AWS Certified Advanced Networking Specialty ANS-C01 (ANS-C01) — Questions 451–525

1705 questions total · 23 pages · All types, answers revealed

Page 7 of 23
451 (MCQ, easy)

A company is deploying an application that must use IPv6 for internet-facing traffic. The VPC is currently using IPv4 only. What is the simplest way to enable IPv6?

A. Use an egress-only internet gateway for IPv6 traffic.
B. Associate an IPv6 CIDR block with the VPC and subnets, and update route tables to route IPv6 traffic to an internet gateway.
C. Deploy a NAT64 device to translate IPv6 to IPv4.
D. Set up a VPN connection to an ISP that provides IPv6.
Answer: B

Simplest way to enable IPv6.

Why this answer

Option B is correct because you can associate an IPv6 CIDR block with the VPC and its subnets and then update the route tables. Option C is wrong because a NAT device is for IPv4 translation, not for enabling IPv6. Option A is wrong because an egress-only internet gateway is for outbound-only IPv6.

Option D is wrong because a VPN does not provide IPv6 internet access.

452 (MCQ, hard)

A company uses AWS Network Firewall to inspect traffic. They notice that some traffic is bypassing the firewall. The VPC has a route table with a default route (0.0.0.0/0) pointing to the firewall endpoint. Which configuration could cause traffic to bypass the firewall?

A. The route table has route propagation enabled
B. The subnet is not associated with the route table
C. The firewall endpoint is in a different Availability Zone
D. The route table has a more specific route for the destination traffic
Answer: D

More specific routes override the default route to the firewall.

Why this answer

Option D is correct: if the route table has a more specific route for the destination, it overrides the 0.0.0.0/0 route to the firewall endpoint and that traffic bypasses the firewall. Option A is wrong because route propagation does not by itself cause bypass. Option B is wrong because subnet association does not cause bypass.

Option C is wrong because the firewall endpoint being in a different Availability Zone (or subnet) does not cause bypass.
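The route-selection rule behind this question can be checked offline. The following is an added example, not code from the question bank or from AWS: it models a subnet route table as a dictionary and applies longest-prefix matching the way VPC routing does, then lists every route that steers traffic away from the firewall endpoint. All route entries and resource IDs are constructed sample values.

```python
"""Longest-prefix-match route selection for a VPC subnet route table.

Added example (not from the question bank): models how a VPC route table
chooses a target, so the Q452 scenario can be reproduced offline. All route
entries and target IDs below are constructed sample values.
"""
import ipaddress

# Constructed sample route table: default route to a Network Firewall
# endpoint, plus a more specific route someone added for one destination.
SAMPLE_ROUTE_TABLE = {
    "10.0.0.0/16": "local",                      # VPC CIDR, always present
    "0.0.0.0/0": "vpce-0123456789abcdef0",       # firewall endpoint (sample ID)
    "203.0.113.0/24": "igw-0abc0abc0abc0abc0",   # more specific route (sample ID)
}


def select_route(route_table, destination_ip):
    """Return (prefix, target) for destination_ip using longest-prefix match.

    VPC routing picks the most specific matching prefix; ties cannot occur
    because a route table holds one entry per destination CIDR.
    """
    dst = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if dst.version != net.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, target)
    if best is None:
        return None
    return (str(best[0]), best[1])


def routes_bypassing(route_table, inspection_target):
    """List routes that steer traffic away from inspection_target.

    Any route more specific than 0.0.0.0/0 whose target is neither the
    firewall endpoint nor 'local' lets matching traffic skip inspection.
    """
    bypasses = []
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if target in (inspection_target, "local"):
            continue
        if net.prefixlen > 0:
            bypasses.append((cidr, target))
    return sorted(bypasses)


if __name__ == "__main__":
    fw = "vpce-0123456789abcdef0"
    print(select_route(SAMPLE_ROUTE_TABLE, "198.51.100.7"))   # default -> firewall
    print(select_route(SAMPLE_ROUTE_TABLE, "203.0.113.5"))    # /24 wins -> igw, bypass
    print(routes_bypassing(SAMPLE_ROUTE_TABLE, fw))
```

Running `routes_bypassing` against a real table (for instance the output of `aws ec2 describe-route-tables`, reshaped into the same dictionary) gives the audit the question hints at: the default route to the firewall is only as good as the absence of more specific routes pointing elsewhere.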

453 (MCQ, hard)

A company is deploying a hybrid network using AWS Direct Connect and a VPN backup. The Direct Connect connection is established, and BGP is running over the private VIF. The company wants to use the VPN as a backup only when Direct Connect fails. The network engineer configures BGP communities on the Direct Connect VIF to influence route preference. However, during a Direct Connect failure, failover to VPN takes several minutes. What can the engineer do to reduce failover time?

A. Configure AS path prepending on the VPN BGP session to deprioritize it
B. Use static routes instead of BGP for the Direct Connect VIF
C. Enable Bidirectional Forwarding Detection (BFD) on the Direct Connect VIF
D. Decrease the BGP keepalive and hold timers on both the Direct Connect and VPN BGP sessions
Answer: C

BFD provides fast failure detection.

Why this answer

Option C is correct because BFD can detect failures in sub-second time, reducing failover time. Option D is wrong because BGP timers can be adjusted but are typically already low; BFD is faster. Option B is wrong because static routes are less flexible and increase administrative overhead.

Option A is wrong because AS path prepending is for route preference, not failover speed.

454 (MCQ, hard)

A company has a Direct Connect connection with a private VIF to a VPC. They want to use the same connection to access another VPC in a different region. What is the simplest way to achieve this?

A. Use a Direct Connect Gateway
B. Create a new private VIF for the second VPC
C. Use a VPN over the internet to connect the VPCs
D. Set up VPC peering between the two VPCs
Answer: A

Direct Connect Gateway enables multi-VPC connectivity across regions over the same private VIF.

Why this answer

Direct Connect Gateway allows a single private VIF to connect to multiple VPCs in different regions.

455 (MCQ, medium)

A company uses AWS Direct Connect to connect its on-premises data center to a VPC. The network team notices that traffic from on-premises to the VPC is intermittently dropping. You check the Direct Connect virtual interface status and find it is 'down'. Which AWS service should you use to troubleshoot the physical layer connectivity?

A. Amazon CloudWatch
B. VPC Flow Logs
C. AWS Support
D. AWS Direct Connect console
Answer: D

The console provides LOA-CFA status and physical link information.

Why this answer

The correct answer is D because the AWS Direct Connect troubleshooting guide recommends checking the cross-connect and using the AWS Direct Connect console to view the LOA-CFA status. Option C is wrong because AWS Support is not a service but a support plan. Option A is wrong because CloudWatch metrics show logical metrics, not the physical layer.

Option B is wrong because VPC Flow Logs capture IP traffic logs, not physical connectivity.

456 (MCQ, easy)

A network engineer needs to monitor network traffic to an Amazon RDS instance for security analysis. Which AWS service should be used to capture and analyze network traffic?

A. Amazon Inspector
B. VPC Flow Logs
C. VPC Traffic Mirroring
D. AWS CloudTrail
Answer: C

Traffic Mirroring captures and inspects network traffic for analysis.

Why this answer

Option C is correct because VPC Traffic Mirroring allows capturing and inspecting network traffic from an RDS instance. Option D is wrong because AWS CloudTrail records API activity, not network traffic. Option A is wrong because Amazon Inspector is for vulnerability assessment.

Option B is wrong because VPC Flow Logs provide metadata about traffic, not full packet capture.

457 (MCQ, hard)

A network engineer is designing a hybrid network with Direct Connect and VPN backup. The company has multiple VPCs connected via Transit Gateway. They want to use BGP to exchange routes. Which BGP feature should be configured to fail over from Direct Connect to VPN if the Direct Connect link goes down?

A. BGP communities
B. Multi-Exit Discriminator (MED)
C. Bidirectional Forwarding Detection (BFD)
D. AS_PATH prepending
Answer: A

AWS uses BGP community tags to set local preference and control route priority.

Why this answer

Option A is correct because BGP communities allow controlling route preference; AWS uses community tags to influence route priority. Option C is wrong because BFD detects failures faster but does not control preference. Option D is wrong because AS_PATH prepending is used to influence inbound routes, not outbound.

Option B is wrong because MED is used to influence inbound routes.

458 (MCQ, hard)

A company has a Direct Connect connection with a private VIF attached to a Direct Connect Gateway. The Direct Connect Gateway is associated with a Transit Gateway. The on-premises network advertises a prefix via BGP, but the prefix does not appear in the Transit Gateway route table. What is the most likely cause?

A. Route propagation is not enabled on the Transit Gateway route table.
B. The on-premises router is not sending the BGP community attribute.
C. The Transit Gateway is not associated with the Direct Connect Gateway.
D. The prefix is not included in the allowed prefixes list for the Direct Connect Gateway.
Answer: D

The allowed prefixes list controls which BGP prefixes are accepted.

Why this answer

Option D is correct because the allowed prefixes list on the Direct Connect Gateway filters which prefixes are accepted. Option A is incorrect because route propagation is for VPCs, not Direct Connect. Option C is incorrect because Transit Gateway associations are for attachments, not prefix filtering.

Option B is incorrect because BGP communities are used for tagging, not for prefix acceptance.

459 (MCQ, medium)

A company is using AWS CloudFormation to deploy a VPC with two public subnets and two private subnets across two Availability Zones. The template includes an internet gateway and a NAT gateway in each public subnet. The company needs to ensure that instances in the private subnets can access the internet. Which route table configuration should be used?

A. Add a route to the internet gateway in the private subnet route tables.
B. Add a route to the NAT gateway in the public subnet route tables.
C. Add a route 0.0.0.0/0 pointing to the NAT gateway in the same AZ in each private subnet route table.
D. Add a route 0.0.0.0/0 pointing to a single NAT gateway in both private subnet route tables.
Answer: C

Provides high availability and AZ independence.

Why this answer

Option C is correct because private subnets need a default route (0.0.0.0/0) pointing to a NAT gateway in the same AZ for high availability. Options A and B are wrong because neither gives the private subnets a default route to a NAT gateway: A points the private subnets at the internet gateway, which does not work for private subnets, and B puts the NAT gateway route in the public subnet route tables. Option D is wrong because it points both private subnets at a single NAT gateway, which is not AZ-specific.

460 (Drag & Drop, medium)

Order the steps to set up a Network Load Balancer with a TCP listener in front of an Auto Scaling group:


Why this order

First create the target group, then the load balancer, register targets, associate the target group with the listener, and configure health checks.

461 (Multi-Select, easy)

Which TWO services can be used to centrally manage and monitor VPN connections across multiple AWS accounts? (Choose 2.)

Select 2 answers
A. AWS Network Manager
B. AWS Transit Gateway
C. AWS CloudFormation
D. AWS Organizations
E. AWS Direct Connect Gateway
Answers: A, B

Monitors global network across accounts.

Why this answer

AWS Network Manager centrally manages and monitors VPN connections across multiple AWS accounts by providing a global view of your network topology, including on-premises and AWS resources. It integrates with Transit Gateway to monitor VPN tunnel status and performance metrics, enabling cross-account visibility via resource shares.

Exam trap

AWS often tests the misconception that AWS Organizations itself provides network monitoring, but it only handles account governance, not VPN management or monitoring.

462 (MCQ, medium)

A company uses a centralized inspection VPC for traffic inspection. All VPCs route traffic to the inspection VPC via Transit Gateway. The security team wants to ensure that all traffic between VPCs is inspected by a network virtual appliance in the inspection VPC. Which Transit Gateway feature should be configured?

A. Transit Gateway flow logs
B. Transit Gateway multicast
C. Transit Gateway route tables
D. Transit Gateway peering
Answer: A

Flow logs can be analyzed to verify that traffic passes through the inspection VPC.

Why this answer

Option A is correct because Transit Gateway flow logs can be used to verify that traffic is flowing as expected. Option D is wrong because Transit Gateway peering is for connecting TGWs, not for inspection. Option C is wrong because Transit Gateway route tables are used for routing decisions, not for ensuring inspection.

Option B is wrong because Transit Gateway multicast is for multicast traffic.

463 (MCQ, medium)

A company is designing a multi-VPC architecture with VPC peering. They need to ensure that traffic between VPCs in different AWS Regions is encrypted. Which solution should they use?

A. Direct Connect gateway with VIFs
B. Transit Gateway VPN attachments
C. VPC peering with VPN encryption
D. Transit Gateway inter-Region peering
Answer: D

Transit Gateway inter-Region peering encrypts traffic automatically.

Why this answer

Transit Gateway inter-Region peering is the correct solution because it provides encrypted traffic between VPCs in different AWS Regions natively, using the AWS global network infrastructure with automatic encryption at the transport layer. This feature supports transitive routing and does not require additional VPN tunnels or third-party appliances, making it the most efficient and scalable option for multi-region VPC connectivity.

Exam trap

AWS often tests the misconception that VPC peering alone provides encryption, or that VPN attachments are required for inter-Region encryption, when in fact Transit Gateway inter-Region peering natively encrypts traffic without additional VPN layers.

How to eliminate wrong answers

Option A is wrong because Direct Connect gateway with VIFs provides private connectivity to AWS but does not inherently encrypt traffic between VPCs in different Regions; it requires additional VPN or MACsec for encryption. Option B is wrong because Transit Gateway VPN attachments are designed for site-to-site VPN connections between on-premises networks and AWS, not for inter-Region VPC peering, and they would introduce unnecessary complexity and latency. Option C is wrong because VPC peering with VPN encryption is not a native AWS feature; VPC peering itself does not support encryption, and adding a VPN overlay would require manual configuration of VPN appliances, which is not a recommended or scalable solution for inter-Region traffic.

464 (MCQ, medium)

A company is designing a hybrid network with an AWS Direct Connect connection. They have two virtual interfaces (VIFs): a private VIF to a VPC and a public VIF to access AWS public services. They want to ensure that traffic to Amazon S3 in the same region uses the Direct Connect connection and not the internet. Which configuration should be applied?

A. Advertise the S3 prefix via BGP on the public VIF and ensure the VPC route table has a more specific route for S3 pointing to the virtual private gateway.
B. Add a route in the VPC route table for the S3 prefix with the internet gateway as target.
C. Create a VPC endpoint for S3 and attach it to the VPC route table.
D. Create a VPN connection to the VPC and route S3 traffic through the VPN.
Answer: A

This directs S3 traffic over Direct Connect.

Why this answer

To force traffic to Amazon S3 in the same region over the Direct Connect public VIF, you must advertise the S3 prefix (e.g., 52.216.0.0/15) via BGP on the public VIF. This makes the Direct Connect path the most specific route for S3 in the VPC route table when combined with a more specific route pointing to the virtual private gateway, overriding the default internet route.

Exam trap

AWS often tests the misconception that a VPC endpoint for S3 is the correct way to route S3 traffic over Direct Connect, but a VPC endpoint does not use the Direct Connect public VIF; it uses private connectivity within AWS, so it cannot force traffic over the Direct Connect connection when a public VIF is already in place.

How to eliminate wrong answers

Option B is wrong because adding a route for the S3 prefix with the internet gateway as target would send S3 traffic over the internet, not over Direct Connect, defeating the purpose of using the dedicated connection. Option C is wrong because a VPC endpoint for S3 uses AWS private networking within the region and does not route traffic through Direct Connect; it bypasses the internet but also bypasses the Direct Connect public VIF. Option D is wrong because a VPN connection would route S3 traffic over the internet (or over Direct Connect if the VPN runs over Direct Connect, but the question specifies that a public VIF is already available); a VPN adds unnecessary complexity and latency without leveraging the public VIF's BGP advertisement for S3 prefixes.

465 (MCQ, hard)

A company runs a multi-tier web application in a VPC with public and private subnets across two Availability Zones. The web tier uses an Application Load Balancer (ALB) in the public subnets, and the application tier uses EC2 instances in private subnets. The database tier uses an RDS MySQL Multi-AZ instance in private subnets. The company has implemented a network ACL (NACL) on the private subnets to allow only traffic from the ALB security group. Recently, the application tier instances are unable to connect to the RDS database. The security group for RDS allows inbound traffic on port 3306 from the application tier security group. The network team has verified that the application tier instances can reach the internet through a NAT Gateway. What is the MOST likely cause of the connectivity issue?

A. The NACL on the private subnets is blocking outbound traffic from the application tier to the RDS database.
B. The application tier instances are in a different Availability Zone than the RDS primary instance.
C. The NAT Gateway is blocking traffic to the RDS endpoint.
D. The RDS security group is not allowing inbound traffic from the application tier security group.
Answer: A

Correct: NACL's stateless nature requires explicit outbound rules for ephemeral ports.

Why this answer

Network ACLs are stateless: inbound and outbound traffic are evaluated separately, each against its own rule set. Since the NACL allows only inbound traffic from the ALB security group and has no outbound rule permitting traffic from the application tier to the RDS database (port 3306), the outbound SYN packets from the application instances are dropped, preventing the TCP handshake from completing.

Exam trap

The trap here is that candidates assume NACLs are stateful like security groups, leading them to overlook the need for explicit outbound rules for traffic initiated from within the subnet.

How to eliminate wrong answers

Option B is wrong because RDS Multi-AZ automatically handles failover across Availability Zones, and the application tier instances can connect to the RDS endpoint regardless of which AZ the primary instance is in; the issue is not AZ-specific. Option C is wrong because the NAT Gateway is used for outbound internet traffic, not for traffic within the VPC to RDS (which uses private IPs); the NAT Gateway is not in the path between the application tier and RDS. Option D is wrong because the question explicitly states that the RDS security group allows inbound traffic on port 3306 from the application tier security group, so this is not the cause.
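The stateless evaluation described above is easy to get wrong by intuition, so here is an added example, not code from the question bank or from AWS, that simulates a network ACL: rules are applied in ascending number order, the first match decides, and a TCP connection is only considered open when the outbound SYN and the inbound reply on an ephemeral port are each allowed by their own rule set. The subnets, CIDRs and rule sets are constructed sample values shaped after the Q465 scenario.

```python
"""Stateless network ACL evaluation for a TCP connection.

Added example, not from the question bank: simulates how a network ACL
evaluates its numbered rules so the Q465 failure can be reproduced offline.
All CIDRs, ports and rule sets below are constructed sample values.
"""
import ipaddress

EPHEMERAL = (1024, 65535)   # client-side ports, where return traffic lands

# Rule format: (rule_number, protocol, (from_port, to_port), cidr, action).
# Protocol "-1" means all protocols; the port range is then ignored.

# Constructed ACL on the application-tier private subnets: inbound allows the
# ALB subnet to reach the app port and allows replies for NAT-ed internet
# connections; outbound allows only HTTPS, so internet access works.
BROKEN_INBOUND = [
    (100, "tcp", (8080, 8080), "10.0.1.0/24", "allow"),    # from ALB subnet (sample)
    (110, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),     # replies to outbound connections
]
BROKEN_OUTBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),        # HTTPS to the internet via NAT
]
# The fix: an explicit outbound rule towards the database subnet on 3306.
FIXED_OUTBOUND = BROKEN_OUTBOUND + [
    (110, "tcp", (3306, 3306), "10.0.20.0/24", "allow"),   # to the RDS subnet (sample)
]


def evaluate(rules, protocol, port, peer_ip):
    """Apply rules in ascending number order; the first match decides.

    Falls through to the implicit deny (the '*' rule) when nothing matches.
    """
    ip = ipaddress.ip_address(peer_ip)
    for _number, proto, (lo, hi), cidr, action in sorted(rules):
        if proto not in ("-1", protocol):
            continue
        if proto != "-1" and not lo <= port <= hi:
            continue
        if ip not in ipaddress.ip_network(cidr, strict=False):
            continue
        return action
    return "deny"


def _probe_ports(rules, lo, hi):
    """Ports inside [lo, hi] at which the ACL decision can change."""
    probes = {lo, hi}
    for _number, _proto, (a, b), _cidr, _action in rules:
        for p in (a - 1, a, b, b + 1):
            if lo <= p <= hi:
                probes.add(p)
    return sorted(probes)


def tcp_connection_allowed(inbound, outbound, server_ip, server_port):
    """Check both legs of a TCP connection initiated from inside the subnet.

    ACLs keep no connection state, so the outbound SYN to server_port and the
    inbound reply to the client's ephemeral port are judged independently.
    """
    syn_ok = evaluate(outbound, "tcp", server_port, server_ip) == "allow"
    reply_ok = all(
        evaluate(inbound, "tcp", p, server_ip) == "allow"
        for p in _probe_ports(inbound, *EPHEMERAL)
    )
    return {"outbound_syn": syn_ok, "inbound_reply": reply_ok,
            "allowed": syn_ok and reply_ok}


if __name__ == "__main__":
    # Internet over NAT works, the database connection does not: the SYN is dropped.
    print(tcp_connection_allowed(BROKEN_INBOUND, BROKEN_OUTBOUND, "198.51.100.10", 443))
    print(tcp_connection_allowed(BROKEN_INBOUND, BROKEN_OUTBOUND, "10.0.20.5", 3306))
    print(tcp_connection_allowed(BROKEN_INBOUND, FIXED_OUTBOUND, "10.0.20.5", 3306))
```

The `_probe_ports` helper avoids testing all 64,512 ephemeral ports: because the verdict can only change at a rule's port boundaries, checking the boundaries plus the ends of the range is sufficient. The same two-leg check, with the ACL of the database subnet, would confirm that the RDS side also needs an inbound 3306 rule and an outbound ephemeral-port rule.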

466 (MCQ, easy)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. They need to ensure that traffic between VPCs is inspected by a network virtual appliance. Which architecture should they use?

A. Use a Network Load Balancer in each VPC to forward traffic to the appliance.
B. Attach the appliance directly to each VPC using VPC Peering.
C. Create an inspection VPC with the appliance. Configure Transit Gateway route tables to send inter-VPC traffic to the inspection VPC attachment.
D. Place the appliance in each VPC and configure VPC Peering.
Answer: C

This allows traffic to be routed through the appliance for inspection.

Why this answer

Option C is correct because it uses an inspection VPC as a central point for traffic inspection. By attaching the network virtual appliance to a dedicated inspection VPC and configuring Transit Gateway route tables to route inter-VPC traffic to that attachment, all traffic between VPCs is forced through the appliance for inspection. This leverages Transit Gateway's ability to route traffic between attachments based on route table entries, enabling centralized security enforcement without complex peering or per-VPC appliance deployments.

Exam trap

AWS often tests the misconception that you can simply attach a virtual appliance to a Transit Gateway and have it automatically inspect all traffic, but the trap here is that you must explicitly configure Transit Gateway route tables to route inter-VPC traffic to the inspection VPC attachment, otherwise traffic will flow directly between VPC attachments without inspection.

How to eliminate wrong answers

Option A is wrong because a Network Load Balancer (NLB) distributes traffic to targets but does not inherently inspect or route traffic between VPCs; it would require additional configuration and does not solve the need for centralized inspection across multiple VPCs. Option B is wrong because attaching the appliance directly to each VPC using VPC Peering creates a mesh of peering connections that is not scalable, does not centralize inspection, and violates the hub-and-spoke model that Transit Gateway is designed to provide. Option D is wrong because placing the appliance in each VPC and configuring VPC Peering leads to redundant appliances, increased management overhead, and does not leverage Transit Gateway's centralized routing capabilities, making it inefficient and costly.

467 (Multi-Select, medium)

A network engineer is troubleshooting connectivity between two VPCs connected via a VPC peering connection. Security groups and NACLs are configured correctly. The engineer verifies that the route tables have the necessary entries. However, traffic from an EC2 instance in VPC A to an RDS instance in VPC B fails. Which TWO additional checks should be performed? (Choose two.)

Select 2 answers
A. Check that the security group attached to the RDS instance allows inbound traffic from the CIDR block of VPC A.
B. Verify that the network ACLs in both VPCs have appropriate inbound and outbound rules for the traffic.
C. Confirm that the VPCs have an Internet Gateway attached.
D. Check that the EC2 instance has an IAM role that allows it to communicate with RDS.
E. Ensure that the VPC peering connection is in the 'active' state.
Answers: A, E

Correct: Security groups must allow traffic from peer VPC.

Why this answer

Option E is correct because a VPC peering connection must be accepted; if it is in the 'pending-acceptance' or 'rejected' state, traffic will not flow. Option A is correct because security group rules must allow inbound traffic from the peer VPC's CIDR; misconfigured rules can block traffic. Option B is wrong because NACLs are stateless and, if correctly configured, should allow traffic; the issue is likely elsewhere.

Option D is wrong because IAM roles are not required for VPC peering. Option C is wrong because the issue is not about an Internet Gateway; it is about VPC peering.

468 (Multi-Select, medium)

A company is designing a VPC with multiple subnets. The company wants to use VPC Flow Logs to monitor network traffic. Which TWO of the following are valid destinations for VPC Flow Logs?

Select 2 answers
A. Amazon RDS
B. Amazon CloudWatch Logs
C. Amazon S3
D. Amazon SQS
E. Amazon Kinesis Data Firehose
Answers: B, C

Supported destination.

Why this answer

Options B and C are correct. VPC Flow Logs can be published to Amazon S3 or Amazon CloudWatch Logs. Option E is wrong because Kinesis Data Firehose is not a direct destination; it can be used via a subscription filter, but not directly.

Option D is wrong because an SQS queue is not a supported destination. Option A is wrong because an RDS database is not a destination.

469 (MCQ, easy)

A security engineer notices that a security group allows inbound SSH from 0.0.0.0/0. Which immediate action should be taken to reduce risk?

A. Modify the security group inbound rule to allow SSH only from the company's public IP range
B. Add a network ACL deny rule for SSH from 0.0.0.0/0
C. Move the instances to a different subnet with a restrictive NACL
D. Delete the security group and create a new one with the correct rules
Answer: A

Directly reduces attack surface.

Why this answer

Option A is correct because restricting SSH access to known corporate IPs reduces exposure. Option D is wrong because deleting the security group may affect running instances. Option B is wrong because a NACL is stateless and less precise.

Option C is wrong because moving instances is disruptive.
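Finding this condition across an account is a routine audit, so the following added example (not code from the question bank or from AWS) walks data in the shape returned by the EC2 DescribeSecurityGroups API and reports every rule that exposes port 22 to 0.0.0.0/0 or ::/0, including "all traffic" rules and port ranges that happen to include 22. It then produces the narrowed rule that option A describes. The groups, IDs and the corporate range are constructed sample values, not output from a real account.

```python
"""Find security group rules that expose SSH to the whole internet.

Added example (not from the question bank): walks the structure returned by
EC2 DescribeSecurityGroups and reports rules matching the Q469 finding.
The input below is a constructed sample, not output from a real account.
"""
import ipaddress

SSH_PORT = 22
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample in the shape of DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion",      # sample ID
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "admin-all-ports",
     "IpPermissions": [
         {"IpProtocol": "-1",                                          # all traffic, no ports
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}],                  # corporate range (sample)
          "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,           # range that includes 22
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]


def _covers_port(perm, port):
    """True if the permission applies to TCP traffic on the given port."""
    proto = perm["IpProtocol"]
    if proto == "-1":            # all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _open_to_world(perm):
    """Yield the source CIDRs of a permission that cover the entire internet."""
    for r in perm.get("IpRanges", []):
        if ipaddress.ip_network(r["CidrIp"]) == ANY_V4:
            yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        if ipaddress.ip_network(r["CidrIpv6"]) == ANY_V6:
            yield r["CidrIpv6"]


def find_world_open_ssh(groups):
    """Return (GroupId, GroupName, source CIDR) for every rule exposing port 22 to everyone."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not _covers_port(perm, SSH_PORT):
                continue
            for cidr in _open_to_world(perm):
                findings.append((g["GroupId"], g["GroupName"], cidr))
    return findings


def restrict_ssh_rule(perm, allowed_cidr):
    """Return the replacement rule: SSH only, only from allowed_cidr (the option A remediation)."""
    fixed = dict(perm)
    fixed.update({"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
                  "IpRanges": [{"CidrIp": allowed_cidr}], "Ipv6Ranges": []})
    return fixed


if __name__ == "__main__":
    for finding in find_world_open_ssh(SAMPLE_GROUPS):
        print("world-open SSH:", finding)
    print(restrict_ssh_rule(SAMPLE_GROUPS[0]["IpPermissions"][0], "203.0.113.0/24"))
```

The same walk works on real data by feeding in the `SecurityGroups` list from `aws ec2 describe-security-groups`; the point of checking `IpProtocol == "-1"` and port ranges, rather than only `FromPort == 22`, is that those are the rules a naive filter misses.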

470 (MCQ, medium)

A company is experiencing intermittent SSH connection failures to their EC2 instances in a VPC. The instances are in a private subnet with a NAT gateway. The security group allows inbound SSH from the corporate CIDR. The network ACL is set to default allow all. The route table has a route to the NAT gateway for 0.0.0.0/0. What is the most likely cause of the intermittent failures?

A. The network ACL inbound rule is blocking ephemeral ports.
B. The instances are behind a proxy that is not configured.
C. The security group outbound rules are not allowing return traffic.
D. The NAT gateway does not have an Elastic IP associated.
Answer: C

Security groups are stateful, but if outbound rules are restrictive, return traffic may be blocked. However, by default, security groups allow all outbound. The actual cause is likely the NAT gateway's public IP changing or a missing route.

Why this answer

Option C is correct because security groups are stateful, but if the security group does not allow inbound ICMP or the specific ephemeral ports for SSH, connections may fail intermittently due to session tracking issues. However, the more common cause in such scenarios is the NAT gateway's IP address changing if it is not associated with an Elastic IP, or the security group outbound rule not allowing return traffic. Option A is plausible but less likely as NACLs are stateless and would not cause intermittent issues.

Option D is incorrect because the NAT gateway does not use an Elastic IP if one is not configured. Option B is incorrect because a proxy is not typically needed.

471 (Multi-Select, medium)

A company is deploying a multi-tier web application on AWS. The application uses an Application Load Balancer (ALB) to distribute traffic to EC2 instances in private subnets across multiple Availability Zones. The security team requires that all traffic between the ALB and the EC2 instances be encrypted using TLS. The application must also support HTTP health checks from the ALB. Which TWO actions should the network engineer take to meet these requirements? (Choose TWO.)

Select 2 answers
A. Configure the ALB listener to use HTTP and enable stickiness.
B. Install a certificate on each EC2 instance and configure the target group to use HTTPS.
C. Configure the ALB listener to use HTTPS and set the target group protocol to HTTP.
D. Configure the target group health check to use HTTPS.
E. Configure the security group for EC2 instances to allow inbound HTTP traffic from the ALB.
Answers: B, D

Installing a certificate on instances allows TLS termination, and HTTPS target group ensures encrypted health checks.

Why this answer

Options B and D are correct. Option B: Installing a certificate on EC2 instances enables TLS termination at the instance, allowing encrypted traffic from the ALB. Option D: Configuring the target group to use HTTPS health checks ensures health checks are sent over TLS.

Option A is incorrect because ALB does not support HTTPS health checks to instances without a certificate. Option C is incorrect because the listener should use HTTPS to forward encrypted traffic. Option E is incorrect because the security group should allow HTTPS (port 443) from the ALB, not HTTP.

472 (Multi-Select, medium)

Which TWO actions can be used to improve the security of an Amazon S3 bucket that contains sensitive data? (Choose two.)

Select 2 answers
A. Enable S3 server-side encryption with AWS KMS (SSE-KMS)
B. Enable MFA Delete on the bucket
C. Enable S3 Block Public Access on the bucket
D. Enable S3 Versioning
E. Enable S3 Cross-Region Replication
Answers: A, C

Encrypts data at rest, protecting confidentiality.

Why this answer

Options A and C are correct. Enabling S3 Block Public Access prevents public exposure, and encryption at rest with SSE-KMS protects data. Option D is wrong because versioning helps with data recovery but not security.

Option E is wrong because cross-region replication is for durability, not security. Option B is wrong because, while MFA Delete adds protection against accidental deletion, it is not a primary security control for data confidentiality.

473 (Multi-Select, medium)

A company has a VPC with multiple subnets. They want to implement network segmentation such that traffic between subnets is controlled by a centralized firewall. Which three components are required? (Choose THREE.)

Select 3 answers
A. AWS Transit Gateway
B. Route tables in each subnet that route traffic to the Transit Gateway
C. Gateway Load Balancer
D. VPC peering connections
E. NAT Gateway
Answers: A, B, C

Provides transitive routing between VPCs.

Why this answer

Centralized firewall inspection requires a Transit Gateway to route traffic to the firewall VPC, a Gateway Load Balancer to distribute traffic to firewall instances, and appropriate route tables to direct traffic accordingly. VPC peering does not support transitive routing. NAT Gateway is for outbound internet access.

474 (MCQ, hard)

A company is setting up a new AWS account and wants to centrally manage VPC network traffic inspection across multiple accounts using a central VPC. The company uses AWS Organizations. Which architecture meets these requirements?

A. Create VPC peering connections between each account's VPC and the central VPC.
B. Use AWS Transit Gateway with a central inspection VPC that has firewall appliances.
C. Use VPC endpoints to route traffic to the central VPC.
D. Deploy a Network Load Balancer in each VPC and route traffic through it.
Answer: B

TGW enables hub-and-spoke architecture with inspection.

Why this answer

Option B is correct because using a Transit Gateway with a central inspection VPC allows centralized traffic inspection across accounts. Option A is wrong because VPC peering does not centralize inspection. Option D is wrong because a Network Load Balancer is not for inspection.

Option C is wrong because VPC endpoints are for specific services.

475 (MCQ, hard)

A company has a VPC with multiple subnets that are peered with another VPC using a VPC Peering connection. They want to ensure that traffic between the two VPCs is encrypted. What should they do?

A. Configure network ACLs to enforce encryption.
B. Use AWS Transit Gateway with a VPN attachment between the VPCs.
C. Use AWS Direct Connect with a public VIF.
D. Enable encryption on the VPC Peering connection using a security group.
Answer: B

Transit Gateway with VPN can provide encrypted connectivity between VPCs.

Why this answer

VPC Peering does not support encryption of traffic. To add encryption, you can deploy a VPN connection between the VPCs, or use an overlay solution. Option B (Transit Gateway with a VPN attachment) is a valid approach.

Option A (network ACLs) does not encrypt. Option C (Direct Connect with a public VIF) does not encrypt by default. Option D is wrong because a VPC Peering connection has no encryption setting to enable, and security groups only filter traffic.

476 (MCQ, hard)

A company is designing a network for a multi-account architecture using AWS Resource Access Manager (RAM) to share VPC subnets across accounts. They want to ensure that instances in shared subnets can communicate with instances in the owner's VPC using private IP addresses. What is required?

A. Establish a VPC peering connection between the owner and participant accounts.
B. Configure a VPC endpoint for Amazon EC2 to allow cross-account private communication.
C. No additional networking configuration is required; the shared subnet is part of the same VPC.
D. Create a transit gateway and attach both VPCs to it.
Answer: C

Shared subnets are within the same VPC, so routing is inherent.

Why this answer

When you share a subnet using AWS Resource Access Manager (RAM), the shared subnet is part of the owner's VPC. Instances launched into that shared subnet reside in the same VPC as the owner's instances, so they can communicate using private IP addresses by default, with no additional networking configuration required. This is because VPC subnets are a logical subdivision of the VPC's CIDR block, and all instances within the same VPC can route to each other via the VPC's internal router.

Exam trap

The trap here is that candidates mistakenly think cross-account subnet sharing requires additional connectivity like VPC peering or a transit gateway, when in fact the shared subnet is logically part of the same VPC, so no extra networking is needed for private IP communication.

How to eliminate wrong answers

Option A is wrong because VPC peering is used to connect two separate VPCs, but a shared subnet is part of the same VPC as the owner, so peering is unnecessary and would add complexity without benefit. Option B is wrong because a VPC endpoint for EC2 is used to privately access EC2 APIs (e.g., for managing instances) and does not enable instance-to-instance private IP communication; it is a gateway for API calls, not for data-plane traffic between instances. Option D is wrong because a transit gateway is designed to interconnect multiple VPCs or on-premises networks, but since the shared subnet is already within the same VPC, there is no need for a transit gateway; it would introduce unnecessary cost and administrative overhead.

477
MCQhard

A company runs a critical application on EC2 instances in a VPC. The application needs to send data to an S3 bucket and an SQS queue, both in the same AWS account. The security team requires that all traffic to these AWS services must stay within the AWS network and not traverse the internet. The VPC has private subnets with no NAT gateway or Internet Gateway. The EC2 instances have an IAM role that grants necessary permissions. The S3 bucket and SQS queue are configured with bucket policies and queue policies that deny all access except from the VPC. However, the application is failing to send data to both S3 and SQS. What should the network engineer do to resolve this issue?

A.Deploy an Amazon CloudFront distribution in front of S3 and use its public endpoint
B.Create a NAT gateway in a public subnet and update the route tables to send traffic to it
C.Set up an AWS Direct Connect connection and route traffic through it
D.Create a gateway endpoint for S3 and an interface endpoint for SQS in the VPC, and update the route tables for S3 and the security groups for SQS
AnswerD

Gateway endpoint for S3 uses prefix lists in route tables; interface endpoint for SQS uses ENIs and security groups. Update policies to allow traffic from the VPC endpoints.

Why this answer

Option D is correct because a gateway endpoint for S3 and an interface endpoint for SQS give the instances a private path to both services with no internet hop. The gateway endpoint is added to the private subnets' route tables as a prefix-list route; the interface endpoint places an ENI in the subnet, and its security group must allow inbound HTTPS (443) from the instances, with private DNS enabled so the regional SQS hostname resolves to the endpoint. The bucket and queue policies then have to permit requests that arrive through those endpoints (conditions such as aws:SourceVpc or aws:SourceVpce). Requests that exit through a NAT gateway carry neither condition key, so the policies would still deny them. Option B is wrong because a NAT gateway sends the traffic over the internet, violating the requirement, and would not satisfy the VPC-only policies anyway.

Option C is wrong because Direct Connect links on-premises networks to AWS; it does not create a path from inside the VPC to S3 and SQS and does not address the immediate problem. Option A is wrong because CloudFront is a content delivery service with public endpoints and offers no private access to S3 and nothing at all for SQS.
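
The following is an added example, not part of the exam page: a reduced model in Python of the "deny everything except from our VPC" resource policies the question describes, run against request contexts for the endpoint path and the NAT gateway path. It models only the Deny-unless-from-VPC pattern (real IAM evaluation also considers identity policies, endpoint policies and other condition keys), and every VPC ID, endpoint ID and ARN in it is made up.

```python
"""Added example, not from the exam page: why the S3/SQS policies in the
question fail over a NAT gateway and succeed over VPC endpoints.

Requests that reach S3 or SQS through a VPC endpoint carry the aws:SourceVpc
and aws:SourceVpce condition keys; requests that reach them over the internet
(NAT gateway or internet gateway) carry neither, so a Deny statement using
StringNotEquals on those keys fires and the request is refused.  Only that
pattern is modelled here.  All IDs and ARNs are hypothetical.
"""
from fnmatch import fnmatchcase

VPC_ID = "vpc-0123456789abcdef0"            # hypothetical
S3_VPCE_ID = "vpce-0a1b2c3d4e5f60718"       # hypothetical S3 gateway endpoint
SQS_VPCE_ID = "vpce-0f1e2d3c4b5a69870"      # hypothetical SQS interface endpoint
BUCKET_ARN = "arn:aws:s3:::example-app-bucket"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:example-app-queue"


def deny_unless(condition_key, expected, resources):
    """Resource policy with a single Deny that fires unless condition_key == expected."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromVpc", "Effect": "Deny", "Principal": "*",
        "Action": "*", "Resource": list(resources),
        "Condition": {"StringNotEquals": {condition_key: expected}},
    }]}


def _condition_holds(condition, ctx):
    """IAM semantics for the two operators used here, including the missing-key cases."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = set(expected) if isinstance(expected, list) else {expected}
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in allowed:                      # missing key -> False
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in allowed:   # missing key -> True
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def _any_match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, ctx, identity_allows=True):
    """An applicable explicit Deny wins; otherwise the EC2 role's Allow (identity_allows) decides."""
    for stmt in policy["Statement"]:
        if not _any_match(stmt["Action"], action) or not _any_match(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
    return identity_allows


# Request contexts as the services would see them (constructed for this example).
CTX_VIA_S3_ENDPOINT = {"aws:SourceVpc": VPC_ID, "aws:SourceVpce": S3_VPCE_ID}
CTX_VIA_SQS_ENDPOINT = {"aws:SourceVpc": VPC_ID, "aws:SourceVpce": SQS_VPCE_ID}
CTX_VIA_NAT = {"aws:SourceIp": "203.0.113.10"}   # public path: no VPC keys at all

# Bucket policy keyed on the VPC (any endpoint in it qualifies); queue policy pinned to one endpoint.
S3_POLICY = deny_unless("aws:SourceVpc", VPC_ID, [BUCKET_ARN, BUCKET_ARN + "/*"])
SQS_POLICY = deny_unless("aws:SourceVpce", SQS_VPCE_ID, [QUEUE_ARN])


def check_paths():
    """Return {path: allowed?} for both services over the endpoint and NAT paths."""
    obj = BUCKET_ARN + "/data/part-0001.json"
    return {
        "s3_via_endpoint": is_allowed(S3_POLICY, "s3:PutObject", obj, CTX_VIA_S3_ENDPOINT),
        "s3_via_nat": is_allowed(S3_POLICY, "s3:PutObject", obj, CTX_VIA_NAT),
        "sqs_via_endpoint": is_allowed(SQS_POLICY, "sqs:SendMessage", QUEUE_ARN, CTX_VIA_SQS_ENDPOINT),
        "sqs_via_nat": is_allowed(SQS_POLICY, "sqs:SendMessage", QUEUE_ARN, CTX_VIA_NAT),
        # a policy pinned to one endpoint ID also rejects traffic from a different endpoint
        "sqs_via_wrong_endpoint": is_allowed(SQS_POLICY, "sqs:SendMessage", QUEUE_ARN, CTX_VIA_S3_ENDPOINT),
    }


if __name__ == "__main__":
    for path, ok in check_paths().items():
        print(f"{path:24s} {'ALLOW' if ok else 'DENY'}")
```

The last case is the practical difference between the two condition keys: a policy written with aws:SourceVpc accepts a newly created endpoint in that VPC automatically, while one written with aws:SourceVpce must be updated with the new endpoint ID, which is the "update the policies" step in the answer.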

478
MCQhard

A company runs a critical application on EC2 instances behind an Application Load Balancer. They need to ensure that if an instance fails health checks, it is automatically terminated and replaced. Which AWS service should they use?

A.AWS Lambda
B.EC2 Instance Connect
C.Auto Scaling group
D.Amazon CloudWatch
AnswerC

Auto Scaling groups can use ELB health checks to automatically replace unhealthy instances.

Why this answer

The correct answer is C because an Auto Scaling group whose health check type is set to ELB treats any instance that fails the load balancer's health checks as unhealthy, terminates it and launches a replacement. Option A (Lambda) could implement custom replacement logic, but it is not the standard mechanism. Option B (EC2 Instance Connect) is an SSH access feature and has nothing to do with instance health.

Option D (CloudWatch) can alarm on unhealthy host counts but does not itself terminate or replace instances.

479
Multi-Selecthard

A company has a VPC with public and private subnets. The public subnet contains a NAT gateway and a bastion host. The private subnet contains application servers. The company wants to ensure that the application servers can download patches from the internet. Which TWO steps should be taken to allow this while maintaining security? (Choose two.)

Select 2 answers
A.Allow outbound HTTPS (port 443) traffic from the application servers in the security group
B.Modify the network ACL of the private subnet to allow all outbound traffic
C.Add a route in the public subnet route table that points 0.0.0.0/0 to the NAT gateway
D.Add a route in the private subnet route table that points 0.0.0.0/0 to the NAT gateway
E.Associate an Elastic IP address with the NAT gateway
AnswersA, D

The servers' security group must allow the outbound traffic, and the private subnet's route table must send internet-bound traffic to the NAT gateway.

Why this answer

Option A is correct because the application servers must initiate outbound HTTPS (port 443) connections to download patches. Allowing only that outbound traffic in the servers' security group permits the update path while restricting everything else, which follows least privilege; security groups are stateful, so the responses are allowed automatically. Option D is correct because the private subnet's route table must send internet-bound traffic (0.0.0.0/0) to the NAT gateway in the public subnet; without that route the packets have no path out.

Option B is wrong because opening all outbound traffic in the network ACL is unnecessarily permissive (the default NACL already allows it; if a custom NACL is used, allow only outbound 443 plus the inbound ephemeral ports for the replies). Option C is wrong because the public subnet's default route must point to the internet gateway, not the NAT gateway, or the NAT gateway itself loses its path to the internet. Option E is wrong because a public NAT gateway is assigned an Elastic IP when it is created, so one already exists.

Exam trap

AWS often tests the distinction between where routes are added (public vs. private subnet route tables) and the role of security groups versus network ACLs, leading candidates to incorrectly modify the public subnet's route table or use overly permissive network ACL rules.

480
MCQmedium

A company has deployed an application across multiple AWS Regions using Application Load Balancers (ALBs). The company wants to route traffic to the nearest healthy endpoint using latency-based routing. Which AWS service should be used to distribute traffic across the ALBs?

A.Amazon CloudFront with multiple origins.
B.AWS Network Load Balancer with cross-zone load balancing.
C.Amazon Route 53 with latency routing policy.
D.AWS Global Accelerator.
AnswerC

Route 53 latency routing routes traffic based on the lowest latency between the client and the endpoint.

Why this answer

Option C is correct because a Route 53 latency routing policy answers with the record for the Region that has the lowest measured latency to the resolver, and combining it with health checks skips ALBs that are unhealthy. Option D is wrong for this question because Global Accelerator steers traffic with anycast IP addresses over the AWS backbone rather than with a DNS routing policy; it is a valid alternative for reaching the nearest healthy endpoint, but it is not latency-based DNS routing. Option A is wrong because CloudFront is a CDN and is not designed to route to regional ALBs based on latency.

Option B is wrong because a Network Load Balancer is a regional service and does not route across Regions.

481
MCQhard

A company is troubleshooting high latency on an AWS Direct Connect connection. The network team notices that the latency increases during peak hours. The connection uses a single virtual interface (VIF) with a 1 Gbps capacity. What is the MOST likely cause of the latency?

A.The VLAN ID is mismatched between the customer router and AWS
B.The bandwidth limit of the virtual interface is being exceeded
C.Jumbo frames are not enabled on the customer router
D.BGP keepalive timers are set too high
AnswerB

Congestion causes packet drops and increased latency.

Why this answer

Option B is correct because a 1 Gbps virtual interface that is saturated during peak hours queues and then drops packets, causing TCP retransmissions and rising latency; confirm it against the Direct Connect CloudWatch metrics ConnectionBpsEgress/ConnectionBpsIngress and the per-VIF VirtualInterfaceBpsEgress/VirtualInterfaceBpsIngress. Option C is wrong because jumbo frames reduce per-packet overhead and would not produce latency that tracks the time of day. Option D is wrong because BGP timers affect failover convergence, not steady-state latency.

Option A is wrong because a VLAN mismatch would cause complete connectivity loss, not latency that varies with load.

482
MCQeasy

A company is using AWS Client VPN to allow remote employees to access resources in a VPC. The VPN is configured with a server certificate and mutual authentication. Some users report that they cannot connect to the VPN. What should the administrator check FIRST?

A.Check the security group associated with the VPN endpoint.
B.Verify that the server certificate is uploaded to AWS Certificate Manager (ACM).
C.Confirm that the VPN endpoint is associated with all subnets in the VPC.
D.Verify that each user has a valid client certificate installed on their device.
AnswerD

Correct: Mutual authentication requires client certificates.

Why this answer

The question states that mutual authentication is configured, which requires both a server certificate and a valid client certificate on each user's device. Since some users cannot connect while others presumably can, the most likely issue is that the affected users lack a valid client certificate. The administrator should first verify that each user has a valid client certificate installed, as this is a common point of failure in mutual TLS authentication.

Exam trap

AWS often tests the distinction between server-side and client-side authentication requirements in mutual TLS; the trap here is that candidates assume the issue is with the server certificate or network configuration, overlooking that each user must have a valid client certificate for mutual authentication to succeed.

How to eliminate wrong answers

Option A is wrong because security groups are stateful and, by default, allow all outbound traffic; the VPN endpoint's security group controls inbound/outbound traffic but is not the first thing to check when users cannot connect, especially since the issue is likely client-side. Option B is wrong because the server certificate must be uploaded to ACM for the VPN endpoint to function, but if the VPN is already configured and working for some users, the server certificate is already in place; this would be a global issue, not a per-user issue. Option C is wrong because the VPN endpoint does not need to be associated with all subnets in the VPC; it only needs to be associated with at least one subnet to function, and associating it with all subnets is not required and would not cause per-user connectivity failures.

483
Drag & Dropmedium

Order the steps to migrate a VPC from using an Internet Gateway to a NAT gateway for outbound-only internet access:


Why this order

First create the NAT gateway in a public subnet (that subnet keeps its route to the internet gateway, which the NAT gateway itself needs), then change the private subnets' default route from the internet gateway to the NAT gateway, remove any remaining internet gateway route from the private route tables, tighten security groups and NACLs to outbound-only needs, and test that instances can still reach the internet while inbound connections from the internet fail.

484
Multi-Selectmedium

A company has a VPC with public and private subnets. The private subnets have a route to a NAT gateway. The network team wants to monitor DNS queries from EC2 instances in private subnets to a custom DNS resolver on-premises over a VPN. Which TWO services can capture this traffic?

Select 2 answers
A.Amazon Route 53 Resolver query logs
B.Amazon CloudWatch
C.VPC Flow Logs
D.AWS Network Firewall
E.AWS CloudTrail
AnswersC, D

Flow logs capture all IP traffic, including DNS queries.

Why this answer

Option C is correct because VPC Flow Logs record every IP flow on the instances' ENIs, including UDP/TCP port 53 flows to the on-premises resolver. They show addresses, ports, byte counts and ACCEPT/REJECT, not the query names; note also that queries sent to the VPC's own Route 53 Resolver address are not logged at all, so only traffic to a custom resolver appears. Option D is correct because AWS Network Firewall, if placed in the path toward the VPN, can match and log DNS traffic with its stateful rules. Option A is wrong because Route 53 Resolver query logging records queries handled by the Resolver (the VPC+2 address and Resolver endpoints), not queries sent directly to a custom resolver.

Option E is wrong because CloudTrail logs API calls. Option B is wrong because CloudWatch stores metrics and logs but captures no network traffic by itself.
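
The following is an added example, not part of the exam page: a Python parser for default-format VPC Flow Log records that pulls out the DNS flows to a custom resolver, separates accepted from rejected ones, and flags resolvers that are not on an approved list. The log lines are constructed for the example and every address and ENI ID in them is made up.

```python
"""Added example, not from the exam page: finding DNS traffic to a custom
(on-premises) resolver in VPC Flow Logs.

Flow logs record the 5-tuple and the action, not the query name; for names you
need the resolver's own logs or a Network Firewall alert log in the path.
Queries answered by the VPC's own Route 53 Resolver (VPC CIDR base + 2) never
appear in flow logs, so only traffic to other resolvers shows up here.
The records below are constructed in the default version-2 format.
"""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
UDP, TCP = "17", "6"

# Constructed sample: query + reply to the on-prem resolver, a TCP query, a REJECTed
# query from a second instance, a query to an unexpected resolver, an HTTPS flow, NODATA.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 192.168.100.53 51234 53 17 1 73 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 192.168.100.53 10.0.1.25 53 51234 17 1 145 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 192.168.100.53 51240 53 6 5 620 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f607189 10.0.2.40 192.168.100.53 49876 53 17 3 219 1700000000 1700000059 REJECT OK
2 123456789012 eni-0b2c3d4e5f607189 10.0.2.40 198.51.100.7 49877 53 17 2 140 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f607189 10.0.2.40 10.0.5.8 49900 443 6 12 4800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0b2c3d4e5f607189 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; skip NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(rec)
    return records


def dns_queries(records, approved_resolvers):
    """Outbound DNS (destination port 53 over UDP or TCP), summed in packets per
    (source, resolver, protocol, action).  Resolvers outside approved_resolvers are
    returned separately so unexpected DNS egress stands out."""
    summary = Counter()
    unexpected = set()
    for r in records:
        if r["dstport"] != "53" or r["protocol"] not in (UDP, TCP):
            continue   # replies (source port 53) and non-DNS flows are skipped
        proto = "udp" if r["protocol"] == UDP else "tcp"
        summary[(r["srcaddr"], r["dstaddr"], proto, r["action"])] += int(r["packets"])
        if r["dstaddr"] not in approved_resolvers:
            unexpected.add(r["dstaddr"])
    return summary, unexpected


def rejected_dns(summary):
    """(source, resolver) pairs whose queries were REJECTed: check NACLs and security
    groups on the VPN path, since flow logs do not say which one dropped them."""
    return sorted({(src, dst) for (src, dst, _proto, action) in summary if action == "REJECT"})


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    summary, unexpected = dns_queries(recs, approved_resolvers={"192.168.100.53"})
    for key, packets in sorted(summary.items()):
        print(key, packets)
    print("unexpected resolvers:", unexpected)
    print("rejected:", rejected_dns(summary))
```

Treat an unexpected resolver address the same way you would any other unexplained egress: DNS to an arbitrary host is a common exfiltration and command-and-control channel, and flow logs are usually the first place it becomes visible.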

485
Multi-Selecteasy

Which TWO statements about AWS WAF are accurate? (Choose 2)

Select 2 answers
A.AWS WAF provides protection against network-layer DDoS attacks
B.AWS WAF can inspect traffic at the VPC level using VPC Flow Logs
C.AWS WAF automatically mitigates DDoS attacks without manual intervention
D.AWS WAF can block or allow web requests based on conditions such as IP addresses, HTTP headers, and URI strings
E.AWS WAF can be deployed on Application Load Balancers, Amazon CloudFront distributions, and Amazon API Gateway APIs
AnswersD, E

Core functionality.

Why this answer

Options D and E are correct: AWS WAF evaluates web requests against rules that match on source IP addresses, HTTP headers, URI strings, request bodies and more, and it attaches to CloudFront distributions, Application Load Balancers and API Gateway APIs (among other resource types). Option A is wrong because network-layer (layer 3/4) DDoS protection is the job of AWS Shield; WAF works at layer 7. Option B is wrong because WAF neither reads VPC Flow Logs nor inspects VPC traffic.

Option C is wrong because automatic DDoS mitigation comes from AWS Shield (Shield Standard for common network-layer attacks, Shield Advanced for managed response); WAF rate-based rules can limit layer-7 floods, but they are rules you configure, not automatic mitigation.

486
MCQeasy

A company has a VPC with an application load balancer (ALB) in public subnets and EC2 instances in private subnets. The EC2 instances must only accept traffic from the ALB. Which security group configuration achieves this?

A.Allow inbound traffic from 0.0.0.0/0 on the application port.
B.Allow inbound traffic from the VPC CIDR on the application port.
C.Allow inbound traffic from the private subnet CIDR on the application port.
D.Allow inbound traffic from the ALB's security group on the application port.
AnswerD

This ensures only traffic from the ALB is accepted.

Why this answer

Option D is correct because a security group rule whose source is the ALB's security group admits traffic only from the ALB's own network interfaces, regardless of what IP addresses the ALB nodes currently use. Option A is wrong because allowing 0.0.0.0/0 admits all traffic. Option B is wrong because allowing the VPC CIDR admits every instance in the VPC, not just the ALB.

Option C is wrong because allowing the private subnet CIDR admits every instance in those subnets, and the ALB nodes are in the public subnets anyway.

487
MCQmedium

A company is implementing a multi-region active-active application. They want to route users to the nearest healthy endpoint using DNS. Which AWS service should be used?

A.Elastic Load Balancer (ELB)
B.Amazon CloudFront
C.Amazon Route 53 latency-based routing
D.AWS Global Accelerator
AnswerC

Routes based on lowest latency.

Why this answer

Option C is correct because Route 53 latency-based routing, with health checks attached to each record, resolves the name to the healthy Region with the lowest latency for the requesting resolver. Option D is wrong for this question because Global Accelerator uses anycast IP addresses and the AWS backbone rather than a DNS routing policy. Option B is wrong because CloudFront is for content delivery, not application routing.

Option A is wrong because an ELB is regional and does not perform latency-based DNS routing.

488
Multi-Selecthard

Which THREE components are required to establish a site-to-site VPN connection between an on-premises network and AWS? (Choose THREE.)

Select 3 answers
A.AWS Direct Connect
B.AWS Transit Gateway
C.Virtual Private Gateway
D.Customer Gateway
E.VPN Connection
AnswersC, D, E

A virtual private gateway (the AWS-side endpoint), a customer gateway (representing the on-premises device) and the VPN connection that links them.

Why this answer

Option D (Customer Gateway, the AWS resource that represents the on-premises device and its public IP), Option C (Virtual Private Gateway, the AWS-side endpoint) and Option E (the VPN connection that ties the two together with its IPsec tunnels) are required. Option A (Direct Connect) is a separate dedicated-link service. Option B (Transit Gateway) is optional: it can replace the virtual private gateway as the AWS-side endpoint, but it is not required.

489
Multi-Selectmedium

A company is designing a multi-account strategy using AWS Organizations. The security team wants to centrally manage VPC Flow Logs from all accounts. Which THREE steps are required to achieve this?

Select 3 answers
A.Set up a VPN connection between the logging account and each member account.
B.Enable VPC Flow Logs in each account, specifying the central S3 bucket as the destination.
C.Create an S3 bucket in the central logging account with a bucket policy that grants write access to the member accounts.
D.Configure the central S3 bucket to use server-side encryption with AWS KMS (SSE-KMS).
E.Create a VPC peering connection between all accounts to allow log delivery.
AnswersB, C, D

Flow logs must be configured to send to the central bucket.

Why this answer

To centralize flow logs, you need a central S3 bucket with appropriate permissions, enable flow logs in each account, and send them to the central bucket. The bucket policy must allow cross-account delivery; in practice it grants s3:PutObject to the log delivery service principal (delivery.logs.amazonaws.com) with aws:SourceAccount conditions listing each member account, rather than to the member accounts directly. If the bucket uses SSE-KMS, the key policy must also allow that service principal to use the key, or delivery silently fails.

490
MCQeasy

A security engineer reviews the above security group configuration for a web server. What is a security concern with this configuration?

A.The outbound rule allows all traffic, which could be used for data exfiltration if the server is compromised.
B.The inbound rule for SSH allows traffic from a large CIDR block (10.0.0.0/8), which could include unauthorized internal hosts.
C.The outbound rule allows all traffic, which is necessary for the server to function.
D.The inbound rule for HTTP is too permissive because it allows traffic from all IP addresses.
AnswerA

A restrictive egress rule is a best practice to limit the impact of a breach.

Why this answer

Option A is correct because the egress rule allows all protocols to any destination, so a compromised web server can reach any host on the internet to exfiltrate data or pull down tooling; restricting egress to what the server actually needs (for example HTTPS to known update and API endpoints) limits that blast radius. Option D is incorrect because HTTP from anywhere is the expected exposure for a public web server; putting an ALB or CloudFront in front would be the usual improvement, but it is not the flaw the question targets. Option B is incorrect in the question's framing because 10.0.0.0/8 is private address space; in practice it should still be tightened to the bastion host's security group rather than a /8.

Option C is incorrect because it presents the permissive egress rule as necessary, which it is not; the server functions with a narrower set of outbound rules.

491
MCQeasy

A company uses AWS Direct Connect with a private VIF to connect to their VPC. They want to monitor the network latency between their on-premises router and the AWS Direct Connect location. Which AWS service should they use?

A.AWS Direct Connect metrics in CloudWatch
B.AWS X-Ray
C.VPC Flow Logs
D.Amazon CloudWatch Synthetics
AnswerA

Direct Connect publishes connection and virtual interface metrics to CloudWatch.

Why this answer

Option A is correct because AWS Direct Connect publishes per-connection and per-VIF metrics to CloudWatch (for example ConnectionState, ConnectionBpsEgress/ConnectionBpsIngress, ConnectionLightLevelTx/Rx and ConnectionCRCErrorCount), which is the AWS-native way to watch the link's health and utilization. A round-trip latency figure is not among those metrics, so in practice you correlate them with active probes (ping or traceroute from the on-premises router to an instance in the VPC) to localize latency. Option C is incorrect because VPC Flow Logs capture traffic metadata, not latency. Option D is incorrect because CloudWatch Synthetics monitors endpoint availability with canaries, not a Direct Connect link.

Option B is incorrect because AWS X-Ray traces application requests, not network links.

492
MCQhard

A company is using a centralized egress VPC model with a NAT gateway for outbound traffic from multiple VPCs. The network team notices that some EC2 instances are having connectivity timeouts when accessing the internet. The team has verified the route tables and security groups. Which additional check should be performed to troubleshoot the issue?

A.Check the security group rules for outbound traffic
B.Check the VPC Flow Logs for denied traffic
C.Check the route tables for the internet gateway
D.Check the NAT gateway CloudWatch metrics for error packets and connection counts
AnswerD

High connection counts or error packets indicate resource exhaustion.

Why this answer

Option D is correct because NAT Gateway CloudWatch metrics, specifically `ErrorPortAllocation` and `PacketsDropCount`, directly indicate whether the NAT Gateway is failing to allocate source ports or is dropping packets; comparing `ConnectionAttemptCount` with `ConnectionEstablishedCount` shows how many attempts never completed. In a centralized egress model with multiple VPCs, many spokes share one gateway, and a NAT Gateway supports at most 55,000 simultaneous connections to each unique destination (IP, port and protocol) per Elastic IP, so a single popular destination can exhaust the ports behind one address and cause connectivity timeouts even when route tables and security groups are correct. Associating additional Elastic IPs (up to 8) with the gateway raises that per-destination capacity.

Exam trap

AWS often tests the misconception that VPC Flow Logs or security group checks are sufficient for diagnosing NAT Gateway issues, when in fact the root cause is often port exhaustion or packet drops at the NAT Gateway itself, which requires CloudWatch metrics to identify.

How to eliminate wrong answers

Option A is wrong because the team has already verified security groups, and outbound rules are typically permissive by default; the issue is at the NAT Gateway level, not the instance's security group. Option B is wrong because VPC Flow Logs capture traffic metadata but do not show NAT Gateway-specific errors like port exhaustion; denied traffic would appear as 'ACCEPT' or 'REJECT' based on security group/NACL rules, not NAT Gateway capacity. Option C is wrong because route tables for the internet gateway are irrelevant in a centralized egress model where traffic is routed through the NAT Gateway in the egress VPC, not directly to an IGW from the spoke VPCs.
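
The following is an added example, not part of the exam page: a Python script that applies the two checks behind this answer to constructed data. It replays NAT gateway CloudWatch datapoints and flags the minutes in which the gateway itself failed connections, then counts concurrent connections per unique destination across the spoke VPCs and compares them with the documented limit of 55,000 per destination per Elastic IP. The metric values and flows are made up; the limit and metric names are AWS's.

```python
"""Added example, not from the exam page: NAT gateway port-exhaustion checks
for a centralized egress VPC, on constructed data.

(1) Replay AWS/NATGateway metric datapoints and flag port exhaustion or drops.
(2) Count concurrent connections per unique destination (dst IP, dst port,
    protocol), which is what the 55,000-connections-per-destination-per-EIP
    limit applies to.  Aggregating many spokes behind one gateway makes a single
    popular destination (an API, a package mirror) the first thing to hit it.
"""
from collections import Counter
from math import ceil

CONNECTIONS_PER_DESTINATION_PER_EIP = 55_000   # AWS documented NAT gateway limit
MAX_EIPS_PER_NAT_GATEWAY = 8                   # beyond this you need another gateway

# Constructed one-minute datapoints (metric names as published by AWS/NATGateway).
METRICS = [
    {"minute": 0, "ConnectionAttemptCount": 9_800, "ConnectionEstablishedCount": 9_800,
     "ErrorPortAllocation": 0, "PacketsDropCount": 0, "IdleTimeoutCount": 12},
    {"minute": 1, "ConnectionAttemptCount": 61_000, "ConnectionEstablishedCount": 54_990,
     "ErrorPortAllocation": 6_010, "PacketsDropCount": 0, "IdleTimeoutCount": 9},
    {"minute": 2, "ConnectionAttemptCount": 58_000, "ConnectionEstablishedCount": 52_000,
     "ErrorPortAllocation": 6_000, "PacketsDropCount": 42, "IdleTimeoutCount": 15},
    {"minute": 3, "ConnectionAttemptCount": 9_000, "ConnectionEstablishedCount": 8_700,
     "ErrorPortAllocation": 0, "PacketsDropCount": 0, "IdleTimeoutCount": 11},
]


def diagnose_metrics(datapoints):
    """Return (minute, finding, value) for every minute in which something failed."""
    findings = []
    for dp in datapoints:
        if dp["ErrorPortAllocation"] > 0:
            findings.append((dp["minute"], "port_exhaustion", dp["ErrorPortAllocation"]))
        if dp["PacketsDropCount"] > 0:
            findings.append((dp["minute"], "packets_dropped", dp["PacketsDropCount"]))
        failed = dp["ConnectionAttemptCount"] - dp["ConnectionEstablishedCount"]
        if failed > 0 and dp["ErrorPortAllocation"] == 0:
            # attempts that never established with no port errors: the far end did not answer
            findings.append((dp["minute"], "remote_not_answering", failed))
    return findings


# Constructed active flows: (spoke VPC, source CIDR, dst IP, dst port, protocol, concurrent count).
ACTIVE_FLOWS = [
    ("vpc-spoke-a", "10.1.0.0/16", "198.51.100.10", 443, "tcp", 30_000),
    ("vpc-spoke-b", "10.2.0.0/16", "198.51.100.10", 443, "tcp", 28_000),
    ("vpc-spoke-c", "10.3.0.0/16", "198.51.100.10", 443, "tcp", 4_000),
    ("vpc-spoke-a", "10.1.0.0/16", "203.0.113.25", 443, "tcp", 20_000),
    ("vpc-spoke-b", "10.2.0.0/16", "203.0.113.25", 53, "udp", 1_500),
]


def connections_per_destination(flows):
    """Sum concurrent connections per unique destination across all spokes."""
    per_dest = Counter()
    for _vpc, _src_cidr, dst_ip, dst_port, proto, count in flows:
        per_dest[(dst_ip, dst_port, proto)] += count
    return per_dest


def destinations_at_risk(flows, elastic_ips=1, warn_ratio=0.8):
    """Per-destination load versus the limit scaled by the number of EIPs on the gateway."""
    limit = CONNECTIONS_PER_DESTINATION_PER_EIP * elastic_ips
    result = {}
    for dest, n in connections_per_destination(flows).items():
        status = "EXCEEDED" if n > limit else "WARN" if n >= warn_ratio * limit else "OK"
        result[dest] = (n, status)
    return result


def eips_needed(flows):
    """Smallest EIP count that keeps the busiest destination under the limit.
    A result above MAX_EIPS_PER_NAT_GATEWAY means splitting spokes across gateways."""
    busiest = max(connections_per_destination(flows).values())
    return ceil(busiest / CONNECTIONS_PER_DESTINATION_PER_EIP)


if __name__ == "__main__":
    for finding in diagnose_metrics(METRICS):
        print("minute %d: %s (%d)" % finding)
    for dest, (n, status) in destinations_at_risk(ACTIVE_FLOWS).items():
        print(dest, n, status)
    print("EIPs needed:", eips_needed(ACTIVE_FLOWS))
```

Two points the numbers make: the total across destinations (83,500 here) is not what matters, the 62,000 to one destination is; and adding a second Elastic IP to the gateway is the cheaper fix compared with a second NAT gateway when only one destination is hot.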

493
MCQmedium

A company is using AWS WAF to protect a web application behind an Application Load Balancer. They want to block requests that contain SQL injection attacks. Which WAF rule type should they use?

A.IP set rule
B.Managed rule group for SQL injection
C.Rate-based rule
D.Geographic match rule
AnswerB

AWS WAF managed rules include SQL injection detection.

Why this answer

AWS WAF provides managed rule groups specifically designed to detect common web threats, including SQL injection. The AWS-managed SQL database rule group (AWSManagedRulesSQLiRuleSet) contains pre-configured rules that inspect request components (such as query strings, URI, headers and body) for SQL injection patterns, making it the correct choice for blocking such attacks without authoring custom rules. If a narrower scope is needed, a custom rule with a SQL injection match statement can inspect a chosen component instead.

Exam trap

The trap here is that candidates may confuse a rate-based rule (which controls request frequency) with a content-inspection rule, or assume that an IP set rule can block attacks based on source reputation, when in fact only managed rule groups or custom rules with SQL injection match conditions can inspect request content for injection patterns.

How to eliminate wrong answers

Option A is wrong because an IP set rule matches requests based on source IP addresses, not on the content of the request, so it cannot detect SQL injection patterns. Option C is wrong because a rate-based rule limits the number of requests from a source IP over a time window, which is used for DDoS protection, not for inspecting request payloads for SQL injection. Option D is wrong because a geographic match rule filters traffic based on the country of origin of the IP address, which has no relation to SQL injection detection.

494
MCQeasy

A network engineer is troubleshooting SSH connectivity to an EC2 instance in subnet subnet-0abcd1234efgh5678, which is associated with the network ACL shown. The security group allows inbound SSH. Why can't the engineer SSH to the instance?

A.The security group is blocking SSH traffic
B.The network ACL is not associated with the subnet
C.The network ACL has a rule that denies all traffic (rule 300) which overrides the allow rule
D.The network ACL rule 200 denies SSH traffic, overriding rule 100
AnswerB

The NACL shown is not the one governing the subnet; if it were, rule 100 would already allow SSH.

Why this answer

The exhibit referenced by the question is not reproduced on this page; the discussion below uses the rule set it describes: inbound rule 100 allows SSH, rule 200 denies SSH, rule 300 denies all traffic, followed by the implicit '*' deny.

Network ACL rules are evaluated in ascending rule-number order, and the first rule that matches a packet decides; nothing after it is consulted. Rule 100 matches inbound TCP/22 and allows it, so rules 200 and 300 never apply to SSH. If the shown NACL were associated with subnet-0abcd1234efgh5678, inbound SSH would reach the instance (assuming the outbound rules allow the reply to the client's ephemeral port, which an inbound-only exhibit cannot confirm). Since the security group allows SSH and the shown rules would as well, the remaining explanation among the options is that this NACL is not the one associated with the subnet. Every subnet is associated with exactly one NACL, so the subnet is governed by another one (the VPC default or a different custom NACL), and that NACL's rules are the ones to inspect.

Option C is wrong because rule 300, a later deny-all, cannot override an earlier matching allow. Option D is wrong because rule 200 is never reached for SSH traffic. Option A is wrong because the question states the security group allows inbound SSH, and security groups are stateful, so no return rule is needed there.

Because NACLs are stateless, also verify that the outbound rules allow TCP 1024-65535 to the client's address; a newly created custom NACL has no outbound allow rules until you add them, so it blocks the SSH replies even when the inbound side is correct.
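
The following is an added example, not part of the exam page: a Python model of network ACL evaluation (first match in rule-number order, implicit deny at the end, stateless in each direction) run against the rule set the question describes, plus the subnet-association check that the answer turns on. The rule tables and the NACL IDs are constructed for the example; the subnet ID is the one from the question.

```python
"""Added example, not from the exam page: how a network ACL decides a packet.

Rules are tried in ascending rule-number order and the first rule whose
protocol, port and CIDR match decides; later rules are never consulted for
that packet, and the catch-all '*' rule denies anything unmatched.  NACLs are
stateless, so an SSH session needs the SYN to pass inbound on port 22 and the
reply to pass outbound to the client's ephemeral port.  Rule tables below are
constructed to mirror the question; NACL IDs are hypothetical.
"""
import ipaddress

# (rule_number, protocol, port_from, port_to, cidr, action); protocol "-1" means all
INBOUND = [
    (100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    (200, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    (300, "-1", 0, 65535, "0.0.0.0/0", "deny"),
]
OUTBOUND_NEW_CUSTOM = []   # a new custom NACL has no outbound allow rules, only '*' deny
OUTBOUND_FIXED = [
    (100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to client ephemeral ports
]


def evaluate(rules, protocol, port, addr):
    """Return (rule_number, action) of the first matching rule, or ('*', 'deny')."""
    ip = ipaddress.ip_address(addr)
    for num, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto != "-1" and proto != protocol:
            continue
        if proto != "-1" and not (lo <= port <= hi):
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue
        return num, action
    return "*", "deny"


def ssh_session_permitted(inbound, outbound, client_ip, client_port=51515):
    """Stateless check of both directions of an SSH session from client_ip."""
    in_rule, in_action = evaluate(inbound, "tcp", 22, client_ip)
    out_rule, out_action = evaluate(outbound, "tcp", client_port, client_ip)
    return {"inbound": (in_rule, in_action), "outbound": (out_rule, out_action),
            "permitted": in_action == "allow" and out_action == "allow"}


# Every subnet is associated with exactly one NACL (the VPC default unless changed).
ASSOCIATIONS = {"subnet-0abcd1234efgh5678": "acl-0default000000000"}   # hypothetical
SHOWN_NACL_ID = "acl-0custom0000000000"                                 # hypothetical


def governs(subnet_id, nacl_id, associations=ASSOCIATIONS):
    """True only if nacl_id is the NACL actually associated with the subnet."""
    return associations.get(subnet_id) == nacl_id


if __name__ == "__main__":
    print("inbound ssh :", evaluate(INBOUND, "tcp", 22, "203.0.113.5"))      # (100, 'allow')
    print("inbound http:", evaluate(INBOUND, "tcp", 80, "203.0.113.5"))      # (300, 'deny')
    print("new custom  :", ssh_session_permitted(INBOUND, OUTBOUND_NEW_CUSTOM, "203.0.113.5"))
    print("fixed       :", ssh_session_permitted(INBOUND, OUTBOUND_FIXED, "203.0.113.5"))
    print("shown NACL governs subnet:", governs("subnet-0abcd1234efgh5678", SHOWN_NACL_ID))
```

Running it shows the two things troubleshooters most often get wrong: rule 100 wins and the later denies are irrelevant, and a custom NACL with a correct inbound table still kills SSH until the outbound ephemeral-port rule exists.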

495
Multi-Selecteasy

Which THREE of the following are considerations when designing a Direct Connect implementation for high availability? (Choose three.)

Select 3 answers
A.Use a single connection with high bandwidth.
B.Configure static routes to the on-premises network.
C.Use BGP to advertise the same prefixes over both connections.
D.Use two or more Direct Connect connections.
E.Connect to different Direct Connect locations.
AnswersC, D, E

Redundant connections at different locations, each advertising the same prefixes over BGP, enable automatic failover.

Why this answer

Correct: D (two or more connections), E (terminating at different Direct Connect locations, so a facility failure does not take both down) and C (advertising the same prefixes over BGP on each connection, so routing fails over automatically; BGP is mandatory on Direct Connect virtual interfaces). A is wrong because a single connection, however fast, is a single point of failure. B is wrong because Direct Connect does not use static routes, and static routes cannot fail over on their own.

496
Multi-Selecthard

A company is using AWS Global Accelerator to improve performance for a global application. The application uses an Application Load Balancer (ALB) in each region. The network team wants to ensure that traffic is distributed evenly across regions and that failover happens quickly. Which THREE steps should the team take? (Select THREE.)

Select 3 answers
A.Configure multiple endpoint groups, one per region, and set traffic dials to distribute load
B.Enable health checks on each endpoint and set a low threshold for failure detection
C.Set the traffic dial for each endpoint group to a value that reflects the desired distribution
D.Enable client IP address preservation on the Global Accelerator
E.Use Route 53 weighted routing in front of Global Accelerator
AnswersA, B, C

Traffic dials control the percentage of traffic to each region.

Why this answer

Options A, B and C are correct. A: one endpoint group per Region lets Global Accelerator spread traffic across Regions. B: endpoint health checks with a low failure threshold shorten the time to fail over (for ALB endpoints, the accelerator uses the health the ALB itself reports). C: the traffic dial on each endpoint group sets the percentage of traffic that group receives, so it can be tuned to the desired distribution.

Option D is wrong because client IP address preservation affects what the backend sees as the source address, not how traffic is distributed. Option E is wrong because Route 53 weighted routing in front of the accelerator reintroduces DNS-based steering and TTL delays that the accelerator's static anycast IPs are meant to avoid.

497
MCQhard

A financial services company must meet PCI DSS compliance requirements. They have a VPC with public and private subnets. The web servers in the public subnets must only accept traffic from the internet on ports 80 and 443. The application servers in the private subnets must only accept traffic from the web servers. Which network design ensures least-privilege access?

A.Use security groups on web servers allowing 0.0.0.0/0 on ports 80/443, and on app servers allowing the web servers' CIDR block
B.Use a Network ACL on the public subnet allowing inbound ports 80 and 443 from 0.0.0.0/0, and security groups on web and app servers with the app servers' security group referencing the web servers' security group
C.Use a single Network ACL for both public and private subnets with allow rules for ports 80 and 443
D.Use a single Network ACL on the private subnet allowing inbound ports 80 and 443 from the public subnet CIDR
AnswerB

This provides least-privilege with stateful security groups and stateless NACL.

Why this answer

Option B is correct because it uses security groups for stateful, least-privilege access control. The web servers' security group allows inbound ports 80 and 443 from 0.0.0.0/0, and the app servers' security group references the web servers' security group as the source, ensuring only traffic from the web servers is permitted. This design leverages security group chaining, which automatically handles return traffic and avoids the need for explicit CIDR management, aligning with PCI DSS least-privilege requirements.

Exam trap

The trap here is that candidates often default to using Network ACLs for subnet-level control, forgetting that security groups provide stateful, instance-level filtering with the ability to reference other security groups, which is more aligned with least-privilege and PCI DSS requirements.

How to eliminate wrong answers

Option A is wrong because allowing the web servers' CIDR block on the app servers' security group is less flexible and scalable than referencing the web servers' security group; it also fails to leverage stateful security group chaining, potentially requiring manual updates if web server IPs change. Option C is wrong because using a single Network ACL for both subnets would apply the same rules to all subnets, violating least-privilege by allowing inbound traffic from the internet to the private subnet and not differentiating between web and app server traffic. Option D is wrong because a Network ACL on the private subnet allowing inbound ports 80 and 443 from the public subnet CIDR is stateless, requiring explicit outbound rules for return traffic, and does not provide the granularity of security group references; it also unnecessarily exposes the private subnet to the entire public subnet CIDR.
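
The following is an added example, not part of the exam page: a small Python linter for the security group patterns in questions 486, 490 and 497. It flags the findings those questions turn on: egress open to 0.0.0.0/0 for all protocols, SSH accepted from a broad CIDR instead of a bastion security group, and an application tier that admits traffic by CIDR rather than by referencing the load balancer's security group. Rules are written in the shape of the EC2 API's IpPermissions structure; the group IDs and CIDRs are made up.

```python
"""Added example, not from the exam page: linting security groups for the
least-privilege patterns in Q486, Q490 and Q497.

Rules mirror the EC2 API's IpPermissions shape: IpProtocol, FromPort, ToPort,
IpRanges[{CidrIp}] and UserIdGroupPairs[{GroupId}].  Group IDs are hypothetical.
"""
import ipaddress

MAX_SSH_PREFIX = 24   # treat any SSH source broader than a /24 as too wide


def rule(proto, from_port, to_port, cidrs=(), groups=()):
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed groups: the web server of Q490, and an ALB with two candidate app tiers (Q486/Q497).
SECURITY_GROUPS = {
    "sg-web-q490": {
        "ingress": [rule("tcp", 80, 80, cidrs=["0.0.0.0/0"]),
                    rule("tcp", 22, 22, cidrs=["10.0.0.0/8"])],
        "egress": [rule("-1", -1, -1, cidrs=["0.0.0.0/0"])],
    },
    "sg-alb": {
        "ingress": [rule("tcp", 443, 443, cidrs=["0.0.0.0/0"])],
        "egress": [rule("tcp", 8080, 8080, groups=["sg-app-bad", "sg-app-good"])],
    },
    "sg-app-bad": {   # admits the whole VPC CIDR, not just the ALB
        "ingress": [rule("tcp", 8080, 8080, cidrs=["10.0.0.0/16"])],
        "egress": [rule("tcp", 443, 443, cidrs=["0.0.0.0/0"])],
    },
    "sg-app-good": {  # admits only the ALB by security group reference
        "ingress": [rule("tcp", 8080, 8080, groups=["sg-alb"])],
        "egress": [rule("tcp", 443, 443, cidrs=["0.0.0.0/0"])],
    },
}


def lint(sg_id, sg, expect_ingress_only_from=None):
    """Return a list of finding strings for one security group.

    expect_ingress_only_from: set of group IDs that are the only legitimate sources,
    e.g. {"sg-alb"} for an app tier that must accept traffic from the ALB alone."""
    findings = []
    for r in sg["egress"]:
        # Q490: all protocols to anywhere lets a compromised host exfiltrate freely
        if r["IpProtocol"] == "-1" and any(x["CidrIp"] == "0.0.0.0/0" for x in r["IpRanges"]):
            findings.append("egress_all_traffic_anywhere")
    for r in sg["ingress"]:
        covers_ssh = r["IpProtocol"] == "-1" or (
            r["IpProtocol"] == "tcp" and r["FromPort"] <= 22 <= r["ToPort"])
        for x in r["IpRanges"]:
            cidr = x["CidrIp"]
            if covers_ssh and ipaddress.ip_network(cidr).prefixlen < MAX_SSH_PREFIX:
                findings.append(f"ssh_from_broad_cidr:{cidr}")
            if expect_ingress_only_from is not None:
                # Q486/Q497: a CIDR admits every host in it, not just the load balancer
                findings.append(f"ingress_by_cidr_not_sg_reference:{cidr}")
        for g in r["UserIdGroupPairs"]:
            if expect_ingress_only_from is not None and g["GroupId"] not in expect_ingress_only_from:
                findings.append(f"ingress_from_unexpected_sg:{g['GroupId']}")
    return findings


def lint_all(groups, app_tier_sources=None):
    """Lint every group; app_tier_sources maps app-tier group IDs to their allowed upstream groups."""
    app_tier_sources = app_tier_sources or {}
    return {sg_id: lint(sg_id, sg, app_tier_sources.get(sg_id)) for sg_id, sg in groups.items()}


if __name__ == "__main__":
    report = lint_all(SECURITY_GROUPS, {"sg-app-bad": {"sg-alb"}, "sg-app-good": {"sg-alb"}})
    for sg_id, findings in report.items():
        print(sg_id, findings or "clean")
```

The reference-by-group-ID check is the one that matters for the PCI-style design above: it survives ALB node IP changes and scale-out, whereas a CIDR rule has to be wide enough to cover every address the ALB might use, which in a /16 means the whole VPC.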

498
MCQeasy

A security engineer needs to ensure that all traffic between two VPCs in the same region is encrypted in transit. The VPCs are connected via a VPC peering connection. What should the engineer do to meet this requirement?

A.Set up a VPN connection between the two VPCs and route traffic through it.
B.Configure network ACLs to enforce encryption.
C.No additional configuration needed; VPC peering traffic is automatically encrypted.
D.Use AWS Transit Gateway to connect the VPCs and enable encryption.
AnswerC

VPC peering traffic never leaves the AWS network: cross-Region peering traffic is encrypted by AWS as it leaves a Region, and intra-Region traffic between supported Nitro-based instance types is encrypted by the Nitro hardware, so the exam treats peering traffic as encrypted in transit without extra configuration.

Why this answer

Option C is correct because VPC peering traffic stays on the AWS backbone and is encrypted as described above, so no additional configuration is needed; if a compliance framework requires encryption you control and can prove at the application layer, add TLS end to end rather than changing the network path. Option A is wrong because an AWS Site-to-Site VPN terminates on a virtual private gateway or transit gateway, not on a peering connection, so a VPN here would mean running your own VPN instances for no gain. Option D is wrong because Transit Gateway does not add encryption beyond what peering already provides.

Option B is wrong because network ACLs filter traffic; they cannot encrypt it.

499
MCQmedium

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Direct Connect. The network team wants to monitor BGP session status for all Transit Gateway attachments. Which AWS service should be used?

A.AWS Config
B.VPC Flow Logs
C.AWS Transit Gateway Network Manager
D.Amazon CloudWatch with Transit Gateway metrics
AnswerC

Network Manager provides a central dashboard for monitoring BGP sessions and connectivity.

Why this answer

Option C is correct because Transit Gateway Network Manager gives a central view of the global network, including BGP peering status for attachments alongside topology and events. Option D is incorrect because CloudWatch carries Transit Gateway throughput and packet metrics but no BGP session status for attachments. Option B is incorrect because VPC Flow Logs capture traffic, not routing protocol state.

Option A is incorrect because AWS Config tracks configuration changes, not real-time BGP status.

500
MCQmedium

A company has a VPC with an IPv6 CIDR and wants to provide internet access to instances in a private subnet using IPv6. Which AWS service should be used?

A.VPC Gateway Endpoint
B.Internet Gateway
C.NAT Gateway
D.Egress-Only Internet Gateway
AnswerD

Egress-only internet gateway provides outbound-only IPv6 access.

Why this answer

An egress-only internet gateway allows outbound IPv6 traffic from private subnets but blocks inbound traffic.

501
MCQhard

A company has a VPC with public and private subnets in two Availability Zones. They have a NAT gateway in each AZ for outbound internet access. They recently added a third AZ and created a new private subnet. Instances in the new private subnet cannot reach the internet. The route table for the new subnet has a default route (0.0.0.0/0) pointing to a NAT gateway in the same AZ. What is the most likely cause?

A.The security group attached to the NAT gateway blocks outbound traffic
B.The route table in the new private subnet does not have a route to the NAT gateway
C.The NAT gateway in the new AZ does not have an Elastic IP address attached
D.The NAT gateway is not in a public subnet in the new AZ
AnswerC

A NAT gateway requires an Elastic IP to function; without it, outbound traffic fails.

Why this answer

Option C is correct because a NAT gateway that provides internet access must hold an Elastic IP to source-translate the instances' private addresses; a NAT gateway created without one is a private NAT gateway, which can only reach other VPCs or on-premises networks and never an internet gateway. Option B is wrong because the question states the default route to the NAT gateway already exists. Option A is wrong because NAT gateways have no security groups; access control is on the instances and in the subnet NACLs.

Option D describes a real requirement, since a NAT gateway is created in a specific subnet and that subnet's route table must point 0.0.0.0/0 at the internet gateway, but the question presents the missing Elastic IP as the cause; in practice, check the NAT gateway's subnet route table as well.

502
MCQhard

A company is designing a network for a real-time gaming application that requires low latency and high throughput between game servers in multiple regions. The application uses UDP traffic. Which AWS service should be used to route traffic between regions?

A.AWS Transit Gateway
B.AWS Global Accelerator
C.Amazon CloudFront
D.Amazon Route 53
AnswerB

Supports UDP and TCP, provides anycast IPs.

Why this answer

AWS Global Accelerator uses the Anycast IP address and the AWS global network to route UDP traffic from users to the optimal regional endpoint, minimizing latency and jitter. It is designed for real-time applications like gaming that require low-latency and high-throughput UDP traffic between regions, as it bypasses the public internet and leverages AWS's internal backbone.

Exam trap

The trap here is that candidates often confuse Amazon Route 53's latency-based routing with actual network path optimization, but Route 53 only controls DNS resolution and does not accelerate or route the UDP traffic itself after the initial connection.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a hub-and-spoke connectivity service for VPC-to-VPC or on-premises routing within a single region, not designed for inter-region traffic optimization or low-latency UDP routing. Option C is wrong because Amazon CloudFront is a content delivery network (CDN) optimized for HTTP/HTTPS traffic and does not support UDP traffic for real-time gaming applications. Option D is wrong because Amazon Route 53 is a DNS service that resolves domain names to IP addresses and can route traffic via policies like latency-based routing, but it does not optimize the network path or provide any acceleration for UDP traffic; it only controls initial DNS resolution.

503
Multi-Select (easy)

A company is designing a highly available architecture for a web application using an Application Load Balancer (ALB) across multiple Availability Zones. Which TWO actions should be taken to ensure high availability?

Select 2 answers
A. Use a Network Load Balancer instead of an ALB.
B. Register EC2 instances in multiple Availability Zones.
C. Place the EC2 instances in a single Availability Zone.
D. Configure the ALB as internal.
E. Configure the ALB as internet-facing.
Answers: B, E

Multi-AZ provides fault tolerance.

Why this answer

Option E is correct because the ALB must be internet-facing to receive traffic from users. Option B is correct because the EC2 instances should be in multiple AZs to survive an AZ failure. Option D is incorrect because an internal ALB is not accessible from the internet.

Option C is incorrect because a single AZ is not highly available. Option A is incorrect because a Network Load Balancer is for TCP/UDP, not HTTP.

504
MCQ (hard)

A company is using AWS Database Migration Service (DMS) to replicate data from an on-premises Oracle database to an Amazon RDS for Oracle instance. The replication is failing intermittently with connection timeouts. The network connectivity uses a Direct Connect private VIF. What should the network team investigate first?

A. The MTU settings on the on-premises router and the AWS Direct Connect interface.
B. The route table of the VPC to ensure it has a route to the on-premises CIDR via the Direct Connect virtual interface.
C. The VPN connection status as a backup path.
D. The security group of the RDS instance to ensure it allows traffic from the on-premises IP range.
Answer: A

MTU mismatch can cause intermittent connectivity issues, especially with DMS.

Why this answer

Option A is correct because an MTU mismatch between on-premises and AWS can cause packet fragmentation or drops, leading to timeouts. Option D is wrong because security groups do not apply to on-premises traffic. Option B is wrong because routing is point-to-point, with no internet involved.

Option C is wrong because a VPN is not used.

505
MCQ (hard)

A company has a VPC with a public subnet and a private subnet. They have a NAT Gateway in the public subnet. Instances in the private subnet need to download patches from the internet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT Gateway. However, instances cannot reach the internet. What is a possible cause?

A. The route table for the NAT Gateway's subnet does not have a route to an Internet Gateway.
B. The NAT Gateway is in a private subnet.
C. The network ACL on the private subnet is blocking outbound traffic.
D. The NAT Gateway does not have a security group allowing outbound traffic.
Answer: A

NAT Gateway needs a route to IGW for internet access.

Why this answer

For a NAT Gateway to route traffic to the internet, its subnet must have a route to an Internet Gateway (IGW). The NAT Gateway resides in the public subnet, and the public subnet's route table must include a default route (0.0.0.0/0) pointing to the IGW. Without this route, the NAT Gateway cannot forward traffic from the private subnet to the internet, even though the private subnet's route table correctly points to the NAT Gateway.

Exam trap

AWS often tests the misconception that configuring the private subnet's route table to point to the NAT Gateway is sufficient, while ignoring that the NAT Gateway's own subnet must have a route to the Internet Gateway for outbound connectivity.

How to eliminate wrong answers

Option B is wrong because the NAT Gateway is explicitly stated to be in the public subnet, and placing it in a private subnet would prevent it from reaching the internet, but that is not the scenario here. Option C is wrong because network ACLs are stateless and, by default, allow all outbound traffic; unless explicitly modified to block outbound traffic, they would not prevent internet access. Option D is wrong because NAT Gateways do not have security groups; they are managed by AWS and cannot be associated with security groups, so this is not a possible cause.

506
MCQ (easy)

A company wants to provide internet access to instances in a private subnet using a NAT gateway. The NAT gateway is deployed in a public subnet with an Elastic IP. The private subnet route table has a default route pointing to the NAT gateway. However, instances in the private subnet cannot access the internet. What is the most likely cause?

A. The public subnet route table does not have a route to the internet gateway.
B. The security group assigned to the NAT gateway blocks outbound traffic.
C. The private subnet route table has a route to the internet gateway instead of the NAT gateway.
D. The NAT gateway does not have an Elastic IP associated.
Answer: A

NAT gateway needs internet gateway route in its subnet.

Why this answer

The NAT gateway is deployed in a public subnet, but for it to route traffic to the internet, the public subnet's route table must have a default route (0.0.0.0/0) pointing to an internet gateway (IGW). Without this route, the NAT gateway cannot forward traffic from the private subnet to the internet, even though the private subnet's route table correctly points to the NAT gateway. This is the most likely cause because the NAT gateway itself needs internet access via the IGW to translate and forward traffic.

Exam trap

AWS often tests the misconception that a NAT gateway automatically has internet access simply because it is in a public subnet, but the critical missing piece is the explicit route to the internet gateway in that subnet's route table.

How to eliminate wrong answers

Option B is wrong because security groups are not assigned to NAT gateways; NAT gateways are controlled by network ACLs, not security groups, and security groups cannot be attached to NAT gateways. Option C is wrong because if the private subnet route table had a route to the internet gateway, instances would attempt direct internet access, which would fail since they are in a private subnet without a public IP, but the question states the route points to the NAT gateway, so this is not the issue. Option D is wrong because the question explicitly states the NAT gateway has an Elastic IP associated, so this cannot be the cause of the failure.

507
MCQ (hard)

A company runs a web application on EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application must only accept traffic from known corporate IP addresses, but the company also needs to allow healthy traffic from AWS health checkers. Which architecture meets these requirements securely?

A. Configure the Application Load Balancer's security group to allow inbound from corporate IPs, and the EC2 instances' security group to allow inbound from the ALB's security group.
B. Create two target groups: one for corporate traffic and one for health check traffic, each with different security groups.
C. Use AWS WAF on the ALB to create an IP set containing corporate IPs, and allow all traffic from ALB to instances.
D. Use a network ACL on the VPC subnet to allow inbound traffic from corporate IPs and AWS health checker IP ranges.
Answer: A

This ensures that only traffic through the ALB (including health checks) reaches the instances, and the ALB only accepts corporate IP traffic.

Why this answer

The correct approach is to use security groups. The ALB security group should allow inbound from corporate IPs, and the EC2 security group should allow inbound only from the ALB security group. AWS health checkers come from the ALB's private IPs, so they are covered.

Option A is correct. Option D (NACL) is incorrect because NACLs are stateless and would require complex rules. Option C (WAF) can filter by IP but also needs to allow health checks, and it adds complexity.

Option B (separate target groups for health check traffic) is overkill and unnecessary.

508
MCQ (easy)

A company wants to connect an on-premises data center to AWS using a dedicated private connection that does not traverse the internet. Which AWS service should they use?

A. AWS Transit Gateway
B. AWS Site-to-Site VPN
C. AWS Direct Connect
D. VPC Peering
Answer: C

Dedicated private connection.

Why this answer

AWS Direct Connect is the correct choice because it provides a dedicated, private network connection from an on-premises data center to AWS, bypassing the internet entirely. This service uses industry-standard 802.1Q VLANs to create a private virtual interface (VIF) that connects directly to a virtual private gateway or AWS Transit Gateway, ensuring low latency, consistent bandwidth, and compliance with data sovereignty requirements.

Exam trap

AWS often tests the misconception that AWS Transit Gateway itself provides a dedicated private connection, but it is a routing service that requires an underlying physical or virtual link to extend to on-premises networks.

How to eliminate wrong answers

Option A is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it is not a dedicated private connection service; it requires an underlying connection like Direct Connect or VPN to extend to on-premises. Option B is wrong because AWS Site-to-Site VPN creates an encrypted tunnel over the public internet, which does not meet the requirement of a dedicated private connection that does not traverse the internet. Option D is wrong because VPC Peering connects VPCs within AWS using the AWS global network, but it cannot connect an on-premises data center to AWS.

509
Multi-Select (medium)

A security team needs to implement a solution to detect and alert on suspicious network traffic within a VPC. The solution should analyze VPC Flow Logs and generate findings for potential threats. Which THREE AWS services can be used together to achieve this?

Select 3 answers
A. VPC Flow Logs
B. Amazon Detective
C. Amazon GuardDuty
D. AWS CloudTrail
E. AWS Config
Answers: A, B, C

Captures network traffic metadata.

Why this answer

Option A (VPC Flow Logs) provides the data source. Option C (Amazon GuardDuty) analyzes Flow Logs for threats and generates findings. Option B (Amazon Detective) can perform deeper investigation of those findings.

Option D is wrong because CloudTrail is for API logging, not network traffic analysis. Option E is wrong because Config is for resource configuration tracking.

510
Multi-Select (medium)

A network engineer must design a solution to monitor and troubleshoot connectivity from an on-premises data center to a VPC over an AWS Direct Connect connection. The solution must provide visibility into BGP routing, packet loss, and latency. Which TWO services or features should the engineer use? (Choose two.)

Select 2 answers
A. Amazon CloudWatch Logs for Direct Connect
B. AWS CloudTrail
C. Amazon CloudWatch metrics for Direct Connect
D. VPC Flow Logs
E. AWS X-Ray
Answers: A, C

Can ingest Direct Connect logs for monitoring.

Why this answer

Amazon CloudWatch metrics for Direct Connect can monitor BGP session state, packet loss, and latency. AWS CloudTrail logs API calls but not network performance. VPC Flow Logs capture IP traffic metadata but not BGP details or latency.

AWS X-Ray is for application tracing. Amazon Inspector is for security assessments.

511
Multi-Select (medium)

A company has a VPC with an internet gateway and a NAT Gateway. The private subnet route table has a default route to the NAT Gateway. The company wants to enable instances in the private subnet to access an S3 bucket in the same region without traversing the internet. Which TWO actions should the company take?

Select 2 answers
A. Remove the default route to the NAT Gateway from the private subnet route table.
B. Add a route to the S3 prefix list via the gateway endpoint in the private subnet route table.
C. Create a gateway VPC endpoint for S3.
D. Add a route to the S3 prefix list via the NAT Gateway in the private subnet route table.
E. Create an interface VPC endpoint for S3.
Answers: B, C

This enables private access.

Why this answer

Option B is correct because adding a route to the S3 prefix list via the gateway endpoint directs traffic destined for S3 through the VPC endpoint, keeping it within the AWS network. Option C is correct because a gateway VPC endpoint for S3 provides a private, scalable connection to S3 without requiring internet access or a NAT Gateway. Together, these actions allow private subnet instances to access S3 privately and efficiently.

Exam trap

The trap here is that candidates often confuse gateway endpoints with interface endpoints, incorrectly assuming S3 requires an interface endpoint, or they think the NAT Gateway must be removed entirely, when in fact the NAT Gateway should remain for other outbound traffic and only the S3-specific route needs to be added via the gateway endpoint.

512
MCQ (medium)

A company is using AWS Transit Gateway to connect multiple VPCs and on-premises networks. The company wants to centralize network security by inspecting all traffic between VPCs and between VPCs and on-premises. Which architecture should be used?

A. Attach all VPCs to a Transit Gateway and use route tables to send traffic through a firewall appliance in one VPC.
B. Use VPN connections between all VPCs and on-premises.
C. Use VPC peering between all VPCs and configure security groups.
D. Use Network Load Balancer to distribute traffic across VPCs.
Answer: A

Transit Gateway route tables can direct traffic to an inspection VPC.

Why this answer

Option A is correct because Transit Gateway supports appliance mode to force traffic through a security appliance VPC. Options B and D do not provide centralized inspection. Option C is manual and not scalable.

513
MCQ (hard)

Refer to the exhibit. A company has created a VPC endpoint for S3. However, an EC2 instance in the subnet associated with the route table cannot access S3 via the endpoint. The route table has a route to the endpoint. What is the most likely cause?

A. The endpoint is in 'pending' state
B. The route table is not associated with the subnet
C. Private DNS is not enabled
D. The security group is blocking traffic
Answer: C

Without Private DNS, the instance does not resolve S3 to the endpoint IP.

Why this answer

The correct answer is C because the endpoint policy is set to Allow all, which is fine. However, the PrivateDnsEnabled is false, meaning that DNS resolution for S3 endpoints does not resolve to the endpoint IP. To use the endpoint, either enable Private DNS or use the endpoint-specific DNS name.

Option A is wrong because the endpoint state is 'available'. Option B is wrong because the route table is associated. Option D is wrong because the security group is not specified (empty), but default SG allows all outbound traffic.

514
MCQ (hard)

Refer to the exhibit. A network engineer is creating an IAM policy for a junior engineer who needs to set up a VPC with public and private subnets and an internet gateway. The junior engineer reports that they cannot create a VPC peering connection. Based on the policy, what is the most likely reason?

A. The policy has an explicit Deny statement for ec2:CreateVpcPeeringConnection.
B. The policy allows ec2:CreateVpc which implicitly denies peering.
C. The policy requires multi-factor authentication to create VPC peering connections.
D. The policy does not allow the ec2:CreateVpcPeeringConnection action.
Answer: A

The explicit Deny overrides any Allow and prevents the action.

Why this answer

The policy explicitly denies the ec2:CreateVpcPeeringConnection action with an Effect of Deny. Even though there is an Allow for other actions, the Deny overrides any Allow for that specific action. Option A is correct.

Options B and D do not apply because the action is blocked by the explicit Deny, not by an implicit denial or a missing Allow. Option C is incorrect because the policy does not require MFA.
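The evaluation order behind this question, as an added Python example that is not part of the exam material or of AWS itself: an explicit Deny on an action wins over every Allow, and an action no statement mentions is implicitly denied. The policy document below is a constructed stand-in for the exhibit, which is not on this page; only ec2:CreateVpc and ec2:CreateVpcPeeringConnection come from the question.

```python
"""Minimal model of IAM identity-policy evaluation for a single action.

Models only the rules the question relies on: explicit Deny beats Allow,
no matching statement means implicit deny, and Action wildcards ('*', '?')
match case-insensitively. Resource and Condition elements are not evaluated.
"""
import copy
from fnmatch import fnmatchcase

# Constructed policy (assumption: the exhibit looks roughly like this):
# broad VPC-building permissions plus an explicit Deny on VPC peering.
JUNIOR_ENGINEER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpc",
                "ec2:CreateSubnet",
                "ec2:CreateInternetGateway",
                "ec2:AttachInternetGateway",
                "ec2:CreateRouteTable",
                "ec2:CreateRoute",
                "ec2:Describe*",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": "ec2:CreateVpcPeeringConnection",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return (decision, reason) with decision in {'explicit-deny', 'allow', 'implicit-deny'}."""
    allowed_by = None
    for index, stmt in enumerate(policy["Statement"]):
        # NotAction is also valid IAM syntax but is not used in this scenario.
        if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            # A matching Deny ends evaluation regardless of any Allow seen so far.
            return "explicit-deny", f"statement {index} explicitly denies {action}"
        if allowed_by is None:
            allowed_by = index
    if allowed_by is not None:
        return "allow", f"statement {allowed_by} allows {action}"
    return "implicit-deny", f"no statement matches {action}"


def with_extra_allow(policy, action):
    """Copy of the policy with an Allow for `action` appended.

    Used to show that adding an Allow does not help while the explicit
    Deny remains; the Deny statement itself has to be removed or scoped.
    """
    extended = copy.deepcopy(policy)
    extended["Statement"].append({"Effect": "Allow", "Action": action, "Resource": "*"})
    return extended


if __name__ == "__main__":
    for action in ("ec2:CreateVpc", "ec2:DescribeVpcs", "ec2:DeleteVpc",
                   "ec2:CreateVpcPeeringConnection"):
        print(f"{action:35} -> {evaluate(JUNIOR_ENGINEER_POLICY, action)}")
    patched = with_extra_allow(JUNIOR_ENGINEER_POLICY, "ec2:CreateVpcPeeringConnection")
    print("after adding an Allow:", evaluate(patched, "ec2:CreateVpcPeeringConnection"))
```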

515
MCQ (easy)

A company wants to securely connect two VPCs in the same region. The VPCs must be able to communicate using private IP addresses, and connectivity should be highly available. Which solution meets these requirements?

A. Set up a VPN connection between the two VPCs using virtual private gateways.
B. Create an inter-region VPC peering connection.
C. Create a VPC peering connection between the two VPCs.
D. Use an AWS Transit Gateway to connect the two VPCs.
Answer: C

VPC peering provides low-latency, private connectivity between VPCs in the same region.

Why this answer

Option C is correct because a VPC peering connection allows two VPCs in the same region to communicate using private IPv4 or IPv6 addresses as if they were on the same network, with no single point of failure. It is highly available by design since traffic flows directly between the VPCs using the AWS global network infrastructure, without any intermediate devices or bandwidth limits.

Exam trap

AWS often tests the misconception that a VPN connection is required for private IP communication between VPCs, but VPC peering provides direct, private, and highly available connectivity without the overhead of VPN tunnels.

How to eliminate wrong answers

Option A is wrong because a VPN connection between two VPCs using virtual private gateways introduces a single point of failure (the VPN tunnel endpoints) unless multiple tunnels are configured, and it adds complexity and latency compared to a native VPC peering solution. Option B is wrong because an inter-region VPC peering connection is used for VPCs in different AWS regions, not for VPCs in the same region, and the question specifies same-region connectivity. Option D is wrong because while an AWS Transit Gateway can connect two VPCs, it introduces an additional cost and a central hub that, although highly available, is unnecessary for a simple two-VPC scenario and adds complexity beyond the requirements.

516
MCQ (hard)

A company has a VPC with public and private subnets. The private subnets need to access the internet through a NAT gateway. The security team wants to ensure that traffic from the private subnets cannot bypass the NAT gateway. Which configuration should be used?

A. Deploy a forward proxy in a public subnet and configure the private subnets to use it
B. Use an egress-only internet gateway for the private subnets
C. Add a route in the private subnet route table with destination 0.0.0.0/0 pointing to the NAT gateway
D. Attach a security group to the NAT gateway that only allows outbound traffic
Answer: C

This forces all outbound traffic to go through the NAT gateway.

Why this answer

Option C is correct because a route table with a default route pointing to the NAT gateway ensures all outbound traffic goes through the NAT gateway. Option B is wrong because an egress-only internet gateway is for IPv6. Option A is wrong because a proxy in a public subnet still needs routing.

Option D is wrong because a security group on the NAT gateway does not enforce routing.

517
Multi-Select (medium)

A company wants to design a multi-region active-active architecture with Amazon Route 53 latency-based routing and failover using health checks. Which TWO configurations are necessary? (Choose two.)

Select 2 answers
A. Use geolocation routing to direct users to the nearest region
B. Assign a weight to each record for traffic distribution
C. Configure a latency alias record for each region's resource
D. Create a health check for each resource and associate it with the record
E. Set the failover record type to 'Active-Active'
Answers: C, D

Latency-based routing uses latency alias records.

Why this answer

Option C is correct because latency-based routing in Route 53 uses alias records to route traffic based on the lowest latency for the end user. Configuring a latency alias record for each regional resource (e.g., an Application Load Balancer) allows Route 53 to respond with the IP of the resource that provides the best latency. Option D is correct because health checks must be associated with each latency record to enable failover; if a resource fails its health check, Route 53 removes it from the pool of healthy endpoints, ensuring traffic is only routed to healthy regions.

Exam trap

The trap here is that candidates often confuse latency-based routing with geolocation routing, or incorrectly assume that a failover record type must be explicitly set to 'Active-Active', when in fact the active-active behavior is achieved by combining latency-based routing with health checks, not by a specific record type.

518
MCQ (medium)

A company is designing a hybrid network architecture using AWS Direct Connect. They have a single Direct Connect connection with a private virtual interface (VIF) to a VPC in us-east-1. The on-premises network uses BGP to advertise a prefix (10.0.0.0/8) to AWS. The VPC has a CIDR of 10.1.0.0/16. The company wants to add a second VPC (10.2.0.0/16) in the same region and allow on-premises to communicate with both VPCs. They plan to use a Transit Gateway to connect the VPCs and the Direct Connect gateway. The Direct Connect gateway is associated with the Transit Gateway. The on-premises router is advertising 10.0.0.0/8. After configuration, the on-premises network can communicate with 10.1.0.0/16 but not with 10.2.0.0/16. The network engineer verifies that the Transit Gateway route table has routes for both VPC attachments and that the Direct Connect gateway is associated with the Transit Gateway. What is the MOST likely issue?

A. The Direct Connect gateway is not associated with the Transit Gateway route table that contains the 10.2.0.0/16 route
B. The Transit Gateway route table does not have a route for 10.2.0.0/16
C. The private virtual interface is not configured to support multiple VPCs
D. The on-premises router is not advertising the 10.2.0.0/16 prefix
Answer: A

If the Direct Connect gateway attachment is in a different route table, it won't propagate the VPC CIDR to on-premises.

Why this answer

When using a Direct Connect gateway with a Transit Gateway, the Direct Connect gateway propagates routes to the Transit Gateway. The Transit Gateway route table must have a route for the on-premises prefix (10.0.0.0/8) pointing to the Direct Connect gateway attachment. Also, the Transit Gateway must propagate the VPC CIDRs to the Direct Connect gateway so that on-premises can learn them.

The issue is likely that the 10.2.0.0/16 route is not being propagated to the Direct Connect gateway. This can happen if the Transit Gateway route table does not have the VPC attachment associated or if the route propagation is disabled for that VPC attachment. The engineer verified routes in the Transit Gateway route table, so the issue might be that the Direct Connect gateway is not receiving the route for 10.2.0.0/16.

Typically, the Transit Gateway automatically propagates routes from attachments to the Direct Connect gateway if the route table is associated. However, if the VPC attachment is not associated with the same route table as the Direct Connect gateway attachment, propagation may not happen. The most likely fix is to ensure that both VPC attachments and the Direct Connect gateway attachment are in the same Transit Gateway route table.

519
Multi-Select (medium)

A company is designing a network for a multi-account AWS environment using AWS Organizations. They need to centralize network management and enable VPC connectivity across accounts. Which THREE services should they consider? (Choose THREE.)

Select 3 answers
A. AWS Resource Access Manager
B. AWS CloudFormation StackSets
C. VPC Peering
D. AWS Direct Connect
E. AWS Transit Gateway
Answers: A, B, E

Shares Transit Gateway and other resources across accounts.

Why this answer

AWS Resource Access Manager (RAM) is correct because it enables you to share centrally managed resources, such as Transit Gateways and VPC subnets, across multiple AWS accounts within an AWS Organization. This eliminates the need to create duplicate resources in each account and allows for centralized network management without requiring cross-account IAM roles or complex peering configurations.

Exam trap

The trap here is that candidates often select VPC Peering because it is a familiar, simple connectivity option, but they overlook that it lacks transitive routing and centralized management, making it unsuitable for a multi-account architecture where AWS Transit Gateway is the correct scalable solution.

520
MCQ (hard)

A company uses AWS Shield Advanced to protect its web application from DDoS attacks. The application is fronted by Amazon CloudFront and an Application Load Balancer. The security team wants to receive notifications when a DDoS attack is detected. Which AWS service should be used to receive these notifications?

A. AWS Config
B. Amazon CloudWatch
C. VPC Flow Logs
D. Amazon GuardDuty
Answer: B

Shield Advanced publishes metrics to CloudWatch, and CloudWatch Alarms can be set up to send notifications.

Why this answer

Option B is correct because AWS Shield Advanced integrates with Amazon CloudWatch to emit DDoS detection metrics, which can trigger CloudWatch Alarms for notifications. Option D is wrong because Amazon GuardDuty focuses on threat detection, not Shield events. Option A is wrong because AWS Config is for resource configuration auditing.

Option C is wrong because VPC Flow Logs capture network traffic, not Shield events.

521
MCQ (medium)

A network engineer is troubleshooting connectivity issues between two VPCs that are peered. The VPCs are in the same region and the peering connection is in the 'active' state. Security groups in both VPCs allow all traffic. However, instances in VPC A cannot reach instances in VPC B. What is the most likely cause?

A. Security groups are blocking traffic between the VPCs
B. The VPC peering connection is in the 'pending-acceptance' state
C. Route tables in one or both VPCs do not have routes pointing to the peering connection
D. Network ACLs are blocking traffic between the VPCs
Answer: C

Without proper routes, traffic is not directed to the peering connection.

Why this answer

VPC peering requires route table entries in both VPCs to direct traffic to the peering connection. Option C is correct because missing routes are a common issue. Option B is wrong because the peering connection is active.

Option A is wrong because security groups allow all traffic. Option D is wrong because NACLs are not mentioned as blocking.

522
Multi-Select (easy)

A company has a VPC with public and private subnets. They want to allow instances in the private subnet to download software updates from the internet while blocking inbound internet traffic. Which TWO components are required? (Select TWO.)

Select 2 answers
A. A Virtual Private Gateway.
B. An Internet Gateway attached to the VPC.
C. A VPC Peering connection.
D. A NAT Gateway in a public subnet.
E. A route in the private subnet's route table pointing to the NAT Gateway.
Answers: D, E

NAT Gateway enables outbound internet access.

Why this answer

Option D is correct because a NAT Gateway provides outbound internet access to instances in private subnets. Option E is correct because the private subnet's route table must have a route to the NAT Gateway for internet-bound traffic. Option B is wrong because an Internet Gateway is used for public subnets, not private.

Option A is wrong because a Virtual Private Gateway is for VPN connections. Option C is wrong because a VPC Peering connection connects VPCs, not to the internet.

523
MCQ (hard)

A company has a Direct Connect connection with a private VIF to a VPC in us-east-1. The VPC has two subnets: a public subnet and a private subnet. The public subnet has an internet gateway attached. The private subnet has a NAT gateway. The company's on-premises network uses the 10.0.0.0/8 IP range. The VPC CIDR is 10.1.0.0/16. The on-premises router is advertising 10.1.0.0/16 over BGP to the Direct Connect router. The company needs EC2 instances in the private subnet to initiate outbound connections to the internet for updates. The NAT gateway is in the public subnet. The route table for the private subnet has a default route (0.0.0.0/0) pointing to the NAT gateway. However, the on-premises network team reports that they can ping the private IP of the NAT gateway (10.1.0.10) but not the private IP of an EC2 instance in the private subnet (10.1.1.50). The EC2 instance's security group allows ICMP from the on-premises IP range. The VPC's main route table has a route for 10.0.0.0/8 pointing to the virtual private gateway. The VPC is attached to a virtual private gateway. What is the most likely cause?

A. The virtual private gateway is not attached to the VPC.
B. The NAT gateway is not reachable from the on-premises network.
C. The security group on the EC2 instance is blocking ICMP from the on-premises IP range.
D. The private subnet's route table does not have a route for the on-premises CIDR (10.0.0.0/8) pointing to the virtual private gateway.
Answer: D

Without a route for the on-premises CIDR in the private subnet's route table, traffic from on-premises to the EC2 instance is not forwarded to the VGW.

Why this answer

The on-premises network can ping the NAT gateway because the NAT gateway is in the public subnet, and the route table for the public subnet likely has a route to the virtual private gateway for the on-premises CIDR. However, the EC2 instance is in the private subnet, and the private subnet's route table does not have a route for the on-premises CIDR (10.0.0.0/8) pointing to the virtual private gateway. The VPC's main route table has such a route, but the private subnet is not using the main route table; it likely has a custom route table that only has the default route to the NAT gateway.

Therefore, traffic from on-premises to the EC2 instance's private IP is not routed to the virtual private gateway. Option D is correct. Option C is incorrect because the security group allows ICMP.

Option B is incorrect because the NAT gateway is reachable. Option A is incorrect because the virtual private gateway is attached.
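The route lookups behind this question and the two NAT gateway questions earlier in this set (505 and 506), as an added Python example that is not part of the exam material or of AWS tooling: it models VPC longest-prefix matching and follows a packet from the private subnet hop by hop, through the NAT gateway's own subnet where applicable. Subnet CIDRs, the on-premises host address and the igw-/nat-/vgw- ids are constructed placeholders; the VPC CIDR, NAT gateway and instance addresses, and the 10.0.0.0/8 on-premises range are the question's.

```python
"""Longest-prefix route lookup and hop-by-hop path tracing for the VPC scenarios above."""
import ipaddress


class Vpc:
    """Tiny model of one VPC: route tables, subnets, and where each NAT gateway lives."""

    def __init__(self, cidr):
        self.cidr = ipaddress.ip_network(cidr)
        self.route_tables = {}  # name -> [(network, target), ...]
        self.subnets = {}       # name -> (network, route table name)
        self.nat_gateways = {}  # NAT gateway id -> name of the subnet it sits in

    def add_route_table(self, name, routes):
        # Every VPC route table carries the implicit 'local' route for the VPC CIDR.
        table = [(self.cidr, "local")]
        table += [(ipaddress.ip_network(cidr), target) for cidr, target in routes]
        self.route_tables[name] = table

    def add_subnet(self, name, cidr, route_table):
        self.subnets[name] = (ipaddress.ip_network(cidr), route_table)

    def add_nat_gateway(self, nat_id, subnet):
        self.nat_gateways[nat_id] = subnet

    def lookup(self, route_table, dst):
        """The most specific matching route wins; None means there is no route at all."""
        dst = ipaddress.ip_address(dst)
        matches = [(net, tgt) for net, tgt in self.route_tables[route_table] if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda route: route[0].prefixlen)[1]

    def trace(self, subnet, dst):
        """Return the chain of targets a packet from `subnet` to `dst` is handed to.

        A NAT gateway is the only target that causes a second lookup: the packet
        is then routed by the table of the subnet the NAT gateway is deployed in.
        """
        hops = []
        current = subnet
        while True:
            _, table = self.subnets[current]
            target = self.lookup(table, dst)
            hops.append(target)
            if target in self.nat_gateways and len(hops) < 4:  # loop guard
                current = self.nat_gateways[target]
                continue
            return hops


def build_vpc(nat_subnet_routes_to_igw, private_table_routes_on_prem):
    """The question's 10.1.0.0/16 VPC with one public and one private subnet.

    The two flags reproduce the two misconfigurations discussed: the NAT
    gateway's subnet lacking a 0.0.0.0/0 -> IGW route, and the private
    subnet's custom route table lacking the 10.0.0.0/8 -> VGW route that
    the main route table has.
    """
    vpc = Vpc("10.1.0.0/16")
    on_prem = ("10.0.0.0/8", "vgw-EXAMPLE")
    public_routes = [on_prem] + ([("0.0.0.0/0", "igw-EXAMPLE")] if nat_subnet_routes_to_igw else [])
    private_routes = [("0.0.0.0/0", "nat-EXAMPLE")] + ([on_prem] if private_table_routes_on_prem else [])
    vpc.add_route_table("main", [on_prem])          # main table: has the on-prem route ...
    vpc.add_route_table("public", public_routes)
    vpc.add_route_table("private", private_routes)  # ... but the private subnet uses this one
    vpc.add_subnet("public", "10.1.0.0/24", "public")    # holds the NAT gateway (10.1.0.10)
    vpc.add_subnet("private", "10.1.1.0/24", "private")  # holds the instance (10.1.1.50)
    vpc.add_nat_gateway("nat-EXAMPLE", "public")
    return vpc


def private_subnet_reaches_internet(vpc):
    """Can the private subnet reach a public address (203.0.113.10, a TEST-NET-3 placeholder)?"""
    return vpc.trace("private", "203.0.113.10")[-1] == "igw-EXAMPLE"


def first_hop_toward_on_prem(vpc):
    """Target that receives the instance's reply to 10.0.5.5 (a constructed on-prem host).

    An echo request that arrived over the virtual private gateway is only
    answered if this is the VGW; when it is the NAT gateway, the reply is
    source-translated and never returns on the path the request used.
    """
    return vpc.trace("private", "10.0.5.5")[0]


if __name__ == "__main__":
    for igw, on_prem in ((False, False), (True, False), (True, True)):
        vpc = build_vpc(igw, on_prem)
        print(f"NAT subnet->IGW={igw!s:5} private->VGW={on_prem!s:5} "
              f"internet={vpc.trace('private', '203.0.113.10')} "
              f"reply-to-on-prem={vpc.trace('private', '10.0.5.5')}")
```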

524
MCQ (medium)

A company uses AWS Network Firewall to inspect traffic between VPCs in a transit gateway setup. They have a rule group that allows HTTP and HTTPS traffic to a web server in a production VPC. Recently, the security team added a new Suricata IPS rule to block traffic from a specific IP address. After deploying the updated rule group, they notice that all traffic to the web server is being dropped, even from allowed IPs. The firewall logs show the new rule is triggering for all traffic, not just the specific IP. What is the most likely cause?

A. The web server's security group is blocking traffic from the firewall's IP range after the firewall adds its source IP.
B. The new Suricata rule uses the 'drop' action instead of 'reject', causing all packets to be dropped.
C. The new rule is placed before the allow rules in the rule group, and due to the order of evaluation, the drop rule matches first and drops all traffic because the rule's source IP is set to 'any' instead of the specific IP.
D. The rule group is attached to the firewall policy in the wrong direction (e.g., outbound instead of inbound).
Answer: C

In Suricata rules, order matters. If the new rule has an incorrect source IP (e.g., using 'any' or a broad range), it will match all traffic and drop it before allow rules are evaluated. The rule should have the specific IP to block.
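Added example (not from the question bank) in Python: a small strict-order evaluator for Suricata rule headers, with the misconfigured rule group (drop rule first, source 'any') beside the corrected one (drop rule scoped to the single source). The addresses, SIDs and the first-match semantics are constructed for this example.

```python
import ipaddress
import re

# Suricata header: action proto src src_port dir dst dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+\S+\s+"
    r"(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\(.*\)\s*$"
)

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    return m.groupdict()

def addr_matches(spec, addr):
    # 'any' matches everything; otherwise a host address or CIDR block
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or port in {int(p) for p in spec.strip("[]").split(",")}

def evaluate(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Strict-order evaluation: the first rule whose header matches decides."""
    for r in map(parse_rule, rules):
        if r["proto"] in (proto, "ip") and addr_matches(r["src"], src_ip) \
                and addr_matches(r["dst"], dst_ip) and port_matches(r["dport"], dst_port):
            return r["action"]
    return "drop"  # constructed default: no rule matched

# Constructed rule groups: the web server is 10.20.0.5, the host to block is 203.0.113.10.
# Misconfigured: the block rule is first AND its source is 'any', so it matches everyone.
BROKEN = [
    'drop tcp any any -> 10.20.0.5 any (msg:"block bad actor"; sid:1000001;)',
    'pass tcp any any -> 10.20.0.5 [80,443] (msg:"allow web"; sid:1000002;)',
]
# Corrected: the block rule names the specific source, so only that host is dropped.
FIXED = [
    'drop tcp 203.0.113.10 any -> 10.20.0.5 any (msg:"block bad actor"; sid:1000001;)',
    'pass tcp any any -> 10.20.0.5 [80,443] (msg:"allow web"; sid:1000002;)',
]

if __name__ == "__main__":
    for name, group in (("broken", BROKEN), ("fixed", FIXED)):
        for src in ("198.51.100.7", "203.0.113.10"):
            print(name, src, "->", evaluate(group, src, "10.20.0.5", 443))
```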

525
MCQ · medium

A company is designing a hybrid network with AWS Direct Connect and AWS Site-to-Site VPN as backup. The primary Direct Connect connection uses a private VIF to a VPC. If the Direct Connect fails, traffic should automatically fail over to the VPN connection. What is the MOST reliable way to achieve this failover?

A. Use BGP on Direct Connect and static routes on the VPN connection, with a higher metric for the VPN static route.
B. Configure static routes on the customer gateway device with a lower metric for the Direct Connect interface.
C. Use BGP on both connections and prepend AS paths on the Direct Connect routes to make them less preferred.
D. Use BGP on both connections and set a lower local preference on the Direct Connect routes.
Answer: C

AS path prepending makes Direct Connect routes less preferred, so VPN routes are used when Direct Connect is up. When Direct Connect fails, BGP sessions drop, and VPN routes become available automatically.

Why this answer

Option C is correct because using BGP on both connections allows you to influence route selection via AS path prepending. By prepending the AS path on the Direct Connect routes, you make them appear less preferred compared to the VPN routes, ensuring that under normal conditions traffic uses Direct Connect. When Direct Connect fails, the BGP session drops, the routes are withdrawn, and traffic automatically fails over to the VPN without any manual intervention or reliance on static metrics.

Exam trap

The trap here is that candidates often confuse local preference (which influences inbound traffic from BGP peers) with AS path prepending (which influences outbound route selection from the perspective of the BGP router), or they assume static metrics provide reliable failover without considering that static routes do not dynamically withdraw on link failure.

How to eliminate wrong answers

Option A is wrong because mixing BGP on Direct Connect with static routes on the VPN creates an asymmetric routing control plane; static routes cannot dynamically react to Direct Connect failure, and a higher metric on the static route would actually make the VPN less preferred, not a backup. Option B is wrong because configuring static routes on the customer gateway device with a lower metric for Direct Connect does not provide dynamic failover; if the Direct Connect link fails, the static route remains in the routing table until manually removed or a connectivity check fails, leading to blackholing. Option D is wrong because setting a lower local preference on Direct Connect routes would make them less preferred than VPN routes, causing traffic to use the VPN as the primary path, which is the opposite of the desired design where Direct Connect is primary.
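Added example (not from the question bank) in Python that models the failover mechanics this explanation relies on: BGP routes learned over a link are withdrawn when its session drops, while a static route toward the failed link stays in the table and blackholes traffic. It also shows that a prepended (longer) AS path or a lower local preference makes a route lose the best-path comparison. The prefix, ASN, next-hop names and the simplified selection order are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    next_hop: str           # "dx" (Direct Connect) or "vpn"
    source: str             # "bgp" or "static"
    local_pref: int = 100   # BGP attribute, higher wins
    as_path: list = field(default_factory=list)  # BGP attribute, shorter wins
    metric: int = 0         # static routes only, lower wins

def prepend(route, asn, times):
    """Copy of a BGP route with its AS path lengthened by prepending asn."""
    return Route(route.prefix, route.next_hop, route.source,
                 route.local_pref, [asn] * times + route.as_path, route.metric)

def best_path(rib, prefix):
    """Simplified selection: a static route (lowest metric) beats BGP; among
    BGP routes the highest local preference wins, then the shortest AS path."""
    cands = [r for r in rib if r.prefix == prefix]
    statics = [r for r in cands if r.source == "static"]
    if statics:
        return min(statics, key=lambda r: r.metric)
    return max(cands, key=lambda r: (r.local_pref, -len(r.as_path)), default=None)

def link_down(rib, next_hop):
    """A failed link drops its BGP session, so routes learned over it are
    withdrawn. Static routes stay, which is the blackhole the explanation warns of."""
    return [r for r in rib if not (r.source == "bgp" and r.next_hop == next_hop)]

VPC = "10.0.0.0/16"   # constructed VPC prefix advertised by AWS
AWS_ASN = 64512       # constructed AWS-side ASN

def bgp_on_both(prepend_dx=0, dx_local_pref=100):
    """Option C/D style: BGP over Direct Connect and over the VPN."""
    dx = Route(VPC, "dx", "bgp", local_pref=dx_local_pref, as_path=[AWS_ASN])
    vpn = Route(VPC, "vpn", "bgp", as_path=[AWS_ASN])
    return [prepend(dx, AWS_ASN, prepend_dx), vpn]

def static_dx_bgp_vpn():
    """Option B style: static route toward Direct Connect, BGP only over the VPN."""
    return [Route(VPC, "dx", "static", metric=10),
            Route(VPC, "vpn", "bgp", as_path=[AWS_ASN])]

if __name__ == "__main__":
    print("BGP on both, DX fails ->", best_path(link_down(bgp_on_both(), "dx"), VPC).next_hop)
    print("static DX, DX fails   ->", best_path(link_down(static_dx_bgp_vpn(), "dx"), VPC).next_hop)
```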
