AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 226-300

1705 questions total · 23 pages · All types, answers revealed

Page 4 of 23
226
Multi-Select · hard

A company is designing a network security architecture for a multi-account environment using AWS Organizations. The security team needs to ensure that all internet-bound traffic from VPCs in the organization goes through a centralized egress VPC where it is inspected by a firewall. Which TWO steps are required to enforce this?

Select 2 answers
A.Create a central egress VPC with an Internet Gateway and a NAT Gateway or firewall.
B.Use AWS WAF to block internet access from all VPCs except the central egress VPC.
C.Set up an AWS Direct Connect connection to route internet traffic through the central VPC.
D.Configure VPC endpoints for all AWS services to force traffic through the central VPC.
E.Apply an SCP that denies the ec2:CreateInternetGateway action in all accounts except the central network account.
Answers: A, E

Central egress VPC hosts the internet gateway.

Why this answer

Options A and E are correct. Option A: the central egress VPC is the only VPC that owns an internet gateway, with a NAT gateway or firewall in front of it; the spoke VPCs reach it (typically over a Transit Gateway) with a default route pointing at the egress VPC. Option E: a service control policy (SCP) that denies ec2:CreateInternetGateway in every account except the central network account stops other teams from creating their own internet path. In practice the SCP should also deny ec2:AttachInternetGateway (so an existing gateway cannot be wired into a spoke VPC) and ec2:CreateEgressOnlyInternetGateway (IPv6 egress), and the spoke route tables still need the 0.0.0.0/0 route toward the egress VPC; the SCP prevents bypass, it does not create the path.

Option B is wrong because AWS WAF filters HTTP(S) requests in front of CloudFront, ALB, API Gateway and AppSync; it cannot block internet access from a VPC. Option C is wrong because Direct Connect is private connectivity to on-premises, not an internet path. Option D is wrong because VPC endpoints give private access to AWS services; they do not force internet-bound traffic anywhere.
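As an added illustration (not part of the original question set), the following Python builds the SCP from Option E and evaluates it offline so the effect can be checked before it is attached to an OU. The account IDs are placeholders; ec2:AttachInternetGateway and ec2:CreateEgressOnlyInternetGateway are real EC2 actions included as hardening beyond what the question names, and the evaluator covers only the StringEquals/StringNotEquals operators this policy uses.

```python
"""Added example: an Organizations SCP that blocks internet gateway creation
outside the central network account, plus a minimal evaluator so the effect
can be checked offline. Account IDs are placeholders, not from the page."""
import fnmatch
import json

CENTRAL_NETWORK_ACCOUNT = "111111111111"  # placeholder: account that owns the egress VPC

# Deny creating or attaching an IGW (and an IPv6 egress-only IGW) everywhere
# except the central network account. AttachInternetGateway is included so an
# IGW that already exists cannot be attached to a spoke VPC either.
DENY_IGW_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIgwOutsideCentralNetworkAccount",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateEgressOnlyInternetGateway",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:PrincipalAccount": CENTRAL_NETWORK_ACCOUNT}
            },
        }
    ],
}


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate only the operators this SCP uses. A missing context key makes
    StringEquals fail and StringNotEquals succeed, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def scp_denies(policy: dict, action: str, context: dict) -> bool:
    """True if any Deny statement matches `action` for the request context.
    SCPs never grant permissions, so only Deny statements are evaluated."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action matching is case-insensitive and supports '*' wildcards.
        if not any(fnmatch.fnmatch(action.lower(), a.lower()) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def igw_creation_allowed_in(account_id: str) -> bool:
    """Can a principal in `account_id` create an internet gateway under this SCP?"""
    return not scp_denies(
        DENY_IGW_SCP, "ec2:CreateInternetGateway", {"aws:PrincipalAccount": account_id}
    )


if __name__ == "__main__":
    print(json.dumps(DENY_IGW_SCP, indent=2))
    for acct in (CENTRAL_NETWORK_ACCOUNT, "222222222222"):
        print(acct, "allowed" if igw_creation_allowed_in(acct) else "denied")
```

Attach the policy to the OUs that hold the spoke accounts (not to the root, where the management account is exempt anyway) and verify with the evaluator or with the IAM policy simulator that read-only actions such as ec2:DescribeInternetGateways remain unaffected.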

227
Multi-Select · easy

Which TWO AWS services can be used to monitor and log network traffic in a VPC for security analysis? (Choose two.)

Select 2 answers
A.VPC Flow Logs
B.AWS Config
C.AWS CloudTrail
D.Amazon Inspector
E.Amazon GuardDuty
Answers: A, C

Captures metadata about IP traffic.

Why this answer

Options A and C are correct. VPC Flow Logs capture metadata about the IP traffic accepted or rejected on network interfaces (source and destination address and port, protocol, bytes, action), and AWS CloudTrail records the API calls that create or change network resources (security groups, route tables, peering), which is the control-plane side of the same investigation. Option B is wrong because AWS Config records resource configuration state for compliance evaluation, not traffic.

Option D is wrong because Amazon Inspector is a vulnerability assessment service. Option E is wrong because Amazon GuardDuty is a threat detection service that consumes VPC Flow Logs, DNS logs and CloudTrail as inputs; it does not log traffic itself. Note that Flow Logs record headers only; to capture packet payloads you need VPC Traffic Mirroring.

228
MCQ · medium

A company has a VPC with public and private subnets. An EC2 instance in a private subnet needs to access an S3 bucket in the same Region. Which solution provides the most secure and cost-effective connectivity?

A.Create a NAT gateway in a public subnet and add a route in the private subnet's route table pointing to the NAT gateway.
B.Create an interface endpoint for S3 in the private subnet.
C.Attach an internet gateway to the VPC and add a route to the internet gateway in the private subnet's route table.
D.Create a gateway endpoint for S3 in the VPC and add a route in the private subnet's route table pointing to the endpoint.
Answer: D

A gateway endpoint provides private, cost-effective access to S3 without internet connectivity.

Why this answer

Option D is correct because a gateway endpoint for S3 has no hourly or data processing charge and keeps the traffic on the AWS network without traversing the internet; the route table entry is a managed prefix list pointing at the endpoint. Option A is wrong because a NAT gateway incurs hourly and per-GB charges and sends the traffic out through the internet gateway. Option C is wrong because an internet gateway route would expose the instance to the internet, and an instance in the private subnet has no public IP to use it anyway.

Option B is wrong on cost rather than availability: interface endpoints for S3 (PrivateLink) do exist, but they are billed per hour per AZ and per GB, so for an instance in the same Region the gateway endpoint is the cheaper choice. Pair the gateway endpoint with an endpoint policy (and a bucket policy keyed on aws:sourceVpce) to restrict which buckets can be reached through it.

229
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The VPC has a virtual private gateway (VGW) attached. The on-premises network advertises a prefix 10.0.0.0/8 over BGP. The VPC has subnets with CIDR 10.0.1.0/24 and 10.0.2.0/24. The company wants to ensure that traffic to on-premises uses Direct Connect. However, traffic to an S3 bucket uses the internet. What route configuration is required?

A.Change the VPC CIDR to avoid overlap with on-premises.
B.Add specific routes for S3 public IP prefixes pointing to the internet gateway.
C.Add a static route for 0.0.0.0/0 pointing to the internet gateway.
D.Add a static route in the VPC route table for 0.0.0.0/0 pointing to the VGW.
Answer: B

More specific routes override the general route to VGW, directing S3 traffic to IGW.

Why this answer

Option B is correct because a route table always picks the most specific matching route. The propagated 10.0.0.0/8 route points at the VGW, and routes for the Region's public S3 prefixes (taken from the published AWS IP ranges) pointing at an internet gateway are more specific for those destinations, so S3 traffic leaves through the IGW while everything in 10.0.0.0/8 stays on Direct Connect. The VPC's own local route is more specific than the /8, so the on-premises advertisement does not hijack intra-VPC traffic. Option A is wrong because the primary VPC CIDR cannot be changed, and the overlap is not the problem. Option D is wrong because 0.0.0.0/0 to the VGW would send S3 traffic over Direct Connect.

Option C is wrong in the exam's eyes because a 0.0.0.0/0 route to the IGW would also carry S3 traffic but would give the subnet a path to every internet destination, not just S3; the specific routes limit the exposure, at the price of tracking changes to the S3 prefix list. In practice an S3 gateway endpoint would achieve the same without any internet exposure, but it is not among the options.
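The longest-prefix-match behaviour the explanation relies on, as an added example that is not part of the original page: a VPC-style route table is looked up for a few destinations, first with the specific S3 routes of Option B and then with the 0.0.0.0/0 route of Option C, to show what each one exposes. The VPC CIDR (10.0.0.0/16), the gateway IDs and the two "S3" prefixes are constructed sample values; real prefixes come from the published AWS IP ranges.

```python
"""Added example: longest-prefix-match over a VPC-style route table.
The VPC CIDR, gateway IDs and 'S3' prefixes are constructed samples."""
import ipaddress
from typing import Optional

Route = tuple[ipaddress.IPv4Network, str]


def specific_s3_routes() -> list[Route]:
    """Option B: propagated /8 to the VGW plus specific S3 prefixes to the IGW."""
    return [
        (ipaddress.ip_network("10.0.0.0/16"), "local"),       # VPC CIDR (assumed)
        (ipaddress.ip_network("10.0.0.0/8"), "vgw-0abc"),      # propagated from on-prem over DX
        (ipaddress.ip_network("52.216.0.0/15"), "igw-0def"),   # sample S3 prefix for the Region
        (ipaddress.ip_network("3.5.0.0/19"), "igw-0def"),      # sample S3 prefix for the Region
    ]


def default_route_to_igw() -> list[Route]:
    """Option C: the same table, but with 0.0.0.0/0 to the IGW instead."""
    return specific_s3_routes()[:2] + [(ipaddress.ip_network("0.0.0.0/0"), "igw-0def")]


def lookup(route_table: list[Route], dst: str) -> Optional[str]:
    """Return the target of the most specific route covering dst, or None when
    no route matches (the VPC drops the packet)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, target in route_table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None


def internet_reachable(route_table: list[Route], destinations: list[str]) -> list[str]:
    """Which of the sample destinations would leave through the internet gateway."""
    return [d for d in destinations if (lookup(route_table, d) or "").startswith("igw-")]


if __name__ == "__main__":
    samples = ["10.0.1.5", "10.20.30.40", "52.217.1.1", "93.184.216.34"]
    for name, table in (("Option B", specific_s3_routes()), ("Option C", default_route_to_igw())):
        print(name, {d: lookup(table, d) for d in samples})
```

With Option B the non-S3 public address has no route at all, which is the security point: the subnet can reach S3 and on-premises, nothing else. With Option C it reaches everything.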

230
MCQ · hard

A company is migrating its on-premises data center to AWS and wants to use AWS Direct Connect for private connectivity. The network team plans to advertise the company's public IP prefixes to AWS via BGP. Which AWS resource must be configured to allow advertisement of these prefixes?

A.A VPN CloudHub topology
B.A public virtual interface on the Direct Connect connection
C.A private virtual interface on the Direct Connect connection
D.A transit virtual interface on the Direct Connect connection
Answer: B

Public VIF is used to advertise public IP prefixes.

Why this answer

To advertise public IP prefixes over AWS Direct Connect, you must use a public virtual interface (VIF). A public VIF allows you to reach public AWS endpoints (such as S3, DynamoDB, or any public IP range) over the Direct Connect link, and it supports BGP peering where you can advertise your public IP prefixes to AWS. Private VIFs are only for private VPC connectivity and do not accept customer-originated public prefix advertisements.

Exam trap

The trap here is that candidates often confuse private VIFs (used for VPC connectivity) with public VIFs (used for public IP reachability), assuming that any BGP session on Direct Connect can advertise public prefixes, but only the public VIF is designed for that purpose.

How to eliminate wrong answers

Option A is wrong because a VPN CloudHub topology is used for connecting multiple VPN sites together over AWS VPN, not for advertising public IP prefixes over Direct Connect. Option C is wrong because a private virtual interface is used for connecting to a VPC via private IP addresses and does not support the advertisement of public IP prefixes. Option D is wrong because a transit virtual interface is used for connecting a Direct Connect gateway to a transit gateway, enabling connectivity to multiple VPCs, but it does not handle public prefix advertisements; that is the role of a public VIF.

231
MCQ · easy

A company uses AWS Direct Connect to connect its on-premises data center to AWS. The network engineer is troubleshooting connectivity issues and notices that the BGP session between the on-premises router and the AWS Direct Connect virtual interface is down. The engineer has verified the physical connectivity and the VLAN configuration. What should the engineer check next?

A.Ensure the virtual interface type is set to 'public'.
B.Verify that the on-premises router is advertising a CIDR block smaller than /24.
C.Confirm that the BGP ASN configured on the on-premises router matches the one provided by AWS.
D.Check the VPC CIDR range in the route table.
Answer: C

Correct: BGP ASN mismatch prevents session establishment.

Why this answer

Option C is correct because a BGP session only establishes when each side's configured neighbor ASN matches what the peer actually uses: the on-premises router must run with the customer ASN that was entered when the virtual interface was created, and its neighbor statement must point at the AWS-side ASN (the virtual private gateway's or Direct Connect gateway's ASN, 64512 by default for a private VIF). If either is wrong the session sits in Idle or Active. Check the BGP peer IP addresses and the MD5 authentication key from the VIF configuration at the same time, since they fail the same way. Option A is wrong because the VIF type (private, public or transit) determines what can be reached, not whether BGP comes up.

Option B is wrong because the size of the advertised prefixes does not affect session establishment; prefix filtering only matters once the session is up. Option D is wrong because the VPC route table is not involved in BGP peering.

232
MCQ · hard

A company has a VPC with a CIDR block of 172.16.0.0/20. They need to create subnets for three tiers: web, application, and database. The web tier must be public and support at least 1000 hosts. The application and database tiers must be private. Which subnet design meets the requirements?

A.Web: 172.16.0.0/22, App: 172.16.4.0/24, DB: 172.16.5.0/24
B.Web: 172.16.0.0/23, App: 172.16.2.0/23, DB: 172.16.4.0/23
C.Web: 172.16.0.0/20, App: 172.16.0.0/20, DB: 172.16.0.0/20
D.Web: 172.16.0.0/24, App: 172.16.1.0/24, DB: 172.16.2.0/24
Answer: A

/22 provides 1,019 usable addresses (1,024 minus the 5 AWS reserves), meeting the 1,000-host requirement.

Why this answer

Option A is correct because the web tier subnet 172.16.0.0/22 provides 2^(32-22) - 5 = 1024 - 5 = 1019 usable host addresses (AWS reserves 5 IPs per subnet), which meets the requirement of at least 1000 hosts. The application and database subnets use /24 masks, each offering 251 usable hosts, and are private. All subnets fall within the VPC CIDR 172.16.0.0/20 without overlap.

Exam trap

The trap here is that candidates often forget to subtract the 5 reserved AWS IPs from the total subnet size, leading them to incorrectly believe a /23 (512 IPs) can support 1000 hosts, or they overlook the non-overlapping subnet requirement in AWS.

How to eliminate wrong answers

Option B is wrong because the web subnet /23 provides only 512 - 5 = 507 usable addresses, which is insufficient for 1000 hosts. Option C is wrong because it assigns the entire VPC CIDR /20 to all three tiers, causing overlapping subnets, which is invalid in AWS (subnets cannot overlap). Option D is wrong because the web subnet /24 provides only 256 - 5 = 251 usable addresses, far below the 1000-host requirement.

233
MCQ · medium

A company is designing a hybrid network architecture that connects its on-premises data center to AWS via AWS Direct Connect. The on-premises network uses BGP to advertise routes to AWS. The company wants to ensure that if the Direct Connect connection fails, traffic automatically fails over to a VPN connection. Which configuration ensures this failover behavior?

A.Advertise the on-premises prefixes over Direct Connect with a higher AS path prepend than over the VPN.
B.Advertise the on-premises prefixes over Direct Connect with a specific BGP community to influence path selection.
C.Advertise the on-premises prefixes over Direct Connect with a lower MED value than over the VPN.
D.Advertise the on-premises prefixes over Direct Connect with a higher local preference than over the VPN.
Answer: C

Lower MED makes Direct Connect preferred.

Why this answer

Option C is correct as the exam intends: advertising the on-premises prefixes over Direct Connect with a lower MED than over the VPN marks the Direct Connect path as preferred; if Direct Connect fails, only the VPN advertisement remains and traffic moves over, returning when the Direct Connect session comes back. Option A is wrong because a longer AS path on Direct Connect would make it the less preferred path; prepending would have to be applied to the VPN advertisement instead. Option D is wrong because LOCAL_PREF is not carried across an eBGP session to AWS; setting it on the customer router only influences the on-premises side's choice of outbound path.

Option B is wrong as the exam intends: AWS does honour a small set of local-preference communities on Direct Connect (7224:7100, 7224:7200, 7224:7300), but the question asks for the attribute that expresses a preference relative to the VPN path. Caveat for practice: when the same prefix is learned over both Direct Connect and a Site-to-Site VPN on the same virtual private gateway or Transit Gateway, AWS prefers the Direct Connect path regardless of MED or AS path, so these attributes matter mainly when prefix lengths differ or for the return path chosen on premises.

234
MCQ · hard

A company wants to connect multiple VPCs in different AWS accounts to on-premises networks using AWS Transit Gateway. Each VPC must be able to communicate with on-premises resources over AWS Direct Connect. What is the MINIMUM number of Transit Gateway attachments required if the company has 5 VPCs and 2 Direct Connect connections from different locations?

A.6
B.7
C.5
D.8
Answer: B

5 VPC attachments + 2 Direct Connect attachments = 7.

Why this answer

Option B is correct as the exam counts it: each of the 5 VPCs needs one VPC attachment, and each Direct Connect connection is terminated by a transit virtual interface into a Direct Connect gateway that is associated with the Transit Gateway; the question counts one Direct Connect attachment per connection, giving 5 + 2 = 7.

Caveat for practice: a single Direct Connect gateway can carry the transit VIFs from both connections and appears as one Transit Gateway attachment, so a real deployment can get by with 6 attachments while still having two physical paths; the exam's framing is one attachment per connection. Option A is wrong because 6 assumes that single shared Direct Connect attachment. Option C is wrong because 5 ignores the on-premises connectivity entirely. Option D is wrong because 8 adds an attachment that nothing requires.

235
MCQ · medium

A company is designing a hybrid network architecture that requires high availability and low latency between its on-premises data center and AWS. They have two redundant 1 Gbps AWS Direct Connect connections. The company wants to use BGP to advertise the same prefix from both locations to AWS. How should they configure the BGP attributes to ensure active/passive failover with automatic failback?

A.Prepend the AS path on the secondary connection's BGP advertisements
B.Set a higher MED value on the primary connection's BGP advertisements
C.Set a higher local preference on the secondary connection's BGP advertisements
D.Use BGP communities to tag routes and manipulate preference on AWS side
Answer: A

AS path prepending makes the secondary path less preferred; the primary will be used, and failover/failback occurs automatically.

Why this answer

Option A is correct because prepending the AS path on the secondary connection's advertisements makes that path longer and therefore less preferred while the primary is healthy; when the primary session drops, only the prepended path remains and traffic fails over, and when the primary returns its shorter AS path wins again, giving automatic failback without operator action. Option B is wrong because a higher MED on the primary would make the primary the less preferred path, the opposite of what is wanted. Option C is wrong because LOCAL_PREF is not propagated to AWS over eBGP, and raising it on the secondary would invert the preference on the on-premises side anyway.

Option D is wrong as the exam intends: AWS does accept the local-preference communities 7224:7100, 7224:7200 and 7224:7300 on Direct Connect, but the question asks for a configuration of the standard BGP attributes.

236
MCQ · hard

A company is designing a global application that will serve users across North America and Europe. The application consists of a static website hosted on Amazon S3, a REST API hosted on Amazon API Gateway, and a backend application running on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The company wants to minimize latency for users by serving content from the closest AWS region. They also want to ensure high availability and automatic failover if a region becomes unavailable. The company is considering using Amazon Route 53 with a latency-based routing policy. However, they are concerned about DNS caching and propagation delays during failover. Which additional service should they use to improve the failover experience and provide a single endpoint for users?

A.Use a Network Load Balancer in each region and configure Route 53 with failover routing
B.Use Amazon CloudFront with multiple origins pointing to the S3 bucket and the ALB in each region
C.Use Lambda@Edge to dynamically route traffic based on the user's location
D.Use AWS Global Accelerator to provide a static IP address and route traffic to the ALB in the closest healthy region
Answer: D

Global Accelerator provides static IPs and fast failover using network layer routing.

Why this answer

AWS Global Accelerator uses the AWS global network to route traffic to the closest healthy endpoint via the Anycast static IP addresses, bypassing DNS caching and propagation delays. It provides a single fixed endpoint for users and integrates with the ALB in each region, automatically failing over to the next healthy region within seconds when health checks fail.

Exam trap

AWS often tests the misconception that CloudFront or DNS-based routing alone can solve latency and failover requirements for dynamic APIs, but Global Accelerator is the only service that provides static IPs and fast regional failover without DNS caching delays.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer does not provide a single global endpoint or improve DNS caching issues; Route 53 failover routing still relies on DNS TTLs, which can cause propagation delays during failover. Option B is wrong because CloudFront with multiple origins does not provide a single static IP endpoint for the REST API and backend; it is designed for content delivery, not for low-latency TCP/UDP traffic to dynamic APIs, and it still depends on DNS resolution for origin selection. Option C is wrong because Lambda@Edge is used for customizing CloudFront content and does not provide a static IP address or direct traffic to ALBs; it cannot replace the need for a global anycast network to minimize latency and ensure fast failover.

237
MCQ · hard

A company is designing a hybrid network using AWS Direct Connect. They have two Direct Connect connections from different providers to two different AWS Direct Connect locations. They want to configure a virtual interface (VIF) that provides connectivity to multiple VPCs in the same region. Which type of VIF should they use?

A.Hosted virtual interface
B.Public virtual interface
C.Private virtual interface
D.Transit virtual interface
Answer: D

Transit VIF connects to Transit Gateway for multiple VPCs.

Why this answer

Option D is correct because a transit virtual interface connects the Direct Connect connection to a Direct Connect gateway that is associated with a Transit Gateway, and the Transit Gateway attaches to as many VPCs as needed in the Region. Option C is wrong as the exam intends: a private VIF is the single-VPC answer; through a Direct Connect gateway it can reach up to 10 virtual private gateways, but with no transitive routing between them. Option B is wrong because a public VIF reaches public AWS endpoints, not VPCs.

Option A is wrong because "hosted" describes who owns the VIF (created by one account for another), not what it connects to; a hosted VIF is still private, public or transit.

238
MCQ · easy

A company is deploying a new application in a VPC with public and private subnets. The application needs to access an S3 bucket in the same AWS Region. Which configuration provides the MOST secure and cost-effective connectivity?

A.Configure a proxy server in the public subnet to forward requests to S3.
B.Set up an AWS Direct Connect connection to S3.
C.Create a NAT gateway in the public subnet and route traffic through it.
D.Create an S3 Gateway Endpoint in the VPC and add a route to it.
Answer: D

Gateway Endpoint provides private, free access to S3 within same Region.

Why this answer

Option D is correct because an S3 gateway endpoint provides private connectivity to S3 in the same Region at no charge, without traversing the internet or a NAT gateway. Option C is wrong because a NAT gateway adds hourly and per-GB cost and still sends the traffic out via the internet gateway. Option B is wrong because Direct Connect is for on-premises connectivity; it does not connect a VPC to S3.

Option A is wrong because a proxy instance adds an internet-exposed component to patch and monitor, plus cost, for something the endpoint provides natively.

239
MCQ · medium

A company is designing a multi-Region active-active application using Application Load Balancers (ALBs) in us-east-1 and eu-west-1, with Route 53 latency-based routing. Users report that after a failover, existing connections fail. What should the company implement to ensure seamless failover?

A.Use a Global Accelerator instead of Route 53
B.Enable client IP affinity on the ALBs
C.Use Amazon Route 53 geolocation routing instead of latency
D.Enable sticky sessions (session affinity) on the ALBs with a cookie duration
Answer: D

Sticky sessions ensure users are routed to the same ALB based on a cookie, maintaining session state.

Why this answer

Option D is correct as the exam intends: ALB sticky sessions (target group stickiness with a cookie duration) pin a client to the same target behind an ALB so that session state is not lost between requests; Route 53 latency-based routing alone does nothing for session persistence.

Option A is wrong because Global Accelerator changes how clients reach the ALBs but does not carry session state (its client affinity is by source IP, not by session). Option B is wrong because ALBs do not offer client-IP affinity; ALB stickiness is cookie-based. Option C is wrong because geolocation routing changes which Region a client is sent to, not whether its session survives. Caveat: a cookie cannot keep a connection alive to an ALB in a Region that has failed; for a genuinely seamless failover the session state has to live outside the instance, in a store both Regions can read.

240
Multi-Select · hard

A company has a hybrid network with an AWS Direct Connect connection and an AWS Site-to-Site VPN as a backup. The network team notices that traffic is asymmetrically routing through both connections, causing performance issues. Which TWO steps should the team take to ensure traffic uses the primary Direct Connect and only fails over to the VPN? (Choose two.)

Select 2 answers
A.Increase the BGP MED value on the VPN connection to make it less preferred.
B.Enable VPN automatic failover using AWS VPN CloudHub.
C.Configure BGP communities on the Direct Connect to influence route preference.
D.Disable AS path prepend on the Direct Connect BGP session.
E.Advertise a more specific prefix over Direct Connect compared to the VPN.
Answers: C, E

BGP communities can be used to influence routing.

Why this answer

Options C and E are correct. Option C: AWS honours the Direct Connect local-preference communities (7224:7100 low, 7224:7200 medium, 7224:7300 high) on private and transit VIFs, so tagging the Direct Connect advertisements influences which path AWS chooses. Option E: advertising more specific prefixes over Direct Connect than over the VPN wins on longest-prefix match before any BGP attribute is compared, which is the most deterministic way to attract traffic to Direct Connect. Both fix only the AWS-to-on-premises direction; the asymmetry is cured only when the on-premises routers also prefer Direct Connect for the return path, typically with LOCAL_PREF.

Option A is wrong as the exam intends because MED is a weak tie-breaker evaluated only after prefix length, communities and AS path, and AWS already prefers Direct Connect over VPN for equal-length prefixes. Option B is wrong because VPN CloudHub joins multiple VPN sites to each other; it does not arbitrate between Direct Connect and a VPN. Option D is wrong because removing a prepend on Direct Connect has no effect unless one was configured, and prepending on Direct Connect would have made it less preferred in the first place.
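Questions 233, 235 and 240 all turn on how a BGP speaker picks between several advertisements of the same destination. The following toy decision process, added here as an example and not part of the original page, replays each scenario: prepending on the secondary with failover and failback (235), a lower MED on Direct Connect (233), and more specific prefixes over Direct Connect beating a shorter /16 over VPN (240). The ASN and prefixes are constructed samples. It models the generic ordering (longest prefix, highest LOCAL_PREF, shortest AS_PATH, lowest MED); it does not encode AWS's own extra rule that Direct Connect beats VPN outright for equal-length prefixes.

```python
"""Added example: a toy BGP decision process (longest prefix, highest
LOCAL_PREF, shortest AS_PATH, lowest MED) for the three exam scenarios.
ASN and prefixes are constructed sample values."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

ON_PREM_ASN = 65000  # constructed sample customer ASN


@dataclass
class Advert:
    link: str                  # which link advertised it: "dx-primary", "vpn", ...
    prefix: str
    as_path: list[int]
    med: int = 0
    local_pref: int = 100      # set by the receiving router; never sent over eBGP
    net: ipaddress.IPv4Network = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.net = ipaddress.ip_network(self.prefix)


def best_path(adverts: list[Advert], dst: str) -> Optional[Advert]:
    """Pick the winning advertisement for one destination, or None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    covering = [a for a in adverts if addr in a.net]
    if not covering:
        return None
    longest = max(a.net.prefixlen for a in covering)
    tied = [a for a in covering if a.net.prefixlen == longest]
    # Lowest tuple wins: higher LOCAL_PREF, shorter AS_PATH, lower MED, then a stable tiebreak.
    return min(tied, key=lambda a: (-a.local_pref, len(a.as_path), a.med, a.link))


def q235_prepend_failover() -> list[str]:
    """Primary wins; failover when it is withdrawn; automatic failback on return."""
    primary = Advert("dx-primary", "10.1.0.0/16", [ON_PREM_ASN])
    secondary = Advert("dx-secondary", "10.1.0.0/16", [ON_PREM_ASN] * 3)  # prepended twice
    dst = "10.1.2.3"
    steady = best_path([primary, secondary], dst).link
    failed = best_path([secondary], dst).link          # primary session down: advert gone
    restored = best_path([primary, secondary], dst).link
    return [steady, failed, restored]


def q233_lower_med() -> str:
    """Lower MED on the Direct Connect advertisement makes it preferred."""
    dx = Advert("dx", "10.1.0.0/16", [ON_PREM_ASN], med=50)
    vpn = Advert("vpn", "10.1.0.0/16", [ON_PREM_ASN], med=100)
    return best_path([dx, vpn], "10.1.2.3").link


def q233_wrong_way_prepend() -> str:
    """Option A of question 233: prepending on Direct Connect hands traffic to the VPN."""
    dx = Advert("dx", "10.1.0.0/16", [ON_PREM_ASN] * 3)
    vpn = Advert("vpn", "10.1.0.0/16", [ON_PREM_ASN])
    return best_path([dx, vpn], "10.1.2.3").link


def q240_more_specific() -> str:
    """Two /17s over DX beat a /16 over VPN even with a worse AS_PATH and MED."""
    vpn = Advert("vpn", "10.1.0.0/16", [ON_PREM_ASN])
    dx_low = Advert("dx", "10.1.0.0/17", [ON_PREM_ASN] * 4, med=999)
    dx_high = Advert("dx", "10.1.128.0/17", [ON_PREM_ASN] * 4, med=999)
    return best_path([vpn, dx_low, dx_high], "10.1.200.1").link


if __name__ == "__main__":
    print("235 prepend:", q235_prepend_failover())
    print("233 MED:", q233_lower_med(), "| prepend on DX instead:", q233_wrong_way_prepend())
    print("240 more specific:", q240_more_specific())
```

Because the prefix-length check runs before any attribute comparison, the more-specific approach in 240 cannot be overridden by a neighbour's MED or AS-path tricks, which is why it is the most robust of the three levers.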

241
MCQ · easy

A network engineer is troubleshooting connectivity issues from an on-premises network to an AWS VPC over a Site-to-Site VPN. The VPN tunnel status shows as UP. The on-premises network can ping the virtual private gateway (VGW) IP address, but cannot reach EC2 instances inside the VPC. What is the most likely cause?

A.The VPN tunnel is not properly configured with the correct pre-shared key.
B.The security groups on the EC2 instances are blocking inbound traffic from the on-premises network.
C.The virtual private gateway has its own security group that blocks traffic.
D.The VPC route tables do not have a route to the on-premises network pointing to the virtual private gateway.
Answer: D

Without a route back, return traffic is dropped.

Why this answer

Option D is correct because the subnets' route tables must carry a route for the on-premises CIDR pointing at the VGW, either static or through route propagation; without it the instances' replies have no path back and the flows fail even though the tunnel is UP. Option A is wrong because an IKE or pre-shared key problem would keep the tunnel down. Option B is a possible cause but not the first to suspect: a missing route drops everything, whereas a security group only blocks the specific ports; check it after the route, remembering that security groups are stateful and the rule needed is an inbound one for the on-premises CIDR.

Option C is wrong because a virtual private gateway has no security group.

242
MCQ · hard

A financial services company has a multi-account AWS environment using AWS Organizations. They have a central security account with AWS Network Firewall and a central inspection VPC. All other VPCs are connected to the inspection VPC via AWS Transit Gateway. The company wants to enforce that all traffic between VPCs (east-west) and traffic to the internet (north-south) passes through the Network Firewall. They have configured the Transit Gateway route tables appropriately. However, they notice that traffic from an application VPC to another application VPC is not being inspected. The network engineer has verified that the application VPCs have a default route to the Transit Gateway, and the Transit Gateway route table has a route for the inspection VPC. What is the most likely reason that east-west traffic is bypassing the Network Firewall?

A.The Transit Gateway route tables allow direct communication between application VPCs
B.The inspection VPC does not have a subnet for east-west traffic
C.Network Firewall cannot inspect traffic between VPCs at high throughput
D.Network Firewall is not stateful and cannot handle return traffic
Answer: A

If routes exist for direct VPC-to-VPC traffic, it will bypass inspection.

Why this answer

Option A is correct. For east-west traffic to be inspected, the Transit Gateway route table associated with the application VPC attachments must send inter-VPC traffic to the inspection VPC attachment, and a separate route table associated with the inspection VPC attachment must return the traffic to the destination VPCs. If the application attachments share a route table that also contains propagated routes for each other (or static routes to each other), the Transit Gateway delivers VPC-to-VPC traffic directly and the firewall never sees it. The fix is to remove those propagations from the application route table so its only route is a default to the inspection attachment, and to enable appliance mode on the inspection attachment so both directions of a flow hit the same firewall endpoint.

Option C is wrong because Network Firewall scales to inspect traffic between VPCs. Option D is wrong because Network Firewall is stateful and handles return traffic. Option B is wrong because the inspection VPC needs firewall endpoint subnets and Transit Gateway attachment subnets, not a dedicated subnet per traffic direction.

243
Drag & Drop · medium

Arrange the steps to configure BGP on a Cisco router for a Direct Connect private virtual interface:


Why this order

First enter config mode, enable BGP, define the neighbor, advertise prefixes, then verify.

244
MCQ · easy

A company is setting up a new VPC with both IPv4 and IPv6 support. They need to ensure that instances in a private subnet can access the Internet for software updates. Which combination of resources is required?

A.VPC endpoint and internet gateway
B.NAT gateway and egress-only internet gateway
C.NAT instance and internet gateway
D.Internet gateway and NAT gateway
Answer: B

NAT for IPv4, egress-only for IPv6.

Why this answer

Option B is correct because a NAT gateway provides outbound IPv4 access for instances in private subnets, and an egress-only internet gateway does the equivalent for IPv6: it lets instances initiate outbound IPv6 connections while rejecting connections initiated from the internet (IPv6 addresses are globally routable, so there is no NAT to hide behind). Note that the NAT gateway in the public subnet still depends on an internet gateway being attached to the VPC; the option lists the two resources that give the private subnet dual-stack egress. Option A is wrong because a VPC endpoint reaches AWS services, not the internet, and an internet gateway alone gives private instances no egress. Option C is wrong because a NAT instance is a self-managed, IPv4-only workaround and adds nothing for IPv6.

Option D is wrong because an internet gateway plus a NAT gateway covers IPv4 only; IPv6 traffic from the private subnet would have no outbound path.

245
MCQ · easy

A company wants to encrypt data in transit between an on-premises data center and AWS. Which service provides a dedicated encrypted connection?

A.AWS Transit Gateway
B.AWS Direct Connect with MACsec
C.AWS Site-to-Site VPN
D.AWS Client VPN
Answer: B

Direct Connect with MACsec provides a dedicated link with Layer 2 encryption.

Why this answer

Option B is correct because AWS Direct Connect with MACsec provides a dedicated connection with line-rate Layer 2 encryption between your router and the AWS Direct Connect device; it is available on dedicated connections of 10 Gbps and faster, and for slower or hosted connections an IPsec Site-to-Site VPN run over the Direct Connect link is the alternative. Option C is wrong because a Site-to-Site VPN is encrypted but, on its own, runs over the public internet, not a dedicated connection. Option D is wrong because Client VPN serves individual remote users, not a data center.

Option A is wrong because Transit Gateway is a regional routing hub, not a connection type.

246
MCQ · medium

A company is using AWS Direct Connect with a private VIF to connect to a VPC. They want to ensure high availability by having a second Direct Connect connection. Which configuration provides the most resilient setup?

A.Two Direct Connect connections from the same provider to the same Direct Connect location with separate VIFs.
B.Two Direct Connect connections from different providers to different Direct Connect locations.
C.One Direct Connect connection and one Site-to-Site VPN as backup.
D.One Direct Connect connection with two private VIFs.
Answer: B

Diverse paths provide maximum resilience.

Why this answer

Option B is correct because two Direct Connect connections from different providers to different Direct Connect locations remove the single points of failure that one provider, one fiber path and one location each represent; this is the pattern AWS describes as maximum resiliency for critical workloads. Option D is wrong because two VIFs on one connection still share a single physical link. Option A is wrong because two connections in the same location from the same provider survive a port failure but not a location or provider outage.

Option C is wrong because a VPN backup over the internet offers lower bandwidth and less predictable latency than a second Direct Connect connection; it is a cost-conscious fallback, not the most resilient option.

247
MCQ · medium

A company has a VPC with a CIDR of 10.0.0.0/16. They want to create a subnet that can host at least 2000 EC2 instances. Which subnet size should they choose?

A./21
B./22
C./24
D./20
Answer: A

Provides 2048 IPs, enough for 2000 instances.

Why this answer

A /21 subnet has 2,048 addresses; AWS reserves 5 in every subnet (network address, VPC router, Amazon-provided DNS, one held for future use, broadcast), leaving 2,043 usable, which covers 2,000 instances. It is the smallest subnet that does: the next size down, /22, leaves only 1,019.

Exam trap

AWS often tests whether candidates account for the 5 reserved addresses: the arithmetic matters near a boundary (a requirement of 2,044 hosts would already need a /20), and a larger subnet such as /20 is not automatically the better answer when the question asks which size should be chosen.

How to eliminate wrong answers

Option B (/22) is wrong because it provides only 1,024 total IP addresses, yielding 1,019 usable after AWS reserves 5, which is insufficient for 2,000 instances. Option C (/24) is wrong because it provides only 256 total IP addresses, yielding 251 usable, far below the requirement. Option D (/20) is wrong because although it provides 4,096 total IP addresses (4,091 usable) and would technically work, it is larger than necessary; the question asks which subnet size they should choose, implying the most efficient size that meets the requirement, and /21 is the smallest that satisfies it.
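The sizing arithmetic from questions 232 and 247, plus the non-overlap check from 232, as an added example that is not part of the original page: the functions compute usable hosts for a prefix length with AWS's 5 reserved addresses, find the smallest subnet for a host count within the /16 to /28 range AWS allows, and validate a subnet plan against its VPC CIDR. The subnet plans below are the ones from the two questions.

```python
"""Added example: AWS subnet sizing with the 5 reserved addresses, plus a
plan validator (every subnet inside the VPC CIDR, no overlaps)."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def usable_hosts(prefixlen: int) -> int:
    """Usable addresses in an AWS subnet of the given prefix length."""
    if not 16 <= prefixlen <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    return 2 ** (32 - prefixlen) - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable count covers `hosts`."""
    for prefixlen in range(28, 15, -1):
        if usable_hosts(prefixlen) >= hosts:
            return prefixlen
    raise ValueError(f"{hosts} hosts exceed a single /16 subnet")


def validate_plan(vpc_cidr: str, subnets: dict[str, str]) -> list[str]:
    """Return the list of problems with a subnet plan (empty when valid): every
    subnet must sit inside the VPC CIDR and no two subnets may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    for hosts in (1000, 2000, 2044):
        p = smallest_prefix_for(hosts)
        print(f"{hosts} hosts -> /{p} ({usable_hosts(p)} usable)")
    option_a = {"web": "172.16.0.0/22", "app": "172.16.4.0/24", "db": "172.16.5.0/24"}
    option_c = {"web": "172.16.0.0/20", "app": "172.16.0.0/20", "db": "172.16.0.0/20"}
    print("Q232 option A:", validate_plan("172.16.0.0/20", option_a) or "valid")
    print("Q232 option C:", validate_plan("172.16.0.0/20", option_c))
```

The validator is also a useful pre-flight for real plans: an overlap is rejected by the API, but a subnet that does not leave room for the next tier is only discovered later.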

248
MCQ · medium

A network engineer is monitoring network performance between an EC2 instance and an on-premises server using AWS VPN. The engineer notices intermittent packet loss. Which AWS service can provide detailed network metrics and path visualization to troubleshoot?

A.Amazon CloudWatch
B.VPC Flow Logs
C.AWS Transit Gateway Network Manager
D.AWS X-Ray
Answer: C

Network Manager provides topology and monitoring for VPN and Direct Connect.

Why this answer

Option C is correct because AWS Transit Gateway Network Manager (now part of AWS Network Manager) shows the global network topology, monitors Site-to-Site VPN and Direct Connect attachments, and its Route Analyzer traces the path a flow would take through Transit Gateway route tables. AWS X-Ray traces application requests, not network paths. VPC Flow Logs record per-flow metadata with no path view. Amazon CloudWatch exposes VPN tunnel metrics such as TunnelState, TunnelDataIn and TunnelDataOut, which help correlate the packet loss with tunnel flaps, but it does not draw the path.

249
MCQ · easy

A security team needs to audit all network traffic entering and leaving a VPC. Which AWS service should be used to capture IP traffic information?

A.VPC Flow Logs
B.AWS Config
C.Amazon CloudWatch Logs
D.AWS CloudTrail
Answer: A

VPC Flow Logs capture IP traffic information.

Why this answer

Option A is correct because VPC Flow Logs capture IP traffic metadata for the network interfaces in a VPC, subnet or single ENI (addresses, ports, protocol, bytes, and whether the traffic was accepted or rejected). Option D is wrong because CloudTrail records API calls. Option C is wrong because CloudWatch Logs is one of the destinations Flow Logs can be delivered to (alongside S3 and Kinesis Data Firehose); it stores logs but captures no traffic by itself.

Option B is wrong because AWS Config records resource configuration changes. For an audit that needs packet contents rather than headers, use VPC Traffic Mirroring.

250
Multi-Select · medium

A network engineer is troubleshooting a VPN connectivity issue. The VPN tunnel is up, but traffic is not passing. Which TWO AWS services should the engineer use to diagnose the problem?

Select 2 answers
A.AWS Config
B.VPC Flow Logs
C.AWS CloudTrail
D.AWS Direct Connect
E.Amazon CloudWatch
Answers: B, E

Flow Logs can show traffic flow to the VPN endpoint.

Why this answer

The correct answers are B and E. VPC Flow Logs on the target subnets show whether packets from the on-premises CIDR reach the instance network interfaces at all and whether they are ACCEPTed or REJECTed: no records points at routing (or the on-premises side), REJECT records point at a security group or network ACL. Amazon CloudWatch supplies the tunnel metrics (TunnelState, TunnelDataIn, TunnelDataOut) and, if enabled, the Site-to-Site VPN logs that show IKE negotiation and tunnel events. Option C is wrong because CloudTrail records API calls, not data-plane traffic.

Option A is wrong because AWS Config tracks configuration state, not traffic. Option D is wrong because Direct Connect is a separate connectivity service, not a diagnostic tool for a VPN.
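Questions 227, 249 and 250 all rest on what a VPC Flow Log record contains and how it separates "nothing arrived" from "arrived but was rejected". The following parser and summary are an added example, not part of the original page: they read the default version 2 record format and, for a given on-premises CIDR, report whether any traffic reached the ENI, how much was accepted, and which destination ports were rejected. The log lines, account ID, ENI ID and addresses are constructed sample data.

```python
"""Added example: parse default-format VPC Flow Log records and summarise
traffic from a CIDR (accepted vs rejected). All log data is constructed."""
from collections import Counter
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Default (version 2) format, space separated:
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: on-prem 192.168.10.0/24 talking to an instance at 10.0.1.15.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 192.168.10.25 10.0.1.15 51234 443 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 192.168.10.26 10.0.1.15 51300 22 6 5 400 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.15 192.168.10.26 22 51300 6 4 320 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.9 10.0.1.15 40000 3389 6 1 60 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1600000000 1600000060 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    srcport: int
    dstport: int
    protocol: str
    packets: int
    bytes: int
    action: str


def parse_flow_log(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, which carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    proto = int(rec["protocol"])
    return FlowRecord(
        interface_id=rec["interface_id"],
        src=ipaddress.ip_address(rec["srcaddr"]),
        dst=ipaddress.ip_address(rec["dstaddr"]),
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=PROTO_NAMES.get(proto, str(proto)),
        packets=int(rec["packets"]),
        bytes=int(rec["bytes"]),
        action=rec["action"],
    )


def summarize_from_cidr(log_text: str, cidr: str) -> dict:
    """For flows whose source is inside `cidr` (e.g. the on-premises range behind
    the VPN): did anything arrive, how much was accepted, what was rejected."""
    net = ipaddress.ip_network(cidr)
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    records = [r for r in map(parse_flow_log, lines) if r and r.src in net]
    rejected = Counter((str(r.dst), r.dstport, r.protocol) for r in records if r.action == "REJECT")
    return {
        "seen": bool(records),
        "accepted": sum(1 for r in records if r.action == "ACCEPT"),
        "rejected": sum(rejected.values()),
        "reject_targets": dict(rejected),
    }


if __name__ == "__main__":
    print(summarize_from_cidr(SAMPLE_LOG, "192.168.10.0/24"))
```

Reading the result for the VPN case: "seen" False means the packets never reached the ENI, so look at route tables and the on-premises side; "seen" True with rejects on specific ports means the tunnel and routing are fine and a security group or network ACL is the culprit.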

251
MCQ · medium

A company is deploying an AWS Network Firewall in a centralized inspection VPC to inspect traffic between VPCs connected to an AWS Transit Gateway. The architecture uses Transit Gateway route tables to send inter-VPC traffic through the inspection VPC. The Network Firewall is configured with stateful and stateless rule groups. After deployment, the security team notices that traffic from VPC A to VPC B is being dropped. Other traffic flows correctly. What is the MOST likely cause of this issue?

A.The route table for VPC A's subnets does not have a route to the inspection VPC.
B.The stateless rule group is set to forward traffic, but the stateful rule group is not configured to allow the traffic.
C.The stateful rule group is configured to drop all traffic that is not explicitly allowed.
D.The security group attached to the Transit Gateway is blocking the traffic.
Answer: B

Stateless rules are evaluated first; traffic they forward to the stateful engine is dropped if no stateful rule passes it.

Why this answer

Option B is correct because Network Firewall evaluates the stateless rule groups first and, for packets the stateless rules mark to forward to the stateful engine, the stateful rule groups decide; a stateless forward followed by a stateful policy with no pass rule for VPC A to VPC B drops exactly that flow while flows with matching pass rules keep working. Option A is wrong because the question states that routing already sends inter-VPC traffic through the inspection VPC and that other flows work. Option C is wrong because a stateful policy that drops everything not explicitly allowed would break all flows, not only VPC A to VPC B; what matters is the missing pass rule for this pair.

Option D is wrong because Transit Gateway has no security groups.

252
Multi-Select · medium

A company is designing a multi-VPC architecture using AWS Transit Gateway. They need to ensure that traffic between VPCs is encrypted and that only specific VPCs can communicate with each other. Which two services should they use together? (Choose TWO.)

Select 2 answers
A.AWS PrivateLink
B.AWS Direct Connect
C.AWS Transit Gateway
D.AWS VPN CloudHub
E.AWS Network Firewall
AnswersC, E

Provides connectivity between VPCs.

Why this answer

AWS Transit Gateway provides transitive routing between VPCs. AWS Network Firewall can inspect and encrypt traffic. AWS PrivateLink is for service access, not transitive routing.

AWS VPN CloudHub is for VPN connections. AWS Direct Connect is for on-premises connectivity.

253
MCQmedium

A company uses AWS Shield Advanced and AWS WAF to protect its web application. The security team notices that some legitimate traffic is being blocked. They want to allow traffic from a specific set of IP addresses used by their partners. How can they ensure that partner traffic is not blocked by WAF rules?

A.Add the partner IPs to a Network ACL allow rule in the VPC.
B.Remove the blocking WAF rules and rely on Shield Advanced only.
C.Add the partner IPs to an AWS Shield Advanced IP whitelist.
D.Create a WAF IP set and add a rule to allow traffic from that IP set, with a higher priority than blocking rules.
AnswerD

This ensures partner traffic is allowed before it reaches blocking rules.

Why this answer

Option D is correct because creating an IP set in WAF and adding a rule to allow traffic from that IP set with higher priority than the blocking rules will whitelist the partner IPs. Option C is wrong because Shield Advanced does not have IP whitelisting; it is for DDoS protection. Option A is wrong because Network ACLs operate at the subnet level, not at the application layer.

Option B is wrong because removing the blocking rules entirely would weaken security.

254
MCQeasy

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download software patches from the internet. Which AWS service should be used to provide outbound internet access without allowing inbound traffic?

A.Site-to-Site VPN connection
B.VPC endpoint
C.NAT gateway
D.Internet gateway
AnswerC

NAT gateway enables outbound internet access for instances in private subnets.

Why this answer

Option C is correct because a NAT gateway allows outbound internet traffic from private subnets and blocks unsolicited inbound traffic. Option D is wrong because an internet gateway is for public subnets and allows inbound traffic. Option B is wrong because a VPC endpoint is for accessing AWS services privately, not the internet.

Option A is wrong because a VPN connection is for hybrid connectivity, not internet access.

255
MCQhard

A company is using AWS Client VPN for remote access. Users can authenticate and establish a VPN connection, but they cannot access resources in the VPC. The Client VPN endpoint is associated with a subnet in the VPC. The security group for the Client VPN endpoint allows all traffic. What is the most likely cause?

A.There is no authorization rule to allow access to the VPC CIDR.
B.The Client VPN endpoint is not associated with the correct subnet.
C.The route table for the subnet does not have a route to the Client VPN endpoint.
D.The Client VPN endpoint's server certificate is expired.
AnswerA

Authorization rules define which networks VPN clients can access; without one, traffic is blocked.

Why this answer

Client VPN uses an authorization rule to grant access to specific networks. Without an authorization rule that allows access to the VPC CIDR, traffic from clients will be dropped.

256
MCQhard

A company is expanding its on-premises network to AWS using Direct Connect and VPN backup. They have two Direct Connect connections from different providers to two different Direct Connect locations in the same region. They have configured a private virtual interface (VIF) on each connection to a virtual private gateway (VGW) attached to a VPC. They have also configured a VPN connection as a backup. The company uses BGP to advertise the on-premises prefixes to AWS. They want to ensure that traffic is load-balanced across both Direct Connect connections under normal conditions and that the VPN is used only if both Direct Connect connections fail. They also want to minimize the cost of data transfer. Which BGP configuration should they use?

A.Configure a single BGP session over both Direct Connect connections using the same virtual interface
B.Advertise the same prefixes over both Direct Connect connections with equal local preference, and prepend AS path on the VPN routes to make them less preferred
C.Set a higher MED on one of the Direct Connect connections to make it the primary, and use the VPN as secondary
D.Advertise different on-premises prefixes over each Direct Connect connection and use the VPN for all traffic
AnswerB

Equal local preference allows load balancing; AS path prepending makes VPN less preferred.

Why this answer

Option B is correct. By using BGP with equal local preference for both Direct Connect paths and AS_PATH prepending on the VPN routes, the VPN will be less preferred. To achieve active/active load balancing across Direct Connect connections, the company should advertise the same prefixes with equal MED or local preference.

Option D is wrong because advertising different prefixes would not load-balance traffic. Option A is wrong because a single BGP session over one Direct Connect connection creates a single point of failure. Option C is wrong because increasing MED on one Direct Connect connection makes it less preferred, not equal.

257
MCQmedium

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices intermittent packet loss and latency spikes during peak hours. Which action should the team take to diagnose the issue?

A.Increase the bandwidth of the Direct Connect connection
B.Enable Bidirectional Forwarding Detection (BFD) on the virtual interfaces
C.Apply a tag to the Direct Connect connection for monitoring
D.Change the private ASN on the customer router
AnswerB

BFD helps detect failures quickly, aiding diagnosis.

Why this answer

Option B is correct because enabling Bidirectional Forwarding Detection (BFD) on the virtual interfaces allows rapid detection of connectivity failures, which can help isolate whether the issue is on the AWS side or the customer side. Option A is wrong because increasing bandwidth may not resolve intermittent issues caused by routing problems. Option D is wrong because changing the private ASN does not affect performance.

Option C is wrong because tagging does not impact network performance.

258
MCQmedium

A company has a Direct Connect connection with a public virtual interface (VIF) to access AWS public services. They want to ensure that all traffic to Amazon S3 from on-premises uses the Direct Connect connection instead of the internet. Which configuration is required?

A.Establish a VPN connection over the Direct Connect private VIF and route S3 traffic through the VPN.
B.Use the public virtual interface and configure a route filter to only accept routes for the S3 service.
C.Create a private virtual interface and attach it to the VPC.
D.Create a Direct Connect gateway and associate the public VIF with it.
AnswerB

A public VIF provides access to AWS public services, and route filters can restrict which prefixes are advertised.

Why this answer

Option B is correct because using a public VIF with a route filter that only allows S3 prefixes ensures traffic to S3 uses Direct Connect. Option C is wrong because a private VIF is for private IP connectivity to VPCs, not public services. Option A is wrong because a VPN over Direct Connect is unnecessary and adds complexity.

Option D is wrong because a Direct Connect gateway is used for private VIFs to multiple VPCs, not public VIFs.

259
MCQmedium

A company wants to audit all changes made to security groups and network ACLs in its AWS account. Which AWS service should be used to capture these API calls?

A.AWS CloudTrail
B.Amazon GuardDuty
C.VPC Flow Logs
D.AWS Config
AnswerA

CloudTrail logs API calls for auditing.

Why this answer

AWS CloudTrail is the correct service because it records all API calls made to the AWS environment, including those that modify security groups and network ACLs. By enabling CloudTrail, you can capture CreateSecurityGroup, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, CreateNetworkAclEntry, and similar API calls, providing an audit trail of who made the change, when, and from which IP address.

Exam trap

The trap here is that candidates often confuse AWS Config (which tracks configuration state) with CloudTrail (which tracks API actions), but the question explicitly asks for capturing the API calls themselves, not the resulting configuration changes.

How to eliminate wrong answers

Option B (Amazon GuardDuty) is wrong because it is a threat detection service that monitors for malicious activity using anomaly detection and threat intelligence, not a service that captures API call logs for auditing changes. Option C (VPC Flow Logs) is wrong because it captures IP traffic metadata (source/destination IP, ports, protocol) at the network interface level, not API calls that modify security group or network ACL configurations. Option D (AWS Config) is wrong because it evaluates resource configurations against desired policies and tracks configuration changes over time, but it does not directly capture the API calls that initiated those changes; it records the resulting state, not the action itself.

260
MCQeasy

A company is designing a disaster recovery solution that requires replicating data from an on-premises database to an Amazon RDS instance in a different AWS region. The data transfer must be encrypted in transit and should not traverse the public internet. Which approach meets these requirements?

A.Use an AWS Direct Connect connection with public VIF
B.Establish an AWS Site-to-Site VPN over an AWS Direct Connect connection
C.Establish an AWS Site-to-Site VPN over the internet
D.Use VPC Peering between the on-premises network and the RDS VPC
AnswerB

Correct; this provides encryption and uses a private connection.

Why this answer

Option B is correct because an AWS Site-to-Site VPN over an AWS Direct Connect connection provides encrypted IPsec tunnels for data in transit while keeping traffic entirely within the private network, avoiding the public internet. The Direct Connect private VIF establishes a dedicated private link to AWS, and the VPN overlay adds encryption, meeting both requirements for an on-premises to RDS cross-region replication scenario.

Exam trap

The trap here is that candidates often assume a Direct Connect public VIF (Option A) provides encryption because it is a private circuit, but it does not encrypt the payload; only a VPN overlay or dedicated encrypted transport (e.g., MACsec) satisfies the encryption requirement.

How to eliminate wrong answers

Option A is wrong because a public VIF on Direct Connect provides access to public AWS services (e.g., S3, DynamoDB) but does not inherently encrypt traffic; data would traverse the Direct Connect link without IPsec encryption, failing the encryption-in-transit requirement. Option C is wrong because an AWS Site-to-Site VPN over the internet uses the public internet as the transport medium, which violates the requirement that data should not traverse the public internet. Option D is wrong because VPC Peering is used to connect VPCs within AWS and cannot extend to an on-premises network; it does not support on-premises connectivity and does not provide encryption by default.

261
Multi-Selectmedium

A company wants to connect its on-premises network to AWS using AWS Direct Connect. The company has two data centers, each with a redundant connection to an AWS Direct Connect location. The company wants to ensure high availability and failover capability. Which THREE steps should be taken?

Select 3 answers
A.Configure a VPN connection as a backup in case Direct Connect fails.
B.Order at least two Direct Connect connections from different providers or locations.
C.Configure BGP sessions over each Direct Connect connection.
D.Use a Direct Connect gateway to connect to multiple VPCs.
E.Provision multiple virtual interfaces on a single Direct Connect connection.
AnswersB, C, D

Multiple connections ensure redundancy if one fails.

Why this answer

Option B is correct: order two or more Direct Connect connections for redundancy. Option C is correct: use Border Gateway Protocol (BGP) to exchange routes between on-premises and AWS. Option D is correct: use a Direct Connect gateway to connect to multiple VPCs.

Option A is incorrect because a VPN is not required if Direct Connect is used, though it can serve as a backup. Option E is incorrect because multiple virtual interfaces can be established over a single connection, but that does not provide connection-level redundancy.

262
MCQhard

A network engineer troubleshoots a VPN connection that shows the 'available' state, but traffic is not passing. The on-premises firewall logs show that the tunnel is established, but no traffic is flowing. The engineer checks the VPN configuration. Based on the exhibit, what is the MOST likely cause of the problem?

A.The VPN connection is not in 'available' state.
B.The VPN is configured for BGP (StaticRoutesOnly: false), but only a static route is added.
C.The outside IP addresses are not routable over the internet.
D.The inside IP addresses for the tunnels are missing.
AnswerB

With StaticRoutesOnly: false, BGP is required for route propagation; static routes are ignored.

Why this answer

Option B is correct because the VPN connection has StaticRoutesOnly set to false, meaning dynamic routing (BGP) is expected, but the route shown is a static route, which would not be used because the VPN is configured for BGP. Option A is incorrect because the VPN state is available. Option D is incorrect because the inside IP addresses are present.

Option C is incorrect because the outside IP addresses are routable.

263
Multi-Selecthard

A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. Both connections will terminate at the same Direct Connect gateway. Which TWO steps are required to enable BGP multipath (ECMP) across the two connections?

Select 2 answers
A.Ensure the same customer-side ASN is used on both virtual interfaces.
B.Use a different autonomous system number (ASN) on each virtual interface.
C.Advertise different BGP prefixes on each virtual interface.
D.Advertise the same BGP prefixes (routes) on both virtual interfaces.
E.Attach each virtual interface to a different VPC.
AnswersA, D

Same ASN is required for ECMP.

Why this answer

To enable BGP multipath (ECMP) across two Direct Connect connections terminating on the same Direct Connect gateway, you must use the same customer-side ASN on both virtual interfaces. This allows the Direct Connect gateway to treat both paths as equal-cost routes. Additionally, you must advertise the same BGP prefixes on both virtual interfaces so that the gateway sees identical routes from both paths and can load-balance traffic across them.

Exam trap

AWS often tests the misconception that using different ASNs or different prefixes is required for redundancy, but the key to ECMP is identical ASN and identical prefixes to enable equal-cost multipath routing.

264
MCQhard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to connect to an on-premises network via AWS Direct Connect. The on-premises network uses 10.0.0.0/16. Which solution allows connectivity without IP overlap?

A.Establish a VPC peering connection between the VPC and on-premises network.
B.Use AWS Direct Connect with a private VIF and static routes to route traffic.
C.Create a new VPC with a non-overlapping CIDR, connect both VPCs via Transit Gateway, and use NAT on the Transit Gateway attachment to the on-premises network.
D.Deploy a NAT instance in the VPC to translate on-premises IPs.
AnswerC

Transit Gateway with NAT attachment allows IP translation to resolve overlap.

Why this answer

Option C is correct because creating a new VPC with a non-overlapping CIDR (e.g., 172.16.0.0/16) and using Transit Gateway with network address translation (NAT) on the attachment resolves the overlap. Option A is wrong because overlapping CIDRs cannot be directly peered or connected via VPN. Option B is wrong because Direct Connect does not change IP addresses.

Option D is wrong because a single NAT instance cannot handle all traffic for overlapping CIDRs.

265
MCQhard

A company runs a critical application on EC2 instances in a VPC with a single private subnet (10.0.1.0/24) in us-east-1a. The instances need to download security updates from the internet. The company currently uses a NAT Gateway in a public subnet (10.0.0.0/24) in us-east-1a. Recently, an Availability Zone failure caused us-east-1a to become unavailable, and the application could not reach the internet. The company wants to redesign the network to be highly available across multiple AZs for internet access. The application must continue to use private IP addresses for outbound traffic. The company has a limited budget and wants to minimize costs while meeting high availability. Which solution should the company implement?

A.Deploy one NAT Gateway in a new public subnet in us-east-1b and update the private subnet route table to use it.
B.Remove the NAT Gateway and attach an internet gateway to the VPC. Add a route in the private subnet route table pointing 0.0.0.0/0 to the internet gateway.
C.Deploy a NAT Gateway in each of two AZs (us-east-1a and us-east-1b) in public subnets. Create private subnets in both AZs with separate route tables pointing to the local NAT Gateway.
D.Replace the NAT Gateway with a NAT instance in a public subnet in us-east-1a and configure a secondary ENI in us-east-1b for failover.
AnswerC

Multi-AZ NAT Gateways provide high availability with automatic failover.

Why this answer

Option C is correct because it ensures high availability for outbound internet traffic by deploying a NAT Gateway in each of two Availability Zones (us-east-1a and us-east-1b) with separate private subnets and route tables. This design eliminates the single point of failure; if one AZ fails, the other NAT Gateway continues to route traffic. The application retains private IP addresses for outbound traffic, and the cost is minimized by using only two NAT Gateways (one per AZ) rather than a more expensive multi-AZ architecture like a transit gateway or VPN.

Exam trap

The trap here is that candidates often think a single NAT Gateway in a different AZ (Option A) provides high availability, but they miss that a NAT Gateway is AZ-scoped and cannot fail over to another AZ automatically, so a single NAT Gateway remains a single point of failure.

How to eliminate wrong answers

Option A is wrong because deploying a single NAT Gateway in us-east-1b still creates a single point of failure; if us-east-1b fails, internet access is lost. Option B is wrong because attaching an internet gateway directly to a private subnet would assign public IP addresses to the instances, violating the requirement to use private IP addresses for outbound traffic; internet gateways only work with public subnets and public IPs. Option D is wrong because using a NAT instance with a secondary ENI in another AZ for failover is more complex, less reliable (manual or scripted failover), and typically more expensive than managed NAT Gateways; NAT instances also require ongoing patching and management, contradicting the limited budget and high availability goals.

266
MCQhard

The EC2 instance has a private IP 10.0.1.5. The first two hops are 10.0.1.1 (the subnet's default gateway) and 10.0.0.1. Based on the traceroute, what is the most likely configuration of the VPC?

A.The subnet is a public subnet with a route to an Internet Gateway
B.The subnet is a private subnet with no route to an Internet Gateway, and the default route points to a NAT instance or is missing
C.The subnet is a private subnet with a route to a NAT Gateway
D.The subnet is connected to a VPN
AnswerB

Traffic stops at VPC router, indicating no internet path.

Why this answer

The traceroute shows the first hop as 10.0.1.1 (the subnet's default gateway) and the second hop as 10.0.0.1 (the VPC router's IP for the main route table). The absence of a third hop to a public IP or NAT device indicates that the instance's traffic is not being forwarded beyond the VPC router. This is consistent with a private subnet that has no route to an Internet Gateway and either has no default route or a default route pointing to a NAT instance that is not responding or is missing, causing the traceroute to stop at the VPC router.

Exam trap

The trap here is that candidates often assume a private subnet must have a NAT Gateway or NAT instance for outbound traffic, but the traceroute's lack of a third hop indicates that either no NAT device exists or the default route is missing entirely, not that a NAT device is present but unresponsive.

How to eliminate wrong answers

Option A is wrong because if the subnet were public with a route to an Internet Gateway, the traceroute would show a third hop to the Internet Gateway's public IP or beyond, not stop at 10.0.0.1. Option C is wrong because a private subnet with a route to a NAT Gateway would show a third hop to the NAT Gateway's private IP (e.g., 10.0.0.100) before reaching the Internet, not stop at the VPC router. Option D is wrong because a VPN connection would route traffic through a Virtual Private Gateway, which would appear as a hop with a private IP in the VPC's CIDR range (e.g., 10.0.0.2) and then to the on-premises network, not stop at 10.0.0.1.

267
MCQmedium

A company is designing a multi-region active-active application using Application Load Balancers (ALBs) behind AWS Global Accelerator. The application uses Aurora MySQL global database. Which design should be used to minimize cross-region latency for writes?

A.Use Route 53 latency-based routing with a single ALB in the primary region.
B.Use Amazon CloudFront with origins in both regions and cache invalidation for writes.
C.Use Global Accelerator with a single ALB endpoint in one region and failover to the second region.
D.Deploy an ALB in each region with a Global Accelerator endpoint group containing both ALBs.
AnswerD

Global Accelerator with two endpoints provides active-active, anycast routing to the nearest region.

Why this answer

Option D is correct because deploying an ALB in each region and adding both to a Global Accelerator endpoint group enables active-active traffic distribution with optimal path routing via the AWS global network. Global Accelerator uses Anycast IPs to direct user traffic to the nearest healthy endpoint, minimizing latency. For writes to an Aurora MySQL global database, the primary region handles all write operations, but Global Accelerator ensures that write requests are routed to the primary region's ALB with the lowest possible latency from the client's location, while read traffic can be served locally from the secondary region's ALB.

Exam trap

The trap here is that candidates often assume Global Accelerator only supports active-passive failover, but it actually supports active-active configurations with multiple endpoints in an endpoint group, which is essential for minimizing cross-region latency in a multi-region setup.

How to eliminate wrong answers

Option A is wrong because Route 53 latency-based routing does not provide static Anycast IPs and can introduce DNS caching delays, making it unsuitable for minimizing cross-region write latency in an active-active design. Option B is wrong because CloudFront is a content delivery network optimized for static and dynamic content caching, not for handling database write operations; cache invalidation does not reduce write latency to an Aurora global database. Option C is wrong because using a single ALB endpoint with failover to a second region creates an active-passive architecture, not active-active, and fails to minimize latency for writes as traffic is not distributed to the nearest region.

268
MCQhard

A company has a Direct Connect connection with a private VIF to a VPC. They want to extend this connectivity to multiple VPCs in the same region without creating additional VIFs. Which solution should they implement?

A.Provision additional private VIFs for each VPC
B.Use VPC peering between the VPCs
C.Use a Transit VPC with VPN connections
D.Use a Direct Connect Gateway and attach the VPCs
AnswerD

Direct Connect Gateway enables a single VIF to connect to multiple VPCs.

Why this answer

Option D is correct because a Direct Connect Gateway allows a single private VIF to connect to multiple VPCs in the same region. Option C is for hybrid connectivity but not for multi-VPC. Option B is for inter-VPC routing.

Option A requires additional VIFs, which the question rules out.

269
MCQmedium

A company is designing a multi-region architecture with an Application Load Balancer (ALB) in each region. They want to route users to the nearest healthy ALB using latency-based routing. Which AWS service should be used?

A.Amazon Route 53 latency-based routing
B.Amazon CloudWatch
C.VPC Traffic Mirroring
D.AWS Global Accelerator
AnswerA

Latency-based routing routes users to the region with the lowest latency.

Why this answer

Amazon Route 53 latency-based routing directs user traffic to the AWS region with the lowest network latency for the end user, based on latency measurements between the user and each region's resources. This matches the requirement to route users to the nearest healthy ALB, as Route 53 can evaluate health checks on the ALBs and only route to healthy endpoints.

Exam trap

AWS often tests the distinction between DNS-based latency routing (Route 53) and anycast-based traffic acceleration (Global Accelerator), where candidates mistakenly choose Global Accelerator because it also improves performance, but it does not perform per-request latency-based DNS routing to the nearest healthy ALB.

How to eliminate wrong answers

Option B (Amazon CloudWatch) is wrong because CloudWatch is a monitoring and observability service for collecting metrics, logs, and alarms; it does not perform DNS routing or traffic steering. Option C (VPC Traffic Mirroring) is wrong because it copies network traffic from an elastic network interface for analysis (e.g., security inspection) and has no capability to route users based on latency or health. Option D (AWS Global Accelerator) is wrong because while it uses the AWS global network and anycast IPs to improve performance, it does not use latency-based DNS routing; it relies on static anycast IPs and endpoint weights, not per-request latency measurements to the nearest healthy ALB.

270
MCQeasy

A developer wants to allow an EC2 instance in a VPC to access an Amazon S3 bucket without traversing the public internet. Which AWS service should be used?

A.AWS PrivateLink with an interface VPC endpoint.
B.VPC Gateway Endpoint for S3.
C.NAT gateway in the public subnet.
D.AWS Direct Connect with a public VIF.
AnswerB

Gateway endpoints provide private access to S3 and DynamoDB.

Why this answer

Option B is correct because a VPC Gateway Endpoint allows private access to S3 without requiring an internet gateway or NAT device. Option A is incorrect because S3 does not use an interface endpoint directly (it uses a gateway endpoint). Option C is incorrect because a NAT gateway provides internet access but not private access to S3.

Option D is incorrect because S3 does not support Direct Connect privately without a VPC endpoint.

271
MCQhard

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that some VPCs cannot communicate with each other even though they are attached to the same transit gateway. What is the most likely cause?

A.The security groups on the instances are not allowing inbound traffic from the other VPCs.
B.The transit gateway route tables are missing routes to the other VPCs.
C.The VPC attachments are not in the 'available' state.
D.The VPCs' network ACLs are blocking traffic.
AnswerB

Proper routing configuration is essential for inter-VPC communication.

Why this answer

Transit Gateway uses route tables to control inter-VPC traffic. If the route tables do not have routes to the other VPCs, or if the VPCs are in different route tables that are not associated or propagated correctly, communication fails. The most common issue is that the transit gateway route tables are not properly configured with routes to the other VPC attachments.

272
MCQmedium

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises data centers. They want to centralize internet traffic through a single VPC that has an internet gateway. Which Transit Gateway feature should they enable?

A.Transit Gateway route tables
B.VPN attachments
C.Multicast support
D.IPsec acceleration
AnswerA

Route tables allow you to centralize internet traffic through a specific VPC.

Why this answer

To centralize internet traffic through a single VPC with an internet gateway, you need to control the routing of traffic from other VPCs and on-premises networks. Transit Gateway route tables allow you to isolate or share routes between attachments, enabling you to create a default route (0.0.0.0/0) pointing to the centralized VPC's attachment. This ensures all outbound internet traffic from other VPCs is forwarded to the egress VPC, which then uses its internet gateway.

Exam trap

The trap here is that candidates often confuse Transit Gateway route tables with VPC route tables, thinking that simply attaching an internet gateway to a VPC will automatically route traffic from other VPCs through it, without realizing that explicit route table entries in the Transit Gateway are required to direct traffic to the egress VPC.

How to eliminate wrong answers

Option B is wrong because VPN attachments are used to connect on-premises networks over IPsec tunnels, not to centralize internet traffic through a specific VPC. Option C is wrong because multicast support enables group communication using UDP multicast traffic, which is unrelated to routing internet-bound traffic to a single egress point. Option D is wrong because IPsec acceleration is a feature to offload IPsec encryption processing, not a routing or forwarding mechanism for internet traffic centralization.

273
MCQmedium

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to access an S3 bucket. The company wants to avoid using a NAT gateway and ensure that traffic does not traverse the internet. Which solution should be used?

A.Attach an internet gateway to the VPC and assign a public IP to the instance
B.Create a VPC endpoint for S3 (Gateway type) and update the route table
C.Set up a VPN connection to the S3 bucket
D.Deploy a NAT gateway in the public subnet and route traffic through it
AnswerB

This provides private connectivity to S3 without internet.

Why this answer

Option B is correct. A VPC endpoint for S3 (Gateway type) allows private access to S3 without going over the internet. Option D is wrong because a NAT gateway would traverse the internet.

Option C is wrong because a VPN connection is not needed for S3 access. Option A is wrong because an internet gateway would expose the instance to the internet.

274
MCQ · medium

A company is implementing a hybrid network using AWS Direct Connect and VPN backup. They have multiple VPCs in a single AWS Region. Which design minimizes the number of Direct Connect virtual interfaces while providing connectivity to all VPCs?

A. Create one private VIF attached to a Direct Connect gateway and associate the gateway with all VPCs.
B. Set up a transit VPC with EC2-based routers.
C. Create a separate private VIF for each VPC.
D. Use a single public VIF and route through the internet.
Answer: A

Direct Connect gateway enables multi-VPC connectivity over one VIF.

Why this answer

Option A is correct because a Direct Connect gateway allows multiple VPCs to connect via a single virtual interface (VIF). Option C is wrong because each private VIF is limited to one VPC, so a VIF per VPC multiplies the number of interfaces. The VPN is a backup path, not the primary one.

Option B is wrong because a transit VPC adds complexity.

275
Multi-Select · hard

A company is designing a multi-region architecture using AWS Direct Connect. Which TWO of the following are valid configurations for connecting to multiple regions? (Select TWO.)

Select 2 answers
A. Use a single Direct Connect connection to connect to all regions
B. Set up separate Direct Connect connections in each region
C. Use a Transit Gateway to connect to multiple regions
D. Use a single private VIF associated with multiple regions
E. Create a Direct Connect Gateway and associate VPCs from different regions
Answers: B, E

You can have multiple connections in different regions.

Why this answer

Options B and E are correct. A Direct Connect Gateway allows connections to multiple VPCs in different regions, and separate Direct Connect connections can be used in different regions. Option D is incorrect because a single VIF cannot be associated with multiple regions.

Option A is incorrect because a Direct Connect connection is tied to a specific AWS region. Option C is incorrect because a Transit Gateway is regional.

276
Multi-Select · medium

A company needs to log all network traffic between EC2 instances in a VPC for security analysis. They want to capture metadata about traffic, including source and destination IP, ports, protocol, and packet counts. Which THREE AWS services or features can be used to achieve this? (Choose three.)

Select 3 answers
A. AWS CloudTrail
B. VPC Flow Logs
C. Traffic Mirroring
D. AWS Network Firewall flow logs
E. Security Group rules logging
Answers: B, C, D

VPC Flow Logs capture IP traffic metadata at the network interface level.

Why this answer

Options B, C, and D are correct because VPC Flow Logs capture metadata, Traffic Mirroring captures packets for deep inspection, and AWS Network Firewall provides flow logs. Option A is wrong because CloudTrail logs API calls, not network traffic. Option E is wrong because security groups do not log traffic.

277
MCQ · easy

A company is designing a multi-Region application using Amazon Route 53 latency-based routing. The application must be highly available and failover automatically if an AWS Region becomes unavailable. What should the company do to meet these requirements?

A. Configure latency-based routing with health checks and enable DNS failover.
B. Configure active-passive failover with latency-based routing and associate health checks with each record.
C. Configure geolocation routing policies and associate health checks.
D. Configure weighted routing policies with equal weights for all regions.
Answer: B

Correct: Active-passive failover with health checks and latency routing provides automatic regional failover.

Why this answer

Option B is correct because it combines latency-based routing with health checks and active-passive failover, which allows Route 53 to route traffic to the region with the lowest latency under normal conditions and automatically fail over to the passive region if the active region's health check fails. This meets the high availability and automatic failover requirements by leveraging Route 53's DNS failover mechanism, which updates DNS responses based on health check status.

Exam trap

The trap here is that candidates often assume that simply enabling health checks with latency-based routing (Option A) is sufficient for automatic failover, but without explicitly configuring an active-passive failover policy, Route 53 does not have a defined secondary target to fail over to when all endpoints in a latency-based set become unhealthy.

How to eliminate wrong answers

Option A is wrong because while it mentions latency-based routing with health checks and DNS failover, it does not specify active-passive failover, which is necessary to ensure a clear failover target when a region becomes unavailable; without an active-passive setup, latency-based routing alone may still send traffic to unhealthy endpoints if all regions are considered active. Option C is wrong because geolocation routing policies route traffic based on the geographic location of the user, not latency or availability, and do not provide automatic failover between regions based on health checks. Option D is wrong because weighted routing policies distribute traffic based on weights and do not inherently support failover; without health checks and active-passive configuration, traffic would continue to be sent to an unavailable region.

278
MCQ · medium

A company wants to allow a specific IAM user to manage network ACLs for a specific VPC only. Which IAM policy action should be used?

A. ec2:AuthorizeSecurityGroupIngress
B. ec2:ModifyNetworkAclAttribute
C. ec2:CreateNetworkAcl
D. ec2:DescribeNetworkAcls
Answer: C

Allows creating network ACLs.

Why this answer

Option C is correct because ec2:CreateNetworkAcl is the action that creates network ACLs. Option D is wrong because ec2:DescribeNetworkAcls is read-only. Option B is wrong because ec2:ModifyNetworkAclAttribute modifies attributes; it does not create ACLs.

Option A is wrong because ec2:AuthorizeSecurityGroupIngress applies to security groups, not network ACLs.

279
MCQ · easy

A network engineer needs to monitor the number of packets dropped by a VPC flow log for a specific network interface. Which Amazon CloudWatch metric should be used?

A. NetworkPacketsDropped
B. VPCFlowLogsDroppedPackets
C. ENIDroppedPackets
D. FlowLogsBytesDropped
Answer: D

This metric from the AWS/FlowLogs namespace indicates bytes dropped by flow logs.

Why this answer

VPC Flow Logs publish metrics to CloudWatch only when the 'publish to CloudWatch Logs' option is used. The question asks about 'packets dropped', and the available metric is 'FlowLogsBytesDropped', so Option D is correct.

Options A, B, and C are not actual metrics for this purpose.

280
MCQ · medium

A company has deployed a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application must be accessible over the internet, but the security team requires that all traffic be inspected by a third-party firewall appliance. What is the MOST scalable architecture?

A. Configure a Network Load Balancer with target groups pointing to firewall appliances.
B. Use an EC2 instance as a transparent proxy and set it as the next-hop in the route table.
C. Use a Gateway Load Balancer with firewall appliances in each Availability Zone.
D. Deploy a single firewall appliance in one Availability Zone and route all traffic through it.
Answer: C

GWLB provides scalable, HA traffic inspection.

Why this answer

Option C is correct because a Gateway Load Balancer with firewall appliances in different AZs provides high availability and scalability. Option D is wrong because a single firewall is a single point of failure. Option B is wrong because using EC2 instances as the next hop in a route table is not scalable.

Option A is wrong because a Network Load Balancer does not inspect traffic; it only load balances.

281
MCQ · hard

A global e-commerce company operates a production environment on AWS with a VPC (10.0.0.0/16) containing public and private subnets in three Availability Zones. The application runs on EC2 instances in private subnets behind an Application Load Balancer (ALB) in public subnets. The company uses AWS Transit Gateway to connect multiple VPCs and on-premises data centers via Site-to-Site VPN. Recently, the operations team noticed intermittent connectivity issues: users in the Asia-Pacific region experience slow page load times and occasional timeouts, while users in other regions have no issues. The network team suspects packet loss or high latency on the VPN connection to the on-premises data center in Singapore, which hosts a critical database. The AWS Direct Connect connection is not yet available. The team ran a traceroute from an EC2 instance in the production VPC to the database server (IP 203.0.113.50) and observed high latency and packet loss on the fifth hop (a transit gateway attachment). The VPN tunnel status shows 'UP' on both ends. CloudWatch metrics for the VPN tunnel show no errors but high 'TunnelData' bytes. What should the network engineer do FIRST to resolve the issue?

A. Enable jumbo frames on the transit gateway and the EC2 instances in the private subnets.
B. Increase the VPN tunnel bandwidth by creating a second VPN tunnel and enabling ECMP.
C. Modify the BGP attributes on the transit gateway to prefer the Direct Connect path once it becomes available.
D. Rebuild the VPN connection using a different customer gateway device with stronger encryption.
Answer: A

Jumbo frames increase MTU, reducing fragmentation and packet loss, thus improving performance.

Why this answer

Option A is correct because enabling jumbo frames on the transit gateway and EC2 instances can improve throughput and reduce latency by allowing a larger MTU, which reduces the number of packets and thus CPU overhead. High latency and packet loss on a transit gateway attachment, especially with high data volume, suggests MTU issues. Option C is incorrect because, while BGP attributes can influence routing, the symptoms point to MTU fragmentation rather than suboptimal routing.

Option B is incorrect because increasing VPN bandwidth does not address packet loss due to MTU. Option D is incorrect because the VPN tunnel is already up and CloudWatch shows high data volume, not errors.

282
MCQ · easy

A network engineer needs to allow an EC2 instance in a private subnet to access an S3 bucket without traversing the internet. Which AWS service should be used?

A. VPC Peering
B. VPC Gateway Endpoint
C. Internet Gateway
D. NAT Gateway
Answer: B

Gateway Endpoint allows private access to S3.

Why this answer

A VPC Gateway Endpoint provides private connectivity to S3 and DynamoDB without requiring a NAT or IGW.

283
Multi-Select · medium

A company is designing a network for a VPC with a CIDR of 10.0.0.0/16. The VPC has three private subnets in three different Availability Zones. The company needs to provide internet access to instances in the private subnets for software updates. The architecture must be highly available and cost-effective. Which TWO actions should the network engineer take?

Select 2 answers
A. Configure each private subnet's route table to route 0.0.0.0/0 to the NAT Gateway in the same Availability Zone.
B. Use a NAT instance in an Auto Scaling group.
C. Deploy a NAT Gateway in each Availability Zone.
D. Use a single route table for all private subnets and route to one NAT Gateway.
E. Deploy a single NAT Gateway in one Availability Zone.
Answers: A, C

This ensures traffic uses the NAT Gateway in the same AZ.

Why this answer

To achieve high availability, deploy a NAT Gateway in each AZ and point each private subnet's route table to the NAT Gateway in its own AZ. Option C is correct because multiple NAT Gateways provide fault tolerance.

Option A is correct because routing to the NAT Gateway in the same AZ keeps traffic within the AZ. Option E is incorrect because a single NAT Gateway is a single point of failure. Option B is incorrect because NAT instances are not fully managed and are less reliable.

Option D is incorrect because a single route table would force all traffic through one NAT Gateway.

284
MCQ · hard

A company has a Direct Connect connection with a public VIF to access AWS public services. The on-premises network team reports that they can reach S3 but not DynamoDB. The route table on the customer router shows a default route to the public VIF. What is the most likely cause?

A. The Direct Connect connection is degraded and only supports S3 traffic.
B. The BGP session between the customer router and AWS is down.
C. The on-premises firewall is blocking outbound traffic to the DynamoDB IP ranges.
D. The VPC route table does not have a route to the DynamoDB endpoint.
Answer: C

Different AWS services have different IP ranges; firewall may block DynamoDB.

Why this answer

Option C is correct because DynamoDB uses a different set of public IP ranges than S3, and the on-premises firewall might block access to those ranges. Option D is wrong because the VPC route table does not affect public VIF traffic. Option B is wrong because the public VIF does not involve BGP; it uses public IPs.

Option A is wrong because the Direct Connect connection is working for S3.

285
MCQ · hard

A company has multiple VPCs connected via AWS Transit Gateway. They need to inspect all inter-VPC traffic using a centralized firewall appliance. What is the most efficient way to achieve this?

A. Attach the firewall appliance to the Transit Gateway and configure Transit Gateway route tables to send traffic to the appliance
B. Enable VPC Flow Logs and analyze traffic patterns
C. Create VPC Gateway Endpoints for each VPC and route traffic through them
D. Use a Network Load Balancer to distribute traffic to the firewall appliance
Answer: A

This centralizes inspection by routing inter-VPC traffic through the firewall appliance.

Why this answer

Option A is correct because Transit Gateway supports route tables and attachments; you can attach the firewall appliance to a Transit Gateway and create a blackhole route or use the appliance as a route target. Option C is wrong because VPC endpoints are for accessing AWS services. Option D is wrong because a Network Load Balancer does not inspect traffic.

Option B is wrong because VPC Flow Logs only log traffic metadata.

286
MCQ · medium

A company has multiple VPCs across different AWS Regions and wants to enable communication between them using AWS's global network backbone. Which solution meets these requirements with minimal operational overhead?

A. Use AWS Transit Gateway with inter-Region peering.
B. Set up AWS Direct Connect connections to each VPC.
C. Create VPC peering connections between each pair of VPCs.
D. Use AWS Site-to-Site VPN between VPCs.
Answer: A

Simplifies connectivity across Regions.

Why this answer

AWS Transit Gateway with inter-Region peering is correct because it allows you to connect multiple VPCs across different AWS Regions using AWS's global network backbone, providing a hub-and-spoke architecture that scales easily. This solution minimizes operational overhead by centralizing routing and eliminating the need to manage individual connections between each VPC, as Transit Gateway automatically handles route propagation and traffic distribution across peered transit gateways.

Exam trap

AWS often tests the misconception that VPC peering is the simplest solution for multi-VPC connectivity, but the trap here is that VPC peering lacks transitive routing and requires a full mesh for more than two VPCs, making it operationally heavy for multi-region setups, whereas Transit Gateway with inter-Region peering provides a scalable, centrally managed alternative.

How to eliminate wrong answers

Option B is wrong because AWS Direct Connect is a dedicated physical connection from on-premises to AWS, not designed for inter-VPC or inter-Region VPC communication, and would require additional virtual interfaces and complex routing to connect multiple VPCs across regions, increasing operational overhead. Option C is wrong because VPC peering does not support transitive routing, meaning you would need to create a full mesh of peering connections between every pair of VPCs, which becomes unmanageable as the number of VPCs grows and does not leverage AWS's global backbone for inter-Region traffic efficiently. Option D is wrong because AWS Site-to-Site VPN is typically used for connecting on-premises networks to AWS VPCs over the public internet, not for inter-VPC communication within AWS, and it introduces latency and complexity compared to using Transit Gateway peering over the AWS global network.

287
MCQ · medium

A company uses AWS Transit Gateway to connect multiple VPCs and an on-premises network via VPN. The on-premises network advertises a route for 10.0.0.0/8. One VPC has a CIDR of 10.0.1.0/24. How does Transit Gateway handle the overlapping route?

A. The Transit Gateway uses the longest prefix match; the VPC route 10.0.1.0/24 is more specific.
B. The Transit Gateway prefers the on-premises route because it is learned via BGP.
C. The Transit Gateway drops traffic to 10.0.1.0/24 due to conflict.
D. The Transit Gateway summarises the on-premises route to 10.0.0.0/16.
Answer: A

Longest prefix match determines forwarding.

Why this answer

Option A is correct because Transit Gateway uses the longest prefix match, so the more specific 10.0.1.0/24 route from the VPC takes precedence. Option D is wrong because Transit Gateway does not summarise routes. Option B is wrong because there is no conflict resolution based on attachment type.

Option C is wrong because Transit Gateway does not blackhole traffic for overlapping routes.

288
MCQ · hard

A company has a Direct Connect connection with a private VIF to a VPC. The on-premises router is advertising a default route (0.0.0.0/0) via BGP. The VPC has an internet gateway attached, and the route table has a default route to the internet gateway. The network team notices that traffic from on-premises to the internet is not working as expected. What is the most likely cause?

A. The BGP session is not established.
B. The on-premises router is advertising a default route, causing a routing conflict.
C. The VPC route table does not have a route to the internet gateway for the on-premises traffic.
D. The private VIF is associated with the wrong VLAN.
Answer: B

The default route from Direct Connect may override the internet gateway route, breaking internet access for on-premises traffic.

Why this answer

The on-premises router advertising a default route (0.0.0.0/0) via BGP over the private VIF causes a routing conflict because the VPC route table already has a default route pointing to the internet gateway. When traffic from on-premises destined for the internet enters the VPC, it matches the more specific BGP-learned default route and is forwarded back toward the on-premises router (or black-holed), rather than being sent to the internet gateway. This creates a routing loop or asymmetric routing, breaking internet connectivity from on-premises.

Exam trap

AWS often tests the misconception that a default route advertised via BGP over Direct Connect is harmless or that the internet gateway route will always take precedence, but in reality, the VPC route table matches the most specific route (both are /0), and the BGP-learned route over the virtual private gateway is preferred for traffic entering the VPC from on-premises, causing the conflict.

How to eliminate wrong answers

Option A is wrong because if the BGP session were not established, the on-premises router would not be advertising any routes, and the issue described (traffic not working) would be due to a lack of routing, not a conflict; the scenario explicitly states the on-premises router is advertising a default route, implying BGP is established. Option C is wrong because the VPC route table does have a default route to the internet gateway (as stated in the question), so the absence of such a route is not the cause. Option D is wrong because a private VIF associated with the wrong VLAN would prevent the VIF from functioning at Layer 2, causing complete loss of connectivity (not just internet traffic), and the question indicates that the BGP session is established and routes are being exchanged, which requires correct VLAN association.

289
MCQ · medium

A company uses AWS Transit Gateway to interconnect multiple VPCs and on-premises networks. They notice that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What configuration change should be made to ensure optimal routing?

A. Enable route propagation from the VPC attachments into the Transit Gateway route table.
B. Disable cross-zone load balancing on the Transit Gateway.
C. Add static routes to the Transit Gateway route table pointing to the VPN attachment.
D. Modify the VPC route tables to add routes to the other VPC via the Transit Gateway.
Answer: A

Route propagation allows VPC routes to be exchanged, enabling direct routing.

Why this answer

Option A is correct because Transit Gateway route tables control the path; enabling route propagation from VPC attachments adds routes for direct VPC-to-VPC communication. Option C is incorrect because VPN attachments do not affect VPC-to-VPC routing. Option D is incorrect because VPC route tables do not control Transit Gateway path selection.

Option B is incorrect because cross-zone load balancing is for load balancers, not routing.

290
Multi-Select · medium

Which TWO of the following are valid configurations for an AWS Direct Connect virtual interface? (Choose two.)

Select 2 answers
A. VPN virtual interface
B. Private virtual interface
C. Hosted virtual interface
D. Transit virtual interface
E. Public virtual interface
Answers: B, E

Private VIF is used to connect to a VPC.

Why this answer

A private virtual interface (B) allows you to connect your on-premises network directly to an Amazon VPC using private IP addresses, providing a secure, dedicated connection that bypasses the internet. A public virtual interface (E) enables access to all AWS public services (e.g., Amazon S3, DynamoDB) over the Direct Connect link using public IP addresses, without traversing the internet. Both are standard, supported virtual interface types for AWS Direct Connect.

Exam trap

AWS often tests the distinction between the three valid virtual interface types (private, public, transit) and tricks candidates by including 'VPN virtual interface' or 'Hosted virtual interface' as plausible-sounding options, exploiting confusion about how VPNs and partner-provisioned connections relate to Direct Connect.

291
MCQ · easy

A solutions architect needs to design a highly available web application that uses an Application Load Balancer (ALB) and spans multiple Availability Zones (AZs) in a single region. The application must be able to handle a sudden increase in traffic without manual intervention. Which feature should the architect enable on the ALB to meet this requirement?

A. Enable connection draining
B. Enable sticky sessions
C. Enable cross-zone load balancing
D. Enable deletion protection
Answer: C

Cross-zone load balancing distributes traffic evenly across instances in all AZs, allowing the ALB to handle spikes by using all healthy instances effectively.

Why this answer

Cross-zone load balancing distributes incoming traffic evenly across all registered targets in all enabled Availability Zones, rather than sending traffic only to targets in the same AZ as the load balancer node. This ensures that if one AZ receives more traffic than another, the ALB can still balance the load across all healthy instances, allowing the application to handle sudden traffic spikes without manual scaling intervention.

Exam trap

The trap here is that candidates often confuse cross-zone load balancing with auto scaling, but cross-zone load balancing is a feature of the ALB itself that distributes existing traffic more evenly, whereas auto scaling handles capacity changes; the question specifically asks for a feature to handle sudden traffic increase without manual intervention, and cross-zone load balancing ensures the ALB can use all available capacity across AZs immediately.

How to eliminate wrong answers

Option A is wrong because connection draining (also known as deregistration delay) is used to complete in-flight requests before an instance is deregistered, not to handle sudden traffic increases. Option B is wrong because sticky sessions (session affinity) bind a user's session to a specific target, which can cause uneven load distribution and does not help with handling traffic spikes. Option D is wrong because deletion protection prevents accidental deletion of the ALB, but has no effect on traffic handling or scalability.

292
MCQ · hard

A company runs a critical application on Amazon EC2 instances in a VPC. The application receives data from an on-premises data center over an AWS Direct Connect connection. The company wants to add redundant connectivity using a VPN connection over the internet. They need to ensure that traffic from on-premises to AWS uses the Direct Connect connection when it is healthy, and only fails over to the VPN if Direct Connect fails. Which configuration achieves this?

A. Advertise a more specific prefix over Direct Connect and a less specific prefix over VPN, and set a higher MED value on the VPN routes.
B. Advertise the same prefix over both connections but prepend AS_PATH multiple times on the Direct Connect routes.
C. Set a higher BGP weight on the VPN routes.
D. Set a lower BGP local preference on the Direct Connect routes.
Answer: A

BGP prefers more specific prefixes. Higher MED on VPN makes Direct Connect routes preferred when both are available.

Why this answer

Option A is correct. By advertising a more specific prefix (e.g., /24) over Direct Connect and a less specific prefix (e.g., /23) over VPN, BGP will prefer the more specific route. Additionally, setting a higher MED value on the VPN routes makes Direct Connect routes preferred.

Option B is incorrect because a longer AS_PATH in BGP makes a route less preferred. Option D is incorrect because a lower local preference makes a route less preferred. Option C is incorrect because a higher weight makes a route more preferred, which would prefer the VPN.

293
MCQ · easy

A company is using AWS Client VPN to provide remote access to its VPC. Users report that they can connect but cannot access any resources. The VPN is configured with a security group that allows all traffic. What should the administrator check?

A. The client VPN security group inbound rules
B. The client VPN endpoint certificate
C. The client VPN route table
D. The client VPN authorization rules
Answer: D

Authorization rules define which networks clients can access.

Why this answer

Client VPN uses an authorization rule to allow access to specific networks. Without an authorization rule, even if the security group allows traffic, the VPN will not forward traffic.

294
MCQ · medium

A company has a VPC with public and private subnets. The security team wants to detect and alert on any SSH traffic (port 22) that originates from the internet to any EC2 instance in the VPC. Which solution achieves this with minimal operational overhead?

A. Enable VPC Flow Logs, publish to CloudWatch Logs, and create a metric filter for SSH traffic.
B. Configure a security group rule to deny inbound SSH and enable security group logging.
C. Use AWS Config to detect security group rules that allow SSH from 0.0.0.0/0.
D. Enable Amazon GuardDuty and rely on its threat detection.
Answer: A

This approach logs traffic and alerts on SSH without manual inspection.

Why this answer

VPC Flow Logs can be published to CloudWatch Logs, and a CloudWatch Logs metric filter can detect SSH traffic. Security groups can deny traffic but cannot alert. AWS Config can track configuration changes.

GuardDuty detects threats but does not specifically alert on SSH traffic.

295
MCQ · hard

A network engineer is designing a VPC with public and private subnets. The private subnets must have outbound internet access for software updates but must not be directly reachable from the internet. The company wants to minimize cost and operational overhead. Which solution meets these requirements?

A. Deploy a NAT Gateway in a public subnet and add a route in the private subnet route table pointing 0.0.0.0/0 to the NAT Gateway.
B. Use an egress-only internet gateway and route 0.0.0.0/0 to it from the private subnets.
C. Create a VPC peering connection to a VPC with internet access and route 0.0.0.0/0 through the peering connection.
D. Attach an internet gateway to the VPC and add a route in the private subnet route table pointing 0.0.0.0/0 to the internet gateway.
Answer: A

NAT Gateway allows outbound traffic from private subnets while blocking unsolicited inbound traffic.

Why this answer

A NAT Gateway, deployed in a public subnet with an associated Elastic IP, enables instances in private subnets to initiate outbound IPv4 connections to the internet (e.g., for software updates) while preventing unsolicited inbound connections from the internet. Adding a default route (0.0.0.0/0) in the private subnet route table pointing to the NAT Gateway satisfies the requirement for outbound-only internet access with minimal cost and operational overhead, as NAT Gateway is a managed service that scales automatically.

Exam trap

AWS often tests the misconception that an egress-only internet gateway can be used for IPv4 outbound traffic, or that VPC peering can be used to route internet-bound traffic through another VPC, when in fact both are invalid for this scenario.

How to eliminate wrong answers

Option B is wrong because an egress-only internet gateway is designed for IPv6 traffic only; it cannot provide outbound internet access for IPv4 traffic, which is required for software updates. Option C is wrong because VPC peering does not support transitive routing; routing 0.0.0.0/0 through a peering connection to another VPC would not provide internet access unless that VPC has its own internet gateway and proper routing, and it violates AWS peering rules (cannot route to internet via peering). Option D is wrong because adding a route to an internet gateway in a private subnet route table would make instances directly reachable from the internet (if they have public IPs) or would not work at all for instances without public IPs; an internet gateway requires a public IP on the instance for outbound traffic, and it does not provide the required inbound restriction.

296
MCQ · medium

A company uses AWS Organizations with SCPs to enforce security controls. The security team wants to prevent users from disabling Amazon GuardDuty or modifying its configuration in any member account. Which SCP effect should be used?

A. Deny
B. Prevent
C. Allow
D. Block
Answer: A

Deny explicitly prohibits the specified actions in SCPs.

Why this answer

The correct answer is 'Deny' because SCPs use Deny to explicitly block actions. Allow is used to whitelist, but SCPs default to Allow, so Deny is needed to override. 'Block' and 'Prevent' are not valid SCP effects.

297
MCQ · medium

A company has a multi-account AWS environment using AWS Transit Gateway with a centralized network account. The network team wants to ensure that only specific VPCs can communicate with each other. What is the best practice to achieve this?

A. Configure security groups in each VPC to allow traffic only from specific VPC CIDRs.
B. Use VPC peering connections between the VPCs that need to communicate.
C. Create multiple Transit Gateway route tables and associate each VPC attachment with the appropriate route table.
D. Use AWS Network Manager to create routing policies.
Answer: C

Separate route tables enable segmentation and controlled communication.

Why this answer

Option C is correct because Transit Gateway route tables with route propagation and static routes allow fine-grained control over which VPCs can communicate. Option D is wrong because Network Manager is for monitoring, not routing control. Option B is wrong because VPC peering is point-to-point and does not scale.

Option A is wrong because security groups in each VPC add complexity and do not control Transit Gateway routing.

298
MCQ · easy

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets are used for NAT gateways and an Application Load Balancer (ALB). The private subnets host EC2 instances running a web application. What is the most cost-effective and highly available configuration for internet access from the private instances?

A. Deploy a NAT gateway in each public subnet and configure private route tables with a default route to the NAT gateway in the same AZ.
B. Create a single NAT gateway in one public subnet and route all private traffic to it.
C. Attach an internet gateway to the VPC and add a default route to it in the private subnets.
D. Launch a NAT instance in each public subnet and configure the private route tables.
Answer: A

Provides high availability (each AZ independent) and uses managed service, cost-effective for moderate traffic.

Why this answer

Option A is correct because a NAT gateway in each AZ, with each private route table pointing at the NAT gateway in its own AZ, keeps every AZ independent: an AZ outage takes down only that AZ's egress, and no egress traffic crosses AZs (which would add data-transfer charges on top of the outage dependency). Option B is wrong because a single NAT gateway is a single point of failure and makes the other AZ's egress depend on it. Option D is wrong because NAT instances must be patched, sized and failed over by the operator, and the managed gateway is cheaper to run at moderate traffic.

Option C is wrong because a default route to the internet gateway only works for instances with public IP addresses; private instances have none, so the route would not give them internet access.

299
MCQeasy

A network engineer needs to block traffic from a specific IP address to an EC2 instance. Which component should be modified?

A.Route table
B.VPC Flow Logs
C.Network ACL
D.Security group
AnswerC

NACLs support allow and deny rules.

Why this answer

Option C is correct because a network ACL supports both allow and deny rules at the subnet level, so a deny rule for the address (as a /32) blocks it before it reaches any instance in the subnet. Rules are evaluated in ascending rule-number order and the first match wins, so the deny must be numbered lower than any allow rule that would also match the traffic. Option D is wrong because security groups have allow rules only; the only way to keep an address out with a security group is to not allow it. Option A is wrong because route tables choose a next hop and do not filter traffic.

Option B is wrong because VPC Flow Logs record traffic metadata; they do not filter it.

300
MCQeasy

A network engineer needs to monitor traffic between a VPC and an on-premises network over an AWS Site-to-Site VPN. Which AWS service should be used to capture packet-level information for troubleshooting?

A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.AWS Transit Gateway Network Manager
D.VPC Flow Logs
AnswerD

VPC Flow Logs capture IP traffic information for network interfaces.

Why this answer

Option D is correct because VPC Flow Logs are the only option offered that records network traffic: for each flow they capture the interface, source and destination addresses and ports, protocol, packet and byte counts, and whether the flow was accepted or rejected by the security group or network ACL. Note the limitation: flow logs capture per-flow metadata, not packet payloads, so true packet-level capture over the VPN would require VPC Traffic Mirroring, which is not among the options. Option A is incorrect because CloudWatch Logs is a destination that can store flow logs but does not capture traffic itself. Option B is incorrect because AWS CloudTrail records API activity, not network traffic.

Option C is incorrect because Transit Gateway Network Manager provides topology, tunnel status and monitoring, not traffic capture.
