AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 376-450

1705 questions total · 23 pages · All types, answers revealed

Page 6 of 23

376
Multi-Select (hard)

A financial services company must meet PCI DSS compliance. They have a VPC with public and private subnets. The private subnets host applications that process credit card data. The security team wants to ensure that no data leaves the VPC to the internet except through a controlled egress point. Which THREE measures should be implemented? (Choose three.)

Select 3 answers
A. Implement a central inspection VPC with AWS Network Firewall to inspect all outbound traffic.
B. Create VPC endpoints for Amazon S3 and DynamoDB to keep traffic within the AWS network.
C. Configure security groups to deny all outbound traffic from private subnets.
D. Attach an Internet Gateway to the VPC and allow all outbound traffic.
E. Deploy a NAT gateway in a public subnet and route private subnet traffic to it for internet access.
Answers: A, B, E

Correct: Central inspection provides controlled egress with inspection.

Why this answer

Option E is correct because a NAT gateway allows outbound traffic from private subnets; on its own it is not controlled egress, but combined with the other measures it forms part of a controlled egress path. Option B is correct because VPC endpoints for S3 and DynamoDB allow access to these services without traversing the internet. Option A is correct because a central inspection VPC with AWS Network Firewall can inspect and allow/deny outbound traffic.

Option D is wrong because an Internet Gateway does not provide controlled egress; it allows direct internet access. Option C is wrong because security groups do not inspect traffic; they are stateful firewalls that only allow/deny based on rules.

377
MCQ (hard)

A network engineer is configuring an AWS Site-to-Site VPN with dynamic routing (BGP). The customer gateway device is a Cisco router. The VPN tunnel is established, but BGP is not forming. Which configuration on the Cisco router is most likely missing?

A. The VPN connection's local IP address.
B. The correct IP address for the tunnel interface.
C. The pre-shared key for IKE phase 1.
D. The BGP neighbor statement with the correct Amazon ASN (64512).
Answer: D

ASN mismatch is a common cause of BGP not forming.

Why this answer

Option D is correct. The BGP neighbor must have the correct ASN; a mismatch prevents session formation. Option C is wrong because the tunnel is already established, so IKE is fine.

Option B is wrong because the tunnel interface is up. Option A is wrong because the problem lies with the routing protocol, not with a VPN parameter.

378
MCQ (easy)

A network engineer is troubleshooting intermittent connectivity issues between an on-premises data center and AWS over a Direct Connect connection. The issue occurs only during peak business hours. CloudWatch metrics show increased latency and packet loss at the Direct Connect virtual interface. What is the MOST likely cause?

A. VPN tunnel misconfiguration over Direct Connect
B. Asymmetric routing between on-premises and AWS
C. BGP peering session flapping
D. Insufficient bandwidth on the Direct Connect connection
Answer: D

Congestion during peak hours causes latency and packet loss.

Why this answer

Option D is correct because insufficient bandwidth leads to congestion during peak hours, causing latency and packet loss. Option B is incorrect because asymmetric routing would cause persistent issues, not intermittent ones. Option C is incorrect because BGP peering issues would cause complete loss, not just latency/packet loss.

Option A is incorrect because VPN over Direct Connect is not a common configuration and would not cause these symptoms.

379
Multi-Select (hard)

A company wants to implement a network monitoring solution that provides real-time traffic analysis and anomaly detection. Which THREE AWS services should be used together?

Select 3 answers
A. AWS Config
B. Amazon GuardDuty
C. VPC Flow Logs
D. AWS CloudTrail
E. Amazon CloudWatch
Answers: B, C, E

GuardDuty provides anomaly detection using VPC Flow Logs data.

Why this answer

The correct answers are B, C, and E. VPC Flow Logs capture traffic, CloudWatch provides metrics and alarms, and GuardDuty provides anomaly detection. Option D is wrong because CloudTrail is for API logs, not traffic analysis.

Option A is wrong because AWS Config is for configuration tracking.

380
MCQ (hard)

A company has deployed a multi-tier application across three VPCs (VPC-A, VPC-B, VPC-C) in the us-east-1 region. Each VPC has its own CIDR block (10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16 respectively). All VPCs are attached to an AWS Transit Gateway. The web tier is in VPC-A, the application tier is in VPC-B, and the database tier is in VPC-C. The application servers in VPC-B need to connect to the database servers in VPC-C on TCP port 3306. The database servers are in a private subnet with a security group (sg-db) that allows inbound traffic from the application server security group (sg-app). The application servers have a security group (sg-app) that allows outbound traffic to the database servers. However, the application servers cannot connect to the database servers. The route tables in VPC-B and VPC-C have routes pointing to the Transit Gateway for the other VPC CIDRs. The Transit Gateway has attachments in all three VPCs and has a default route table with propagation enabled. What is the MOST likely cause of the connectivity failure?

A. The Transit Gateway attachments are not associated with the same route table
B. The network ACLs in VPC-B or VPC-C are blocking the traffic
C. The Transit Gateway does not support transitive routing between VPCs
D. The security group sg-app does not allow outbound traffic to the database server's security group
Answer: A

Correct; without association, routes are not propagated to the attachments.

Why this answer

The most likely cause is that the Transit Gateway attachments are not associated with the same route table. In AWS Transit Gateway, for traffic to flow between VPCs, the attachments must be associated with a route table that contains routes for the destination VPC CIDRs. Even though propagation is enabled on the default route table, if the attachments are associated with different route tables (or the default route table is not shared), transitive routing will fail.

Without a common route table association, the Transit Gateway cannot forward traffic between VPC-B and VPC-C.

Exam trap

The trap here is that candidates assume enabling propagation on the default route table automatically allows all inter-VPC traffic, but they overlook the requirement that all attachments must be associated with the same route table for transitive routing to work.

How to eliminate wrong answers

Option B is wrong because network ACLs are stateless and, by default, allow all inbound and outbound traffic; unless explicitly modified, they would not block TCP port 3306 traffic. Option C is wrong because AWS Transit Gateway natively supports transitive routing between all attached VPCs when route tables are properly configured; this is a core feature of the service. Option D is wrong because the security group sg-app allows outbound traffic to the database servers, as stated in the question; the issue is not with outbound rules but with the Transit Gateway routing configuration.

381
MCQ (easy)

A company is setting up a Direct Connect connection to AWS. They have a virtual private gateway (VGW) attached to their VPC. They need to establish a single logical connection over the Direct Connect link to access all subnets in the VPC. Which resource should they create on the Direct Connect virtual interface?

A. A private virtual interface (VIF) with a BGP session to the VGW.
B. A hosted virtual interface (VIF) provided by an AWS Partner.
C. A public virtual interface (VIF) with a BGP session to the VGW.
D. A transit virtual interface (VIF) to the VGW.
Answer: A

Private VIF allows access to the entire VPC via the VGW.

Why this answer

Option A is correct. A private virtual interface (VIF) allows access to all subnets in the VPC through the VGW. Option C is wrong because a public VIF provides access to public IP addresses.

Option D is wrong because a transit VIF is used with a transit gateway. Option B is wrong because a hosted VIF is a shared connection.

382
MCQ (easy)

A company is deploying a web application in a VPC and wants to protect it from common web exploits like cross-site scripting (XSS). Which AWS service should be used to filter and monitor HTTP requests?

A. Security Group
B. Network ACL
C. AWS WAF
D. AWS Shield Advanced
Answer: C

AWS WAF provides rules to filter HTTP requests and block attacks like XSS.

Why this answer

Option C is correct because AWS WAF is a web application firewall that helps protect web applications from common exploits. Option D is incorrect because AWS Shield Advanced is for DDoS protection. Option B is incorrect because Network ACLs are stateless and operate at the subnet level.

Option A is incorrect because Security Groups are stateful firewalls at the instance level.

383
MCQ (hard)

A company has a Direct Connect connection with a private VIF to a VPC. They want to use BGP to advertise a specific /24 prefix from their on-premises network to AWS. After configuration, the prefix is not visible in the VPC route tables. The BGP session is established. What should the company check?

A. Verify that the prefix is included in the allowed prefixes list for the Direct Connect virtual interface
B. Ensure that route propagation is enabled on the VPC route table
C. Check that the BGP ASN on the customer gateway is unique and not conflicting
D. Add a static route in the VPC route table for the on-premises prefix
Answer: A

The virtual private gateway only accepts prefixes that are in the allowed prefix list.

Why this answer

Option A is correct because the prefix must be allowed by the allowed prefixes list on the virtual private gateway; otherwise, it will not be propagated. Option C is wrong because the BGP session is established, so the ASN is not an issue. Option B is wrong because route propagation is for VPN, not Direct Connect.

Option D is wrong because the VPC route table can have custom routes, but the virtual private gateway will not accept prefixes not in the allowed list.

384
MCQ (medium)

A company has a VPC with an internet gateway and wants to restrict outbound traffic from a private subnet to only allow traffic to specific AWS services, such as S3 and DynamoDB. Which solution should be used?

A. Configure a security group on the instances in the private subnet to allow outbound traffic only to the IP ranges of the AWS services.
B. Use a NAT gateway in the public subnet and add a route to it in the private subnet.
C. Attach an internet gateway to the VPC and add a route to it in the private subnet.
D. Create VPC endpoints for S3 and DynamoDB, and attach a policy to the endpoints to restrict access.
Answer: D

VPC endpoints provide private connectivity to AWS services and can be restricted with policies.

Why this answer

Option D is correct because VPC endpoints (Gateway or Interface) allow private subnet instances to access AWS services without traversing the internet, and they can be combined with bucket/endpoint policies to restrict access. Option B is incorrect because a NAT gateway allows all outbound traffic, not just traffic to specific services. Option A is incorrect because security groups cannot filter by destination service.

Option C is incorrect because an internet gateway would allow unrestricted outbound traffic.

385
Multi-Select (medium)

A company wants to securely store secrets such as database credentials and API keys. Which TWO AWS services can be used for this purpose? (Choose two.)

Select 2 answers
A. AWS Systems Manager Parameter Store
B. Amazon S3
C. AWS CloudFormation
D. AWS Secrets Manager
E. AWS Identity and Access Management (IAM)
Answers: A, D

Parameter Store can store secrets securely with encryption.

Why this answer

Option D (AWS Secrets Manager) and Option A (AWS Systems Manager Parameter Store) are correct. Secrets Manager is designed for secrets with automatic rotation. Parameter Store can store secrets securely with encryption.

Option B (S3) is not secure by default. Option C (CloudFormation) is for infrastructure as code. Option E (IAM) is for users and roles.

386
MCQ (medium)

A network engineer has configured an AWS Site-to-Site VPN connection between a VPC and an on-premises network. The engineer checks the VPN status and sees the output above. What is the MOST likely cause of Tunnel2 being down?

A. The BGP ASN on the on-premises device is misconfigured.
B. The route tables in the VPC do not have a route to the on-premises network.
C. The IKE pre-shared key used for Tunnel2 is incorrect.
D. The IPsec encryption or integrity algorithms do not match between the AWS VPN endpoint and the on-premises device.
Answer: D

Mismatched IPsec parameters cause Phase 2 negotiation failure.

Why this answer

Tunnel2 is down while Tunnel1 is up, indicating a per-tunnel configuration mismatch. The most common cause is a mismatch in IPsec security parameters (encryption, integrity, or DH group) between the AWS VPN endpoint and the on-premises device for that specific tunnel. AWS uses separate pre-shared keys and IPsec settings per tunnel, so a mismatch in algorithms would affect only the misconfigured tunnel.

Exam trap

AWS often tests the distinction between IKE phase 1 (pre-shared key, authentication) and IPsec phase 2 (encryption/integrity algorithms); candidates mistakenly attribute a single tunnel failure to a pre-shared key mismatch, but AWS assigns unique keys per tunnel, so a key error would affect only that tunnel—making algorithm mismatch the more subtle and likely cause when only one tunnel is down.

How to eliminate wrong answers

Option A is wrong because a misconfigured BGP ASN would affect BGP session establishment, but the tunnel itself (IPsec phase 1 and 2) would still come up; the tunnel status shows IPsec layer status, not BGP peering. Option B is wrong because VPC route tables do not affect the tunnel's IPsec negotiation; they only control traffic forwarding once the tunnel is established. Option C is wrong because an incorrect IKE pre-shared key would prevent both IKE phase 1 authentication and the tunnel from coming up, but the question states Tunnel1 is up, and each tunnel uses a unique pre-shared key; if Tunnel2's key were wrong, it would fail, but the more precise cause given the output is an algorithm mismatch, as AWS generates unique keys per tunnel and the key mismatch would be equally likely to affect either tunnel.

387
MCQ (hard)

A company has a multi-account AWS environment using AWS Organizations. They want to centralize VPC flow logs from all accounts into a single Amazon S3 bucket in the management account. The management account S3 bucket policy allows the log delivery service to write logs. However, flow logs are failing to deliver from member accounts. What is the most likely reason?

A. Flow logs cannot be delivered cross-account; they must be in the same account
B. The member account's IAM role for flow logs does not have permission to write to the bucket
C. The S3 bucket policy does not include a principal condition for the member account's log delivery service
D. The S3 bucket uses SSE-KMS encryption and the member account does not have access to the KMS key
Answer: C

The bucket policy must allow the log delivery service from the member account.

Why this answer

Option C is correct because the S3 bucket policy must explicitly allow the log delivery service principal (delivery.logs.amazonaws.com) from the member account to write objects. Option A is incorrect because flow logs can be delivered cross-account with proper permissions. Option B is incorrect because the bucket policy is evaluated, not the member account's VPC flow log role.

Option D is incorrect because encryption is not the issue.

388
MCQ (medium)

A network engineer is troubleshooting connectivity issues from an on-premises data center to an Amazon VPC via an AWS Site-to-Site VPN. The VPN tunnel is up, but ping from an on-premises host (10.0.0.5) to an EC2 instance (172.16.1.10) fails. The VPC CIDR is 172.16.0.0/16. The on-premises CIDR is 10.0.0.0/8. The customer gateway device has a route for 172.16.0.0/16 pointing to the VPN tunnel. The VPC route table has a route for 10.0.0.0/8 pointing to the virtual private gateway. Security groups and NACLs allow ICMP. What is the MOST likely cause?

A. The on-premises host does not have a route to the VPC CIDR
B. The customer gateway device is not configured with the correct pre-shared key
C. The route table associated with the EC2 instance's subnet does not have a route for the on-premises CIDR
D. The virtual private gateway is not attached to the correct VPC
Answer: C

Correct; the subnet route table must include a route for the on-premises CIDR pointing to the virtual private gateway.

Why this answer

Option C is correct. On paper, traffic should flow in both directions: the customer gateway device has a route for 172.16.0.0/16 pointing to the VPN tunnel, so the request from 10.0.0.5 reaches the VPC, and the VPC route table has a route for 10.0.0.0/8 pointing to the virtual private gateway, so the EC2 instance's reply to 10.0.0.5 should be forwarded to the VGW and back through the tunnel. The tunnel is up, so the pre-shared key is correct, and security groups and NACLs already allow ICMP; source/destination checking is not relevant to a simple ping either.

The catch is the phrase "the VPC route table", which refers to the main route table. Each subnet can be associated with its own custom route table, and if the subnet hosting 172.16.1.10 uses a custom route table that lacks the 10.0.0.0/8 route, the instance's replies have no path to the virtual private gateway and the ping fails even though the request arrived. That is exactly what option C describes: the route table associated with the EC2 instance's subnet does not have a route for the on-premises CIDR.

Option A is wrong because the on-premises side already has a route for the VPC CIDR, and option B is wrong because the tunnel is up, which rules out a pre-shared key mismatch.

389
Multi-Select (hard)

A company has a Direct Connect connection with a private VIF to a VPC. They want to add redundant connectivity using a second Direct Connect connection from a different provider. They need to ensure that if the primary connection fails, traffic automatically fails over to the secondary. Which THREE components are required?

Select 3 answers
A. An AWS Site-to-Site VPN as a backup
B. A second private VIF on the same Direct Connect connection
C. A second Direct Connect connection from a different provider
D. A Direct Connect Gateway
E. BGP sessions on both connections advertising the same prefixes
Answers: C, D, E

Diverse provider ensures no single point of failure.

Why this answer

To achieve automatic failover, BGP is required to advertise the same prefixes over both connections. A Direct Connect Gateway aggregates the VIFs and propagates routes to the VPC. A Transit Gateway can be used to manage multiple VIFs, but is not strictly required if using Direct Connect Gateway.

VPN is not involved. A second VIF on the same connection does not provide provider diversity.

390
MCQ (medium)

A company is deploying a VPC with public and private subnets in two Availability Zones. The public subnets contain NAT gateways for outbound internet access from the private subnets. The private subnets host web servers that need to make API calls to an external service over the internet. After implementation, the web servers cannot reach the internet. Which configuration is the most likely cause?

A. The NAT gateway is placed in a private subnet and does not have a route to the internet gateway.
B. The route table for the private subnets is not associated with the VPC's main route table.
C. The private subnets have a default route (0.0.0.0/0) pointing to an internet gateway instead of the NAT gateway.
D. The public subnets have a default route pointing to the NAT gateway instead of the internet gateway.
Answer: A

NAT gateways must reside in a public subnet with a route to an internet gateway. If placed in a private subnet, outbound traffic cannot reach the internet.

Why this answer

Option A is correct because each NAT gateway must be in a public subnet with a route to an internet gateway. If the NAT gateway is in a private subnet, it cannot route traffic to the internet. Option C is incorrect because private subnets do not need default routes to the internet gateway.

Option B is incorrect because route propagation is not required. Option D is incorrect because a NAT gateway route is not a required check for public subnets.

391
MCQ (hard)

A company has a VPC with multiple subnets. An EC2 instance in a private subnet needs to access an S3 bucket to download files. The company wants to avoid using a NAT gateway and minimize latency. Which solution should be used?

A. Create a VPC endpoint for S3 and attach it to the private subnet's route table.
B. Place the instance in a public subnet and use a NAT gateway.
C. Use a VPC endpoint for EC2.
D. Use an internet gateway and a route to 0.0.0.0/0.
Answer: A

Provides private, low-latency access to S3.

Why this answer

Option A is correct because a VPC endpoint for S3 allows private access without a NAT gateway or an IGW. Option C is not for S3. Option B adds latency.

Option D is not for S3.

392
Multi-Select (medium)

A company is designing a highly available network architecture using AWS Direct Connect. Which TWO actions should be taken to ensure redundancy?

Select 2 answers
A. Create a single private VIF on the Direct Connect connection
B. Set up a VPN connection over the internet as a backup
C. Provision two Direct Connect connections at different locations
D. Use a single Direct Connect connection with multiple VIFs
E. Configure BGP with different ASNs on each connection
Answers: C, E

Two connections at different locations provide physical diversity.

Why this answer

Options C and E are correct because using two separate Direct Connect connections and configuring BGP with different ASNs provides path diversity and failover. Option D is wrong because a single connection is a single point of failure. Option B is wrong because a VPN backup over the same internet connection does not provide true diversity.

Option A is wrong because a single VIF on a single connection offers no redundancy.

393
MCQ (easy)

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to add IPv6 connectivity to the VPC and allow resources in a private subnet to access the internet via IPv6. Which design should be used?

A. Allocate an IPv6 CIDR block and add a route to an Internet Gateway from the private subnet.
B. Use a NAT instance with IPv6 support in a public subnet.
C. Allocate an IPv6 CIDR block and use a NAT Gateway for IPv6 traffic.
D. Allocate an IPv6 CIDR block, create an egress-only Internet Gateway, and add a route to it from the private subnet.
Answer: D

Egress-only IGW allows outbound IPv6 traffic but blocks inbound.

Why this answer

An egress-only Internet Gateway (EIGW) is the correct AWS-managed service for enabling outbound-only IPv6 traffic from a VPC's private subnet to the internet, while preventing any unsolicited inbound connections. Unlike an Internet Gateway (IGW), which allows bidirectional traffic, an EIGW is specifically designed for IPv6 and ensures that resources in private subnets can initiate outbound connections without being directly reachable from the internet.

Exam trap

The trap here is that candidates confuse the egress-only Internet Gateway with a NAT Gateway or assume that a standard Internet Gateway can be used for private subnets, not realizing that IPv6 requires a different outbound-only mechanism to maintain subnet privacy.

How to eliminate wrong answers

Option A is wrong because adding a route to an Internet Gateway from a private subnet would make the subnet effectively public, allowing inbound IPv6 traffic and violating the requirement for a private subnet. Option B is wrong because NAT instances do not support IPv6; NAT is an IPv4-only function, and AWS NAT Gateways/instances cannot translate IPv6 traffic. Option C is wrong because a NAT Gateway is designed for IPv4 traffic only and does not support IPv6; using it for IPv6 would fail to provide connectivity.

394
MCQ (easy)

A company uses AWS WAF to protect its web application. The security team wants to block requests that contain SQL injection attempts. Which WAF rule type should be used?

A. Geographic match rule
B. SQL injection match condition
C. IP set rule
D. Rate-based rule
Answer: B

AWS WAF includes managed rules for SQL injection.

Why this answer

Option B is correct because AWS WAF has managed rule groups specifically for SQL injection. Option D is wrong because rate-based rules limit the request rate. Option C is wrong because IP set rules block IP addresses.

Option A is wrong because geo-match rules filter by geography.

395
MCQ (hard)

A company has a VPC with public and private subnets. They want to provide outbound internet access to instances in private subnets while preventing inbound internet traffic. The solution must be highly available and scale automatically. Which combination of services should be used?

A. NAT instances in each Availability Zone
B. VPC endpoint for S3 and DynamoDB
C. Internet Gateway attached to the VPC with route tables pointing to the Internet Gateway
D. NAT Gateway in each Availability Zone with route tables pointing to the NAT Gateway
Answer: D

NAT Gateways are managed, highly available within an AZ, and scale automatically. Using one per AZ provides AZ-level redundancy.

Why this answer

A NAT Gateway in each AZ provides high availability and scales automatically. Route tables direct private subnet traffic to the NAT Gateway. An Internet Gateway is needed for the NAT Gateway to reach the internet.

A NAT instance is a single point of failure and requires manual scaling. A VPC endpoint is for accessing AWS services privately, not for general internet access. An Egress-Only Internet Gateway is for IPv6 only.

396
MCQ (easy)

A security engineer needs to audit all API calls that modify security group rules in a VPC. Which AWS service should be used to record these API calls?

A. AWS CloudTrail
B. Amazon Inspector
C. AWS Config
D. VPC Flow Logs
Answer: A

AWS CloudTrail records API calls for security group modifications, including the caller identity and timestamp.

Why this answer

Option A is correct: AWS CloudTrail records all API calls made to the AWS API, including modifications to security group rules. AWS Config records resource configuration changes but not API calls.

VPC Flow Logs capture network traffic logs, not API calls. Amazon Inspector is for vulnerability assessment.

397
MCQ (medium)

A company uses AWS Client VPN to provide remote access to its VPC resources. Users report that they can connect to the VPN but cannot reach any resources in the VPC. The VPN endpoint is associated with a subnet in VPC A. The VPC's route table has a route for the Client VPN CIDR (10.200.0.0/16) pointing to the VPN endpoint. The security group assigned to the VPN endpoint allows inbound traffic from the VPN clients. What is the most likely cause of the issue?

A. The Client VPN endpoint's authentication is failing.
B. The VPN endpoint is not associated with the correct subnet.
C. The route table in VPC A does not have a route for the Client VPN CIDR.
D. The security group associated with the VPN endpoint does not allow inbound traffic from the VPN client CIDR.
Answer: D

The security group must allow inbound traffic from the client CIDR (10.200.0.0/16) to reach VPC resources.

Why this answer

The most likely cause is that the security group associated with the VPN endpoint does not allow inbound traffic from the VPN client CIDR (10.200.0.0/16). Even though users can connect to the VPN, the security group acts as a virtual firewall for the endpoint; without an inbound rule permitting traffic from the client CIDR, packets from clients are dropped before they can be routed to VPC resources. The question states that the security group allows inbound traffic from 'the VPN clients' but not specifically from the client CIDR range, which is a common misconfiguration.

Exam trap

The trap here is that candidates assume a successful VPN connection implies all traffic is allowed, but AWS security groups operate independently of the VPN tunnel and must explicitly permit traffic from the client CIDR range.

How to eliminate wrong answers

Option A is wrong because if authentication were failing, users would not be able to connect to the VPN at all; the issue is that they can connect but cannot reach resources. Option B is wrong because the VPN endpoint is already associated with a subnet in VPC A, and the question confirms this association; if it were associated with the wrong subnet, the VPN connection itself would likely fail or be misrouted. Option C is wrong because the question explicitly states that the VPC's route table has a route for the Client VPN CIDR (10.200.0.0/16) pointing to the VPN endpoint, so this is not the issue.

398
MCQ (easy)

A network engineer runs the AWS CLI command shown in the exhibit. The VPC has an Amazon Route 53 private hosted zone associated. What is the impact of this setting?

A. No instances in the VPC can resolve DNS records from the private hosted zone.
B. Only instances in public subnets can resolve private hosted zone records.
C. The DHCP option set must be updated to provide DNS resolution.
D. The private hosted zone is automatically deleted.
Answer: A

DNS support disabled means no DNS resolution via VPC.

Why this answer

Option A is correct because when DNS support is disabled, instances in the VPC cannot use the DNS resolution provided by the VPC's Route 53 Resolver, including private hosted zones. Option B is incorrect because the VPC's DNS resolution setting affects all resources, not just those in public subnets. Option D is incorrect because the private hosted zone remains associated but is not resolvable.

Option C is incorrect because the DHCP option set is separate.

399
MCQmedium

A company has an AWS Site-to-Site VPN connection between its on-premises network and a VPC. The tunnel status is up, but traffic from on-premises cannot reach an EC2 instance in the VPC. The instance's security group allows inbound traffic from the on-premises CIDR. Which configuration should be checked first?

A.Ensure the VPN connection is attached to a transit gateway instead of a virtual private gateway.
B.Check the network ACL associated with the EC2 instance's subnet to ensure it allows inbound traffic from on-premises.
C.Verify that the VPC route table includes a route to the on-premises CIDR with the VPN gateway as target.
D.Confirm that BGP session is established and exchanging routes.
AnswerC

Traffic from on-premises enters the VPC via VPN, but the return traffic needs a route back to the VPN gateway.

Why this answer

Option C is correct. The VPC's route table must have a route for the on-premises CIDR pointing to the virtual private gateway. If that route is missing, traffic is not forwarded into the VPN tunnel.

Option B is wrong because network ACLs are stateless and need both inbound and outbound rules, but routing should be checked first. Option A is wrong because the VPN connection terminates on a virtual private gateway, not a transit gateway, unless specifically designed that way. Option D is wrong because the VPN tunnel being up indicates BGP is working; the issue is most likely routing.

400
Multi-Selectmedium

Which THREE of the following are features of AWS Transit Gateway? (Select THREE.)

Select 3 answers
A.Multicast support
B.Built-in NAT capabilities
C.Transitive routing between multiple VPCs
D.Centralized routing and management
E.Edge-to-edge routing for VPN connections
AnswersA, C, D

Transit Gateway supports multicast groups.

Why this answer

Options A, C, and D are correct. Transit Gateway supports transitive routing between attached VPCs, multicast, and centralized routing and management. Option E is incorrect because Transit Gateway does not support edge-to-edge routing for VPN connections.

Option B is incorrect because Transit Gateway does not replace NAT Gateway; NAT is a separate service.

401
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team notices that traffic from an on-premises data center to a VPC is intermittently dropping. CloudWatch metrics show no errors on the Direct Connect virtual interface. What is the most likely cause of the intermittent drops?

A.Latency spikes on the Direct Connect link due to AWS VPN backup path
B.MTU mismatch causing packet fragmentation for jumbo frames
C.BGP keepalive timer mismatch between the on-premises router and the Direct Connect router
D.Asymmetric routing due to missing or incorrect route propagation in Transit Gateway route tables
AnswerD

Asymmetric routing can cause intermittent drops if return traffic takes a different path.

Why this answer

Option D is correct because asymmetric routing causes packet drops when the Transit Gateway does not have a route back to the source. Option C is wrong because a BGP timer mismatch would cause sustained loss rather than intermittent drops. Option B is wrong because an MTU mismatch typically causes loss only for large packets.

Option A is wrong because the VPN backup path would not be in the data path while Direct Connect is in use.

402
MCQeasy

A company wants to centralize VPC flow log management from multiple accounts into a single S3 bucket in the management account. Which combination of AWS services should be used?

A.AWS CloudTrail and Amazon S3
B.AWS Lambda and Amazon S3
C.Amazon Kinesis Data Firehose and Amazon S3
D.AWS Organizations and Amazon S3 bucket policy
AnswerD

Using Organizations, you can set a bucket policy that allows flow logs from member accounts to be delivered to the central bucket.

Why this answer

AWS Organizations with SCP can allow cross-account S3 bucket policies. AWS CloudTrail is not needed for flow logs. Option D is correct.

Options A, B, and C either miss key services or include unnecessary ones.

403
MCQeasy

A company has a VPC with an IPv4 CIDR block of 10.0.0.0/16. They need to connect two separate branch offices using AWS Client VPN. Each branch office has a different subnet: Branch A uses 10.0.1.0/24 and Branch B uses 10.0.2.0/24. The Client VPN endpoint is configured with a CIDR range of 10.0.3.0/24. The route table for the VPC has the local route and routes to the Client VPN endpoint. Users from both branches can connect to the VPN but cannot communicate with each other. What is the most likely reason?

A.The branch subnets 10.0.1.0/24 and 10.0.2.0/24 are part of the VPC CIDR, so the VPC routes traffic locally instead of via the VPN
B.The route tables in the branch subnets do not have routes to the Client VPN endpoint
C.The Client VPN endpoint is configured with a CIDR that overlaps with the branch subnets
D.The security group for the Client VPN endpoint does not allow inbound traffic from branch subnets
AnswerA

Local routes take precedence.

Why this answer

Branch subnets overlap with the VPC CIDR, causing routing conflicts. The VPC sees 10.0.1.0/24 and 10.0.2.0/24 as local, thus traffic destined to those addresses is routed locally within the VPC, not to the VPN. Options B and C are not relevant to inter-branch communication.

Option D would not cause the issue because branch subnets are within the VPC CIDR.

404
MCQhard

A network administrator attached the IAM policy shown to a user. The user tries to create an internet gateway in us-east-1 without any tags. What will happen?

A.The internet gateway creation fails because the first statement does not allow it in us-east-1.
B.The internet gateway is created but the user receives a warning.
C.The internet gateway creation is denied because the Deny statement applies.
D.The internet gateway is created successfully because the first statement allows it.
AnswerC

Without the required tag, the Deny blocks the action.

Why this answer

The first statement allows CreateInternetGateway in us-east-1. The second statement denies CreateInternetGateway if the resource tag 'purpose' is not 'production'. When creating a resource without tags, the condition StringNotEquals evaluates to true (since no tag, it's not equal to 'production'), so the Deny applies.

The Deny overrides the Allow, so the action is denied. Option C is correct.

Option A is wrong because the first statement does allow the action in us-east-1; the failure is caused by the Deny. Option B is wrong because IAM does not create the resource with a warning; an explicit Deny blocks the action outright. Option D is wrong because the Deny is effective.
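The evaluation logic described above, as an added example that is not part of the question bank: a small simulator of IAM's allow/deny decision for a constructed policy shaped like the exhibit (an Allow scoped to us-east-1 plus an explicit Deny conditioned on the request tag `purpose`). The policy, the `aws:RequestedRegion` / `aws:RequestTag/purpose` context keys and the helper names are assumptions for illustration; the point it shows is that a negated operator such as `StringNotEquals` evaluates to true when the key is absent, so an untagged request trips the Deny even though the Allow matches.

```python
"""Simulate IAM allow/deny evaluation for ec2:CreateInternetGateway with a tag condition.

Added example, not the exhibit from the question bank. POLICY is a constructed
stand-in for the exhibit: an Allow scoped to us-east-1 and an explicit Deny when
the request tag 'purpose' is not 'production'.
"""

# Constructed policy: assumed shape of the exhibit, not the page's own document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIgwInUsEast1",
            "Effect": "Allow",
            "Action": "ec2:CreateInternetGateway",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
        {
            "Sid": "DenyUnlessProductionTag",
            "Effect": "Deny",
            "Action": "ec2:CreateInternetGateway",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestTag/purpose": "production"}},
        },
    ],
}


def _condition_matches(condition, context):
    """Evaluate the two condition operators the constructed policy uses.

    StringEquals: the key must be present and equal to the expected value.
    StringNotEquals: a negated operator; when the key is absent from the request
    context it evaluates to true, which is exactly what catches an untagged request.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, action, context):
    """Return 'Deny' if any matching Deny statement applies, 'Allow' if a matching
    Allow applies and no Deny does, otherwise 'ImplicitDeny'.
    An explicit Deny always overrides an Allow, regardless of statement order."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


ACTION = "ec2:CreateInternetGateway"


def untagged_request():
    """The question's scenario: us-east-1, no tags -> the Deny applies."""
    return evaluate(POLICY, ACTION, {"aws:RequestedRegion": "us-east-1"})


def tagged_request():
    """Same request with purpose=production -> the Deny no longer matches."""
    return evaluate(POLICY, ACTION,
                    {"aws:RequestedRegion": "us-east-1", "aws:RequestTag/purpose": "production"})


def wrong_region_request():
    """Tagged correctly but in another region -> no Allow matches (implicit deny)."""
    return evaluate(POLICY, ACTION,
                    {"aws:RequestedRegion": "us-west-2", "aws:RequestTag/purpose": "production"})


if __name__ == "__main__":
    print("untagged, us-east-1:", untagged_request())
    print("tagged, us-east-1:  ", tagged_request())
    print("tagged, us-west-2:  ", wrong_region_request())
```

The `Null` condition operator is the usual way to distinguish "tag missing" from "tag has another value" in real policies; the simulator deliberately leaves it out so the behaviour of the bare `StringNotEquals` in the question is visible.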

405
MCQhard

A company has a VPC with a public subnet hosting a web server and a private subnet hosting a database. The web server must connect to the database on port 3306. Security groups are configured: Web SG allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound to DB SG on port 3306. DB SG allows inbound from Web SG on port 3306. Network ACLs are default. The web server can connect to the database, but the security team notices that the database is also receiving connections from an unexpected IP address. What is the MOST likely cause?

A.The network ACL on the private subnet allows inbound traffic from all IPs.
B.The DB security group has an inbound rule allowing traffic from 0.0.0.0/0 on port 3306.
C.An unauthorized EC2 instance has been launched with the same Web security group attached.
D.Security groups are stateful, so the DB SG automatically allows inbound responses.
AnswerC

Correct: Any instance with Web SG can access DB due to the inbound rule.

Why this answer

Option C is correct because the DB SG inbound rule allows traffic from the Web SG, which covers every instance that has that security group attached; if the Web SG is also attached to other instances (such as an unauthorized instance), those instances can connect as well. Option A is wrong because the question states the NACLs are default, and the default NACL allows all traffic. Option B is wrong because the DB SG does not have an inbound rule from 0.0.0.0/0.

Option D is wrong because the stateful nature of security groups only allows return traffic for established connections; it does not create new, unexpected connections.

406
MCQmedium

A company has a VPC with multiple subnets. They want to monitor all network traffic to and from an EC2 instance for troubleshooting. Which AWS service should they use?

A.Amazon Inspector
B.AWS Config
C.VPC Flow Logs
D.AWS CloudTrail
AnswerC

VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC.

Why this answer

VPC Flow Logs capture IP traffic information and can be used to monitor network traffic. AWS CloudTrail records API calls, not network traffic. Amazon Inspector is for security assessments.

AWS Config tracks resource configuration. Amazon GuardDuty is for threat detection.

407
MCQhard

A network engineer created a VPC endpoint for the service shown in the exhibit. The endpoint is in the 'available' state, but instances in the VPC cannot resolve the private DNS name 'example.com'. What is the most likely cause?

A.The VPC does not have a Route 53 private hosted zone for example.com
B.The VPC does not have an internet gateway
C.The endpoint does not have 'Private DNS names enabled'
D.The security group for the endpoint is blocking DNS traffic
AnswerC

Without enabling this option, the private DNS name is not resolved.

Why this answer

The private DNS name is only resolved via Route 53 private hosted zone if 'Private DNS names enabled' is set. The exhibit shows the service has a PrivateDnsName, but the endpoint must have 'Private DNS names enabled' for resolution to work.

408
MCQmedium

A company has a VPC with public and private subnets. The security team wants to analyze all traffic to and from the internet for security incidents. Which AWS service should be used to capture and analyze this traffic?

A.AWS Shield Advanced
B.AWS Network Firewall
C.AWS WAF
D.VPC Flow Logs
AnswerD

Flow Logs capture IP traffic metadata for analysis.

Why this answer

The correct answer is D because VPC Flow Logs capture IP traffic information for network interfaces, including traffic to and from the internet. Option C is wrong because AWS WAF filters web traffic but does not provide traffic logs. Option A is wrong because AWS Shield Advanced provides DDoS protection, not traffic analysis.

Option B is wrong because AWS Network Firewall provides firewall capabilities but not per-flow traffic logs like Flow Logs.

409
MCQhard

A company has deployed a multi-tier application in a VPC with public and private subnets. The web tier runs on EC2 instances in public subnets, and the application tier runs on EC2 instances in private subnets. The application tier must only accept traffic from the web tier security group. The security group for the application tier has an inbound rule allowing HTTP traffic from the web tier security group. However, the application team reports that the web tier instances cannot connect to the application tier instances. The network administrator has verified that the web tier instances can resolve the private DNS names of the application tier instances, and the route tables are correctly configured. What is the MOST likely cause of the connectivity issue?

A.The application tier instances do not have a route to the web tier instances.
B.The application tier security group's inbound rule is stateful, but the outbound rule is not configured to allow return traffic.
C.The web tier security group's outbound rules do not allow traffic to the application tier security group.
D.The network ACL for the private subnet is blocking inbound traffic from the public subnet.
AnswerC

If the web tier security group does not have an outbound rule allowing traffic to the application tier, connections will fail.

Why this answer

Security groups are stateful, meaning that if you allow inbound traffic, the return traffic is automatically allowed regardless of outbound rules. However, the outbound rules of the initiating security group (the web tier) must permit the traffic to reach the destination. Since the web tier instances initiate the connection to the application tier, the web tier security group's outbound rules must allow HTTP traffic to the application tier security group.

If those outbound rules are missing or too restrictive, the connection will fail even though the application tier's inbound rule is correct.

Exam trap

AWS often tests the misconception that security groups are stateless like network ACLs, leading candidates to incorrectly assume that outbound rules on the destination security group are needed for return traffic, when in fact the issue is the outbound rules on the source security group.

How to eliminate wrong answers

Option A is wrong because the route tables are correctly configured and the web tier can resolve private DNS names, indicating that routing is functional; the application tier does not need a specific route back to the web tier because the VPC's implicit router handles return traffic as long as the destination is within the VPC. Option B is wrong because security groups are stateful, so if the inbound rule allows traffic, the outbound return traffic is automatically permitted regardless of outbound rules; no separate outbound rule is needed for return traffic. Option D is wrong because network ACLs are stateless and must allow both inbound and outbound traffic separately, but the question states route tables are correctly configured and does not mention any NACL misconfiguration; moreover, the default NACL allows all traffic, and custom NACLs would need explicit rules, but the issue is more likely at the security group level given the symptom.
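The stateful rule evaluation described for this question, and the security-group-reference behaviour behind question 405 (any instance carrying the Web SG can reach the database), as one added example that is not part of the question bank. It models security groups in a simplified way: only explicitly listed rules count (an AWS default group's allow-all outbound rule would have to be listed), group ids, instance names and addresses are constructed, and the check asks exactly what AWS asks for a new connection: does the initiator's outbound rule set allow the destination, and does the destination's inbound rule set allow the initiator.

```python
"""Stateful security-group evaluation: which side's rules decide a new connection.

Added example; not the question bank's material and a simplified model of AWS
security groups. Only rules listed here are evaluated. Protocols are 'tcp',
'udp', 'icmp' or '-1' (all traffic). All ids and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str       # 'tcp', 'udp', 'icmp' or '-1' for all traffic
    from_port: int
    to_port: int
    peer: str        # CIDR such as '0.0.0.0/0' or a referenced group id such as 'sg-db'


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    groups: Tuple[str, ...]


def _rule_matches(rule: Rule, proto: str, port: int, peer: Instance) -> bool:
    """A rule matches when protocol and port fit and the peer is either inside the
    rule's CIDR or carries the referenced security group."""
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.peer.startswith("sg-"):
        # A group reference matches every instance that has that group attached,
        # which is why an extra instance given the web group can also reach the DB.
        return rule.peer in peer.groups
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.peer)


def connection_allowed(sgs: Dict[str, SecurityGroup], src: Instance, dst: Instance,
                       proto: str, port: int) -> bool:
    """Security groups are stateful: only the first packet of a connection is
    evaluated. The initiator's OUTBOUND rules must allow the destination and the
    destination's INBOUND rules must allow the initiator. Return traffic is then
    tracked and allowed automatically; no rule on either side is consulted for it."""
    outbound_ok = any(_rule_matches(r, proto, port, dst)
                      for g in src.groups for r in sgs[g].outbound)
    inbound_ok = any(_rule_matches(r, proto, port, src)
                     for g in dst.groups for r in sgs[g].inbound)
    return outbound_ok and inbound_ok


def scenario_web_sg_reused() -> Dict[str, bool]:
    """Constructed version of the web/DB setup from question 405: the DB group
    trusts the Web group, so every instance carrying the Web group, including an
    unexpected one, can open port 3306. The DB cannot initiate towards the web tier."""
    sgs = {
        "sg-web": SecurityGroup("sg-web",
                                inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"),
                                         Rule("tcp", 443, 443, "0.0.0.0/0")],
                                outbound=[Rule("tcp", 3306, 3306, "sg-db")]),
        "sg-db": SecurityGroup("sg-db", inbound=[Rule("tcp", 3306, 3306, "sg-web")]),
    }
    web = Instance("web", "10.0.0.10", ("sg-web",))
    db = Instance("db", "10.0.1.20", ("sg-db",))
    rogue = Instance("rogue", "10.0.0.99", ("sg-web",))   # constructed extra instance
    return {
        "web_to_db": connection_allowed(sgs, web, db, "tcp", 3306),
        "rogue_to_db": connection_allowed(sgs, rogue, db, "tcp", 3306),
        "db_to_web_3306": connection_allowed(sgs, db, web, "tcp", 3306),
    }


def scenario_missing_source_outbound() -> Tuple[bool, bool]:
    """Constructed web/app tiers from question 409: the app group's inbound rule is
    right, but the web group's outbound rule is missing, so the connection fails
    until the outbound rule towards sg-app is added."""
    sgs = {
        "sg-web": SecurityGroup("sg-web", outbound=[Rule("tcp", 443, 443, "0.0.0.0/0")]),
        "sg-app": SecurityGroup("sg-app", inbound=[Rule("tcp", 80, 80, "sg-web")]),
    }
    web = Instance("web", "10.0.0.10", ("sg-web",))
    app = Instance("app", "10.0.2.30", ("sg-app",))
    before = connection_allowed(sgs, web, app, "tcp", 80)
    sgs["sg-web"].outbound.append(Rule("tcp", 80, 80, "sg-app"))
    after = connection_allowed(sgs, web, app, "tcp", 80)
    return before, after


if __name__ == "__main__":
    print(scenario_web_sg_reused())
    print("web -> app before/after adding outbound rule:", scenario_missing_source_outbound())
```

Because the model never consults a rule for return traffic, it also shows why adding outbound rules on the destination group (option B in this question) changes nothing.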

410
Multi-Selectmedium

A company is deploying a multi-tier web application across multiple Availability Zones in a VPC. The architecture includes public-facing Application Load Balancers, Amazon EC2 instances in private subnets, and an Amazon RDS for MySQL Multi-AZ DB instance. To meet compliance requirements, all traffic between the web tier and database tier must be encrypted and must not traverse the internet. Which TWO actions should the company take to implement this securely? (Choose two.)

Select 2 answers
A.Establish an AWS Site-to-Site VPN between the web tier subnets and the database subnet.
B.Create a VPC endpoint for Amazon RDS and route database traffic through it.
C.Enable SSL/TLS encryption on the RDS DB instance and configure the web servers to connect using SSL.
D.Assign an Elastic IP address to the RDS DB instance to ensure a stable IP for the web tier.
E.Use the RDS endpoint (DNS name) that resolves to a private IP within the same VPC.
AnswersC, E

Encrypts traffic between web and database tiers.

Why this answer

Option C is correct because enabling encryption in transit with SSL/TLS between the web tier and RDS for MySQL encrypts the traffic. Option E is correct because using the RDS endpoint, which resolves to a private IP within the same VPC, ensures traffic does not traverse the internet. Option D is incorrect because RDS instances in private subnets do not have Elastic IPs.

Option B is incorrect because the RDS endpoint already provides a private IP within the VPC; VPC endpoints are for services such as S3. Option A is incorrect because a VPN connection is not needed for traffic within the same VPC.

411
MCQhard

A company has a VPC with an IPv4 CIDR of 10.0.0.0/16 and needs to add IPv6 support for its public-facing web application. The application must be accessible via both IPv4 and IPv6. The VPC already has an Internet Gateway attached. What is the correct set of steps to enable IPv6?

A.Assign a custom IPv6 CIDR block from your own range to the VPC and add a route to the Internet Gateway.
B.Associate an Amazon-provided IPv6 CIDR block to the VPC, add a route for ::/0 to the Internet Gateway, and allocate IPv6 addresses to the subnets.
C.Associate an IPv6 CIDR block, create an Egress-Only Internet Gateway, and route ::/0 to it.
D.Associate a /64 IPv6 CIDR block to the VPC, add a route for ::/0 to the Internet Gateway, and assign IPv6 addresses to instances.
AnswerB

Standard procedure for public IPv6 access.

Why this answer

Option B is correct because to enable IPv6 you must associate an Amazon-provided IPv6 CIDR block with the VPC, update the route table to include a route for ::/0 to the Internet Gateway, and ensure the subnets have IPv6 CIDRs. Option D is wrong because you cannot assign a /64 block to a VPC. Option C is wrong because an Egress-Only Internet Gateway is for outbound-only IPv6, not inbound.

Option A is wrong because you cannot assign a custom IPv6 block without requesting it.

412
MCQeasy

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The network team notices that traffic between two VPCs is taking a suboptimal path through the on-premises network instead of staying within AWS. What is the MOST likely cause?

A.The Transit Gateway route tables do not have a route for the destination VPC CIDR, so traffic is sent to the on-premises network via a default route.
B.The subnet route tables in each VPC have a route pointing to the other VPC's CIDR via the Internet Gateway.
C.The VPCs are peered directly, bypassing the Transit Gateway.
D.Security groups are blocking traffic between the VPCs.
AnswerA

Correct: Missing route causes blackhole or fallback to default route.

Why this answer

When a Transit Gateway route table lacks a specific route for the destination VPC CIDR, traffic destined for that VPC is evaluated against the remaining routes. If a default route (0.0.0.0/0) exists pointing to an on-premises network attachment (e.g., a VPN or Direct Connect), the traffic will be forwarded over that path, resulting in a suboptimal route that leaves AWS and re-enters through the on-premises network. This is the most likely cause because the Transit Gateway performs destination-based routing, and missing a specific VPC route forces fallback to the default route.

Exam trap

The trap here is that candidates often assume suboptimal routing is caused by asymmetric routing or security group misconfigurations, but the real issue is a missing specific route in the Transit Gateway route table, causing fallback to a default route that sends traffic on-premises.

How to eliminate wrong answers

Option B is wrong because a subnet route table pointing to an Internet Gateway for another VPC's CIDR would send traffic to the internet, not to the other VPC, and would not cause suboptimal routing through on-premises; it would simply break connectivity. Option C is wrong because if the VPCs were peered directly, traffic would stay within AWS and not traverse the on-premises network, contradicting the observed suboptimal path. Option D is wrong because security groups operate at the instance level (stateful packet filtering) and do not influence routing decisions; they can block traffic but cannot cause traffic to take a different network path.
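Both this question and question 403 come down to destination-based, longest-prefix-match routing: a Transit Gateway table with no specific route falls through to a default route, and a VPC whose local route already covers the branch subnets never consults a VPN route for them. The following is an added example, not code from the question bank, that performs the lookup over constructed route tables; attachment labels such as `tgw-attach-dx` and the non-overlapping branch prefix 192.168.2.0/24 are assumptions for illustration.

```python
"""Longest-prefix-match route lookup, as used by the VPC router and by Transit Gateway route tables.

Added example, not from the question bank. A route table is a list of
(prefix, target) pairs; targets are constructed labels.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]


def lookup(route_table: List[Route], destination: str) -> str:
    """Return the target of the most specific route containing `destination`,
    or 'blackhole' when no route matches."""
    dst = ipaddress.ip_address(destination)
    best_net = None
    best_target = "blackhole"
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def vpc_local_route_scenario() -> Dict[str, str]:
    """Question 403: branch subnets 10.0.1.0/24 and 10.0.2.0/24 sit inside the VPC
    CIDR 10.0.0.0/16, so the local route covers them and traffic for them never
    reaches the Client VPN endpoint. A branch outside the VPC CIDR (constructed
    192.168.2.0/24) is reached via its VPN route, for contrast."""
    vpc_rt: List[Route] = [
        ("10.0.0.0/16", "local"),
        ("192.168.2.0/24", "client-vpn-endpoint"),   # constructed non-overlapping branch
    ]
    return {
        "branch_a_host": lookup(vpc_rt, "10.0.1.10"),
        "branch_b_host": lookup(vpc_rt, "10.0.2.10"),
        "remote_branch_host": lookup(vpc_rt, "192.168.2.10"),
    }


def tgw_missing_route_scenario() -> Tuple[str, str]:
    """Question 412: the Transit Gateway table knows VPC A and has a default route
    towards on-premises. A packet for VPC B matches only the default route until
    VPC B's CIDR is added (or propagated) into the table."""
    tgw_rt: List[Route] = [
        ("10.1.0.0/16", "tgw-attach-vpc-a"),
        ("0.0.0.0/0", "tgw-attach-dx"),     # default towards on-premises over Direct Connect
    ]
    before = lookup(tgw_rt, "10.2.0.25")    # VPC B host: falls through to on-premises
    tgw_rt.append(("10.2.0.0/16", "tgw-attach-vpc-b"))
    after = lookup(tgw_rt, "10.2.0.25")
    return before, after


if __name__ == "__main__":
    print(vpc_local_route_scenario())
    print("VPC B via TGW before/after adding its route:", tgw_missing_route_scenario())
    print("no default route at all:", lookup([("10.1.0.0/16", "tgw-attach-vpc-a")], "10.2.0.25"))
```

Without the default route the same lookup returns `blackhole`, which is the other outcome the summary line for this question mentions; a default route towards on-premises converts a visible blackhole into a silent detour, which is why route tables are worth checking before security groups.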

413
Multi-Selecthard

A security engineer is designing a VPC with public and private subnets. The company requires that instances in the private subnet can initiate outbound connections to the internet but cannot receive inbound connections from the internet. Which TWO components are necessary? (Choose 2)

Select 2 answers
A.VPC Gateway Endpoint for S3
B.Security group allowing inbound traffic from 0.0.0.0/0
C.NAT Gateway in the public subnet
D.Internet Gateway attached to the private subnet
E.Route in the private subnet route table pointing to the NAT Gateway
AnswersC, E

NAT Gateway enables outbound internet from private subnets.

Why this answer

Options C and E are correct. A NAT Gateway in the public subnet allows outbound internet access, and a route in the private subnet's route table pointing to the NAT Gateway sends the private instances' internet-bound traffic to it.

Option D is wrong because an Internet Gateway is attached to the VPC, not to a private subnet. Option A is wrong because a VPC Gateway Endpoint is for AWS services, not the internet. Option B is wrong because a security group allowing inbound from 0.0.0.0/0 contradicts the requirement; a NAT Gateway already ensures no inbound connections are initiated from the internet.

414
MCQmedium

A company has a VPC with a public subnet and a private subnet. The public subnet contains a NAT gateway and a bastion host. The private subnet contains several EC2 instances that need to download software updates from the internet. The security team has configured the following: - A security group on the EC2 instances allows outbound traffic to 0.0.0.0/0 on ports 443 and 80. - The private subnet's route table has a default route (0.0.0.0/0) pointing to the NAT gateway. - The NAT gateway is in the public subnet with an Elastic IP and its security group allows inbound traffic from the private subnet CIDR on ports 443 and 80, and outbound to 0.0.0.0/0 on all ports. Despite this, the EC2 instances cannot reach the internet. What is the most likely cause?

A.The NAT gateway's security group inbound rule is too restrictive
B.The NAT gateway does not have an Elastic IP associated
C.The route table of the private subnet does not have a route to the NAT gateway
D.The EC2 instances' security group does not allow inbound traffic from the NAT gateway
AnswerA

It only allows ports 80 and 443 from the private subnet, but the NAT gateway needs to accept traffic on ephemeral ports for return traffic.

Why this answer

Option A is correct because the NAT gateway's security group inbound rule should allow traffic from the private subnet on ephemeral ports (1024-65535), not just ports 443 and 80. The outbound connection from the EC2 instance uses a random source port, and the NAT gateway must receive that return traffic. Option C is wrong because the route is correct.

Option B is wrong because the NAT gateway is in the public subnet with an EIP, so it can reach the internet. Option D is wrong because the security group on the EC2 instances allows outbound traffic.

415
Multi-Selecthard

Which THREE are benefits of using AWS Transit Gateway over VPC peering in a multi-VPC environment? (Select THREE.)

Select 3 answers
A.Centralized management of network policies
B.Higher bandwidth per connection
C.Simpler configuration for a few VPCs
D.Lower cost compared to VPC peering
E.Transitive routing between all attached VPCs
F.Ability to attach VPN and Direct Connect connections
AnswersA, E

Single point of control.

Why this answer

AWS Transit Gateway provides a centralized hub for managing network policies across multiple VPCs, allowing you to apply consistent routing, security, and access controls from a single point. This eliminates the need to manage individual VPC peering connections and their route tables, reducing operational overhead and the risk of misconfiguration.

Exam trap

AWS often tests the misconception that Transit Gateway always reduces cost or complexity compared to VPC peering, but the trap here is that for small numbers of VPCs (e.g., 2-3), VPC peering is simpler and cheaper, while Transit Gateway's benefits (centralized management, transitive routing, hybrid connectivity) only become advantageous at scale.

416
MCQeasy

A company is running a web application on EC2 instances behind an Application Load Balancer (ALB) in a VPC. The application needs to store session state in an ElastiCache Redis cluster. The Redis cluster should not be accessible from the internet. Which network design should be used?

A.Place the Redis cluster in a public subnet and restrict access via security group.
B.Place the Redis cluster in a private subnet and the EC2 instances in a private subnet, with a NAT Gateway for outbound traffic.
C.Place the Redis cluster in a private subnet and the EC2 instances in a public subnet.
D.Place both the EC2 instances and the Redis cluster in private subnets with appropriate security groups.
AnswerD

Both in private subnets, security groups allow traffic from EC2 to Redis.

Why this answer

The Redis cluster should be in a private subnet to prevent internet access. The ALB is typically in a public subnet or a private subnet with an internet-facing ALB. The EC2 instances should be in a private subnet and access Redis via the private subnet.

Option A is wrong because a public subnet would expose Redis to the internet. Option B is wrong because a NAT Gateway is not needed for communication between private subnets within the VPC. Option C is wrong because the EC2 instances do not need to be in a public subnet; they sit behind the ALB and can stay private.

417
MCQeasy

A company is designing a network for a three-tier web application in a single VPC. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The application servers need to make outbound calls to a third-party API. Which architecture meets these requirements?

A.Web servers in public subnets, application and database servers in private subnets with an internet gateway for outbound traffic.
B.All servers in public subnets with security groups restricting access.
C.Web servers in public subnets with an Application Load Balancer, application servers in private subnets with a NAT gateway, and database servers in private subnets.
D.All servers in private subnets and a VPN connection to the internet.
AnswerC

This follows best practices for a three-tier architecture.

Why this answer

Option C is correct because it places web servers in public subnets with an Application Load Balancer for inbound internet traffic, while application and database servers reside in private subnets without direct internet access. A NAT gateway in a public subnet enables the application servers to initiate outbound connections to a third-party API, with return traffic automatically routed back, meeting the requirement for outbound-only internet access.

Exam trap

The trap here is that candidates often confuse an internet gateway with a NAT gateway, assuming an internet gateway can provide outbound-only access from private subnets, but an internet gateway requires public IPs and allows bidirectional traffic, while a NAT gateway specifically enables outbound-only traffic from private subnets.

How to eliminate wrong answers

Option A is wrong because an internet gateway in a private subnet does not provide outbound-only access; internet gateways require a public IP and route table entry for bidirectional traffic, which would expose private instances to inbound internet traffic, violating the no-direct-internet-access requirement. Option B is wrong because placing all servers in public subnets, even with security groups, still assigns public IPs and allows potential inbound internet access to application and database servers, failing the requirement to restrict their internet access. Option D is wrong because a VPN connection to the internet would route all traffic through a VPN, but private subnets without a NAT gateway or internet gateway cannot initiate outbound connections to the internet; the VPN alone does not provide outbound internet access for private instances.

418
MCQeasy

A company is deploying an application across multiple Availability Zones in a single AWS Region. The application requires that all traffic between EC2 instances in the same subnet be inspected by a network appliance. Which configuration should be used to meet this requirement?

A.Set up a VPC peering connection between the subnets
B.Use a Transit Gateway to route traffic through the appliance
C.Deploy AWS Network Firewall in the subnet
D.Create a Gateway Load Balancer and configure the appliance as a target
AnswerD

GWLB can be used to inspect all traffic between instances in the same subnet via a Gateway Load Balancer Endpoint.

Why this answer

Option D is correct because a Gateway Load Balancer (GWLB), reached through a Gateway Load Balancer Endpoint in the subnet, can steer traffic between instances in the same subnet through the network appliance. Option B is incorrect because a Transit Gateway is used for inter-VPC routing, not intra-subnet inspection. Option A is incorrect because a VPC peering connection connects different VPCs.

Option C is incorrect because AWS Network Firewall inspects traffic at VPC boundaries, not within a subnet.

419
MCQmedium

A security engineer reviews VPC Flow Logs and sees the entries shown. The last entry shows a REJECT for traffic from 203.0.113.5 to 10.0.1.5 on port 443. However, the third entry shows ACCEPT for traffic from 10.0.1.5 to 203.0.113.5 on port 443. What is the most likely reason for the REJECT?

A.The network ACL associated with the subnet of 10.0.1.5 does not allow inbound traffic from 203.0.113.5.
B.AWS WAF is blocking the inbound traffic.
C.The security group attached to the instance 10.0.1.5 does not allow inbound traffic from 203.0.113.5.
D.The route table for the subnet of 10.0.1.5 does not have a route to the internet.
AnswerA

NACLs are stateless and require explicit inbound rules for response traffic.

Why this answer

The flow logs show outbound traffic allowed, but inbound response rejected. This is typical of a stateless firewall rule, such as a network ACL, that allows outbound but not inbound. Security groups are stateful, so they would allow return traffic.

Hence, a NACL is blocking the return traffic. Option A is correct. Option C is wrong because security groups are stateful.

Option D is wrong because a missing route does not produce a REJECT in flow logs. Option B is wrong because WAF operates at layer 7 and its decisions are not visible in flow logs, which record layer 3/4 metadata.
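The pattern this question asks you to recognise, an ACCEPTed outbound flow whose reply is REJECTed, can be found mechanically in flow logs. The following is an added example, not material from the question bank: it parses constructed lines in the default version 2 flow-log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), indexes the ACCEPT records by interface and 5-tuple, and flags every REJECT whose reversed 5-tuple was accepted on the same interface. The ENI id, account id and the unrelated SSH probe and DNS round trip in the sample are constructed.

```python
"""Find return traffic rejected by a stateless filter in VPC Flow Logs.

Added example, not from the question bank. SAMPLE_LOG is constructed in the
default (version 2) flow-log format: version account-id interface-id srcaddr
dstaddr srcport dstport protocol packets bytes start end action log-status.
"""
from typing import Dict, List, Tuple

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: an outbound HTTPS connection from 10.0.1.5 is ACCEPTed and
# the server's reply is REJECTed (the question's symptom); an unsolicited SSH
# probe is rejected as expected; a DNS request and reply are both accepted.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 203.0.113.5 49152 443 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 10.0.0.2 50001 53 17 1 72 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.2 10.0.1.5 53 50001 17 1 120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 41000 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.5 443 49152 6 3 180 1700000001 1700000061 REJECT OK
"""

Flow = Tuple[str, str, str, str, str]   # (srcaddr, dstaddr, srcport, dstport, protocol)


def parse_line(line: str) -> Dict[str, str]:
    """Split one version 2 record into named fields; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def _five_tuple(rec: Dict[str, str]) -> Flow:
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"], rec["protocol"])


def _reverse(t: Flow) -> Flow:
    """Swap source and destination address and port; the protocol stays."""
    return (t[1], t[0], t[3], t[2], t[4])


def find_rejected_return_traffic(log_text: str) -> List[Dict[str, str]]:
    """Return the REJECT records whose reversed 5-tuple was ACCEPTed on the same ENI.

    A reply to an accepted outbound connection is never dropped by a security
    group (stateful), so such a REJECT points at a stateless network ACL that
    lacks an inbound rule for the ephemeral destination port."""
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    accepted = {(r["interface_id"],) + _five_tuple(r) for r in records if r["action"] == "ACCEPT"}
    findings = []
    for r in records:
        if r["action"] == "REJECT" and (r["interface_id"],) + _reverse(_five_tuple(r)) in accepted:
            findings.append(r)
    return findings


def summarize(log_text: str) -> List[str]:
    """One human-readable line per finding, naming the port range to check on the NACL."""
    return [
        f"{r['srcaddr']}:{r['srcport']} -> {r['dstaddr']}:{r['dstport']} REJECT is the reply to an "
        f"ACCEPTed flow on {r['interface_id']}; check the subnet NACL inbound rules for "
        f"ephemeral port {r['dstport']}"
        for r in find_rejected_return_traffic(log_text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

The SSH probe is not flagged because nothing from 10.0.1.5 to 198.51.100.7 was accepted first; only rejected replies to accepted flows are evidence of a stateless rule, which is the distinction the exam is testing.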

420
MCQmedium

A company has a VPC with a public subnet and a private subnet. They have a NAT Gateway in the public subnet. They also have an EC2 instance in the private subnet that needs to access the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. The security group for the EC2 instance allows outbound HTTPS traffic. The network ACL for the private subnet allows inbound and outbound ephemeral ports. However, the EC2 instance cannot reach the internet. The network engineer checks the NAT Gateway and sees that it has an Elastic IP attached. The engineer also checks the route table for the public subnet and finds no route to the internet. What should the engineer do to fix the issue?

A.Deploy a second NAT Gateway in the private subnet.
B.Add a route in the public subnet route table to 0.0.0.0/0 via the internet gateway.
C.Add a route in the private subnet route table to 0.0.0.0/0 via the internet gateway.
D.Attach a second Elastic IP to the NAT Gateway.
AnswerB

This allows the NAT gateway to reach the internet.

Why this answer

Option B is correct. The public subnet needs a route to an internet gateway for the NAT Gateway to forward traffic to the internet. Option C is wrong because the private subnet route is already correct and points to the NAT Gateway.

Option A is wrong because a second NAT Gateway is not needed. Option D is wrong because the NAT Gateway already has an EIP.

421
MCQhard

A company is designing a hybrid network with a Direct Connect connection. The VPC has multiple subnets that need to communicate with on-premises. The company wants to use a single VIF for both private and public traffic. Which type of VIF should be used?

A.Public VIF
B.Hosted VIF
C.A single VIF cannot carry both private and public traffic
D.Private VIF
AnswerC

Private and public VIFs are separate; you need two VIFs.

Why this answer

Option C is correct because a private VIF provides access to VPCs via private IP addresses, while a public VIF provides access to public AWS services; a single VIF cannot carry both. Option D is wrong because a private VIF is for VPC access only, but the question asks for both private and public traffic.

Option A is wrong because a public VIF only provides access to public AWS services, not VPCs. Option B is wrong because a hosted VIF is a type of private VIF but still only private.

422
MCQmedium

A company has a VPC with an Application Load Balancer (ALB) in front of EC2 instances. The security group for the ALB allows inbound HTTP traffic from 0.0.0.0/0. The security group for the EC2 instances allows inbound traffic only from the ALB security group. However, the health checks are failing. What is the most likely cause?

A. The target group is not configured with the correct health check path
B. The ALB is in a private subnet
C. The EC2 security group does not allow inbound traffic from the ALB security group
D. The ALB security group does not allow outbound traffic
Answer: C

Health checks originate from ALB; security group must allow from ALB.

Why this answer

Option C is correct because ALB health checks come from the ALB's private IP addresses, which are in the VPC CIDR; the security group must allow traffic from the ALB security group, not from the internet. Option A is wrong because the target group configuration is separate. Option B is wrong because the ALB subnet is not relevant.

Option D is wrong because the ALB security group is correct.

423
MCQ (easy)

A company is using AWS Direct Connect to connect its on-premises data center to a VPC. The company wants to use a single Direct Connect connection to connect to multiple VPCs in different AWS accounts. Which AWS service should be used to achieve this?

A. Direct Connect Gateway
B. Transit Gateway
C. AWS Site-to-Site VPN
D. VPC Peering
Answer: A

Direct Connect Gateway enables connectivity to multiple VPCs over a single Direct Connect connection.

Why this answer

A Direct Connect Gateway allows a single Direct Connect connection to be associated with multiple VPCs across accounts and regions. Option C is wrong because a VPN connection is separate. Option B is wrong because a transit gateway is used for inter-VPC routing but not directly for Direct Connect.

Option D is wrong because VPC peering does not extend Direct Connect.

424
Multi-Select (medium)

Which TWO options are valid methods to connect a VPC to an on-premises network? (Choose 2)

Select 2 answers
A. Internet gateway
B. AWS Direct Connect
C. VPC endpoint
D. VPC peering connection
E. AWS Site-to-Site VPN
Answers: B, E

Direct Connect provides a dedicated private connection from on-premises to AWS.

Why this answer

AWS Site-to-Site VPN and AWS Direct Connect are the two primary services for hybrid connectivity. VPC peering is for VPC-to-VPC, not on-premises. VPC endpoints are for accessing AWS services privately.

Internet gateway is for public internet access.

425
MCQ (easy)

A company is using AWS Transit Gateway to connect multiple VPCs and an on-premises network via AWS Direct Connect. They need to ensure that traffic between VPCs is inspected by a centralized security appliance. How should they design the routing?

A. Use Network ACLs on the subnets to restrict traffic and allow inspection.
B. Create VPC peering connections between all VPCs and route traffic through a security appliance in a central VPC.
C. Use security groups on the security appliance to inspect traffic.
D. Create a Transit Gateway with separate route tables. Attach each VPC and the Direct Connect virtual interface to the Transit Gateway. In the route tables, propagate routes and add static routes to send inter-VPC traffic to the security appliance VPC.
Answer: D

Transit Gateway route tables allow you to centralize routing through an inspection VPC.

Why this answer

Option D is correct because AWS Transit Gateway supports separate route tables, allowing you to isolate traffic domains. By attaching each VPC and the Direct Connect virtual interface to the Transit Gateway, you can create a centralized inspection VPC. Static routes in the Transit Gateway route tables direct inter-VPC traffic to the security appliance VPC, ensuring all traffic between VPCs is inspected before reaching its destination.

Exam trap

The trap here is that candidates often confuse the transitive routing capability of Transit Gateway with VPC peering, assuming VPC peering can route through a central VPC, but VPC peering does not support transitive routing, making Option B invalid.

How to eliminate wrong answers

Option A is wrong because Network ACLs are stateless and operate at the subnet level, not at the routing level; they cannot redirect traffic to a centralized security appliance for inspection. Option B is wrong because VPC peering connections do not support transitive routing, meaning traffic between VPCs cannot be routed through a central VPC without complex and non-scalable configurations. Option C is wrong because security groups are stateful and apply to individual ENIs, not to routing; they can filter traffic but cannot force traffic to traverse a security appliance for inspection.

426
MCQ (hard)

A company uses AWS CloudFormation to deploy resources. The security team wants to ensure that no IAM user can modify the stack set if they are not authorized via a specific IAM policy. Which feature should be used?

A. AWS Config rule with remediation
B. CloudFormation stack policy
C. Service control policy (SCP) in AWS Organizations
D. IAM permissions boundary
Answer: C

An SCP can deny CloudFormation actions across accounts.

Why this answer

Option C is correct because a service control policy (SCP) can be used to deny CloudFormation actions at the organization level. Option B is wrong because stack policies protect resources within a stack, not who can update the stack. Option D is wrong because IAM policies are account-specific and can be overridden by administrators.

Option A is wrong because AWS Config does not prevent modifications.

427
MCQ (hard)

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to communicate with an on-premises server using an IPsec VPN. The company has set up a Virtual Private Gateway (VGW) and a Customer Gateway (CGW) with a Site-to-Site VPN connection. The VPN tunnel is established. However, the EC2 instance cannot ping the on-premises server. The security groups and network ACLs allow all traffic. What is the most likely cause?

A. The VGW is not configured with the correct BGP ASN
B. The VGW is not attached to the VPC
C. The VPN tunnel is not in the UP state
D. The private subnet route table does not have a route for the on-premises CIDR pointing to the VGW
Answer: D

Without this route, traffic from the instance to on-premises is dropped.

Why this answer

Option D is correct because the private subnet route table must include a route for the on-premises CIDR pointing to the VGW. Option A is wrong because the VPN is established. Option B is wrong because the VGW is attached and the VPN is established.

Option C is wrong because the VPN is up.

428
MCQ (hard)

A company has a Direct Connect connection with a private VIF to a VPC. They also have a VPN connection as a backup. They want to ensure that traffic always uses the Direct Connect connection when it is available, and only fails over to the VPN if Direct Connect goes down. How should they configure routing?

A. Advertise a more specific prefix over Direct Connect and a less specific prefix over VPN.
B. Use static routes pointing to the Direct Connect virtual interface with a lower metric than the VPN route.
C. Advertise the same prefix over both connections but with a lower AS path length over Direct Connect.
D. Advertise the same prefix over both connections but set a higher weight on the VPN BGP session.
Answer: A

BGP always prefers the most specific prefix (longest match). This ensures Direct Connect is used when available.

Why this answer

By advertising a more specific prefix (e.g., /24) over Direct Connect and a less specific prefix (e.g., /16) over VPN, BGP will prefer the more specific route. Option C (same prefix with lower AS path) is incorrect because AS path length is considered after prefix length. Option B (a lower metric on the Direct Connect route) could work, but the standard approach is prefix length.

Option D (VPN with higher weight) is not a standard BGP attribute.

429
MCQ (medium)

A company has a VPC with multiple subnets. The network ACL for a subnet is configured to deny all inbound traffic. A security group attached to an EC2 instance in that subnet allows SSH from a specific IP range. Will SSH traffic from that IP range reach the instance?

A. Yes, because the security group allows SSH.
B. No, because the network ACL denies all inbound traffic.
C. Yes, because the security group overrides the network ACL.
D. It depends on the rule number order in the network ACL.
Answer: B

The network ACL is stateless and denies all inbound traffic, so the traffic is blocked.

Why this answer

Option B is correct because network ACLs are stateless and deny all inbound traffic, so even though the security group allows SSH, the network ACL will block the traffic before it reaches the instance. Option A is wrong because security groups are stateful but are evaluated after network ACLs. Option C is wrong because the network ACL operates at the subnet level.

Option D is wrong because the order does not matter for stateless ACLs.

430
Multi-Select (medium)

Which TWO of the following are true about using a Network Load Balancer (NLB) with AWS PrivateLink? (Choose 2.)

Select 2 answers
A. NLB supports Server Name Indication (SNI)
B. NLB can perform TLS termination
C. NLB supports sticky sessions by default
D. NLB can be assigned Elastic IPs
E. NLB can be used as a service provider in a VPC endpoint service
Answers: D, E

NLB supports static IPs via Elastic IPs.

Why this answer

Option D is correct because a Network Load Balancer (NLB) supports the assignment of Elastic IPs (EIPs) per Availability Zone, which provides a static, fixed IP address for the NLB. This is critical for AWS PrivateLink, as the service provider's VPC endpoint service uses the NLB's IP addresses to accept traffic from consumer VPCs, ensuring the endpoint remains reachable even if the underlying instances change.

Exam trap

The trap here is that candidates often confuse NLB's ability to be assigned Elastic IPs with the misconception that NLB can terminate TLS or support SNI, but NLB is a Layer 4 load balancer and does not inspect HTTP headers, making SNI impossible, while TLS termination is an optional feature not inherent to PrivateLink usage.

431
Multi-Select (easy)

A company wants to restrict access to an S3 bucket so that only traffic from a specific VPC can read objects. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A. Assign a security group to the VPC endpoint that allows inbound traffic from the VPC.
B. Create an S3 bucket policy with a condition that allows access only from the VPC endpoint.
C. Attach a VPC endpoint policy that allows the desired actions on the S3 bucket.
D. Configure a network ACL on the subnet to deny all inbound traffic except from the VPC.
E. Use an IAM role to grant the VPC access to the S3 bucket.
Answers: B, C

Correct: S3 bucket policies can use aws:SourceVpce condition to restrict access.

Why this answer

Option B is correct because an S3 bucket policy can use the aws:SourceVpce condition key to allow access only from a specific VPC endpoint. Option C is correct because a VPC endpoint policy controls what actions principals within the VPC can perform on the S3 bucket. Option D is wrong because NACLs are stateless and not designed for this purpose; they control traffic at the subnet level but cannot enforce S3 bucket access.

Option A is wrong because Security Groups do not apply to VPC endpoints; they are for EC2 instances. Option E is wrong because IAM roles do not restrict traffic origin; they grant permissions to identities.

432
MCQ (easy)

A company uses AWS CloudFormation to manage its network infrastructure. After a recent update, the stack fails to update, with an error indicating that a security group rule conflicts with an existing rule. What is the most likely cause?

A. The CIDR block in the rule is not in the same VPC.
B. The referenced security group was deleted outside of CloudFormation.
C. The stack update exceeded the service quota for security groups.
D. The template attempts to add a security group rule that already exists.
Answer: D

AWS rejects duplicate rules to avoid ambiguity.

Why this answer

Option D is correct because a duplicate security group rule (same protocol, port, and source) causes a conflict. Option A is wrong because it would cause a different error. Option C is wrong because it would not cause a conflict error.

Option B is wrong because a missing referenced security group would produce a different error, not a rule conflict.

433
MCQ (hard)

A company has a VPC with multiple subnets across two AZs. The VPC is connected to an on-premises data center via AWS Direct Connect. The company wants to ensure that traffic between the VPC and on-premises is load-balanced across two Direct Connect virtual interfaces (VIFs) for high availability. Which configuration should be used?

A. Configure two VIFs and use BGP to advertise the same prefixes with equal metrics to enable ECMP.
B. Configure a VPN connection over each VIF and use equal-cost routes between the VPN tunnels.
C. Configure a single Direct Connect VIF with a 10 Gbps connection and a single BGP session.
D. Configure two VIFs with static routes pointing to different on-premises IPs.
Answer: A

BGP ECMP allows load balancing across multiple VIFs.

Why this answer

Option A is correct because using BGP routing with equal-cost multipath (ECMP) across two VIFs allows traffic to be load-balanced. Option C is wrong because a single VIF is a single point of failure. Option D is wrong because static routes do not provide load balancing; one route is typically preferred.

Option B is wrong because a VPN over the VIFs adds overhead and does not provide native load balancing.

434
MCQ (medium)

A company wants to centralize logging of VPC Flow Logs from multiple accounts into a single Amazon S3 bucket. The logs must be encrypted at rest using an AWS KMS CMK. What is the recommended approach?

A. Enable encryption on VPC Flow Logs using a KMS key in each account and aggregate logs using AWS Logs cross-account subscription.
B. Create a centralized S3 bucket with default encryption using a KMS CMK and a bucket policy that allows cross-account writes from the source accounts.
C. Create a bucket with SSE-S3 encryption and have each account write flow logs directly.
D. Use a single bucket with a bucket policy that denies access unless encryption headers are present, and use a KMS key shared across accounts.
Answer: B

This ensures encryption and centralized logging.

Why this answer

Option B is correct because using a centralized S3 bucket with appropriate bucket policies to allow cross-account writes and enabling default encryption with a KMS CMK is the best practice. Option C is wrong because SSE-S3 is not a CMK. Option A is wrong because enabling encryption at the flow log level uses SSE-S3 or CloudWatch Logs encryption, not S3 bucket encryption.

Option D is wrong because bucket policies control access, not encryption.

435
MCQ (medium)

A company is designing a multi-account architecture using AWS Transit Gateway. They need to isolate development and production environments but allow shared services account access to both. What is the most scalable and secure design?

A. Use a single Transit Gateway and configure separate route tables for each environment, attaching VPCs from each account.
B. Use a single Transit Gateway with one route table for all environments and implement security groups to isolate traffic.
C. Create two Transit Gateways: one for development and one for production. Share the Transit Gateways with the shared services account via AWS Resource Access Manager.
D. Use VPC Peering between each VPC and the shared services VPC, and set up Internet Gateway for each environment.
Answer: C

Correct: Separate Transit Gateways provide full isolation, and RAM enables shared services.

Why this answer

Option C is correct because separate Transit Gateways with resource sharing provide complete isolation. Option A is wrong because a single Transit Gateway with separate route tables still has a shared control plane. Option D is wrong because VPC Peering does not scale.

Option B is wrong because a single Transit Gateway with one shared route table does not isolate traffic.

436
MCQ (easy)

A network engineer needs to monitor the network traffic between EC2 instances in a VPC. Which AWS service should be used to capture IP traffic information?

A. VPC Flow Logs
B. AWS Config
C. AWS CloudTrail
D. Amazon CloudWatch Logs
Answer: A

VPC Flow Logs capture IP traffic information for network interfaces.

Why this answer

Option A is correct because VPC Flow Logs capture IP traffic information for network interfaces. Option D is wrong because CloudWatch Logs can store logs but does not capture network traffic. Option B is wrong because AWS Config tracks resource configuration changes.

Option C is wrong because CloudTrail records API calls.

437
MCQ (easy)

A security engineer needs to audit all changes to security group rules in an AWS account. Which AWS service should be used to record these changes?

A. VPC Flow Logs
B. AWS CloudTrail
C. AWS Config
D. Amazon CloudWatch Logs
Answer: B

CloudTrail records API activity.

Why this answer

Option B is correct because AWS CloudTrail records API calls, including changes to security group rules. Option C is wrong because AWS Config records configuration changes but not API calls. Option D is wrong because CloudWatch Logs is for log storage, not recording API calls.

Option A is wrong because VPC Flow Logs capture network traffic, not API calls.

438
MCQ (medium)

A company has a hybrid network architecture with multiple VPCs connected via a transit gateway and on-premises via Direct Connect. The network team wants to automate the response to a BGP session failure on a Direct Connect virtual interface. Which AWS service can be used to monitor the BGP status and trigger an automated action?

A. AWS Lambda with VPC Flow Logs
B. AWS Systems Manager Automation
C. AWS CloudWatch Events (EventBridge) with Direct Connect BGP metric alarms
D. AWS Config rules
Answer: C

EventBridge can trigger actions based on CloudWatch alarms for BGP status.

Why this answer

Option C is correct because AWS CloudWatch Events (EventBridge) can monitor Direct Connect BGP session status via the `bgp_session_state` metric in the `AWS/DX` namespace. When the BGP session transitions to the `down` state, you can create an EventBridge rule that triggers an automated action, such as invoking a Lambda function or sending an SNS notification, enabling a rapid response to BGP failures without manual intervention.

Exam trap

AWS often tests the misconception that VPC Flow Logs or AWS Config can monitor BGP status, but candidates must remember that BGP is a control-plane protocol and only Direct Connect metrics in CloudWatch provide the BGP session state for automation.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture IP traffic metadata (e.g., source/destination IPs, ports, protocols) and cannot monitor BGP session state, which is a Layer 3 control-plane protocol between routers. Option B is wrong because AWS Systems Manager Automation is designed for operational tasks on EC2 instances and on-premises resources (e.g., patching, configuration), not for reacting to real-time network events like BGP session failures. Option D is wrong because AWS Config rules evaluate resource configurations for compliance (e.g., checking if a Direct Connect virtual interface has the correct VLAN ID) but cannot monitor dynamic BGP session state changes or trigger actions based on metric thresholds.

439
MCQ (easy)

A company is designing a VPC for a three-tier application (web, application, database). The database tier should not be accessible from the internet, but the web tier must be accessible. Which subnet design should the network engineer use?

A. Place web and app servers in public subnets, and database servers in private subnets.
B. Place all servers in private subnets and use a NAT Gateway for internet access.
C. Place web servers in public subnets with an internet gateway, and app and database servers in private subnets.
D. Place all servers in public subnets and rely on security group rules to restrict access.
Answer: C

This follows the traditional security model of isolation for backend tiers.

Why this answer

Option C is correct because it places the web servers in a public subnet with an Internet Gateway (IGW) to allow inbound HTTP/HTTPS traffic from the internet, while the application and database servers are placed in private subnets with no direct internet path. This design ensures the database tier is isolated from the internet, meeting the security requirement, while the web tier remains accessible. The application servers can communicate with the database via private IP addresses within the VPC, and outbound internet access for the private subnets (if needed) can be provided through a NAT Gateway in a public subnet.

Exam trap

The trap here is that candidates often assume placing all servers in private subnets with a NAT Gateway provides inbound internet access, confusing outbound-only NAT with the inbound access required for the web tier, or they mistakenly think security groups alone can fully replace subnet-level isolation in a public subnet.

How to eliminate wrong answers

Option A is wrong because placing both web and app servers in public subnets exposes the application tier to the internet unnecessarily, increasing the attack surface and violating the principle of least privilege; the app tier should remain private to mediate traffic between web and database tiers. Option B is wrong because placing all servers in private subnets with a NAT Gateway only provides outbound internet access, not inbound access from the internet; the web tier would not be accessible to external users without an Internet Gateway and a public subnet. Option D is wrong because placing all servers in public subnets and relying solely on security group rules does not prevent direct internet access to the application and database tiers; security groups are stateful firewalls but do not replace the network-level isolation provided by private subnets, and a misconfiguration could expose sensitive tiers.

440
MCQ (hard)

A Network Engineer is troubleshooting a cross-account VPC endpoint connection. The service provider account (123456789012) has the above IAM policy attached to the endpoint service. The consumer account (111111111111) has created a VPC endpoint (vpce-abc123) and is trying to accept the connection. The consumer receives an 'AccessDenied' error when calling ec2:AcceptVpcEndpointConnections. What is the MOST likely cause?

A. The policy action should be 'ec2:CreateVpcEndpoint' instead.
B. The policy condition 'aws:SourceArn' does not match the consumer's endpoint ARN.
C. The policy resource ARN is incorrect; it should be the endpoint service ARN.
D. The consumer account does not have permission to accept the connection; only the service provider can accept.
Answer: D

The AcceptVpcEndpointConnections API is called by the service provider, not the consumer. The consumer must wait for the provider to accept.

Why this answer

Option D is correct. The policy allows the ec2:AcceptVpcEndpointConnections action, but that action is performed by the service provider, not the consumer. The consumer creates the endpoint; acceptance is done by the provider.

The error occurs because the consumer does not have permission to call AcceptVpcEndpointConnections on the provider's endpoint service. The policy in the provider account allows the provider to accept connections from the specified consumer endpoint, but the consumer is attempting to accept the connection itself, which is not allowed. The provider must accept the connection from the provider account. Alternatively, the consumer might be trying to modify the endpoint to auto-accept, but that also requires permissions.

The answer is therefore D: the consumer does not have the required permissions to accept the connection on the provider's endpoint service.

441
MCQ (hard)

A company is deploying a multi-tier application across multiple VPCs connected via AWS Transit Gateway. The web tier must be able to initiate connections to the app tier, but the app tier must not be able to initiate connections to the web tier. How can this be achieved?

A. Configure network ACLs on the web tier subnets to allow outbound traffic and deny inbound from app tier.
B. Establish VPC peering between the web and app VPCs and restrict routes.
C. Use security groups across the VPCs by referencing each other's CIDR blocks.
D. Deploy a centralized firewall appliance in a shared VPC and use Transit Gateway to route all inter-VPC traffic through it.
Answer: D

Enables stateful inspection and unidirectional rules.

Why this answer

Option D is correct because a stateful network firewall appliance in a central VPC can enforce unidirectional traffic rules. Transit Gateway route tables can direct traffic to the firewall VPC for inspection, and the firewall rules allow only web-to-app traffic. Option A is wrong because NACLs are stateless and cannot track connection state.

Option B is wrong because VPC peering does not provide transitive routing. Option C is wrong because security groups are stateful but cannot be applied across VPCs.

442
MCQ (medium)

A company has a Direct Connect connection with a private VIF to a VPC. They want to add a second Direct Connect connection for redundancy. The two connections will terminate on different AWS Direct Connect locations. Which configuration will provide the HIGHEST availability?

A. Use the same customer gateway device for both connections
B. Use the same Direct Connect location for both connections
C. Use the same BGP ASN for both connections
D. Use different customer gateway devices and different Direct Connect locations
Answer: D

Physical diversity across devices and locations.

Why this answer

Option D is correct because using two different devices and different locations provides physical diversity, increasing availability. Option A is incorrect because using the same device introduces a single point of failure. Option B is incorrect because using the same location reduces diversity.

Option C is incorrect because using the same ASN can cause issues but is not the primary concern.

443
MCQ (hard)

A security engineer created the above S3 bucket policy to grant public read access to objects in the 'confidential/' prefix. However, users report that they receive 'Access Denied' errors when trying to access objects that have the tag 'classification: public'. What is the most likely cause?

A. The bucket policy does not grant access to objects owned by other AWS accounts.
B. The 's3:GetObjectVersion' action is not allowed because the bucket is not versioned.
C. The objects in the 'confidential/' prefix do not have the required tag 'classification: public'.
D. The condition should use 'StringLike' instead of 'StringEquals' for tag matching.
Answer: C

The condition requires the tag; without it, access is denied.

Why this answer

Option C is correct because the bucket policy includes a condition that requires the object to have the tag 'classification: public' (using s3:ExistingObjectTag). If the objects in the 'confidential/' prefix do not have this tag, the condition fails and access is denied, even though the prefix matches. The policy explicitly grants public read access only to objects that satisfy both the prefix and the tag condition.

Exam trap

AWS often tests the interaction between prefix-based and tag-based conditions in S3 bucket policies, leading candidates to overlook that both conditions must be satisfied simultaneously, not just one.

How to eliminate wrong answers

Option A is wrong because the policy grants public access (Principal: '*'), which does not depend on object ownership across AWS accounts; cross-account access would require additional permissions but is not relevant here. Option B is wrong because the 's3:GetObjectVersion' action is not required for accessing the current version of an object; 's3:GetObject' is sufficient, and the bucket being versioned or not does not cause an 'Access Denied' error for this action. Option D is wrong because 'StringEquals' is the correct operator for matching an exact tag value; 'StringLike' would allow wildcard patterns but is not needed for an exact match, and using 'StringLike' would not fix the issue if the tag is missing entirely.

444
MCQ (medium)

A company has a VPC with a CIDR of 10.0.0.0/16. It has two public subnets (10.0.1.0/24 and 10.0.2.0/24) and two private subnets (10.0.3.0/24 and 10.0.4.0/24). The company hosts a web application on EC2 instances in the private subnets behind an Application Load Balancer (ALB) in the public subnets. The ALB is internet-facing. The company wants to add a second ALB in the same VPC for a different application but using the same public subnets. The new ALB also needs to be internet-facing. However, when the company tries to create the new ALB, they receive an error: 'The subnet 'subnet-xxxxxxxx' does not have enough free IP addresses to satisfy the request.' The network engineer checks the subnets and finds that the public subnets have only 2 free IP addresses each. The private subnets have plenty of free IP addresses. The company wants to resolve this error without changing the architecture of the existing applications. What should the network engineer do?

A. Create new public subnets with larger CIDR blocks (e.g., /23) and associate them with the same route table.
B. Use the private subnets for the new ALB and add a NAT gateway for internet access.
C. Reduce the size of the existing public subnets by modifying their CIDR blocks.
D. Launch a NAT gateway in one public subnet to free up IP addresses.
Answer: A

New public subnets provide more IP addresses.

Why this answer

Option A is correct. The public subnets are running out of IP addresses. Adding new public subnets with larger CIDR blocks (e.g., /23) will provide more IP addresses without affecting the existing subnets.

Option B is incorrect because the private subnets cannot be used for internet-facing ALBs. Option C is incorrect because shrinking existing subnets would disrupt running resources. Option D is incorrect because launching a NAT gateway does not add IP addresses to subnets.

445
Multi-Select (medium)

A company is deploying a web application across multiple Availability Zones in a single AWS Region. The application consists of an Application Load Balancer (ALB) in front of EC2 instances in an Auto Scaling group, and an Amazon RDS Multi-AZ database. The company needs to ensure that the application can survive the loss of an entire Availability Zone. Which THREE actions should they take? (Select THREE.)

Select 3 answers
A. Use larger EC2 instance types to handle the load
B. Configure the Auto Scaling group to launch instances in at least two Availability Zones
C. Configure the Application Load Balancer to be internet-facing and enable cross-zone load balancing
D. Enable Multi-AZ deployment for the RDS database
E. Deploy a single NAT Gateway in one AZ for outbound traffic
Answers: B, C, D

Ensures instances are spread across AZs.

Why this answer

Option B is correct because configuring the Auto Scaling group to launch instances in at least two Availability Zones ensures that if one AZ fails, the remaining AZ(s) still have healthy EC2 instances to serve traffic. This is a fundamental requirement for multi-AZ high availability, as the Auto Scaling group will automatically replace failed instances in the remaining AZs.

Exam trap

AWS often tests the misconception that simply enabling cross-zone load balancing on the ALB (Option C) alone is sufficient for AZ resilience, but without the Auto Scaling group spanning multiple AZs (Option B), there would be no healthy targets in the surviving AZs to route traffic to.

446
Multi-Select (easy)

A company wants to enable communication between two VPCs (VPC A and VPC B) in the same AWS account and region. They want to use private IP addresses and avoid using the internet. Which THREE options can achieve this?

Select 3 answers
A. VPC peering connection
B. AWS Site-to-Site VPN connection between VPCs
C. Internet gateway attached to both VPCs
D. AWS Transit Gateway
E. NAT gateway in each VPC
Answers: A, B, D

Direct private connection between VPCs.

Why this answer

VPC peering connection (Option A) allows direct, private IP connectivity between two VPCs using the AWS global network, with no internet gateway or VPN required. Traffic stays within AWS's internal infrastructure, meeting the requirement for private IP addresses and avoiding the internet.

Exam trap

The trap here is that candidates confuse a NAT gateway with a VPC-to-VPC connectivity solution, but NAT gateways only handle outbound internet traffic and cannot forward traffic between VPCs.

447
MCQ (hard)

A company uses AWS Direct Connect with a private VIF to connect its data center to a VPC. The VPC has multiple subnets. The on-premises network team reports that they can ping the VPC's private IP addresses but cannot connect to an EC2 instance's port 443. The EC2 instance's security group allows HTTPS from the on-premises CIDR. What should the engineer check NEXT?

A. Check the security group's inbound rules for port 443.
B. Confirm that the Direct Connect virtual interface is in the 'up' state.
C. Check the EC2 instance's operating system firewall (e.g., iptables, Windows Firewall) to see if port 443 is blocked.
D. Verify that the route tables in the VPC have a route back to the on-premises CIDR.
Answer: C

OS firewall can block even if security group allows.

Why this answer

Option C is correct because the instance may have a host-based firewall blocking the port even though the security group allows it; this is a common issue. Option D is wrong because route tables are for routing, not port filtering, and ping already works, so routing between the two networks is in place. Option A is wrong because the security group already allows the traffic.

Option B is wrong because the virtual interface is evidently up (ping works).

448
MCQ (medium)

A company has an AWS account with multiple VPCs. The security team wants to ensure that no VPC has an internet gateway attached. Which AWS service can be used to automatically detect and remediate non-compliant VPCs?

A. Amazon GuardDuty
B. AWS CloudTrail
C. Service control policies (SCPs)
D. AWS Config with a managed rule to detect internet gateways and an automatic remediation action to detach them.
Answer: D

Config can detect and auto-remediate.

Why this answer

AWS Config rules can evaluate resource compliance and trigger automatic remediation actions, so Option D is correct. Option A is wrong because GuardDuty is for threat detection, not configuration compliance.

Option C is wrong because SCPs prevent future actions but do not detect internet gateways that already exist. Option B is wrong because CloudTrail records API calls for auditing and does not evaluate compliance.

449
Matching (medium)

Match each AWS networking service to the OSI layer it primarily operates at.

Matches

Layer 4 (Transport)

Layer 7 (Application)

Layer 3 and 4 (Network and Transport)

Layer 3 (Network)

Layer 2 (Data Link) or Layer 1 (Physical)

Why these pairings

Understanding the OSI layer helps in designing network solutions.

450
MCQ (medium)

A company has a web application behind an Application Load Balancer (ALB) in a VPC. The ALB is internet-facing and has a security group that allows inbound HTTP/HTTPS from 0.0.0.0/0. The EC2 instances are in a private subnet with a security group that allows inbound traffic only from the ALB's security group. The application works correctly. However, the security team wants to add an additional layer of protection by using AWS WAF. What is the best way to integrate AWS WAF with the ALB to filter malicious requests?

A. Create a web ACL in AWS WAF and associate it with the ALB.
B. Replace the ALB with a Network Load Balancer and use AWS WAF with it.
C. Configure the security group of the ALB to only allow traffic that passes AWS WAF inspection.
D. Use AWS WAF in front of Amazon CloudFront and then forward requests to the ALB.
Answer: A

WAF can be associated with ALB to filter HTTP/HTTPS requests.

Why this answer

Option A is correct. An AWS WAF web ACL can be associated directly with an ALB, so requests are inspected at the ALB and malicious ones are blocked before being forwarded to the targets. Option D is incorrect because routing through CloudFront is unnecessary here; WAF on CloudFront is only relevant when CloudFront is already part of the architecture.

Option C is incorrect because WAF is not applied at the security group level; security groups cannot reference WAF decisions. Option B is incorrect because WAF cannot be associated with a Network Load Balancer.
