AWS Certified Advanced Networking Specialty (ANS-C01) — Questions 301–375

1705 questions total · 23 pages · All types, answers revealed


Page 5 of 23

301
Multi-Select · medium

Which TWO of the following are valid ways to encrypt data in transit between an on-premises data center and an Amazon VPC? (Choose two.)

Select 2 answers
A. Use AWS Site-to-Site VPN.
B. Use AWS Direct Connect without any additional encryption.
C. Use AWS Direct Connect with a VPN tunnel over the connection.
D. Use VPC peering.
E. Use an internet gateway with a security group.
Answers: A, C

Site-to-Site VPN uses IPSec to encrypt traffic between on-premises and VPC.

Why this answer

Options A and C are correct. AWS Site-to-Site VPN creates an IPSec tunnel, encrypting all traffic. AWS Direct Connect can be combined with a VPN over the connection to encrypt traffic.

Option B is incorrect because Direct Connect alone does not provide encryption. Option D is incorrect because VPC peering does not encrypt traffic. Option E is incorrect because an internet gateway does not encrypt traffic.

302
Multi-Select · medium

A company has a VPC with public and private subnets. The security team wants to inspect all traffic between the private subnets and the internet using a centralized inspection VPC. The company uses AWS Network Firewall and wants to ensure that traffic cannot bypass the firewall. Which TWO actions should the company take? (Choose TWO.)

Select 2 answers
A. Configure an AWS WAF web ACL and associate it with the internet gateway.
B. Deploy the Network Firewall in a dedicated inspection VPC and use VPC peering or a transit gateway to route traffic from the workload VPC to the inspection VPC.
C. Enable VPC Flow Logs on the private subnets to monitor traffic.
D. Configure the private subnet route table in the workload VPC to route 0.0.0.0/0 traffic to the Network Firewall endpoint.
E. Create an internet gateway in the workload VPC and attach it to the private subnets.
Answers: B, D

A centralized inspection VPC allows the firewall to inspect traffic without being in the workload VPC.

Why this answer

Option B is correct because deploying AWS Network Firewall in a dedicated inspection VPC and using a transit gateway (or VPC peering) allows centralized traffic inspection. This architecture ensures that all traffic between the workload VPC and the internet is routed through the inspection VPC, preventing bypass. The transit gateway enables transitive routing, while VPC peering can also be used with proper route table entries to force traffic through the firewall.

Exam trap

The trap here is that candidates often confuse AWS WAF with Network Firewall, thinking WAF can inspect all network traffic, when in fact WAF only inspects HTTP/HTTPS traffic at the application layer and cannot inspect non-web protocols like SSH, RDP, or custom TCP/UDP traffic.

303
MCQ · hard

A company is designing a multi-account AWS environment using AWS Organizations. The company wants to centralize outbound internet traffic from all VPCs in all accounts through a single VPC in a shared services account. The shared services account has a VPC with a NAT gateway and an internet gateway. Which architecture meets this requirement?

A. Create VPC gateway endpoints for all AWS services in each VPC.
B. Set up a VPN connection from each VPC to the shared services VPC and use the latter's internet gateway.
C. Attach all VPCs to a transit gateway and route traffic through a shared services VPC that has a NAT gateway and an internet gateway.
D. Peer each VPC to the shared services VPC and configure a default route pointing to the shared services VPC's NAT gateway.
Answer: C

Transit gateway enables transitive routing and centralized internet.

Why this answer

Option C is correct because a transit gateway with a default route to the shared services VPC, and a NAT gateway there, provides centralized outbound internet access. Option D is incorrect because VPC peering does not support transitive routing. Option B is incorrect because a VPN connection is not needed.

Option A is incorrect because VPC endpoints are for specific services, not general internet access.

304
MCQ · medium

A company is using AWS Site-to-Site VPN connections to connect multiple branch offices to a central VPC. The network team wants to ensure high availability and automatic failover if one VPN tunnel goes down. Which configuration should be implemented?

A. Configure a second VPN connection to the same customer gateway and use BGP with equal-cost multipath
B. Use the two tunnels provided by the VPN connection with dynamic routing (BGP)
C. Use a single tunnel and rely on AWS automatic recovery
D. Configure static routes with a higher metric for the secondary tunnel
Answer: B

Two tunnels with BGP provide automatic failover.

Why this answer

Each AWS Site-to-Site VPN connection provides two tunnels for high availability. By using dynamic routing (BGP) with both tunnels, the VPN automatically fails over to the second tunnel if the first goes down, without manual intervention. This meets the requirement for automatic failover and high availability.

Exam trap

The trap here is that candidates assume a single VPN connection with two tunnels is not enough, and they over-engineer by adding a second VPN connection or using static routes, missing that AWS's built-in dual-tunnel design with BGP already provides automatic failover.

How to eliminate wrong answers

Option A is wrong because configuring a second VPN connection to the same customer gateway with BGP and ECMP does not provide automatic failover within a single VPN connection; it adds complexity and is not the standard AWS HA design. Option C is wrong because a single tunnel lacks redundancy; AWS automatic recovery only restores a failed tunnel, but there is no failover path during the recovery period, causing downtime. Option D is wrong because static routes with a higher metric for the secondary tunnel do not support automatic failover with BGP; static routing requires manual intervention or additional scripting to detect failure and switch routes, and it does not leverage BGP's dynamic path selection.

305
Multi-Select · hard

Which THREE are best practices for designing a highly available AWS Direct Connect connection? (Choose 3.)

Select 3 answers
A. Use a single Direct Connect connection with redundant virtual interfaces
B. Use multiple Direct Connect connections to different AWS Direct Connect locations
C. Configure BGP with graceful restart and fast failover timers
D. Connect to multiple AWS Direct Connect routers in the same location
E. Use a single large Direct Connect connection instead of multiple smaller ones
Answers: B, C, D

Diverse locations provide geographical redundancy.

Why this answer

Option B is correct because using multiple Direct Connect connections to different AWS Direct Connect locations provides geographic redundancy. If one location experiences an outage, traffic can fail over to the other location, ensuring high availability. This aligns with AWS best practices for resilient hybrid networking.

Exam trap

AWS often tests the misconception that redundant virtual interfaces on a single physical connection provide high availability, but the physical link itself remains a single point of failure.

306
MCQ · hard

An engineer is trying to create a VPC Flow Log that delivers to a CloudWatch Logs log group in the same account. The IAM role used has the above trust policy. However, the flow log creation fails with an error. What is the most likely reason?

A. The log group does not exist yet.
B. The trust policy incorrectly specifies the service principal; it should be 'ec2.amazonaws.com'.
C. The IAM role lacks a permissions policy that grants the actions on the log group.
D. The resource ARN in the trust policy does not include the log group name.
Answer: C

The trust policy allows the service to assume the role, but the role needs a permissions policy to perform the actions.

Why this answer

The trust policy shown trusts the VPC Flow Logs service principal, but the IAM role itself must have a permissions policy that allows the actions on the log group. The exhibit only shows the trust policy; the permissions policy is missing. The error likely indicates that the role does not have the necessary permissions to perform the actions.

307
MCQ · medium

A company uses AWS Direct Connect with a public VIF to access Amazon S3. The network team notices that S3 traffic is taking a suboptimal path over the internet instead of the Direct Connect. Which configuration is MOST likely missing?

A. The VPC route tables are not updated to include the Direct Connect route
B. The public VIF is not associated with the VPC
C. A Direct Connect gateway is not attached to the VPC
D. A VPC endpoint for S3 is not configured
Answer: A

The VPC needs a route pointing to the virtual private gateway for Direct Connect.

Why this answer

Option A is correct because without propagating the Direct Connect route to the VPC route tables, traffic may default to the internet. Option D is wrong because VPC endpoints are for private connectivity, but the question already uses Direct Connect. Option B is wrong because the public VIF already provides access to AWS public services.

Option C is wrong because the Direct Connect gateway is used for private VIFs, not public VIFs.

308
MCQ · easy

A network engineer is troubleshooting connectivity issues between an EC2 instance in a VPC and an on-premises server over AWS Site-to-Site VPN. The VPN tunnel status is UP, and BGP is established. The engineer can ping the on-premises server's private IP from the EC2 instance, but TCP connections to a specific port (e.g., 443) are timing out. What is the most likely cause?

A. Incorrect route table entries on the on-premises router for the VPC CIDR
B. Security group or network ACL blocking inbound TCP port 443 on the EC2 instance
C. MTU mismatch on the VPN tunnel causing packet fragmentation for TCP
D. BGP prefix limits exceeded causing route table incompleteness
Answer: B

Stateful firewalls can block specific ports while allowing ICMP.

Why this answer

Option B is correct because security groups or network ACLs can block specific ports while allowing ICMP. Option C is wrong because an MTU mismatch would affect all traffic. Option A is wrong because the VPN tunnel is UP and ping succeeds, so a routing issue would affect all traffic.

Option D is wrong because BGP is established, indicating proper route exchange.

309
MCQ · hard

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to download patches from the internet. The instance is associated with a security group that allows outbound HTTPS (443) traffic. The route table for the private subnet has a default route pointing to a NAT Gateway in the public subnet. Which additional configuration is required to ensure the NAT Gateway can route the traffic?

A. Configure the security group of the NAT Gateway to allow inbound traffic from the private subnet.
B. Add a route in the private subnet route table to the NAT Gateway's private IP.
C. Add a route in the public subnet route table to the Internet Gateway.
D. Assign an Elastic IP address to the NAT Gateway.
Answer: C

The NAT Gateway needs a route to the Internet Gateway to forward traffic.

Why this answer

The NAT Gateway must be in a public subnet with an Internet Gateway route. The security group of the NAT Gateway does not control traffic; it's a managed service. The NAT Gateway's Elastic IP is automatically assigned.

The route table of the public subnet must have a default route to the Internet Gateway. The private subnet route is already correct.

310
MCQ · easy

A company is deploying an internet-facing application in AWS. The application must only accept traffic from specific IP addresses of business partners. Which AWS service should be used to enforce this restriction?

A. Network ACLs with inbound allow rules
B. Security Groups with inbound allow rules
C. Amazon Route 53 geoproximity routing
D. AWS WAF with an IP set rule
Answer: D

AWS WAF can filter traffic based on IP addresses using IP sets.

Why this answer

Option D is correct because AWS WAF allows you to create IP set rules to block or allow traffic from specific IP addresses. Option B is wrong because Security Groups do not support allow lists for specific IP addresses from different sources (they support CIDR blocks but not dynamic IP sets). Option A is wrong because Network ACLs are stateless and operate at the subnet level; they can allow/deny by CIDR but are not as flexible as WAF for partner IP lists.

Option C is wrong because Route 53 is for DNS, not traffic filtering.

311
MCQ · easy

A company has a VPC with a CIDR of 10.0.0.0/16. They have two subnets: 10.0.1.0/24 (public) and 10.0.2.0/24 (private). An EC2 instance in the private subnet needs to download patches from the internet. The team creates a NAT gateway in the public subnet and updates the private subnet route table to route 0.0.0.0/0 to the NAT gateway. The EC2 instance still cannot reach the internet. The team confirms the NAT gateway has an elastic IP and the public subnet has an internet gateway. What is the MOST likely cause?

A. The private subnet route table does not have a route for the NAT gateway's IP.
B. The network ACL for the private subnet denies outbound traffic to the internet.
C. The public subnet does not have a route to the internet gateway.
D. The NAT gateway does not have source/destination check disabled.
Answer: B

Network ACL must allow outbound ephemeral ports and inbound return traffic.

Why this answer

The security group or network ACL of the private subnet may be blocking outbound traffic. A common mistake is to look for a source/destination check on the NAT gateway, but the NAT gateway is a managed service, so the source/destination check is handled automatically.

Option B is correct: the private subnet's network ACL must allow outbound traffic and inbound return traffic. Option D is not needed because the NAT gateway is managed. Option A is not a requirement.

Option C would apply to the NAT gateway's subnet, which the question states already has an internet gateway.

312
Multi-Select · hard

A company has a VPC with public and private subnets. The security team wants to inspect all traffic leaving the VPC to the internet for malicious activity. Which THREE services should be used together to achieve this? (Choose three.)

Select 3 answers
A. VPC Flow Logs
B. Internet gateway
C. Amazon GuardDuty
D. AWS Network Firewall
E. NAT gateway
Answers: A, C, E

Captures network traffic metadata for analysis.

Why this answer

A NAT gateway routes outbound traffic, VPC Flow Logs capture metadata, and Amazon GuardDuty analyzes flow logs for threats. Options A, C, and E are correct. Option B is wrong because an Internet Gateway is for inbound access.

Option D is wrong because, although Network Firewall can inspect traffic, the combination of NAT gateway, Flow Logs, and GuardDuty is a common pattern for outbound inspection.

313
MCQ · hard

A company is designing a network for a real-time gaming application that requires the lowest possible latency across AWS Regions. The application uses UDP traffic. Which AWS service should be used to optimize traffic routing?

A. AWS Direct Connect with multiple connections.
B. AWS Global Accelerator.
C. Amazon Route 53 with latency-based routing.
D. Amazon CloudFront with custom origins.
Answer: B

Global Accelerator supports UDP and uses the AWS backbone to reduce latency.

Why this answer

AWS Global Accelerator uses the Anycast IP address concept to route UDP traffic over the AWS global network, minimizing latency by directing traffic to the nearest healthy endpoint. It is specifically designed for real-time applications like gaming that require low latency and jitter, and it supports UDP traffic natively.

Exam trap

AWS often tests the misconception that DNS-based routing (like Route 53 latency routing) provides the same latency optimization as Global Accelerator, but the trap is that DNS routing only affects the initial resolution and does not control the actual network path for ongoing UDP traffic, while Global Accelerator optimizes every packet in real time.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect provides dedicated private connectivity but does not optimize traffic routing across regions for latency; it is a physical connection to a single region and does not use Anycast or global path optimization. Option C is wrong because Amazon Route 53 with latency-based routing operates at the DNS level, which introduces DNS caching and resolution delays, and it does not optimize the actual network path for UDP traffic after the initial DNS lookup. Option D is wrong because Amazon CloudFront is a content delivery network optimized for HTTP/HTTPS traffic and does not support UDP traffic; it is designed for web content acceleration, not real-time gaming UDP streams.

314
MCQ · easy

A company wants to monitor network traffic between VPCs in the same AWS Region that are connected via VPC Peering. Which AWS service can provide visibility into the traffic?

A. VPC Flow Logs
B. AWS Config
C. AWS Direct Connect
D. AWS CloudTrail
Answer: A

Flow Logs on the peering connection capture traffic.

Why this answer

The correct answer is A because VPC Flow Logs can be enabled on the peering connection to capture traffic. Option D is wrong because CloudTrail does not capture network traffic. Option B is wrong because AWS Config does not provide traffic logs.

Option C is wrong because Direct Connect is for on-premises connectivity, not VPC Peering.

315
MCQ · hard

A company has a VPC with public and private subnets. The public subnet has a NAT gateway for outbound internet access from private subnets. The private subnets have EC2 instances that need to access an S3 bucket in the same region. The company wants to minimize data transfer costs and avoid traversing the internet. What is the MOST cost-effective solution?

A. Configure an S3 bucket policy that restricts access to the VPC's public IP addresses.
B. Create a VPC Gateway Endpoint for S3 and attach a policy allowing access from the private subnets.
C. Route traffic to the NAT gateway and then to the S3 bucket using a VPC peering connection.
D. Create a VPC Interface Endpoint for S3 and associate it with the private subnets.
Answer: B

Gateway endpoints are free and keep traffic within AWS network.

Why this answer

A VPC Gateway Endpoint for S3 allows private subnet instances to access S3 over the AWS network without traversing the internet or a NAT gateway, eliminating data transfer costs for the NAT gateway and avoiding internet egress charges. This is the most cost-effective solution because gateway endpoints are free and use prefix lists in the route table to direct traffic to S3 via the AWS backbone.

Exam trap

AWS often tests the misconception that interface endpoints are always the best choice for AWS service access, but for S3 and DynamoDB, gateway endpoints are the most cost-effective because they are free and avoid the per-GB data processing charges of interface endpoints.

How to eliminate wrong answers

Option A is wrong because restricting access to the VPC's public IP addresses does not address routing; private instances still need a path to S3, and this policy alone does not prevent traffic from going through the NAT gateway or internet. Option C is wrong because routing traffic to the NAT gateway and then to S3 via a VPC peering connection is unnecessary, incurs NAT gateway data processing and hourly charges, and VPC peering is not used for S3 access—S3 is a service endpoint, not a peered VPC. Option D is wrong because a VPC Interface Endpoint for S3 incurs hourly charges and per-GB data processing costs, making it more expensive than a gateway endpoint, which is free and designed for S3 and DynamoDB access within the same region.

316
MCQ · medium

Refer to the exhibit. A company has attached the IAM policy to an S3 bucket named example-bucket. Users report they cannot access objects in the bucket even when coming from the allowed IP range. What is the most likely cause?

A. The policy syntax is invalid because of the Principal element
B. The IP address range in the condition does not match the users' IP
C. The condition uses aws:SourceIp incorrectly
D. S3 Block Public Access settings are enabled, overriding the policy
Answer: D

Block Public Access denies all public access even if the bucket policy allows it.

Why this answer

The policy allows anonymous access (Principal: "*"). However, S3 bucket policies require explicit context; if the bucket is not configured for public access, the policy is ignored. Option D is correct because S3 Block Public Access settings can override the policy.

Option B is wrong because the policy does allow access from that range. Option C is wrong because the condition is correct. Option A is wrong because the policy is valid.

317
MCQ · medium

A company has a Direct Connect connection with a private virtual interface to a VPC. They want to use the same Direct Connect connection to access another VPC in the same region. Which solution should they implement?

A. Create a second private virtual interface to the second VPC.
B. Set up a Site-to-Site VPN over the Direct Connect connection to the second VPC.
C. Use a Transit Gateway and a transit virtual interface.
D. Order a second Direct Connect connection.
Answer: C

Transit VIF connects to TGW, which can attach to multiple VPCs.

Why this answer

Option C is correct because a Transit Gateway can be attached to both VPCs and a transit VIF can be used to reach it. Option A is incorrect because a private VIF is for a single VPC. Option B is incorrect because a VPN can be used but does not leverage Direct Connect fully.

Option D is incorrect because a second Direct Connect connection is unnecessary.

318
MCQ · easy

A company has a VPC with a public subnet containing a NAT gateway and a private subnet containing EC2 instances. The EC2 instances need to download patches from the internet. The security team wants to ensure that the EC2 instances cannot initiate outbound connections to any other internet destinations. What should the network engineer do?

A. Remove the NAT gateway and attach an Internet Gateway to the private subnet route table.
B. Attach an egress-only Internet Gateway to the VPC and route private subnet traffic to it.
C. Configure a network ACL on the private subnet to allow outbound traffic only to the patch server's IP address.
D. Assign a security group to the EC2 instances that allows outbound HTTPS traffic only to the patch server's IP address.
Answer: D

Correct: Security groups can restrict outbound traffic to specific destinations.

Why this answer

Option D is correct because a security group can restrict the instances' outbound traffic to a single destination: allow only HTTPS outbound to the patch server's IP, and everything else is denied implicitly. The instances keep using the NAT gateway for that path. An egress-only Internet Gateway applies to IPv6, not IPv4, so it does not fit here.

Option A is wrong because it would allow all outbound traffic. Option B is wrong because egress-only IGW is for IPv6. Option C is wrong because NACLs are stateless and not ideal for this granular control.

319
MCQ · medium

A company has multiple VPCs connected via VPC peering. They want to simplify network management and reduce the number of peering connections. Which AWS service should they use?

A. AWS PrivateLink
B. AWS VPN CloudHub
C. AWS Transit Gateway
D. AWS Direct Connect Gateway
Answer: C

Transit Gateway provides hub-and-spoke connectivity.

Why this answer

Transit Gateway acts as a hub to connect multiple VPCs and on-premises networks, reducing the need for full mesh peering.

320
MCQ · easy

A company has a Direct Connect connection with a private virtual interface to a VPC. The network team wants to monitor the bandwidth utilization of the Direct Connect connection. They have enabled VPC Flow Logs for the VPC, but the flow logs do not show traffic that traverses the Direct Connect. The team needs a solution to capture the bandwidth usage of the Direct Connect connection. Which solution should they implement?

A. Use CloudWatch metrics for the Direct Connect connection.
B. Enable AWS CloudTrail for the Direct Connect connection.
C. Enable VPC Flow Logs on the Direct Connect virtual interface.
D. Use AWS Config rules to monitor bandwidth.
Answer: A

CloudWatch provides Direct Connect metrics.

Why this answer

Option A is correct because Direct Connect publishes metrics to CloudWatch, including bandwidth utilization, connection state, and BGP status. VPC Flow Logs capture IP traffic within the VPC, not traffic on the Direct Connect physical connection. Option C is wrong because flow logs only capture traffic on VPC network interfaces.

Option D is wrong because AWS Config does not provide bandwidth metrics. Option B is wrong because CloudTrail logs API calls.

321
MCQ · hard

A network engineer is troubleshooting intermittent connectivity issues between an EC2 instance in a private subnet and an RDS database in another VPC connected via a VPC peering connection. The connection works for a few minutes and then drops. CloudWatch logs show no errors on the peering connection. What should the engineer check first?

A. The DNS resolution settings of the VPC peering connection.
B. The network ACL of the subnet where the EC2 instance resides.
C. The security group attached to the RDS database allowing traffic from the EC2 instance.
D. The route tables in both VPCs to ensure they have routes pointing to the peering connection for the respective CIDR blocks.
Answer: D

Missing or incorrect routes can cause asymmetric routing and drops.

Why this answer

Option D is correct because the most common cause of intermittent drops over VPC peering is the lack of proper route table entries in both VPCs to route traffic back to the source. Option C is wrong because security groups are stateful and do not cause intermittent drops. Option B is wrong because NACLs are stateless but would block consistently, not intermittently.

Option A is wrong because DNS resolution settings affect name resolution, not connectivity drops.

322
MCQ · hard

A company has a VPC with a CIDR block of 10.0.0.0/16. It has two subnets: subnet A (10.0.1.0/24) and subnet B (10.0.2.0/24). Both subnets have a route to an Internet Gateway. An EC2 instance in subnet A has a security group that allows inbound HTTP from 0.0.0.0/0. The instance's network ACL allows inbound HTTP from 0.0.0.0/0. Users report they cannot access the web server. What is the most likely cause?

A. The instance does not have a public IP address
B. The network ACL inbound rule is incorrectly configured
C. The security group is not associated with the instance
D. The route table does not have a route to the Internet Gateway
Answer: A

Without a public IP, the instance is not reachable from the internet.

Why this answer

The instance does not have a public IP address, so it cannot be reached from the internet. Without a public IP or Elastic IP, traffic from the internet cannot be routed to the instance even if security groups and network ACLs allow it.

323
MCQ · hard

An organization uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via VPN. They want to implement traffic inspection between VPCs using a third-party firewall appliance in a central VPC. The firewall must inspect traffic for all inter-VPC flows. Which architecture meets this requirement?

A. Configure Transit Gateway route tables to send inter-VPC traffic to the inspection VPC's attachment, and enable appliance mode on the attachment.
B. Create VPC peering connections between all VPCs and route traffic through the central VPC.
C. Use a Network Load Balancer in the central VPC to distribute traffic to the firewall appliances.
D. Set up Direct Connect gateways and route all traffic through the on-premises network for inspection.
Answer: A

Appliance mode ensures that return traffic is sent back through the same firewall, enabling stateful inspection.

Why this answer

Option A is correct because Transit Gateway with appliance mode (which keeps both directions of a flow on the same inspection appliance) and appropriate route tables can force traffic through the inspection VPC. Option B is wrong because VPC peering does not allow centralized inspection without complex routing. Option C is wrong because a Network Load Balancer does not support traffic inspection.

Option D is wrong because Direct Connect alone does not provide inspection.

324
MCQ · easy

A company is designing a multi-tier application with web servers in public subnets and database servers in private subnets. The database servers should only be accessible from the web servers. Which AWS feature should be used to enforce this?

A. Security groups that reference the web server security group as a source
B. VPC endpoints to restrict access to the database servers
C. Network ACLs with allow rules for the web server subnet CIDR
D. Network ACLs with deny rules for all traffic except from the web server subnet
Answer: A

Security groups allow you to specify another security group as the source, enabling fine-grained access control.

Why this answer

Option A is correct because security groups act as a virtual firewall for instances, and you can allow inbound traffic from a specific security group (the web servers' security group). Option C is wrong because NACLs are stateless and applied at the subnet level, not the instance level. Option D is wrong because network ACLs are not as granular as security groups for this use case.

Option B is wrong because VPC endpoints are for accessing AWS services privately.

325
MCQ · medium

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via AWS Direct Connect. The on-premises network advertises the 10.0.0.0/8 prefix. One VPC has a route to the Transit Gateway for 0.0.0.0/0. Instances in that VPC can reach the internet via a NAT gateway but cannot reach on-premises resources. What is the most likely issue?

A. The security group of the instances does not allow inbound traffic from on-premises
B. The Direct Connect virtual interface is not associated with the Transit Gateway
C. The VPC route table does not have a route to the on-premises CIDR via the Transit Gateway
D. The on-premises router is not advertising the 10.0.0.0/8 prefix to AWS
Answer: C

A specific route for 10.0.0.0/8 via Transit Gateway must exist.

Why this answer

Option C is correct because the more specific 10.0.0.0/8 route from on-premises should be preferred over the default route. If propagation is not enabled, the route is missing. The NAT gateway only provides internet access, not on-premises reachability.

Option A is wrong because security groups can block traffic, but the question implies a connectivity issue due to routing. Option B is wrong because Direct Connect bandwidth does not affect routing.

326
Multi-Select · easy

A company has an AWS Direct Connect connection and wants to connect to multiple VPCs in the same region. Which TWO services can be used to achieve this? (Choose TWO.)

Select 2 answers
A. VPC Peering
B. AWS Transit Gateway
C. AWS Site-to-Site VPN
D. Direct Connect Gateway
E. AWS CloudHub
Answers: B, D

Transit Gateway can connect multiple VPCs and Direct Connect.

Why this answer

AWS Transit Gateway (Option B) acts as a central hub that interconnects VPCs and on-premises networks via a single Direct Connect connection, allowing you to connect to multiple VPCs in the same region without needing individual virtual interfaces. Direct Connect Gateway (Option D) enables you to associate multiple VPCs in the same or different regions with a single Direct Connect connection by using a single private virtual interface (VIF) and transit virtual interfaces (VIFs) to reach those VPCs through Transit Gateway or virtual private gateways.

Exam trap

The trap here is that candidates often confuse VPC Peering (Option A) as a way to extend Direct Connect connectivity to multiple VPCs, but VPC Peering does not support transitive routing and cannot be used to route traffic from Direct Connect to multiple VPCs without a central hub like Transit Gateway.

327
MCQ · hard

Refer to the exhibit. A network engineer is analyzing a VPC Flow Log record from a VPC with CIDR 10.0.0.0/16. The record indicates a REJECT action. Which component is most likely blocking the traffic?

A. The destination instance's operating system firewall
B. A missing route in the route table
C. The destination instance's security group
D. The network ACL of the destination subnet
Answer: C

Security groups evaluate inbound rules and can REJECT traffic.

Why this answer

Flow logs record traffic after security group and NACL evaluation. A REJECT indicates the traffic was dropped by a security group or NACL. Since the destination port is 80 (HTTP), a security group is likely blocking inbound HTTP.

Option C is correct. Option A is wrong because the source IP is within the VPC. Option B is wrong because there is no indication of a missing route.

Option D is wrong because NACL rules are stateless and would show REJECT if they block, but security groups are more common for instance-level blocking.

328
MCQ · hard

A financial services company has a multi-account AWS environment managed via AWS Organizations. The security team needs to enforce that all Amazon S3 buckets across the organization are encrypted with AWS KMS using a specific customer managed key (CMK) from the security account. Currently, some accounts have S3 buckets with SSE-S3 encryption or no encryption. The security team must not be able to read the data in the buckets, but must be able to detect and remediate non-compliant buckets. The solution must use AWS native services and minimize operational overhead. Which combination of actions should the security team take?

A. Enable AWS Config in each member account individually and create a custom rule using AWS Lambda to check bucket encryption, then send compliance results to the security account via Amazon EventBridge.
B. Use a service control policy (SCP) to deny s3:PutObject unless the request includes a specific KMS key ID.
C. Create an AWS Config rule in the security account with an organization conformance pack to check bucket encryption settings, and use an automatic remediation action with AWS Systems Manager Automation to apply the required KMS key.
D. Enable AWS CloudTrail in the security account and create a metric filter to detect PutBucketEncryption API calls, then trigger a Lambda function to remediate.
Answer: C

This solution uses AWS Config rules to continuously evaluate compliance, and automatic remediation ensures non-compliant buckets are fixed. The security team can view compliance status without data access.

Why this answer

Option C is correct because using AWS Config rules with an organization-level conformance pack allows centralized enforcement. The custom rule can check bucket encryption settings, and the remediation action (SSM automation) can apply the correct KMS key. The security team can view compliance without accessing the data.

Option A is wrong because SCPs can only deny actions, not enforce specific encryption settings proactively. Option B is wrong because CloudTrail trails only log events, they do not enforce policies. Option D is wrong because enabling AWS Config in every account individually creates operational overhead and does not allow organization-wide enforcement easily.

329
Multi-Select · hard

A company is designing a network security architecture for a multi-tier web application. Which THREE best practices should they implement? (Choose three.)

Select 3 answers
A. Attach an internet gateway to the private subnet for outbound traffic
B. Use security groups as a stateless firewall
C. Use network ACLs as a stateless firewall for subnet-level traffic
D. Place databases in private subnets with no direct internet access
E. Use security groups to control traffic at the instance level
Answers: C, D, E

NACLs are stateless and provide subnet-level filtering.

Why this answer

Options A, C, and E are correct. A: Use security groups as a virtual firewall. C: Use private subnets for databases.

E: Use NACLs as a stateless firewall layer. Option B is wrong because security groups are stateful, not stateless. Option D is wrong because the internet gateway should be attached to public subnets, not private.

330
MCQ · medium

Based on the route table, which of the following is true?

A. The route table is the main route table for the VPC
B. The subnet is connected to a Transit Gateway
C. The subnet has a VPN connection to a network with CIDR 172.31.0.0/16
D. The subnet is a private subnet with no internet access
Answer: C

The route to vgw for 172.31.0.0/16 indicates a VPN connection.

Why this answer

Option C is correct because the route table has a local route for the VPC CIDR, a default route to an Internet Gateway, and a route to a VPN Gateway (vgw) for a different CIDR (172.31.0.0/16). This indicates a VPN connection to a network with that CIDR. Option A is wrong because there is no route to a Transit Gateway.

Option B is wrong because there is a route to an Internet Gateway, so it is not a private subnet. Option D is wrong because the route table is associated with a subnet, not a VPC.

331
Multi-Select · hard

A company is using AWS Transit Gateway with multiple VPCs and Direct Connect Gateway. They want to ensure that traffic between VPCs and on-premises is encrypted. Which TWO solutions can achieve this?

Select 2 answers
A. Enable MACsec on the Direct Connect connection
B. Create a VPN attachment on the Transit Gateway and configure IPsec VPN to on-premises
C. Use Transit Gateway IPsec VPN to encrypt traffic between VPCs
D. Enable IPsec on the private virtual interface
E. Use VPC peering with encryption
Answers: A, B

MACsec encrypts at Layer 2 between customer router and AWS.

Why this answer

Options B and D are correct. A VPN attachment on the Transit Gateway encrypts traffic between the Transit Gateway and on-premises VPN device. MACsec on the Direct Connect connection encrypts traffic at Layer 2.

Option A is incorrect because IPsec over a private VIF is not possible; IPsec is used over public VIF or VPN. Option C is incorrect because Transit Gateway does not support IPsec natively. Option E is incorrect because VPC peering does not involve on-premises.

332
Multi-Select · hard

Which TWO actions are recommended to troubleshoot asymmetric routing in a VPC with multiple NAT gateways?

Select 2 answers
A. Enable source/destination check on all EC2 instances
B. Use a Network Load Balancer to distribute traffic
C. Disable VPC Flow Logs
D. Use a single NAT gateway per Availability Zone
E. Ensure route tables point to the NAT gateway in the same subnet's Availability Zone
Answers: D, E

This ensures consistent routing within an AZ.

Why this answer

Asymmetric routing occurs when traffic takes different paths. Using a single NAT gateway per AZ and ensuring route tables point to the NAT gateway in the same subnet's AZ can prevent this. Additionally, disabling source/destination check on instances that do not need it can help, but for NAT gateways, this is not configurable.

333
Multi-Select · medium

A company is using AWS Client VPN to provide remote access to their VPC. Users report that they can connect to the VPN but cannot reach resources in the VPC. Which THREE configuration items should the engineer verify?

Select 3 answers
A. The authorization rules allow access to the VPC's CIDR.
B. The Client VPN endpoint is associated with the correct subnets.
C. The Client VPN endpoint has a public IP address.
D. The security groups attached to the target resources allow traffic from the VPN CIDR.
E. The client certificate is issued by a valid CA.
Answers: A, B, D

Authorization rules define which networks users can access.

Why this answer

Option B is correct because the subnet association determines which subnets are accessible. Option C is correct because the authorization rules control access to specific networks. Option E is correct because security groups associated with the VPC resources can block traffic.

Option A is incorrect because client certificates are for authentication, not routing. Option D is incorrect because the VPN endpoint does not have a public IP; clients connect via a DNS name.

334
Multi-Select · medium

Which TWO options are valid methods to connect multiple VPCs together in a hub-and-spoke topology? (Select TWO.)

Select 2 answers
A. VPC peering
B. AWS Direct Connect
C. VPC Endpoints
D. AWS Site-to-Site VPN
E. AWS Transit Gateway
Answers: A, E

Both can be used to create a hub-and-spoke topology.

Why this answer

VPC peering (A) is a valid method because it establishes a direct, one-to-one network connection between two VPCs using the AWS global backbone, enabling private IPv4 or IPv6 communication without gateways or VPNs. AWS Transit Gateway (E) is valid because it acts as a central hub that connects multiple VPCs and on-premises networks through a single, scalable gateway, simplifying the hub-and-spoke topology management.

Exam trap

AWS often tests the misconception that AWS Direct Connect or Site-to-Site VPN can directly interconnect multiple VPCs, but these are designed for on-premises connectivity, not VPC-to-VPC peering or transit routing.

335
MCQ · easy

A company wants to design a highly available architecture for a web application that runs on EC2 instances in an Auto Scaling group across multiple Availability Zones. The application must be able to handle sudden traffic spikes. Which load balancing solution provides the best combination of high availability, automatic scaling, and SSL offloading?

A. Amazon CloudFront with an origin pointing to the Auto Scaling group
B. Network Load Balancer
C. Application Load Balancer
D. Classic Load Balancer
Answer: C

ALB provides SSL termination, health checks, and integrates with Auto Scaling.

Why this answer

An Application Load Balancer (ALB) is Layer 7, supports SSL termination, and integrates with Auto Scaling for health checks. Option A is correct. Option B is incorrect because Classic Load Balancer is deprecated and less feature-rich.

Option C is incorrect because NLB is Layer 4 and does not natively offload SSL. Option D is incorrect because CloudFront is a CDN, not a load balancer for the application.

336
Multi-Select · hard

A company has a VPC with both IPv4 and IPv6 CIDR blocks. The network engineer needs to capture all traffic between the VPC and the internet. Which THREE resources must have VPC Flow Logs enabled?

Select 3 answers
A. Internet gateway
B. NAT gateway
C. Subnet
D. VPC
E. Egress-only internet gateway
Answers: A, B, E

The internet gateway's ENI captures traffic to/from the internet.

Why this answer

Option B is correct because the internet gateway (igw) is the attachment point to the internet. Option D is correct because egress-only internet gateway handles IPv6 traffic. Option E is correct because the NAT gateway handles IPv4 traffic from private subnets.

Option A is incorrect because VPC itself does not have flow logs; they are on network interfaces. Option C is incorrect because subnets do not have flow logs directly.

337
MCQ · hard

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS and that bucket policies restrict access to specific IAM roles. They have created an SCP that denies s3:PutBucketPolicy unless the bucket is encrypted with KMS (using a condition) and restricts the PutBucketPolicy action to a specific role. After applying the SCP, the development team reports that they cannot update bucket policies even when using the allowed role. The SCP is attached to the root OU. The allowed role is in the dev account and has full S3 permissions via an IAM policy. What is the most likely reason for the failure?

A. The SCP denies s3:PutBucketPolicy for all principals except the allowed role, but the SCP is applied at the root OU and affects all accounts, so the allowed role is still denied because SCPs are deny-by-default and the allow list in the SCP does not override the implicit deny.
B. The SCP must be applied to the dev account specifically, not the root OU, because SCPs attached to OUs do not affect member accounts unless explicitly inherited.
C. The SCP condition key for KMS encryption is incorrect because the s3:PutBucketPolicy action does not support condition keys for encryption.
D. The IAM policy attached to the allowed role does not include s3:PutBucketPolicy permission, even though it has full S3 access.
Answer: A

SCPs are deny-by-default. An SCP that denies an action unless a specific role is used effectively denies all other principals. But if the SCP has an Allow effect for the specific role, it still does not grant permission; it only removes the deny. However, the issue is that the SCP likely has a Deny statement with a condition that the role should not be denied, but if the condition is not met, the deny applies. The stem suggests the SCP restricts PutBucketPolicy to a specific role; if the SCP is written as a Deny for all principals except that role, it works only if the role ARN matches. The most common mistake is that the SCP uses a NotPrincipal element incorrectly, causing the deny to apply to everyone.

338
MCQ · hard

A company is using Amazon Route 53 for DNS resolution. They want to restrict access to a private hosted zone so that only authorized VPCs can query it. Which configuration should they use?

A. Configure a network ACL to block UDP port 53 from other VPCs
B. Create an IAM policy to deny DNS queries from other VPCs
C. Configure a security group to block DNS traffic from other VPCs
D. Associate the private hosted zone with the authorized VPCs
Answer: D

Private hosted zones are accessible only to associated VPCs.

Why this answer

Option A is correct because associating a private hosted zone with VPCs allows only those VPCs to resolve records. Option B (IAM policy) affects API calls, not DNS queries. Option C (security group) is for network interfaces.

Option D (NACL) is subnet-level.

339
MCQ · hard

A network engineer is troubleshooting connectivity issues between two VPCs that are connected via VPC peering. The VPCs are in the same region and have overlapping CIDR blocks. The engineer can ping the private IP of an instance in the peered VPC from an instance in the first VPC. However, traffic on TCP port 443 (HTTPS) fails. Which is the most likely cause?

A. The network ACL in the target subnet is blocking inbound HTTPS traffic
B. The security group of the target instance does not allow inbound HTTPS traffic from the source
C. The VPC peering connection is not in the 'active' state
D. The route tables in both VPCs do not have routes to the peered VPC's CIDR
Answer: B

Security groups are stateful; ICMP may be allowed but HTTPS not.

Why this answer

Option A is correct because the security group of the target instance must allow inbound HTTPS traffic from the source instance's security group or CIDR. Option B is wrong because ICMP works. Option C is wrong because the route table has a route to the peering connection.

Option D is wrong because NACLs are stateless and would block ICMP too if misconfigured.

340
MCQ · easy

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16. They need to add an additional non-overlapping CIDR to the VPC. What is a valid CIDR block they can add?

A. 10.0.1.0/24
B. 10.1.0.0/16
C. 10.0.0.0/8
D. 10.0.0.0/16
Answer: B

Non-overlapping, valid addition.

Why this answer

Option C is correct because 10.1.0.0/16 does not overlap with 10.0.0.0/16. Option A is wrong because 10.0.0.0/8 is a superset and overlaps. Option B is wrong because 10.0.0.0/16 is the same CIDR.

Option D is wrong because 10.0.1.0/24 is within 10.0.0.0/16 and overlaps.

341
MCQ · easy

A company is designing a VPC with a public subnet for web servers and a private subnet for database servers. The web servers must be able to access the internet for software updates, but the database servers must not have direct internet access. Which solution meets these requirements?

A. Use a VPC endpoint for Amazon S3 to provide internet access to the database servers.
B. Deploy a NAT gateway in the public subnet and add a route to it in the private subnet's route table.
C. Set up a VPN connection to an on-premises data center and route traffic through it.
D. Attach an internet gateway to the VPC and add a route to it in the private subnet's route table.
Answer: B

A NAT gateway allows outbound internet traffic from private subnets while blocking inbound traffic.

Why this answer

Option B is correct because a NAT gateway in a public subnet allows instances in private subnets to initiate outbound traffic to the internet while preventing inbound traffic from the internet. Option A is incorrect because an internet gateway in the private subnet would allow direct inbound traffic. Option C is incorrect because a VPC endpoint is for accessing AWS services privately, not for general internet access.

Option D is incorrect because a VPN connection does not provide internet access.

342
Multi-Select · hard

A company has a global application deployed across multiple AWS regions. The application uses Application Load Balancers (ALBs) and Auto Scaling groups. The network team wants to route traffic to the nearest region based on latency, and also wants to failover to another region if the primary region becomes unhealthy. Which THREE services should be used together to achieve this? (Choose THREE.)

Select 3 answers
A. Amazon CloudFront with origin failover
B. Amazon Route 53 latency-based routing
C. Amazon CloudWatch alarms to detect regional health
D. AWS Lambda to update Route 53 records on failover
E. AWS Global Accelerator
Answers: B, C, D

Routes based on latency.

Why this answer

Options A, B, and D are correct. Route 53 latency routing routes to the region with lowest latency, CloudWatch alarms can monitor health, and Lambda can automate DNS changes for failover. C is wrong because Global Accelerator uses anycast and does not use Route 53 latency routing.

E is wrong because CloudFront is for content delivery, not regional failover.

343
MCQ · hard

A company has a VPC with a CIDR of 10.0.0.0/16. They need to connect to two on-premises data centers, each with overlapping CIDR blocks (192.168.0.0/16). The company wants to use AWS Site-to-Site VPN with dynamic routing (BGP). Which design allows the VPC to reach both data centers without route conflicts?

A. Create two VPN connections to a single virtual private gateway and advertise the same CIDR from both data centers. Use BGP AS_PATH prepending to influence routing.
B. Create a single VPN connection with two tunnels to the same virtual private gateway. Use different BGP ASNs for each data center.
C. Create two separate virtual private gateways, each in a different VPC, and use VPC peering. Alternatively, use a transit gateway with separate VPN attachments and BGP communities to tag routes.
D. Create two VPN connections to the same virtual private gateway. Use static routes with different metric values.
Answer: C

Transit gateway with separate attachments and BGP communities can handle overlapping CIDRs by using route priority or filtering.

Why this answer

Option C is correct because overlapping CIDR blocks cannot be advertised to the same virtual private gateway (VPG) without causing route conflicts. By using a transit gateway with separate VPN attachments, each data center's routes are isolated in separate route tables, and BGP communities can be used to tag and differentiate routes. This design allows the VPC to reach both data centers by leveraging the transit gateway's ability to manage overlapping prefixes through separate route tables and path selection.

Exam trap

AWS often tests the misconception that a single virtual private gateway can handle overlapping CIDRs by using BGP attributes like AS_PATH prepending, but the fundamental limitation is that the VPG's route table cannot store duplicate prefixes, regardless of BGP attributes.

How to eliminate wrong answers

Option A is wrong because advertising the same CIDR from both data centers to a single VPG will cause the VPG to see duplicate routes, and AS_PATH prepending only influences route preference, not route uniqueness; the VPG cannot distinguish between the two overlapping prefixes, leading to routing conflicts. Option B is wrong because a single VPN connection with two tunnels still terminates on one VPG, and using different BGP ASNs does not resolve the issue of overlapping CIDRs; the VPG will still receive identical prefixes from both tunnels and cannot differentiate them. Option D is wrong because static routes with different metric values cannot be used with dynamic routing (BGP) as specified in the question; moreover, static routes to the same VPG for overlapping CIDRs would create ambiguity and the VPG would not know which tunnel to use for a given destination.

344
MCQ · easy

Refer to the exhibit. A flow log record shows ACCEPT for traffic from 10.0.1.5 to 10.0.2.10 on port 443. Which AWS service is most likely the destination?

A. Amazon RDS instance
B. Application Load Balancer
C. NAT Gateway
D. Amazon S3
Answer: B

ALB listens on port 443 for HTTPS.

Why this answer

An Application Load Balancer (ALB) terminates HTTPS (port 443) connections and forwards traffic to targets. Flow logs showing ACCEPT for traffic to port 443 on an ALB's internal IP (10.0.2.10) are expected because the ALB listens on that port for incoming client connections. The ALB operates at Layer 7 and is the only listed service that natively accepts HTTPS traffic on port 443 within a VPC.

Exam trap

AWS often tests the misconception that any service accepting HTTPS traffic must be an Amazon S3 endpoint, but S3 does not have a VPC private IP; the trap here is confusing a service's public endpoint with its internal VPC representation, leading candidates to pick S3 instead of recognizing the ALB's private IP and port 443 listener.

How to eliminate wrong answers

Option A is wrong because an Amazon RDS instance does not accept traffic on port 443 by default; it uses port 3306 (MySQL/Aurora), 5432 (PostgreSQL), or other database-specific ports, and HTTPS is not a native protocol for RDS. Option C is wrong because a NAT Gateway does not accept inbound traffic from private subnets; it only forwards outbound traffic from private instances to the internet and does not listen on port 443 for incoming connections. Option D is wrong because Amazon S3 is a global object storage service accessed via an S3 endpoint (e.g., bucket.s3.amazonaws.com) and does not have a VPC IP address like 10.0.2.10; S3 traffic uses HTTPS but the destination is an S3 API endpoint, not a private IP.

345
MCQ · hard

A large financial services company is migrating its on-premises data center to AWS. The network design must meet strict low-latency requirements for trading applications that communicate with external exchanges. The company has two AWS Direct Connect connections from two different providers to two different AWS Direct Connect locations in the same region. They have a VPC with multiple subnets across three Availability Zones. The trading applications are deployed on EC2 instances in private subnets and need to communicate with external exchanges over the Direct Connect connections. The company also requires high availability and automatic failover if one Direct Connect connection fails. The network team has configured two virtual interfaces (VIFs) for private connectivity to the VPC, one on each Direct Connect connection, and has set up BGP sessions. However, during a failover test, traffic does not fail over as expected. The team notices that the VPC route tables have static routes pointing to the virtual private gateway (VGW) with the same prefix, but no BGP routes are propagated. What is the most likely cause of the failover issue, and what should be done to resolve it?

A. The VPC route tables do not have route propagation enabled for the VGW. Enable route propagation in the route tables.
B. The BGP timers are set too high, causing slow convergence. Reduce the BGP keepalive and hold timers.
C. The VPC route tables have static routes that are overriding the BGP routes. Remove the static routes and rely on BGP routes propagated through the VGW.
D. The BGP configuration on the on-premises router is using AS_PATH prepending, making the backup path less preferred. Remove AS_PATH prepending.
Answer: C

Static routes have higher priority than BGP routes, preventing failover.

Why this answer

The failover issue occurs because static routes in the VPC route tables take precedence over BGP-propagated routes, even when the BGP session goes down. Since the static routes point to the virtual private gateway (VGW) with the same prefix, traffic continues to use the failed Direct Connect connection instead of failing over to the active one. Removing the static routes and enabling route propagation allows BGP to dynamically update the route tables based on the availability of the Direct Connect connections.

Exam trap

AWS often tests the misconception that enabling route propagation alone ensures failover, but the trap here is that static routes in the VPC route table take precedence over BGP-propagated routes, so they must be removed for automatic failover to work.

How to eliminate wrong answers

Option A is wrong because route propagation is already implied to be disabled or not the primary issue; the problem is that static routes override BGP routes, not that propagation is missing. Option B is wrong because BGP timers affect convergence speed but do not prevent failover entirely; the core issue is route precedence, not timer values. Option D is wrong because AS_PATH prepending influences path selection on the on-premises side, not within the VPC route tables; the failover failure is due to static routes in the VPC, not BGP path preference.

346
MCQ · medium

A company has an AWS Transit Gateway with multiple VPC attachments. They need to inspect traffic between VPCs using a third-party firewall appliance. What is the best approach?

A. Create a firewall VPC with the appliance and use Transit Gateway route tables to direct traffic through it
B. Use VPC security groups across VPCs
C. Use AWS Network Firewall directly in each VPC
D. Use network ACLs on each VPC subnet
Answer: A

This allows centralized inspection via routing.

Why this answer

Placing a firewall appliance in a dedicated VPC and routing traffic through it via Transit Gateway route tables allows inspection.

347
MCQ · hard

A company is deploying a latency-sensitive application across two AWS Regions using Application Load Balancers (ALBs) and AWS Global Accelerator. The application uses TCP port 8443. Which configuration ensures the lowest possible latency for global users?

A. Use Amazon CloudFront with the ALBs as origins.
B. Use Amazon Route 53 latency-based routing with ALB endpoints in each Region.
C. Use AWS Global Accelerator with endpoints as the ALBs in each Region.
D. Deploy a Network Load Balancer in each Region and use Route 53 geoproximity routing.
Answer: C

Global Accelerator uses anycast and AWS backbone for lower latency.

Why this answer

Option D is correct because Global Accelerator uses the AWS global network and anycast IPs, reducing latency. Option A is wrong because Route 53 with latency routing still uses public internet. Option B is wrong because CloudFront is for HTTP/HTTPS, not TCP.

Option C is wrong because Network Load Balancer does not have multi-region capability.

348
MCQ · easy

A network engineer is troubleshooting high latency to an application hosted in Amazon EC2. The application uses an Application Load Balancer. Which metrics in Amazon CloudWatch should be examined to identify if the load balancer is causing latency?

A. HTTP 5XX Count
B. ActiveConnectionCount
C. TargetResponseTime
D. RequestCount
Answer: C

This metric measures time to respond from targets.

Why this answer

Option C is correct because TargetResponseTime measures the time taken by the target to respond, which directly indicates backend latency. Option A is wrong because RequestCount is a count, not latency. Option B is wrong because ActiveConnectionCount is about concurrent connections.

Option D is wrong because HTTP 5XX count indicates errors, not latency.

349
MCQ · medium

A company is designing a multi-region active-active architecture using Application Load Balancers (ALBs) and AWS Global Accelerator. The application servers are in private subnets behind Network Load Balancers (NLBs). The company needs to ensure that traffic from a client is consistently routed to the same ALB endpoint for the duration of a session. Which configuration should be used?

A. Configure cross-zone load balancing on the NLBs and enable stickiness on the target groups.
B. Enable proxy protocol on the NLB target groups and configure stickiness on the NLB.
C. Enable stickiness on the ALB target groups with a duration of 1 second.
D. Enable client IP address preservation on the Global Accelerator endpoint groups and configure stickiness on the ALB based on the client IP.
Answer: D

This ensures sessions are consistently routed to the same ALB based on the client's IP.

Why this answer

Option D is correct because Global Accelerator preserves the client IP address when client IP address preservation is enabled on the endpoint group, allowing the ALB to see the original client IP. Configuring stickiness on the ALB based on the client IP ensures that all requests from the same client IP are routed to the same ALB endpoint for the duration of the session, which is essential for session persistence in an active-active multi-region architecture.

Exam trap

The trap here is that candidates often assume stickiness must be configured on the NLB or that proxy protocol is required, but they overlook that Global Accelerator can preserve the client IP, which is the key to enabling ALB-based stickiness using the client IP as the persistence key.

How to eliminate wrong answers

Option A is wrong because cross-zone load balancing and stickiness on the NLB target groups would only ensure persistence at the NLB level, not at the ALB level, and the NLB is not the endpoint that needs session affinity—the ALB is. Option B is wrong because enabling proxy protocol on the NLB target groups passes the client IP in a header, but stickiness on the NLB does not guarantee that the ALB will consistently route traffic to the same ALB endpoint; the ALB must handle stickiness itself. Option C is wrong because setting stickiness duration to 1 second is effectively disabling stickiness, as sessions would not persist long enough to maintain affinity for a meaningful session duration.

350
MCQ · hard

A company has a VPC with multiple subnets. They want to enforce that all traffic between subnets must be inspected by a security appliance deployed in a centralized inspection VPC. Which AWS feature should be used to route traffic to the inspection VPC without changing the routing on each subnet?

A. VPC Peering
B. Transit Gateway with route tables
C. NAT Gateway
D. Network Load Balancer
Answer: B

Transit Gateway enables centralized routing and inspection.

Why this answer

A Transit Gateway with route tables allows central routing and inspection. Option A is wrong because VPC peering does not support centralized inspection easily. Option B is wrong because NAT Gateway is for outbound internet.

Option D is wrong because a Network Load Balancer is for load balancing, not routing.

351
MCQ · medium

A network engineer is assigned an IAM policy to manage VPC resources. The engineer attempts to create a VPC with CIDR 10.0.0.0/16 and fails. What is the reason?

A. The resource ARN in the Deny statement does not match the VPC being created.
B. The Deny statement overrides the Allow statement for the specific CIDR.
C. The condition in the Deny statement is not evaluated correctly.
D. The first statement allows only specific actions, not CreateVpc.
Answer: B

Explicit deny overrides allow.

Why this answer

Option B is correct because the policy's second statement explicitly denies ec2:CreateVpc when the requested CIDR is 10.0.0.0/16, and in IAM an explicit Deny always overrides any Allow, regardless of statement order. Option A is incorrect because the Deny statement's resource ARN matches all VPCs, including the one being created (at creation time the VPC ID does not exist yet, so the request is evaluated against the vpc/* wildcard). Option C is incorrect because the condition is evaluated correctly; it matches the CIDR the engineer requested, which is exactly why the Deny applies.

Option D is incorrect because the first statement's Allow does cover ec2:CreateVpc; the request fails because of the Deny, not because of a missing Allow.
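As an added illustration (not part of the original question bank), here is a small Python model of the evaluation rule this answer relies on: a matching explicit Deny ends evaluation, and an Allow only counts when no Deny matched. The policy is constructed for the demo, since the page does not reproduce the real policy document, and the condition key demo:VpcCidr is hypothetical; it stands in for whatever condition the real Deny statement uses.

```python
"""Minimal model of IAM policy evaluation: explicit Deny beats Allow."""
import fnmatch

# Constructed policy for the demo. "demo:VpcCidr" is a hypothetical condition key.
POLICY = {
    "Statement": [
        # First statement: broad Allow that does cover ec2:CreateVpc
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        # Second statement: explicit Deny for one specific CIDR
        {
            "Effect": "Deny",
            "Action": "ec2:CreateVpc",
            "Resource": "arn:aws:ec2:*:*:vpc/*",
            "Condition": {"StringEquals": {"demo:VpcCidr": "10.0.0.0/16"}},
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs; matching is case-sensitive
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled; a key missing from the request context fails the test
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in tests.items():
            if context.get(key) not in _as_list(wanted):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Statement order is irrelevant: any matching Deny ends evaluation, and an
    Allow only counts if no Deny matched.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# At CreateVpc time the VPC ID does not exist yet, so the resource is the vpc/* wildcard
VPC_ARN = "arn:aws:ec2:us-east-1:123456789012:vpc/*"

if __name__ == "__main__":
    print(evaluate(POLICY, "ec2:CreateVpc", VPC_ARN, {"demo:VpcCidr": "10.0.0.0/16"}))  # ExplicitDeny
    print(evaluate(POLICY, "ec2:CreateVpc", VPC_ARN, {"demo:VpcCidr": "10.1.0.0/16"}))  # Allow
```

Swapping the two statements in POLICY does not change the outcome, which is the point of the question: IAM never lets a later Allow rescue a request that an explicit Deny matched.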

352
MCQeasy

A company is migrating an on-premises application to AWS. The application requires low-latency, high-throughput connectivity between the on-premises data center and the AWS VPC. The company wants a dedicated, private connection that bypasses the internet. Which AWS service should they use?

A.AWS Direct Connect
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.VPC Peering
AnswerA

Dedicated, private, high-bandwidth connection.

Why this answer

AWS Direct Connect provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the internet entirely. This ensures consistent low-latency, high-throughput connectivity for latency-sensitive or high-volume workloads, as it uses a physical cross-connect at a Direct Connect location (dedicated connection) or a hosted connection from an AWS Direct Connect Partner over a private circuit.

Exam trap

The trap here is that candidates often confuse AWS Transit Gateway as a connectivity method itself, when it is actually a hub that requires an underlying connection (Direct Connect or VPN) to reach on-premises networks.

How to eliminate wrong answers

Option B (AWS Transit Gateway) is wrong because it is a network transit hub that interconnects VPCs and on-premises networks via VPN or Direct Connect, but it does not itself provide a dedicated private connection; it requires an underlying connectivity method like Direct Connect or VPN. Option C (AWS Site-to-Site VPN) is wrong because it uses the public internet, encrypted over IPsec tunnels, which introduces latency and throughput variability, failing the requirement to bypass the internet. Option D (VPC Peering) is wrong because it connects two VPCs within AWS using private IP addresses, not an on-premises data center, and cannot extend to external networks.

353
MCQmedium

A company runs a critical application on EC2 instances in an Auto Scaling group across two Availability Zones in a VPC. The application communicates with an on-premises database over an AWS Direct Connect private VIF. The network team has configured a VPN connection as a backup. Recently, the application experienced intermittent timeouts when accessing the database. The team suspects asymmetric routing because the primary Direct Connect and backup VPN are both active. The network team wants to ensure that all traffic to the on-premises network uses the Direct Connect when it is available, and only fails over to the VPN if Direct Connect goes down. The BGP sessions are configured on both connections. The Direct Connect advertises the on-premises CIDR of 10.0.0.0/16, and the VPN advertises the same CIDR. The team has access to the on-premises router configuration and AWS console. Which action should the team take to resolve the issue?

A.Add a static route in the VPC route table pointing to the Direct Connect virtual interface for the on-premises CIDR.
B.Configure the on-premises router to prepend one or more AS numbers to the routes advertised over the VPN BGP session.
C.Advertise a more specific prefix (e.g., 10.0.0.0/24) over the VPN BGP session to attract traffic.
D.Disable BGP on the VPN connection and use static routes instead.
AnswerB

AS path prepend makes the VPN route less preferred, so Direct Connect is used.

Why this answer

Option B is correct because BGP prefers the shortest AS path when higher-priority attributes are equal, so prepending on the VPN advertisements makes the VPN path less attractive and Direct Connect is chosen while it is up; when the Direct Connect BGP session drops, the prepended VPN route is the only one left and failover is automatic. Two caveats for practice: for identical prefixes a virtual private gateway already prefers routes learned over Direct Connect to routes learned over VPN, so the prepend mainly reinforces the AWS-bound direction; and to actually remove asymmetry the on-premises router must also prefer the Direct Connect path for traffic toward the VPC (for example with a higher local preference on routes learned over the private VIF). Option A is wrong because VPC route tables cannot point a static route at a virtual interface; hybrid routes are propagated from the virtual private gateway, and a static route would not fail over.

Option C is wrong because a more specific prefix always wins over a less specific one, so advertising 10.0.0.0/24 over the VPN would pull traffic for that range onto the VPN, the opposite of what is wanted. Option D is wrong because replacing BGP with static routes on the VPN removes dynamic failover.
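The following Python model is an added example, not part of the original question, showing the route-selection behaviour behind options B and C: longest prefix match first, then (among equal-length prefixes) higher LOCAL_PREF, then shorter AS_PATH. Other BGP tie-breakers are not modelled, and the ASN 65000, the prefixes and the path labels are constructed for the demo.

```python
"""Simplified BGP best-path selection for a prefix learned over DX and over VPN."""
import ipaddress
from dataclasses import dataclass

ONPREM_AS = 65000  # hypothetical on-premises ASN


@dataclass(frozen=True)
class Path:
    prefix: str
    via: str          # "direct-connect" or "vpn"
    as_path: tuple
    local_pref: int = 100


def best_path(paths):
    """Highest LOCAL_PREF wins, then the shortest AS_PATH; a full tie keeps the first seen."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path)))


def prepend(path, count):
    """What the on-premises router's 'as-path prepend' does: repeat its own ASN in front."""
    return Path(path.prefix, path.via, (ONPREM_AS,) * count + path.as_path, path.local_pref)


def select_route(dest_ip, paths):
    """Longest prefix match comes first; BGP attributes only break ties among equal prefix lengths."""
    addr = ipaddress.ip_address(dest_ip)
    covering = [p for p in paths if addr in ipaddress.ip_network(p.prefix)]
    if not covering:
        return None
    longest = max(ipaddress.ip_network(p.prefix).prefixlen for p in covering)
    return best_path([p for p in covering if ipaddress.ip_network(p.prefix).prefixlen == longest])


DX_ROUTE = Path("10.0.0.0/16", "direct-connect", (ONPREM_AS,))
VPN_ROUTE = Path("10.0.0.0/16", "vpn", (ONPREM_AS,))


def scenario_no_prepend():
    # Identical attributes: the winner depends on tie-breakers, which is the asymmetry risk
    return select_route("10.0.5.9", [VPN_ROUTE, DX_ROUTE]).via


def scenario_prepend():
    # Option B: prepending on the VPN session lengthens its AS_PATH, so Direct Connect wins
    return select_route("10.0.5.9", [prepend(VPN_ROUTE, 3), DX_ROUTE]).via


def scenario_dx_down():
    # Only the prepended VPN route remains, so failover needs no manual action
    return select_route("10.0.5.9", [prepend(VPN_ROUTE, 3)]).via


def scenario_more_specific_over_vpn():
    # Option C: a /24 advertised over the VPN wins for that range however long its AS_PATH is
    vpn_specific = Path("10.0.0.0/24", "vpn", (ONPREM_AS,) * 4)
    return select_route("10.0.0.9", [vpn_specific, DX_ROUTE]).via
```

Run scenario_more_specific_over_vpn() to see why option C backfires: prefix length is evaluated before any BGP attribute, so no amount of prepending on the VPN side can stop a more specific VPN prefix from attracting traffic.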

354
MCQhard

A company uses AWS CloudFormation to deploy a VPC with public and private subnets. The template includes an Internet Gateway and a NAT Gateway. After deployment, instances in the private subnet cannot access the internet. The network engineer checks the route tables and finds that the private subnet route table has a default route pointing to the NAT Gateway. What is the most likely cause of the issue?

A.The NAT Gateway is deployed in the private subnet instead of the public subnet.
B.The security group attached to the NAT Gateway blocks outbound traffic.
C.The private subnet route table does not have a default route (0.0.0.0/0) to the NAT Gateway.
D.The NAT Gateway is in a private subnet and has no route to the internet gateway.
AnswerA

NAT Gateway must be in a public subnet with a route to IGW to function.

Why this answer

Option A is correct because a NAT Gateway lives in one subnet and sends its translated traffic out through that subnet's route table; if the template placed it in the private subnet, which has no 0.0.0.0/0 route to the Internet Gateway, the NAT Gateway itself has no path to the internet even though the private subnet's default route correctly points at it. Option B is wrong because security groups cannot be associated with a NAT Gateway at all; only the network ACL of its subnet applies. Option C contradicts the scenario, which states that the private route table already has the default route to the NAT Gateway.

Option D describes the consequence of option A (no route to the Internet Gateway) rather than the root cause, which is the subnet the template chose for the NAT Gateway.
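As an added check (example code, not from the original page), the function below validates a VPC's NAT topology the way a template linter or a post-deployment test would: every NAT gateway must sit in a subnet whose default route is an internet gateway, and every private subnet must default to a NAT gateway that is not in that same subnet. The subnet and gateway IDs are constructed; the dictionaries mirror what DescribeSubnets, DescribeRouteTables and DescribeNatGateways would give you.

```python
"""Catch a NAT gateway deployed in a private subnet before the instances notice."""


def default_route_target(routes):
    """Target of the 0.0.0.0/0 route, or None when the table has no default route."""
    for route in routes:
        if route["destination"] == "0.0.0.0/0":
            return route["target"]
    return None


def check_nat_topology(subnets, nat_gateways):
    """Return human-readable findings; an empty list means private egress should work."""
    findings = []
    # 1. Each NAT gateway must be in a subnet whose default route goes to an internet gateway
    for nat_id, subnet_id in nat_gateways.items():
        target = default_route_target(subnets[subnet_id]["routes"])
        if not str(target).startswith("igw-"):
            findings.append(
                f"{nat_id} is in {subnet_id}, whose default route is {target!r}; "
                "a NAT gateway needs a public subnet with 0.0.0.0/0 -> igw")
    # 2. Each private subnet must default to a NAT gateway that is not in that same subnet
    for subnet_id, subnet in subnets.items():
        if subnet["tier"] != "private":
            continue
        target = default_route_target(subnet["routes"])
        if not str(target).startswith("nat-"):
            findings.append(f"{subnet_id} default route is {target!r}, expected a NAT gateway")
        elif nat_gateways.get(target) == subnet_id:
            findings.append(f"{subnet_id} routes to {target}, which sits in the same private subnet")
    return findings


# Constructed: the broken template placed the NAT gateway in the private subnet
BROKEN_SUBNETS = {
    "subnet-public": {"tier": "public",
                      "routes": [{"destination": "0.0.0.0/0", "target": "igw-1"}]},
    "subnet-private": {"tier": "private",
                       "routes": [{"destination": "0.0.0.0/0", "target": "nat-1"}]},
}
BROKEN_NAT = {"nat-1": "subnet-private"}

# Constructed fix: same routes, NAT gateway moved to the public subnet
FIXED_NAT = {"nat-1": "subnet-public"}

if __name__ == "__main__":
    for finding in check_nat_topology(BROKEN_SUBNETS, BROKEN_NAT):
        print("FINDING:", finding)
    print("fixed:", check_nat_topology(BROKEN_SUBNETS, FIXED_NAT))
```

The broken topology produces two findings (the NAT gateway has no internet path, and the private subnet's default route loops back into its own subnet); the fixed one produces none. Note that the check never looks at security groups, because a NAT gateway has none.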

355
MCQhard

A company has multiple AWS accounts under AWS Organizations. The security team wants to centrally log all network traffic that is denied by security group rules across all accounts. Which approach meets this requirement with the least operational overhead?

A.Enable AWS Config rules for security group changes and send logs to a central account
B.Create VPC Flow Logs in each account and publish to a central S3 bucket
C.Use AWS CloudTrail to log all API calls and filter for security group events
D.Enable VPC Flow Logs with organization-level aggregation and publish to a central S3 bucket
AnswerD

Organization-level aggregation simplifies cross-account logging of rejected traffic.

Why this answer

VPC Flow Logs record an action of REJECT for traffic that a security group or a network ACL denied (the record does not say which of the two dropped it), and the delivery target can be an S3 bucket in a central logging account whose bucket policy allows delivery from the member accounts. Option D is correct because enabling flow logs across the organization (for example with a CloudFormation StackSet deployed from the management account) and delivering them to that one bucket avoids touching each account by hand. Option A is wrong because AWS Config records configuration changes, not traffic.

Option B is wrong because it requires manual per-account setup. Option C is wrong because CloudTrail records API calls, not network flows.
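Once the flow logs land in the central bucket, the security team still has to read them. The Python below is an added example (not from the original page) that parses records in the documented default v2 field order and summarises REJECT actions per source, the kind of query that turns the central bucket into a detection. The log lines are constructed, not real traffic.

```python
"""Parse VPC Flow Log records (default v2 format) and summarise REJECTs per source."""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one external host probing SSH, RDP and telnet, one accepted
# internal HTTPS flow, one single rejected flow, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51235 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.7 10.0.1.25 44321 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51236 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.25 40001 443 6 5 900 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Yield one dict per record that carries flow data; NODATA/SKIPDATA lines have none."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # not the default format, ignore the line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec


def rejected_ports_by_source(records):
    """Map each source address to the set of destination ports it was denied on."""
    denied = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            denied[rec["srcaddr"]].add(int(rec["dstport"]))
    return dict(denied)


def probing_sources(records, min_ports=3):
    """Sources denied on at least min_ports distinct ports look like port scans."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_LOG))
    print(rejected_ports_by_source(recs))
    print("probing:", probing_sources(recs))
```

Because a REJECT can come from either a security group or a network ACL, attribute a drop to a specific rule by comparing the record's ENI, port and protocol against both rule sets rather than assuming the security group did it.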

356
MCQhard

A company is designing a hybrid network with AWS Direct Connect. They have multiple VPCs in the same Region and want to use a single Direct Connect connection to access all VPCs. Which AWS resource should be used?

A.AWS Transit Gateway
B.AWS Site-to-Site VPN
C.Direct Connect Gateway
D.Virtual Private Gateway
AnswerC

Enables multi-VPC access.

Why this answer

A Direct Connect Gateway is a global resource to which you associate multiple Virtual Private Gateways (over a private VIF) or Transit Gateways (over a transit VIF), in the same or different AWS accounts, enabling a single Direct Connect connection to reach multiple VPCs in the same Region (or in other Regions); a per-gateway association quota applies. This is the correct resource because it is where the Direct Connect virtual interface terminates, and it exchanges routes with the associated VGWs or Transit Gateways over BGP, subject to the allowed prefixes you configure on each association.

Exam trap

The trap here is that candidates often confuse the Direct Connect Gateway with the Transit Gateway, thinking the Transit Gateway alone can terminate the Direct Connect connection, but the Transit Gateway requires a Direct Connect Gateway (via a transit VIF) to be attached to the Direct Connect link.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a regional network transit hub that can interconnect VPCs and on-premises networks, but it does not directly terminate a Direct Connect connection; you still need a Direct Connect Gateway to attach the Transit Gateway to the Direct Connect link. Option B is wrong because AWS Site-to-Site VPN is an IPsec-based connection over the internet, not a dedicated private connection, and it cannot replace the Direct Connect Gateway for aggregating multiple VPCs over a single Direct Connect link. Option D is wrong because a Virtual Private Gateway is a per-VPC attachment point for VPN or Direct Connect, but it cannot be shared across multiple VPCs; using a single VGW would only provide access to one VPC, not all VPCs.

357
Multi-Selecthard

A company is designing a multi-account architecture using AWS Organizations. They want to centrally manage and enforce network security policies across all accounts. Which THREE services or features should they use together to achieve this? (Choose THREE.)

Select 3 answers
A.AWS Network Firewall
B.Service Control Policies (SCPs)
C.Security Groups
D.AWS Config
E.AWS Firewall Manager
AnswersA, B, E

Provides stateful firewall capabilities.

Why this answer

Options A, B, and E are correct. AWS Firewall Manager (E) centrally deploys and audits firewall policies (Network Firewall, WAF and security group policies) across the organization's accounts. AWS Network Firewall (A) provides the stateful inspection engine that those policies deploy into each VPC.

Service Control Policies (B) set guardrails that stop member accounts from disabling or bypassing those controls, for example by denying network-firewall:DeleteFirewall outside the security account. Option D is wrong because AWS Config is a detective control: it records and evaluates configuration but does not enforce it. Option C is wrong because security groups are per-resource controls and are not themselves a central management mechanism (though Firewall Manager can manage them).

358
MCQeasy

A network engineer is troubleshooting an AWS Direct Connect connection that is experiencing high latency. The connection is a 1 Gbps dedicated connection. The engineer notices that the link utilization is at 90%. What is the MOST likely cause of the high latency?

A.The virtual interface is configured as private instead of public
B.BGP keepalive timer misconfiguration
C.High bandwidth utilization causing queuing
D.The use of jumbo frames
AnswerC

Correct; when utilization is high, packets are queued, increasing latency.

Why this answer

Option C is correct because at 90% utilization on a 1 Gbps circuit, packets queue in the egress buffers on both ends of the link, and that queuing delay shows up as added latency and jitter. Option D is wrong because jumbo frames lower per-packet overhead and, if anything, reduce latency for bulk transfers. Option B is wrong because BGP timers affect how quickly a failure is detected and routes converge, not forwarding latency.

Option A is wrong because the virtual interface type (private versus public) only determines which address space is reachable; it has no effect on latency.

359
MCQeasy

A company wants to ensure that all traffic to and from its VPC is inspected by a security appliance. The appliance must be able to inspect traffic between subnets within the VPC. Which architecture should the company use?

A.Use a Gateway Load Balancer with security appliances in a separate inspection VPC and configure route tables to send traffic to the GWLB endpoint.
B.Deploy a NAT Gateway and route all internet traffic through it.
C.Create a VPC Peering connection to a centralized VPC with security appliances.
D.Attach an Internet Gateway and use Security Groups to log traffic.
AnswerA

GWLB provides transparent inspection of all traffic.

Why this answer

Option A is correct because a Gateway Load Balancer (GWLB) with security appliances in a separate inspection VPC allows you to centrally inspect all traffic, including east-west traffic between subnets within the same VPC. Traffic is steered by routing: each subnet route table gets routes to the GWLB endpoint (for east-west inspection, a more specific route for each peer subnet's CIDR that takes precedence over the VPC local route, plus a default or edge route for north-south traffic), and the GWLB encapsulates packets in GENEVE and spreads them across the appliance fleet, so inspection is stateful and the appliances are not a single point of failure. The cost is that every subnet route table must carry those routes, so automate and audit them; a NAT Gateway or Internet Gateway alone never gives you east-west inspection.

Exam trap

AWS often tests the misconception that a NAT Gateway or Internet Gateway can provide full traffic inspection, but they only handle specific traffic types and lack the ability to inspect east-west traffic within a VPC.

How to eliminate wrong answers

Option B is wrong because a NAT Gateway only handles outbound internet traffic from private subnets and cannot inspect inbound traffic or traffic between subnets within the VPC. Option C is wrong because a VPC Peering connection does not inherently route traffic through a central inspection point; it simply connects two VPCs, and you would still need additional routing and appliances to force traffic through the security stack. Option D is wrong because an Internet Gateway provides internet access but does not inspect traffic, and Security Groups are stateful firewalls that operate at the instance level, not as inline inspection appliances for all traffic flows.

360
Multi-Selectmedium

A network engineer is troubleshooting connectivity issues between an Amazon EC2 instance in a public subnet and an on-premises server over AWS Direct Connect. The instance can reach the internet but cannot reach the on-premises server. Which TWO actions should the engineer take to diagnose the issue?

Select 2 answers
A.Check the VPC route table to ensure a route exists for the on-premises CIDR pointing to the virtual private gateway
B.Check the VPN connection status to ensure the tunnel is up
C.Check the security group attached to the EC2 instance to ensure it allows inbound traffic from the on-premises CIDR
D.Enable VPC Flow Logs and analyze them for dropped packets
E.Check the network ACLs for the subnet to ensure they allow inbound traffic from on-premises
AnswersA, C

Correct routing is essential.

Why this answer

Options A and C are correct. The instance reaches the internet, so its subnet's internet path works; what is missing is the hybrid path. The VPC route table must carry the on-premises CIDR pointing at the virtual private gateway (propagated from the BGP session on the Direct Connect private VIF, or added statically), and the instance's security group must allow inbound traffic from the on-premises CIDR for connections the on-premises server initiates (security groups are stateful, so return traffic for connections the instance opens is allowed automatically).

Option E is a later step rather than a first check: the default network ACL allows all traffic, so it is a less likely cause unless custom NACLs are in use. Option D is incorrect because flow logs confirm that packets were rejected but do not by themselves identify the misconfiguration. Option B is incorrect because the link is Direct Connect; no VPN tunnel is involved.

361
MCQeasy

A company wants to connect multiple VPCs across different AWS accounts to a common on-premises network using AWS Transit Gateway. Which resource should be used to allow cross-account VPC attachments?

A.AWS PrivateLink
B.VPC peering connection
C.AWS Organizations
D.AWS Resource Access Manager (RAM)
AnswerD

RAM enables sharing Transit Gateways with other accounts.

Why this answer

AWS Resource Access Manager (RAM) allows sharing Transit Gateways across accounts. VPC peering does not attach to Transit Gateway. AWS Organizations is an organization management service but does not directly share Transit Gateways.

AWS PrivateLink is for private connectivity to services.

362
MCQhard

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks. They have a security requirement that all traffic between VPCs must be inspected by a third-party firewall deployed in a central inspection VPC. The Transit Gateway has route tables configured with blackhole routes for inter-VPC traffic, and the inspection VPC has the firewall. However, traffic is not being inspected; it is being dropped. What is the MOST likely cause?

A.The inspection VPC is not propagating its routes to the Transit Gateway.
B.The firewall appliance is not configured to forward traffic back to the Transit Gateway.
C.The Transit Gateway route tables do not have static routes for the inspection VPC.
D.The Transit Gateway route table for inter-VPC traffic has blackhole routes instead of pointing to the inspection VPC attachment.
AnswerD

Correct: Blackhole routes drop traffic.

Why this answer

Option D is correct because a blackhole route is a deliberate drop: when the route table associated with the spoke VPC attachments holds blackhole routes for the other VPC CIDRs, inter-VPC traffic is discarded at the Transit Gateway before it can reach the inspection VPC. The spoke route table should instead send that traffic (typically with a 0.0.0.0/0 route) to the inspection VPC attachment, and the route table associated with the inspection attachment should hold the routes back to each spoke. Option B is wrong because the firewall's return path is irrelevant while traffic never reaches it.

Option C is wrong because a static route to the inspection attachment is exactly how the fix is normally done; the reported symptom is the blackhole, not a missing static route. Option A is wrong because propagation from the inspection VPC would only install its own CIDR; it has no bearing on where spoke-to-spoke traffic is sent.
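As an added example (not from the original page), the following Python model traces a packet through Transit Gateway route evaluation for the centralized-inspection pattern: each hop uses the route table associated with the attachment the packet entered on, a blackhole target drops it, and a route to the inspection attachment sends it through the firewall and back. Attachment IDs, CIDRs and table names are constructed.

```python
"""Model TGW route-table evaluation for spoke -> inspection -> spoke traffic."""
import ipaddress


def lookup(route_table, dest_ip):
    """Longest-prefix match; returns the target, or None when nothing matches."""
    addr = ipaddress.ip_address(dest_ip)
    hits = [(ipaddress.ip_network(cidr), target) for cidr, target in route_table.items()
            if addr in ipaddress.ip_network(cidr)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def trace(tgw, ingress_attachment, dest_ip):
    """Follow a packet through the TGW until it reaches a spoke attachment or is dropped.

    Each hop consults the route table *associated* with the attachment the packet
    entered on. When the firewall hands the packet back, the ingress attachment is
    the inspection attachment, so the inspection table decides the final hop.
    """
    hops = []
    attachment = ingress_attachment
    for _ in range(4):                       # guard against routing loops
        table = tgw["associations"][attachment]
        target = lookup(tgw["route_tables"][table], dest_ip)
        if target is None or target == "blackhole":
            hops.append("DROP")
            return hops
        hops.append(target)
        if target != tgw["inspection_attachment"]:
            return hops                      # delivered to a spoke VPC
        attachment = target                  # firewall returns the packet to the TGW
    hops.append("LOOP")
    return hops


SPOKE_A, SPOKE_B, INSPECTION = "tgw-attach-vpc-a", "tgw-attach-vpc-b", "tgw-attach-inspection"

# Constructed: the misconfiguration from the question. Spoke-to-spoke traffic hits
# blackhole routes in the spoke table and never reaches the inspection VPC.
BROKEN_TGW = {
    "inspection_attachment": INSPECTION,
    "associations": {SPOKE_A: "spoke-rt", SPOKE_B: "spoke-rt", INSPECTION: "inspection-rt"},
    "route_tables": {
        "spoke-rt": {"10.1.0.0/16": "blackhole", "10.2.0.0/16": "blackhole"},
        "inspection-rt": {"10.1.0.0/16": SPOKE_A, "10.2.0.0/16": SPOKE_B},
    },
}

# Constructed fix: the spoke table defaults to the inspection attachment. A blackhole
# in the *inspection* table is still useful for ranges that must never be reachable.
FIXED_TGW = {
    "inspection_attachment": INSPECTION,
    "associations": {SPOKE_A: "spoke-rt", SPOKE_B: "spoke-rt", INSPECTION: "inspection-rt"},
    "route_tables": {
        "spoke-rt": {"0.0.0.0/0": INSPECTION},
        "inspection-rt": {"10.1.0.0/16": SPOKE_A, "10.2.0.0/16": SPOKE_B,
                          "10.3.0.0/16": "blackhole"},
    },
}

if __name__ == "__main__":
    print("broken:", trace(BROKEN_TGW, SPOKE_A, "10.2.0.5"))   # ['DROP']
    print("fixed: ", trace(FIXED_TGW, SPOKE_A, "10.2.0.5"))    # inspection, then spoke B
```

The model also shows where a blackhole belongs in this design: in the inspection table, after the firewall, so that a spoke route table that defaults to inspection can never be used to skip it.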

363
MCQhard

A company needs to ensure that all API calls to AWS services are logged and monitored for suspicious activity. Additionally, any API call that creates a security group rule should trigger an immediate notification. Which combination of services should be used?

A.VPC Flow Logs and Amazon CloudWatch
B.AWS CloudTrail and Amazon CloudWatch Events
C.AWS Config and Amazon SNS
D.AWS Shield and AWS WAF
AnswerB

CloudTrail logs API calls; CloudWatch Events can trigger alerts.

Why this answer

Option B is correct because CloudTrail records every API call, including AuthorizeSecurityGroupIngress and AuthorizeSecurityGroupEgress, and a CloudWatch Events rule (the service is now Amazon EventBridge) can match those calls as they arrive and invoke a target such as an SNS topic for an immediate notification. Option C is wrong because AWS Config evaluates resource configuration and would notice the new rule only on its next evaluation, not at API-call time. Option A is wrong because VPC Flow Logs capture network flows, not API calls.

Option D is wrong because AWS Shield and AWS WAF are DDoS and web-application protections; neither logs API calls.
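To make the detection concrete, here is an added example (not from the original page) with a constructed EventBridge rule pattern for security-group rule creation and a small matcher implementing EventBridge's basic exact-match semantics: each key in the pattern lists the values the event field may take, and nested objects are matched recursively. Prefix, anything-but and numeric filters are not modelled. The CloudTrail events are constructed, and the helper that extracts world-open ports is an addition for triage.

```python
"""Match CloudTrail API-call events against an EventBridge-style rule pattern."""

# Constructed EventBridge rule pattern for security-group rule creation
SG_RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"],
    },
}


def matches(pattern, event):
    """True when every key in the pattern is present in the event with an allowed value."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(allowed, value):
                return False
        elif value not in allowed:       # list of literals: exact match on any one of them
            return False
    return True


def _cloudtrail_event(event_name, request_parameters):
    # Shape of a CloudTrail API-call event as delivered to EventBridge (constructed)
    return {
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/demo"},
            "requestParameters": request_parameters,
        },
    }


OPEN_SSH = _cloudtrail_event("AuthorizeSecurityGroupIngress", {
    "groupId": "sg-0demo",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
})
READ_ONLY = _cloudtrail_event("DescribeSecurityGroups", {})


def world_open_ports(event):
    """(from, to) port ranges the call opened to 0.0.0.0/0; handy for prioritising the alert."""
    ports = []
    perms = event["detail"]["requestParameters"].get("ipPermissions", {}).get("items", [])
    for perm in perms:
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        if "0.0.0.0/0" in cidrs:
            ports.append((perm["fromPort"], perm["toPort"]))
    return ports


if __name__ == "__main__":
    for ev in (OPEN_SSH, READ_ONLY):
        print(ev["detail"]["eventName"], "->", matches(SG_RULE_PATTERN, ev), world_open_ports(ev))
```

Because the pattern keys on eventName rather than on the rule contents, every authorisation call triggers the notification; the world_open_ports helper is where you would add severity so that 0.0.0.0/0 on 22 or 3389 pages someone while an internal-CIDR change only gets logged.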

364
MCQhard

A financial services company is migrating its on-premises data center to AWS. The company has a three-tier application that consists of web servers, application servers, and a database. The application servers must communicate with the database using a private IP address. The database is hosted on an Amazon RDS for MySQL instance in a private subnet. The application servers are in a public subnet. The company has a security requirement that all traffic between the application servers and the database must be encrypted in transit. The network engineer has created a security group for the RDS instance that allows inbound traffic on port 3306 from the security group of the application servers. The engineer has also enabled encryption at rest for the RDS instance. During a security audit, it is discovered that traffic between the application servers and the database is not encrypted. The application team confirms that the application is configured to connect to the database using standard MySQL client library without any SSL/TLS options. The network engineer must ensure that all traffic between the application servers and the database is encrypted without modifying the application code. What should the network engineer do?

A.Create an AWS Site-to-Site VPN connection between the application servers' subnet and the database subnet to encrypt all traffic.
B.Enable the 'require_secure_transport' parameter in the RDS parameter group and set it to ON.
C.Deploy a Network Load Balancer (NLB) with a TLS listener in front of the RDS instance. Configure the NLB to terminate TLS from the application servers and forward traffic to the RDS instance using TLS.
D.Modify the security group for the RDS instance to only allow traffic from the application servers' security group on port 3306 with the 'tls' protocol.
AnswerC

The NLB can offload TLS encryption, allowing the application to connect without modification while ensuring encryption.

Why this answer

Option C is correct because it moves the TLS handling in front of the database instead of into the application: a Network Load Balancer TLS listener terminates the application servers' connection and the NLB opens a TLS connection to the RDS instance, which requires SSL/TLS to be enabled on the RDS side. In practice, be aware that MySQL negotiates TLS inside its own protocol (the client requests TLS after the server greeting) rather than as a TLS-wrapped TCP stream, and a client with no SSL options would not speak TLS to the listener either, so this design does not behave as described with a real MySQL client; the usual real-world outcome is that a current MySQL client library negotiates TLS by default when the server offers it, and require_secure_transport=ON then rejects any remaining plaintext sessions.

Option B is incorrect in the page's reasoning because require_secure_transport only refuses non-TLS connections; it does not make a client that never requests TLS start using it, so connections would fail rather than become encrypted. Option A is incorrect because a Site-to-Site VPN connects a VPC to an external network, not two subnets of the same VPC, and it would not change what the client sends. Option D is incorrect because security group rules operate on protocol (TCP/UDP/ICMP) and port; there is no 'tls' protocol selector, so a security group cannot enforce encryption.

365
Multi-Selecteasy

Which TWO of the following are benefits of using AWS Global Accelerator? (Choose TWO.)

Select 2 answers
A.Static anycast IP addresses that serve as a fixed entry point
B.Built-in AWS WAF capabilities
C.Content caching similar to CloudFront
D.DNS-based load balancing
E.Improved application performance by using edge locations
AnswersA, E

Provides consistent IP addresses.

Why this answer

Option A (static anycast IP addresses as a fixed entry point) and Option E (improved performance by bringing traffic onto the AWS global network at the nearest edge location) are correct. Option B is wrong because AWS WAF does not attach to a Global Accelerator; it attaches to CloudFront distributions, Application Load Balancers, API Gateway and similar resources. Option C is wrong because Global Accelerator does not cache content; it proxies TCP and UDP flows to your endpoints.

Option D is wrong because Global Accelerator steers traffic with anycast IPs and its own network, not with DNS answers the way Route 53 routing policies do.

366
MCQeasy

A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?

A.Use a public virtual interface (VIF) and route traffic through a NAT gateway.
B.Use a private VIF and establish an IPsec VPN tunnel over the Direct Connect connection.
C.Use a private virtual interface (VIF) and enable encryption on the Direct Connect connection.
D.Use a private VIF and enable TLS on all applications.
AnswerB

IPsec provides encryption over the Direct Connect link.

Why this answer

Option B is correct because AWS Direct Connect does not natively encrypt traffic; it provides a private, dedicated network connection. To meet the encryption requirement, you can establish an IPsec VPN tunnel over the private VIF, which encrypts all traffic between the on-premises network and the VPC. This approach combines the low latency and reliability of Direct Connect with the security of IPsec encryption.

Exam trap

The trap here is that candidates assume Direct Connect inherently encrypts traffic because it is a private connection, but AWS explicitly states that Direct Connect does not provide encryption, so an overlay like IPsec is required.

How to eliminate wrong answers

Option A is wrong because a public VIF provides access to AWS public services (e.g., S3, DynamoDB) but does not encrypt traffic; routing through a NAT gateway adds no encryption and is unrelated to securing the Direct Connect link. Option C is wrong because Direct Connect does not support native encryption at the physical or link layer; there is no option to 'enable encryption' on the connection itself. Option D is wrong because TLS encrypts only application-layer traffic for specific protocols (e.g., HTTPS), not all IP traffic between networks; it does not provide a general-purpose, network-layer encryption solution.

367
MCQmedium

A network engineer runs the above command to list VPC endpoints. The engineer notices that the second endpoint (vpce-0b2c3d4e5f6g7h8i9) does not have a policy document displayed. What does this indicate?

A.The endpoint is configured to use an AWS managed policy that is not shown.
B.The endpoint is not active and needs to be recreated.
C.The endpoint is for DynamoDB, which does not support endpoint policies.
D.The endpoint has the default full-access policy.
AnswerD

If no custom policy is specified, the default policy allows full access.

Why this answer

Option D is correct because every VPC endpoint has a policy; when none is supplied at creation, AWS attaches the default policy, which allows any principal to perform any action on any resource through the endpoint. Option A is wrong because endpoint policies are not AWS managed policies; they are resource-style documents attached to the endpoint itself. Option B is wrong because an endpoint's state is reported in its State field, not inferred from the policy.

Option C is wrong because DynamoDB gateway endpoints support endpoint policies just as S3 gateway endpoints do. The practical point is that an endpoint on the default policy is a data-exfiltration path: from inside the VPC, any bucket or table in the Region, including ones in other accounts, is reachable through it, so restrict the policy (for example with aws:PrincipalOrgID or aws:ResourceOrgID conditions) to the resources and principals you own.
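The command output the question refers to is not reproduced on the page, so the following is an added example, not the original's data: a constructed DescribeVpcEndpoints-style response (endpoint IDs and bucket names are made up; PolicyDocument is a JSON string, as the CLI prints it) and an audit function that flags endpoints still on the default full-access policy, treating a missing PolicyDocument the way the answer describes.

```python
"""Flag VPC endpoints whose policy still allows every action on every resource."""
import json

# Constructed response in the shape the CLI prints
DESCRIBE_VPC_ENDPOINTS = {
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0aaa111",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
            "PolicyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": ["s3:GetObject", "s3:PutObject"],
                               "Resource": ["arn:aws:s3:::demo-bucket/*"]}],
            }),
        },
        {
            "VpcEndpointId": "vpce-0bbb222",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.dynamodb",
            "State": "available",
            # No PolicyDocument key: treated as the default full-access policy
        },
        {
            "VpcEndpointId": "vpce-0ccc333",
            "VpcEndpointType": "Gateway",
            "ServiceName": "com.amazonaws.us-east-1.s3",
            "State": "available",
            "PolicyDocument": json.dumps({
                "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
            }),
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_full_access(policy_document):
    """True for the default endpoint policy: an Allow with Principal, Action and Resource all '*'."""
    if policy_document is None:
        return True
    doc = json.loads(policy_document)
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wide_principal = principal == "*" or principal == {"AWS": "*"}
        if (wide_principal and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


def audit(response):
    """IDs of endpoints that still allow every action on every resource, in response order."""
    return [ep["VpcEndpointId"] for ep in response["VpcEndpoints"]
            if is_full_access(ep.get("PolicyDocument"))]


if __name__ == "__main__":
    print("unrestricted endpoints:", audit(DESCRIBE_VPC_ENDPOINTS))
```

Feed it the parsed output of `aws ec2 describe-vpc-endpoints` from each account and the list it returns is the set of endpoints that would let a compromised instance copy data to a bucket or table you do not own.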

368
MCQmedium

A company has a VPC with public and private subnets. The private subnets need to access the internet for software updates. The company wants to ensure that traffic can only go out to the internet and not be initiated from the internet. Which configuration should be used?

A.Attach an Internet Gateway to the private subnets
B.Deploy a NAT Gateway in a public subnet and update the private subnet route table
C.Set up a VPN connection to an on-premises network
D.Create a VPC endpoint for S3
AnswerB

NAT Gateway provides outbound-only internet access for private instances.

Why this answer

Option B is correct because a NAT Gateway in a public subnet lets private instances initiate outbound connections; the NAT Gateway tracks connection state and only lets the corresponding return traffic back in, so nothing on the internet can open a connection to the private instances through it. Option A is incorrect because an Internet Gateway is attached to the VPC, not to subnets, and a subnet whose default route points at it is public: instances with public IPs become directly reachable from the internet. Option D is incorrect because a VPC endpoint for S3 reaches only S3, not arbitrary internet hosts.

Option C is incorrect because a VPN connection provides private connectivity to an on-premises network, not internet access.

369
Multi-Selecteasy

A solutions architect is designing a VPC with public and private subnets. The application in the private subnet needs to download patches from the internet. Which TWO options allow outbound internet access while keeping the EC2 instance in the private subnet without a public IP address?

Select 2 answers
A.Attach an Internet Gateway to the VPC and assign a public IP to the instance.
B.Set up a Direct Connect connection to an on-premises data center.
C.Create a VPC endpoint for Amazon S3 and update the route table.
D.Establish a VPN connection to a third-party proxy service.
E.Deploy a NAT Gateway in a public subnet and update the private subnet route table to point 0.0.0.0/0 to the NAT Gateway.
AnswersC, E

VPC endpoint allows private access to S3 without internet.

Why this answer

Options C and E are correct. A NAT Gateway in a public subnet, with the private route table's 0.0.0.0/0 pointing at it, lets instances without public IPs open outbound connections to the internet. A gateway VPC endpoint for S3 lets them fetch patches privately when the repository lives in S3 (as the Amazon Linux repositories do); it provides no general internet access, so it only satisfies the requirement for S3-hosted content.

Option A is wrong because assigning a public IP makes the instance publicly addressable, which the question rules out. Option B is wrong because Direct Connect provides private connectivity to a data center, not internet access. Option D is wrong because a VPN to a third-party proxy is an unnecessary external dependency and not a native VPC egress mechanism.

370
MCQmedium

A company is migrating on-premises workloads to AWS using AWS Direct Connect. The company has two Direct Connect connections from different providers for redundancy. Which configuration ensures seamless failover with automatic traffic rerouting?

A.Create two Direct Connect gateways, each attached to a separate Transit Gateway, and advertise the same prefixes via BGP.
B.Use one Direct Connect connection as primary and the other as standby with static routes.
C.Connect both Direct Connect connections to the same Virtual Private Gateway (VGW) and enable BGP.
D.Use a VPN connection over the internet as a backup for the Direct Connect links.
AnswerA

Enables automatic failover using BGP path selection.

Why this answer

Option A is correct because each Direct Connect connection terminates on its own Direct Connect gateway attached to a Transit Gateway, with both advertising the same prefixes over BGP; when one connection or its BGP session fails, its routes are withdrawn and BGP path selection moves traffic to the other connection with no manual action. Option C is wrong because terminating both connections on one virtual private gateway ties redundancy to that single VPC attachment and does not scale beyond one VPC. Option B is wrong because a standby with static routes needs manual intervention to fail over.

Option D is wrong because a VPN over the internet is a lower-bandwidth fallback that does not use the second Direct Connect connection at all; the question asks for failover between the two links.

371
MCQeasy

A company needs to allow a specific IP address range (203.0.113.0/24) to access an Amazon RDS database in a private subnet. The RDS instance is deployed in a VPC with no public access. Which configuration step is required?

A.Add a security group rule allowing inbound traffic from 203.0.113.0/24
B.Create an AWS Site-to-Site VPN connection and update route tables to route the on-premises CIDR to the virtual private gateway
C.Assign a public IP address to the RDS instance
D.Modify the network ACL of the private subnet to allow inbound traffic from 203.0.113.0/24
AnswerB

A VPN provides a secure tunnel from on-premises to the VPC, and route tables direct traffic to the VPN gateway.

Why this answer

RDS instances in a private subnet are not directly accessible from the internet. To allow access from an on-premises network, a VPN or Direct Connect connection is needed. The security group must allow inbound traffic from the on-premises CIDR, and the route tables must route traffic to the VPN/Direct Connect.

Simply adding a security group rule does not provide connectivity; a network path is required.

372
Multi-Selecthard

A company is designing a multi-account AWS environment using AWS Transit Gateway. They have 10 VPCs in separate accounts that need to communicate with each other and with an on-premises network via Direct Connect. Which three components are required to enable this connectivity? (Choose three.)

Select 3 answers
A.AWS Resource Access Manager to share the Transit Gateway with other accounts
B.Direct Connect Gateway attached to the Transit Gateway
C.AWS Transit Gateway in the network account
D.VPC Peering connections between each pair of VPCs
E.AWS Site-to-Site VPN connection from the Transit Gateway to the on-premises network
AnswersA, B, C

RAM allows sharing the Transit Gateway with VPCs in other accounts.

Why this answer

Options A, B, and C are correct. A Transit Gateway in the dedicated network account acts as the hub. AWS Resource Access Manager shares that Transit Gateway with the ten workload accounts so each can create a VPC attachment (the attachment is created in the VPC owner's account and accepted in the network account). A Direct Connect Gateway with a transit virtual interface connects the Transit Gateway to the on-premises network over Direct Connect.

Option D is wrong because VPC peering is unnecessary once the VPCs are attached to the Transit Gateway, which routes between them. Option E is wrong because a Site-to-Site VPN is not required when Direct Connect provides the on-premises path, although it is commonly added as a backup.

373
MCQmedium

A company needs to provide secure access to an Amazon S3 bucket for a third-party partner. The partner has their own AWS account. The company wants to avoid exposing the bucket to the public internet. Which solution meets these requirements?

A.Set up Amazon CloudFront with an origin access identity (OAI)
B.Use pre-signed URLs generated by AWS Lambda
C.Configure an S3 bucket policy that grants access to the partner's AWS account
D.Create a VPC Gateway Endpoint for S3 in your VPC and allow the partner to access the bucket through a VPC peering connection
AnswerD

The endpoint keeps traffic within AWS network; VPC Peering extends access to partner VPC.

Why this answer

Option D is correct because an S3 gateway endpoint keeps access from a VPC on the AWS network, and the design extends that VPC to the partner with VPC peering. A practitioner should know the limitation behind this answer: AWS documents that a gateway endpoint cannot be used from a peered VPC (nor over VPN, Direct Connect or a Transit Gateway), because the route to the endpoint's prefix list exists only in the endpoint's own VPC. If a partner VPC really must reach a bucket privately, use an interface endpoint for S3 (PrivateLink), which peered traffic can reach, or let the partner use their own S3 gateway endpoint and lock the bucket policy down with conditions such as aws:SourceVpce or aws:PrincipalAccount. Option C is wrong because a bucket policy granting the partner's account authorises the principal but says nothing about the network path; the partner could still reach the bucket over the public S3 endpoint. Option B is wrong because pre-signed URLs expire and still traverse the public endpoint.

Option A is wrong because CloudFront with an OAI serves the content through public edge locations, which is the exposure the company wants to avoid.

374
MCQhard

A company is deploying a multi-tier web application on EC2 instances behind an Application Load Balancer (ALB). The security team requires that the web servers only accept traffic from the ALB and that the ALB only accepts traffic from the internet on ports 80 and 443. Additionally, the web servers should be able to make outbound connections to the internet for updates. Which combination of security group rules meets these requirements?

A.Use network ACLs instead: public subnet NACL allow 80/443 inbound, private subnet NACL allow from ALB on app port
B.ALB SG: inbound 0.0.0.0/0 on 80/443, outbound to web SG on app port; Web SG: inbound from ALB SG on app port, outbound to 0.0.0.0/0 on ephemeral
C.ALB SG: inbound 0.0.0.0/0 on 80/443, outbound deny all; Web SG: inbound from ALB SG on app port, outbound allow all
D.ALB SG: inbound 0.0.0.0/0 on 80/443, outbound to web SG on app port; Web SG: inbound from VPC CIDR on app port, outbound to 0.0.0.0/0 on ephemeral
AnswerB

Correct use of security group references.

Why this answer

Option B is correct: the ALB security group allows inbound from 0.0.0.0/0 on 80 and 443 and outbound only to the web security group on the application port, while the web security group allows inbound only from the ALB security group on that port (referencing the security group rather than a CIDR means new ALB nodes are covered automatically) and allows outbound so the servers can reach update repositories. Because security groups are stateful, return traffic for connections the ALB opens needs no outbound rule on the web servers; the outbound rule exists for the updates, and in practice it should allow the destination ports those updates use (80 and 443, plus DNS) rather than the ephemeral range.

Option D is wrong because allowing the whole VPC CIDR on the application port lets any resource in the VPC bypass the ALB. Option C is wrong because an ALB with no outbound rule cannot open connections to its targets: security groups have no deny rules, so "deny all outbound" means an empty outbound rule set, and only return traffic is permitted by state. Option A is wrong because network ACLs are stateless and subnet-scoped; they cannot express "only from the ALB" and are not a substitute for security group references.

375
Multi-Selecthard

Which THREE considerations are important when implementing a multi-region Direct Connect architecture? (Choose 3)

Select 3 answers
A.Ensure Direct Connect connections are in at least two separate geographic locations.
B.Use a single Direct Connect connection to reduce complexity.
C.Connect all Direct Connect connections to the same AWS Direct Connect device.
D.Use diverse paths and providers for the Direct Connect connections.
E.Set up a VPN connection as a backup to Direct Connect.
AnswersA, D, E

Diverse locations provide redundancy against site failures.

Why this answer

To ensure high availability and disaster recovery, you should have Direct Connect connections in at least two separate locations, use diverse paths, and have a backup VPN connection. Using a single location creates a single point of failure. Using the same AWS device also creates a single point of failure.

Direct Connect gateway can be used to associate multiple VPCs.
