AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 1501–1575

1705 questions total · 23 pages · All types, answers revealed

Page 21 of 23
1501
MCQ · hard

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network team notices that the BGP session between the on-premises router and the AWS virtual private gateway (VGW) is flapping. The on-premises router is configured to advertise a specific prefix. Which configuration change is MOST likely to stabilize the BGP session?

A. Add ASN prepending to the advertised prefix.
B. Adjust BGP timers (keepalive and hold time) to match between the on-premises router and the VGW.
C. Enable BGP MD5 authentication on both sides.
D. Apply a route-map on the VGW to filter the prefix.
Answer: B

Mismatched timers can cause flapping.

Why this answer

Option B is correct because a BGP timer mismatch can cause flapping; adjusting the timers to match stabilizes the session. Option C is wrong because MD5 authentication is for security, not flapping. Option A is wrong because ASN prepending affects route selection, not stability.

Option D is wrong because VGW does not support route-maps.

1502
MCQ · easy

A company hosts a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The security team wants to block a list of known malicious IP addresses from accessing the application. They have already created an AWS WAF web ACL and associated it with the ALB. What is the MOST efficient way to block the IP addresses?

A. Place a CloudFront distribution in front of the ALB and use CloudFront's geo-restriction feature.
B. Add an AWS WAF rule to the web ACL that uses the 'IP reputation lists' managed rule group to block malicious IPs.
C. Configure a network ACL on the ALB's subnet to deny inbound traffic from each malicious IP.
D. Add each IP address as an inbound deny rule in the security group of the ALB.
Answer: B

Correct: Managed rule group automatically blocks known malicious IPs.

Why this answer

Option B is correct because AWS WAF has a managed rule group, 'IP reputation lists', that automatically blocks known malicious IPs. Option D is wrong because updating security groups is not scalable for a large list. Option C is wrong because network ACLs are stateless and not designed for application-layer blocking.

Option A is wrong because CloudFront is an additional layer not mentioned in the requirements and would add complexity.

1503
Multi-Select · hard

A network engineer is designing a hybrid network with AWS Direct Connect and VPN backup. The goal is to maximize availability and ensure automatic failover. Which THREE steps should be taken? (Choose three.)

Select 3 answers
A. Set VPN BGP hold timer to a higher value than Direct Connect
B. Enable BGP as-prepending on the Direct Connect virtual interface
C. Configure BGP community tags to influence route preference
D. Use the same BGP ASN for both Direct Connect connections
E. Advertise more specific prefixes over the VPN than over Direct Connect
Answers: C, D, E

BGP communities can be used to lower the preference of Direct Connect routes for faster failover.

Why this answer

Option C is correct because BGP community tags allow you to influence route preference on the AWS side by tagging routes from Direct Connect with a community that reduces their local preference (e.g., 7224:7100 for lower preference) or from VPN with a community that increases preference. This enables automatic failover by ensuring Direct Connect routes are preferred over VPN routes when both are available, and VPN routes take over when Direct Connect fails.

Exam trap

AWS often tests the misconception that AS path prepending or hold timer adjustments are the primary methods for failover in hybrid Direct Connect/VPN designs, but AWS relies on BGP community tags and local preference to control route selection, making those other options ineffective or counterproductive.

1504
Multi-Select · hard

A company is connecting its on-premises data center to AWS using AWS Direct Connect. The company has two Direct Connect connections and wants to ensure high availability. The on-premises network uses BGP to advertise routes to AWS. Which combination of steps should be taken to achieve the most resilient design? (Choose TWO.)

Select 2 answers
A. Provision a single private virtual interface and use both connections for link aggregation.
B. Provision two private virtual interfaces, one over each Direct Connect connection.
C. Configure static routes instead of BGP to simplify the design.
D. Use the same BGP ASN for both connections.
E. Advertise the same prefixes from both connections with different BGP communities to influence traffic.
Answers: B, E

Separate VIFs provide redundancy at the virtual interface level.

Why this answer

Option B is correct because provisioning two private virtual interfaces, one over each Direct Connect connection, ensures that if one connection or virtual interface fails, BGP can continue to route traffic over the other. This design provides redundancy at both the physical layer (connections) and the logical layer (virtual interfaces), which is essential for high availability.

Exam trap

AWS often tests the misconception that link aggregation (LAG) provides high availability, but in reality LAG is designed for bandwidth aggregation and does not offer redundancy; candidates may also incorrectly assume that using the same BGP ASN simplifies configuration, but it actually breaks the independent failover behavior required for resilience.

1505
MCQ · hard

A company runs a multi-account AWS environment using AWS Organizations. They need to centrally manage VPC flow logs across all accounts and enable analysis for security incidents. The flow logs must be stored in a central S3 bucket in the management account. What is the MOST scalable and cost-effective approach?

A. Use a Lambda function in each account to copy flow logs from CloudWatch to a central S3 bucket.
B. Deliver flow logs to Kinesis Data Firehose in each account and then to a central S3 bucket.
C. Configure VPC Flow Logs in each account to deliver to a central S3 bucket using cross-account delivery.
D. Create flow logs in each account and export them to a central CloudWatch Logs destination.
Answer: C

Cross-account delivery to S3 is scalable and cost-effective.

Why this answer

Option C is correct because delivering flow logs from each account to a central S3 bucket with cross-account delivery is scalable and cost-effective. Options A and D are incorrect because logging to CloudWatch Logs in each account and then copying or exporting the logs incurs additional costs and complexity.

Option B is incorrect because VPC Flow Logs do not support Kinesis Data Firehose directly.

1506
MCQ · easy

A network engineer is troubleshooting connectivity from an on-premises network to an EC2 instance in a VPC via a Site-to-Site VPN. The VPN tunnel is up, but the engineer cannot ping the EC2 instance's private IP. What should the engineer check first?

A. The VPN connection status in the AWS console.
B. Security group inbound rules for ICMP on the EC2 instance.
C. IKE version mismatch between the VPN endpoints.
D. Route propagation and route tables in the VPC and on-premises.
Answer: D

Missing routes are a common cause.

Why this answer

Option D is correct because the route tables on the on-premises router and in the VPC must have routes for the remote networks. Option C is incorrect because the VPN tunnel being up indicates that IKE Phase 1 and Phase 2 are likely fine. Option B is incorrect because security groups are stateful and allow ICMP if outbound is allowed.

Option A is incorrect because the VPN connection is already active.

1507
Multi-Select · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that VPC A cannot communicate with VPC B, while all other VPCs communicate normally. The transit gateway route table shows routes from both VPCs. Which TWO actions should the network engineer take to diagnose the issue? (Choose TWO.)

Select 2 answers
A. Check the security groups and network ACLs in VPC A and VPC B.
B. Establish a VPN connection between VPC A and the transit gateway.
C. Create a VPC peering connection between VPC A and VPC B.
D. Verify that the VPCs are associated with the correct transit gateway route table.
E. Configure an AWS Direct Connect virtual interface between the VPCs.
Answers: A, D

Correct: Security group or NACL rules may be blocking traffic between the VPCs.

Why this answer

Option D is correct because route table association is required for a VPC to use the transit gateway's routes. Option A is correct because security groups or NACLs in the VPCs can block traffic between subnets in different VPCs even if the transit gateway routes are correct. Option C is wrong because VPC peering is not required when using Transit Gateway.

Option E is wrong because AWS Direct Connect is unrelated to inter-VPC routing. Option B is wrong because a VPN connection is not needed for VPC-to-VPC communication via Transit Gateway.

1508
MCQ · hard

A company has a VPC with an internet-facing Application Load Balancer (ALB) that routes traffic to EC2 instances in private subnets. The security team wants to block traffic from specific geographic regions. Which AWS service should they use?

A. AWS WAF
B. AWS Shield Advanced
C. Network ACLs
D. Security Groups
Answer: A

WAF can create geo-match conditions to block traffic from specific countries.

Why this answer

Option A is correct because AWS WAF can be associated with an ALB to filter traffic based on geographic location. Option D is wrong because security groups do not support geographic blocking. Option C is wrong because network ACLs do not support geographic blocking.

Option B is wrong because AWS Shield Advanced provides DDoS protection, not geographic filtering.

1509
Multi-Select · hard

Which THREE of the following are best practices for securing a VPC? (Choose three.)

Select 3 answers
A. Enable AWS Shield Advanced for DDoS protection.
B. Use security groups to control inbound and outbound traffic at the instance level.
C. Use network ACLs as a stateless layer of defense for subnets.
D. Allow all outbound traffic from the VPC to the internet.
E. Assign a default security group that allows all traffic.
Answers: A, B, C

AWS Shield Advanced provides enhanced DDoS protection for VPC resources.

Why this answer

Options A, B, and C are correct. Using security groups as a virtual firewall is a best practice. Using network ACLs as a second layer of defense is also recommended.

AWS Shield Advanced is a managed DDoS protection service that should be enabled for VPCs with public endpoints. Option D is incorrect because allowing all outbound traffic is not a security best practice; outbound traffic should be restricted. Option E is incorrect because the default security group should not allow all traffic; it should be restrictive.

1510
MCQ · easy

A company is migrating its on-premises data center to AWS. The network team needs to extend the on-premises network to the cloud and support IP multicast traffic between environments. Which AWS service or feature should be used?

A. AWS Direct Connect with a private virtual interface
B. Site-to-Site VPN connection
C. AWS Transit Gateway with multicast support
D. VPC peering connection
Answer: C

Transit Gateway can handle multicast traffic between VPCs and on-premises via VPN or Direct Connect.

Why this answer

AWS Transit Gateway supports multicast groups and allows multicast traffic between attached VPCs and VPN connections. VPC peering does not support multicast. AWS Direct Connect alone does not support multicast.

A VPN connection alone does not support multicast.

1511
MCQ · easy

A company is designing a VPC with both IPv4 and IPv6 CIDR blocks. The VPC must support internet-facing applications accessible via IPv6. Which resource must be configured as IPv6-enabled to allow internet traffic?

A. Internet Gateway
B. VPC Peering connection
C. NAT Gateway
D. Transit Gateway
Answer: A

Internet Gateway supports both IPv4 and IPv6 traffic.

Why this answer

An Internet Gateway (IGW) is the only resource that supports both IPv4 and IPv6 traffic and provides a target in the VPC route table for IPv6 default routes (::/0) to enable direct internet access for IPv6-enabled resources. Unlike IPv4, which often requires NAT for private addressing, IPv6 globally unique addresses allow direct communication through the IGW without translation.

Exam trap

AWS often tests the misconception that a NAT Gateway can handle IPv6 traffic, but NAT is not used for IPv6 due to the abundance of globally unique addresses; the correct resource for IPv6 internet access is always the Internet Gateway.

How to eliminate wrong answers

Option B is wrong because a VPC Peering connection only enables private routing between two VPCs and does not provide internet access; it cannot route traffic to or from the internet. Option C is wrong because a NAT Gateway is designed only for IPv4 traffic to allow private IPv4 instances to initiate outbound internet connections, and it does not support IPv6 at all. Option D is wrong because a Transit Gateway is a central hub for inter-VPC and on-premises connectivity, but it does not natively provide internet access; it requires an IGW attached to a VPC to reach the internet.

1512
MCQ · easy

A company is using AWS Secrets Manager to store database credentials. They want to ensure that the credentials are automatically rotated every 30 days. Which configuration is required?

A. Enable automatic rotation in the secret configuration and provide a Lambda rotation function.
B. Store the secret in AWS Systems Manager Parameter Store and configure a rotation schedule.
C. Store the secret in AWS CloudHSM and use a scheduled Lambda to rotate.
D. Use IAM Access Analyzer to rotate the credentials periodically.
Answer: A

Secrets Manager supports automatic rotation using Lambda functions.

Why this answer

Option A is correct because Secrets Manager can automatically rotate secrets with a Lambda function. Option B is wrong because Systems Manager Parameter Store does not have built-in rotation. Option D is wrong because IAM Access Analyzer does not rotate credentials.

Option C is wrong because CloudHSM provides hardware security modules, not automated rotation.

1513
Multi-Select · medium

A company is designing a network for a critical application that requires high availability across multiple Availability Zones. Which TWO design choices ensure that the application remains available if an entire AZ fails?

Select 2 answers
A. Deploy resources in a single Availability Zone.
B. Deploy resources in at least two Availability Zones.
C. Use a Network Load Balancer in a single AZ.
D. Use an Application Load Balancer that spans multiple AZs.
E. Use a single EC2 instance with an Elastic IP address.
Answers: B, D

Multi-AZ deployment provides fault tolerance.

Why this answer

Options B and D are correct. Deploying resources across at least two AZs (B) ensures that if one AZ fails, the other continues to operate. Using an Application Load Balancer (D) distributes traffic across healthy targets in multiple AZs, automatically rerouting traffic away from failed AZs.

Option A is wrong because a single AZ is a single point of failure. Option C is wrong because a Network Load Balancer can also provide high availability, but the question asks for TWO choices; B and D are the most common design. Option E is wrong because a single EC2 instance cannot provide high availability.

1514
MCQ · medium

A company has a VPC with a public subnet and a private subnet. They have a web server in the public subnet and a database in the private subnet. The web server needs to communicate with the database on port 3306. Security groups are configured as follows: Web server SG allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound to database SG on port 3306. Database SG allows inbound from web server SG on port 3306. However, the web server cannot connect. Network ACLs are default. What is the issue?

A. The network ACL on the private subnet denies inbound traffic on port 3306.
B. Security groups are stateful, so no outbound rule is needed; the issue is something else.
C. The web server security group does not allow outbound traffic to the database.
D. The database security group inbound rule is not correctly referencing the web server security group ID.
Answer: D

Correct: The rule must reference the security group ID, not the instance ID.

Why this answer

Option D is correct. The web server's security group outbound rule explicitly allows traffic to the database SG, which is correct, so the issue is likely that the database SG inbound rule is not referencing the correct web server SG, or that the web server SG is not attached to the web server. Option A is wrong because default NACLs allow all traffic.

Option C is wrong because the web server SG outbound rule is correctly configured. Option B is wrong because, although security groups are stateful and an allowed inbound connection permits the outbound responses, the issue here is the inbound rule on the database SG.

1515
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company wants to minimize data transfer costs and avoid exposing the private instance to inbound traffic from the internet. Which solution meets these requirements?

A. Create a VPC Gateway Endpoint for Amazon S3 and ensure the patches are hosted in S3. Route private subnet traffic to the endpoint.
B. Attach an internet gateway to the VPC and route the private subnet's default route to a NAT gateway in the public subnet.
C. Launch a NAT instance in the public subnet and route the private subnet's default route to it.
D. Attach an internet gateway to the VPC and assign a public IP to the EC2 instance.
Answer: A

No NAT cost, no inbound exposure, and uses AWS private network.

Why this answer

Option A is correct because a VPC Gateway Endpoint for S3 allows private access to S3 for patches without NAT costs. Option B is wrong because a NAT gateway incurs costs and allows inbound traffic. Option C is wrong because a NAT instance similarly incurs costs and allows inbound traffic.

Option D is wrong because an internet gateway would expose the instance.

1516
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The company also has a Site-to-Site VPN connection to the same VPC as a backup. During a failover test, traffic from on-premises to the VPC continues to use the Direct Connect even after it is intentionally failed. The BGP timers are set to default values. What is the most likely cause?

A. The Direct Connect route is more specific than the VPN route.
B. The VPN BGP route has a longer AS path than the Direct Connect route.
C. The VPN route has a lower local preference than the Direct Connect route.
D. The BGP session with the Direct Connect router is still established because the physical link is up, but the link is not forwarding traffic.
Answer: D

If the BGP session remains established, routes are still advertised and the Direct Connect route remains in the routing table, causing traffic to still be sent.

Why this answer

Option D is correct because even if the Direct Connect fails, the BGP session may remain established if there is still layer 2 connectivity (e.g., the physical link is up but degraded). The route will remain in the routing table until the BGP hold timer expires. Option B is wrong because a longer AS path actually makes the route less preferred.

Option A is wrong because the VPN route may have a longer AS path or a different prefix length. Option C is wrong because local preference is typically set to favor Direct Connect over VPN.

1517
MCQ · medium

A company has a VPC with a public subnet containing a NAT gateway and a private subnet containing Amazon EC2 instances. The instances in the private subnet need to download patches from the internet. The NAT gateway is in the public subnet and has an Elastic IP address. The private subnet's route table has a default route pointing to the NAT gateway. However, the instances cannot reach the internet. What is the MOST likely cause?

A. The public subnet's route table does not have a route to an internet gateway.
B. The NAT gateway does not have a route back to the private subnet.
C. The NAT gateway is not associated with a security group that allows inbound internet traffic.
D. The security group attached to the EC2 instances does not allow outbound traffic to the internet.
Answer: A

The public subnet must have a route to an internet gateway for the NAT gateway to reach the internet.

Why this answer

Option A is correct. For a NAT gateway to work, it must be in a public subnet with a route to an internet gateway. If the public subnet does not have a route to the internet gateway, the NAT gateway cannot forward traffic to the internet.

Option D is incorrect because security groups for instances in private subnets should allow outbound traffic, but that is not the most likely cause. Option B is incorrect because the NAT gateway automatically replies to traffic; no route back is needed for responses. Option C is incorrect because the NAT gateway does not need a security group; it uses network ACLs and route tables.

1518
MCQ · medium

A financial services company is designing a hybrid network architecture using AWS Direct Connect. They have a Direct Connect connection with a public VIF and a private VIF. The private VIF is associated with a Direct Connect gateway that is attached to a Transit Gateway in us-east-1. The Transit Gateway has attachments to a production VPC and a shared services VPC. The company wants to ensure that all traffic from the on-premises network to the production VPC flows through a centralized inspection appliance in the shared services VPC for security compliance. Additionally, traffic from the production VPC to the internet must use a NAT gateway in the shared services VPC. The inspection appliance in the shared services VPC performs stateful inspection and must see both directions of traffic. The network engineer configured the following route tables: In the Transit Gateway route table associated with the Direct Connect gateway attachment, a static route for 0.0.0.0/0 points to the shared services VPC attachment. In the Transit Gateway route table associated with the production VPC attachment, a static route for the on-premises CIDR (10.0.0.0/8) points to the shared services VPC attachment. In the Transit Gateway route table associated with the shared services VPC attachment, a static route for the on-premises CIDR points to the Direct Connect gateway attachment, and a static route for 0.0.0.0/0 points to the Direct Connect gateway attachment (for outbound internet traffic, the shared services VPC has its own internet gateway and NAT gateway). The production VPC has a default route (0.0.0.0/0) pointing to the Transit Gateway. The shared services VPC has a default route pointing to the NAT gateway. However, traffic from on-premises to the production VPC is not being inspected; it goes directly to the production VPC. What is the most likely reason?

A. The Transit Gateway route table associated with the Direct Connect gateway attachment has propagation enabled, which installs a more specific route for the production VPC CIDR directly to the production VPC attachment, bypassing the shared services VPC.
B. The shared services VPC has a default route pointing to the NAT gateway, which is not a valid next hop for traffic coming from the Transit Gateway.
C. The production VPC route table has a default route pointing to the Transit Gateway, but the NAT gateway is in the shared services VPC, causing asymmetric routing.
D. The Transit Gateway route table associated with the shared services VPC attachment does not have a route for the production VPC CIDR pointing to the production VPC attachment, so return traffic cannot reach production.
Answer: A

Propagation from the production VPC attachment installs a route for the production VPC CIDR pointing to the production VPC attachment, which is more specific than the 0.0.0.0/0 route to shared services. This causes traffic to bypass inspection.

Why this answer

Option A is correct because when propagation is enabled on the Transit Gateway route table associated with the Direct Connect gateway attachment, the production VPC CIDR is automatically learned as a more specific route (e.g., 10.1.0.0/16) pointing directly to the production VPC attachment. This more specific route overrides the static 0.0.0.0/0 route that was intended to force traffic through the shared services VPC, causing on-premises traffic to bypass the inspection appliance.

Exam trap

AWS often tests the misconception that static routes always take precedence over propagated routes in Transit Gateway route tables, but in reality, prefix length (specificity) determines priority, not whether the route is static or propagated.

How to eliminate wrong answers

Option B is wrong because the shared services VPC's default route pointing to the NAT gateway is correct for outbound internet traffic from the shared services VPC itself; it does not affect traffic arriving from the Transit Gateway, as the Transit Gateway handles routing independently. Option C is wrong because the production VPC's default route pointing to the Transit Gateway is appropriate for sending traffic to the Transit Gateway; asymmetric routing is not caused by this route but rather by the Transit Gateway route table misconfiguration described in Option A. Option D is wrong because the Transit Gateway route table associated with the shared services VPC attachment does not need a route for the production VPC CIDR pointing to the production VPC attachment; return traffic from the shared services VPC to the production VPC is handled by the Transit Gateway's default behavior of using the most specific route, and the issue is about forward traffic bypassing inspection, not return traffic.

1519
Multi-Select · hard

A company is implementing a network segmentation strategy using AWS Transit Gateway. They have three VPCs: production, development, and shared services. They need to ensure that production and development VPCs can both access shared services, but cannot communicate with each other. Which THREE configurations are required?

Select 3 answers
A. Create a route table for the shared services VPC that allows routes to both production and development
B. Attach each VPC to the transit gateway
C. Create a separate route table for the production and development VPCs that allows only routes to shared services
D. Create a VPC peering connection between production and development
E. Use a single transit gateway route table for all attachments
Answers: A, B, C

Shared services must be able to send traffic back.

Why this answer

Option B is correct because each VPC must be attached to the transit gateway. Option C is correct because separate route tables must be created for production and development to control routing. Option A is correct because the shared services VPC needs a route table that allows traffic from both production and development.

Option D is wrong because VPC peering is not needed. Option E is wrong because a single route table would allow all-to-all communication.

1520
MCQ · medium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from an S3 bucket. The company wants to minimize data transfer costs and avoid traversing the internet. Which solution should be implemented?

A. Use an Interface VPC Endpoint for S3
B. Use AWS Direct Connect
C. Set up a NAT Gateway in the public subnet and route traffic through it
D. Create a Gateway VPC Endpoint for S3
Answer: D

Gateway endpoint provides private, low-cost access to S3.

Why this answer

Option D is correct because a Gateway VPC Endpoint for S3 provides private connectivity to S3 without internet access, reducing costs. Option C would route the traffic over the internet. Option A is for other AWS services.

Option B is for dedicated connectivity.

1521
MCQ · medium

A network engineer notices that traffic from an EC2 instance in a public subnet to the internet is not working. The instance has a public IP assigned and is in a public subnet with a route to an internet gateway. The security group allows outbound traffic. What should the engineer check next?

A. Ensure the network ACL allows outbound traffic.
B. Verify that the route table for the subnet has a 0.0.0.0/0 route pointing to the internet gateway.
C. Confirm that the internet gateway is attached to the VPC.
D. Check if the instance has a public IP assigned.
Answer: B

Without this route, traffic cannot reach the internet.

Why this answer

Even if the instance has a public IP, if the subnet's route table does not have a default route (0.0.0.0/0) pointing to the internet gateway, traffic to the internet will fail. This is a common misconfiguration.

1522
MCQ · medium

A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB). The application is experiencing intermittent timeouts. CloudWatch metrics show that the ALB's RequestCount is within normal limits, but TargetResponseTime occasionally spikes to 10 seconds. What is the most likely cause?

A. The ALB is configured with an incorrect idle timeout value.
B. The ALB's cross-zone load balancing is disabled.
C. The EC2 instances are experiencing high CPU utilization during peak periods.
D. The security group for the EC2 instances is blocking traffic from the ALB.
Answer: C

High CPU leads to slow responses, matching the symptom of occasional spikes in TargetResponseTime.

Why this answer

High CPU utilization on the EC2 instances can cause slow response times, leading to timeouts. The ALB distributes requests, so RequestCount may appear normal while individual instances struggle.

1523
MCQ · easy

A company has deployed a VPC with public and private subnets. They have an Internet Gateway attached to the VPC and a NAT Gateway in the public subnet. The private subnet instances need to download patches from the internet. Which configuration ensures that the private instances can reach the internet while preventing inbound traffic from the internet?

A. Add a VPC Gateway Endpoint for Amazon S3 to the private subnet route table.
B. Add a route in the private subnet route table pointing 0.0.0.0/0 to the Internet Gateway.
C. Add a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway.
D. Create a VPC Peering connection to a public VPC and route traffic through it.
Answer: C

NAT Gateway allows outbound traffic to the internet and blocks unsolicited inbound traffic.

Why this answer

Option C is correct because a route to the NAT Gateway allows outbound traffic to the internet, and the NAT Gateway does not allow inbound traffic initiated from the internet. Option B is wrong because an Internet Gateway would allow inbound traffic. Option A is wrong because a VPC Gateway Endpoint is for specific AWS services like S3 and DynamoDB, not general internet access.

Option D is wrong because a VPC Peering connection does not provide internet access.

1524
MCQ · easy

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. The company wants to use private virtual interfaces (VIFs) to access multiple VPCs in the same AWS Region. Which AWS service should be used to simplify this connectivity?

A. Direct Connect gateway
B. Transit VPC solution with EC2-based VPN appliances
C. AWS Site-to-Site VPN
D. VPC peering connection
Answer: A

Direct Connect gateway enables connectivity to multiple VPCs.

Why this answer

Option A is correct because a Direct Connect gateway allows a single private VIF to connect to multiple VPCs in the same or different Regions. Option B is incorrect because a transit VPC solution is more complex and not needed. Option C is incorrect because a VPN connection is not required.

Option D is incorrect because VPC peering is not used with Direct Connect.

1525
MCQhard

A company is migrating to AWS and needs to connect its on-premises data center to multiple VPCs across several AWS regions. The on-premises network uses BGP and requires high availability with sub-second failover. The solution must be cost-effective and support traffic segmentation. Which design meets these requirements?

A.Set up a Site-to-Site VPN connection between on-premises and each VPC using a VPN appliance on AWS.
B.Order an AWS Direct Connect connection and create multiple virtual interfaces, each connecting to a different VPC in different regions. Use BGP with Bidirectional Forwarding Detection (BFD) for fast failover.
C.Use AWS Transit Gateway with inter-region peering and attach VPN connections from on-premises to a central Transit Gateway.
D.Use a combination of Direct Connect and VPN as a backup, and route all traffic through a single VPC that acts as a transit hub.
AnswerB

Correct: Direct Connect provides stable latency, and BFD enables sub-second failover.

Why this answer

Option B is correct because Direct Connect with multiple virtual interfaces (one per VPC) provides segmentation, and BGP fast failover can be achieved with BFD. Option A is wrong because VPN over the internet cannot guarantee sub-second failover. Option C is wrong because Transit Gateway inter-region peering is for VPC-to-VPC traffic, not on-premises connectivity.

Option D is wrong because it adds unnecessary complexity and cost.

1526
MCQeasy

A company is designing a network for a three-tier application that must be PCI DSS compliant. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. All tiers are in the same VPC. What is the MOST secure way to implement this?

A.Use a VPN between the web and application tiers and between application and database tiers.
B.Place all tiers in the same private subnet and use security groups for isolation.
C.Place web tier in public subnets, application and database tiers in private subnets. Use security groups to allow only necessary traffic between tiers.
D.Place all tiers in public subnets and use network ACLs to restrict traffic.
AnswerC

Security groups provide stateful filtering and are best practice for tier isolation.

Why this answer

Option C is correct because separate public and private subnets with security groups restricting traffic between tiers provide the required isolation. Option D is wrong because network ACLs are stateless and harder to manage for this use case. Option B is wrong because a single subnet does not provide isolation.

Option A is wrong because a VPN is unnecessary for intra-VPC traffic.

1527
MCQmedium

A company is migrating an on-premises application to AWS. The application uses multicast for discovery. Which AWS service supports multicast traffic within a VPC?

A.AWS Transit Gateway
B.VPC peering
C.Application Load Balancer
D.Amazon CloudFront
AnswerA

Supports multicast groups and routing.

Why this answer

Option A is correct because AWS Transit Gateway supports multicast routing. Option B is wrong because VPC peering does not support multicast. Option C is wrong because an Application Load Balancer operates at layer 7 and does not forward multicast.

Option D is wrong because CloudFront is for content delivery, not multicast within VPC.

1528
MCQhard

A company has a VPC with a transit gateway (TGW) connected to multiple VPCs and an on-premises network via AWS Direct Connect. The on-premises network advertises a specific prefix 10.0.0.0/16. A VPC attachment in the same region also advertises the same prefix. The TGW route table has the on-premises route as static and the VPC route as propagated. Which route will be used for traffic destined to 10.0.0.5?

A.The propagated route from VPC
B.The static route to on-premises
C.Both routes will be used with ECMP
D.The route with the shortest AS_PATH
AnswerB

Static routes have higher precedence than propagated.

Why this answer

Option B is correct because static routes take precedence over propagated routes in a transit gateway route table. Option A is wrong because both routes carry the same prefix, so longest prefix match does not distinguish them and the propagated route loses to the static one. Option D is wrong because the TGW does not use AS_PATH to choose between a static and a propagated route.

Option C is wrong because equal-cost multipath is not applied between a static route and a propagated route for the same prefix.

1529
Multi-Selectmedium

A company is designing a VPC with a public subnet and a private subnet. The private subnet instances need to access the internet for software updates. Which TWO options allow outbound internet access while preventing inbound connections? (Choose two.)

Select 2 answers
A.NAT Gateway in the public subnet
B.Egress-only Internet Gateway
C.Internet Gateway attached to the VPC
D.AWS Site-to-Site VPN connection to on-premises
E.VPC Peering connection to a VPC with internet access
AnswersA, B

Allows outbound IPv4 traffic from private subnet.

Why this answer

A NAT Gateway in the public subnet allows instances in the private subnet to initiate outbound connections to the internet (e.g., for software updates) while preventing any unsolicited inbound connections from the internet. The NAT Gateway translates the private IP addresses of the instances to its own Elastic IP address, and because it does not maintain state for inbound traffic that was not initiated from within the VPC, it blocks all inbound connection attempts.

Exam trap

The trap here is that candidates often confuse an Egress-Only Internet Gateway with a NAT Gateway, not realizing that the Egress-Only Internet Gateway is exclusively for IPv6 traffic and does not support IPv4, which is the typical protocol for software updates.

1530
Multi-Selecthard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Direct Connect and a Site-to-Site VPN. The on-premises network advertises 10.0.0.0/8 over BGP. The company wants to ensure that traffic to the VPC's specific subnet 10.0.1.0/24 is routed via the VPN, while all other traffic to 10.0.0.0/8 uses Direct Connect. Which THREE actions should the network engineer take?

Select 3 answers
A.Set a higher BGP local preference on the VPN routes compared to Direct Connect routes for the same prefix.
B.Advertise a more specific route for 10.0.1.0/24 over the VPN BGP session.
C.Disable route propagation on the VPN connection's route table.
D.Prepend the AS path on the Direct Connect BGP advertisement for the 10.0.1.0/24 prefix to make it less preferred.
E.Delete the VPN connection and rely solely on Direct Connect.
AnswersA, B, D

Higher local preference is preferred.

Why this answer

Options A, B, and D are correct. A more specific prefix (10.0.1.0/24) is preferred over 10.0.0.0/8. Setting a higher local preference on the VPN route for 10.0.1.0/24 also ensures it is preferred.

Additionally, using an AS path prepend on Direct Connect for the specific prefix makes that path less preferred. Option C is wrong because disabling propagation on the VPN would remove the route. Option E is wrong because the VPN should be used for the specific subnet, not removed.
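The three actions above (a more specific prefix, a higher local preference, and AS path prepending) can be checked with a small route-selection simulation. This is an added example, not part of the question set; the route table, the `direct-connect`/`vpn` labels and the AS numbers are constructed, and the selection logic is a deliberately reduced BGP decision process (longest prefix, then LOCAL_PREF, then AS_PATH length).

```python
"""Simulate which path a VPC-side router picks for traffic into 10.0.0.0/8.

Added example, not part of the original question. The route set is constructed
to mirror the scenario: 10.0.0.0/8 learned over both Direct Connect and VPN,
plus a more specific 10.0.1.0/24 that the engineer advertises over the VPN.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BgpRoute:
    prefix: str                       # e.g. "10.0.0.0/8"
    via: str                          # "direct-connect" or "vpn" (constructed labels)
    local_pref: int = 100
    as_path: List[int] = field(default_factory=list)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def best_route(dest: str, routes: List[BgpRoute]) -> Optional[BgpRoute]:
    """Return the winning route for dest, or None if nothing covers it.

    Reduced decision process used here:
      1. longest prefix match (the forwarding lookup happens before any BGP tie-break)
      2. highest LOCAL_PREF
      3. shortest AS_PATH (so prepending makes a path lose)
    Later tie-breakers (MED, router ID, ...) are not modelled.
    """
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    longest = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == longest]
    best_lp = max(r.local_pref for r in candidates)
    candidates = [r for r in candidates if r.local_pref == best_lp]
    return min(candidates, key=lambda r: len(r.as_path))


# Constructed routes for the scenario in the question (AS 65000 is a placeholder).
SCENARIO_ROUTES = [
    # The /8 arrives over both paths. The VPN copy is given a lower local_pref to
    # model the usual preference for Direct Connect over VPN for an equal prefix.
    BgpRoute("10.0.0.0/8", via="direct-connect", local_pref=100, as_path=[65000]),
    BgpRoute("10.0.0.0/8", via="vpn", local_pref=50, as_path=[65000]),
    # Option B: a more specific /24 advertised over the VPN, carrying the higher
    # local preference from option A.
    BgpRoute("10.0.1.0/24", via="vpn", local_pref=200, as_path=[65000]),
    # Option D: the same /24 also seen over Direct Connect, but prepended so it loses.
    BgpRoute("10.0.1.0/24", via="direct-connect", local_pref=100,
             as_path=[65000, 65000, 65000]),
]


def path_for(dest: str, routes: List[BgpRoute] = SCENARIO_ROUTES) -> str:
    """Human-readable label of the chosen path for dest."""
    r = best_route(dest, routes)
    return r.via if r else "no-route"


if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.5.5", "192.168.1.1"):
        print(ip, "->", path_for(ip))
```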

1531
Multi-Selectmedium

A security engineer notices that an EC2 instance in a public subnet is receiving inbound SSH traffic from a range of IP addresses that should be blocked. Which two actions should the engineer take to troubleshoot? (Choose two.)

Select 2 answers
A.Check the instance metadata for IP restrictions
B.Check the route table associated with the subnet
C.Review the Security Group rules attached to the instance
D.Check the Network ACL associated with the subnet
E.Check VPC Flow Logs to identify the source IP addresses
AnswersC, E

Security groups control inbound traffic to the instance.

Why this answer

Options C and E are correct. Checking VPC Flow Logs helps identify the source IPs of the traffic. Reviewing the Security Group rules confirms whether the security group is allowing the unwanted SSH traffic.

Option D is wrong because Network ACLs are stateless and might be blocking, but they are not the first place to check for inbound traffic to an instance. Option B is wrong because the route table does not affect inbound traffic to the instance. Option A is wrong because the instance metadata does not contain network access rules.

1532
Multi-Selecthard

Which THREE components are required to enable AWS Shield Advanced automatic application layer DDoS mitigation for an Application Load Balancer? (Choose three.)

Select 3 answers
A.AWS Shield Advanced subscription
B.Amazon CloudFront distribution in front of the ALB
C.Amazon Route53 DNS configuration
D.An AWS WAF rate-based rule
E.AWS WAF web ACL associated with the ALB
AnswersA, D, E

Required for Advanced features.

Why this answer

Options A, D, and E are correct. Shield Advanced integrates with AWS WAF for automatic application layer mitigation: it requires a Shield Advanced subscription, a web ACL associated with the ALB, and a rate-based rule in that web ACL. Option B is wrong because CloudFront is not required.

Option C is wrong because Route 53 is not required.

1533
MCQhard

A company has a Direct Connect connection with a private VIF connected to a VPC. The network engineer notices that traffic from on-premises to the VPC is being dropped intermittently. The on-premises router shows BGP session is up, but the VPC route table does not have the on-premises prefix. What is the most likely cause?

A.The MTU on the on-premises router is set too high.
B.The BGP session is flapping due to high latency.
C.The on-premises router is advertising a route that is more specific than the allowed prefix list on the Direct Connect gateway.
D.The on-premises router is using AS_PATH prepending.
AnswerC

The allowed prefix list on the Direct Connect gateway may not include the specific prefix, causing the route to be rejected.

Why this answer

Option C is correct because the Direct Connect gateway (DXGW) uses allowed prefix lists to control which routes are accepted from the on-premises router via BGP. If the on-premises router advertises a prefix that is more specific (e.g., /28) than the allowed prefix list (e.g., /24), the DXGW will reject the route, causing the VPC route table to lack the on-premises prefix. The BGP session remains up because the session itself is not affected, but the specific route is not installed.

Exam trap

AWS often tests the distinction between BGP session state and route acceptance, trapping candidates who assume a stable BGP session guarantees route installation, when in fact prefix filtering on the DXGW can silently drop specific routes.

How to eliminate wrong answers

Option A is wrong because MTU settings affect packet fragmentation and delivery, not BGP route advertisement or route table population; a high MTU would cause packet drops due to size mismatch, not intermittent route absence. Option B is wrong because if the BGP session were flapping due to high latency, the on-premises router would show the session as up/down, not consistently up; the question states the BGP session is up, ruling out flapping. Option D is wrong because AS_PATH prepending influences route preference and path selection, not route acceptance; it does not cause the VPC route table to miss the prefix entirely.

1534
MCQmedium

A company has a VPC with both IPv4 and IPv6 CIDR blocks. The application team wants to allow internet traffic to an IPv6-enabled web server. Which resource must be configured?

A.NAT64
B.Egress-Only Internet Gateway
C.NAT Gateway
D.Internet Gateway
AnswerD

Supports IPv6 inbound.

Why this answer

An Internet Gateway (IGW) is required to allow inbound and outbound IPv6 traffic between a VPC and the internet. Unlike IPv4, IPv6 addresses in AWS are globally unique by default, so no NAT is needed; the IGW directly routes traffic for both IPv4 and IPv6 when attached to the VPC and associated with the route table.

Exam trap

The trap here is that candidates often confuse the Egress-Only Internet Gateway with a full-duplex gateway, forgetting that it only supports outbound IPv6 traffic and cannot accept inbound connections from the internet.

How to eliminate wrong answers

Option A is wrong because NAT64 is used to translate IPv6 traffic to IPv4 for communication with IPv4-only endpoints, not to allow direct internet access to an IPv6-enabled web server. Option B is wrong because an Egress-Only Internet Gateway only supports outbound IPv6 traffic from the VPC to the internet and does not allow inbound internet traffic to reach the web server. Option C is wrong because a NAT Gateway is designed for outbound IPv4 traffic from private subnets and does not support IPv6 traffic at all.

1535
MCQeasy

A company is deploying a VPC with public and private subnets. The private subnets need outbound internet access for updates, but must not be directly reachable from the internet. Which AWS service should be used to achieve this?

A.AWS Site-to-Site VPN
B.AWS Direct Connect
C.Internet Gateway
D.NAT Gateway
AnswerD

NAT Gateway provides outbound internet access for private subnets while blocking inbound internet traffic.

Why this answer

Option D is correct because a NAT Gateway enables instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Options A and B are for VPN and Direct Connect, which are private connections to on-premises networks. Option C is wrong because an Internet Gateway would also make the subnet reachable from the internet.

1536
MCQhard

A company has a hub-and-spoke VPC architecture using AWS Transit Gateway. The hub VPC contains shared services (e.g., Active Directory). Spoke VPCs need to resolve DNS names from the hub VPC. The hub VPC has an Amazon Route 53 Resolver inbound endpoint. What is the correct configuration for the spoke VPCs to use this endpoint?

A.Configure the spoke VPC's DHCP options set to use the hub VPC's CIDR as the domain name server
B.Create an inbound endpoint in each spoke VPC
C.Use VPC peering and configure the spoke VPC's route table to route DNS traffic to the hub VPC
D.Create an outbound endpoint in the spoke VPC and associate a resolver rule that forwards queries to the inbound endpoint in the hub VPC
AnswerD

This configuration allows spoke VPCs to forward DNS queries to the hub's inbound endpoint for resolution.

Why this answer

To use a Route 53 Resolver inbound endpoint in the hub VPC, spoke VPCs must forward DNS queries to the endpoint's IP addresses. This is done by creating an outbound endpoint in the spoke VPC and associating a forwarding rule that points to the hub's inbound endpoint. The rule must be associated with the spoke VPC via a resolver rule association.

Simply updating DHCP options or using the hub's VPC CIDR does not configure DNS forwarding.

1537
MCQmedium

A security engineer reviews the NACL entries above for a subnet. Which statement about incoming SSH traffic (port 22) is correct?

A.SSH traffic is allowed only from the 10.0.0.0/8 range.
B.SSH traffic is allowed from all IP addresses.
C.SSH traffic is allowed from 10.0.0.0/8 and denied from all others.
D.SSH traffic is denied from all IP addresses.
AnswerB

Rule 100 allows all SSH traffic; subsequent rules are not evaluated.

Why this answer

NACLs are stateless and rules are evaluated in order by rule number. Rule 100 allows SSH from all IPs. Rule 200 denies SSH from all IPs, but it is not evaluated because rule 100 already allowed.

Rule 300 allows SSH from 10.0.0.0/8 but is never reached. Since rule 100 allows all, SSH is allowed from all IPs. Option B is correct.
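The first-match evaluation the explanation describes can be reproduced in code. This is an added example, not part of the question; the exhibit is not on the page, so the three rules (100 allow all, 200 deny all, 300 allow 10.0.0.0/8) are reconstructed from the explanation, and the source addresses are constructed.

```python
"""Evaluate an inbound network ACL the way a VPC does: lowest rule number first,
first match wins, implicit deny at the end.

Added example, not part of the original question. Rule sets below are
constructed from the explanation text; the original exhibit is not on the page.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class NaclRule(NamedTuple):
    number: int              # the implicit "*" rule is modelled with a number above 32766
    protocol: str            # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]   # inclusive (from, to); ignored for "all" and "icmp"
    cidr: str
    action: str              # "allow" or "deny"


# The catch-all rule every NACL carries; it can never be removed or reordered.
DEFAULT_DENY = NaclRule(32767, "all", (0, 65535), "0.0.0.0/0", "deny")


def evaluate(rules: List[NaclRule], src_ip: str, protocol: str, port: int) -> Tuple[str, int]:
    """Return (action, matching_rule_number) for one inbound packet.

    NACLs are stateless and evaluated strictly in ascending rule-number order;
    the first rule whose protocol, port range and CIDR all match decides, and
    no later rule is considered.
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    raise AssertionError("unreachable: DEFAULT_DENY matches every packet")


# As described in the explanation: the broad allow carries the lowest number.
AS_WRITTEN = [
    NaclRule(100, "tcp", (22, 22), "0.0.0.0/0", "allow"),
    NaclRule(200, "tcp", (22, 22), "0.0.0.0/0", "deny"),
    NaclRule(300, "tcp", (22, 22), "10.0.0.0/8", "allow"),
]

# The ordering that would actually implement "SSH only from 10.0.0.0/8":
# the specific allow must come first, the broad deny after it.
INTENDED = [
    NaclRule(100, "tcp", (22, 22), "10.0.0.0/8", "allow"),
    NaclRule(200, "tcp", (22, 22), "0.0.0.0/0", "deny"),
]


def ssh_verdicts(rules: List[NaclRule]) -> dict:
    """Verdicts for one internal and one external (constructed) source on port 22."""
    return {
        "internal": evaluate(rules, "10.1.2.3", "tcp", 22),
        "external": evaluate(rules, "203.0.113.7", "tcp", 22),
    }


if __name__ == "__main__":
    print("as written:", ssh_verdicts(AS_WRITTEN))
    print("intended:  ", ssh_verdicts(INTENDED))
```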

1538
MCQeasy

A company is designing a VPC with both IPv4 and IPv6 workloads. The VPC has an internet gateway, and the company wants to allow outbound IPv6 traffic to the internet from instances in a private subnet while blocking inbound IPv6 traffic from the internet. Which configuration should be used?

A.Configure a security group that allows outbound traffic and denies inbound traffic.
B.Configure a virtual private gateway and route traffic through it.
C.Configure an egress-only internet gateway in the VPC and add a route for ::/0 to the egress-only internet gateway in the private subnet's route table.
D.Configure a NAT gateway in a public subnet.
AnswerC

Egress-only internet gateway provides outbound-only IPv6 internet access.

Why this answer

Option C is correct. An egress-only internet gateway allows outbound IPv6 traffic from instances in a private subnet to the internet, but prevents the internet from initiating connections to those instances. It is the IPv6 counterpart of a NAT gateway for IPv4.

Option D is incorrect because a NAT gateway only supports IPv4. Option B is incorrect because a virtual private gateway is for VPN connections, not internet access. Option A is incorrect because a security group can filter traffic but cannot by itself provide outbound-only IPv6 internet access; a route to a gateway is still required.

1539
MCQeasy

A company needs to enforce that all IAM users use multi-factor authentication (MFA) to access the AWS Management Console. Which policy element should be used in an IAM policy to deny access if MFA is not present?

A.Resource
B.Condition
C.Action
D.Effect
AnswerB

Condition can check aws:MultiFactorAuthPresent.

Why this answer

The Condition element in an IAM policy allows you to specify conditions for when a policy is in effect. To deny access if MFA is not present, you use the `aws:MultiFactorAuthPresent` condition key with a Boolean value of `false`. This ensures that only requests authenticated with MFA are allowed, enforcing the security requirement.

Exam trap

The trap here is that candidates often confuse the Condition element with the Resource or Action elements, thinking MFA enforcement is tied to specific resources or actions, rather than understanding it is a contextual check applied via a condition key.

How to eliminate wrong answers

Option A is wrong because the Resource element specifies the AWS resources (e.g., ARNs) the policy applies to, not the authentication context like MFA presence. Option C is wrong because the Action element defines the specific API actions (e.g., ec2:DescribeInstances) that are allowed or denied, not the conditions under which they are evaluated. Option D is wrong because the Effect element only sets whether the policy allows or denies access (e.g., Allow or Deny), but it cannot enforce MFA requirements on its own without a Condition.
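How the `aws:MultiFactorAuthPresent` condition key behaves against different request contexts can be checked with a small evaluator. This is an added example, not part of the question; it models only Deny statements with the `Bool` and `BoolIfExists` operators, the request contexts are constructed, and it goes one step beyond the console case in the question by also showing a request made with a long-term access key, where the key is absent.

```python
"""Evaluate an MFA-enforcing Deny statement against constructed request contexts.

Added example, not part of the original question. Only the Bool and
BoolIfExists condition operators and Deny statements are modelled; this is
not a general IAM policy evaluator.
"""
from typing import Dict

MFA_KEY = "aws:MultiFactorAuthPresent"

# Deny statement as the explanation describes it: condition on the MFA key being false.
DENY_WITHOUT_MFA_BOOL = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"Bool": {MFA_KEY: "false"}},
}

# Variant with BoolIfExists: also denies when the key is absent from the context.
DENY_WITHOUT_MFA_IFEXISTS = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
}


def condition_matches(condition: Dict, context: Dict[str, str]) -> bool:
    """Return True when every key/value in the Condition block matches the context.

    Semantics modelled:
      - Bool:         the key must be present AND equal the expected value.
      - BoolIfExists: a missing key counts as a match; a present key must equal.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if operator == "Bool":
                    return False        # missing key never satisfies plain Bool
                continue                # ...but satisfies BoolIfExists
            if actual.lower() != expected.lower():
                return False
    return True


def is_denied(statement: Dict, context: Dict[str, str]) -> bool:
    """True when this Deny statement applies to the request context."""
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], context)


# Constructed request contexts.
CONSOLE_WITH_MFA = {MFA_KEY: "true"}
CONSOLE_WITHOUT_MFA = {MFA_KEY: "false"}
LONG_TERM_ACCESS_KEY: Dict[str, str] = {}   # API call with an access key pair: key absent


if __name__ == "__main__":
    for name, ctx in (("console+mfa", CONSOLE_WITH_MFA),
                      ("console-no-mfa", CONSOLE_WITHOUT_MFA),
                      ("access-key", LONG_TERM_ACCESS_KEY)):
        print(f"{name:15} Bool denies={is_denied(DENY_WITHOUT_MFA_BOOL, ctx)} "
              f"BoolIfExists denies={is_denied(DENY_WITHOUT_MFA_IFEXISTS, ctx)}")
```

For console sign-in the key is always present, so the plain `Bool` form is enough for the question's requirement; the `BoolIfExists` form is the one that also covers requests where the key never appears.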

1540
MCQeasy

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Site-to-Site VPN. The on-premises network uses 10.0.0.0/8. What should be done to avoid overlapping CIDRs?

A.Configure a VPN with overlapping CIDRs, it will still work
B.Use NAT on the customer gateway to translate addresses
C.Create a new VPC with a non-overlapping CIDR and migrate resources
D.Use VPC peering to connect to on-premises
AnswerC

Changing the VPC CIDR requires recreation; a new VPC is the practical solution.

Why this answer

Overlapping CIDRs cause routing issues; the VPC CIDR must be changed to a non-overlapping range.

1541
MCQmedium

A company has deployed a web application on an EC2 instance that needs to access an S3 bucket and a DynamoDB table. The instance is in a private subnet. Which approach meets the security best practice of avoiding long-lived credentials on the instance?

A.Store IAM user access keys in the application configuration file.
B.Configure security group rules to allow outbound traffic to S3 and DynamoDB endpoints.
C.Use AWS Systems Manager Parameter Store to store credentials and retrieve them at runtime using the instance's IAM role.
D.Create an IAM role with policies granting access to S3 and DynamoDB, and attach the role to the EC2 instance profile.
AnswerD

The instance can obtain temporary credentials from the instance metadata service, eliminating the need for long-lived credentials.

Why this answer

The best practice is to attach an IAM role with the necessary permissions to the EC2 instance. The instance then automatically obtains temporary credentials via the instance metadata service. Option D is correct.

Option A (IAM user access keys) is not recommended because they are long-lived. Option C (AWS Systems Manager Parameter Store) still requires credentials to be stored and retrieved. Option B (security groups) does not grant access to S3 or DynamoDB.

1542
MCQeasy

A company wants to allow its VPC to access an S3 bucket securely without traversing the internet. Which AWS resource enables private connectivity between a VPC and S3?

A.Internet Gateway
B.AWS Site-to-Site VPN
C.VPC Gateway Endpoint
D.NAT Gateway
AnswerC

VPC Gateway Endpoint provides private, secure access to S3.

Why this answer

Option C is correct because a VPC Gateway Endpoint provides private access to S3 without using the internet. Option D is wrong because a NAT Gateway is for outbound internet access, not private S3 access. Option A is wrong because an Internet Gateway routes traffic over the internet, not privately.

Option B is wrong because a VPN connection is for on-premises connectivity, not for S3 access.

1543
MCQhard

A CloudFormation stack created a VPC Gateway Endpoint for S3 with the above policy. An EC2 instance in the VPC is unable to download objects from the S3 bucket using the AWS CLI. The instance has an IAM role with s3:GetObject permission. What is the most likely cause?

A.The security group associated with the VPC Endpoint blocks traffic.
B.The VPC Endpoint policy does not allow s3:GetObject.
C.The VPC Endpoint policy does not allow s3:ListBucket, which is needed for the CLI to list objects.
D.The route table for the private subnet does not have a route to the VPC Endpoint.
AnswerC

The CLI often lists objects first, requiring ListBucket permission.

Why this answer

Option C is correct because the VPC Endpoint policy allows only s3:GetObject, but the CLI often calls s3:ListBucket before downloading objects; the endpoint policy is evaluated together with the instance role's IAM policy, so both must allow the call. Option B is wrong because the endpoint policy does allow GetObject. Option A is wrong because Gateway Endpoints do not use security groups.

Option D is wrong because the route table must have a route to the endpoint, but the question implies it's configured.

1544
Multi-Selecthard

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team requires that the web tier can only be accessed from the internet, the application tier can only be accessed from the web tier, and the database tier can only be accessed from the application tier. Additionally, the team needs to ensure that no traffic can bypass these controls. Which THREE actions should the team take?

Select 3 answers
A.Use security group rules that reference other security groups as sources.
B.Configure security groups to allow only necessary traffic between tiers.
C.Configure network ACLs (NACLs) to allow only necessary traffic between subnets as a defense-in-depth measure.
D.Enable VPC Flow Logs on all subnets and send logs to Amazon S3.
E.Attach an internet gateway to the VPC and add a default route to the internet gateway in the web tier subnet's route table.
AnswersA, B, C

Referencing a security group as a source allows traffic from instances in that group, enforcing tier-to-tier access.

Why this answer

Security group rules can reference other security groups as sources, which allows the application tier security group to permit traffic only from the web tier security group, and the database tier security group to permit traffic only from the application tier security group. This creates a logical, stateful firewall that enforces the required traffic flow between tiers without relying on IP addresses, ensuring that no traffic can bypass the controls even if subnet configurations change.

Exam trap

The trap here is that candidates often confuse VPC Flow Logs (a monitoring tool) with a security control, or they mistakenly think that adding an internet gateway alone enforces the tier-to-tier access rules, when in fact the correct actions must directly restrict traffic flow between tiers using security group references, security group rules, and NACLs.

1545
MCQmedium

Refer to the exhibit. A security engineer applies this S3 bucket policy. What is the result of this policy?

A.All objects must be encrypted with SSE-S3 or SSE-KMS.
B.All PutObject requests must use SSE-KMS encryption.
C.All objects must be encrypted with a specific KMS key.
D.All PutObject requests are allowed regardless of encryption.
AnswerB

The policy denies if encryption is not aws:kms.

Why this answer

Option B is correct. The policy denies s3:PutObject if the object is not encrypted with SSE-KMS (condition StringNotEquals on aws:kms). Option C is wrong because the policy does not require a specific KMS key, just SSE-KMS.

Option A is wrong because SSE-S3 is not accepted by this policy, only SSE-KMS. Option D is wrong because the policy explicitly denies, not allows.

1546
MCQhard

A network engineer is designing a multi-region architecture using AWS Transit Gateway and wants to minimize inter-region latency for data transfer between VPCs. The application requires high throughput and low latency. Which design should be used?

A.Establish VPC peering connections between all VPCs across regions
B.Use AWS Site-to-Site VPN between Transit Gateways in each region
C.Configure VPC endpoints to route traffic through AWS backbone
D.Use Transit Gateway inter-region peering between Transit Gateways
AnswerD

This provides low-latency, high-throughput connectivity.

Why this answer

Option D is correct because Transit Gateway inter-region peering provides direct, encrypted connections over the AWS backbone with low latency. Option A is wrong because VPC peering is limited to pairs of VPCs and does not scale. Option B is wrong because VPN adds overhead and latency.

Option C is wrong because VPC endpoints are for service access, not inter-VPC traffic.

1547
MCQeasy

A company wants to encrypt all data in transit between its on-premises data center and AWS. They are using AWS Direct Connect for connectivity. Which additional configuration is required to ensure encryption?

A.Use MACsec to encrypt the Direct Connect connection
B.Configure TLS on all applications
C.No additional configuration is needed; Direct Connect encrypts traffic automatically
D.Set up an IPsec VPN over the Direct Connect connection
AnswerD

IPsec provides encryption for the entire traffic.

Why this answer

Option D is correct. Direct Connect does not provide encryption by default; you need to establish an IPsec VPN over the Direct Connect connection. Option C is wrong because Direct Connect itself does not encrypt.

Option B is wrong because TLS only covers applications that support it. Option A is wrong because MACsec encrypts the Direct Connect link at Layer 2 and is only available on certain connection types; IPsec is the standard answer here.

1548
MCQhard

A company is migrating a legacy application to AWS. The application requires that all traffic between the web and application tiers be encrypted, but the application does not support TLS. What should a network engineer do to meet this requirement without modifying the application?

A.Establish a VPN connection between the web and application instances.
B.Use a Network Load Balancer (NLB) with TLS termination and target groups with TCP, then enable encryption on the NLB.
C.Use an Application Load Balancer (ALB) with TLS termination between the tiers.
D.Use a Classic Load Balancer with TCP listeners.
AnswerB

NLB can terminate TLS and forward decrypted traffic to targets that don't support TLS.

Why this answer

Using a Network Load Balancer (NLB) with TLS termination offloads encryption and decryption from the application. Option B is correct. Option C is wrong because an Application Load Balancer works at layer 7 and would require TLS support from the application to re-encrypt to the targets.

Option D is wrong because the Classic Load Balancer is a legacy option and less capable. Option A is wrong because VPN is for hybrid connectivity, not traffic within a VPC.

1549
Drag & Dropmedium

Order the steps to set up a redundant Direct Connect connection with two virtual interfaces in different AWS regions:


Why this order

First provision the connections, then create VIFs, configure BGP, tune routing, then test failover.

1550
MCQhard

An IAM policy is attached to a user who needs to manage VPC peering connections. The policy allows creating and accepting peering connections, but the user reports they cannot add routes to the route table of their VPC (vpc-11111111) for the peered connection. What is the most likely cause?

A.The condition in the policy restricts the VPC, but the route table is not associated with that VPC.
B.The user does not have permission to create routes.
C.The user needs additional permissions for the peering connection.
D.The user needs to accept the peering connection first.
AnswerA

Condition limits to specific VPC ARN, but route table may have different ARN.

Why this answer

Option A is correct because the IAM policy includes a condition that restricts the VPC (e.g., `ec2:Vpc` condition key set to `vpc-11111111`), but the route table the user is trying to modify is not associated with that VPC. Even though the user has permissions to create and accept peering connections, the condition on the route table modification action (like `ec2:CreateRoute`) limits the operation to route tables belonging to the specified VPC. Since the route table belongs to a different VPC or is not associated with `vpc-11111111`, the request fails.

Exam trap

AWS often tests the misconception that route table modifications are solely governed by the `ec2:CreateRoute` action, ignoring that IAM conditions like `ec2:Vpc` can restrict the operation based on the route table's associated VPC, leading candidates to incorrectly choose Option B.

How to eliminate wrong answers

Option B is wrong because the user does have permission to create routes (the policy allows managing VPC peering connections, which typically includes `ec2:CreateRoute` for the peered VPC), but the condition on the VPC is the actual blocker. Option C is wrong because the user already has the necessary permissions for the peering connection (create and accept), and the issue is not about additional peering permissions but about the route table's VPC association. Option D is wrong because accepting the peering connection is a separate step that the user can already perform (the policy allows it), and the route cannot be added until the peering connection is in the 'active' state, but the error reported is about adding routes, not about the peering state.

1551
MCQhard

A company has a VPC with CIDR 10.0.0.0/16. They have a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24). They have a Network Load Balancer (NLB) in the public subnet, and EC2 instances in the private subnet. The NLB has a target group pointing to the EC2 instances. The security group for the EC2 instances allows traffic from the NLB's private IP addresses on port 80. The network ACL for the private subnet allows inbound traffic on port 80 from the public subnet CIDR and outbound ephemeral ports to 0.0.0.0/0. However, clients connecting to the NLB experience intermittent timeouts. The network engineer checks the NLB logs and sees that connections are established but occasionally drop. The engineer also notices that the EC2 instances have a default route to a NAT Gateway in the public subnet. What is the most likely cause of the intermittent timeouts?

A.Cross-zone load balancing is disabled on the NLB.
B.The NLB health checks are failing, causing targets to be removed.
C.The EC2 instances have a default route to the NAT Gateway, causing asymmetric routing.
D.The security group for the NLB is blocking inbound traffic.
AnswerC

Return traffic goes to NAT instead of NLB, breaking the connection.

Why this answer

Option C is correct. When the NLB uses client IP preservation (the default), the target instance receives traffic with the client's source IP. The target then sends the response back to the client IP.

But the target's default route points to the NAT Gateway, so the response goes to the NAT Gateway instead of directly back to the NLB. The NAT Gateway then sends the response to the internet, but the client expects the response from the NLB's IP, causing asymmetry and potential drops. Option B is wrong because health checks are independent.

Option C is wrong because disabling cross-zone load balancing does not cause timeouts. Option D is wrong because the NLB does not have security groups.

1552
MCQhard

A company is designing a highly available network for a critical application that requires sub-second failover between two AWS regions. The application uses active-active traffic distribution. Which routing policy should they use in Amazon Route 53?

A.Latency routing with health checks
B.Failover routing
C.Geolocation routing
D.Weighted routing
AnswerA

Correct: latency-based routing sends each client to the lowest-latency healthy Region while both Regions stay active.

Why this answer

Option A is correct because latency-based routing with health checks keeps both Regions active, answers each query with the lowest-latency Region, and stops returning a Region as soon as its health check fails. Note that the failover time is bounded by the health check interval (10 or 30 seconds, times the failure threshold) plus the record TTL, so the sub-second figure describes routing of new queries once the check has failed, not recovery of connections already in flight. Option B is wrong because failover routing is active-passive: the secondary receives traffic only when the primary is unhealthy. Option D is wrong because weighted routing distributes traffic by fixed ratios rather than by latency; health checks can be attached to weighted records, but they do not make the distribution latency-aware.

Option C is wrong because geolocation routing maps clients to Regions by geographic origin rather than measured latency, and is not designed for active-active failover.

1553
MCQhard

A security engineer is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The company requires that all VPC flow logs be delivered to a central S3 bucket in the security account. The security engineer has created a bucket policy that grants the necessary permissions. However, flow logs from member accounts are failing to be delivered. What is the most likely cause?

A.The member accounts have not created an IAM role with permissions to write to the central bucket.
B.The bucket policy does not include a condition that restricts access to the flow log delivery service using aws:SourceArn or aws:SourceAccount.
C.The bucket policy does not grant write access to the member accounts' root user.
D.The central S3 bucket has not been configured with ACLs enabled.
AnswerB

This condition is essential to prevent the confused deputy problem.

Why this answer

Option B is correct because VPC Flow Logs are written to S3 by the log delivery service principal (delivery.logs.amazonaws.com) acting on behalf of each member account, so the bucket policy is the only authorization that applies. Without `aws:SourceArn` or `aws:SourceAccount` conditions, any flow log in any account that targets this bucket name could write to it: the classic confused deputy problem. As the question frames it, delivery fails because the policy cannot establish that the request originated from the expected accounts; in a multi-account setup the condition lists every member account ID (or matches their flow log ARNs), and a member account missing from it is denied.

Exam trap

AWS often tests the confused deputy problem in cross-account service delivery scenarios, and the trap here is that candidates mistakenly focus on IAM roles or root user permissions instead of recognizing that the bucket policy must include a source condition to prevent unauthorized access.

How to eliminate wrong answers

Option A is wrong because delivery to S3 does not use an IAM role in the member account; the delivery.logs.amazonaws.com service principal writes directly and is authorized by the bucket policy alone (an IAM role is required only for CloudWatch Logs destinations). Option C is wrong because granting write access to the member accounts' root users is unnecessary and overly permissive; the bucket policy should grant `s3:PutObject` and `s3:GetBucketAcl` to the log delivery service principal, scoped with the source conditions. Option D is wrong because S3 ACLs are not required for this use case; bucket policies alone grant the cross-account access, and leaving ACLs disabled (the default for new buckets) does not prevent flow log delivery.
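An added example, not part of the exam material, showing the bucket policy shape AWS documents for flow log delivery together with a small check for the missing-condition mistake described above. The bucket name `central-flow-logs`, the account ID 111122223333 and the Region are placeholders (assumptions); the second statement is deliberately left without the guard so the check has something to find.

```python
"""Check an S3 bucket policy for VPC Flow Logs delivery statements that lack a
confused-deputy guard (aws:SourceAccount / aws:SourceArn), and add one.

Added example for this question, not exam material. Bucket name, account ID
and Region are placeholder assumptions."""
import json

LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
GUARD_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

# Constructed bucket policy in the shape AWS documents for flow-log delivery.
# The first statement is guarded; the second deliberately omits the condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::central-flow-logs/AWSLogs/111122223333/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333",
                    "s3:x-amz-acl": "bucket-owner-full-control",
                },
                "ArnLike": {"aws:SourceArn": "arn:aws:logs:us-east-1:111122223333:*"},
            },
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::central-flow-logs",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def grants_log_delivery(stmt):
    """True if the statement's principal covers the log-delivery service."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return LOG_DELIVERY_PRINCIPAL in services


def has_source_guard(stmt):
    """True if any condition block pins the request to a source account or ARN."""
    for operator_block in stmt.get("Condition", {}).values():
        if any(key.lower() in GUARD_KEYS for key in operator_block):
            return True
    return False


def find_unguarded_statements(policy):
    """Sids (or positional labels) of Allow statements that let the delivery
    service in without an aws:SourceAccount / aws:SourceArn condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not grants_log_delivery(stmt):
            continue
        if not has_source_guard(stmt):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def add_source_guard(stmt, account_id, region):
    """Return a copy of the statement with the documented guard conditions added."""
    fixed = json.loads(json.dumps(stmt))  # deep copy; leave the input untouched
    cond = fixed.setdefault("Condition", {})
    cond.setdefault("StringEquals", {})["aws:SourceAccount"] = account_id
    cond.setdefault("ArnLike", {})["aws:SourceArn"] = f"arn:aws:logs:{region}:{account_id}:*"
    return fixed


if __name__ == "__main__":
    print("unguarded:", find_unguarded_statements(SAMPLE_POLICY))
    print(json.dumps(add_source_guard(SAMPLE_POLICY["Statement"][1],
                                      "111122223333", "us-east-1"), indent=2))
```

For a multi-account setup, `aws:SourceAccount` takes a list of the member account IDs and `aws:SourceArn` an `arn:aws:logs:<region>:<account>:*` pattern per account, so that only flow logs created in those accounts can deliver to the bucket.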

1554
Matchingmedium

Match each AWS service or feature to its primary function in network architecture.

Pairings

Hub-and-spoke connectivity between VPCs and on-premises: AWS Transit Gateway

Dedicated network connection from on-premises to AWS: AWS Direct Connect

Direct network connection between two VPCs: VPC Peering

Private access to services across VPCs and accounts: AWS PrivateLink (interface VPC endpoints)

Encrypted tunnel over the internet to AWS: AWS Site-to-Site VPN

Why these pairings

These are the core AWS connectivity services. The distinguishing property of each is whether the link is transitive (Transit Gateway), a dedicated physical circuit (Direct Connect), point-to-point and non-transitive (VPC Peering), scoped to one service rather than a whole network (PrivateLink), or an IPsec tunnel carried over the public internet (Site-to-Site VPN).

1555
MCQeasy

A company is deploying a multi-tier application in a VPC. The web servers must be accessible from the internet, while the application servers must only be accessible from the web servers. Which architecture meets these requirements?

A.All servers in private subnets; use a load balancer in a public subnet.
B.Web servers in private subnets; application servers in public subnets with an Internet Gateway.
C.All servers in public subnets; use Security Groups to restrict access.
D.Web servers in public subnets with an Internet Gateway; application servers in private subnets with a route to the NAT Gateway.
AnswerD

This provides internet access to web servers while keeping app servers private.

Why this answer

Option D is correct because it places web servers in public subnets with an Internet Gateway (IGW) for direct internet access, while application servers reside in private subnets that lack a direct route to the IGW. The private subnets have a route to a NAT Gateway, allowing the application servers to initiate outbound internet connections (e.g., for updates) without being reachable from the internet. Security Groups on the application servers can further restrict inbound traffic to only the web servers' security group, ensuring the application tier is isolated.

Exam trap

AWS often tests the misconception that Security Groups alone can fully isolate traffic in a public subnet, but the trap here is that instances in public subnets still have public IP addresses and are reachable from the internet unless explicitly blocked by a Network ACL or Security Group, which is less reliable than using private subnets with no IGW route.

How to eliminate wrong answers

Option A is wrong as written: all servers in private subnets behind an internet-facing load balancer is a sound pattern, but the option does not say the load balancer is internet-facing, and the question treats the web servers themselves as the internet-facing tier, so the option does not satisfy the stated requirement. Option B is wrong because it inverts the tiers: application servers in public subnets with an Internet Gateway are directly exposed, violating the rule that only the web servers may reach them. Option C is wrong because every server in a public subnet carries a public IP and a route to the Internet Gateway; Security Groups can limit inbound traffic, but a single permissive rule exposes the application tier, whereas a private subnet with no IGW route removes the internet path entirely.

1556
MCQeasy

A company has a VPC with a public subnet and a private subnet. The private subnet contains Amazon RDS instances that should only be accessed by EC2 instances in the same VPC. The EC2 instances are in a security group named 'App-SG'. Which configuration will meet the requirement?

A.Configure a network ACL on the private subnet to allow inbound traffic from the VPC CIDR.
B.Configure a network ACL on the private subnet to allow inbound traffic from the public subnet CIDR.
C.Configure a security group on the RDS instances to allow inbound traffic from the 'App-SG' security group.
D.Configure a security group on the RDS instances to allow inbound traffic from the VPC CIDR.
AnswerC

Security group referencing another security group allows only instances with that security group.

Why this answer

Security groups are stateful and can reference other security groups as a source, allowing traffic from all instances associated with the source security group. By configuring the RDS security group to allow inbound traffic from 'App-SG', only EC2 instances in that group can access the RDS instances, meeting the requirement without exposing the database to the entire VPC CIDR.

Exam trap

The trap here is that candidates often confuse security groups with network ACLs, or assume that allowing the VPC CIDR is sufficient, not realizing that security group references provide more precise, instance-level access control than CIDR-based rules.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and apply at the subnet level, not the instance level; allowing inbound traffic from the VPC CIDR would permit any resource in the VPC (including unauthorized instances) to access the RDS instances, and would also require explicit outbound rules for return traffic. Option B is wrong because allowing inbound traffic from the public subnet CIDR is overly permissive and does not restrict access to only the EC2 instances in 'App-SG'; it would also allow any instance in the public subnet, not just those in the security group. Option D is wrong because allowing inbound traffic from the VPC CIDR via a security group would permit any resource in the VPC (including unauthorized instances or services) to access the RDS instances, violating the requirement for access only by EC2 instances in 'App-SG'.

1557
MCQmedium

Refer to the exhibit. A network engineer has configured VPC Flow Logs for a VPC and is verifying the logs. The flow logs are being delivered to CloudWatch Logs, but the engineer notices that the logs do not contain the 'srcaddr' and 'dstaddr' fields. What is the most likely cause?

A.The flow log is configured with TrafficType set to 'REJECT' only
B.The IAM role FlowLogRole does not have permission to write to CloudWatch Logs
C.The flow log is configured with a MaxAggregationInterval of 60 seconds, which causes fields to be omitted
D.The flow log is using the default log format, which does not include source and destination addresses
AnswerD

Fields are fixed by the log format chosen at creation; a format that omits srcaddr and dstaddr cannot be amended, so the flow log must be recreated.

Why this answer

Option D is the keyed answer: every record carries exactly the fields in the flow log's log format, which is fixed when the flow log is created. If that format does not include `${srcaddr}` and `${dstaddr}`, no record will carry them, and the only remedy is to delete the flow log and create a new one whose format includes those fields. One caveat a practitioner should know: the default format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) does include both addresses, so addresses missing in practice point to a custom format that omitted them; read the option as 'a log format that does not include source and destination addresses', and confirm the format with `aws ec2 describe-flow-logs` (the LogFormat attribute) before reasoning further.

How to eliminate wrong answers

Option A is wrong because TrafficType only selects which flows are recorded (ACCEPT, REJECT or ALL); it does not remove fields from the records that are written. Option B is wrong because a role without permission to write to CloudWatch Logs would stop delivery entirely rather than produce records with fields missing. Option C is wrong because the maximum aggregation interval (60 seconds or 10 minutes) only controls how long flows are aggregated before a record is emitted; it has no effect on which fields appear.

1558
MCQmedium

A company is designing a multi-Region architecture with active-active failover for a web application. The application uses Application Load Balancers (ALBs) in two AWS Regions. Traffic must be routed to the closest healthy Region with automatic failover. Which AWS service should be used to route traffic?

A.Network Load Balancer with cross-zone load balancing
B.Amazon CloudFront with multiple origins
C.Amazon Route 53 with latency-based routing and health checks
D.AWS Global Accelerator
AnswerC

Route 53 latency routing directs traffic to the Region with the lowest latency, and health checks automatically fail over to the next best Region.

Why this answer

Option C is correct because Route 53 latency-based routing returns the Region with the lowest latency for each client, and health checks remove an unhealthy Region's ALB from the answers so traffic fails over automatically. Option D is wrong, as the question frames it, because Global Accelerator steers traffic over the AWS backbone using anycast IPs rather than through DNS latency records and health checks on the ALBs. Option B is wrong because CloudFront is a content delivery network; origin failover between two origins serves cached content and is not an active-active load balancing mechanism across Regions.

Option A is wrong because a Network Load Balancer operates within a single Region; cross-zone load balancing spreads traffic across Availability Zones, not Regions.

1559
Multi-Selecteasy

A company is designing a VPC for a three-tier application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. Which THREE design elements are required? (Choose THREE.)

Select 3 answers
A.A public subnet for the web tier with an internet gateway
B.A private subnet for the database tier with a route to the application subnet
C.A private subnet for the application tier with a route to the web subnet
D.A NAT gateway in the public subnet for outbound traffic from private subnets
E.A VPN connection to on-premises
AnswersA, B, C

Each tier gets its own subnet, with access limited to the adjacent tier.

Why this answer

Option A is correct: the web tier needs a public subnet with an internet gateway to be reachable from the internet. Option C is correct: the application tier sits in a private subnet reachable only from the web subnet. Option B is correct: the database tier sits in a private subnet reachable only from the application subnet. In practice subnets inside one VPC already route to each other via the local route, so the 'only accessible from' constraints are enforced with security groups that reference the previous tier's security group.

Option D is wrong because a NAT gateway provides outbound internet access for private subnets, which is not among the stated requirements. Option E is wrong because no on-premises connectivity is required.

1560
MCQeasy

A company is designing a network security architecture for a multi-account AWS environment. They need to centrally inspect and filter traffic between VPCs using a third-party firewall appliance. Which AWS service should they use to route traffic through the inspection VPC?

A.VPC Peering
B.AWS Direct Connect
C.AWS Transit Gateway
D.VPC Endpoints
AnswerC

Supports hub-and-spoke architecture with inspection VPC.

Why this answer

Option C is correct because AWS Transit Gateway with a central inspection VPC lets you route inter-VPC traffic through a firewall appliance: spoke VPC attachments use a route table whose default route points at the inspection VPC attachment, and the inspection VPC's route table sends traffic back to the spokes. Option A is wrong because VPC Peering is non-transitive, so traffic cannot be forced through a third VPC. Option B is wrong because Direct Connect provides on-premises connectivity, not inter-VPC routing.

Option D is wrong because VPC Endpoints are for private access to AWS services, not inter-VPC traffic.

1561
MCQhard

A company is using an AWS Transit Gateway to connect multiple VPCs and on-premises networks via Direct Connect. The network team notices that traffic from an on-premises network (CIDR 172.16.0.0/12) to a VPC (CIDR 10.0.0.0/16) is being dropped. The transit gateway route table shows a static route for 10.0.0.0/16 pointing to the VPC attachment. The Direct Connect virtual interface (VIF) is associated with the transit gateway and the on-premises router is advertising 172.16.0.0/12 via BGP. What is the most likely cause of the traffic being dropped?

A.The VPC has a route that points to the transit gateway for the on-premises CIDR, causing asymmetric routing.
B.The Direct Connect VIF is not configured with BFD.
C.The transit gateway route table does not have a route for the on-premises CIDR (172.16.0.0/12) pointing to the Direct Connect attachment.
D.The VPC route table does not have a route for the on-premises CIDR pointing to the transit gateway.
AnswerC

The transit gateway needs a route for the on-premises CIDR to forward return traffic to the Direct Connect attachment.

Why this answer

The transit gateway route table must contain a route for the on-premises CIDR (172.16.0.0/12) pointing to the Direct Connect attachment for return traffic to be forwarded correctly. Without this route, the transit gateway has no path for traffic destined to the on-premises network, causing it to be dropped. The static route for 10.0.0.0/16 only handles traffic toward the VPC, not the return direction.

Exam trap

The trap here is that candidates often assume the transit gateway automatically learns routes from BGP advertisements over Direct Connect and installs them into the route table, but in reality, you must either propagate the attachment or add a static route for the on-premises CIDR.

How to eliminate wrong answers

Option A is wrong because a VPC route pointing the on-premises CIDR at the transit gateway is exactly what the return path needs; it is not an asymmetry and does not drop traffic. Option B is wrong because BFD (Bidirectional Forwarding Detection) only speeds up failure detection on the BGP session; its absence does not stop traffic from being forwarded. Option D is wrong because the question is about traffic arriving from on-premises and being dropped at the transit gateway; the missing return route in the transit gateway route table is the first failure point, before the VPC route table is consulted.
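An added example, not exam material, that walks both directions of the flow in the question through the route tables with longest-prefix lookup, so the missing return route shows up as the drop. Attachment names and addresses are constructed placeholders.

```python
"""Longest-prefix-match walk through the VPC and transit gateway route tables in
the question, in both directions, to show why a missing return route in the
transit gateway route table drops the on-premises to VPC flow.

Added example, not exam material; attachment names and addresses are
constructed placeholders."""
from ipaddress import ip_address, ip_network


def lookup(route_table, dst):
    """Return the target of the most specific route containing dst, or None."""
    addr = ip_address(dst)
    matches = [(ip_network(cidr), target)
               for cidr, target in route_table.items() if addr in ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# Route table associated with the instance's subnet in the 10.0.0.0/16 VPC.
VPC_RT = {
    "10.0.0.0/16": "local",
    "172.16.0.0/12": "tgw-attachment",     # on-premises prefixes go to the TGW
}

# Transit gateway route table as described: only the static route to the VPC.
TGW_RT_BROKEN = {
    "10.0.0.0/16": "vpc-attachment",
}

# Same table after enabling propagation from the Direct Connect gateway
# attachment (or adding the equivalent static route).
TGW_RT_FIXED = {
    "10.0.0.0/16": "vpc-attachment",
    "172.16.0.0/12": "dx-gateway-attachment",
}


def round_trip(tgw_rt, vpc_rt, on_prem_ip, instance_ip):
    """Trace the forward and return lookups for one flow.

    Forward: the packet arrives on the DX attachment and is looked up in the
    TGW route table. Return: the instance's subnet route table sends the reply
    to the TGW, which looks the on-premises address up again. 'delivered' is
    True only when every hop resolves."""
    hops = {
        "forward_tgw": lookup(tgw_rt, instance_ip),
        "return_vpc": lookup(vpc_rt, on_prem_ip),
    }
    if hops["return_vpc"] == "tgw-attachment":
        hops["return_tgw"] = lookup(tgw_rt, on_prem_ip)
    else:
        hops["return_tgw"] = None
    hops["delivered"] = hops["forward_tgw"] is not None and hops["return_tgw"] is not None
    return hops


if __name__ == "__main__":
    for name, table in (("broken", TGW_RT_BROKEN), ("fixed", TGW_RT_FIXED)):
        print(name, round_trip(table, VPC_RT, "172.16.5.10", "10.0.2.20"))
```

The same two-direction check is the first thing to run by hand when a transit gateway drops traffic: confirm the destination prefix in the route table associated with the inbound attachment, then confirm the source prefix in the route table associated with the attachment the reply will arrive on.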

1562
Multi-Selectmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The company does not want to assign public IP addresses to the instance. Which combination of resources is required? (Choose TWO.)

Select 2 answers
A.VPN connection to the on-premises data center
B.NAT Gateway in a public subnet
C.VPC endpoint for Amazon S3
D.Internet Gateway attached to the VPC
AnswersB, D

The NAT Gateway enables outbound internet traffic for instances in private subnets.

Why this answer

A NAT Gateway in a public subnet lets instances in private subnets initiate outbound connections to the internet; the private subnet's route table needs a default route (0.0.0.0/0) pointing to the NAT Gateway. The NAT Gateway itself only works if its subnet is public, which means the VPC must have an Internet Gateway attached and the public subnet's route table must send 0.0.0.0/0 to it, so both B and D are required.

Option C is wrong because a VPC endpoint for Amazon S3 gives private access to S3 only, not to arbitrary internet patch repositories. Option A is wrong because a VPN connection provides on-premises connectivity, not internet egress.

1563
MCQeasy

A company is designing a hybrid network connecting an on-premises data center to AWS via AWS Direct Connect. The company requires high availability and wants to avoid a single point of failure. Which design meets these requirements?

A.Provision a single Direct Connect connection with multiple virtual interfaces (VIFs).
B.Provision one Direct Connect connection with two VLANs to separate production and non-production traffic.
C.Use a single Direct Connect connection and a VPN backup over the internet.
D.Provision two Direct Connect connections at two different Direct Connect locations.
AnswerD

Two connections at different locations provide physical diversity and high availability.

Why this answer

Option D is correct because provisioning two Direct Connect connections at two different Direct Connect locations eliminates any single point of failure. This design ensures that if one connection or location fails, traffic can automatically fail over to the other connection, meeting the high availability requirement. A single Direct Connect connection, regardless of the number of VIFs or VLANs, remains a single point of failure.

Exam trap

AWS often tests the misconception that multiple VIFs or VLANs on a single Direct Connect connection provide redundancy, but they do not eliminate the physical single point of failure of the connection itself.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection with multiple virtual interfaces (VIFs) still relies on a single physical link and single Direct Connect location; if that connection fails, all VIFs go down, so it does not avoid a single point of failure. Option B is wrong because using one Direct Connect connection with two VLANs only separates traffic logically on the same physical link; it does not provide physical redundancy, so a failure of the single connection takes down both VLANs. Option C is wrong because while a VPN backup over the internet provides a failover path, the primary single Direct Connect connection is still a single point of failure; the design does not meet the requirement to avoid a single point of failure for the primary connection, and the VPN backup may have lower performance and higher latency.

1564
Multi-Selecteasy

Which TWO of the following are valid components of an AWS Transit Gateway design for connecting multiple VPCs and on-premises networks?

Select 2 answers
A.VPC Endpoint Gateway
B.Transit Gateway endpoint attached to a subnet in a VPC
C.Direct Connect Gateway associated with a Transit Gateway
D.Transit Gateway route table
E.Transit Gateway peering attachment
AnswersD, E

Route tables control traffic between attachments; peering attachments connect transit gateways to each other.

Why this answer

Option D is correct because a Transit Gateway route table is the component that controls how traffic is forwarded between attachments (VPCs, VPNs, Direct Connect gateways, peering); each attachment is associated with exactly one route table, and route propagation lets the table learn routes from attachments dynamically. Option E is correct because a Transit Gateway peering attachment connects two transit gateways, in the same or different Regions, and is the standard way to extend a hub-and-spoke design across Regions. Option A is wrong because a gateway VPC endpoint is a VPC route-table target for S3 and DynamoDB, not a Transit Gateway component. Option B is wrong because there is no Transit Gateway endpoint that attaches to a subnet. Option C describes a valid association (a Direct Connect gateway can be associated with a transit gateway, and question 1571 counts it as an attachment type), so it is the weakest distractor here; the key lists D and E.

Exam trap

AWS often tests the misconception that a Transit Gateway endpoint attaches to a subnet like a VPC endpoint, but in reality a VPC attachment is a VPC-level construct that places an elastic network interface in one subnet per Availability Zone you enable.

1565
Multi-Selecthard

A company uses AWS Direct Connect with a public VIF to access S3. The on-premises network uses BGP to advertise a specific prefix to AWS. The company wants to ensure that traffic to S3 from on-premises always uses the Direct Connect connection and not the internet. Which TWO configurations must be in place?

Select 2 answers
A.Set a higher MED value on routes learned from the internet to make them less preferred.
B.Set a higher local preference on the Direct Connect BGP session for the S3 prefixes.
C.Disable the internet gateway for the VPC.
D.Set the AS_PATH prepend on the Direct Connect BGP session.
E.Configure the on-premises router to advertise a more specific route for the S3 CIDR blocks over the Direct Connect BGP session.
AnswersB, E

Local preference governs the router's own outbound path choice; a higher value wins, and a longer prefix wins before any BGP attribute is compared.

Why this answer

To force S3 traffic onto Direct Connect, the on-premises router must prefer the public VIF path: apply a higher LOCAL_PREF to routes learned over the Direct Connect session (option B), and make sure the S3 prefixes reach the router as more specific routes over that session than over the internet (option E), since longest prefix match is decided before LOCAL_PREF, AS_PATH or MED are ever compared. Option A is wrong because MED is compared only after LOCAL_PREF and AS_PATH length, and it is an attribute a neighbor uses to choose among entry points into your AS, not a reliable way to steer your own egress. Option C is wrong because the VPC's internet gateway has nothing to do with how the on-premises network reaches S3's public endpoints. Option D is wrong because AS_PATH prepending on the Direct Connect session makes that path look longer and therefore less attractive, the opposite of what is wanted.
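An added example (not exam material) of the on-premises router's selection process that options B and E rely on: longest prefix first, then LOCAL_PREF, then AS_PATH length, then MED. The prefixes come from the documentation range 203.0.113.0/24 and the ASNs from the private-use range, standing in for the S3 prefixes and the provider and AWS ASNs (assumptions); in practice AWS advertises the S3 prefixes to you over the public VIF, and the Direct Connect AS_PATH is made longer here only to show that LOCAL_PREF overrides it.

```python
"""Simplified BGP path selection for the on-premises router in the question:
longest prefix first (a routing-table lookup, not a BGP tie-break), then
highest LOCAL_PREF, then shortest AS_PATH, then lowest MED.

Added example, not exam material. Prefixes and ASNs are placeholders from the
documentation and private-use ranges, not real S3 ranges or AWS ASNs."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str
    session: str              # BGP session the route was learned on
    local_pref: int = 100     # default LOCAL_PREF on most routers
    as_path: tuple = field(default_factory=tuple)
    med: int = 0


def best_path(candidates):
    """BGP tie-break among routes to the same prefix (a subset of the real process)."""
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path), -r.med))


def select(rib, dst):
    """Longest-prefix match over the RIB, then best_path among equal-length prefixes."""
    addr = ip_address(dst)
    matching = [r for r in rib if addr in ip_network(r.prefix)]
    if not matching:
        return None
    longest = max(ip_network(r.prefix).prefixlen for r in matching)
    return best_path([r for r in matching if ip_network(r.prefix).prefixlen == longest])


def set_local_pref(rib, session, value):
    """Inbound policy: assign LOCAL_PREF to every route learned on `session`."""
    return [Route(r.prefix, r.session, value, r.as_path, r.med) if r.session == session else r
            for r in rib]


# Constructed RIB: a default route from the ISP, and the same placeholder S3
# prefix learned both from the ISP (two ASes) and over the Direct Connect public
# VIF (prepended to three ASes so that AS_PATH alone would pick the internet).
RIB = [
    Route("0.0.0.0/0", "internet", as_path=(64500,)),
    Route("203.0.113.0/24", "internet", as_path=(64500, 64501)),
    Route("203.0.113.0/24", "directconnect", as_path=(64502, 64502, 64502)),
]


if __name__ == "__main__":
    print("default policy  :", select(RIB, "203.0.113.5").session)
    preferred = set_local_pref(RIB, "directconnect", 200)
    print("LOCAL_PREF 200  :", select(preferred, "203.0.113.5").session)
    specific = RIB + [Route("203.0.113.0/25", "directconnect", as_path=(64502,))]
    print("more specific   :", select(specific, "203.0.113.5").prefix)
```

With equal LOCAL_PREF the shorter internet AS_PATH wins; raising LOCAL_PREF on the Direct Connect session (option B) flips the choice, and a more specific prefix over Direct Connect (option E) wins outright, before any attribute is compared. The default route still carries everything outside the S3 prefixes to the internet.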

1566
MCQhard

A company has a VPC with multiple subnets across three Availability Zones. They are deploying an NFS file system using Amazon EFS. They need high availability and low latency from all subnets. Which EFS deployment option meets these requirements?

A.Use EFS One Zone storage class with a single mount target in the same Availability Zone as the application.
B.Use EFS Standard storage class with Multi-AZ and create a single mount target in one Availability Zone.
C.Use EFS Standard storage class with Multi-AZ and create mount targets in each Availability Zone.
D.Use EFS One Zone storage class and create mount targets in each Availability Zone.
AnswerC

Standard storage is replicated across AZs; mount targets in each AZ provide low latency.

Why this answer

Option C is correct: EFS Standard (Regional) file systems replicate data across multiple Availability Zones, and creating a mount target in each AZ lets every subnet mount the file system through a local ENI, avoiding cross-AZ latency and keeping access available if an AZ fails. Option A is wrong because EFS One Zone stores data in a single AZ and is not highly available.

Option B is wrong because a single mount target in one AZ becomes a single point of failure and forces cross-AZ access from the other subnets. Option D is wrong because a One Zone file system supports only one mount target, in its own AZ, and the data itself still lives in a single AZ.

1567
MCQmedium

A company is deploying a web application across multiple Availability Zones in a VPC. The application needs to be highly available and scale based on traffic. The architecture includes an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group. The company wants to ensure that if an Availability Zone fails, the ALB can still route traffic to healthy instances in other zones. What should the network engineer implement to meet this requirement?

A.Configure a Network Load Balancer instead of an ALB, and enable cross-zone load balancing.
B.Use an ALB with a target group that contains instances from only one Availability Zone, and use Route 53 health checks.
C.Deploy one ALB in each Availability Zone and use Route 53 latency-based routing.
D.Enable cross-zone load balancing on the ALB.
AnswerD

Cross-zone load balancing allows the ALB to distribute traffic across instances in all enabled AZs, providing high availability.

Why this answer

Option D is correct because cross-zone load balancing lets each ALB node distribute requests across all registered healthy targets in every enabled Availability Zone, so if one AZ fails the remaining nodes keep serving from the healthy AZs. It is enabled by default for ALBs, so in practice the check is that it has not been turned off and that both the ALB and the Auto Scaling group span multiple AZs. Option A is wrong because switching to a Network Load Balancer is unnecessary for an HTTP application, and NLBs have cross-zone load balancing disabled by default. Option B is wrong because a target group limited to one AZ loses all its capacity when that AZ fails, and Route 53 health checks cannot compensate within a single ALB.

Option C is wrong because one ALB per AZ with latency-based routing adds cost and complexity without adding anything that cross-zone load balancing on a single multi-AZ ALB already provides.

1568
MCQeasy

A company has several VPCs in the same AWS account and region. They want to centrally manage and monitor network traffic between these VPCs and also to on-premises networks. Which AWS service should they use?

A.AWS Direct Connect
B.VPC Peering
C.Transit Gateway
D.AWS VPN CloudHub
AnswerC

Transit Gateway provides a hub-and-spoke architecture for connecting multiple VPCs and on-premises networks.

Why this answer

A transit gateway acts as a central hub for routing traffic between VPCs and on-premises networks, with route tables and flow logs at the hub for central management and monitoring. Option B is wrong because VPC peering is point-to-point and non-transitive, so each VPC pair needs its own connection and nothing is centralized. Option A is wrong because Direct Connect alone provides on-premises connectivity; it does not connect VPCs to each other.

Option D is wrong because VPN CloudHub joins multiple Site-to-Site VPN connections on one virtual private gateway; it does not connect VPCs.

1569
MCQhard

A company uses AWS Direct Connect with a private VIF to connect to a VPC. They have an on-premises application that needs to resolve private hosted zone names in Amazon Route 53. The on-premises DNS server forwards queries for the private domain to the VPC's DNS resolver. However, resolution fails. What is the most likely cause?

A.The private hosted zone is not associated with the VPC.
B.The VPC's DHCP option set is not configured to use the Route 53 Resolver.
C.The security group for the VPC DNS resolver is blocking inbound UDP port 53 from the on-premises network.
D.A Route 53 Resolver outbound endpoint is not configured to forward queries from on-premises to the VPC.
AnswerD

A Route 53 Resolver endpoint reachable over Direct Connect is required; on-premises forwarders cannot reach the VPC's built-in resolver directly.

Why this answer

Option D is the keyed answer: the VPC's built-in resolver (the VPC CIDR base plus two, for example 10.0.0.2) is reachable only from within the VPC, so an on-premises DNS server that forwards to it over Direct Connect gets no answer. A Route 53 Resolver endpoint provides ENIs in the VPC that accept those forwarded queries and resolve private hosted zone names. One correction a practitioner should note: queries flowing from on-premises into the VPC use a Resolver inbound endpoint; an outbound endpoint forwards queries in the other direction, from the VPC to on-premises. The option as written has the direction wrong, but the mechanism it describes (a missing Resolver endpoint) is the cause. Option A is wrong because the question implies the zone is already associated with the VPC; without an endpoint the query never reaches the resolver in the first place.

Option B is wrong because the DHCP option set governs which resolver instances inside the VPC use; the failing queries come from on-premises, not from the VPC. Option C is wrong because the built-in VPC resolver has no security group; it is simply not reachable from outside the VPC (Resolver endpoints do carry security groups, and those must allow TCP and UDP port 53 from the on-premises ranges once the endpoint exists).

1570
MCQhard

A company uses AWS Direct Connect with a private VIF to connect its on-premises network to a VPC. The on-premises router advertises a specific route for a subnet (192.168.1.0/24) to the VPC via BGP. However, instances in the VPC cannot reach the 192.168.1.0/24 subnet. The VPC route table shows the route as 'active' and 'propagated' from the Direct Connect virtual interface. What is the most likely cause?

A.The security group for the VPC instances is blocking inbound traffic from the on-premises network.
B.The VPC has overlapping CIDR with the on-premises network.
C.The on-premises router is not advertising the correct BGP community.
D.The VPC route table does not have a route to the 192.168.1.0/24 subnet pointing to the virtual private gateway.
AnswerD

Propagation is enabled per route table; the route must be present in the route table associated with the instances' subnet.

Why this answer

Option D is correct. A route propagated from the virtual private gateway appears only in route tables that have propagation enabled for that gateway. If the route table the engineer inspected (for example the main route table) shows 192.168.1.0/24 as active and propagated, but the route table actually associated with the instances' subnet has propagation disabled and no static route for that prefix, the instances have no path to the on-premises subnet. The check is to find the route table associated with the instances' subnet and confirm the prefix is present there, either propagated or added statically.

Option A is incorrect because security groups are stateful and allow all outbound traffic by default, so they would not stop instances from initiating connections to 192.168.1.0/24. Option B is incorrect because the question does not describe an overlap, and an overlapping prefix would be masked by the VPC's local route rather than shown as an active propagated route. Option C is incorrect because BGP communities influence how AWS prefers routes it learns from you; they do not determine whether a propagated prefix is reachable from the VPC.

1571
Multi-Selectmedium

A company has multiple VPCs that need to communicate with each other and with an on-premises network via AWS Transit Gateway. Which THREE of the following are valid attachment types for a transit gateway?

Select 3 answers
A.Direct Connect Gateway
B.Internet Gateway
C.Site-to-Site VPN connection
D.VPC
E.Network Load Balancer
AnswersA, C, D

Direct Connect Gateway can be associated with a transit gateway.

Why this answer

Transit gateway supports attachments to VPCs, Site-to-Site VPN connections, and Direct Connect gateways (as well as peering with other transit gateways). Option B is incorrect because an internet gateway is attached to a VPC, not to a transit gateway. Option E is incorrect because a Network Load Balancer is a VPC resource and cannot be attached to a transit gateway.

1572
MCQeasy

A company has a VPC with public and private subnets. An EC2 instance in the private subnet needs to access the internet. The instance has a route table with a default route to a NAT gateway. However, the instance cannot reach the internet. What is the most likely cause?

A.The NAT gateway is placed in a private subnet.
B.The instance does not have a public IP address assigned.
C.The security group attached to the instance does not allow outbound HTTPS traffic.
D.The network ACL on the private subnet blocks outbound HTTP traffic.
AnswerA

NAT gateway must be in a public subnet with an internet gateway.

Why this answer

Option A is correct because the NAT gateway must sit in a public subnet, one whose route table sends 0.0.0.0/0 to an internet gateway; a NAT gateway in a private subnet has no path to the internet and drops the traffic it receives. Option C is wrong because security groups are stateful and allow all outbound traffic by default. Option B is wrong because instances behind a NAT gateway do not need a public IP; the NAT gateway's Elastic IP is the source address seen on the internet.

Option D is wrong because the default network ACL allows all outbound traffic; a custom network ACL could block it, but the question does not describe one, and the placement of the NAT gateway is the more fundamental failure.

1573
MCQmedium

A network engineer configured VPC Flow Logs for a subnet to capture all traffic. After reviewing the logs in CloudWatch Logs, they notice that some logs show 'NODATA' for the log-status field. What does 'NODATA' indicate?

A.No network traffic was observed for the given capture period.
B.The flow log record was skipped due to an internal error.
C.The log record was successfully delivered to CloudWatch.
D.The traffic was rejected by a network ACL or security group.
AnswerA

Correct meaning.

Why this answer

When VPC Flow Logs display 'NODATA' for the log-status field, it indicates that no network traffic was observed for the subnet during the aggregation interval (typically 10 minutes). This is a normal status meaning the capture window had zero packets flowing through the monitored interfaces, not an error or delivery issue.

Exam trap

AWS often tests the distinction between 'NODATA' (no traffic during the interval) and 'SKIPDATA' (records skipped because of an internal error); candidates incorrectly associate 'NODATA' with rejected traffic or delivery failures.

How to eliminate wrong answers

Option B is wrong because 'NODATA' is not caused by an internal error; internal errors are reported as 'SKIPDATA' in the log-status field. Option C is wrong because a successful delivery to CloudWatch is indicated by 'OK' in the log-status field, not 'NODATA'. Option D is wrong because traffic rejected by a network ACL or security group is still captured and logged with an 'ACCEPT' or 'REJECT' action in the flow log record, not as 'NODATA'.

1574
MCQmedium

A company is migrating a legacy application to AWS. The application requires a fixed IP address for outbound traffic to a partner's firewall. The application will run on Amazon EC2 instances in a private subnet. Which design meets the requirement without exposing the instances to inbound internet traffic?

A.Deploy a NAT gateway with an Elastic IP and route outbound traffic through it
B.Attach an Internet Gateway to the VPC and assign public IPs to the instances
C.Place the instances behind an Application Load Balancer
D.Create a VPC Gateway Endpoint for the partner's service
AnswerA

A NAT gateway with an Elastic IP provides a single fixed IP for all outbound traffic from private instances, and no inbound traffic is allowed.

Why this answer

A NAT gateway with an Elastic IP provides a fixed public IP address for outbound traffic from instances in a private subnet while preventing any unsolicited inbound connections from the internet. The NAT gateway translates the private source IPs of the instances to its own Elastic IP, meeting the partner firewall's requirement for a fixed source IP without exposing the EC2 instances directly.

Exam trap

The trap here is that candidates often confuse a NAT gateway with an Internet Gateway because both provide outbound connectivity. An Internet Gateway alone does not give private instances a fixed source IP, and assigning public IPs to the instances so they can use it would expose them to inbound traffic.

How to eliminate wrong answers

Option B is wrong because attaching an Internet Gateway and assigning public IPs to the instances would expose them to inbound internet traffic, violating the requirement to keep instances private. Option C is wrong because an Application Load Balancer operates at Layer 7 and does not provide a fixed source IP for outbound traffic; it distributes inbound traffic to targets, not outbound. Option D is wrong because a VPC Gateway Endpoint is used for private connectivity to AWS services like S3 or DynamoDB, not for routing general outbound traffic to an external partner's firewall.

1575
Drag & Drop · medium

Order the steps to troubleshoot an AWS Direct Connect virtual interface that is in the 'down' state:


Why this order

1. Check the Direct Connect connection status.
2. Verify the virtual interface configuration.
3. Check BGP on the on-premises router.
4. Test connectivity.
5. Escalate if the issue is unresolved.
