AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 1651–1705

1705 questions total · 23 pages · All types, answers revealed


Page 23 of 23

1651
MCQ · medium

A company has a VPC with a CIDR of 172.16.0.0/16. They have a subnet 172.16.1.0/24 for web servers and another subnet 172.16.2.0/24 for database servers. The web servers need to access the database servers on port 3306. Which configuration is required?

A. Configure network ACLs to allow inbound on port 3306 from web subnet.
B. Web SG: inbound from 0.0.0.0/0 on port 3306. DB SG: outbound to web SG on port 3306.
C. Web SG: outbound to DB SG on port 3306. DB SG: inbound from web SG on port 3306.
D. Web SG: outbound to DB SG on all ports. DB SG: inbound from web SG on all ports.
Answer: C

Allows only MySQL traffic from web to DB.

Why this answer

Option C is correct because security groups are stateful and control traffic at the instance level. The web server security group needs an outbound rule allowing traffic to the database security group on port 3306, and the database security group needs an inbound rule allowing traffic from the web security group on port 3306. This ensures that only the web servers can initiate connections to the database servers on the required port.

Exam trap

The trap here is that candidates often confuse the stateless nature of network ACLs with the stateful behavior of security groups, or they incorrectly assume that inbound rules on the source security group are needed instead of outbound rules on the source and inbound rules on the destination.

How to eliminate wrong answers

Option A is wrong because network ACLs are stateless and apply at the subnet level, not the instance level, and they require both inbound and outbound rules to allow traffic; additionally, the question asks for a configuration that works with security groups, not network ACLs. Option B is wrong because it incorrectly sets the web security group to allow inbound traffic on port 3306 from 0.0.0.0/0, which would allow any source to connect to the web servers on the database port, and the outbound rule on the database security group is unnecessary because security groups are stateful and return traffic is automatically allowed. Option D is wrong because it allows all ports instead of restricting to port 3306, violating the principle of least privilege and unnecessarily exposing the database servers to all traffic from the web servers.

1652
Multi-Select · easy

A company is setting up a site-to-site VPN connection between an on-premises network and AWS. Which TWO components are required for the VPN connection?

Select 2 answers
A. Customer gateway
B. Transit gateway
C. Virtual private gateway
D. VPN connection
E. Direct Connect connection
Answers: A, C

Represents the on-premises router.

Why this answer

Option C is correct because a virtual private gateway is the AWS-side VPN concentrator. Option A is correct because a customer gateway represents the on-premises router. Option E is wrong because a Direct Connect connection is a separate service.

Option B is wrong because a transit gateway is optional. Option D is wrong because a VPN connection is the VPN itself, not a component.

1653
MCQ · easy

A company wants to connect its on-premises data center to AWS using a dedicated, high-bandwidth, low-latency connection. The data center is collocated with an AWS Direct Connect location. Which AWS service should be used to establish this connection?

A. VPC peering
B. AWS Transit Gateway
C. AWS Direct Connect
D. AWS Site-to-Site VPN
Answer: C

Direct Connect provides a dedicated, private connection with high bandwidth and low latency.

Why this answer

AWS Direct Connect provides a dedicated private connection from on-premises to AWS, so Option C is correct. Option D (Site-to-Site VPN) uses the public internet.

Option A (VPC peering) is for VPC-to-VPC connectivity. Option B (Transit Gateway) is a network transit hub but requires an underlying connection.

1654
Multi-Select · medium

A company is designing a multi-region active-active application. They need to ensure that traffic is routed to the closest healthy region and that failover happens automatically. Which TWO services should be used together to achieve this?

Select 2 answers
A. AWS Transit Gateway with inter-region peering
B. Amazon CloudFront with multiple origins
C. AWS Global Accelerator with endpoint groups
D. Amazon Route 53 with latency-based routing
E. AWS Direct Connect with multiple locations
Answers: C, D

Provides anycast IPs and health checks.

Why this answer

AWS Global Accelerator (C) uses Anycast IPs to direct traffic to the closest healthy endpoint group, automatically rerouting traffic if a region becomes unhealthy. This provides fast regional failover and low-latency routing without DNS caching delays, making it ideal for active-active multi-region applications.

Exam trap

The trap here is that candidates often think Route 53 latency-based routing (D) alone is sufficient for automatic failover, but it relies on DNS caching and TTLs, which can delay failover by minutes, whereas Global Accelerator provides sub-second failover and is the recommended service for active-active multi-region traffic steering.

1655
MCQ · medium

A company is using AWS CloudFormation to deploy a stack that includes an S3 bucket with a bucket policy that restricts access to a specific VPC endpoint. The stack fails to create, and the error indicates that the bucket policy contains an invalid principal. Which principal should be used to restrict access to a VPC endpoint?

A. The condition key aws:SourceVpce
B. The VPC ID
C. The ARN of the VPC endpoint
D. The VPC endpoint service
Answer: A

The aws:SourceVpce condition key restricts access to requests originating from a specific VPC endpoint.

Why this answer

The condition key aws:SourceVpce restricts access to a specific VPC endpoint, so Option A is correct. Option C is wrong because a VPC endpoint has its own ARN, but that ARN is not used as a principal. Option B is wrong because the VPC ID is not a principal.

Option D is wrong because the VPC endpoint service is not a principal for S3 bucket policies.

1656
MCQ · hard

A company is designing a network architecture for a critical application that requires sub-millisecond latency between EC2 instances in the same placement group. The instances will be launched in a single Availability Zone in us-east-1. Which combination of features should be used to achieve the lowest latency?

A. Launch instances in a cluster placement group with Enhanced Networking (ENA) enabled.
B. Launch instances in a spread placement group with SR-IOV enabled.
C. Launch instances in a spread placement group with Enhanced Networking (ENA) enabled.
D. Launch instances in a cluster placement group with Elastic Fabric Adapter (EFA) enabled.
Answer: D

Cluster placement group minimizes network distance, and EFA provides OS-bypass for low latency.

Why this answer

Option D is correct. A placement group with the cluster strategy packs instances into a low-latency group within a single AZ, and Elastic Fabric Adapter (EFA) provides high-throughput, low-latency networking for HPC and ML workloads. Option A is wrong because Enhanced Networking alone does not guarantee sub-millisecond latency; EFA is needed.

Options B and C are wrong because a spread placement group distributes instances across distinct hardware, which increases latency; neither SR-IOV nor ENA on a spread group is as low-latency as cluster placement with EFA.

1657
MCQ · medium

A company has a VPC with an Application Load Balancer (ALB) that distributes traffic to EC2 instances in private subnets. The ALB needs to be accessible from the internet. The security team requires that all traffic to the ALB be inspected by AWS WAF. Which configuration meets these requirements?

A. Associate AWS WAF with the ALB and make the ALB internet-facing
B. Use a Network Load Balancer with AWS WAF attached
C. Place the ALB behind a Security Group that inspects traffic
D. Use Amazon CloudFront in front of the ALB with AWS WAF
Answer: A

ALB supports AWS WAF integration for web traffic inspection.

Why this answer

Option A is correct because AWS WAF can be associated with an ALB to inspect HTTP/HTTPS traffic. Option B is incorrect because a Network Load Balancer does not support AWS WAF. Option C is incorrect because security groups are stateful firewalls but do not support WAF rules.

Option D is incorrect because CloudFront can have WAF, but it is a CDN, not a regional load balancer.

1658
MCQ · hard

A network engineer is setting up a cross-account Route 53 Resolver rule association. The engineer creates the above resource-based policy on a resolver rule in account 111111111111. The engineer then tries to associate the rule from account 222222222222 but receives an access denied error. What is the MOST likely reason for the failure?

A. The policy does not allow the 'route53resolver:AssociateResolverRule' action.
B. The policy does not include the 'route53resolver:DisassociateResolverRule' action.
C. The policy's Principal is set to account 111111111111 instead of account 222222222222.
D. The resolver rule is not shared with account 222222222222.
Answer: C

The principal should be the account that will use the rule.

Why this answer

The resource-based policy on the Route 53 Resolver rule must specify the consuming account (222222222222) as the Principal to authorize cross-account association. Since the policy incorrectly sets the Principal to the owning account (111111111111), the request from account 222222222222 lacks the required permissions, resulting in an access denied error.

Exam trap

AWS often tests the distinction between the resource-based policy's Principal field and the Action field, tricking candidates into thinking a missing action is the cause when the real issue is an incorrect principal account ID.

How to eliminate wrong answers

Option A is wrong because the policy does include the 'route53resolver:AssociateResolverRule' action (as shown in the policy snippet), so the failure is not due to a missing action. Option B is wrong because the 'DisassociateResolverRule' action is irrelevant for associating a rule; the error occurs during association, not disassociation. Option D is wrong because the policy itself is the mechanism for sharing; if the policy were correctly configured, the rule would be shared, but the error stems from an incorrect Principal, not from a lack of sharing.

1659
MCQ · easy

A startup is launching a new web application on AWS and needs to design a highly available and secure network architecture. The application will run on EC2 instances in an Auto Scaling group across two Availability Zones in a single region. The application must be accessible from the internet over HTTPS. The company expects variable traffic and wants to reduce costs where possible. They also need to protect against common web exploits like SQL injection and cross-site scripting. Which combination of AWS services should be used for the network design?

A. Use an Application Load Balancer (ALB) in private subnets. Enable AWS WAF on the ALB. Place EC2 instances in public subnets with a VPC endpoint for outbound traffic.
B. Use an Application Load Balancer (ALB) in public subnets. Enable AWS WAF on the ALB. Place EC2 instances in private subnets with a NAT gateway for outbound traffic.
C. Use an Application Load Balancer (ALB) in public subnets. Use a VPC endpoint for outbound traffic. Place EC2 instances in public subnets with Elastic IPs.
D. Use a Network Load Balancer (NLB) in public subnets. Enable AWS Shield Advanced for DDoS protection. Place EC2 instances in private subnets with a NAT gateway for outbound traffic.
Answer: B

ALB provides HTTP/HTTPS termination, integrates with WAF for web exploit protection, and supports private subnet instances.

Why this answer

Option B is correct because an Application Load Balancer (ALB) in public subnets can terminate HTTPS and distribute traffic to EC2 instances in private subnets, which enhances security by removing direct internet access from the instances. Enabling AWS WAF on the ALB protects against common web exploits like SQL injection and cross-site scripting. A NAT gateway in public subnets provides outbound internet access for instances in private subnets, which is cost-effective for variable traffic as it scales automatically and incurs charges only when used.

Exam trap

The trap here is that candidates often confuse the placement of load balancers and instances, mistakenly thinking that placing the ALB in private subnets is acceptable or that a VPC endpoint can replace a NAT gateway for general outbound internet access.

How to eliminate wrong answers

Option A is wrong because placing the ALB in private subnets would prevent it from receiving internet traffic directly, as private subnets lack a route to an internet gateway; also, placing EC2 instances in public subnets with a VPC endpoint for outbound traffic is incorrect because VPC endpoints are used for private connectivity to AWS services, not for general internet outbound traffic. Option C is wrong because placing EC2 instances in public subnets with Elastic IPs exposes them directly to the internet, bypassing the security and load-balancing benefits of the ALB, and using a VPC endpoint for outbound traffic does not provide general internet access. Option D is wrong because a Network Load Balancer (NLB) operates at Layer 4 and cannot inspect application-layer traffic, so it cannot be integrated with AWS WAF for web exploit protection; AWS Shield Advanced is overkill for basic DDoS protection and adds unnecessary cost for a startup with variable traffic.

1660
MCQ · hard

A network engineer configured a custom network ACL for a VPC. An EC2 instance in a subnet associated with this ACL cannot receive ping (ICMP) from the internet. The security group allows ICMP. Which rule is causing the issue?

A. The default NACL rules are missing.
B. Outbound rule 220 blocks all outbound traffic.
C. Inbound rule 130 allows ICMP, but it is overridden by rule 120.
D. Inbound rule 100 only allows HTTPS.
Answer: C

Rule 120 (deny all) is evaluated before rule 130 (allow ICMP), so ICMP is denied.

Why this answer

Option C is correct. Network ACL rules are evaluated in ascending rule-number order, and the first matching rule wins: inbound rules 100, 110, 120, 130 are checked in that sequence. Rule 120 is a deny-all, so it matches the ICMP packet before rule 130 (allow ICMP) is ever reached, and the ping is denied. The outbound rules are fine because egress is allowed for the ephemeral ports.

Option A is wrong because the rules are present (the ICMP allow rule 130 exists); the problem is its ordering after the deny-all, not missing default rules. Option D is wrong because inbound HTTPS is allowed by rule 100, which is unrelated to ICMP.

Option B is wrong because the outbound rules are not the issue.
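To make the ordering point concrete, here is an added Python model of inbound network ACL evaluation (example code, not from the page or from AWS): rules are checked in ascending rule number, the first match decides, and an unmatched packet falls through to the implicit deny. The rule numbers reproduce the question; the CIDRs, the source address and the renumbered "fixed" set are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    """One network ACL entry. Rule numbers decide evaluation order (ascending)."""
    number: int
    protocol: str               # "tcp", "udp", "icmp" or "all"
    port_from: Optional[int]    # None for protocols without ports (icmp, all)
    port_to: Optional[int]
    cidr: str
    action: str                 # "allow" or "deny"

    def matches(self, protocol: str, port: Optional[int], addr: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr):
            return False
        if self.port_from is None or self.port_to is None:
            return True          # icmp / all-traffic rules carry no port range
        return port is not None and self.port_from <= port <= self.port_to


def evaluate(rules: List[NaclRule], protocol: str, port: Optional[int],
             addr: str) -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) for the first rule that matches, in ascending
    rule-number order. No match falls through to the implicit '*' rule, which denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, addr):
            return rule.action, rule.number
    return "deny", None


# Constructed inbound rule set reproducing the question: HTTPS allowed by rule 100,
# deny-all at rule 120, and the ICMP allow placed too late at rule 130.
INBOUND_BROKEN = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(120, "all", None, None, "0.0.0.0/0", "deny"),
    NaclRule(130, "icmp", None, None, "0.0.0.0/0", "allow"),
]

# Same intent with the ICMP allow renumbered below the deny-all (constructed fix).
INBOUND_FIXED = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "icmp", None, None, "0.0.0.0/0", "allow"),
    NaclRule(120, "all", None, None, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    src = "203.0.113.10"   # constructed internet source address (TEST-NET-3)
    for label, rules in (("broken", INBOUND_BROKEN), ("fixed", INBOUND_FIXED)):
        print(label, "icmp:", evaluate(rules, "icmp", None, src))
        print(label, "tcp/443:", evaluate(rules, "tcp", 443, src))
        print(label, "tcp/22:", evaluate(rules, "tcp", 22, src))
```

Because NACLs are stateless, a real ping also needs an outbound rule for the ICMP reply; the model covers the inbound direction the question is about.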

1661
Multi-Select · medium

A company is designing a multi-region active-active application using Amazon Route 53 and Application Load Balancers (ALBs). The application must be highly available and route traffic to the closest healthy endpoint. Which TWO configurations should the company use? (Choose two.)

Select 2 answers
A. Configure Route 53 with failover routing
B. Configure Route 53 with latency-based routing
C. Associate health checks with each Route 53 record
D. Configure Route 53 with weighted routing
E. Configure Route 53 with geoproximity routing
Answers: B, C

Latency-based routing sends traffic to the region with the lowest latency, supporting active-active and health checks.

Why this answer

Latency-based routing directs traffic to the region with the lowest latency, supporting active-active. Health checks ensure traffic is not sent to unhealthy endpoints. Failover routing is active-passive, not active-active.

Geoproximity is for location-based, not latency. Weighted routing distributes traffic by weight, not based on health or latency for active-active.

1662
Multi-Select · medium

A network engineer is troubleshooting an issue where an EC2 instance in a VPC cannot reach an S3 bucket via a gateway endpoint. The instance is in a private subnet with a route table that has a route for the S3 prefix list pointing to the gateway endpoint. Which TWO actions should the engineer take to diagnose the problem?

Select 2 answers
A. Verify that the route table for the subnet includes a route for the S3 prefix list (com.amazonaws.region.s3) with target type gateway endpoint.
B. Ensure the VPC has an interface endpoint for S3.
C. Review VPC Flow Logs for the subnet to see if traffic is being dropped.
D. Confirm that the EC2 instance has a public IP address.
E. Check the security group associated with the EC2 instance to ensure it allows outbound HTTPS (443) traffic.
Answers: A, E

Without this route, traffic goes to NAT/IGW.

Why this answer

Options A and E are correct. The route table must have the prefix-list route, and the security group must allow outbound HTTPS traffic. Option D is wrong because the instance does not need a public IP address to use a gateway endpoint.

Option B is wrong because interface endpoints are a different endpoint type. Option C is wrong because VPC Flow Logs can help, but they are not the first diagnostic step.

1663
Multi-Select · medium

A company is designing a VPN connection between an on-premises network and AWS. The network engineer wants to ensure high availability and fast failover. Which TWO actions should the engineer take? (Select TWO.)

Select 2 answers
A. Use the same customer gateway IP address for both tunnels
B. Use static routes instead of BGP to simplify configuration
C. Create two separate VPN connections to the same VPC
D. Enable BGP and configure BFD (Bidirectional Forwarding Detection) on the VPN tunnels
E. Configure two VPN tunnels to two different AWS endpoint IP addresses
Answers: D, E

BFD provides sub-second failure detection.

Why this answer

Options D and E are correct. E: two tunnels terminating on two separate AWS endpoint IP addresses provide redundancy. D: BGP with BFD provides fast failover detection.

Option B is wrong because static routes do not provide dynamic failover. Option A is wrong because the same customer gateway IP address is used for both tunnels anyway; it does not add failover. Option C is wrong because multiple VPN connections to the same VPC are not needed if the tunnels are diverse.

1664
MCQ · easy

A company wants to block inbound SSH traffic to all EC2 instances in a VPC while allowing all other traffic. Which security group rule should be configured?

A. Add an inbound rule to deny TCP port 22
B. Remove any inbound rule that allows TCP port 22
C. Add an inbound deny rule for TCP port 22 to the network ACL
D. Add an outbound rule to deny TCP port 22
Answer: B

Security groups are stateful and have implicit deny; removing the allow rule blocks SSH.

Why this answer

Option B is correct because security group rules are allow-only: without an inbound allow rule for port 22, SSH is implicitly denied. Option A is wrong because security groups have no explicit deny rules to add. Option C is wrong because network ACLs are stateless and require explicit deny rules, but the question asks about security groups.

Option D is wrong because outbound rules control egress, not inbound; only inbound rules affect inbound traffic for security groups.

1665
MCQ · hard

A company has a multi-VPC architecture connected via AWS Transit Gateway. They have VPCs in different AWS accounts. The network team wants to centralize internet traffic through a single egress VPC that has a NAT Gateway and an Internet Gateway. All other VPCs should route outbound internet traffic through the Transit Gateway to the egress VPC. They have configured route tables accordingly, but instances in non-egress VPCs cannot reach the internet. What is the most likely missing configuration?

A. The Transit Gateway route table does not have a route to the non-egress VPC attachments for the return traffic.
B. The security group for the NAT Gateway in the egress VPC is blocking inbound traffic from other VPCs.
C. The egress VPC's route table does not have a route to the Transit Gateway for the return traffic from the internet.
D. The non-egress VPCs are using VPC endpoints instead of the Transit Gateway for internet access.
Answer: A

For return traffic from the egress VPC to reach the non-egress VPCs, the TGW route table must have routes to those attachments.

Why this answer

Option A is correct. For Transit Gateway to forward traffic from one VPC to another, the attachment routes must be propagated and the route tables must allow the transitive path, including routes back to the non-egress VPC attachments for the return traffic. The egress VPC must also have a route to the Transit Gateway for return traffic.

Option B is incorrect because security groups are stateful. Option C is incorrect because the NAT Gateway does not need routes back to the Transit Gateway; it sends traffic to the IGW. Option D is incorrect because VPC endpoints are not for general internet access.

1666
Multi-Select · medium

A company has a VPC with multiple subnets and uses an AWS Direct Connect private VIF for connectivity to on-premises. The company wants to ensure that traffic from the VPC to on-premises uses the Direct Connect connection, while internet traffic uses an internet gateway. Which configurations must be applied? (Choose TWO.)

Select 2 answers
A. Create a VPC endpoint for Direct Connect.
B. Deploy a NAT gateway in a public subnet.
C. Add a default route (0.0.0.0/0) pointing to the virtual private gateway.
D. Add a route in the VPC route table for the on-premises CIDR pointing to the virtual private gateway.
E. Add a default route (0.0.0.0/0) pointing to the internet gateway.
Answers: D, E

Directs on-premises traffic to DX.

Why this answer

Option D is correct because adding a route for the on-premises CIDR block pointing to the virtual private gateway (VGW) ensures that traffic destined for the on-premises network is directed over the Direct Connect private VIF. This is necessary because the VGW is the attachment point for the Direct Connect private VIF, and without this specific route, VPC traffic to on-premises would not use the Direct Connect connection.

Exam trap

The trap here is that candidates often think a default route to the virtual private gateway is sufficient for all traffic, but they must remember that internet traffic requires a separate default route to the internet gateway, and the on-premises traffic needs a specific route to the VGW to avoid asymmetric routing.

1667
MCQ · medium

A company wants to audit all changes to security groups in their AWS account. They need to be notified whenever a security group rule is added, modified, or removed. They also want to see who made the change. Which solution should they implement?

A. Use AWS Trusted Advisor to check for security group changes and send email alerts.
B. Use AWS Config to monitor security group changes and trigger a Lambda function to send notifications.
C. Enable AWS CloudTrail and create a CloudWatch Events rule that triggers on EC2 SecurityGroup events, sending notifications via SNS.
D. Enable VPC Flow Logs and analyze logs for changes to security group rules.
Answer: C

CloudTrail logs API calls to create, modify, and delete security group rules. CloudWatch Events can filter on these events and send to SNS for notification.

Why this answer

AWS CloudTrail captures all API calls, including EC2 SecurityGroup-related actions (AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress, etc.), recording the identity of the caller. A CloudWatch Events rule can filter for these specific events and trigger an SNS notification, providing both the change details and the IAM user or role that made the change. This meets the audit and notification requirements precisely.

Exam trap

The trap here is that candidates confuse AWS Config's configuration tracking (which detects drift but not per-event user identity) with CloudTrail's API-level audit trail, or they mistakenly think VPC Flow Logs can capture security group changes when they only capture traffic metadata.

How to eliminate wrong answers

Option A is wrong because AWS Trusted Advisor provides best-practice checks and alerts for security group configurations (e.g., overly permissive rules), but it does not log or notify on every individual rule change event, nor does it identify who made the change. Option B is wrong because AWS Config evaluates resource configurations and can detect drift, but it does not natively trigger real-time notifications on every security group rule change; it evaluates on a schedule or on configuration changes, and while it can invoke a Lambda function, it is not the direct, event-driven approach for per-change notifications and does not inherently capture the identity of the user making the change. Option D is wrong because VPC Flow Logs capture network traffic metadata (source/destination IP, ports, protocol) and do not log API-level changes to security group rules; they are used for traffic analysis, not for auditing configuration changes.
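The detection side of Option C, as an added Python example (not code from the page or from AWS): an EventBridge/CloudWatch Events pattern for the CloudTrail-delivered EC2 rule-change calls, a small matcher implementing the subset of pattern semantics it needs, and a summarizer that extracts the caller identity and the rule that changed, the two things the SNS notification should carry. The sample events are constructed; the account ID, user ARNs and group ID are placeholders.

```python
from typing import Any, Dict, Iterable, List

# EC2 API actions that add, modify or remove security group rules. The four
# Authorize/Revoke names are the ones CloudTrail records for rule changes;
# ModifySecurityGroupRules covers in-place edits of an existing rule.
SG_RULE_ACTIONS = [
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
]

# Event pattern for the CloudWatch Events / EventBridge rule. CloudTrail delivers
# mutating API calls to the event bus with this source and detail-type.
EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": SG_RULE_ACTIONS,
    },
}


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, Any]) -> bool:
    """Subset of EventBridge matching: every pattern key must exist in the event;
    a list means 'value is one of these', a nested dict is matched recursively."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def describe_permissions(params: Dict[str, Any]) -> List[str]:
    """Flatten CloudTrail's requestParameters.ipPermissions into readable rule strings."""
    out = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol", "-1")
        ports = f"{perm.get('fromPort', 'all')}-{perm.get('toPort', 'all')}"
        sources = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        sources += [g["groupId"] for g in perm.get("groups", {}).get("items", [])]
        out.append(f"{proto} {ports} from {', '.join(sources) or 'unknown'}")
    return out


def summarize(event: Dict[str, Any]) -> Dict[str, Any]:
    """What the notification should carry: who, which action, which group, which rules."""
    detail = event["detail"]
    params = detail.get("requestParameters", {})
    return {
        "actor": detail.get("userIdentity", {}).get("arn", "unknown"),
        "action": detail["eventName"],
        "group_id": params.get("groupId", "unknown"),
        "rules": describe_permissions(params),
        "time": detail.get("eventTime"),
    }


def filter_sg_changes(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only rule-change events and reduce each to its notification summary."""
    return [summarize(e) for e in events if matches_pattern(e, EVENT_PATTERN)]


# Constructed sample events in the shape CloudTrail delivers to the event bus.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # a rule change: opens SSH to the world on a group (placeholder IDs)
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "eventTime": "2024-01-01T12:00:00Z",
            "userIdentity": {"type": "IAMUser",
                             "arn": "arn:aws:iam::123456789012:user/alice"},
            "requestParameters": {
                "groupId": "sg-0123456789abcdef0",
                "ipPermissions": {"items": [{
                    "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                }]},
            },
        },
    },
    {   # same source, but not a rule change: must not trigger a notification
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
                   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    },
]

if __name__ == "__main__":
    for change in filter_sg_changes(SAMPLE_EVENTS):
        print(change)
```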

1668
MCQ · easy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add additional IP address space for new subnets. The existing subnets use 10.0.0.0/17 and 10.0.128.0/17. Which CIDR block should be added as a secondary CIDR to the VPC to provide the most additional contiguous address space?

A. 10.1.0.0/16
B. 10.0.0.0/0
C. 10.0.0.0/8
D. 10.0.0.0/16
Answer: A

This is a non-overlapping /16 block contiguous to the existing /16, providing additional address space.

Why this answer

Option A is correct because 10.1.0.0/16 is a contiguous block that does not overlap with the existing CIDR and adds a full /16 of address space. Option C is wrong because 10.0.0.0/8 overlaps with the existing CIDR and is too large. Option D is wrong because 10.0.0.0/16 duplicates the existing CIDR.

Option B is wrong because 10.0.0.0/0 is invalid.

1669
MCQ · easy

A company is using AWS CloudTrail to log API calls. They want to ensure that log files are encrypted at rest and that only authorized users can access them. Which combination of actions should they take?

A. Use SSE-KMS with a customer managed key and allow CloudTrail to use the key.
B. Disable public access to the S3 bucket and enable versioning.
C. Enable default encryption (SSE-S3) on the S3 bucket and attach a bucket policy that restricts access to authorized IAM principals.
D. Enable SSE-C on the S3 bucket and provide the encryption key in each API call.
Answer: C

SSE-S3 encrypts logs at rest, and bucket policy controls access.

Why this answer

Option C is correct because enabling SSE-S3 provides encryption at rest, and a bucket policy with principal conditions restricts access. Option A is wrong because a customer managed KMS key is not required to meet these requirements. Option D is wrong because SSE-C requires managing your own keys.

Option B is wrong because disabling public access alone does not encrypt the logs.

1670
MCQ · hard

A company is expanding its on-premises data center to AWS using a hybrid cloud architecture. They have established an AWS Direct Connect connection with a private virtual interface to a VPC. The on-premises network uses BGP to exchange routes with the VPC. The network engineer notices that the on-premises network can reach some EC2 instances in the VPC but not others. All EC2 instances are in the same subnet (10.0.1.0/24) and have private IP addresses. The Direct Connect virtual interface is configured with the VPC CIDR (10.0.0.0/16) advertised to on-premises. The on-premises firewall logs show that traffic to the unreachable instances is being dropped. What is the most likely cause?

A. The subnet route table does not have a route to the on-premises network.
B. The BGP session is not advertising the on-premises routes to the VPC.
C. The network ACL on the subnet is blocking inbound traffic from on-premises.
D. The security group attached to the unreachable instances is not allowing inbound traffic from the on-premises network.
Answer: D

Security groups can differ per instance, causing inconsistent reachability.

Why this answer

Option D is correct because security groups are stateful and control inbound traffic; if the security group does not allow inbound traffic from on-premises, it will be dropped. Option A is wrong because the subnet route table has a route to the virtual private gateway, which is correct. Option B is wrong because the VPC CIDR is advertised.

Option C is wrong because network ACLs are stateless and need both inbound and outbound rules; but if they were misconfigured, all instances would be affected.

1671
MCQ · easy

A company is designing a VPC for a three-tier web application. The web servers must be accessible from the internet, while the application and database servers must be isolated. Which subnet design should the company use?

A. A single subnet for all tiers with network ACLs to isolate traffic
B. Public subnet for web servers, private subnets for application and database servers
C. Private subnets for all tiers
D. Public subnets for all tiers
Answer: B

Provides internet access to web servers while isolating backend tiers.

Why this answer

Option B is correct because a public subnet for web servers allows internet access, while private subnets for application and database servers provide isolation. Option D is wrong because placing all servers in public subnets exposes them to the internet. Option C is wrong because placing all servers in private subnets would block internet access to the web servers.

Option A is wrong because a single subnet for all tiers does not provide isolation.

1672
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs in different regions is encrypted. Which solution should be used?

A. Use a Site-to-Site VPN from each VPC to the on-premises network and route traffic through the corporate network.
B. Use AWS Transit Gateway inter-region peering with a VPN attachment between the transit gateways.
C. Use VPC Peering connections between the VPCs, which encrypts traffic automatically.
D. Use AWS PrivateLink to connect the VPCs across regions.
Answer: B

VPN attachment provides encryption for inter-region transit gateway traffic.

Why this answer

Option B is correct because AWS Transit Gateway inter-region peering provides encrypted transit between VPCs in different regions by establishing a VPN attachment between the transit gateways. This leverages IPsec VPN tunnels to encrypt traffic as it traverses the AWS global network, meeting the requirement for cross-region encryption without routing through on-premises infrastructure.

Exam trap

The trap here is that candidates often assume VPC Peering (Option C) provides encryption by default, but it does not; AWS only guarantees encryption for traffic within a single region via the AWS backbone, and cross-region VPC Peering traffic is not encrypted unless additional measures are taken.

How to eliminate wrong answers

Option A is wrong because routing traffic through the on-premises network introduces unnecessary latency, complexity, and potential single points of failure, and does not provide a direct encrypted path between VPCs in different regions. Option C is wrong because VPC Peering does not encrypt traffic by default; it only provides a private network connection using the AWS backbone, and encryption must be explicitly added (e.g., with VPN or TLS). Option D is wrong because AWS PrivateLink is designed for connecting VPCs to services via Network Load Balancers and does not support inter-region VPC-to-VPC connectivity or encryption between VPCs.

1673
MCQ · easy

A company is deploying a web application in a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The ALB must only accept traffic from the internet and forward it to the instances. Which subnet configuration is correct for the ALB and EC2 instances?

A. ALB in private subnets, EC2 in private subnets with a NAT gateway.
B. ALB in public subnets, EC2 in private subnets.
C. ALB in public subnets, EC2 in public subnets.
D. ALB in private subnets, EC2 in public subnets.
Answer: B

Standard architecture for internet-facing ALB.

Why this answer

Option B is correct because ALBs must be in public subnets to receive internet traffic, and backend instances should be in private subnets for security. Option A puts both in private subnets, Option C puts both in public subnets, and Option D puts the ALB in private subnets.

1674
MCQmedium

A company is deploying a fleet of EC2 instances in private subnets. The instances need to download patches from the internet. The company wants to minimize cost and avoid managing NAT instances. The VPC has an internet gateway (IGW) attached. What should the company do?

A.Attach the IGW to the private subnet route table.
B.Deploy a NAT Gateway in a public subnet and update the private subnet route tables.
C.Create a VPC endpoint for internet access.
D.Launch a NAT instance and configure routing.
AnswerB

Managed, cost-effective, provides internet access to private instances.

Why this answer

Option B is correct because a NAT Gateway in a public subnet provides outbound internet access for private instances, is managed, and is cost-effective. Option A is wrong because private subnets cannot use the IGW directly. Option C is wrong because VPC endpoints are for specific AWS services, not general internet access. Option D is wrong because NAT instances require management.

1675
MCQhard

A company has a centralized inspection VPC architecture where all traffic from spoke VPCs is routed through a Transit Gateway to a centralized VPC that hosts firewall appliances (NGFW). The company needs to inspect traffic between two instances in the same spoke VPC. What is the simplest way to achieve this?

A.Deploy a Gateway Load Balancer (GWLB) in the spoke VPC and route traffic to it.
B.Use AWS Transit Gateway with VPC attachments and configure route tables to force traffic between the two instances through the inspection VPC.
C.Enable VPC peering and use route propagation to send traffic to the inspection VPC.
D.Create a VPC peering connection between the two instances' VPCs.
AnswerB

Transit Gateway can be configured with route tables that send inter-VPC traffic to the inspection VPC for firewall inspection.

Why this answer

Option B is correct because AWS Transit Gateway can route traffic between instances in the same spoke VPC by using VPC attachments and route tables to force the traffic through the centralized inspection VPC. This is achieved by configuring the spoke VPC's route table to send inter-instance traffic to the Transit Gateway, which then forwards it to the inspection VPC for firewall inspection before returning it to the destination instance. This approach avoids the need for additional appliances or complex routing within the spoke VPC itself.

Exam trap

AWS often tests the misconception that VPC peering can be used for transitive routing or that a Gateway Load Balancer alone can redirect traffic within the same VPC, but the key trap here is that candidates overlook the Transit Gateway's ability to hairpin traffic from the same spoke VPC through a central inspection VPC using proper route table configurations.

How to eliminate wrong answers

Option A is wrong because a Gateway Load Balancer (GWLB) is used for scaling and distributing traffic to third-party appliances, but it does not inherently route traffic between instances in the same VPC through a centralized inspection VPC; it would require additional routing configurations and does not leverage the existing Transit Gateway architecture. Option C is wrong because VPC peering does not support transitive routing; even with route propagation, traffic between two instances in the same spoke VPC cannot be forced through a separate inspection VPC via VPC peering, as peering connections are point-to-point and do not allow intermediate hops. Option D is wrong because creating a VPC peering connection between the two instances' VPCs is irrelevant when both instances are in the same spoke VPC, and it does not provide a path to the centralized inspection VPC.

1676
MCQhard

Refer to the exhibit. A company has two VPCs (vpc-aaaaaaaa and vpc-bbbbbbbb) that are peered. The CIDR blocks are both 10.0.0.0/16. The peering connection status is 'active'. Which of the following is true about this configuration?

A.The VPCs cannot communicate because of overlapping CIDR blocks
B.The VPC peering connection will not become active due to overlapping CIDRs
C.The VPCs can communicate using the peering connection without any issues
D.DNS resolution between the VPCs will be automatically enabled
AnswerA

Overlapping CIDRs prevent proper routing.

Why this answer

Option A is correct because overlapping CIDR blocks are not supported for VPC peering; even though the status is active, the overlapping CIDRs will cause routing issues. Option C is wrong because the peering connection can be active but routing may still fail. Option B is wrong because overlapping CIDRs are not supported. Option D is wrong because DNS resolution is a separate setting.

1677
MCQhard

A company has deployed a multi-account AWS environment using AWS Organizations. Each account has one or more VPCs that need to communicate with each other and with an on-premises data center via a central transit VPC. The company uses AWS Transit Gateway with a centralized network account that hosts the Transit Gateway. VPCs from other accounts are attached to the Transit Gateway via Resource Access Manager (RAM) shares. The network team notices that after attaching a new VPC from a member account, resources in that VPC cannot communicate with resources in other attached VPCs. The Transit Gateway route tables have appropriate routes, and the VPC route tables point to the Transit Gateway. What is the MOST likely cause of the issue?

A.The Transit Gateway attachment in the member account is in the 'pending acceptance' state and not yet accepted by the Transit Gateway owner.
B.The Transit Gateway route table does not have the routes from the new VPC propagated.
C.The new VPC's CIDR overlaps with an existing attachment's CIDR.
D.The member account's VPC does not have a route to the Transit Gateway in its route tables.
AnswerA

The owner must accept the attachment for it to be active.

Why this answer

Option A is correct because when a Transit Gateway is shared via RAM, the owner of the Transit Gateway must accept the attachment before it becomes active. Option D is incorrect because the Transit Gateway is not in the member account. Option B is incorrect because route propagation is not required. Option C is incorrect because the VPC CIDR is not the issue.

1678
MCQmedium

A company is deploying a new application on AWS and needs a highly available architecture across two Availability Zones (AZs) in a single region. The application consists of an Application Load Balancer (ALB) in front of a fleet of EC2 instances running in an Auto Scaling group, and an Amazon RDS for MySQL database with Multi-AZ deployment. The company requires that the application remain available even if an entire AZ fails. The network team has designed the VPC with two public subnets and two private subnets, each in a different AZ. The ALB is internet-facing and placed in the public subnets. The EC2 instances are in the private subnets. The RDS instance is also in the private subnets. The route tables are configured with a default route via an Internet Gateway for public subnets and via a NAT Gateway for private subnets. What change is MOST likely needed to ensure the architecture can survive an AZ failure?

A.Add a second Internet Gateway in the other AZ
B.Use a Network Load Balancer instead of an Application Load Balancer
C.Create a NAT Gateway in each Availability Zone
D.Configure the Auto Scaling group to launch instances in both AZs
AnswerC

A NAT Gateway per AZ ensures outbound connectivity survives an AZ failure.

Why this answer

To survive an AZ failure, each AZ must have its own NAT Gateway to provide outbound internet access for instances in that AZ. If a single NAT Gateway is used (e.g., in one AZ), and that AZ fails, instances in the other AZ lose internet connectivity. Similarly, a single NAT Gateway would be a single point of failure.

Therefore, the architecture should include a NAT Gateway in each AZ. The ALB and RDS Multi-AZ already provide AZ resilience. So the missing component is a NAT Gateway per AZ.

1679
Multi-Selecthard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. It needs to connect to two other VPCs: VPC B (10.1.0.0/16) and VPC C (10.2.0.0/16). The company wants to use AWS Transit Gateway. Which THREE configurations are required to enable full mesh connectivity between all three VPCs?

Select 3 answers
A.Create separate Transit Gateway route tables for each VPC to isolate traffic.
B.Create a VPN attachment to each VPC for encrypted communication.
C.Associate each VPC attachment with the Transit Gateway route table.
D.Create a Transit Gateway and attach each VPC to it.
E.Create a Transit Gateway route table and add static routes for each VPC CIDR pointing to the respective attachment.
AnswersC, D, E

Association allows the VPC to use the route table.

Why this answer

Options C, D, and E are correct. Transit Gateway requires VPC attachments, a route table with routes to each VPC's CIDR, and association of the attachments with that route table. Option A is wrong because you can create a single route table and associate all attachments with it; separate route tables are used for isolation and are not required for a full mesh. Option B is wrong because a transit gateway does not require a VPN attachment for VPC-to-VPC routing.

1680
MCQmedium

A company is designing a hybrid network architecture that requires high availability and low latency between its on-premises data center and AWS. The company currently has two Direct Connect connections from different providers terminating at two different AWS Direct Connect locations. Which solution provides the most resilient and high-performance connectivity?

A.Use a single Direct Connect connection with multiple VLANs.
B.Use two Direct Connect connections from different providers at different locations with a VPN backup.
C.Use Site-to-Site VPN over the internet as the primary connection.
D.Use two Direct Connect connections from the same provider at the same location.
AnswerB

Provides diverse paths and high availability.

Why this answer

Option B is correct because using two Direct Connect connections from different providers at different locations ensures physical and provider diversity, eliminating single points of failure. Adding a VPN backup provides an additional failover path over the internet, which is essential for maintaining connectivity if both Direct Connect links fail. This design meets the requirements for high availability and low latency by leveraging active/active or active/passive traffic engineering with BGP routing and AS path prepending.

Exam trap

AWS often tests the misconception that multiple connections from the same provider or location are sufficient for high availability, but the trap here is that true resilience requires both provider and location diversity to protect against provider-specific outages and location-level disasters.

How to eliminate wrong answers

Option A is wrong because a single Direct Connect connection with multiple VLANs does not provide any physical or provider diversity; a single failure (e.g., fiber cut or provider outage) would take down all VLANs, violating high availability. Option C is wrong because a Site-to-Site VPN over the internet typically introduces higher latency and jitter compared to Direct Connect, and it lacks the consistent performance and SLA guarantees of dedicated connections, making it unsuitable as a primary low-latency solution. Option D is wrong because using two Direct Connect connections from the same provider at the same location creates a single point of failure at the provider level and the location level; a provider outage or location-wide event (e.g., power failure) would impact both connections, failing the resilience requirement.

1681
Multi-Selecthard

A company has a VPC with multiple subnets. The network engineer wants to monitor network traffic between two specific EC2 instances in different subnets. Which THREE methods can be used to capture and analyze this traffic?

Select 3 answers
A.Enable VPC Flow Logs for the subnets containing the instances.
B.Configure Traffic Mirroring on one of the instances' ENI.
C.Use AWS CloudTrail to log network traffic.
D.Create a VPC peering connection between the two subnets' VPCs.
E.Set up AWS Network Firewall and route traffic through it.
AnswersA, B, E

Flow logs will show metadata of all traffic, including between the instances.

Why this answer

VPC Flow Logs capture metadata, Traffic Mirroring captures full packets, and AWS Network Firewall can inspect traffic. VPC Peering is for connectivity, not monitoring.

1682
Multi-Selectmedium

A company wants to connect multiple VPCs in different AWS Regions using AWS Transit Gateway. The company requires full mesh connectivity with centralized inspection of inter-Region traffic. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A.Create Transit Gateway peering attachments between the Transit Gateways in each Region.
B.Create VPN attachments between each Transit Gateway and the inspection VPC.
C.Use VPC peering connections between VPCs in different Regions.
D.Route traffic through a central inspection VPC in one Region using Transit Gateway route tables.
E.Disable cross-Region peering on the Transit Gateway.
AnswersA, D

Peering attachments enable inter-Region connectivity.

Why this answer

Options A and D are correct. A: Transit Gateway peering attachments allow inter-Region connectivity. D: Centralized inspection is achieved by routing traffic through a shared services VPC with a network appliance. Option B is incorrect because VPN attachments are not needed for inter-Region connectivity. Option C is incorrect because VPC peering does not scale. Option E is incorrect because cross-Region peering is supported.

1683
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download updates from the internet. The company wants to minimize costs and avoid exposing the instance to inbound internet traffic. Which solution should the engineer choose?

A.Deploy a NAT instance in the private subnet and route traffic through it.
B.Deploy a NAT Gateway in the public subnet and add a route in the private subnet route table pointing to the NAT Gateway.
C.Configure a forward proxy on the EC2 instance itself.
D.Attach an internet gateway to the VPC and add a route to the internet gateway in the private subnet's route table.
AnswerB

NAT Gateway provides outbound internet access, cost-effective and managed.

Why this answer

Option B is correct because a NAT Gateway in the public subnet allows outbound internet access from private instances while blocking inbound traffic. Option A is wrong because a NAT instance is more expensive and less managed. Option D is wrong because an internet gateway alone does not allow private instances to reach the internet. Option C is wrong because a proxy would need to be managed and adds latency.

1684
MCQhard

A company has a VPC with a CIDR of 10.0.0.0/16 and needs to connect to an on-premises network using AWS Site-to-Site VPN. The on-premises network uses 10.0.0.0/8. The company wants to ensure that traffic from the VPC to on-premises does not overlap with the VPC's own CIDR. Which action should be taken?

A.Change the VPC CIDR to a non-overlapping range such as 172.16.0.0/16.
B.Create a more specific route in the VPC route table for the on-premises network that is within the 10.0.0.0/8 range but not overlapping with the VPC's subnets.
C.Use a NAT gateway to translate the VPC's IP addresses to a different IP range when communicating with on-premises.
D.Use AWS Transit Gateway with a network overlay to encapsulate traffic.
AnswerB

More specific routes take precedence, so traffic to specific on-premises prefixes will go via VPN even if the VPC CIDR is a superset.

Why this answer

Option B is correct because splitting the VPC into smaller subnets and using more specific routes can avoid overlap. Option C is wrong because NAT is used for internet access, not for route overlap. Option A is wrong because the VPC CIDR cannot be changed without recreating the VPC. Option D is wrong because an overlay network is not a standard solution for route overlap.

1685
Multi-Selectmedium

Which TWO actions improve the security of an AWS account's root user? (Choose two.)

Select 2 answers
A.Create an IAM user with administrative privileges and use it for daily tasks.
B.Enable multi-factor authentication (MFA) on the root user.
C.Share the root user password with the security team.
D.Set a strong password for the root user.
E.Generate an Access Key for the root user and use it for programmatic access.
AnswersA, B

This follows the principle of least privilege and reduces root user usage.

Why this answer

Options A and B are correct. Enabling MFA on the root user is a critical security best practice. Creating an IAM admin user and not using the root user for daily tasks reduces exposure. Option D is wrong because a strong password alone is insufficient; MFA is also needed. Option C is wrong because sharing the password is insecure. Option E is wrong because a root user access key is not needed and should be avoided.

1686
MCQeasy

A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. All tiers must be in private subnets except the web tier. Which combination of AWS services and routing should be used to meet these requirements?

A.Use a NAT gateway in the public subnet for web tier, and route all traffic through it.
B.Use a VPN connection to the internet gateway and route traffic through a virtual private gateway.
C.Use an internet gateway, public subnet for web tier, private subnets for app and database, and network ACLs to filter traffic between tiers.
D.Use an internet gateway attached to the VPC, public subnet for web tier, private subnets for app and database tiers, and security groups to restrict traffic between tiers.
AnswerD

This standard architecture meets all requirements.

Why this answer

An internet gateway provides internet access to the public subnet (web tier). Security groups control traffic between tiers: allow HTTP/HTTPS from the internet to the web tier, traffic from the web tier to the app tier, and from the app tier to the database tier. Option D is correct. Option C is incorrect because NACLs are stateless and more complex for tier-to-tier filtering. Option A is incorrect because NAT gateways are for outbound internet access, not inbound. Option B is incorrect because a VPN is not needed for internet access.

1687
Multi-Selecteasy

A network engineer is setting up a VPC peering connection between two VPCs in the same AWS account and Region. Which TWO steps are required to enable communication between instances in the peered VPCs? (Choose two.)

Select 2 answers
A.Attach an internet gateway to each VPC
B.Establish a VPN connection between the VPCs
C.Add routes in each VPC's route table pointing to the CIDR of the other VPC
D.Configure a NAT gateway in each VPC
E.Update security group rules to allow traffic from the peered VPC CIDR
AnswersC, E

Routes are needed for traffic to traverse the peering connection.

Why this answer

Option C is correct because VPC peering requires adding routes in both VPC route tables. Option E is correct because security group rules must allow traffic from the peered VPC CIDR. Option A is wrong because VPC peering does not require an internet gateway. Option B is wrong because VPC peering does not use a VPN connection. Option D is wrong because a NAT gateway is not required for VPC peering.

1688
Multi-Selecteasy

Which TWO AWS services can be used to provide inbound internet connectivity to resources in a VPC? (Select TWO.)

Select 2 answers
A.VPC Endpoint
B.Internet Gateway
C.Elastic Load Balancer (internet-facing)
D.Amazon CloudFront
E.NAT Gateway
AnswersB, C

Direct inbound access.

Why this answer

An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that provides a target in VPC route tables for internet-routable traffic and performs network address translation (NAT) for instances with public IPs. It enables inbound internet connectivity by allowing traffic from the internet to reach resources in the VPC, provided the resources have public IPs and the route table directs 0.0.0.0/0 traffic to the IGW.

Exam trap

The trap here is that candidates often confuse NAT Gateway with providing inbound internet access, but NAT Gateway is strictly one-way (outbound only) and cannot initiate or forward unsolicited inbound connections from the internet.

1689
Multi-Selecthard

Which THREE of the following are required to configure a site-to-site VPN connection between an on-premises network and an Amazon VPC? (Select THREE.)

Select 3 answers
A.A customer gateway resource representing the on-premises VPN device.
B.A public virtual interface.
C.A virtual private gateway or transit gateway attached to the VPC.
D.An AWS Direct Connect connection.
E.Two VPN tunnels for high availability.
AnswersA, C, E

Defines the on-premises endpoint.

Why this answer

A customer gateway resource is required because it represents the on-premises VPN device in AWS, providing the necessary configuration information such as the device's public IP address and BGP ASN (if dynamic routing is used) to establish the site-to-site VPN connection. Without this resource, AWS has no reference to the remote endpoint for the IPsec tunnels.

Exam trap

The trap here is that candidates often confuse the requirements for a site-to-site VPN with those for AWS Direct Connect, mistakenly selecting a public virtual interface or Direct Connect connection as necessary components when they are actually part of a separate hybrid connectivity solution.

1690
MCQmedium

A company has a VPC with IPv4 and IPv6 CIDRs. They have a public subnet with an internet gateway and a private subnet with a NAT gateway. EC2 instances in the private subnet need to download updates from the internet. The instances have IPv6 addresses. The private subnet route table has a default route (::/0) pointing to an egress-only internet gateway. However, instances cannot reach IPv6 internet destinations. The egress-only internet gateway is attached to the VPC and in 'available' state. What is the most likely cause?

A.The security group for the instances is blocking outbound IPv6 traffic
B.The NAT gateway does not support IPv6
C.The instances do not have an IPv6 address assigned
D.The egress-only internet gateway is not attached to the VPC
AnswerC

Without an IPv6 address, instances cannot use the egress-only internet gateway.

Why this answer

An egress-only internet gateway provides outbound-only IPv6 access and requires a default IPv6 route (::/0) in the subnet route table. The question states that this route is present and that the gateway is attached to the VPC and available, so Option D is ruled out by the scenario itself.

Option B is not the cause because a NAT gateway handles IPv4 only and is not on the IPv6 path. Option A (security group) is unlikely.

The remaining requirement is that the instances actually have IPv6 addresses assigned. If auto-assign IPv6 is disabled for the subnet, or the instances were launched without IPv6 addresses, they cannot use the egress-only internet gateway, which makes Option C the most likely cause.

1691
MCQeasy

A company wants to connect its on-premises data center to a VPC using AWS Site-to-Site VPN. Which of the following is required to establish the VPN connection?

A.Direct Connect gateway associated with the VPC
B.Internet gateway attached to the VPC
C.Virtual private gateway attached to the VPC and a customer gateway representing the on-premises router
D.VPC endpoint for the VPN service
AnswerC

A virtual private gateway is the AWS-side VPN endpoint, and a customer gateway represents the on-premises device.

Why this answer

To establish a Site-to-Site VPN, you need a virtual private gateway (VGW) or transit gateway on the AWS side, and a customer gateway (CGW) representing the on-premises router. Option C is correct. Option B is incorrect because an internet gateway is used for public internet traffic, not VPN. Option A is incorrect because a Direct Connect gateway is for Direct Connect connections. Option D is incorrect because a VPC endpoint is for private access to AWS services.

1692
MCQmedium

A company has set up a site-to-site VPN connection between its on-premises network and AWS. The tunnel status shows 'UP' on both sides, but traffic from on-premises cannot reach EC2 instances in the VPC. What is the most likely cause?

A.The pre-shared keys are mismatched.
B.The VPC route tables do not have a route pointing to the virtual private gateway for the on-premises CIDR.
C.The VPN tunnel has been idle for too long and needs to be re-initiated.
D.The security group associated with the EC2 instances does not allow inbound traffic from the VPN gateway.
AnswerB

Without a route to the virtual private gateway, traffic from the VPC to on-premises will not be forwarded.

Why this answer

The correct answer is B because the tunnel being up indicates Layer 3 connectivity, but traffic may still be blocked by VPC route tables or security group rules. Option A is incorrect because the tunnel status is up; a mismatch in pre-shared keys would prevent the tunnel from establishing. Option D is incorrect because the VPN gateway is the route target, not a route table entry.

1693
Multi-Selectmedium

A company is using AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. The network team wants to log and monitor all traffic flows across the Transit Gateway for security analysis. Which TWO actions should the team take? (Choose TWO.)

Select 2 answers
A.Use AWS Config rules to evaluate the Transit Gateway route tables.
B.Send the flow logs to Amazon CloudWatch Logs for monitoring and alerting.
C.Enable VPC Flow Logs on each Transit Gateway attachment.
D.Enable VPC Flow Logs on the Transit Gateway itself.
E.Configure VPC Traffic Mirroring on the Transit Gateway.
AnswersB, C

CloudWatch Logs can aggregate and analyze flow logs for security monitoring.

Why this answer

Option B is correct because VPC Flow Logs can be published to Amazon CloudWatch Logs, enabling real-time monitoring, alerting, and integration with AWS Lambda or third-party tools for security analysis. This allows the network team to capture IP traffic information for all flows across Transit Gateway attachments when flow logs are enabled on those attachments. Option C is correct because VPC Flow Logs must be enabled at the Transit Gateway attachment level (not on the Transit Gateway itself) to capture traffic traversing the Transit Gateway, as the Transit Gateway is a network transit hub and does not generate its own flow logs.

Exam trap

The trap here is that candidates mistakenly think VPC Flow Logs can be enabled directly on the Transit Gateway itself (Option D), but AWS only supports flow logs on Transit Gateway attachments, not the Transit Gateway as a resource.

1694
MCQhard

A company is using AWS Client VPN for remote access. They want to ensure that only clients with a valid client certificate can connect, and that traffic is routed through a centralized inspection VPC. The VPN endpoint is configured with mutual authentication using server and client certificates. The route table in the VPN VPC has a default route pointing to an AWS Network Firewall endpoint in the inspection VPC. Users report that they can connect to the VPN but cannot access any internal resources. The network engineer checks the Client VPN endpoint configuration and confirms that the authorization rules allow access to the internal CIDR (10.0.0.0/8). What is the most likely cause?

A.The route table in the VPN VPC has a default route (0.0.0.0/0) pointing to the Network Firewall, but the Network Firewall's route table needs a route back to the VPN VPC for the client CIDR, which is missing.
B.The client certificate is not associated with the same CA as the server certificate, causing TLS handshake failure.
C.The subnet route table in the VPN VPC does not have a route for the client CIDR (assigned by the VPN) pointing to the VPN endpoint's network interface.
D.The AWS Network Firewall in the inspection VPC is blocking traffic from the VPN client CIDR because it does not have a rule allowing it.
AnswerA

For traffic to flow, the inspection VPC must have a route back to the VPN VPC for the client CIDR. If the Network Firewall's route table (or the inspection VPC's route table) does not have a route for the client CIDR pointing to the VPN VPC's attachment (e.g., Transit Gateway), return traffic is dropped.

1695
MCQmedium

A company has a VPC with multiple subnets across two Availability Zones. They are designing a highly available web application using an Application Load Balancer (ALB) and EC2 instances in an Auto Scaling group. Which of the following is the most resilient and cost-effective design for the network layer?

A.Deploy a Network Load Balancer (NLB) in each AZ and associate them with a single ALB.
B.Deploy an ALB in one AZ and EC2 instances in the same AZ.
C.Deploy a single ALB with subnets in two AZs and enable cross-zone load balancing.
D.Deploy an ALB in each AZ and use Route 53 weighted routing.
AnswerC

Cross-zone balancing ensures traffic is distributed across instances in all AZs.

Why this answer

Option C is correct because deploying a single Application Load Balancer (ALB) with subnets in two Availability Zones (AZs) and enabling cross-zone load balancing provides high availability and fault tolerance at the network layer. The ALB automatically distributes incoming traffic across healthy targets in all enabled AZs, eliminating the need for multiple load balancers and reducing costs while maintaining resilience. This design leverages the ALB's native ability to handle AZ failures by routing traffic only to healthy AZs, making it both resilient and cost-effective.

Exam trap

The trap here is that candidates often assume deploying a load balancer in each AZ (Option D) is necessary for high availability, but they overlook that a single ALB with subnets in multiple AZs and cross-zone load balancing already provides full AZ-level redundancy at lower cost and complexity.

How to eliminate wrong answers

Option A is wrong because deploying a Network Load Balancer (NLB) in each AZ and associating them with a single ALB introduces unnecessary complexity and cost; the ALB already supports multi-AZ deployments natively, and the NLB at Layer 4 does not provide application-layer features like path-based routing or host-based routing that the ALB offers, making this design redundant and more expensive. Option B is wrong because deploying an ALB and EC2 instances in a single AZ creates a single point of failure; if that AZ goes down, the entire application becomes unavailable, violating the high availability requirement. Option D is wrong because deploying an ALB in each AZ and using Route 53 weighted routing is overly complex and costly; Route 53 weighted routing does not provide automatic health-based failover between ALBs, and each ALB incurs separate hourly and data processing charges, making this design less resilient and more expensive than a single ALB with cross-zone load balancing.

1696
Multi-Selecthard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to ensure that traffic between VPCs is inspected by a third-party firewall appliance deployed in a centralized inspection VPC. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Configure the firewall appliance to perform stateful inspection and route traffic back to the Transit Gateway.
B.Set up VPC peering between the inspection VPC and each spoke VPC.
C.Create Transit Gateway route tables that propagate routes from the inspection VPC and associate them with the other VPC attachments.
D.Establish an AWS Direct Connect connection between the inspection VPC and the on-premises network.
E.Attach the inspection VPC to the Transit Gateway.
AnswersA, C, E

Correct: the inspection VPC must be attached, Transit Gateway route tables must steer spoke traffic through it, and the firewall must forward inspected traffic back to the Transit Gateway.

Why this answer

Option E is correct because the inspection VPC must be attached to the Transit Gateway before any route can point at it. Option C is correct because Transit Gateway route tables steer the traffic: the route table associated with the spoke VPC attachments sends inter-VPC traffic (typically via a 0.0.0.0/0 route) to the inspection VPC attachment, while the route table associated with the inspection attachment carries the propagated spoke routes so inspected traffic can reach its destination. Option A is correct because the firewall appliance must inspect the traffic and route it back to the Transit Gateway; in practice the inspection VPC attachment should also have appliance mode enabled so both directions of a flow use the same AZ and the stateful appliance sees the complete session.

Option D is wrong because Direct Connect is not required; the on-premises network is already reached over VPN. Option B is wrong because VPC peering bypasses the Transit Gateway entirely, which would let spoke-to-spoke traffic skip the firewall.
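
The three keyed steps as a CloudFormation template, added here as an illustration and not taken from the question bank or from any AWS sample. VPC and subnet IDs are parameters; the ASN, the logical resource names and the assumption that the firewall's subnets share one route table are illustrative. The inspection VPC's own route from its Transit Gateway subnets to the firewall interface (or Gateway Load Balancer endpoint) is vendor-specific and omitted.

```yaml
# Added example (not part of the original question bank): question 1696's
# centralized inspection design. IDs are parameters; names and the ASN are
# assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  InspectionVpcId:
    Type: AWS::EC2::VPC::Id
  InspectionTgwSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # dedicated TGW subnets, one per AZ
  FirewallSubnetRouteTableId:
    Type: String                        # route table of the firewall subnets
  SpokeAVpcId:
    Type: AWS::EC2::VPC::Id
  SpokeASubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  SpokeBVpcId:
    Type: AWS::EC2::VPC::Id
  SpokeBSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      # No default table: spokes must never learn each other's routes directly.
      DefaultRouteTableAssociation: disable
      DefaultRouteTablePropagation: disable

  # Step E: attach the inspection VPC. Appliance mode keeps both directions
  # of a flow in one AZ so the stateful firewall sees the whole session.
  InspectionAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref InspectionVpcId
      SubnetIds: !Ref InspectionTgwSubnetIds
      Options:
        ApplianceModeSupport: enable
  SpokeAAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref SpokeAVpcId
      SubnetIds: !Ref SpokeASubnetIds
  SpokeBAttachment:
    Type: AWS::EC2::TransitGatewayVpcAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref SpokeBVpcId
      SubnetIds: !Ref SpokeBSubnetIds

  # Step C, part 1: the spoke table has one default route to the inspection
  # attachment and NO propagations, so spoke-to-spoke traffic must cross
  # the firewall. A propagated spoke route here would bypass inspection.
  SpokeRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGateway
  SpokeDefaultRoute:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref SpokeRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref InspectionAttachment
  SpokeAAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayRouteTableId: !Ref SpokeRouteTable
      TransitGatewayAttachmentId: !Ref SpokeAAttachment
  SpokeBAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayRouteTableId: !Ref SpokeRouteTable
      TransitGatewayAttachmentId: !Ref SpokeBAttachment

  # Step C, part 2: the inspection table learns every spoke CIDR by
  # propagation, so traffic returning from the firewall reaches its target.
  InspectionRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGateway
  InspectionAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayRouteTableId: !Ref InspectionRouteTable
      TransitGatewayAttachmentId: !Ref InspectionAttachment
  SpokeAPropagation:
    Type: AWS::EC2::TransitGatewayRouteTablePropagation
    Properties:
      TransitGatewayRouteTableId: !Ref InspectionRouteTable
      TransitGatewayAttachmentId: !Ref SpokeAAttachment
  SpokeBPropagation:
    Type: AWS::EC2::TransitGatewayRouteTablePropagation
    Properties:
      TransitGatewayRouteTableId: !Ref InspectionRouteTable
      TransitGatewayAttachmentId: !Ref SpokeBAttachment

  # Step A (VPC side): after inspection the firewall subnet sends traffic
  # back to the Transit Gateway; a default route covers all spoke CIDRs.
  FirewallReturnRoute:
    Type: AWS::EC2::Route
    DependsOn: InspectionAttachment    # a TGW route needs a live attachment
    Properties:
      RouteTableId: !Ref FirewallSubnetRouteTableId
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayId: !Ref TransitGateway
```

The check that matters after deployment is the spoke route table: it should contain exactly one active route (0.0.0.0/0 to the inspection attachment) and no propagated spoke prefixes. If a spoke CIDR appears there, traffic between those spokes takes the direct path and the firewall never sees it.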

1697
MCQhard

A company is using AWS CloudFormation to deploy a VPC with public and private subnets across multiple Availability Zones. The template includes a NAT gateway in each public subnet. The company wants to ensure that the private subnet route tables automatically update when the NAT gateway ID changes. Which feature should be used?

A.Use the 'DependsOn' attribute to ensure the route is created after the NAT gateway.
B.Use the 'AWS::EC2::Route' resource with a 'GatewayId' property that references the NAT gateway using 'Ref'.
C.Use the 'Fn::GetAtt' intrinsic function to retrieve the NAT gateway ID and pass it to the route.
D.Use an AWS Lambda custom resource to update the route table when the NAT gateway changes.
AnswerC

Fn::GetAtt resolves to the NAT gateway's physical ID, and if the NAT gateway is replaced, CloudFormation updates the route automatically, provided the route references it through the `NatGatewayId` property.

Why this answer

Option C is correct because the `Fn::GetAtt` intrinsic function retrieves the NAT gateway ID (`!GetAtt NatGateway.NatGatewayId`) and passes it as the `NatGatewayId` property of an `AWS::EC2::Route` resource. Because the attribute is resolved by CloudFormation during the stack operation, replacing the NAT gateway (for example, after a change to its subnet or Elastic IP allocation) causes the dependent route to be updated with the new ID in the same stack update, so the private subnets keep their default route without manual intervention.

Exam trap

The trap here is the property name rather than the intrinsic function: `GatewayId` is the `AWS::EC2::Route` property for an Internet Gateway or virtual private gateway, while a NAT gateway must be referenced through `NatGatewayId`. Candidates who pick Option B are drawn in by the familiar `GatewayId` name; note that `Ref` on an `AWS::EC2::NatGateway` also returns the physical ID, so it is the wrong property, not `Ref`, that breaks Option B.

How to eliminate wrong answers

Option A is wrong because the `DependsOn` attribute only controls the order of creation and deletion; it does not carry the NAT gateway's ID into the route, so on its own it cannot keep the route current. Option B is wrong because the `AWS::EC2::Route` resource does not accept a NAT gateway in its `GatewayId` property (that property is for Internet Gateways and virtual private gateways); a NAT gateway route must use `NatGatewayId`. Option D is wrong because a Lambda custom resource adds custom code and failure points for something CloudFormation's native dependency tracking already does.

1698
Multi-Selecthard

Which THREE components are required to establish a site-to-site VPN connection between an on-premises network and AWS? (Choose 3)

Select 3 answers
A.A VPN tunnel between the customer gateway and the virtual private gateway
B.A VPC endpoint for the VPN service
C.An AWS Direct Connect dedicated line
D.A virtual private gateway (VGW) or transit gateway
E.A customer gateway device
AnswersA, D, E

A customer gateway, an AWS-side gateway, and the IPsec tunnel between them.

Why this answer

Options A, D, and E are correct: a customer gateway device on the on-premises side (E), a virtual private gateway or transit gateway on the AWS side (D), and the IPsec VPN tunnel between them (A). Option C is wrong because Direct Connect is a separate private connectivity service, not a component of a Site-to-Site VPN. Option B is wrong because VPC endpoints provide private access to AWS services and do not terminate VPN tunnels.

1699
MCQmedium

A company has a VPC with multiple subnets across three Availability Zones. The company wants to deploy a Network Load Balancer (NLB) to distribute TCP traffic to a fleet of EC2 instances. The NLB must preserve the source IP address of the client. Which configuration is required?

A.Enable Proxy Protocol v2 on the NLB target group.
B.Enable cross-zone load balancing on the NLB.
C.Attach a security group to the NLB that allows inbound traffic from the client IP range.
D.Create the NLB with a TCP listener and register the EC2 instances as targets in a target group.
AnswerD

NLB preserves source IP for TCP traffic when targets are instances.

Why this answer

Option D is correct because a Network Load Balancer preserves the client's source IP address by default for TCP listeners with instance targets; creating a TCP listener and registering the instances in a target group is all that is required. For IP-address targets, preservation depends on the target group's client IP preservation attribute, which is why the question specifies EC2 instance targets. Option A is wrong because Proxy Protocol v2 carries the client address in a header that the application must parse; it is a workaround for cases where the source IP is not preserved, not the mechanism that preserves it. Option C is wrong because a security group on the NLB filters traffic but does not change the source address the targets see.

Option B is wrong because cross-zone load balancing only affects how traffic is spread across AZs, not source IP preservation.

1700
Multi-Selecthard

A company has a VPC with public and private subnets. They want to implement a bastion host to allow secure SSH access to instances in private subnets. Which TWO components are required for this design?

Select 2 answers
A.A bastion host deployed in a public subnet
B.A NAT gateway in the public subnet
C.An Internet Gateway attached to the VPC
D.Security group rules allowing SSH from the bastion to private instances
E.A Site-to-Site VPN connection to the VPC
AnswersA, D

Bastion must be publicly accessible.

Why this answer

Option A: the bastion host sits in a public subnet (one whose route table sends 0.0.0.0/0 to the Internet Gateway) with a public or Elastic IP so administrators can reach it over SSH; the bastion then acts as a jump box, forwarding SSH to the private instances. Option D: the private instances' security group must allow inbound SSH (TCP port 22) only from the bastion, ideally by referencing the bastion's security group ID rather than its private IP so the rule survives an instance replacement. Because security groups are stateful, no extra outbound rule is needed for the SSH replies. The bastion's own security group should allow inbound TCP 22 only from the administrators' source addresses, never from 0.0.0.0/0.

Exam trap

AWS often tests the misconception that a NAT gateway is required for inbound SSH access to private instances, when in fact it only provides outbound internet access and cannot accept connections initiated from the internet. Option C is a distractor of a different kind: an Internet Gateway is part of any public subnet, but the question asks for the two components specific to the bastion design.
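
The bastion and private-instance security groups as a CloudFormation template, added here as an illustration and not taken from the question bank. The VPC, subnet, AMI, key pair and administrator CIDR are parameters; the logical names, the instance type and the choice to lock the bastion's egress down to SSH toward the private group are assumptions.

```yaml
# Added example (not part of the original question bank): question 1700's
# bastion design. Parameters and logical names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id
  AdminCidr:
    Type: String                     # administrators' egress range, never 0.0.0.0/0
  BastionAmiId:
    Type: AWS::EC2::Image::Id
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName

Resources:
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from administrators only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
      # Listing any egress rule removes CloudFormation's default allow-all
      # egress; this loopback entry is a placeholder so the real egress can
      # be declared below without a circular reference between the groups.
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 127.0.0.1/32

  PrivateSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private instances reachable over SSH only via the bastion
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          # Group reference, not an IP: survives bastion replacement.
          SourceSecurityGroupId: !Ref BastionSecurityGroup
      # No outbound rule is needed for SSH replies: security groups are stateful.

  # Bastion may open SSH only towards members of PrivateSecurityGroup.
  # Security groups have no deny rules; anything not listed is dropped.
  BastionEgressToPrivate:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !Ref BastionSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      DestinationSecurityGroupId: !Ref PrivateSecurityGroup

  BastionHost:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref BastionAmiId
      InstanceType: t3.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref PublicSubnetId
          AssociatePublicIpAddress: true   # reachable only via the subnet's IGW route
          GroupSet:
            - !Ref BastionSecurityGroup
```

With egress restricted this tightly the bastion cannot fetch packages or reach other endpoints; widen `BastionEgressToPrivate` deliberately if that is needed rather than falling back to the default allow-all egress.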

1701
MCQeasy

A network engineer needs to analyze network traffic between EC2 instances in the same VPC to troubleshoot a performance issue. Which AWS feature should they use?

A.AWS Config.
B.AWS CloudTrail.
C.AWS X-Ray.
D.VPC Flow Logs.
AnswerD

Flow logs capture IP traffic metadata.

Why this answer

VPC Flow Logs capture IP traffic metadata (source/destination IP, ports, protocol, packet/byte counts) for network interfaces in a VPC, making them the correct tool for analyzing network traffic between EC2 instances to troubleshoot performance issues. Unlike other options, Flow Logs operate at the network layer (Layer 3/4) and can be published to CloudWatch Logs or S3 for detailed traffic analysis.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (network-level traffic metadata) with CloudTrail (API-level logging) or X-Ray (application tracing), failing to recognize that only Flow Logs provide the raw IP flow data needed for network performance analysis.

How to eliminate wrong answers

Option A is wrong because AWS Config is a resource inventory and compliance auditing service that tracks configuration changes, not network traffic flows. Option B is wrong because AWS CloudTrail records API calls and management events (control plane), not data plane network traffic between instances. Option C is wrong because AWS X-Ray is a distributed tracing service for application-level request analysis (Layer 7), not for raw network packet metadata analysis.

1702
MCQmedium

A company has a VPC with a NAT Gateway in a public subnet. The network team notices that instances in private subnets cannot access the internet. Reviewing the route tables, the private subnet route table has a default route (0.0.0.0/0) pointing to the NAT Gateway. What is the most likely cause of the issue?

A.The network ACL in the private subnet blocks outbound traffic.
B.The NAT Gateway's subnet route table does not have a default route pointing to an Internet Gateway.
C.The NAT Gateway does not have an Elastic IP address attached.
D.The security group attached to the NAT Gateway blocks outbound traffic.
AnswerB

Without a route to IGW, NAT Gateway cannot forward traffic to the internet.

Why this answer

The NAT gateway is itself a resource in the public subnet and forwards translated packets according to that subnet's route table, so if the route table has no 0.0.0.0/0 route to an Internet Gateway the traffic has nowhere to go, even though the private subnets route to the NAT gateway correctly. Option C is wrong because a public NAT gateway cannot be created without an Elastic IP. Option D is wrong because NAT gateways do not have security groups. Option A is possible but less likely: the default network ACL allows all traffic, and the scenario points at routing.
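
The route wiring behind both questions 1697 and 1702 as one CloudFormation template, added here as an illustration and not taken from the question bank. The VPC and subnet IDs are parameters; the logical names are assumptions. It shows the `Fn::GetAtt` reference in the private route and the public-subnet route to the Internet Gateway that the NAT gateway itself depends on.

```yaml
# Added example (not part of the original question bank): NAT gateway and
# Internet Gateway routes for questions 1697 and 1702. IDs are parameters;
# logical names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id

Resources:
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  IgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      InternetGatewayId: !Ref InternetGateway

  # Public subnet: the route the NAT gateway depends on. Without it private
  # instances reach the NAT gateway, but the NAT gateway cannot forward their
  # traffic to the internet (the failure in question 1702).
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: IgwAttachment            # ordering only; the ID comes from GatewayId
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway   # GatewayId is for IGW or VGW only
  PublicSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref PublicSubnetId

  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      SubnetId: !Ref PublicSubnetId
      AllocationId: !GetAtt NatEip.AllocationId

  # Private subnet: the route references the NAT gateway through NatGatewayId.
  # If NatGateway is replaced (for example, its SubnetId changes), CloudFormation
  # re-resolves the attribute and updates this route in the same stack update
  # (question 1697). Using GatewayId here would fail validation.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !GetAtt NatGateway.NatGatewayId
  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnetId
```

To reproduce the question 1702 symptom in a lab, remove `PublicDefaultRoute`: the stack still deploys, the private route still points at a healthy NAT gateway, and outbound connections from the private subnet time out.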

1703
MCQhard

A company is implementing a multicast application in AWS. The application requires that multicast traffic be forwarded between Amazon EC2 instances in different VPCs. The company has set up a multicast domain using AWS Transit Gateway multicast support. The multicast group is using the IP address 239.0.1.10. The network engineer has confirmed that the EC2 instances are registered as multicast members and that the Transit Gateway multicast domain is configured correctly. However, receivers in VPC B are not receiving multicast traffic from senders in VPC A. What is the MOST likely cause of this issue?

A.The multicast group is not associated with the correct subnet in VPC A.
B.The multicast traffic has a TTL value of 1, which prevents it from leaving the source subnet.
C.The security group for the sender EC2 instances does not allow outbound UDP traffic to the multicast group address.
D.The receiver instances are not sending IGMP join messages to the multicast group.
AnswerC

The sender's security group must allow outbound UDP to the multicast group address; otherwise the packets are dropped at the sender's network interface before the Transit Gateway ever sees them.

Why this answer

Option C is correct because security groups are enforced at the sender's network interface: multicast traffic must be allowed by the sender's outbound rules (and, on the receiving side, by the receivers' inbound rules) before the Transit Gateway forwards it. Option D is incorrect because the question states that the receivers are already registered as members; with static membership no IGMP join is required. Option A is incorrect because multicast group membership is associated with member network interfaces, not with subnets.

Option B is a sender-side application setting that the scenario gives no reason to suspect; with the domain and memberships confirmed, the keyed cause is the security group.

1704
Multi-Selectmedium

A network engineer is configuring a Site-to-Site VPN connection between an on-premises network and AWS. The engineer wants to ensure high availability by using two tunnels. Which two components must be configured to achieve this? (Choose TWO.)

Select 2 answers
A.A single customer gateway with two IP addresses
B.An AWS Transit Gateway
C.Two customer gateways, each with a unique public IP address
D.Two VPN connections
E.A virtual private gateway with two BGP sessions
AnswersC, E

A BGP session per tunnel gives dynamic failover between tunnels; a second customer gateway removes the on-premises device as a single point of failure.

Why this answer

The keyed answers are C and E. With a BGP session per tunnel on the virtual private gateway, routes are withdrawn from a failed tunnel and traffic moves to the other one without manual intervention, and a second customer gateway with its own public IP address removes the on-premises VPN device as a single point of failure. Note the AWS model behind this: every Site-to-Site VPN connection already provides two tunnels to one customer gateway, so a second customer gateway implies a second VPN connection rather than splitting one connection's tunnels across devices.

Option A is wrong because a customer gateway resource represents exactly one public IP address. Option B is wrong because a Transit Gateway is not required; a virtual private gateway terminates the tunnels. Option D follows from using two customer gateways, but the key does not count it as a required component.
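
The VPN components from questions 1698 and 1704 as one CloudFormation template, added here as an illustration and not taken from the question bank. The on-premises public IPs, the ASNs, the tunnel inside CIDRs and the VPC route table are illustrative assumptions; pre-shared keys are omitted so AWS generates them.

```yaml
# Added example (not part of the original question bank): Site-to-Site VPN
# with two tunnels per connection and a second customer gateway for device
# redundancy (questions 1698 and 1704). Values are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableId:
    Type: String
  OnPremPublicIpA:
    Type: String                 # first on-premises VPN device
  OnPremPublicIpB:
    Type: String                 # second device, for device-level redundancy
  OnPremAsn:
    Type: Number
    Default: 65000

Resources:
  # AWS side: one virtual private gateway terminates every tunnel.
  VirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      AmazonSideAsn: 64512
  VgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway

  # Customer side: a customer gateway represents ONE device with ONE public IP.
  CustomerGatewayA:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref OnPremAsn
      IpAddress: !Ref OnPremPublicIpA

  # One VPN connection = two IPsec tunnels to the same customer gateway,
  # each with its own BGP session. StaticRoutesOnly false selects BGP so a
  # tunnel failure withdraws routes and traffic moves to the other tunnel.
  VpnConnectionA:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGatewayA
      VpnGatewayId: !Ref VirtualPrivateGateway
      StaticRoutesOnly: false
      VpnTunnelOptionsSpecifications:
        - TunnelInsideCidr: 169.254.10.0/30
        - TunnelInsideCidr: 169.254.11.0/30

  # Device-level redundancy: a second customer gateway needs its own VPN
  # connection, which brings two more tunnels and two more BGP sessions.
  CustomerGatewayB:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref OnPremAsn
      IpAddress: !Ref OnPremPublicIpB
  VpnConnectionB:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGatewayB
      VpnGatewayId: !Ref VirtualPrivateGateway
      StaticRoutesOnly: false
      VpnTunnelOptionsSpecifications:
        - TunnelInsideCidr: 169.254.12.0/30
        - TunnelInsideCidr: 169.254.13.0/30

  # Let the VGW inject BGP-learned on-premises prefixes into the VPC route table.
  RoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VgwAttachment
    Properties:
      RouteTableIds:
        - !Ref PrivateRouteTableId
      VpnGatewayId: !Ref VirtualPrivateGateway
```

Each `TunnelInsideCidr` must be a /30 inside 169.254.0.0/16 that AWS does not reserve and that is unique per customer gateway; the four values above are placeholders chosen to satisfy that. The on-premises devices still need both tunnels of their connection configured, or the second BGP session never comes up and the "two tunnels" exist only on the AWS side.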

1705
Multi-Selecteasy

Which TWO of the following are true about AWS VPC security groups? (Choose two.)

Select 2 answers
A.Rules are evaluated in order, and the first matching rule is applied.
B.They have an implicit deny all rule at the end.
C.They are stateful, meaning return traffic is automatically allowed regardless of outbound rules.
D.They support both allow and deny rules.
E.They can be associated with subnets.
AnswersB, C

If no rule matches, traffic is denied.

Why this answer

Options B and C are correct. A security group contains only allow rules, so any traffic that matches no rule is implicitly denied (B), and it is stateful: the reply to an allowed inbound connection is permitted regardless of outbound rules, and vice versa (C). Option A is wrong because security group rules have no ordering; all rules are evaluated together and any match permits the traffic. Option D is wrong because security groups cannot express deny rules; explicit denies are a network ACL feature.

Option E is wrong because security groups are attached to elastic network interfaces (and through them to instances, load balancers and endpoints), not to subnets; network ACLs are the subnet-level control.
