access to any S3 bucket, and if the instances have any other IAM policies (even default), they could access other buckets.

Why this answer

Option C is correct because the S3 bucket policy restricting access to the VPC endpoint only applies to that one bucket; the EC2 instances can still reach other buckets if their IAM permissions allow it, unless a VPC endpoint policy restricts access to the specific bucket. Option D is wrong because the IAM policy only grants access to the specific bucket; if the instances had other IAM policies attached, those might allow broader access, but the question implies only this policy is attached.

Option A is wrong because the route table for the private subnets must have a route to the VPC endpoint for S3; if it does not, traffic would go through the NAT Gateway instead of the endpoint, but that alone would not grant access to other buckets if the IAM policy is restrictive. Option B is wrong because the security group on the endpoint controls traffic to the endpoint, not what can be accessed through it. The most likely reason is therefore that the VPC endpoint policy does not restrict access to only the specific bucket.

1448
Drag & Dropmedium

Arrange the steps to configure a site-to-site VPN connection between an AWS Virtual Private Gateway and an on-premises Cisco ASA in the correct order.


Why this order

First, define the customer gateway, then create the VPN connection, apply the configuration, verify the tunnel, and finally configure routing.

1449
MCQeasy

A company is designing a network for a highly available application across multiple AWS regions. The application requires low-latency communication between regions and uses IP addresses that cannot change. Which AWS service should be used to connect the VPCs in different regions?

A.AWS Direct Connect
B.VPC Endpoints
C.VPC Peering
D.Internet Gateway
AnswerC

VPC peering supports inter-region connectivity.

Why this answer

Option C is correct because VPC peering provides low-latency, private connectivity between VPCs in different regions. Option B is wrong because VPC endpoints are intra-region only. Option A is wrong because Direct Connect is for on-premises connectivity.

Option D is wrong because an internet gateway is for internet-facing traffic.

1450
MCQmedium

A company is deploying a multi-tier web application on AWS. The web tier runs on EC2 instances behind an Application Load Balancer (ALB), and the application tier runs on EC2 instances that connect to an RDS MySQL Multi-AZ DB instance. The application tier must be isolated from the internet and only accessible from the web tier. Which network implementation meets these requirements with the LEAST administrative overhead?

A.Place the web tier in a public subnet and the application tier in a private subnet, and configure security groups to allow inbound traffic to the application tier only from the web tier's security group.
B.Create two VPCs: one for the web tier with a public subnet, and one for the application tier with a private subnet, and connect them using VPC peering.
C.Place the web tier in a public subnet and the application tier in a private subnet with a NAT gateway for outbound access, and use security groups to allow traffic from the web tier.
D.Place both tiers in the same public subnet, and use a network ACL to restrict traffic from the web tier to the application tier.
AnswerA

This achieves isolation with minimal overhead.

Why this answer

Option A is correct because placing the web tier in a public subnet and the application tier in a private subnet, with security groups allowing traffic only from the web tier's security group, is the standard design for multi-tier web applications with minimal overhead. Option D is wrong because a network ACL alone in a shared public subnet would not isolate the application tier from the internet; a private subnet is needed. Option C is wrong because a NAT gateway is unnecessary for the stated requirements (no outbound access is required) and adds cost.

Option B is wrong because using a separate VPC and VPC peering adds complexity.

1451
MCQhard

A global e-commerce company uses a hub-and-spoke network topology with a transit VPC in us-east-1. Each spoke VPC has an AWS Site-to-Site VPN connection to its respective on-premises office. Users report intermittent connectivity issues when accessing a web application hosted in a spoke VPC in eu-west-1 from an on-premises office in ap-southeast-1. The network engineer checks the VPN connection and finds it is up. Which design change would MOST likely resolve the issue?

A.Change the VPN connection from static to dynamic routing.
B.Enable jumbo frames on the transit VPC's EC2-based virtual appliances.
C.Enable BGP route propagation on the transit VPC's route tables.
D.Deploy a new transit VPC in eu-west-1.
AnswerB

Jumbo frames reduce overhead and improve throughput for large packets.

Why this answer

The issue is intermittent connectivity between an on-premises office in ap-southeast-1 and a spoke VPC in eu-west-1, traversing a transit VPC in us-east-1. The VPN is up, so the problem is likely packet fragmentation or MTU mismatch across the long-haul path. Enabling jumbo frames on the transit VPC's EC2-based virtual appliances (e.g., firewall or router instances) increases the maximum transmission unit, reducing fragmentation and improving performance for large packets, which is a common cause of intermittent issues in hub-and-spoke topologies.

Exam trap

The trap here is that candidates assume a 'VPN is up' means the issue is routing-related (e.g., BGP propagation or static vs. dynamic), but the real culprit is often subtle packet-level problems like MTU mismatch or fragmentation across a multi-region hub-and-spoke design.

How to eliminate wrong answers

Option A is wrong because changing from static to dynamic routing (e.g., BGP) addresses routing protocol convergence and failover, not intermittent connectivity caused by MTU or fragmentation; the VPN is already up, so routing is functional. Option C is wrong because enabling BGP route propagation on the transit VPC's route tables would only affect route advertisement and learning, not packet-level issues like fragmentation; the routes are already in place since the VPN is established. Option D is wrong because deploying a new transit VPC in eu-west-1 would add complexity and cost without addressing the root cause; the existing transit VPC in us-east-1 can handle cross-region traffic, and the problem is likely MTU-related, not latency or regional proximity.

1452
MCQmedium

A company is designing a multi-region active-active architecture with an Application Load Balancer in each region. Which service can route traffic to the closest ALB based on latency?

A.AWS Global Accelerator
B.Amazon Route 53 latency-based routing
C.Application Load Balancer cross-zone load balancing
D.Amazon CloudFront
AnswerB

Route 53 latency routing directs users to the region with lowest latency.

Why this answer

Amazon Route 53 latency-based routing directs traffic to the AWS region that provides the lowest latency for the end user, based on historical latency measurements between the user's ISP and each region. This makes it the correct choice for routing users to the closest Application Load Balancer in a multi-region active-active architecture.

Exam trap

The trap here is that candidates often confuse AWS Global Accelerator's 'nearest endpoint' behavior with latency-based routing, but Global Accelerator uses Anycast to direct traffic to the closest edge location, not to the region with the lowest application latency, making Route 53 latency-based routing the correct answer for this specific use case.

How to eliminate wrong answers

Option A is wrong because AWS Global Accelerator uses Anycast IPs and the AWS global network to route traffic to the nearest healthy endpoint, but it does not use latency measurements to select the closest ALB; it relies on edge location proximity and endpoint health. Option C is wrong because Application Load Balancer cross-zone load balancing distributes traffic evenly across targets within a single region, not across regions. Option D is wrong because Amazon CloudFront is a content delivery network that caches content at edge locations and does not route traffic to the closest ALB based on latency; it uses DNS and edge caches to serve content, not dynamic latency-based routing to origin ALBs.

1453
MCQmedium

A company's VPC has an internet gateway and a NAT Gateway in a public subnet. The private subnet route table has a default route pointing to the NAT Gateway. EC2 instances in the private subnet can access the internet, but cannot access an on-premises network connected via AWS Site-to-Site VPN. What is the most likely cause?

A.The private subnet route table does not have a route to the on-premises network via the virtual private gateway.
B.The NAT Gateway is not configured to route traffic to the VPN.
C.The internet gateway is not attached to the VPC.
D.The VPN connection is not advertising the on-premises CIDR via BGP.
AnswerA

Without a more specific route to the virtual private gateway, the default route to the NAT Gateway carries the on-premises traffic.

Why this answer

The private subnet route table has a default route (0.0.0.0/0) pointing to the NAT Gateway, which allows outbound internet traffic. However, traffic destined for the on-premises network must be routed via the Virtual Private Gateway (VGW) attached to the VPC. Since the route table lacks a specific route (e.g., 10.0.0.0/8) pointing to the VGW, packets to the on-premises CIDR are instead sent to the NAT Gateway, which drops them because it has no route or interface for the on-premises network.

Exam trap

AWS often tests the misconception that a NAT Gateway can forward traffic to a VPN or that the internet gateway is responsible for VPN routing, when in fact the route table's destination-based forwarding is the sole determinant of where traffic goes.

How to eliminate wrong answers

Option B is wrong because the NAT Gateway is a Layer 3 device that forwards traffic based on route tables; it does not perform routing decisions or have a configuration to 'route traffic to the VPN' — the route table controls where traffic goes. Option C is wrong because the internet gateway is correctly attached (the private instances can access the internet), so its attachment status is not the issue. Option D is wrong because even if the VPN connection is not advertising the on-premises CIDR via BGP, the VPC route table must still have a static or propagated route to the VGW; the absence of BGP advertisement would prevent route propagation, but the core problem is the missing route in the private subnet route table.

1454
MCQeasy

A company wants to ensure that traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the network engineer do to meet this requirement?

A.Create an AWS Site-to-Site VPN between the VPCs and disable the VPC peering connection.
B.Use TLS or IPsec at the application layer between instances.
C.Replace the VPC peering connection with a Transit Gateway and enable VPN encryption.
D.Enable encryption on the VPC peering connection.
AnswerB

Application-layer encryption provides encryption over the peering connection.

Why this answer

Option B is correct because VPC peering connections do not support native encryption of traffic. To meet the requirement for encryption in transit between two VPCs connected via a VPC peering connection, you must implement encryption at the application layer using TLS or IPsec between the instances. This ensures that traffic is encrypted end-to-end, independent of the underlying network path.

Exam trap

The trap here is that candidates often assume VPC peering connections are inherently encrypted because they use the AWS private network, but AWS does not encrypt traffic over VPC peering; encryption must be implemented at the application or instance layer.

How to eliminate wrong answers

Option A is wrong because creating an AWS Site-to-Site VPN between the VPCs would require a virtual private gateway and a customer gateway in each VPC, which is not supported for VPC-to-VPC connections without a Transit Gateway or a third-party appliance; additionally, disabling the VPC peering connection is unnecessary and does not solve the encryption requirement. Option C is wrong because replacing the VPC peering connection with a Transit Gateway does not inherently enable VPN encryption; you would need to attach VPN attachments to the Transit Gateway, which adds complexity and cost, and the question specifically states the VPCs are already connected via a VPC peering connection. Option D is wrong because VPC peering connections do not support enabling encryption natively; there is no toggle or setting to encrypt traffic over a VPC peering connection.

1455
Multi-Selecthard

A company is designing a network security architecture for a multi-account environment using AWS Organizations. They need to centrally manage and enforce security policies across all accounts. Which THREE services should they consider?

Select 3 answers
A.AWS Direct Connect
B.AWS Firewall Manager
C.AWS Security Hub
D.Amazon Route 53 Resolver DNS Firewall
E.AWS CloudTrail
AnswersB, C, E

Central management of firewall rules.

Why this answer

Options B, C, and E are correct: AWS Firewall Manager centrally manages firewall rules across accounts; AWS Security Hub provides a unified view of security alerts; AWS CloudTrail logs API calls across accounts. Option D is wrong because Amazon Route 53 Resolver DNS Firewall is not a central policy enforcement service. Option A is wrong because AWS Direct Connect is for connectivity, not policy enforcement.

1456
MCQeasy

A company is setting up a Direct Connect connection between its on-premises data center and AWS. The company wants to use a single virtual interface (VIF) to access multiple VPCs in the same AWS Region. Which AWS service should be used to achieve this?

A.Direct Connect gateway
B.VPC peering connection
C.AWS VPN CloudHub
D.Transit VPC
AnswerA

A Direct Connect gateway enables a single virtual interface to connect to multiple VPCs.

Why this answer

A Direct Connect gateway allows you to associate a single virtual interface with multiple VPCs in the same region or across regions. Option B is incorrect because a VPC peering connection does not use Direct Connect. Option C is incorrect because AWS VPN CloudHub is a VPN-based service, not a Direct Connect feature.

Option D is incorrect because a Transit VPC is an architectural pattern, not a service.

1457
Multi-Selecthard

A company is designing a VPC with IPv6. Which components are required to enable IPv6 communication between instances in the VPC and the internet? (Select TWO.)

Select 2 answers
A.An egress-only internet gateway
B.A route in the subnet route table to ::/0 to the internet gateway
C.A VPC peering connection to a VPC with internet access
D.An internet gateway
E.A NAT Gateway
AnswersB, D

This route enables IPv6 traffic to and from the internet.

Why this answer

To enable IPv6 communication between instances in a VPC and the internet, you need an internet gateway (IGW) attached to the VPC, and a route in the subnet's route table that directs IPv6 traffic (destination ::/0) to that internet gateway. The IGW performs NAT for IPv6 (using EUI-64 addresses) and allows bidirectional traffic, so both components are required.

Exam trap

The trap here is that candidates often confuse the egress-only internet gateway (for outbound-only IPv6) with the internet gateway (for bidirectional IPv6), or mistakenly think a NAT Gateway supports IPv6, when in fact NAT Gateways are IPv4-only and IPv6 requires an internet gateway for full internet access.

1458
MCQmedium

Refer to the exhibit. A security engineer applies this SCP to an AWS account. What is the effect of this policy?

A.All API calls over HTTPS will be allowed
B.Only S3 API calls will be affected
C.The policy requires multi-factor authentication
D.All API calls that are not made over HTTPS will be denied
AnswerD

The condition aws:SecureTransport false triggers a Deny on all actions.

Why this answer

Option D is correct because the policy denies all actions when the request is not made over HTTPS (aws:SecureTransport is false). Option A is wrong because the policy denies non-HTTPS calls rather than allowing HTTPS calls. Option B is wrong because the policy applies to all services, not only S3.

Option C is wrong because the policy does not require MFA; it requires HTTPS.
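
The two policy shapes the explanations above rely on, the VPC endpoint policy of question 1447 that limits S3 access to one bucket and the SCP of question 1458 that denies every call not made over HTTPS, as an added Python example that is not from the exam page (the 1458 exhibit is not reproduced here, so that SCP is reconstructed from the explanation). The bucket name is a placeholder, evaluate and scp_blocks are this example's own helpers, and only the policy-language subset the questions use (Effect, Action, Resource, Bool and StringEquals conditions) is implemented; Principal is ignored.

```python
"""Minimal evaluator for the VPC endpoint policy (1447) and HTTPS-only SCP (1458).

Added example, not taken from the exam page or from AWS. Bucket name is a
placeholder; only the policy-language subset the questions rely on is
handled, and the Principal element is ignored.
"""
import fnmatch
from typing import Dict, List, Optional, Union

JsonStrings = Union[str, List[str]]


def _as_list(value: JsonStrings) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns: JsonStrings, candidate: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict, context: Dict[str, str]) -> bool:
    """All condition operators and keys must hold; a missing context key fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy: Dict, action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a single request.

    Follows the IAM rule that an explicit Deny overrides any Allow.
    """
    context = context or {}
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def scp_blocks(scp: Dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """A Deny-only SCP blocks a call exactly when it yields an explicit Deny;
    the Allow side comes from the default FullAWSAccess SCP, not from this document."""
    return evaluate(scp, action, resource, context) == "Deny"


# Constructed VPC endpoint policy (question 1447): only the application bucket
# is reachable through the endpoint, whatever the caller's IAM policy allows.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::app-bucket-placeholder/*",
    }],
}

# Constructed SCP (question 1458): deny every action unless the request is HTTPS.
HTTPS_ONLY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    print(evaluate(ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::app-bucket-placeholder/a.txt"))  # Allow
    print(evaluate(ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/a.txt"))  # ImplicitDeny
    print(scp_blocks(HTTPS_ONLY_SCP, "ec2:DescribeInstances", "*", {"aws:SecureTransport": "false"}))  # True
```

The endpoint policy produces an implicit deny for every bucket it does not name, which is exactly the control question 1447 says is missing; the SCP produces an explicit deny only when aws:SecureTransport is false, so HTTPS calls fall through to whatever the account's IAM policies allow.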

1459
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The connection uses a private virtual interface (VIF) and BGP. The network team recently added a new CIDR block (10.0.3.0/24) to the VPC. They updated the VPC's route table to include a route to the on-premises network. However, the on-premises network cannot reach resources in the new subnet. The BGP session is up, and the Direct Connect gateway is configured. What should the network team do to resolve the issue?

A.Add a static route in the on-premises router pointing to the Direct Connect interface.
B.Set up a new VPN connection as a backup and route traffic over VPN.
C.Add the new CIDR block (10.0.3.0/24) to the Direct Connect gateway's allowed prefixes.
D.Create a new private VIF for the new CIDR block.
AnswerC

This allows the Direct Connect gateway to advertise the new prefix to the on-premises network via BGP.

Why this answer

When a new CIDR is added to a VPC, the Direct Connect gateway does not automatically advertise the new prefix to the on-premises router. The team needs to ensure that the VPC's CIDR is included in the Direct Connect gateway's allowed prefixes. Option C is correct because the new CIDR must be added to the allowed prefixes list for the Direct Connect gateway to advertise it via BGP.

Option B is incorrect because it would route traffic over the VPN rather than over Direct Connect.

1460
Multi-Selecthard

A network engineer is diagnosing a connectivity issue between two VPCs connected via VPC peering. The engineer has confirmed that the route tables in both VPCs have appropriate routes and the security groups allow traffic. However, traffic from VPC A to VPC B fails. Which TWO steps should the engineer take to troubleshoot? (Select TWO.)

Select 2 answers
A.Check the network ACL of the subnet in VPC B where the target instance resides.
B.Confirm that both VPCs are in the same AWS account.
C.Verify the VPC peering connection status is active.
D.Check the operating system firewall on the target instance.
E.Enable VPC Flow Logs on both VPCs to analyze traffic.
AnswersA, D

NACLs are stateless and may block inbound traffic.

Why this answer

Option A is correct because checking the NACL of the subnet in VPC B where the target instance resides can reveal whether inbound traffic is blocked. Option D is correct because an OS-level firewall on the target instance in VPC B can block traffic even when the AWS network path is open. Option C is wrong because the peering connection status is active; if it were pending or deleted, it would be obvious.

Option B is wrong because cross-account configuration is not mentioned. Option E is wrong because VPC Flow Logs are useful but not the first step for a basic connectivity check.

1461
MCQhard

A network engineer is designing a VPC with private subnets for workloads that must not have direct internet access. However, the workloads need to download patches from a specific third-party vendor's IP range. Which solution minimizes the attack surface?

A.Create a managed prefix list for the vendor's IPs and add a route in the private subnet route table to a NAT gateway, with the prefix list as destination
B.Configure a VPC endpoint for the vendor's service
C.Deploy a proxy server in a public subnet and configure the workloads to use it for all internet traffic
D.Establish a VPN connection to the vendor's network and route all traffic to the vendor through the VPN
AnswerA

Restricts egress to only vendor IPs.

Why this answer

Option A is correct because a managed prefix list used as the destination in the private subnet route table allows traffic only to the vendor's IPs via the NAT gateway. Option D is wrong because a VPN to the vendor introduces unnecessary complexity and trust. Option C is wrong because a proxy server forwards all internet traffic, not just traffic to the vendor.

Option B is wrong because a VPC endpoint is for AWS services only.

1462
MCQeasy

A company has a VPC with CIDR 10.0.0.0/16 and needs to connect to an on-premises network using AWS Direct Connect. The on-premises CIDR is 10.1.0.0/16. To enable communication between the VPC and on-premises, which component must be configured?

A.Attach an Internet Gateway to the VPC and configure a NAT gateway
B.Create a VPC peering connection between the VPC and the on-premises network
C.Attach a Virtual Private Gateway to the VPC and update route tables
D.Create a Transit Gateway and attach the VPC and Direct Connect
AnswerC

A Virtual Private Gateway is required for Direct Connect connectivity, and appropriate routes must be added in the VPC route tables to route traffic to the on-premises network via the VGW.

Why this answer

To connect a VPC to an on-premises network over AWS Direct Connect, you must attach a Virtual Private Gateway (VGW) to the VPC. The VGW serves as the VPN concentrator on the AWS side, terminating the Direct Connect virtual interface (VIF) and enabling BGP peering for route exchange. You then update the VPC route tables to point the on-premises CIDR (10.1.0.0/16) to the VGW, allowing traffic to flow between the VPC and the on-premises network.

Exam trap

AWS often tests the misconception that a Transit Gateway is always required for Direct Connect, but the exam trap here is that a Virtual Private Gateway is the fundamental component for terminating a Direct Connect private VIF to a single VPC.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway (IGW) and NAT gateway are used for internet-bound traffic, not for private connectivity to on-premises networks via Direct Connect. Option B is wrong because VPC peering connects two VPCs within AWS, not a VPC to an on-premises network; it cannot extend beyond the AWS cloud. Option D is wrong because while a Transit Gateway can simplify multi-VPC and Direct Connect attachments, it is not strictly required for a single VPC connection; the question asks for the component that must be configured, and a VGW is the mandatory component for Direct Connect private VIF connectivity.
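
The route-table behaviour behind questions 1453, 1457 and 1462 (longest-prefix match, a specific on-premises route to the VGW beating the NAT default, and IPv6 needing its own ::/0 route), as an added Python example that is not part of the exam page. The route tables are constructed for those scenarios, and nat-gw, vgw, igw and local are placeholder target names rather than AWS identifiers.

```python
"""Longest-prefix-match route lookup, as a VPC subnet route table performs it.

Added example, not from the exam page. Route tables are constructed for
questions 1453, 1457 and 1462; target names are placeholders.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)


def lookup(routes: Iterable[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route that matches dst_ip.

    A /16 route beats 0.0.0.0/0, so a NAT default route only carries traffic
    for which no narrower route exists. IPv4 and IPv6 are matched separately:
    an IPv6 packet never matches an IPv4 default route. Returns None when no
    route matches, i.e. the packet is dropped.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != addr.version:
            continue
        if addr in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


def where_does_it_go(routes: Iterable[Route], dst_ip: str) -> str:
    return lookup(routes, dst_ip) or "dropped (no route)"


# Question 1453: private subnet with only a NAT default route. On-premises
# traffic (10.1.0.0/16, per question 1462) has no route of its own.
BROKEN_PRIVATE_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-gw"),
]

# The fix: a specific route for the on-premises CIDR to the Virtual Private Gateway.
FIXED_PRIVATE_RT: List[Route] = BROKEN_PRIVATE_RT + [
    ("10.1.0.0/16", "vgw"),
]

# Question 1457: a dual-stack public subnet needs ::/0 to the IGW as well as
# 0.0.0.0/0. The VPC IPv6 CIDR below is a constructed documentation prefix.
DUAL_STACK_PUBLIC_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("2001:db8::/56", "local"),
    ("0.0.0.0/0", "igw"),
    ("::/0", "igw"),
]

# The same subnet with the IPv6 default route missing: IPv6 internet traffic is dropped.
IPV4_ONLY_DEFAULT_RT: List[Route] = DUAL_STACK_PUBLIC_RT[:3]

if __name__ == "__main__":
    for name, rt in (("broken", BROKEN_PRIVATE_RT), ("fixed", FIXED_PRIVATE_RT)):
        print(f"{name}: 10.1.5.20 -> {where_does_it_go(rt, '10.1.5.20')}")
        print(f"{name}: 203.0.113.50 -> {where_does_it_go(rt, '203.0.113.50')}")
    print("dual-stack: 2001:db8:ff00::1 ->", where_does_it_go(DUAL_STACK_PUBLIC_RT, "2001:db8:ff00::1"))
    print("ipv4-only default: 2001:db8:ff00::1 ->", where_does_it_go(IPV4_ONLY_DEFAULT_RT, "2001:db8:ff00::1"))
```

Running it shows the on-premises address leaving through the NAT Gateway under the broken table and through the VGW once the /16 route exists, and an external IPv6 address being dropped until ::/0 is present.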

1463
Multi-Selecthard

Which TWO of the following are best practices for securing a VPC with AWS Network Firewall? (Choose two.)

Select 2 answers
A.Deploy firewall endpoints in at least two Availability Zones for high availability.
B.Use only stateless rules to minimize processing overhead.
C.Configure stateful rule groups to inspect traffic at the application layer.
D.Use Network Firewall only for outbound traffic filtering.
E.Deploy the firewall in the same subnet as the workload for low latency.
AnswersA, C

Ensures resilience.

Why this answer

Correct: A (deploy in multiple AZs for HA) and C (use stateful rule groups for traffic inspection). E is wrong because the firewall endpoint should be in a dedicated subnet, not the workload subnet. B is wrong because stateless-only rules are not the primary use case.

D is wrong because Network Firewall supports both stateful and stateless inspection and is not limited to outbound filtering.

1464
MCQmedium

A company is deploying a multi-tier web application in a VPC with public and private subnets. The web servers in the public subnets must be able to initiate outbound connections to the internet for software updates, but must not be directly accessible from the internet. Which configuration meets these requirements?

A.Deploy a NAT instance in a private subnet and add a default route to the NAT instance in the private subnet's route table.
B.Deploy an Application Load Balancer (ALB) in a public subnet and route outbound traffic through the ALB.
C.Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the public subnet's route table.
D.Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet's route table.
AnswerD

A NAT Gateway in a public subnet enables instances in private subnets to initiate outbound traffic to the internet while remaining inaccessible from the internet.

Why this answer

Option D is correct because a NAT Gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet while remaining unreachable from the internet. Option C is wrong because an Internet Gateway with a default route alone would allow inbound traffic. Option A is wrong because a NAT instance in a private subnet cannot reach the internet.

Option B is wrong because an ALB does not provide outbound internet access.

1465
MCQmedium

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all Amazon S3 buckets in the organization are encrypted at rest. Which policy should be attached to the root organizational unit to enforce this requirement?

A.Configure AWS Config rules to mark non-compliant buckets and trigger a Lambda function to add encryption.
B.Create an IAM role in each account that requires encryption for any S3 operation.
C.Use an S3 bucket policy on every existing and future bucket to deny unencrypted uploads.
D.Attach a service control policy (SCP) that denies s3:CreateBucket unless the bucket has default encryption enabled.
AnswerD

SCPs can enforce encryption at the organizational level.

Why this answer

A service control policy (SCP) attached to the root OU can deny creation of S3 buckets without default encryption, enforcing encryption across all accounts. Option D is correct because SCPs allow you to centrally control permissions. Option B is wrong because IAM roles are per-account.

Option C is wrong because bucket policies are per-bucket, not organization-wide. Option A is wrong because AWS Config rules can detect but not enforce in real time.

1466
MCQeasy

A company is designing a multi-region application with active-active configuration. They need a global DNS service that can route users to the nearest healthy endpoint and automatically failover to another region if an endpoint becomes unhealthy. Which AWS service should be used?

A.Amazon CloudFront
B.Elastic Load Balancer
C.Amazon Route 53 with latency-based routing and health checks
D.AWS Global Accelerator
AnswerC

Route 53 latency routing directs traffic to the region with the lowest latency, and health checks enable failover.

Why this answer

Option C is correct because Amazon Route 53 with latency-based routing routes to the region with the lowest latency, and health checks enable failover. Option D is wrong because AWS Global Accelerator provides static IP addresses and improves performance, but it does not provide DNS-level routing with health-based failover. Option A is wrong because CloudFront is a CDN.

Option B is wrong because ELB is regional.

1467
MCQmedium

An application running on EC2 instances needs to access a DynamoDB table. The security team requires that traffic does not traverse the internet. Which solution should be used?

A.Create a VPC Gateway Endpoint for DynamoDB.
B.Create a VPC Interface Endpoint for DynamoDB.
C.Attach an Internet Gateway to the VPC.
D.Deploy a NAT gateway and update the route table.
AnswerA

Provides private connectivity to DynamoDB.

Why this answer

Option A is correct because a VPC Gateway Endpoint for DynamoDB provides private access. Option D is wrong because a NAT gateway routes to the internet. Option C is wrong because an Internet Gateway provides internet access.

Option B is wrong because a VPC Interface Endpoint is used for services such as API Gateway; DynamoDB uses a Gateway Endpoint.

1468
Matchingmedium

Match each BGP attribute to its role in route selection.

Matches

Cisco-proprietary attribute, highest weight preferred

Used to influence outbound traffic from an AS

Shorter path is preferred

Used to influence inbound traffic to an AS

IP address of the next router to reach the destination

Why these pairings

These BGP attributes are important for route selection in hybrid networking.

1469
MCQhard

A company is deploying an AWS Network Firewall in a centralized inspection VPC and needs to send traffic from multiple VPCs through it. The VPCs are attached to a Transit Gateway. What configuration is required to route traffic to the firewall?

A.Create a Transit Gateway route table with a route to the Network Firewall endpoint and attach the VPCs to it.
B.Create a VPC Gateway Endpoint for the firewall service.
C.Add a route in each VPC's subnet routing table pointing to the firewall's elastic network interface.
D.Configure a NAT gateway in each VPC and route traffic through it.
AnswerA

This ensures traffic is routed through the firewall.

Why this answer

Option A is correct because the Transit Gateway route table must have a route pointing to the firewall's endpoint, and the firewall must be configured with the appropriate rules. Option D is wrong because NAT gateways do not route traffic to firewalls. Option B is wrong because VPC endpoints are for accessing AWS services.

Option C is wrong because subnet routes cannot point to the firewall directly without an endpoint.

1470
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They want to extend connectivity to an on-premises data center that does not support BGP. What is the simplest way to achieve this?

A.Use AWS Site-to-Site VPN with static routing to a Transit Gateway
B.Create a VPC peering connection between the VPC and the on-premises network
C.Create a Direct Connect Gateway and attach the VPC
D.Set up a VPN CloudHub with multiple VPN connections
AnswerA

Transit Gateway supports VPN attachments with static routes, which does not require BGP on the on-premises side.

Why this answer

A Transit Gateway with a VPN attachment can connect to the on-premises network over the internet using static routes if BGP is not supported. Direct Connect Gateway only works with BGP. VPC peering is not for on-premises.

VPN CloudHub requires multiple VPN connections. The simplest is to use a VPN connection to the Transit Gateway with static routing.

1471
MCQhard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance has a NAT Gateway in the public subnet. However, the instance cannot reach the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause?

A.The NAT Gateway does not have an Elastic IP address attached.
B.The security group for the EC2 instance blocks outbound traffic.
C.The network ACL for the private subnet blocks outbound traffic.
D.The private subnet route table does not have a route to the internet gateway.
AnswerA

Without EIP, NAT Gateway cannot communicate with internet.

Why this answer

Option A is correct: the NAT Gateway's Elastic IP must be associated, otherwise traffic cannot be translated. Option D is wrong because the route is already present.

Option C is wrong because NACLs are stateless and would affect both directions if misconfigured. Option B is wrong because security groups are stateful and allow return traffic.

1472
MCQeasy

A network engineer runs the above command and sees that VPC Flow Logs are configured for a VPC. The engineer wants to analyze rejected traffic to troubleshoot a connectivity issue. Which field in the flow log records should they examine?

A.protocol
B.action
C.srcaddr
D.dstport
AnswerB

Shows whether traffic was accepted or rejected.

Why this answer

Option B is correct because the 'action' field in VPC Flow Logs indicates ACCEPT or REJECT. Option C is wrong because 'srcaddr' is the source IP. Option D is wrong because 'dstport' is the destination port.

Option A is wrong because 'protocol' is the protocol number.

1473
Multi-Selectmedium

A company is designing a highly available network in AWS. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to use BGP as the routing protocol. Which TWO actions should be taken to ensure high availability?

Select 2 answers
A.Use the same BGP community values for both connections
B.Advertise the same on-premises prefixes over both connections with different AS_PATH prepend values
C.Enable jumbo frames on both connections
D.Configure multiple virtual interfaces on a single Direct Connect connection
E.Configure separate BGP sessions for each Direct Connect connection
AnswersB, E

Allows path selection and failover.

Why this answer

Options B and E are correct because using separate BGP sessions and advertising the same prefixes with different AS_PATH prepending provides path selection and redundancy. Option A is wrong because the same community values do not help with path selection. Option D is wrong because only one VIF per connection is needed.

Option C is wrong because jumbo frames do not affect availability.

1474
MCQhard

A company is deploying a multi-region application using two AWS Regions. They want to use an AWS Transit Gateway to interconnect VPCs within each region, and they need to interconnect the Transit Gateways across regions. Which is the most scalable and reliable approach?

A.Use Transit Gateway peering attachments between the Transit Gateways in each region.
B.Create a VPC peering connection between VPCs in different regions and attach them to the Transit Gateways.
C.Use AWS Site-to-Site VPN connections between the Transit Gateways in each region.
D.Set up a Direct Connect gateway with virtual interfaces in each region and propagate routes.
AnswerA

Transit Gateway peering is the native, scalable, and reliable method to interconnect Transit Gateways across regions.

Why this answer

AWS Transit Gateway supports inter-region peering, which is the recommended method for connecting Transit Gateways across regions. Option A is correct. Option B is incorrect because VPC peering does not natively interconnect Transit Gateways.

Option D is incorrect because Direct Connect can connect on-premises to multiple regions but is not designed primarily for interconnecting Transit Gateways. Option C is incorrect because VPN connections add complexity and lower throughput compared to Transit Gateway peering.

1475
MCQhard

Based on the VPC Flow Logs entry, which of the following statements is correct?

A.The destination port is 443
B.The protocol used is UDP
C.The source IP address is 10.0.2.10
D.The traffic originated from a web server (port 443) and was sent to a client (port 80)
AnswerD

Source port 443 indicates the server is sending data to a client on port 80.

Why this answer

Option D is correct because the source port is 443 (HTTPS) and the destination port is 80 (HTTP). The protocol number 6 indicates TCP. The ACCEPT shows the traffic was allowed.

Option C is wrong because the source is 10.0.1.5. Option A is wrong because the destination port is 80. Option B is wrong because the protocol is TCP (6).
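The two flow-log questions above (1472 on the action field, 1475 on reading a record) both turn on the default record format. The parser below is an added example, not part of the question bank; it builds its own sample records, and the account id, ENI id, timestamps and the destination address of the first record are placeholders.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Field order of the default VPC Flow Logs record format (version 2).
DEFAULT_FIELDS = (
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
)

# IANA protocol numbers as written in the `protocol` field.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Port range AWS recommends opening inbound on a NACL for return traffic.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str  # ACCEPT or REJECT: the field to filter on when chasing dropped traffic

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))

    def is_reply_to_ephemeral_port(self) -> bool:
        """A well-known source port talking to a high destination port is the shape
        of response traffic; a stateless NACL needs an explicit inbound rule for it."""
        return self.srcport < EPHEMERAL_LOW and EPHEMERAL_LOW <= self.dstport <= EPHEMERAL_HIGH


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record. Returns None for NODATA/SKIPDATA records,
    whose address, port and action fields are '-' instead of values."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}")
    fields = dict(zip(DEFAULT_FIELDS, parts))
    if fields["log-status"] != "OK":
        return None
    return FlowRecord(
        interface_id=fields["interface-id"],
        srcaddr=fields["srcaddr"],
        dstaddr=fields["dstaddr"],
        srcport=int(fields["srcport"]),
        dstport=int(fields["dstport"]),
        protocol=int(fields["protocol"]),
        packets=int(fields["packets"]),
        byte_count=int(fields["bytes"]),
        action=fields["action"],
    )


def rejected_flows(lines: Iterable[str]) -> List[FlowRecord]:
    """Question 1472: keep only records whose `action` field is REJECT."""
    records = (parse_record(line) for line in lines if line.strip())
    return [r for r in records if r is not None and r.action == "REJECT"]


def describe(record: FlowRecord) -> str:
    """Question 1475: spell out the 5-tuple and verdict a record carries."""
    return (f"{record.protocol_name} {record.srcaddr}:{record.srcport} -> "
            f"{record.dstaddr}:{record.dstport} {record.action}")


# Constructed sample records. Account id, ENI id, timestamps and the destination
# address of the first line are placeholders; its other values match the ones
# question 1475 cites (source 10.0.1.5, ports 443 -> 80, protocol 6, ACCEPT).
SAMPLE_LINES = [
    "2 123456789012 eni-0123456789abcdef0 10.0.1.5 10.0.2.10 443 80 6 10 8400 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 10.0.1.5 198.51.100.7 49152 443 6 5 320 1620000000 1620000060 ACCEPT OK",
    "2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.5 443 49152 6 3 180 1620000000 1620000060 REJECT OK",
    "2 123456789012 eni-0123456789abcdef0 - - - - - - - 1620000000 1620000060 - NODATA",
]

if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_LINES):
        if rec is not None:
            print(describe(rec))
    for rec in rejected_flows(SAMPLE_LINES):
        hint = " (reply to an ephemeral port: check the NACL inbound rules)" if rec.is_reply_to_ephemeral_port() else ""
        print("REJECT:", describe(rec) + hint)
```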

1476
MCQeasy

A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via Direct Connect. The on-premises network can reach some VPCs but not others. All VPCs are attached to the same Transit Gateway. What should the engineer check first?

A.The VPC flow logs for the unreachable VPCs.
B.The Transit Gateway route tables and associations.
C.The Direct Connect virtual interface status.
D.The BGP session between the on-premises router and the Direct Connect router.
AnswerB

Route tables determine the connectivity between attachments; misconfiguration is the likely cause.

Why this answer

The Transit Gateway route tables control which VPCs and attachments can communicate. If some VPCs are in a different route table or if propagation is not configured, traffic may not be routed correctly.

1477
MCQhard

A company has a Direct Connect connection with a private VIF and a public VIF. The private VIF is used to access VPC resources, and the public VIF is used to access AWS public services. Recently, the company enabled AWS Global Accelerator for its application. The network team notices that traffic to the application via Global Accelerator is not using the Direct Connect connection but is going over the internet. What should the team do to ensure traffic uses the Direct Connect public VIF?

A.Configure a VPN connection over the Direct Connect public VIF to route Global Accelerator traffic
B.Advertise the Global Accelerator IP addresses on the on-premises router to route traffic via the public VIF
C.Attach a Direct Connect gateway to the Global Accelerator
D.Create a private VIF for Global Accelerator traffic
AnswerA

Global Accelerator traffic normally goes over the internet; a VPN over the public VIF gives control over the routing and can force that traffic across Direct Connect.

Why this answer

Option A is correct because Global Accelerator uses anycast IPs that are advertised over the public internet; to route traffic via Direct Connect, the on-premises routes must point to the public VIF. Option B is wrong because private VIF is for VPC access, not public services. Option C is wrong because the Direct Connect gateway is for private VIFs.

Option D is wrong because VPN is not required.

1478
MCQmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. The network team notices that traffic between two VPCs in different regions is being dropped intermittently. What is the most likely cause?

A.Transit Gateway cannot route traffic between VPCs in different regions without inter-region peering
B.Security groups in the source VPC are blocking traffic
C.Route tables in the Transit Gateway are not propagating routes correctly
D.NAT Gateway in the source VPC is causing asymmetric routing
AnswerA

Transit Gateway is regional; inter-region connectivity requires explicit peering.

Why this answer

Option A is correct because Transit Gateway is a regional resource and does not carry traffic to another region on its own; traffic between VPCs in different regions must go through a VPN or Direct Connect, or through Transit Gateway inter-region peering (which must be explicitly configured). Option B is incorrect because security groups are stateful and would not drop traffic intermittently. Option C is incorrect because route propagation does not cause intermittent drops.

Option D is incorrect because a NAT Gateway is used for outbound traffic to the internet, not for inter-VPC traffic.

1479
MCQhard

An EC2 instance with the attached IAM role is unable to download objects from an S3 bucket. The instance is in a VPC with CIDR 10.0.0.0/16. The S3 bucket policy allows access from the VPC. What is the most likely reason for the failure?

A.The IAM policy does not include an Allow for the s3:GetObject action.
B.The condition aws:SourceIp does not match the source IP of the request because the traffic is routed through a VPC Gateway Endpoint.
C.The S3 bucket policy has an explicit deny for the IAM role.
D.The IAM role does not have permission to list the bucket, which is required for the download operation.
AnswerD

Many SDK clients perform a ListObjects call first, which is not allowed by the policy, causing the download to fail.

Why this answer

Option D is correct. The attached IAM policy allows s3:GetObject but contains no Allow for s3:ListBucket. Many SDK clients and tools issue a ListObjects call before fetching an object, and that call is denied, so the download fails even though GetObject on a known key would be permitted. This is a common cause of this symptom.

Option B looks plausible but does not hold up. With a VPC Gateway Endpoint, the source IP that S3 sees is the instance's own private IP, which lies within 10.0.0.0/16, so the aws:SourceIp condition in the policy is satisfied. The condition would only fail if the instance bypassed the endpoint and reached S3 over the internet with a public source IP, and the question places the instance in the VPC.

Option A is incorrect because the policy does include an Allow for s3:GetObject. Option C is incorrect because there is no explicit deny; the question states that the bucket policy allows access from the VPC.

1480
MCQeasy

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. It needs to add an additional non-overlapping CIDR for new workloads. Which CIDR should be used?

A.10.0.0.0/24
B.10.1.0.0/16
C.10.0.1.0/24
D.10.0.0.0/8
AnswerB

This CIDR is outside the existing 10.0.0.0/16 range.

Why this answer

Option B (10.1.0.0/16) is correct because it provides a non-overlapping CIDR block that does not conflict with the existing VPC CIDR of 10.0.0.0/16. In AWS, when adding a secondary CIDR to a VPC, the new block must not overlap with the existing VPC CIDR or any of its subnets. The 10.1.0.0/16 range is entirely separate from 10.0.0.0/16, satisfying this requirement.

Exam trap

The trap here is that candidates often assume any non-overlapping private IP range is acceptable, but they overlook that the new CIDR must also be from the same RFC 1918 address space and not conflict with any existing subnets, not just the VPC CIDR itself.

How to eliminate wrong answers

Option A is wrong because 10.0.0.0/24 is a subnet of the existing 10.0.0.0/16 CIDR, which would cause an overlap and is not allowed when adding a secondary CIDR to a VPC. Option C is wrong because 10.0.1.0/24 is also a subnet within the existing 10.0.0.0/16 range, resulting in an overlap. Option D is wrong because 10.0.0.0/8 is a supernet that contains the existing 10.0.0.0/16 CIDR, causing an overlap and violating the non-overlapping requirement for VPC CIDR blocks.

1481
MCQhard

A company is designing a network architecture for a critical application that requires high availability and low latency. The application will be deployed on EC2 instances in an Auto Scaling group across three Availability Zones in a single region. The instances will communicate with an Amazon RDS database. Which configuration will provide the MOST resilient and performant network connectivity?

A.Launch a single RDS instance in a public subnet and use Route 53 latency-based routing to direct traffic.
B.Use a Network Load Balancer in front of the RDS instance to distribute connections across Availability Zones.
C.Place the RDS instance in a single Availability Zone and use a read replica in another AZ for failover.
D.Create an RDS Multi-AZ cluster with one writer and two reader instances in different AZs, and use the cluster endpoint for writes and reader endpoint for reads.
AnswerD

Multi-AZ cluster provides automatic failover and low-latency reads across AZs.

Why this answer

Placing RDS in a database subnet group across multiple AZs and using a Multi-AZ cluster provides high availability and low latency by keeping a database endpoint available in the same AZ as the application instances where possible. Option A is wrong because a single RDS instance creates a single point of failure. Option B is wrong because a Network Load Balancer in front of RDS is not a standard configuration.

Option C is wrong because a single RDS instance in one AZ is not highly available.

1482
MCQmedium

A company has a Direct Connect connection with a private virtual interface (VIF) attached to a Virtual Private Gateway (VGW) that is associated with a single VPC (10.0.0.0/16). The on-premises network uses BGP to exchange routes. The company has recently acquired another company and needs to connect to their VPC (172.16.0.0/16) in the same region. They want to use the existing Direct Connect connection to access both VPCs. The network engineer creates a Transit Gateway, attaches both VPCs, and creates a transit virtual interface (VIF) to the Transit Gateway. The engineer also deletes the private VIF. However, after the change, on-premises users cannot reach either VPC. What should the engineer do to restore connectivity?

A.Configure BGP on the on-premises router to peer with the Transit Gateway over the transit VIF.
B.Attach the VPCs to the Transit Gateway with different route tables.
C.Create a new private VIF to each VPC.
D.Enable route propagation on the Transit Gateway route tables.
AnswerA

BGP must be configured for route exchange.

Why this answer

Option A is correct because the on-premises router must be configured to establish BGP peering with the Transit Gateway over the transit VIF. Option C is incorrect because new private VIFs are unnecessary. Option B is incorrect because the VPCs are already attached.

Option D is incorrect on its own: route propagation must be enabled in the TGW route tables, but no on-premises routes arrive until the BGP session over the transit VIF is up.

1483
MCQhard

A company is designing a hybrid network with multiple AWS Direct Connect connections to multiple on-premises data centers. They want to maximize availability and use all available bandwidth. They have two Direct Connect connections terminated at two different Direct Connect locations. They plan to use a single Virtual Private Gateway (VGW) for each VPC. Which configuration should be used to meet these requirements?

A.Create two VGWs and attach each to a separate Direct Connect connection. Use a Transit Gateway to connect the VGWs to the VPC.
B.Create a Direct Connect Gateway. Attach both Direct Connect connections to the Direct Connect Gateway. Associate the Direct Connect Gateway with the VGW. Configure the on-premises routers to use BGP with equal-cost multipath (ECMP).
C.Create two Virtual Private Gateways, one for each Direct Connect connection. Attach each VGW to the VPC. Configure BGP on both connections for active-active.
D.Create a single virtual interface and associate it with both Direct Connect connections. Attach the virtual interface to the VGW.
AnswerB

This configuration allows both connections to be active-active, using all bandwidth and providing redundancy.

Why this answer

Option B is correct because using a Direct Connect Gateway with multiple virtual interfaces (VIFs) to the same VGW enables active-active traffic and failover across the two connections. Option C is wrong because two separate VGWs cannot be associated with the same VPC. Option D is wrong because a single VIF cannot use multiple connections.

Option A is wrong because two separate VGWs are not supported for a single VPC.

1484
MCQmedium

A company has deployed a Network Load Balancer (NLB) in front of a fleet of EC2 instances in a VPC. The NLB is configured with a TCP listener on port 443. Clients are experiencing timeouts. The target group health checks are passing. What is the most likely cause?

A.Cross-zone load balancing is disabled.
B.Deletion protection is enabled on the NLB.
C.The security group for the EC2 instances does not allow traffic from the NLB.
D.The target group is using an incorrect health check path.
AnswerC

The NLB uses its own private IP addresses; the instance security group must allow them.

Why this answer

Option C is correct because the instance security groups must allow traffic from the NLB's private IP addresses. Option A is incorrect because cross-zone load balancing affects distribution, not timeouts. Option D is incorrect because the health checks are passing, so the targets are healthy.

Option B is incorrect because deletion protection prevents accidental deletion, not timeouts.

1485
MCQmedium

A company has an AWS Lambda function that needs to access an S3 bucket in the same AWS account. The Lambda function is configured to use the VPC default execution role. The S3 bucket policy denies all principals except those explicitly allowed. The Lambda function cannot access the bucket. What should be done to resolve this issue?

A.Add an IAM policy to the Lambda execution role that allows s3:GetObject on the bucket
B.Remove the bucket policy that denies all principals
C.Attach an internet gateway to the VPC and a public IP to the Lambda function
D.Create a VPC endpoint for S3 and attach it to the Lambda function's VPC
AnswerA

The Lambda execution role must have the necessary S3 permissions to access the bucket.

Why this answer

Option A is correct because the Lambda function's execution role needs an IAM policy allowing s3:GetObject (or the appropriate actions) on the bucket. The bucket policy must also grant access to the Lambda execution role. Option D is wrong because a VPC endpoint does not grant access; IAM permissions are still needed, and an endpoint is not required for Lambda to reach S3 in the same account when the bucket policy allows the role.

Option C is wrong because the Lambda function does not need an internet gateway if it uses a VPC endpoint or if the bucket policy allows the role.

1486
MCQmedium

A company has deployed a web application using an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. The application experiences intermittent high latency. The network team suspects that the ALB is being overwhelmed by traffic. Which metrics should be analyzed in Amazon CloudWatch to determine if the ALB is the bottleneck?

A.ActiveConnectionCount and NewConnectionCount
B.SurgeQueueLength and SpilloverCount
C.RequestCount and TargetResponseTime
D.HealthyHostCount and UnhealthyHostCount
AnswerB

SurgeQueueLength shows pending requests, and SpilloverCount shows dropped requests when the ALB is overloaded.

Why this answer

Option B is correct because SurgeQueueLength and SpilloverCount indicate when the ALB is unable to handle incoming requests. SurgeQueueLength shows the number of requests queued, and SpilloverCount shows requests that were rejected. Option C is wrong because RequestCount and TargetResponseTime do not directly show ALB capacity issues.

Option D is wrong because HealthyHostCount and UnhealthyHostCount indicate backend health, not ALB load. Option A is wrong because ActiveConnectionCount and NewConnectionCount are normal metrics.

1487
Multi-Selectmedium

A company wants to monitor network traffic between its VPC and on-premises data center over a Direct Connect private VIF. The network team needs to capture the source and destination IP addresses, protocols, and packet counts. Which THREE AWS services or features should they use together? (Choose three.)

Select 3 answers
A.Amazon CloudWatch Logs
B.VPC Flow Logs
C.AWS CloudTrail
D.AWS Config
E.Amazon CloudWatch Contributor Insights
AnswersA, B, E

Can store and query flow logs.

Why this answer

Option B is correct because VPC Flow Logs capture IP traffic metadata. Option A is correct because CloudWatch Logs can store and analyze flow logs. Option E is correct because CloudWatch Contributor Insights can analyze flow log data to identify top talkers and similar patterns.

Option C is wrong because CloudTrail records API calls. Option D is wrong because AWS Config tracks configuration.

1488
Multi-Selecteasy

A security engineer needs to capture and analyze network traffic between two EC2 instances in the same VPC for troubleshooting. The engineer wants to capture full packets and store them for later analysis. Which TWO AWS services can be used together to accomplish this? (Choose TWO.)

Select 2 answers
A.Amazon S3
B.AWS Config
C.VPC Flow Logs
D.Traffic Mirroring
E.Amazon CloudWatch Logs
AnswersA, D

Can store the mirrored traffic for analysis.

Why this answer

Options A and D are correct. Traffic Mirroring (D) captures full packets and sends them to a target. Amazon S3 (A) can store the captured traffic.

Option C is wrong because VPC Flow Logs capture metadata only. Option E is wrong because CloudWatch Logs is not designed for packet storage. Option B is wrong because AWS Config does not capture traffic.

1489
MCQhard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to inspect traffic between VPCs using a centralized network virtual appliance (NVA) in a security VPC. What is the most scalable and highly available design to achieve this?

A.Place a single NVA in the Transit Gateway and route all inter-VPC traffic through it.
B.Create VPC peering connections between each VPC and the security VPC, then configure the NVAs to route traffic.
C.Attach all VPCs to a Transit Gateway, use separate route tables for inspection, and deploy NVAs behind a Gateway Load Balancer in the security VPC.
D.Use Direct Connect to connect all VPCs to a central location and route through NVAs there.
AnswerC

Transit Gateway provides transitive routing; GWLB provides HA and scale for NVAs.

Why this answer

Option C is correct because Transit Gateway route tables can be used to direct east-west traffic to the inspection VPC. Using a Gateway Load Balancer (GWLB) provides high availability and scaling for the NVAs. Option B is wrong because VPC peering does not support transitive routing.

Option D is wrong because Direct Connect is for on-premises connectivity, not VPC-to-VPC. Option A is wrong because a single NVA is a single point of failure.

1490
Multi-Selecteasy

A company wants to monitor network traffic between two VPCs connected via a Transit Gateway. Which THREE AWS services can be used to capture and analyze this traffic?

Select 3 answers
A.VPC Flow Logs
B.AWS Config
C.Third-party network monitoring appliance deployed in a VPC
D.Transit Gateway Flow Logs
E.AWS CloudTrail
AnswersA, C, D

Captures IP traffic for VPCs.

Why this answer

Options A, C, and D are correct because VPC Flow Logs, Transit Gateway Flow Logs, and third-party appliances can capture traffic. Option E is incorrect because CloudTrail logs API calls. Option B is incorrect because AWS Config records configuration changes.

1491
MCQmedium

A company is using AWS Direct Connect to connect its on-premises data center to AWS. The connection is up, but the network team cannot reach resources in a VPC. The virtual interface is in the 'available' state, and the BGP session is established. What should the team check next?

A.Check the on-premises firewall rules
B.Check the BGP authentication
C.Check the VPC route tables for propagated routes
D.Check the Direct Connect physical link status
AnswerC

The Direct Connect virtual interface routes must be propagated to the VPC route tables.

Why this answer

Since the Direct Connect physical link is up, the virtual interface is available, and the BGP session is established, the issue lies in the routing of traffic within AWS. The most likely cause is that the VPC route tables do not contain the necessary routes (either static or propagated from the Direct Connect virtual private gateway) to direct traffic back to the on-premises network. Checking the VPC route tables for propagated routes is the correct next step to ensure the on-premises CIDR is being advertised and accepted.

Exam trap

The trap here is that candidates assume a working BGP session guarantees end-to-end connectivity, but BGP only ensures the routing protocol is exchanging prefixes; the VPC route table must still have the propagated routes or a static route to direct traffic to the virtual private gateway.

How to eliminate wrong answers

Option A is wrong because on-premises firewall rules would affect outbound traffic from the data center, but the question states the network team cannot reach resources in a VPC, implying the issue is on the AWS side or the routing path; the BGP session is established, so the underlying connectivity is fine. Option B is wrong because BGP authentication is already verified as the BGP session is established; if authentication were misconfigured, the session would not reach the established state. Option D is wrong because the Direct Connect physical link status is already confirmed as up, and the virtual interface is available, so the physical layer is not the problem.

1492
MCQmedium

A company wants to restrict access to its S3 bucket so that only objects uploaded with server-side encryption using AWS KMS (SSE-KMS) are allowed. Which bucket policy condition should be used?

A.s3:x-amz-server-side-encryption-aws-kms-key-id
B.s3:x-amz-server-side-encryption
C.kms:ViaService
D.kms:EncryptionContext
AnswerA

This condition key allows you to enforce that a specific KMS key is used for encryption.

Why this answer

Option A is correct because the s3:x-amz-server-side-encryption-aws-kms-key-id condition key ensures objects are encrypted with a specific KMS key, enforcing SSE-KMS. Option B is wrong because s3:x-amz-server-side-encryption only checks for encryption, not the specific key. Option D is wrong because kms:EncryptionContext is not an S3 condition key.

Option C is wrong because kms:ViaService is used in KMS key policies, not S3 bucket policies.

1493
MCQhard

A company is using AWS Direct Connect to connect their on-premises network to AWS. They have a virtual private gateway (VGW) attached to their VPC and a Direct Connect virtual interface (VIF) configured. They want to use AWS Site-to-Site VPN as a backup connection. Which configuration ensures that traffic automatically uses the VPN if the Direct Connect connection fails?

A.Configure the VPN connection but attach it to a separate VGW, and use a transit gateway with failover routing.
B.Configure the VPN connection and propagate routes from both the Direct Connect and VPN. Create a static route in the route table for the on-premises CIDR pointing to the VPN.
C.Configure the VPN connection but do not propagate routes; use static routes in the route table.
D.Configure the VPN connection and propagate routes from both the Direct Connect and VPN. Create a static route in the route table for the on-premises CIDR pointing to the Direct Connect VIF with a higher metric.
AnswerD

The static route with a higher metric serves as a backup; if Direct Connect fails, the propagated VPN route takes over.

Why this answer

Option D is correct because propagating BGP routes from both the Direct Connect VIF and the VPN, and creating a static route with a higher metric (less preferred) for the Direct Connect route, allows automatic failover. Option A is wrong because the VPN must be configured to handle failover. Option B is wrong because the VPN alone does not provide automatic failover without route propagation.

Option C is wrong because the VPN must be attached to the VGW.

1494
MCQmedium

A company uses AWS Organizations with SCPs to restrict access. The security team needs to prevent users in the 'Developers' OU from disabling AWS Config or modifying its rules. Which SCP effect should be used?

A.Block
B.Deny
C.Allow
D.NotAction
AnswerB

Deny explicitly prohibits specified actions.

Why this answer

Option B is correct because a Deny effect explicitly blocks the action, overriding any Allow. Option C is wrong because Allow would not prevent the action. Option A is wrong because SCPs do not have a Block effect.

Option D is wrong because NotAction is a policy statement element, not an effect.

1495
MCQhard

A company is deploying a critical application across multiple AWS accounts. The network team wants to simplify IP address management and ensure that VPCs in different accounts can communicate securely. The company has a centralized network account with a transit gateway. Which architecture should the company use?

A.Use AWS Resource Access Manager to share the transit gateway in the network account with other accounts and attach their VPCs.
B.Create VPC peering connections between each VPC in different accounts.
C.Configure VPC endpoints in each account to communicate through the network account.
D.Set up AWS Direct Connect between accounts and route through the network account.
AnswerA

RAM enables cross-account sharing of transit gateways.

Why this answer

Option A is correct because AWS Resource Access Manager (RAM) allows you to share a transit gateway from a centralized network account with other AWS accounts, enabling VPCs in those accounts to attach to the shared transit gateway. This simplifies IP address management by providing a single hub for inter-VPC routing and avoids the complexity of managing multiple VPC peering connections. The transit gateway supports transitive routing, so VPCs in different accounts can communicate securely through the centralized gateway without needing direct peering.

Exam trap

The trap here is that candidates often confuse VPC peering (which requires full mesh for transitive routing) with transit gateway (which provides transitive routing natively), or mistakenly think VPC endpoints can be used for inter-VPC communication instead of their intended purpose of private access to AWS services.

How to eliminate wrong answers

Option B is wrong because VPC peering connections do not support transitive routing; each pair of VPCs requires a separate peering connection, which does not scale well and complicates IP address management for multiple accounts. Option C is wrong because VPC endpoints (Gateway Endpoints or Interface Endpoints) are designed for private connectivity to AWS services (e.g., S3, DynamoDB) and do not provide inter-VPC routing or communication between VPCs in different accounts. Option D is wrong because AWS Direct Connect provides dedicated private connectivity from on-premises to AWS, not between VPCs in different accounts; routing through the network account would require additional complex configurations and does not inherently enable secure VPC-to-VPC communication.

1496
Multi-Selecthard

A company has a VPC with multiple subnets across three Availability Zones. They deploy an Amazon RDS for MySQL Multi-AZ DB instance. The application tier consists of EC2 instances in private subnets. To improve read performance, the company wants to add read replicas. Which THREE design considerations are important for network connectivity? (Choose THREE.)

Select 3 answers
A.Read replicas can be placed in different Availability Zones than the primary DB instance
B.The application EC2 instances must be in the same VPC as the RDS instance
C.A security group rule must allow inbound traffic from the application subnets on port 3306
D.Read replicas must be in public subnets with public IP addresses
E.Read replicas must be in the same Region as the primary DB instance
AnswersA, B, C

Read replicas can be in different AZs to improve availability and fault tolerance.

Why this answer

Options A, B, and C are correct. Option A is correct because read replicas can be placed in different AZs for high availability. Option B is correct because the application EC2 instances must be in the same VPC to connect to the DB instance over private IP addresses.

Option C is correct because the security group for the RDS instance must allow inbound MySQL traffic (port 3306) from the application tier. Option D is wrong because read replicas do not require public subnets or public IPs. Option E is wrong because read replicas can be in the same Region or a different Region.

1497
MCQhard

A company has a VPC with public and private subnets across two Availability Zones. They have a Network Load Balancer (NLB) in the public subnets. The NLB has a target group of EC2 instances in the private subnets. The NLB is configured with TLS listeners and uses a certificate from AWS Certificate Manager (ACM). Clients connect to the NLB over the internet. Some clients report connection timeouts. The NLB access logs show that the connections are established but then hang. The target instances are healthy. The security groups for the instances allow inbound TCP/443 from the NLB's private IPs. What is the most likely cause?

A.The target group is configured with protocol TLS instead of TCP
B.Cross-zone load balancing is disabled, causing uneven distribution
C.The security group for the NLB is blocking traffic from clients
D.The NLB idle timeout is set too low
AnswerA

NLB terminates TLS and expects TCP targets.

Why this answer

NLB with TLS termination requires that the target group uses TCP protocol (not TLS) because NLB terminates TLS and forwards plain TCP to targets. If the target group is configured with TLS protocol, the NLB will attempt to initiate a TLS handshake with the targets, which may fail if targets are not expecting TLS (or if certificates mismatch). This can cause connections to hang.

Option B (cross-zone load balancing) would not cause connections to hang. Option D (idle timeout) would cause disconnects, not a hang. Option C (security group) is ruled out because the security group is correctly configured as described in the scenario.

1498
MCQhard

A company has a Direct Connect connection with multiple virtual interfaces (VIFs). They notice that traffic from on-premises to a VPC is being dropped. The VPC is associated with a private VIF. The on-premises router has a BGP route to the VPC's CIDR. The VPC's route table has a route to the virtual private gateway. What is the MOST likely cause of the dropped traffic?

A.The VPC route table does not have a route pointing to the virtual private gateway for the on-premises CIDR
B.The MTU size on the Direct Connect connection is too small
C.The BGP session is not established
D.The allowed prefixes on the virtual private gateway do not include the on-premises CIDR
AnswerA

Return traffic is dropped without a route.

Why this answer

Option A is correct because if the VPC's route table does not have a route back to the on-premises CIDR via the virtual private gateway, return traffic is dropped, causing connectivity issues. Option C is incorrect because the VIF is up and BGP is established. Option D is incorrect because allowed prefixes control route advertisement, not return traffic.

Option B is incorrect because MTU issues would not cause the traffic to be dropped.

1499
MCQhard

Refer to the exhibit. A network engineer created a NAT gateway in a public subnet, but its state shows 'failed'. What is the most likely cause?

A.The subnet does not have a route to an internet gateway
B.The subnet is private
C.The NAT gateway is still being created
D.The Elastic IP is already associated with another instance
AnswerD

A NAT gateway requires an unassociated Elastic IP.

Why this answer

The correct answer is D because the NAT gateway in the exhibit shows a public IP and an allocation ID, and a common reason for a 'failed' state is that the Elastic IP is already associated with another resource. Option A is wrong because the subnet is public (it has a route to the internet gateway). Option C is wrong because the state is 'failed', not 'pending'.

Option B is wrong because the NAT gateway is in a public subnet, which has a route to the internet gateway.

1500
MCQmedium

A company has a VPC with public and private subnets. An Amazon EC2 instance in a private subnet needs to download patches from the internet. The company wants to ensure that connections to the instance cannot be initiated directly from the internet. Which design should be used?

A.Attach a NAT Gateway to the public subnet and add a route to the NAT Gateway in the private subnet's route table
B.Launch a NAT instance in the public subnet and add a route in the private subnet's route table
C.Use a VPC endpoint for Amazon S3 and route patch traffic through it
D.Add a route to the internet gateway in the private subnet's route table
AnswerA

NAT Gateway enables outbound internet access from private subnets and does not allow inbound connections.

Why this answer

Option A is correct because a NAT Gateway in a public subnet allows outbound internet access from private subnets while preventing inbound connections from the internet. Option D is wrong because routing the private subnet to the Internet Gateway does not provide outbound-only access; instances would need public IPs and would become reachable from the internet. Option B is wrong because a NAT instance also works but is self-managed; the question asks for a design, and NAT Gateway is the recommended AWS managed service.

Option C is wrong because a VPC endpoint for S3 is for accessing S3, not general internet patches.
